Edit tour

Windows Analysis Report
Order_002376662-579588_Date 24082022.exe

Overview

General Information

Sample Name:	Order_002376662-579588_Date 24082022.exe
Analysis ID:	694559
MD5:	8c2a59bd88b7e2c26045a604ed544288
SHA1:	7efb014d57608ff6a2805baf4dd7c150792e6eb4
SHA256:	0d4b100e641aad426a916cb326d20f8fe44e32ca38f7a85c505135036c6b44af
Tags:	exesigned
Infos:

Detection

GuLoader

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Stores files to the Windows start menu directory

PE / OLE file has an invalid certificate

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

Order_002376662-579588_Date 24082022.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" MD5: 8C2A59BD88B7E2C26045A604ED544288)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.829249266.00000000030C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Order_002376662-579588_Date 24082022.exe	Metadefender: Detection: 27%			Perma Link
Source: Order_002376662-579588_Date 24082022.exe	ReversingLabs: Detection: 65%

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism

Jump to behavior

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\SourceCode\GC3.GPUPowerSaving\production_V4.2.12.3\Service\ConfigEditorCS\obj\Release\GPUPowerSavingConfigEditor.pdb source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	2_2_00405861
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0040639C FindFirstFileA,FindClose,	2_2_0040639C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_004026F8 FindFirstFileA,	2_2_004026F8

Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_004052FE

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order_002376662-579588_Date 24082022.exe

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: GPUPowerSavingConfigEditor.dll.2.dr

Static PE information: No import functions for PE file found

Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameGPUPowerSavingConfigEditor.dll< vs Order_002376662-579588_Date 24082022.exe

Source: Order_002376662-579588_Date 24082022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Order_002376662-579588_Date 24082022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

2_2_0040330D

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00406725		2_2_00406725
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00404B3D		2_2_00404B3D

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Process Stats: CPU usage > 98%

Source: Order_002376662-579588_Date 24082022.exe	Metadefender: Detection: 27%
Source: Order_002376662-579588_Date 24082022.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File read: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Jump to behavior

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

2_2_0040330D

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File created: C:\Users\user\AppData\Local\Temp\nsn2719.tmp

Jump to behavior

Source: classification engine

Classification label: mal64.troj.evad.winEXE@1/7@0/0

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_004020CB CoCreateInstance,MultiByteToWideChar,

2_2_004020CB

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_004045CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

2_2_004045CA

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism

Jump to behavior

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.829249266.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_10002D20 push eax; ret

2_2_10002D4E

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

2_2_10001A5D

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json	Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

RDTSC instruction interceptor: First address: 00000000030C2A2F second address: 00000000030C2A2F instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007EFC0CCA9B97h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test dx, dx 0x0000000b rdtsc

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	2_2_00405861
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0040639C FindFirstFileA,FindClose,	2_2_0040639C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_004026F8 FindFirstFileA,	2_2_004026F8

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	API call chain: ExitProcess graph end node			graph_2-4265
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	API call chain: ExitProcess graph end node			graph_2-4453

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

2_2_10001A5D

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

2_2_0040330D

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Order_002376662-579588_Date 24082022.exe	28%	Metadefender		Browse
Order_002376662-579588_Date 24082022.exe	65%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://subca.ocsp-certum.com05	0%	URL Reputation	safe
http://subca.ocsp-certum.com02	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.certum.pl/ctnca2.crl0l	Order_002376662-579588_Date 24082022.exe	false		high
http://repository.certum.pl/ctnca2.cer09	Order_002376662-579588_Date 24082022.exe	false		high
http://crl.certum.pl/ctsca2021.crl0o	Order_002376662-579588_Date 24082022.exe	false		high
http://nsis.sf.net/NSIS_Error	Order_002376662-579588_Date 24082022.exe	false		high
http://repository.certum.pl/ctnca.cer09	Order_002376662-579588_Date 24082022.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	Order_002376662-579588_Date 24082022.exe	false		high
http://repository.certum.pl/ctsca2021.cer0	Order_002376662-579588_Date 24082022.exe	false		high
http://crl.certum.pl/ctnca.crl0k	Order_002376662-579588_Date 24082022.exe	false		high
http://subca.ocsp-certum.com05	Order_002376662-579588_Date 24082022.exe	false	URL Reputation: safe	unknown
http://www.certum.pl/CPS0	Order_002376662-579588_Date 24082022.exe	false		high
http://subca.ocsp-certum.com02	Order_002376662-579588_Date 24082022.exe	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	Order_002376662-579588_Date 24082022.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694559
Start date and time:	2022-08-31 23:50:13 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Order_002376662-579588_Date 24082022.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@1/7@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 62.6% (good quality ratio 61.3%) Quality average: 89% Quality standard deviation: 21.6%
HCA Information:	Successful, ratio: 98% Number of executed functions: 57 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Order_002376662-579588_Date 24082022.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	TT COPY_August 24 2022#124612011.exe	Get hash	malicious	Browse
	RFQ 1021-3008-22 xls.exe	Get hash	malicious	Browse
	RFQ 1021-3008-22 xls.exe	Get hash	malicious	Browse
	Quotation_No 200000002504.exe	Get hash	malicious	Browse
	Quotation_No 200000002504.exe	Get hash	malicious	Browse
	07.06.2022 - UAB TG Air Waybill Number 2901365211- EC650SX3-36AT - 1.05kg.docx.exe	Get hash	malicious	Browse
	07.06.2022 - UAB TG Air Waybill Number 2901365211- EC650SX3-36AT - 1.05kg.docx.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll	TT COPY_August 24 2022#124612011.exe	Get hash	malicious	Browse
	RFQ 1021-3008-22 xls.exe	Get hash	malicious	Browse
	RFQ 1021-3008-22 xls.exe	Get hash	malicious	Browse
	teddytanya.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	11264
Entropy (8bit):	5.767999234165119
Encrypted:	false
SSDEEP:	192:cPtkumJX7zBE2kGwfy9S9VkPsFQ1MZ1c:N7O2k5q9wA1MZa
MD5:	C9473CB90D79A374B2BA6040CA16E45C
SHA1:	AB95B54F12796DCE57210D65F05124A6ED81234A
SHA-256:	B80A5CBA69D1853ED5979B0CA0352437BF368A5CFB86CB4528EDADD410E11352
SHA-512:	EAFE7D5894622BC21F663BCA4DD594392EE0F5B29270B6B56B0187093D6A3A103545464FF6398AD32D2CF15DAB79B1F133218BA9BA337DDC01330B5ADA804D7B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TT COPY_August 24 2022#124612011.exe, Detection: malicious, Browse Filename: RFQ 1021-3008-22 xls.exe, Detection: malicious, Browse Filename: RFQ 1021-3008-22 xls.exe, Detection: malicious, Browse Filename: teddytanya.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....uY...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..^....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	29564
Entropy (8bit):	3.9994965063204706
Encrypted:	false
SSDEEP:	768:K3xU0sST74YF3ZeaYDqKjmgtajzKmFGMiElvFoe2:2Tsusm3ODqK/Imlh
MD5:	61F8A1615921DA63C2609B90984F1D32
SHA1:	D188A91A6745481BB830704854FE61E2A41E0B9A
SHA-256:	DF023F32CE51FF8BA14F1147B1D7644D734AC9EF0FB5CF024A88A495E153EFF0
SHA-512:	9855CCCA3CF01993F04ECC48824FF8AD7084176F8A9411CF8E737FDAB5BB093B3FE19B8098D8206A1DFF546DA59D227D783470A2D1DCE1083C1FBC9661FBB3DC
Malicious:	false
Reputation:	low
Preview:	79F5033C9D5E8CB0E34E74DBA3F160A8A116FFBE99FFC4E7AB4189ABA94B8F01DD34E5CC3D75871F5B27143BFD1FAEF87C50308056EFCBC142ABE1F8C638BE972D7DE340583A9C76BD7ED307EFB159E8EE7844BBA73F5DD7B1DF60CD378221F6BCB008205C718C5C3D2C9978871B0F9B8B02370F79F12DAB84A9C7D793A5181FC249ED6136A6EF71E962E295EF440D9D4B0017F75253D1433B5E2E2BE721069D97AE1E0B31F4FC9F0CD109B46C79BA1D3F88D3DF73715581039E00D83F9F0EC2B48A52CBC4A37AD6779E4997433AB97D75FF78AE1C1AA7755E884D821FD65138A7930C0213E6FE7694ABAF56071B3AF05D5FBC7401A6D776E5FD88DA61BCC05675FF42FCC1CBBE2894A439183B853B6C170C338105B38468CFF07EFEED9A85C335E2F04F08F2DC0F9C3243C5319F3E4256A41FCB22BE16E71B4354F38E090AE14F8E7852031272A2063B58E48D78244C510AE6EE9C5387CFC359D0EE90882CDB81704DD368E0E963E9E0F81DFF503D71BC346492203B0E95A7E6AF23DE1289F222F7DA779BD9B0921560969C5F3FA94C0B3E7C9E627C5ABA4EEEC74E5259BBB5F80C1393C789B98CC7FEE06CB3AC2839022F745C4B8F402C5C24781278401E69ED99F56F08FD67C73117A09362CDAB03ED93295816298F51FBA17DEC31054D3E4A8ACB306B2682E11BDB133A1C1E14017EC7D3BB

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	31456
Entropy (8bit):	6.0996914820635295
Encrypted:	false
SSDEEP:	384:sQ1QmY/8eFuAYNAx4klQvhI0tUA9wZmjML9S/3oche5ZP2TFn0E0C04Haqk6Olkm:s0YvT4ZbzRj1foHGpzkkF2X9Dh/
MD5:	6213DFF7A0CE2E52FD61EC4097DF93E7
SHA1:	4087C8D803EE9E4298AA51EC05E18D020A0A2728
SHA-256:	D12DC4BBDACDE8FC92DCFB384807D793C67B9B7E88D52EE0240E8A1901B80071
SHA-512:	85446886691BE56B027519EB2C823399031CE549AA3BF8155A0E3897AAC04E4E8D960716E40E124E0E4980027CB3EB13241A9CF32D9227470F8E0EA45FFBC79D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TT COPY_August 24 2022#124612011.exe, Detection: malicious, Browse Filename: RFQ 1021-3008-22 xls.exe, Detection: malicious, Browse Filename: RFQ 1021-3008-22 xls.exe, Detection: malicious, Browse Filename: Quotation_No 200000002504.exe, Detection: malicious, Browse Filename: Quotation_No 200000002504.exe, Detection: malicious, Browse Filename: 07.06.2022 - UAB TG Air Waybill Number 2901365211- EC650SX3-36AT - 1.05kg.docx.exe, Detection: malicious, Browse Filename: 07.06.2022 - UAB TG Air Waybill Number 2901365211- EC650SX3-36AT - 1.05kg.docx.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..._p.a.........." ..0..T............... ........... ...............................&....`...@......@............... ..................................`............\...............q............................................................... ..H............text....S... ...T.................. ..`.rsrc...`............V..............@..@........................................H.......x?...0..........Hp................................................(.....~....-.r...p.....(....o....s.........~.....~...........V(....re..p~....o....V(....rs..p~....o....V(....r...p~....o....V(....r...p~....o.....~......(....Vs....(....t..........0...........{....o.....{.....3......{.....(....&(.....o .....5...o!...r...p....+A.......~"...(#...,....($....+..r...po%...-..{.....o&...r...p...X....i2...&...{........................0...........{....o.....{.....3.......{.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	845
Entropy (8bit):	7.722985666159481
Encrypted:	false
SSDEEP:	24:47y7zZd6D14lz6mML1mc2TvTl4P5VwbxjoUWBx9:57mD14lz61gTv+P5Vwtj0
MD5:	EFB6B9E41A0DAAB0088A365317A4F635
SHA1:	5D5B2C92BB5870B15BFB383A4C749EE1B71E21AB
SHA-256:	40A5B74A33F7372AC62EC82CA65097B2BF411E6CAF2667C87DA374A06834AD05
SHA-512:	98BACE38224A53CCDA2039CD6089F704762A5D09D67CE924486800205596671A0BFC9A2BE26D36F77BAB7ECAF57E82C3D16739DBDA9FC1027A8E2B784D784C14
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR................a....IDATx.u..x.[..g]....m.f...m...=..y3...}......V)..&.v.S.}.KYr..<......n.%......q..n.Q.W.j....2....(...N5.....1{......&r/.......dE.1Tg^.!..T..F.C.:T.Ed..<.>.<.r..\.=..OIR.7Q..Ge.\|P..`0....X........>.m.E.p....>...>..M.~...........H4k.7.Z=.d....D.S3..].....f........E.....G.R.....'ND.}.eK...E.....V........ ...........p.g..)&0$...N%dc..n.x:.i..C:...l.Vg^_...r._..9..(....G...$M.....}...u-........}..o..Y.vLA........-Z.K;<.....)...GW.ph..E..c]+.....c.p..#.p[...Q....G.#.....G.......Vu...q....).yl.2.....v.\.0Mz.P/.;B....F..........{.!..T..G.}.._....".2w.m../l.JHs.x..h.....t.....a!.M.....qk. ....IX/@...w.\...2U.....u^.&N3.G..t.......8...Z6].6~..`...+......&.5&.*....ZO...$..Y..%...XF...^s[4...&.nw....?-./..T&.IS.H&.cX"...7..$c........T.9....IEND.B`.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
Category:	dropped
Size (bytes):	8419
Entropy (8bit):	7.8975477212121925
Encrypted:	false
SSDEEP:	192:oXRnOJl+MmnEjHXjbDkd914gmMJrq03QVWpen7d:KRHMmn2XjXQ1VqaQVWs7d
MD5:	EF9954E2C8A46E6F0BB6AAF1E0A7F499
SHA1:	F1639B6632F6B4B472A4A0AD653B82A48B008F6B
SHA-256:	6550954EBF87A006EDA7C80EA5EB26CD51753540C159DEA36E506C811D5261DD
SHA-512:	F00EAD97959335F95B4846A7DA20A51C2B31E255F2C013DB69CF6F595E3C0BCE299C640001E2B265864528B576F161C9105AC237F09A906E74B9AF406D211D6D
Malicious:	false
Reputation:	low
Preview:	......JFIF.....d.d.....:Exif..MM.......Q...........Q..........aQ..........a.......C....................................................................C.......................................................................n.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(..'...no./.....j..Z?...7..c....Z.....K.+.d....3....I.#..m@X\|S...T.....g.]..eo...#XI...\|D6......D......T.....da<..i5..!.M...I.mC.W.<O.x._...x.......Q..3..<.....4..."...@..p..y..SX.L...v..[....].+_m.k.Y..b.*X.v:..z....A.A.....>......f?..GG....s."..^......=:e@.X.{.- T.........).....g...O......_[.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	data
Category:	dropped
Size (bytes):	105498
Entropy (8bit):	6.8469376549161245
Encrypted:	false
SSDEEP:	1536:cYUYKcQR5Y+GAjmU8R20KnRFr/ASso1gQa0CozxqDkHHB+Q/vGmHi:cYvuY+1J8R2bFbAYGQa09zxqDk++GmHi
MD5:	34957562BCFF2DAE97F8009F22642EA5
SHA1:	F22431D76E12B5E4AC240E96F6856165C70A01EE
SHA-256:	69823BE330A7C9B93750E25AFB3BC29DC33F7DE4CA7935D787BE29DD80E711D1
SHA-512:	015BE4CE81774A334761017AA7C0E397B2DE9F91904D87CDBA163CBD4C584FCBFF25A6C787595F31ABD0C24970101671C9444139088161F7C3A4E5B1634808A4
Malicious:	false
Preview:	2.1.].F..Q....H........[.Geo.A,S........n...+.\|.......]..r.uh.%.Zng.#.;...2.a.>.....b@....f.m..........@u}.e.-..9...\P.2.(.!.z...#@..u.,.k..A9..q)}.....T...D.{.)f@z.,.....[{o.....)..S.p.&.....#SEu.L..F...mc}.......<..}lV.y.:.Z..N...8.........>.W..O...c9Q1@.~./.....6...... [8-..8EB...C.....X"x..`2[.f..P1..c.?.#.{..EvD....<6.D.,..1;p.b.....W#.4....N.G.).u.u...[JL.i.D.......@...W}).".3m...%.<..[....3.3...-7.z...{..$.lI......7~...lV.....................)y.......S......@:.%2;]u.D..z.3..wv..6[......!..O..zEeT...:.8.../..C.P....H...).&n7-.t.......S...=.8].+..OsD.......v(...K..Ea5.+b.'...?..?.<....'..o.3.`.Zx......3.<..7...~......6.. >z..Z....d.6<..4).+.<...y..A...5.._..M!.$l]9.y.:...7Z.dD....}...C.M!1.Zt.1....0.)q........=..HR....4..Z.&..s.W......q..pRc.Q{........S.X.......@......+..OA.....oyw...b...G..d.\|..b.)............. ..]YE.$.......$7U..7..P.Zh.2e.f...g...(..u...i..KB.....j.. <Lts..)1...O^.X]\|[s...!........._5..$..-t.`#...T

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	36718
Entropy (8bit):	4.260373998588477
Encrypted:	false
SSDEEP:	192:OU+NvXvwEXFo+Hco8/+8IXAMaM2LkAAVemLK9f8QayVEJUfYZqAmULr:OU+Eo8ZLMaMWlAVemOZwyyOwMAmUX
MD5:	062FC6431BF0FF5F8E7E62587FCBD686
SHA1:	06E2BF1BB06CE408EC2AAE8D9F7A8ABC0371B57D
SHA-256:	78FB090F4A54C8B5970EC04C7511F17EB767275A8D5358604A1E335440678617
SHA-512:	8EC9F46A24C2A0B0C54463EF23D14563DDA2F7D65D8B231B994C8DDA2D5212B4DC697C6DF67B477DD245A2A065023383576A6DB48A335FAB9AFB6AAE7F764194
Malicious:	false
Preview:	{. "3166-1": [. {. "alpha_2": "AW",. "alpha_3": "ABW",. "name": "Aruba",. "numeric": "533". },. {. "alpha_2": "AF",. "alpha_3": "AFG",. "name": "Afghanistan",. "numeric": "004",. "official_name": "Islamic Republic of Afghanistan". },. {. "alpha_2": "AO",. "alpha_3": "AGO",. "name": "Angola",. "numeric": "024",. "official_name": "Republic of Angola". },. {. "alpha_2": "AI",. "alpha_3": "AIA",. "name": "Anguilla",. "numeric": "660". },. {. "alpha_2": "AX",. "alpha_3": "ALA",. "name": ".land Islands",. "numeric": "248". },. {. "alpha_2": "AL",. "alpha_3": "ALB",. "name": "Albania",. "numeric": "008",. "official_name": "Republic of Albania". },. {. "alpha_2": "AD",. "alpha_3": "AND",. "name": "Andorra",. "numeric": "020",. "official_name": "Principality of Andorra". },. {. "alpha_2

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.509543109745029
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order_002376662-579588_Date 24082022.exe
File size:	195584
MD5:	8c2a59bd88b7e2c26045a604ed544288
SHA1:	7efb014d57608ff6a2805baf4dd7c150792e6eb4
SHA256:	0d4b100e641aad426a916cb326d20f8fe44e32ca38f7a85c505135036c6b44af
SHA512:	ca6d126b62418c1c9fe6b6c0b0418a7253b6200a179af844bd80f67c055375c51d9b268242ea9ff3e15b0c3d867d84c19508229580605cbaac8460fa9a9bec17
SSDEEP:	3072:RNzPHk9MpcDj6OzDjWubsfxAjaWde+mzaOyrxmIW//z7GfvGxkTjk3kfSD:RhRupsfKW7+me6//z7GvQ
TLSH:	7014F11D2507C7BECA53423049BA6A675EF6BA04FC8156436F637A983CD3170822F5BE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...*.uY.................b.........

File Icon


Icon Hash:	90b270f0e260b050

Static PE Info

General

Entrypoint:	0x40330d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5975952A [Mon Jul 24 06:35:22 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	57e98d9a5a72c8d7ad8fb7a6a58b3daf

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Fights Fratrkning Unnervingly ", OU="nerver Whitebait ", E=Nekrofili@Umiaq.An, O=Stagy, L=Kendallville, S=Indiana, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	2/20/2022 5:26:15 AM 2/19/2025 5:26:15 AM
Subject Chain	CN="Fights Fratrkning Unnervingly ", OU="nerver Whitebait ", E=Nekrofili@Umiaq.An, O=Stagy, L=Kendallville, S=Indiana, C=US
Version:	3
Thumbprint MD5:	8BFEA38B193C49A0622C53FBF7CAADE9
Thumbprint SHA-1:	CA863CD76251E5155366225CECEF5915CDC6B279
Thumbprint SHA-256:	A8B4C4809B973CA3D72051C56C958A1F73702992E831E3DED8796A5C96627D06
Serial:	2F3B028675A5223C

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042472Ch], eax
je 00007EFC0CD39783h
push ebx
call 00007EFC0CD3C852h
cmp eax, ebx
je 00007EFC0CD39779h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007EFC0CD3C7CEh
push esi
call dword ptr [004080A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007EFC0CD3975Dh
push 0000000Ah
call 00007EFC0CD3C826h
push 00000008h
call 00007EFC0CD3C81Fh
push 00000006h
mov dword ptr [00424724h], eax
call 00007EFC0CD3C813h
cmp eax, ebx
je 00007EFC0CD39781h
push 0000001Eh
call eax
test eax, eax
je 00007EFC0CD39779h
or byte ptr [0042472Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [004247F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041FCF0h
call dword ptr [00408178h]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x74d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2d5a0	0x2660	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x603c	0x6200	False	0.6572464923469388	data	6.39361655287636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1248	0x1400	False	0.4287109375	data	5.044261339836676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a838	0x400	False	0.6455078125	data	5.223134318413766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x17000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c000	0x74d0	0x7600	False	0.4656382415254237	data	4.073204340591157	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3c358	0x25a8	data	English	United States
RT_ICON	0x3e900	0x10a8	data	English	United States
RT_ICON	0x3f9a8	0xea8	data	English	United States
RT_ICON	0x40850	0x988	data	English	United States
RT_ICON	0x411d8	0x8a8	data	English	United States
RT_ICON	0x41a80	0x6c8	data	English	United States
RT_ICON	0x42148	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x426b0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x42b18	0x100	data	English	United States
RT_DIALOG	0x42c18	0x11c	data	English	United States
RT_DIALOG	0x42d38	0xc4	data	English	United States
RT_DIALOG	0x42e00	0x60	data	English	United States
RT_GROUP_ICON	0x42e60	0x76	data	English	United States
RT_VERSION	0x42ed8	0x2b4	data	English	United States
RT_MANIFEST	0x43190	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, Sleep, GetTickCount, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, SetCurrentDirectoryA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, GlobalUnlock, GetDiskFreeSpaceA, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Order_002376662-579588_Date 24082022.exePID: 6508, Parent PID: 5336

General

Target ID:	2
Start time:	23:51:11
Start date:	31/08/2022
Path:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Imagebase:	0x400000
File size:	195584 bytes
MD5 hash:	8C2A59BD88B7E2C26045A604ED544288
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.829249266.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Order_002376662-579588_Date 24082022.exePID: 6508, Parent PID: 5336COMMON

Execution Graph

Execution Coverage:	22.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.2%
Total number of Nodes:	1504
Total number of Limit Nodes:	42

Executed Functions

Function 0040330D Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t54;
				CHAR* _t56;
				void* _t60;
				intOrPtr _t62;
				int _t64;
				int _t67;
				signed int _t68;
				int _t69;
				signed int _t71;
				void* _t95;
				signed int _t111;
				void* _t114;
				void* _t119;
				intOrPtr* _t120;
				char _t123;
				signed int _t142;
				signed int _t143;
				int _t151;
				void* _t152;
				intOrPtr* _t154;
				CHAR* _t157;
				CHAR* _t158;
				void* _t160;
				char* _t161;
				void* _t164;
				void* _t165;
				char _t190;

				 *(_t165 + 0x18) = 0;
				 *((intOrPtr*)(_t165 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t165 + 0x20) = 0;
				 *(_t165 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42472c = _t42;
				if(_t42 != 6) {
					_t120 = E00406431(0);
					if(_t120 != 0) {
						 *_t120(0xc00);
					}
				}
				_t157 = "UXTHEME";
				do {
					E004063C3(_t157); // executed
					_t157 =  &(_t157[lstrlenA(_t157) + 1]);
				} while ( *_t157 != 0);
				E00406431(0xa);
				 *0x424724 = E00406431(8);
				_t47 = E00406431(6);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42472f =  *0x42472f | 0x00000040;
					}
				}
				__imp__#17(_t160);
				__imp__OleInitialize(0); // executed
				 *0x4247f8 = _t47;
				SHGetFileInfoA(0x41fcf0, 0, _t165 + 0x38, 0x160, 0); // executed
				E00406099(0x423f20, "NSIS Error");
				_t51 = GetCommandLineA();
				_t161 = "\"C:\\Users\\alfons\\Desktop\\Order_002376662-579588_Date 24082022.exe\" ";
				E00406099(_t161, _t51);
				 *0x424720 = GetModuleHandleA(0);
				_t54 = _t161;
				if("\"C:\\Users\\alfons\\Desktop\\Order_002376662-579588_Date 24082022.exe\" " == 0x22) {
					 *(_t165 + 0x14) = 0x22;
					_t54 =  &M0042A001;
				}
				_t56 = CharNextA(E00405A5C(_t54,  *(_t165 + 0x14)));
				 *(_t165 + 0x1c) = _t56;
				while(1) {
					_t123 =  *_t56;
					_t173 = _t123;
					if(_t123 == 0) {
						break;
					}
					__eflags = _t123 - 0x20;
					if(_t123 != 0x20) {
						L13:
						__eflags =  *_t56 - 0x22;
						 *(_t165 + 0x14) = 0x20;
						if( *_t56 == 0x22) {
							_t56 =  &(_t56[1]);
							__eflags = _t56;
							 *(_t165 + 0x14) = 0x22;
						}
						__eflags =  *_t56 - 0x2f;
						if( *_t56 != 0x2f) {
							L25:
							_t56 = E00405A5C(_t56,  *(_t165 + 0x14));
							__eflags =  *_t56 - 0x22;
							if(__eflags == 0) {
								_t56 =  &(_t56[1]);
								__eflags = _t56;
							}
							continue;
						} else {
							_t56 =  &(_t56[1]);
							__eflags =  *_t56 - 0x53;
							if( *_t56 != 0x53) {
								L20:
								__eflags =  *_t56 - ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC");
								if( *_t56 != ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t56 - 2)) - ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t56 - 2)) == ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=")) {
										 *((char*)(_t56 - 2)) = 0;
										__eflags =  &(_t56[2]);
										E00406099("C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne",  &(_t56[2]));
										L30:
										_t158 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t158); // executed
										_t60 = E004032DC(_t173);
										_t174 = _t60;
										if(_t60 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t62 = E00402D98(_t176,  *(_t165 + 0x20)); // executed
											 *((intOrPtr*)(_t165 + 0x10)) = _t62;
											if(_t62 != 0) {
												L43:
												E004037F7();
												__imp__OleUninitialize();
												_t186 =  *((intOrPtr*)(_t165 + 0x10));
												if( *((intOrPtr*)(_t165 + 0x10)) == 0) {
													__eflags =  *0x4247d4;
													if( *0x4247d4 == 0) {
														L67:
														_t64 =  *0x4247ec;
														__eflags = _t64 - 0xffffffff;
														if(_t64 != 0xffffffff) {
															 *(_t165 + 0x14) = _t64;
														}
														ExitProcess( *(_t165 + 0x14));
													}
													_t67 = OpenProcessToken(GetCurrentProcess(), 0x28, _t165 + 0x18);
													__eflags = _t67;
													_t151 = 2;
													if(_t67 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t165 + 0x24);
														 *(_t165 + 0x38) = 1;
														 *(_t165 + 0x44) = _t151;
														AdjustTokenPrivileges( *(_t165 + 0x2c), 0, _t165 + 0x28, 0, 0, 0);
													}
													_t68 = E00406431(4);
													__eflags = _t68;
													if(_t68 == 0) {
														L65:
														_t69 = ExitWindowsEx(_t151, 0x80040002);
														__eflags = _t69;
														if(_t69 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t71;
														if(_t71 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E004057B5( *((intOrPtr*)(_t165 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x424740 == 0) {
												L42:
												 *0x4247ec =  *0x4247ec | 0xffffffff;
												 *(_t165 + 0x18) = E004038E9( *0x4247ec);
												goto L43;
											}
											_t154 = E00405A5C(_t161, 0);
											if(_t154 < _t161) {
												L39:
												_t183 = _t154 - _t161;
												 *((intOrPtr*)(_t165 + 0x10)) = "Error launching installer";
												if(_t154 < _t161) {
													_t152 = E00405720(_t186);
													lstrcatA(_t158, "~nsu");
													if(_t152 != 0) {
														lstrcatA(_t158, "A");
													}
													lstrcatA(_t158, ".tmp");
													_t163 = "C:\\Users\\alfons\\Desktop";
													if(lstrcmpiA(_t158, "C:\\Users\\alfons\\Desktop") != 0) {
														_push(_t158);
														if(_t152 == 0) {
															E00405703();
														} else {
															E00405686();
														}
														SetCurrentDirectoryA(_t158);
														_t190 = "C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne"; // 0x43
														if(_t190 == 0) {
															E00406099("C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne", _t163);
														}
														E00406099(0x425000,  *(_t165 + 0x1c));
														_t138 = "A";
														_t164 = 0x1a;
														 *0x425400 = "A";
														do {
															E004060BB(0, 0x41f8f0, _t158, 0x41f8f0,  *((intOrPtr*)( *0x424734 + 0x120)));
															DeleteFileA(0x41f8f0);
															if( *((intOrPtr*)(_t165 + 0x10)) != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\Order_002376662-579588_Date 24082022.exe", 0x41f8f0, 1) != 0) {
																E00405E78(_t138, 0x41f8f0, 0);
																E004060BB(0, 0x41f8f0, _t158, 0x41f8f0,  *((intOrPtr*)( *0x424734 + 0x124)));
																_t95 = E00405738(0x41f8f0);
																if(_t95 != 0) {
																	CloseHandle(_t95);
																	 *((intOrPtr*)(_t165 + 0x10)) = 0;
																}
															}
															 *0x425400 =  *0x425400 + 1;
															_t164 = _t164 - 1;
														} while (_t164 != 0);
														E00405E78(_t138, _t158, 0);
													}
													goto L43;
												}
												 *_t154 = 0;
												_t155 = _t154 + 4;
												if(E00405B1F(_t183, _t154 + 4) == 0) {
													goto L43;
												}
												E00406099("C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne", _t155);
												E00406099("C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne\\Tilegnelserne\\Suppegrydernes79", _t155);
												 *((intOrPtr*)(_t165 + 0x10)) = 0;
												goto L42;
											}
											_t111 = (( *0x40a1bf << 0x00000008 |  *0x40a1be) << 0x00000008 |  *0x40a1bd) << 0x00000008 | " _?=";
											while( *_t154 != _t111) {
												_t154 = _t154 - 1;
												if(_t154 >= _t161) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t158, 0x3fb);
										lstrcatA(_t158, "\\Temp");
										_t114 = E004032DC(_t174);
										_t175 = _t114;
										if(_t114 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t158);
										lstrcatA(_t158, "Low");
										SetEnvironmentVariableA("TEMP", _t158);
										SetEnvironmentVariableA("TMP", _t158);
										_t119 = E004032DC(_t175);
										_t176 = _t119;
										if(_t119 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t142 = _t56[4];
								__eflags = _t142 - 0x20;
								if(_t142 == 0x20) {
									L23:
									_t15 = _t165 + 0x20;
									 *_t15 =  *(_t165 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t142;
								if(_t142 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t143 = _t56[1];
							__eflags = _t143 - 0x20;
							if(_t143 == 0x20) {
								L19:
								 *0x4247e0 = 1;
								goto L20;
							}
							__eflags = _t143;
							if(_t143 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t56 =  &(_t56[1]);
						__eflags =  *_t56 - 0x20;
					} while ( *_t56 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x0040331d
0x00403321
0x00403329
0x0040332d
0x00403332
0x0040333e
0x00403347
0x0040334c
0x0040334f
0x00403356
0x0040335d
0x0040335d
0x00403356
0x0040335f
0x00403364
0x00403365
0x00403371
0x00403375
0x0040337b
0x00403389
0x0040338e
0x00403395
0x00403399
0x0040339d
0x0040339f
0x0040339f
0x0040339d
0x004033a7
0x004033ae
0x004033b4
0x004033ca
0x004033da
0x004033df
0x004033e5
0x004033ec
0x004033ff
0x00403404
0x00403406
0x00403408
0x0040340d
0x0040340d
0x0040341d
0x00403423
0x004034ec
0x004034ec
0x004034ee
0x004034f0
0x00000000
0x00000000
0x0040342c
0x0040342f
0x00403437
0x00403437
0x0040343a
0x0040343f
0x00403441
0x00403441
0x00403442
0x00403442
0x00403447
0x0040344a
0x004034dc
0x004034e1
0x004034e6
0x004034e9
0x004034eb
0x004034eb
0x004034eb
0x00000000
0x00403450
0x00403450
0x00403451
0x00403454
0x0040346c
0x00403497
0x00403499
0x004034ac
0x004034d7
0x004034da
0x004034f8
0x004034fb
0x00403504
0x00403509
0x0040350f
0x0040351a
0x0040351c
0x00403521
0x00403523
0x0040357b
0x00403580
0x0040358a
0x00403591
0x00403595
0x00403629
0x00403629
0x0040362e
0x00403634
0x00403639
0x0040375d
0x00403763
0x004037df
0x004037df
0x004037e4
0x004037e7
0x004037e9
0x004037e9
0x004037f1
0x004037f1
0x00403773
0x0040377b
0x0040377d
0x0040377e
0x0040378b
0x0040379e
0x004037a6
0x004037aa
0x004037aa
0x004037b2
0x004037b7
0x004037be
0x004037cc
0x004037ce
0x004037d4
0x004037d6
0x00000000
0x00000000
0x00000000
0x004037c0
0x004037c6
0x004037c8
0x004037ca
0x004037d8
0x004037da
0x00000000
0x004037da
0x00000000
0x004037ca
0x004037be
0x00403648
0x0040364f
0x0040364f
0x004035a1
0x00403619
0x00403619
0x00403625
0x00000000
0x00403625
0x004035aa
0x004035ae
0x004035e4
0x004035e4
0x004035e6
0x004035ee
0x00403660
0x00403662
0x00403669
0x00403671
0x00403671
0x0040367c
0x00403681
0x00403690
0x00403694
0x00403695
0x0040369e
0x00403697
0x00403697
0x00403697
0x004036a4
0x004036aa
0x004036b0
0x004036b8
0x004036b8
0x004036c6
0x004036cb
0x004036dd
0x004036e5
0x004036eb
0x004036f7
0x004036fd
0x00403707
0x0040371d
0x0040372e
0x00403734
0x0040373b
0x0040373e
0x00403744
0x00403744
0x0040373b
0x00403748
0x0040374e
0x0040374e
0x00403753
0x00403753
0x00000000
0x00403690
0x004035f0
0x004035f2
0x004035fd
0x00000000
0x00000000
0x00403605
0x00403610
0x00403615
0x00000000
0x00403615
0x004035d9
0x004035db
0x004035df
0x004035e2
0x00000000
0x00000000
0x00000000
0x004035e2
0x00000000
0x004035db
0x0040352b
0x00403537
0x0040353c
0x00403541
0x00403543
0x00000000
0x00000000
0x0040354b
0x00403553
0x00403564
0x0040356c
0x0040356e
0x00403573
0x00403575
0x00000000
0x00000000
0x00000000
0x00403575
0x00000000
0x004034da
0x0040349b
0x0040349e
0x004034a1
0x004034a7
0x004034a7
0x004034a7
0x004034a7
0x00000000
0x004034a7
0x004034a3
0x004034a5
0x00000000
0x00000000
0x00000000
0x004034a5
0x00403456
0x00403459
0x0040345c
0x00403462
0x00403462
0x00000000
0x00403462
0x0040345e
0x00403460
0x00000000
0x00000000
0x00000000
0x00403460
0x00000000
0x00000000
0x00000000
0x00403431
0x00403431
0x00403431
0x00403432
0x00403432
0x00000000
0x00403431
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 00403332
GetVersion.KERNEL32 ref: 00403338
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040336B
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033A7
OleInitialize.OLE32(00000000), ref: 004033AE
SHGetFileInfoA.SHELL32(0041FCF0,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004033CA
GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004033DF
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,00000000,?,00000006,00000008,0000000A), ref: 004033F2
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,00000020,?,00000006,00000008,0000000A), ref: 0040341D
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 0040351A
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 0040352B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403537
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040354B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403553
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403564
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040356C
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403580

Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6

Part of subcall function 004038E9: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne,1033,Borerig Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Borerig Setup: Installing,00000000,00000002,766DFA90), ref: 004039D9
Part of subcall function 004038E9: lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne,1033,Borerig Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Borerig Setup: Installing,00000000), ref: 004039EC
Part of subcall function 004038E9: GetFileAttributesA.KERNEL32(Call), ref: 004039F7
Part of subcall function 004038E9: LoadImageA.USER32 ref: 00403A40
Part of subcall function 004038E9: RegisterClassA.USER32 ref: 00403A7D

Part of subcall function 004037F7: CloseHandle.KERNEL32(00000278,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 00403809
Part of subcall function 004037F7: CloseHandle.KERNEL32(00000270,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 0040381D

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040362E
ExitProcess.KERNEL32 ref: 0040364F
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 0040376C
OpenProcessToken.ADVAPI32(00000000), ref: 00403773
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040378B
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037AA
ExitWindowsEx.USER32(00000002,80040002), ref: 004037CE
ExitProcess.KERNEL32 ref: 004037F1

Part of subcall function 004057B5: MessageBoxIndirectA.USER32 ref: 00405810

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040350F, 00403514, 0040352A, 00403536, 00403545, 00403552, 0040355E, 00403566, 0040365F, 00403670, 0040367B, 00403687, 00403694, 004036A3, 00403752
C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe, xrefs: 0040370C
~nsu, xrefs: 0040365A
\Temp, xrefs: 00403531
TMP, xrefs: 00403567
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne, xrefs: 004034FF, 00403600, 004036AA, 004036B3
C:\Users\user\Desktop, xrefs: 00403681, 00403686, 004036B2
Error launching installer, xrefs: 004035E6
"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 004033E5, 004033EB, 004035A4
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403321
TEMP, xrefs: 0040355F
NSIS Error, xrefs: 004033D0
SeShutdownPrivilege, xrefs: 00403785
UXTHEME, xrefs: 0040335F, 00403364, 0040336A
1033, xrefs: 0040357B
.tmp, xrefs: 00403676
", xrefs: 00403442
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79, xrefs: 0040360B
Low, xrefs: 0040354D

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: HandleProcess$ExitFile$CloseEnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79$C:\Users\user\Desktop$C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3704715180-2988739811
Opcode ID: 6fb2701c2198554de983d489162d70f6248e26c12371a32bdff927a978f2d77a
Instruction ID: 629f98fd345f67a1e75e2db33264847053f345a98c6a7e8b50a39e9081f0102f
Opcode Fuzzy Hash: 6fb2701c2198554de983d489162d70f6248e26c12371a32bdff927a978f2d77a
Instruction Fuzzy Hash: 46C1E6702047506AD721AF759D89A2F3EACAB81706F45443FF581B61E2CB7C8A158B2F

Uniqueness

Uniqueness Score: -1.00%

Function 004052FE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004052FE(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t113;
				void* _t121;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x423f04; // 0x10468
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						_t121 = CreateThread(0, 0, E00405292, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed
						FindCloseChangeNotification(_t121);
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E004060BB(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x420d30;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x423eec - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x424728, 8);
							__eflags =  *0x4247cc - _t150;
							if( *0x4247cc == _t150) {
								_t113 =  *0x420508; // 0x7ca8cc
								E004051C0( *((intOrPtr*)(_t113 + 0x34)), _t150);
							}
							E00404133(1);
							goto L25;
						}
						 *0x420100 = 2;
						E00404133(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E004041C1(_t157, _a12, _a16);
						}
						ShowWindow( *0x423ef0, _t150);
						ShowWindow(_v8, 8);
						E0040418F(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x424734;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x423ef0 = GetDlgItem(_a4, 0x403);
				 *0x423ee8 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x423f04 = _t128;
				_v8 = _t128;
				E0040418F( *0x423ef0);
				 *0x423ef4 = E00404A5E(4);
				 *0x423f0c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56); // executed
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E0040415A(_a4);
				if(( *0x42473c & 0x00000003) != 0) {
					ShowWindow( *0x423ef0, _t150);
					if(( *0x42473c & 0x00000002) != 0) {
						 *0x423ef0 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040418F( *0x423ee8);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42473c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x00405304
0x0040530c
0x0040530f
0x00405317
0x0040531a
0x004054a9
0x004054af
0x004054cc
0x004054d3
0x004054d3
0x004054df
0x004054e5
0x00405507
0x00405507
0x0040550d
0x00405562
0x00405562
0x00405565
0x00000000
0x00000000
0x00405567
0x0040556a
0x0040556d
0x00000000
0x00000000
0x00405577
0x0040557d
0x0040557f
0x00405582
0x0040567f
0x00000000
0x0040567f
0x00405591
0x0040559d
0x004055a6
0x004055ad
0x004055b1
0x004055b4
0x004055bd
0x004055c3
0x004055c6
0x004055c6
0x004055d6
0x004055dc
0x004055df
0x004055ea
0x004055ea
0x004055eb
0x004055ee
0x004055f5
0x004055fc
0x00405604
0x00405604
0x00405612
0x00405618
0x0040561b
0x0040561b
0x00405622
0x00405628
0x00405631
0x00405638
0x00405641
0x00405643
0x00405646
0x00405655
0x00405657
0x0040565a
0x0040565b
0x0040565e
0x0040565f
0x00405660
0x00405660
0x00405668
0x00405673
0x00405679
0x00405679
0x00000000
0x004055df
0x0040550f
0x00405515
0x00405543
0x00405545
0x0040554b
0x0040554d
0x00405556
0x00405556
0x0040555d
0x00000000
0x0040555d
0x00405519
0x00405523
0x00000000
0x004054e7
0x004054e7
0x004054ed
0x00405528
0x00000000
0x0040552f
0x004054f6
0x004054fd
0x00405502
0x00000000
0x00405502
0x004054e5
0x00405320
0x00405324
0x0040532c
0x00405330
0x00405333
0x00405336
0x00405339
0x0040533c
0x0040533d
0x0040533e
0x00405357
0x0040535a
0x00405364
0x00405373
0x0040537b
0x00405383
0x00405388
0x0040538b
0x00405397
0x004053a0
0x004053a9
0x004053cb
0x004053d1
0x004053e2
0x004053e7
0x004053f5
0x00405403
0x00405403
0x00405408
0x00405416
0x00405416
0x0040541b
0x0040541e
0x00405423
0x0040542f
0x00405438
0x00405445
0x00405454
0x00405447
0x0040544c
0x0040544c
0x00405460
0x00405460
0x00405474
0x0040547d
0x00405486
0x00405496
0x004054a2
0x004054a2
0x00000000

APIs

GetDlgItem.USER32 ref: 0040535D
GetDlgItem.USER32 ref: 0040536C
GetClientRect.USER32 ref: 004053A9
GetSystemMetrics.USER32 ref: 004053B0
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004053D1
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004053E2
SendMessageA.USER32(?,00001001,00000000,?), ref: 004053F5
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405403
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405416
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405438
ShowWindow.USER32(?,00000008), ref: 0040544C
GetDlgItem.USER32 ref: 0040546D
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040547D
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405496
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054A2
GetDlgItem.USER32 ref: 0040537B

Part of subcall function 0040418F: SendMessageA.USER32(00000028,?,00000001,00403FBF), ref: 0040419D

GetDlgItem.USER32 ref: 004054BE
CreateThread.KERNELBASE ref: 004054CC
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054D3
ShowWindow.USER32(00000000), ref: 004054F6
ShowWindow.USER32(?,00000008), ref: 004054FD
ShowWindow.USER32(00000008), ref: 00405543
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405577
CreatePopupMenu.USER32 ref: 00405588
AppendMenuA.USER32 ref: 0040559D
GetWindowRect.USER32 ref: 004055BD
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055D6
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405612
OpenClipboard.USER32(00000000), ref: 00405622
EmptyClipboard.USER32 ref: 00405628
GlobalAlloc.KERNEL32(00000042,?), ref: 00405631
GlobalLock.KERNEL32 ref: 0040563B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040564F
GlobalUnlock.KERNEL32(00000000), ref: 00405668
SetClipboardData.USER32 ref: 00405673
CloseClipboard.USER32 ref: 00405679

Strings

0B, xrefs: 004055EE

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: 0B
API String ID: 4154960007-4132856435
Opcode ID: a5f5f3cc739424e5cf19656b71d36e7551af8bff60425fe1d738586fb9b1efc5
Instruction ID: 65bb4f05285cabcaf0c1ceede2bf8135bd939e85a5c998f60940a67221f6d910
Opcode Fuzzy Hash: a5f5f3cc739424e5cf19656b71d36e7551af8bff60425fe1d738586fb9b1efc5
Instruction Fuzzy Hash: A8A17A71900208BFDB119FA0DE89EAE7F79FB08355F00403AFA55BA1A0CB754E519F68

Uniqueness

Uniqueness Score: -1.00%

Function 00405861 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405861(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405B1F(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x4247c8 =  *0x4247c8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406099(0x421d38, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405A78(_t73);
					} else {
						lstrcatA(0x421d38, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]); // executed
						_t40 = FindFirstFileA(0x421d38,  &_v336); // executed
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405A5C( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E00406099(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E00405819(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E004051C0(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x4247c8 =  *0x4247c8 + 1;
										} else {
											E004051C0(0xfffffff1, _t73);
											E00405E78(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405861(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x421d38 - 0x5c;
					if( *0x421d38 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E0040639C(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405A31(_t73);
							_t40 = E00405819(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E004051C0(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E004051C0(0xfffffff1, _t73);
							return E00405E78(_t72, _t73, 0);
						}
						L33:
						 *0x4247c8 =  *0x4247c8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x0040586b
0x00405870
0x00405879
0x0040587c
0x00405884
0x00405887
0x0040588a
0x00405892
0x00405894
0x00405895
0x00000000
0x00405895
0x004058a0
0x004058a3
0x004058a3
0x004058a3
0x004058a7
0x004058ba
0x004058c1
0x004058c6
0x004058ca
0x004058da
0x004058cc
0x004058d2
0x004058d2
0x004058df
0x004058e2
0x004058ed
0x004058f3
0x004058f8
0x00405908
0x0040590a
0x00405910
0x00405913
0x00405916
0x004059ce
0x004059ce
0x004059d2
0x004059d4
0x004059d4
0x004059d4
0x004059d4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040591c
0x0040591c
0x00405925
0x0040592b
0x00405930
0x00405933
0x00405935
0x00405939
0x0040593b
0x0040593b
0x00405939
0x0040593e
0x00405941
0x00405954
0x00405956
0x0040595b
0x00405962
0x0040597d
0x00405982
0x00405984
0x004059a8
0x00405986
0x00405986
0x00405989
0x0040599d
0x0040598b
0x0040598e
0x00405996
0x00405996
0x00405989
0x00405964
0x0040596a
0x0040596c
0x00405972
0x00405972
0x0040596c
0x00000000
0x00405962
0x00405943
0x00405946
0x00405948
0x00000000
0x00000000
0x0040594a
0x0040594c
0x00000000
0x00000000
0x0040594e
0x00405952
0x00000000
0x00000000
0x00000000
0x004059ad
0x004059b7
0x004059bd
0x004059bd
0x004059c8
0x00000000
0x004059c8
0x004058e4
0x004058eb
0x00000000
0x00000000
0x00000000
0x004058a9
0x004058a9
0x004058ab
0x004059d8
0x004059da
0x004059dd
0x00405a2e
0x00405a2e
0x00405a2e
0x004059df
0x004059e2
0x004059ed
0x004059f2
0x004059f4
0x00000000
0x00000000
0x004059f7
0x00405a03
0x00405a08
0x00405a0a
0x00000000
0x00405a25
0x00405a0c
0x00405a0f
0x00000000
0x00000000
0x00405a14
0x00000000
0x00405a1b
0x004059e4
0x004059e4
0x00000000
0x004059e4
0x004058b1
0x004058b4
0x00000000
0x00000000
0x00000000
0x004058b4

APIs

DeleteFileA.KERNELBASE(?,?,766DFA90,766DF560,00000000), ref: 0040588A
lstrcatA.KERNEL32(00421D38,\*.*,00421D38,?,?,766DFA90,766DF560,00000000), ref: 004058D2
lstrcatA.KERNEL32(?,0040A014,?,00421D38,?,?,766DFA90,766DF560,00000000), ref: 004058F3
lstrlenA.KERNEL32(?,?,0040A014,?,00421D38,?,?,766DFA90,766DF560,00000000), ref: 004058F9
FindFirstFileA.KERNELBASE(00421D38,?,?,?,0040A014,?,00421D38,?,?,766DFA90,766DF560,00000000), ref: 0040590A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059B7
FindClose.KERNEL32(00000000), ref: 004059C8

Strings

"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 00405861
\*.*, xrefs: 004058CC

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $\*.*
API String ID: 2035342205-1074708321
Opcode ID: 077a36a50d83c1391667612b3efbe58f735d29fea3e92bce5bfb405d90697cf1
Instruction ID: 1dcfc4082d76b88a8dbc056b088e655b37054d2965a561fc4bca86fefb361094
Opcode Fuzzy Hash: 077a36a50d83c1391667612b3efbe58f735d29fea3e92bce5bfb405d90697cf1
Instruction Fuzzy Hash: 8C51AF71900A04EADB22AB258C85BBF7A78DF42724F14817BF851B51D2D73C4982DF6E

Uniqueness

Uniqueness Score: -1.00%

Function 00406725 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406725() {
				void* _t452;
				signed int _t453;
				signed int _t486;
				signed int* _t525;
				void* _t532;

				L0:
				while(1) {
					L0:
					if( *(_t532 - 0x40) != 0) {
						 *(_t532 - 0x34) = 1;
						 *(_t532 - 0x84) = 7;
						_t525 =  *(_t532 - 4) + 0x180 +  *(_t532 - 0x38) * 2;
						goto L117;
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							do {
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t216 = __edx + 1; // 0x1
									__ebx = _t216;
									__cx = __ax >> 5;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									goto L58;
								} else {
									if( *(__ebp - 0x6c) == 0) {
										 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
										goto L138;
									} else {
										__ecx =  *(__ebp - 0x70);
										__eax =  *(__ebp - 0xc);
										 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
										__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
										 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
										 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										_t202 = __ebp - 0x70;
										 *_t202 =  *(__ebp - 0x70) + 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										goto L58;
									}
								}
								goto L140;
								L58:
							} while (__ebx < 0x100);
							goto L54;
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											goto L53;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) >= 0x1000000) {
											continue;
										} else {
											if( *(__ebp - 0x6c) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
												goto L138;
											} else {
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t155 = __ebp - 0x70;
												 *_t155 =  *(__ebp - 0x70) + 1;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												continue;
											}
										}
										goto L140;
									}
									goto L53;
								} else {
									if(__ebx >= 0x100) {
										L53:
										_t172 = __ebp - 0x34;
										 *_t172 =  *(__ebp - 0x34) & 0x00000000;
										L54:
										__al =  *(__ebp - 0x44);
										 *(__ebp - 0x5c) =  *(__ebp - 0x44);
										if( *(__ebp - 0x64) == 0) {
											 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
											goto L138;
										} else {
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t191 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t191;
											L77:
											 *(__ebp - 0x14) = __edx;
											L78:
											 *((intOrPtr*)(__ebp - 0x88)) = 2;
											L1:
											_t452 =  *(_t532 - 0x88);
											if(_t452 > 0x1c) {
												L139:
												_t453 = _t452 | 0xffffffff;
											} else {
												switch( *((intOrPtr*)(_t452 * 4 +  &M00406FC8))) {
													case 0:
														if( *(_t532 - 0x6c) == 0) {
															goto L138;
														} else {
															 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
															 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
															_t452 =  *( *(_t532 - 0x70));
															if(_t452 > 0xe1) {
																goto L139;
															} else {
																_t456 = _t452 & 0x000000ff;
																_push(0x2d);
																asm("cdq");
																_pop(_t488);
																_push(9);
																_pop(_t489);
																_t528 = _t456 / _t488;
																_t458 = _t456 % _t488 & 0x000000ff;
																asm("cdq");
																_t523 = _t458 % _t489 & 0x000000ff;
																 *(_t532 - 0x3c) = _t523;
																 *(_t532 - 0x1c) = (1 << _t528) - 1;
																 *((intOrPtr*)(_t532 - 0x18)) = (1 << _t458 / _t489) - 1;
																_t531 = (0x300 << _t523 + _t528) + 0x736;
																if(0x600 ==  *((intOrPtr*)(_t532 - 0x78))) {
																	L10:
																	if(_t531 != 0) {
																		do {
																			_t531 = _t531 - 1;
																			 *((short*)( *(_t532 - 4) + _t531 * 2)) = 0x400;
																		} while (_t531 != 0);
																	}
																	 *(_t532 - 0x48) =  *(_t532 - 0x48) & 0x00000000;
																	 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
																	goto L15;
																} else {
																	if( *(_t532 - 4) != 0) {
																		GlobalFree( *(_t532 - 4));
																	}
																	_t452 = GlobalAlloc(0x40, 0x600); // executed
																	 *(_t532 - 4) = _t452;
																	if(_t452 == 0) {
																		goto L139;
																	} else {
																		 *((intOrPtr*)(_t532 - 0x78)) = 0x600;
																		goto L10;
																	}
																}
															}
														}
														goto L140;
													case 1:
														L13:
														__eflags =  *(_t532 - 0x6c);
														if( *(_t532 - 0x6c) == 0) {
															 *(_t532 - 0x88) = 1;
															goto L138;
														} else {
															 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
															 *(_t532 - 0x40) =  *(_t532 - 0x40) | ( *( *(_t532 - 0x70)) & 0x000000ff) <<  *(_t532 - 0x48) << 0x00000003;
															 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
															_t45 = _t532 - 0x48;
															 *_t45 =  *(_t532 - 0x48) + 1;
															__eflags =  *_t45;
															L15:
															if( *(_t532 - 0x48) < 4) {
																goto L13;
															} else {
																_t464 =  *(_t532 - 0x40);
																if(_t464 ==  *(_t532 - 0x74)) {
																	L20:
																	 *(_t532 - 0x48) = 5;
																	 *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) =  *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) & 0x00000000;
																	goto L23;
																} else {
																	 *(_t532 - 0x74) = _t464;
																	if( *(_t532 - 8) != 0) {
																		GlobalFree( *(_t532 - 8));
																	}
																	_t452 = GlobalAlloc(0x40,  *(_t532 - 0x40)); // executed
																	 *(_t532 - 8) = _t452;
																	if(_t452 == 0) {
																		goto L139;
																	} else {
																		goto L20;
																	}
																}
															}
														}
														goto L140;
													case 2:
														L24:
														_t471 =  *(_t532 - 0x60) &  *(_t532 - 0x1c);
														 *(_t532 - 0x84) = 6;
														 *(_t532 - 0x4c) = _t471;
														_t525 =  *(_t532 - 4) + (( *(_t532 - 0x38) << 4) + _t471) * 2;
														goto L117;
													case 3:
														L21:
														__eflags =  *(_t532 - 0x6c);
														if( *(_t532 - 0x6c) == 0) {
															 *(_t532 - 0x88) = 3;
															goto L138;
														} else {
															 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
															_t67 = _t532 - 0x70;
															 *_t67 =  &(( *(_t532 - 0x70))[1]);
															__eflags =  *_t67;
															 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
															L23:
															 *(_t532 - 0x48) =  *(_t532 - 0x48) - 1;
															if( *(_t532 - 0x48) != 0) {
																goto L21;
															} else {
																goto L24;
															}
														}
														goto L140;
													case 4:
														L118:
														_t449 =  *_t525;
														_t508 = _t449 & 0x0000ffff;
														_t483 = ( *(_t532 - 0x10) >> 0xb) * _t508;
														if( *(_t532 - 0xc) >= _t483) {
															 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t483;
															 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t483;
															 *(_t532 - 0x40) = 1;
															_t450 = _t449 - (_t449 >> 5);
															__eflags = _t450;
															 *_t525 = _t450;
														} else {
															 *(_t532 - 0x10) = _t483;
															 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
															 *_t525 = (0x800 - _t508 >> 5) + _t449;
														}
														if( *(_t532 - 0x10) >= 0x1000000) {
															goto L124;
														} else {
															goto L122;
														}
														goto L140;
													case 5:
														L122:
														if( *(_t532 - 0x6c) == 0) {
															 *(_t532 - 0x88) = 5;
															goto L138;
														} else {
															 *(_t532 - 0x10) =  *(_t532 - 0x10) << 8;
															 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
															 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
															 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
															L124:
															_t451 =  *(_t532 - 0x84);
															 *(_t532 - 0x88) = _t451;
															goto L1;
														}
														goto L140;
													case 6:
														goto L0;
													case 7:
														__eflags =  *(__ebp - 0x40) - 1;
														if( *(__ebp - 0x40) != 1) {
															__eax =  *(__ebp - 0x24);
															 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
															 *(__ebp - 0x20) =  *(__ebp - 0x24);
															__eax =  *(__ebp - 0x28);
															 *(__ebp - 0x24) =  *(__ebp - 0x28);
															__eax =  *(__ebp - 0x2c);
															 *(__ebp - 0x28) =  *(__ebp - 0x2c);
															__eax = 0;
															__eflags =  *(__ebp - 0x38) - 7;
															0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
															__al = __al & 0x000000fd;
															__eax = (__eflags >= 0) - 1 + 0xa;
															 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
															__eax =  *(__ebp - 4);
															__eax =  *(__ebp - 4) + 0x664;
															__eflags = __eax;
															 *(__ebp - 0x58) = __eax;
															goto L67;
														} else {
															__eax =  *(__ebp - 4);
															__ecx =  *(__ebp - 0x38);
															 *((intOrPtr*)(__ebp - 0x84)) = 8;
															__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
														}
														goto L117;
													case 8:
														__eflags =  *(__ebp - 0x40);
														if( *(__ebp - 0x40) != 0) {
															__eax =  *(__ebp - 4);
															__ecx =  *(__ebp - 0x38);
															 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
															__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
														} else {
															__eax =  *(__ebp - 0x38);
															__ecx =  *(__ebp - 4);
															__eax =  *(__ebp - 0x38) + 0xf;
															 *((intOrPtr*)(__ebp - 0x84)) = 9;
															 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
															__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c))) * 2;
														}
														goto L117;
													case 9:
														__eflags =  *(__ebp - 0x40);
														if( *(__ebp - 0x40) != 0) {
															goto L87;
														} else {
															__eflags =  *(__ebp - 0x60);
															if( *(__ebp - 0x60) == 0) {
																goto L139;
															} else {
																__eax = 0;
																__eflags =  *(__ebp - 0x38) - 7;
																0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
																 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
																__eflags =  *(__ebp - 0x64);
																if( *(__ebp - 0x64) == 0) {
																	 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
																	goto L138;
																} else {
																	__eax =  *(__ebp - 0x14);
																	__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
																	__eflags = __eax -  *(__ebp - 0x74);
																	if(__eax >=  *(__ebp - 0x74)) {
																		__eax = __eax +  *(__ebp - 0x74);
																		__eflags = __eax;
																	}
																	__edx =  *(__ebp - 8);
																	__cl =  *(__eax + __edx);
																	__eax =  *(__ebp - 0x14);
																	 *(__ebp - 0x5c) = __cl;
																	 *(__eax + __edx) = __cl;
																	__eax = __eax + 1;
																	__edx = 0;
																	_t274 = __eax %  *(__ebp - 0x74);
																	__eax = __eax /  *(__ebp - 0x74);
																	__edx = _t274;
																	__eax =  *(__ebp - 0x68);
																	 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
																	 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																	_t283 = __ebp - 0x64;
																	 *_t283 =  *(__ebp - 0x64) - 1;
																	__eflags =  *_t283;
																	 *( *(__ebp - 0x68)) = __cl;
																	goto L77;
																}
															}
														}
														goto L140;
													case 0xa:
														__eflags =  *(__ebp - 0x40);
														if( *(__ebp - 0x40) != 0) {
															__eax =  *(__ebp - 4);
															__ecx =  *(__ebp - 0x38);
															 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
															__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
														} else {
															__eax =  *(__ebp - 0x28);
															goto L86;
														}
														goto L117;
													case 0xb:
														__eflags =  *(__ebp - 0x40);
														if( *(__ebp - 0x40) != 0) {
															__ecx =  *(__ebp - 0x24);
															__eax =  *(__ebp - 0x20);
															 *(__ebp - 0x20) =  *(__ebp - 0x24);
														} else {
															__eax =  *(__ebp - 0x24);
														}
														__ecx =  *(__ebp - 0x28);
														 *(__ebp - 0x24) =  *(__ebp - 0x28);
														L86:
														__ecx =  *(__ebp - 0x2c);
														 *(__ebp - 0x2c) = __eax;
														 *(__ebp - 0x28) =  *(__ebp - 0x2c);
														L87:
														__eax =  *(__ebp - 4);
														 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
														__eax =  *(__ebp - 4) + 0xa68;
														 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
														L67:
														__esi =  *(__ebp - 0x58);
														 *((intOrPtr*)(__ebp - 0x84)) = 0x12;
														L117:
														 *(_t532 - 0x54) = _t525;
														goto L118;
													case 0xc:
														while(1) {
															L88:
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																break;
															}
															__ecx =  *(__ebp - 0x70);
															__eax =  *(__ebp - 0xc);
															 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
															__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
															 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
															 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															_t315 = __ebp - 0x70;
															 *_t315 =  *(__ebp - 0x70) + 1;
															__eflags =  *_t315;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															__eax =  *(__ebp - 0x2c);
															while(1) {
																_t319 = __ebp - 0x48;
																 *_t319 =  *(__ebp - 0x48) - 1;
																__eflags =  *_t319;
																__eflags =  *(__ebp - 0x48);
																if( *(__ebp - 0x48) <= 0) {
																	break;
																}
																__ecx =  *(__ebp - 0xc);
																__ebx = __ebx + __ebx;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
																__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
																 *(__ebp - 0x44) = __ebx;
																if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
																	__ecx =  *(__ebp - 0x10);
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
																	__ebx = __ebx | 0x00000001;
																	__eflags = __ebx;
																	 *(__ebp - 0x44) = __ebx;
																}
																__eflags =  *(__ebp - 0x10) - 0x1000000;
																if( *(__ebp - 0x10) >= 0x1000000) {
																	continue;
																} else {
																	goto L88;
																}
																goto L140;
															}
															__eax = __eax + __ebx;
															 *(__ebp - 0x40) = 4;
															 *(__ebp - 0x2c) = __eax;
															__eax =  *(__ebp - 4);
															__eax =  *(__ebp - 4) + 0x644;
															__eflags = __eax;
															__ebx = 0;
															 *(__ebp - 0x58) = __eax;
															 *(__ebp - 0x50) = 1;
															 *(__ebp - 0x44) = 0;
															 *(__ebp - 0x48) = 0;
															while(1) {
																__eax =  *(__ebp - 0x40);
																__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
																if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
																	break;
																}
																__eax =  *(__ebp - 0x50);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
																__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
																__eax =  *(__ebp - 0x58);
																__esi = __edi + __eax;
																 *(__ebp - 0x54) = __esi;
																__ax =  *__esi;
																__ecx = __ax & 0x0000ffff;
																__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
																__eflags =  *(__ebp - 0xc) - __edx;
																if( *(__ebp - 0xc) >= __edx) {
																	__ecx = 0;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
																	__ecx = 1;
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
																	__ebx = 1;
																	__ecx =  *(__ebp - 0x48);
																	__ebx = 1 << __cl;
																	__ecx = 1 << __cl;
																	__ebx =  *(__ebp - 0x44);
																	__ebx =  *(__ebp - 0x44) | __ecx;
																	__cx = __ax;
																	__cx = __ax >> 5;
																	__eax = __eax - __ecx;
																	__edi = __edi + 1;
																	__eflags = __edi;
																	 *(__ebp - 0x44) = __ebx;
																	 *__esi = __ax;
																	 *(__ebp - 0x50) = __edi;
																} else {
																	 *(__ebp - 0x10) = __edx;
																	0x800 = 0x800 - __ecx;
																	0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
																	 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
																	 *__esi = __dx;
																}
																__eflags =  *(__ebp - 0x10) - 0x1000000;
																if( *(__ebp - 0x10) >= 0x1000000) {
																	L100:
																	_t349 = __ebp - 0x48;
																	 *_t349 =  *(__ebp - 0x48) + 1;
																	__eflags =  *_t349;
																	continue;
																} else {
																	__eflags =  *(__ebp - 0x6c);
																	if( *(__ebp - 0x6c) == 0) {
																		 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
																		goto L138;
																	} else {
																		__ecx =  *(__ebp - 0x70);
																		__eax =  *(__ebp - 0xc);
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																		__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																		 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																		 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																		_t346 = __ebp - 0x70;
																		 *_t346 =  *(__ebp - 0x70) + 1;
																		__eflags =  *_t346;
																		 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																		goto L100;
																	}
																}
																goto L140;
															}
															_t372 = __ebp - 0x2c;
															 *_t372 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t372;
															_t374 = __ebp - 0x2c;
															 *_t374 =  *(__ebp - 0x2c) + 1;
															__eflags =  *_t374;
															__eax =  *(__ebp - 0x2c);
															__eflags = __eax;
															if(__eax == 0) {
																 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
																goto L138;
															} else {
																__eflags = __eax -  *(__ebp - 0x60);
																if(__eax >  *(__ebp - 0x60)) {
																	goto L139;
																} else {
																	 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
																	__eax =  *(__ebp - 0x30);
																	_t381 = __ebp - 0x60;
																	 *_t381 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
																	__eflags =  *_t381;
																	while(1) {
																		__eflags =  *(__ebp - 0x64);
																		if( *(__ebp - 0x64) == 0) {
																			break;
																		}
																		__eax =  *(__ebp - 0x14);
																		__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
																		__eflags = __eax -  *(__ebp - 0x74);
																		if(__eax >=  *(__ebp - 0x74)) {
																			__eax = __eax +  *(__ebp - 0x74);
																			__eflags = __eax;
																		}
																		__edx =  *(__ebp - 8);
																		__cl =  *(__eax + __edx);
																		__eax =  *(__ebp - 0x14);
																		 *(__ebp - 0x5c) = __cl;
																		 *(__eax + __edx) = __cl;
																		__eax = __eax + 1;
																		__edx = 0;
																		_t395 = __eax %  *(__ebp - 0x74);
																		__eax = __eax /  *(__ebp - 0x74);
																		__edx = _t395;
																		__eax =  *(__ebp - 0x68);
																		 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																		 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
																		 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																		__eflags =  *(__ebp - 0x30);
																		 *( *(__ebp - 0x68)) = __cl;
																		 *(__ebp - 0x14) = __edx;
																		if( *(__ebp - 0x30) > 0) {
																			continue;
																		} else {
																			goto L78;
																		}
																		goto L140;
																	}
																	 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
																	goto L138;
																}
															}
															goto L140;
														}
														 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
														goto L138;
													case 0xd:
														goto L36;
												}
											}
										}
									} else {
										goto L40;
									}
								}
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
									L138:
									_t486 = 0x22;
									memcpy( *(_t532 - 0x90), _t532 - 0x88, _t486 << 2);
									_t453 = 0;
								} else {
									__ecx =  *(__ebp - 0x70);
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
									__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
									 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
									 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									_t121 = __ebp - 0x70;
									 *_t121 =  *(__ebp - 0x70) + 1;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									goto L38;
								}
							}
						}
					}
					L140:
					return _t453;
				}
			}

0x00000000
0x00406725
0x00406725
0x0040672a
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x00406751
0x00406758
0x0040675b
0x00406766
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x00406780
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406869
0x0040686c
0x004067e3
0x004067e3
0x004067e9
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x004065a9
0x004065a9
0x004065b2
0x00406fc0
0x00406fc0
0x004065b8
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406de0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de2
0x00406de6
0x00406f95
0x00000000
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00406e07
0x00406e07
0x00406e0d
0x00000000
0x00406e0d
0x00000000
0x00000000
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x004069da
0x00000000
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00406a7b
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x00000000
0x00000000
0x004065b8
0x004065b2
0x00000000
0x00000000
0x00000000
0x004067f5
0x00406872
0x004067be
0x004067c2
0x00406f2f
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067e0
0x00000000
0x004067e0
0x004067c2
0x0040686c
0x00406775
0x00406fc3
0x00406fc7
0x00406fc7

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
Instruction ID: 4aa70ef1b53fe275c3baa8fcae8ec6f6e0a9bb882f540f469220498d10fac131
Opcode Fuzzy Hash: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
Instruction Fuzzy Hash: E9F16671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D7785A9ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040639C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040639C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x422580); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x422580;
			}

0x004063a7
0x004063b0
0x00000000
0x004063bd
0x004063b3
0x00000000

APIs

FindFirstFileA.KERNELBASE(766DFA90,00422580,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,00405B62,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,766DFA90,?,766DF560,00405881,?,766DFA90,766DF560), ref: 004063A7
FindClose.KERNEL32(00000000), ref: 004063B3

Strings

C:\Users\user\AppData\Local\Temp\nsb3C99.tmp, xrefs: 0040639C

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp
API String ID: 2295610775-2385664813
Opcode ID: 650a356e45ca360fc625af9c332ec7d5af07b83f4ad3dd0750b8552cb66ed4f4
Instruction ID: 7ad18ffb452888df832aaad39da4d842c40e8f76539fb63f13b43eacc156c169
Opcode Fuzzy Hash: 650a356e45ca360fc625af9c332ec7d5af07b83f4ad3dd0750b8552cb66ed4f4
Instruction Fuzzy Hash: 7CD012316050306BC20117386E0C84B7A5C9F053307119B37F9A6F12E0D7748CB286DD

Uniqueness

Uniqueness Score: -1.00%

Function 00403C86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403C86(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x420d18 = _t35;
					if(_t116 == 0x110) {
						 *0x424728 = _t126;
						 *0x420d2c = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41fcf8 = _t92;
						E0040415A(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x423f08); // executed
						 *0x423eec = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x420d18 = 1;
					}
					_t123 =  *0x40a1f8; // 0x0
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x424760;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E004041A6(0x40b);
						while(1) {
							_t37 =  *0x420d18; // 0x1
							 *0x40a1f8 =  *0x40a1f8 + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1f8; // 0x0
							__eflags = _t39 -  *0x424764;
							if(_t39 ==  *0x424764) {
								E0040140B(1);
							}
							__eflags =  *0x423eec - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1f8 -  *0x424764; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E004060BB(_t117, _t126, _t131, 0x42c800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E0040415A(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E0040415A(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E0040415A(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x4247cc - _t134;
							_v32 = _t49;
							if( *0x4247cc != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008); // executed
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // executed
							E0040417C(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x41fcf8, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x4247cc - _t134;
							if( *0x4247cc == _t134) {
								_push( *0x420d2c);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x41fcf8);
							}
							E0040418F();
							E00406099(0x420d30, E00403C67());
							E004060BB(0x420d30, _t126, _t131,  &(0x420d30[lstrlenA(0x420d30)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x420d30); // executed
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x423ef8); // executed
									 *0x420508 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x424720,  *_t131 +  *0x423f00 & 0x0000ffff, _t126,  *(0x40a1fc +  *(_t131 + 4) * 4), _t131); // executed
									__eflags = _t74 - _t134;
									 *0x423ef8 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E0040415A(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x423ef8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x423eec - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x423ef8, 8); // executed
									E004041A6(0x405);
									goto L58;
								}
								__eflags =  *0x4247cc - _t134;
								if( *0x4247cc != _t134) {
									goto L61;
								}
								__eflags =  *0x4247c0 - _t134;
								if( *0x4247c0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423ef8);
						 *0x424728 = _t134;
						EndDialog(_t126,  *0x420100);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x423ef8, 0x40f, 0, 1);
						__eflags =  *0x423eec - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x420d10, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420d10,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E004041C1(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x423ef8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x4247cc - _t134;
										if( *0x4247cc == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x420100 = 1;
											L21:
											_push(0x78);
											L22:
											E00404133();
											goto L26;
										}
										E0040140B(_t128);
										 *0x420100 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1f8 - _t134; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x423ef8);
						 *0x423ef8 = _a12;
						L58:
						if( *0x421d30 == _t134) {
							_t143 =  *0x423ef8 - _t134; // 0x40460
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa); // executed
								 *0x421d30 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403c8f
0x00403c98
0x00403dd9
0x00403ddd
0x00403de1
0x00403de3
0x00403de8
0x00403df3
0x00403dfe
0x00403e03
0x00403e05
0x00403e07
0x00403e0a
0x00403e0f
0x00403e1d
0x00403e2a
0x00403e31
0x00403e31
0x00403e32
0x00403e32
0x00403e37
0x00403e3d
0x00403e44
0x00403e4a
0x00403e4c
0x00403e8c
0x00403e91
0x00403e96
0x00403e96
0x00403e9b
0x00403ea4
0x00403ea6
0x00403eab
0x00403eb1
0x00403eb5
0x00403eb5
0x00403eba
0x00403ec0
0x00000000
0x00000000
0x00403ecb
0x00403ed1
0x00000000
0x00000000
0x00403eda
0x00403ee2
0x00403ee7
0x00403eea
0x00403ef0
0x00403ef5
0x00403ef8
0x00403efe
0x00403f03
0x00403f06
0x00403f0c
0x00403f14
0x00403f1a
0x00403f20
0x00403f24
0x00403f2b
0x00403f2b
0x00403f2b
0x00403f35
0x00403f47
0x00403f53
0x00403f58
0x00403f62
0x00403f68
0x00403f6a
0x00403f6f
0x00403f6c
0x00403f6c
0x00403f6c
0x00403f7f
0x00403f97
0x00403f99
0x00403f9f
0x00403fb4
0x00403fa1
0x00403faa
0x00403fac
0x00403fac
0x00403fba
0x00403fcb
0x00403fdc
0x00403fe3
0x00403fe9
0x00403fed
0x00403ff2
0x00403ff4
0x00000000
0x00403ffa
0x00403ffa
0x00403ffc
0x00000000
0x00000000
0x00404002
0x00404006
0x0040402b
0x00404031
0x00404037
0x00404039
0x00000000
0x00000000
0x0040405f
0x00404065
0x00404067
0x0040406c
0x00000000
0x00000000
0x00404072
0x00404075
0x00404078
0x0040408f
0x0040409b
0x004040b4
0x004040ba
0x004040be
0x004040c3
0x004040c9
0x00000000
0x00000000
0x004040d3
0x004040de
0x00000000
0x004040de
0x00404008
0x0040400e
0x00000000
0x00000000
0x00404014
0x0040401a
0x00000000
0x00000000
0x00000000
0x00404020
0x00403ff4
0x004040eb
0x004040f7
0x004040fe
0x00000000
0x00403e4e
0x00403e4e
0x00403e51
0x00403e84
0x00403e84
0x00403e86
0x00000000
0x00000000
0x00000000
0x00403e86
0x00403e53
0x00403e57
0x00403e5c
0x00403e5e
0x00000000
0x00000000
0x00403e6e
0x00403e76
0x00000000
0x00403e7c
0x00403caa
0x00403caa
0x00403cae
0x00403cb3
0x00403cc2
0x00403cc2
0x00403ccb
0x00403cd4
0x00403cdf
0x00403cdf
0x00403ceb
0x00403d07
0x00403d0a
0x00403d1d
0x00403d23
0x00403dc6
0x00000000
0x00403dcf
0x00403d29
0x00403d36
0x00403d38
0x00403d3a
0x00403d59
0x00403d59
0x00403d5c
0x00403d61
0x00403d64
0x00403d74
0x00403d75
0x00403d77
0x00403dad
0x00403dc0
0x00000000
0x00403dc0
0x00403d79
0x00403d7f
0x00403d98
0x00403d9d
0x00403d9f
0x00000000
0x00000000
0x00403da1
0x00403d8d
0x00403d8d
0x00403d8f
0x00403d8f
0x00000000
0x00403d8f
0x00403d82
0x00403d87
0x00000000
0x00403d87
0x00403d66
0x00403d6c
0x00000000
0x00000000
0x00403d6e
0x00000000
0x00403d6e
0x00403d5e
0x00000000
0x00403d5e
0x00403d44
0x00403d4b
0x00403d51
0x00403d53
0x00000000
0x00000000
0x00000000
0x00403d53
0x00403d0f
0x00000000
0x00403ced
0x00403cf3
0x00403cfd
0x00404104
0x0040410a
0x0040410c
0x00404112
0x00404117
0x0040411d
0x0040411d
0x00404112
0x00404127
0x00000000
0x00404127
0x00403ceb

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC2
ShowWindow.USER32(?), ref: 00403CDF
DestroyWindow.USER32 ref: 00403CF3
SetWindowLongA.USER32 ref: 00403D0F
GetDlgItem.USER32 ref: 00403D30
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D44
IsWindowEnabled.USER32(00000000), ref: 00403D4B
GetDlgItem.USER32 ref: 00403DF9
GetDlgItem.USER32 ref: 00403E03
KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403E1D
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E6E
GetDlgItem.USER32 ref: 00403F14
ShowWindow.USER32(00000000,?), ref: 00403F35
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F47
EnableWindow.USER32(?,?), ref: 00403F62
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F78
EnableMenuItem.USER32 ref: 00403F7F
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F97
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FAA
lstrlenA.KERNEL32(Borerig Setup: Installing,?,Borerig Setup: Installing,00000000), ref: 00403FD4
SetWindowTextA.USER32(?,Borerig Setup: Installing), ref: 00403FE3
ShowWindow.USER32(?,0000000A), ref: 00404117

Strings

Borerig Setup: Installing, xrefs: 00403FC4, 00403FCA, 00403FD3, 00403FE1

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID: Borerig Setup: Installing
API String ID: 3906175533-1266718173
Opcode ID: 52da23376c786621b01899b05758cefab0ff852f565aac078f1ff0427d2d89b0
Instruction ID: afa02c3f8619f32611db6353159f3c7bef7a20c9a9555f4ee95b1447c660ea49
Opcode Fuzzy Hash: 52da23376c786621b01899b05758cefab0ff852f565aac078f1ff0427d2d89b0
Instruction Fuzzy Hash: 6FC11271600201FBDB206F61EE89D2B3AB8FB94306F51053EF661B51F0CB7998829B1D

Uniqueness

Uniqueness Score: -1.00%

Function 004038E9 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004038E9(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x424734;
				_t17 = E00406431(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x420d30;
					"1033" = 0x30;
					 *0x42b001 = 0x78;
					 *0x42b002 = 0;
					E00405F80(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420d30, 0);
					__eflags =  *0x420d30; // 0x42
					if(__eflags == 0) {
						E00405F80(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040835A, 0x420d30, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E00405FF7("1033",  *_t17() & 0x0000ffff);
				}
				E00403BAE(_t71, _t84);
				_t80 = "C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne";
				 *0x4247c0 =  *0x42473c & 0x00000020;
				 *0x4247dc = 0x10000;
				if(E00405B1F(_t84, "C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne") != 0) {
					L16:
					if(E00405B1F(_t92, _t80) == 0) {
						E004060BB(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
					}
					_t25 = LoadImageA( *0x424720, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423f08 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403BAE(_t71, __eflags);
							__eflags =  *0x4247e0;
							if( *0x4247e0 != 0) {
								_t28 = E00405292(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x423eec; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420d10, 5); // executed
							_t34 = E004063C3("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004063C3("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x423ec0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423ec0);
								 *0x423ee4 = _t81;
								RegisterClassA(0x423ec0);
							}
							_t36 =  *0x423f00; // 0x0
							_t39 = DialogBoxParamA( *0x424720, _t36 + 0x00000069 & 0x0000ffff, 0, E00403C86, 0); // executed
							E00403839(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x424720;
						 *0x423ec4 = E00401000;
						 *0x423ed0 =  *0x424720;
						 *0x423ed4 = _t25;
						 *0x423ee4 = 0x40a210;
						if(RegisterClassA(0x423ec0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x420d10 = CreateWindowExA(0x80, 0x40a210, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x424720, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x4236c0;
					E00405F80(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x424778, 0x4236c0, 0);
					_t57 =  *0x4236c0; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x4236c1;
						 *((char*)(E00405A5C(0x4236c1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00406099(_t80, E00405A31(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405A78(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004038ef
0x004038f8
0x004038ff
0x00403901
0x00403915
0x00403927
0x0040392e
0x00403935
0x0040393b
0x00403940
0x00403946
0x00403959
0x00403959
0x00403964
0x00403903
0x0040390e
0x0040390e
0x00403969
0x00403973
0x0040397c
0x00403981
0x00403992
0x00403a19
0x00403a21
0x00403a2a
0x00403a2a
0x00403a40
0x00403a46
0x00403a54
0x00403ad5
0x00403add
0x00403ae7
0x00403aec
0x00403af2
0x00403b7c
0x00403b81
0x00403b83
0x00403b9f
0x00000000
0x00403b9f
0x00403b85
0x00403b8b
0x00403b93
0x00403b93
0x00000000
0x00403b8b
0x00403b00
0x00403b0b
0x00403b10
0x00403b12
0x00403b19
0x00403b19
0x00403b24
0x00403b2c
0x00403b2e
0x00403b30
0x00403b39
0x00403b3c
0x00403b42
0x00403b42
0x00403b48
0x00403b61
0x00403b72
0x00000000
0x00403b77
0x00403adf
0x00403ae1
0x00000000
0x00403a56
0x00403a56
0x00403a62
0x00403a6c
0x00403a72
0x00403a77
0x00403a86
0x00403ba4
0x00403ba4
0x00000000
0x00403ba4
0x00403a95
0x00403ad0
0x00000000
0x00403ad0
0x00403998
0x00403998
0x0040399b
0x0040399d
0x00000000
0x00000000
0x004039a7
0x004039b7
0x004039bc
0x004039c3
0x00000000
0x00000000
0x004039c7
0x004039c9
0x004039d6
0x004039d6
0x004039de
0x004039e4
0x00403a0c
0x00403a14
0x00000000
0x004039f6
0x004039f7
0x00403a00
0x00403a06
0x00403a07
0x00000000
0x00403a07
0x00403a02
0x00403a04
0x00000000
0x00000000
0x00000000
0x00403a04
0x004039e4

APIs

Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

lstrcatA.KERNEL32(1033,Borerig Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Borerig Setup: Installing,00000000,00000002,766DFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,00000000), ref: 00403964
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne,1033,Borerig Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Borerig Setup: Installing,00000000,00000002,766DFA90), ref: 004039D9
lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne,1033,Borerig Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Borerig Setup: Installing,00000000), ref: 004039EC
GetFileAttributesA.KERNEL32(Call), ref: 004039F7
LoadImageA.USER32 ref: 00403A40

Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004

RegisterClassA.USER32 ref: 00403A7D
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A95
CreateWindowExA.USER32 ref: 00403ACA
ShowWindow.USER32(00000005,00000000), ref: 00403B00
GetClassInfoA.USER32 ref: 00403B2C
GetClassInfoA.USER32 ref: 00403B39
RegisterClassA.USER32 ref: 00403B42
DialogBoxParamA.USER32 ref: 00403B61

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038EE
RichEd20, xrefs: 00403B06
RichEdit20A, xrefs: 00403B24, 00403B2A
_Nb, xrefs: 00403A5C, 00403AC4
Call, xrefs: 004039A7, 004039AF, 004039BC, 00403A06, 00403A0C
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne, xrefs: 00403973, 0040397B, 00403A13, 00403A19, 00403A29
Borerig Setup: Installing, xrefs: 00403915, 0040391B, 00403940, 00403949, 0040395E
"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 004038ED
.DEFAULT\Control Panel\International, xrefs: 0040394F
1033, xrefs: 00403909, 0040395F
RichEdit, xrefs: 00403B33
RichEd32, xrefs: 00403B14
Control Panel\Desktop\ResourceLocale, xrefs: 0040391D
.exe, xrefs: 004039E6

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $.DEFAULT\Control Panel\International$.exe$1033$Borerig Setup: Installing$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-2714494395
Opcode ID: e3ec59447a3a5e7c0f5e833dcd66e45d6aae208e89073c804757ba1de371f7ae
Instruction ID: 64417a43097117c8645ac50bcac1ff1732ece6e83d5d80f238bcb810e00f0866
Opcode Fuzzy Hash: e3ec59447a3a5e7c0f5e833dcd66e45d6aae208e89073c804757ba1de371f7ae
Instruction Fuzzy Hash: 8F61B770340604AED620AF65AD45F3B3A6CDB8575AF40453FF991B22E2CB7D9D028E2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402D98 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402D98(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x424730 = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\Order_002376662-579588_Date 24082022.exe", 0x400);
				_t105 = E00405C32("C:\\Users\\alfons\\Desktop\\Order_002376662-579588_Date 24082022.exe", 0x80000000, 3);
				 *0x40a018 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00406099("C:\\Users\\alfons\\Desktop", "C:\\Users\\alfons\\Desktop\\Order_002376662-579588_Date 24082022.exe");
				E00406099(0x42c000, E00405A78("C:\\Users\\alfons\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x4178e8 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402CF9(1);
					__eflags =  *0x424738;
					if( *0x424738 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00406556(0x40b850);
						E00405C61( &_v300, "C:\\Users\\alfons\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004032C5( *0x424738 + 0x1c);
							 *0x4178ec = _t65;
							 *0x4178e0 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E0040303E(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x424734 = _t110;
								 *0x42473c =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x424740 =  *0x424740 + 1;
									__eflags =  *0x424740;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x4178dc; // 0x58ea
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E00405BED(0x424760, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004032C5( *0x4178d8);
					_t77 = E004032AF( &_a4, 4);
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x424738) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004032AF(0x4178f0, _t106);
						__eflags = _t83;
						if(_t83 == 0) {
							E00402CF9(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x424738;
						if( *0x424738 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402CF9(0);
							}
							goto L19;
						}
						E00405BED( &_v40, 0x4178f0, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x4178d8; // 0x8000
						 *0x4247e0 =  *0x4247e0 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x424738 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x4178e8; // 0x1559
						if(__eflags < 0) {
							_v8 = E004064E8(_v8, 0x4178f0, _t106);
						}
						 *0x4178d8 =  *0x4178d8 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402da6
0x00402da9
0x00402dc3
0x00402dc8
0x00402ddb
0x00402de0
0x00402de6
0x00000000
0x00402de8
0x00402df9
0x00402e0a
0x00402e11
0x00402e17
0x00402e19
0x00402e1e
0x00402e20
0x00402f10
0x00402f12
0x00402f17
0x00402f1e
0x00000000
0x00000000
0x00402f24
0x00402f27
0x00402f53
0x00402f58
0x00402f63
0x00402f65
0x00402f76
0x00402f91
0x00402f97
0x00402f9a
0x00402f9f
0x00402fbe
0x00402fce
0x00402fe0
0x00402fe5
0x00402fea
0x00402fed
0x00402ff6
0x00402ffa
0x00403002
0x00403007
0x00403009
0x00403009
0x00403009
0x00403011
0x00403011
0x00403014
0x00403015
0x00403015
0x00403018
0x0040301a
0x0040301a
0x0040301a
0x0040301d
0x00403024
0x00403030
0x00403035
0x00000000
0x00403035
0x00000000
0x00402fed
0x00000000
0x00402fa1
0x00402f2f
0x00402f3a
0x00402f3f
0x00402f41
0x00000000
0x00000000
0x00402f4a
0x00402f4d
0x00000000
0x00000000
0x00000000
0x00402e26
0x00402e26
0x00402e2b
0x00402e2f
0x00402e36
0x00402e3b
0x00402e3d
0x00402e3f
0x00402e3f
0x00402e47
0x00402e4c
0x00402e4e
0x00402fad
0x00402fef
0x00000000
0x00402fef
0x00402e54
0x00402e5a
0x00402eda
0x00402ede
0x00402ee1
0x00402ee6
0x00000000
0x00402ede
0x00402e67
0x00402e6c
0x00402e6f
0x00402e74
0x00000000
0x00000000
0x00402e76
0x00402e7d
0x00000000
0x00000000
0x00402e7f
0x00402e86
0x00000000
0x00000000
0x00402e88
0x00402e8f
0x00000000
0x00000000
0x00402e91
0x00402e98
0x00000000
0x00000000
0x00402e9a
0x00402ea0
0x00402ea9
0x00402eaf
0x00402eb2
0x00402eb4
0x00402eba
0x00000000
0x00000000
0x00402ec0
0x00402ec4
0x00402ecc
0x00402ecc
0x00402ecf
0x00402ed2
0x00402ed4
0x00402ed6
0x00402ed6
0x00000000
0x00402ed4
0x00402ec6
0x00402eca
0x00000000
0x00000000
0x00000000
0x00402ee7
0x00402ee7
0x00402eed
0x00402efd
0x00402efd
0x00402f00
0x00402f06
0x00402f08
0x00402f08
0x00000000
0x00402e26

APIs

GetTickCount.KERNEL32 ref: 00402DAC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,00000400), ref: 00402DC8

Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00402E11
GlobalAlloc.KERNELBASE(00000040,0040A130), ref: 00402F58

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402DA2, 00402F70
Error launching installer, xrefs: 00402DE8
"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 00402D98
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FA1
Null, xrefs: 00402E91
C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe, xrefs: 00402DB2, 00402DC1, 00402DD5, 00402DF2
soft, xrefs: 00402E88
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402FEF
Inst, xrefs: 00402E7F
C:\Users\user\Desktop, xrefs: 00402DF3, 00402DF8, 00402DFE

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3653858381
Opcode ID: 4785f0ebff018845c403b6ca7344f0ae65bd881e692373c18b1951fa0e6bcd5c
Instruction ID: 415a6227fd12514a0fe47228c9aaee062227cda2d2dbc78d85e3b2e5f7ba07c2
Opcode Fuzzy Hash: 4785f0ebff018845c403b6ca7344f0ae65bd881e692373c18b1951fa0e6bcd5c
Instruction Fuzzy Hash: 2561B271A40205ABDB20EF64DE89B9E7AB8EB40358F20413BF514B62D1DB7C99419B9C

Uniqueness

Uniqueness Score: -1.00%

Function 004060BB Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004060BB(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x423efc; // 0x7cd3ae
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x424778;
				_t39 = 0x4236c0;
				_t90 = 0x4236c0;
				if(_a4 >= 0x4236c0 && _a4 - 0x4236c0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E004060BB(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x4236c0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x425000;
							E00406099(_t90, (_t97 << 0xa) + 0x425000);
						} else {
							E00405FF7(_t90,  *0x424728);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E00406303(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42472c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x4247c4;
						if( *0x4247c4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x424724;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x424728,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x424728,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // executed
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00405F80((_t80 & 0x0000003f) +  *0x424778, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x424778, _t90, _t80 & 0x00000040); // executed
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004060BB(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E00406099(_a4, _t39);
			}

0x004060bb
0x004060bb
0x004060bb
0x004060c1
0x004060c6
0x004060c8
0x004060d7
0x004060d7
0x004060df
0x004060e0
0x004060e1
0x004060e2
0x004060e5
0x004060ed
0x004060ef
0x00406106
0x00406109
0x00406109
0x004062e0
0x004062e0
0x004062e4
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406123
0x00406126
0x00406129
0x004062d3
0x004062dd
0x004062df
0x004062df
0x004062d5
0x004062d7
0x004062d9
0x004062da
0x004062da
0x00000000
0x004062d3
0x0040612f
0x00406133
0x00406143
0x0040614a
0x0040614d
0x00406155
0x00406158
0x0040615f
0x00406160
0x00406163
0x00406280
0x00406283
0x004062b3
0x004062b6
0x004062bb
0x004062bf
0x004062bf
0x004062c4
0x004062ca
0x004062cc
0x00000000
0x004062cc
0x00406285
0x00406288
0x0040629d
0x004062a4
0x0040628a
0x00406291
0x00406291
0x004062ac
0x004062af
0x00406278
0x00406279
0x00406279
0x00000000
0x004062af
0x00406169
0x00406170
0x00406172
0x00406173
0x0040618d
0x0040618d
0x00406194
0x00406194
0x0040619b
0x0040619f
0x0040619f
0x004061a0
0x004061a2
0x004061db
0x004061de
0x004061ee
0x004061f1
0x004061f9
0x004061ff
0x004061ff
0x0040625e
0x0040625e
0x00406260
0x00000000
0x00000000
0x00406203
0x0040620a
0x0040620b
0x0040620d
0x00406227
0x00406235
0x0040623b
0x0040623d
0x0040625b
0x0040625b
0x0040625b
0x00000000
0x0040625b
0x00406243
0x0040624c
0x0040624f
0x00406255
0x00406259
0x00000000
0x00000000
0x00000000
0x00406259
0x0040620f
0x00406212
0x00000000
0x00000000
0x00406221
0x00406223
0x00406225
0x00000000
0x00000000
0x00000000
0x00406225
0x00000000
0x0040625e
0x004061e6
0x00000000
0x004061a4
0x004061bf
0x004061c4
0x004061c7
0x00406267
0x00406267
0x0040626b
0x00406273
0x00406273
0x00000000
0x0040626b
0x004061d1
0x00406262
0x00406262
0x00406265
0x00000000
0x00000000
0x00000000
0x00406265
0x004061a2
0x00406175
0x00406179
0x00000000
0x00000000
0x0040617b
0x0040617f
0x00000000
0x00000000
0x00406181
0x00406185
0x00000000
0x00406187
0x00406187
0x00000000
0x00406187
0x00406185
0x004062ea
0x004062f4
0x00406300
0x00406300
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 004061E6
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,004051F8,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000), ref: 004061F9
SHGetSpecialFolderLocation.SHELL32(004051F8,00000000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,004051F8,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000), ref: 00406235
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406243
CoTaskMemFree.OLE32(00000000), ref: 0040624F
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406273
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,004051F8,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000,00000000), ref: 004062C5

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll, xrefs: 004060E0
Call, xrefs: 004060E5, 004061B2, 004061B3, 004061B4, 004061D0, 004061E5, 004061F8, 00406214, 0040623F, 00406272, 00406278, 00406290, 004062A3, 004062BE, 004062C4, 004062CC, 004062F6
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040626D
Software\Microsoft\Windows\CurrentVersion, xrefs: 004061B5

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-3265152439
Opcode ID: ab93b42b91f91bae910e6fac62c15208670ece31f71cd1d64f2b49d88cab81d9
Instruction ID: 009d83548d98726144a2e54fa316bc550aecd198e2c9f4ca7d92c8f0a1cd1b24
Opcode Fuzzy Hash: ab93b42b91f91bae910e6fac62c15208670ece31f71cd1d64f2b49d88cab81d9
Instruction Fuzzy Hash: 7361F271900105AEDF20AF64C894B7A3BA4EB56710F1241BFE913BA2D1C77C8962CB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402AC1(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405A9E(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405A31(E00406099(0x40a400, "C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne\\Tilegnelserne\\Suppegrydernes79")), ??);
				} else {
					_push(0x40a400);
					E00406099();
				}
				E00406303(0x40a400);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E0040639C(0x40a400);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405C0D(0x40a400);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405C32(0x40a400, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E004051C0(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x4247c8;
						goto L32;
					} else {
						E00406099(0x40ac00, 0x425000);
						E00406099(0x425000, 0x40a400);
						E004060BB(_t75, 0x40ac00, 0x40a400, "C:\Users\alfons\AppData\Local\Temp\nsb3C99.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E00406099(0x425000, 0x40ac00);
						_t62 = E004057B5("C:\Users\alfons\AppData\Local\Temp\nsb3C99.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x4247c8 =  &( *0x4247c8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x40a400);
								_push(0xfffffffa);
								E004051C0();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E004051C0(0xffffffea,  *(_t85 - 8)); // executed
				 *0x4247f4 =  *0x4247f4 + 1;
				_t43 = E0040303E(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
				 *0x4247f4 =  *0x4247f4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E004060BB(_t75, _t80, 0x40a400, 0x40a400, 0xffffffee);
					} else {
						E004060BB(_t75, _t80, 0x40a400, 0x40a400, 0xffffffe9);
						lstrcatA(0x40a400,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x40a400);
					E004057B5();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x0040177c
0x00401798
0x0040177e
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x00402716
0x00402716
0x00402951
0x00402954
0x00402954
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x0040295a
0x0040295a
0x0040295a
0x00401858
0x00401858
0x00401859
0x00401492
0x004022e1
0x004022e1
0x004022e1
0x00401856
0x0040184f
0x0040295c
0x00402960
0x00402960
0x00401883
0x00401888
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x004022dc
0x00000000
0x004022dc
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6

Part of subcall function 004051C0: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

Strings

C:\Users\user\AppData\Local\Temp\nsb3C99.tmp, xrefs: 004017A3, 00401812, 00401830
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp$C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79$Call
API String ID: 1941528284-1222054559
Opcode ID: c3cce3b1b11ccaad6b9a0a02c5ed75f3e7716a985c84d45dfc54a77f0996771f
Instruction ID: 2c94bdb1ed45b9066cdaff59bd30f99cb4fab6046a6a22cdc065c2defd4e90a3
Opcode Fuzzy Hash: c3cce3b1b11ccaad6b9a0a02c5ed75f3e7716a985c84d45dfc54a77f0996771f
Instruction Fuzzy Hash: CD41D871A00615BBCB10BFB5CC45EAF3669EF01329B21823FF522B10E1D77C89518A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004051C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004051C0(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423f04; // 0x10468
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4247f4;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004060BB(0, _t39, 0x420510, 0x420510, _a4);
					}
					_t26 = lstrlenA(0x420510);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423ee8, 0x420510); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x420510;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x420510)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x420510, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x004051c6
0x004051d2
0x004051d5
0x004051db
0x004051e7
0x004051ea
0x004051ed
0x004051f3
0x004051f3
0x004051f9
0x00405201
0x00405204
0x00405221
0x00405225
0x0040522e
0x0040522e
0x00405238
0x00405241
0x0040524d
0x00405254
0x00405258
0x0040525b
0x0040526e
0x0040527c
0x0040527c
0x00405280
0x00405282
0x00405285
0x00000000
0x00405285
0x00405206
0x0040520e
0x00405216
0x0040521c
0x00000000
0x0040521c
0x00405216
0x00405204
0x0040528f

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll), ref: 0040522E
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll, xrefs: 004051E0, 004051F2, 004051F8, 0040521B, 00405227

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll
API String ID: 2531174081-79381697
Opcode ID: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
Instruction ID: 0096fbd02e39835f1f24d83275f9c38cb3dbb50e4440d35a5143882a1b4174d0
Opcode Fuzzy Hash: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
Instruction Fuzzy Hash: 4D218C71900518BFDF119FA5DD84A9EBFB9FF04354F0480BAF904B6291C7798A418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405686 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405686(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408374;
				_v36.Group = 0x408374;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408364;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405691
0x00405695
0x00405698
0x0040569e
0x004056a2
0x004056a6
0x004056ae
0x004056b5
0x004056bb
0x004056c2
0x004056c9
0x004056d1
0x004056d3
0x00000000
0x004056d3
0x004056dd
0x004056e4
0x004056fa
0x00000000
0x00000000
0x00000000
0x004056fc
0x00405700

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9
GetLastError.KERNEL32 ref: 004056DD
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004056F2
GetLastError.KERNEL32 ref: 004056FC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004056AC
C:\Users\user\Desktop, xrefs: 00405686

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1521822154
Opcode ID: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
Instruction ID: f1d10c799bfca9e4ec05a1b7c6bbaf57c6c97cfabee98fddb41b1e3f6ffc1dc8
Opcode Fuzzy Hash: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
Instruction Fuzzy Hash: 13010871D10259EADF109FA4C9047EFBFB8EB14315F10447AD544B6290DB7A9604CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004063C3(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004063da
0x004063e3
0x004063e5
0x004063e5
0x004063e9
0x004063fb
0x004063f5
0x004063f5
0x004063f5
0x004063ff
0x00406413
0x00406427
0x0040642e

APIs

GetSystemDirectoryA.KERNEL32 ref: 004063DA
wsprintfA.USER32 ref: 00406413
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406427

Strings

%s%s.dll, xrefs: 0040640D
\, xrefs: 004063EB
UXTHEME, xrefs: 004063CC

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction ID: c4678dfb2da91d08484603cd09ba86b434f6c063b959f4a2bfe8732341513f46
Opcode Fuzzy Hash: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction Fuzzy Hash: 69F0FC7054060967DB149768DD0DFEB365CEB08304F14057EA587E10D1D978D8358B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C61 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405C61(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3cc; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405c65
0x00405c6b
0x00405c6c
0x00405c6c
0x00405c71
0x00405c72
0x00405c75
0x00405c7f
0x00405c8c
0x00405c8f
0x00405c97
0x00000000
0x00000000
0x00405c9b
0x00000000
0x00000000
0x00405c9d
0x00000000
0x00405c9d
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405C75
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405C8F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C64
"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 00405C61
nsa, xrefs: 00405C6C

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-4264195045
Opcode ID: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction ID: cf48cc2e124a12ae61d5b18fb9546061e9ffe7603c061e2a5f49afbd00461fe6
Opcode Fuzzy Hash: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction Fuzzy Hash: F3F082363087047BEB108F55DC04B9B7F99DF91750F14803BFA48EA180D6B499648758

Uniqueness

Uniqueness Score: -1.00%

Function 00406576 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406576(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v132;
				intOrPtr _v136;
				void _v140;
				void* _v148;
				signed int _t455;
				signed int _t456;
				signed int _t490;

				_t490 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t490 << 2);
				if(_v52 != 0xffffffff) {
					while(1) {
						L3:
						_t455 = _v140;
						if(_t455 > 0x1c) {
							break;
						}
						switch( *((intOrPtr*)(_t455 * 4 +  &M00406FC8))) {
							case 0:
								__eflags = _v112;
								if(_v112 == 0) {
									goto L141;
								}
								_v112 = _v112 - 1;
								_v116 = _v116 + 1;
								_t455 =  *_v116;
								__eflags = _t455 - 0xe1;
								if(_t455 > 0xe1) {
									goto L142;
								}
								_t460 = _t455 & 0x000000ff;
								_push(0x2d);
								asm("cdq");
								_pop(_t494);
								_push(9);
								_pop(_t495);
								_t540 = _t460 / _t494;
								_t462 = _t460 % _t494 & 0x000000ff;
								asm("cdq");
								_t535 = _t462 % _t495 & 0x000000ff;
								_v64 = _t535;
								_v32 = (1 << _t540) - 1;
								_v28 = (1 << _t462 / _t495) - 1;
								_t543 = (0x300 << _t535 + _t540) + 0x736;
								__eflags = 0x600 - _v124;
								if(0x600 == _v124) {
									L12:
									__eflags = _t543;
									if(_t543 == 0) {
										L14:
										_v76 = _v76 & 0x00000000;
										_v68 = _v68 & 0x00000000;
										goto L17;
									} else {
										goto L13;
									}
									do {
										L13:
										_t543 = _t543 - 1;
										__eflags = _t543;
										 *((short*)(_v8 + _t543 * 2)) = 0x400;
									} while (_t543 != 0);
									goto L14;
								}
								__eflags = _v8;
								if(_v8 != 0) {
									GlobalFree(_v8);
								}
								_t455 = GlobalAlloc(0x40, 0x600); // executed
								__eflags = _t455;
								_v8 = _t455;
								if(_t455 == 0) {
									goto L142;
								} else {
									_v124 = 0x600;
									goto L12;
								}
							case 1:
								L15:
								__eflags = _v112;
								if(_v112 == 0) {
									_v140 = 1;
									goto L141;
								}
								_v112 = _v112 - 1;
								_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
								_v116 = _v116 + 1;
								_t50 =  &_v76;
								 *_t50 = _v76 + 1;
								__eflags =  *_t50;
								L17:
								__eflags = _v76 - 4;
								if(_v76 < 4) {
									goto L15;
								}
								_t468 = _v68;
								__eflags = _t468 - _v120;
								if(_t468 == _v120) {
									L22:
									_v76 = 5;
									 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
									goto L25;
								}
								__eflags = _v12;
								_v120 = _t468;
								if(_v12 != 0) {
									GlobalFree(_v12);
								}
								_t455 = GlobalAlloc(0x40, _v68); // executed
								__eflags = _t455;
								_v12 = _t455;
								if(_t455 == 0) {
									goto L142;
								} else {
									goto L22;
								}
							case 2:
								L26:
								_t475 = _v100 & _v32;
								_v136 = 6;
								_v80 = _t475;
								_t544 = _v8 + ((_v60 << 4) + _t475) * 2;
								goto L120;
							case 3:
								L23:
								__eflags = _v112;
								if(_v112 == 0) {
									_v140 = 3;
									goto L141;
								}
								_v112 = _v112 - 1;
								_t72 =  &_v116;
								 *_t72 = _v116 + 1;
								__eflags =  *_t72;
								_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
								L25:
								_v76 = _v76 - 1;
								__eflags = _v76;
								if(_v76 != 0) {
									goto L23;
								}
								goto L26;
							case 4:
								L121:
								_t477 =  *_t544;
								_t528 = _t477 & 0x0000ffff;
								_t509 = (_v20 >> 0xb) * _t528;
								__eflags = _v16 - _t509;
								if(_v16 >= _t509) {
									_v20 = _v20 - _t509;
									_v16 = _v16 - _t509;
									_v68 = 1;
									_t478 = _t477 - (_t477 >> 5);
									__eflags = _t478;
									 *_t544 = _t478;
								} else {
									_v20 = _t509;
									_v68 = _v68 & 0x00000000;
									 *_t544 = (0x800 - _t528 >> 5) + _t477;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									goto L127;
								}
								goto L125;
							case 5:
								L125:
								__eflags = _v112;
								if(_v112 == 0) {
									_v140 = 5;
									goto L141;
								}
								_v20 = _v20 << 8;
								_v112 = _v112 - 1;
								_t433 =  &_v116;
								 *_t433 = _v116 + 1;
								__eflags =  *_t433;
								_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
								L127:
								_t479 = _v136;
								_v140 = _t479;
								goto L3;
							case 6:
								__edx = 0;
								__eflags = _v68;
								if(_v68 != 0) {
									__eax = _v8;
									__ecx = _v60;
									_v56 = 1;
									_v136 = 7;
									__esi = _v8 + 0x180 + _v60 * 2;
									goto L120;
								}
								__eax = _v96 & 0x000000ff;
								__esi = _v100;
								__cl = 8;
								__cl = 8 - _v64;
								__esi = _v100 & _v28;
								__eax = (_v96 & 0x000000ff) >> 8;
								__ecx = _v64;
								__esi = (_v100 & _v28) << 8;
								__ecx = _v8;
								((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
								__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
								__eflags = _v60 - 4;
								__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
								_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
								if(_v60 >= 4) {
									__eflags = _v60 - 0xa;
									if(_v60 >= 0xa) {
										_t103 =  &_v60;
										 *_t103 = _v60 - 6;
										__eflags =  *_t103;
									} else {
										_v60 = _v60 - 3;
									}
								} else {
									_v60 = 0;
								}
								__eflags = _v56 - __edx;
								if(_v56 == __edx) {
									__ebx = 0;
									__ebx = 1;
									do {
										__eax = _v92;
										__edx = __ebx + __ebx;
										__ecx = _v20;
										__esi = __edx + __eax;
										__ecx = _v20 >> 0xb;
										__ax =  *__esi;
										_v88 = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = (_v20 >> 0xb) * __edi;
										__eflags = _v16 - __ecx;
										if(_v16 >= __ecx) {
											_v20 = _v20 - __ecx;
											_v16 = _v16 - __ecx;
											__cx = __ax;
											_t222 = __edx + 1; // 0x1
											__ebx = _t222;
											__cx = __ax >> 5;
											__eflags = __eax;
											 *__esi = __ax;
										} else {
											_v20 = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										__eflags = _v20 - 0x1000000;
										_v72 = __ebx;
										if(_v20 < 0x1000000) {
											__eflags = _v112;
											if(_v112 == 0) {
												_v140 = 0xf;
												goto L141;
											} else {
												__ecx = _v116;
												__eax = _v16;
												_v20 = _v20 << 8;
												__ecx =  *_v116 & 0x000000ff;
												_v112 = _v112 - 1;
												_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
												_t208 =  &_v116;
												 *_t208 = _v116 + 1;
												__eflags =  *_t208;
												_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
												goto L61;
											}
											goto L67;
										}
										L61:
										__eflags = __ebx - 0x100;
									} while (__ebx < 0x100);
									goto L57;
								} else {
									__eax = _v24;
									__eax = _v24 - _v48;
									__eflags = __eax - _v120;
									if(__eax >= _v120) {
										__eax = __eax + _v120;
										__eflags = __eax;
									}
									__ecx = _v12;
									__ebx = 0;
									__ebx = 1;
									__al =  *((intOrPtr*)(__eax + __ecx));
									_v95 =  *((intOrPtr*)(__eax + __ecx));
									goto L43;
								}
							case 7:
								L67:
								__eflags = _v68 - 1;
								if(_v68 != 1) {
									__eax = _v40;
									_v132 = 0x16;
									_v36 = _v40;
									__eax = _v44;
									_v40 = _v44;
									__eax = _v48;
									_v44 = _v48;
									__eax = 0;
									__eflags = _v60 - 7;
									0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
									__al = __al & 0x000000fd;
									__eax = (__eflags >= 0) - 1 + 0xa;
									_v60 = (__eflags >= 0) - 1 + 0xa;
									__eax = _v8;
									__eax = _v8 + 0x664;
									__eflags = __eax;
									_v92 = __eax;
									goto L70;
								}
								__eax = _v8;
								__ecx = _v60;
								_v136 = 8;
								__esi = _v8 + 0x198 + _v60 * 2;
								goto L120;
							case 8:
								__eflags = _v68;
								if(_v68 != 0) {
									__eax = _v8;
									__ecx = _v60;
									_v136 = 0xa;
									__esi = _v8 + 0x1b0 + _v60 * 2;
								} else {
									__eax = _v60;
									__ecx = _v8;
									__eax = _v60 + 0xf;
									_v136 = 9;
									_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
									__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
								}
								goto L120;
							case 9:
								__eflags = _v68;
								if(_v68 != 0) {
									goto L90;
								}
								__eflags = _v100;
								if(_v100 == 0) {
									goto L142;
								}
								__eax = 0;
								__eflags = _v60 - 7;
								0 | _v60 - 0x00000007 >= 0x00000000 = (_v60 - 7 >= 0) + (_v60 - 7 >= 0) + 9;
								_v60 = (_v60 - 7 >= 0) + (_v60 - 7 >= 0) + 9;
								__eflags = _v104;
								if(_v104 == 0) {
									_v140 = 0x1b;
									goto L141;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__eax + __edx);
								__eax = _v24;
								_v96 = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t280 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t280;
								__eax = _v108;
								_v100 = _v100 + 1;
								_v108 = _v108 + 1;
								_t289 =  &_v104;
								 *_t289 = _v104 - 1;
								__eflags =  *_t289;
								 *_v108 = __cl;
								goto L80;
							case 0xa:
								__eflags = _v68;
								if(_v68 != 0) {
									__eax = _v8;
									__ecx = _v60;
									_v136 = 0xb;
									__esi = _v8 + 0x1c8 + _v60 * 2;
									goto L120;
								}
								__eax = _v44;
								goto L89;
							case 0xb:
								__eflags = _v68;
								if(_v68 != 0) {
									__ecx = _v40;
									__eax = _v36;
									_v36 = _v40;
								} else {
									__eax = _v40;
								}
								__ecx = _v44;
								_v40 = _v44;
								L89:
								__ecx = _v48;
								_v48 = __eax;
								_v44 = _v48;
								L90:
								__eax = _v8;
								_v132 = 0x15;
								__eax = _v8 + 0xa68;
								_v92 = _v8 + 0xa68;
								L70:
								__esi = _v92;
								_v136 = 0x12;
								L120:
								_v88 = _t544;
								goto L121;
							case 0xc:
								while(1) {
									L91:
									__eflags = _v112;
									if(_v112 == 0) {
										break;
									}
									__ecx = _v116;
									__eax = _v16;
									_v20 = _v20 << 8;
									__ecx =  *_v116 & 0x000000ff;
									_v112 = _v112 - 1;
									_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
									_t321 =  &_v116;
									 *_t321 = _v116 + 1;
									__eflags =  *_t321;
									_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
									__eax = _v48;
									while(1) {
										_t325 =  &_v76;
										 *_t325 = _v76 - 1;
										__eflags =  *_t325;
										__eflags = _v76;
										if(_v76 <= 0) {
											break;
										}
										__ecx = _v16;
										__ebx = __ebx + __ebx;
										_v20 = _v20 >> 1;
										__eflags = _v16 - _v20;
										_v72 = __ebx;
										if(_v16 >= _v20) {
											__ecx = _v20;
											_v16 = _v16 - _v20;
											__ebx = __ebx | 0x00000001;
											__eflags = __ebx;
											_v72 = __ebx;
										}
										__eflags = _v20 - 0x1000000;
										if(_v20 >= 0x1000000) {
											continue;
										} else {
											goto L91;
										}
									}
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									while(1) {
										__eax = _v68;
										__eflags = _v76 - _v68;
										if(_v76 >= _v68) {
											break;
										}
										__eax = _v84;
										_v20 = _v20 >> 0xb;
										__edi = _v84 + _v84;
										__eax = _v92;
										__esi = __edi + __eax;
										_v88 = __esi;
										__ax =  *__esi;
										__ecx = __ax & 0x0000ffff;
										__edx = (_v20 >> 0xb) * __ecx;
										__eflags = _v16 - __edx;
										if(_v16 >= __edx) {
											__ecx = 0;
											_v20 = _v20 - __edx;
											__ecx = 1;
											_v16 = _v16 - __edx;
											__ebx = 1;
											__ecx = _v76;
											__ebx = 1 << __cl;
											__ecx = 1 << __cl;
											__ebx = _v72;
											__ebx = _v72 | __ecx;
											__cx = __ax;
											__cx = __ax >> 5;
											__eax = __eax - __ecx;
											__edi = __edi + 1;
											__eflags = __edi;
											_v72 = __ebx;
											 *__esi = __ax;
											_v84 = __edi;
										} else {
											_v20 = __edx;
											0x800 = 0x800 - __ecx;
											0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
											_v84 = _v84 << 1;
											 *__esi = __dx;
										}
										__eflags = _v20 - 0x1000000;
										if(_v20 >= 0x1000000) {
											L103:
											_t355 =  &_v76;
											 *_t355 = _v76 + 1;
											__eflags =  *_t355;
											continue;
										} else {
											__eflags = _v112;
											if(_v112 == 0) {
												_v140 = 0x10;
												goto L141;
											}
											__ecx = _v116;
											__eax = _v16;
											_v20 = _v20 << 8;
											__ecx =  *_v116 & 0x000000ff;
											_v112 = _v112 - 1;
											_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
											_t352 =  &_v116;
											 *_t352 = _v116 + 1;
											__eflags =  *_t352;
											_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
											goto L103;
										}
									}
									_t378 =  &_v48;
									 *_t378 = _v48 + __ebx;
									__eflags =  *_t378;
									_t380 =  &_v48;
									 *_t380 = _v48 + 1;
									__eflags =  *_t380;
									__eax = _v48;
									__eflags = __eax;
									if(__eax == 0) {
										_v52 = _v52 | 0xffffffff;
										goto L141;
									}
									__eflags = __eax - _v100;
									if(__eax > _v100) {
										goto L142;
									}
									_v52 = _v52 + 2;
									__eax = _v52;
									_t387 =  &_v100;
									 *_t387 = _v100 + _v52;
									__eflags =  *_t387;
									while(1) {
										__eflags = _v104;
										if(_v104 == 0) {
											break;
										}
										__eax = _v24;
										__eax = _v24 - _v48;
										__eflags = __eax - _v120;
										if(__eax >= _v120) {
											__eax = __eax + _v120;
											__eflags = __eax;
										}
										__edx = _v12;
										__cl =  *(__eax + __edx);
										__eax = _v24;
										_v96 = __cl;
										 *(__eax + __edx) = __cl;
										__eax = __eax + 1;
										__edx = 0;
										_t401 = __eax % _v120;
										__eax = __eax / _v120;
										__edx = _t401;
										__eax = _v108;
										_v108 = _v108 + 1;
										_v104 = _v104 - 1;
										_v52 = _v52 - 1;
										__eflags = _v52;
										 *_v108 = __cl;
										_v24 = _t401;
										if(_v52 > 0) {
											continue;
										}
										goto L81;
									}
									_v140 = 0x1c;
									goto L141;
								}
								_v140 = 0xc;
								goto L141;
							case 0xd:
								L39:
								__eflags = _v112;
								if(_v112 == 0) {
									_v140 = 0xd;
									L141:
									_push(0x22);
									_pop(_t492);
									memcpy(_v148,  &_v140, _t492 << 2);
									return 0;
								}
								__ecx = _v116;
								__eax = _v16;
								_v20 = _v20 << 8;
								__ecx =  *_v116 & 0x000000ff;
								_v112 = _v112 - 1;
								_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
								_t127 =  &_v116;
								 *_t127 = _v116 + 1;
								__eflags =  *_t127;
								_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
								L41:
								__eax = _v68;
								__eflags = _v76 - _v68;
								if(_v76 != _v68) {
									while(1) {
										__eflags = __ebx - 0x100;
										if(__ebx >= 0x100) {
											break;
										}
										__eax = _v92;
										__edx = __ebx + __ebx;
										__ecx = _v20;
										__esi = __edx + __eax;
										__ecx = _v20 >> 0xb;
										__ax =  *__esi;
										_v88 = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = (_v20 >> 0xb) * __edi;
										__eflags = _v16 - __ecx;
										if(_v16 >= __ecx) {
											_v20 = _v20 - __ecx;
											_v16 = _v16 - __ecx;
											__cx = __ax;
											_t175 = __edx + 1; // 0x1
											__ebx = _t175;
											__cx = __ax >> 5;
											__eflags = __eax;
											 *__esi = __ax;
										} else {
											_v20 = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										__eflags = _v20 - 0x1000000;
										_v72 = __ebx;
										if(_v20 >= 0x1000000) {
											continue;
										} else {
											__eflags = _v112;
											if(_v112 == 0) {
												_v140 = 0xe;
												goto L141;
											} else {
												__ecx = _v116;
												__eax = _v16;
												_v20 = _v20 << 8;
												__ecx =  *_v116 & 0x000000ff;
												_v112 = _v112 - 1;
												_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
												_t161 =  &_v116;
												 *_t161 = _v116 + 1;
												__eflags =  *_t161;
												_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
												continue;
											}
											break;
										}
									}
									L56:
									_t178 =  &_v56;
									 *_t178 = _v56 & 0x00000000;
									__eflags =  *_t178;
									L57:
									__al = _v72;
									_v96 = _v72;
									__eflags = _v104;
									if(_v104 == 0) {
										_v140 = 0x1a;
										goto L141;
									}
									__ecx = _v108;
									__al = _v96;
									__edx = _v12;
									_v100 = _v100 + 1;
									_v108 = _v108 + 1;
									_v104 = _v104 - 1;
									 *_v108 = __al;
									__ecx = _v24;
									 *(_v12 + __ecx) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t197 = __eax % _v120;
									__eax = __eax / _v120;
									__edx = _t197;
									L80:
									_v24 = __edx;
									L81:
									_v140 = 2;
									goto L3;
								}
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									goto L56;
								}
								L43:
								__eax = _v95 & 0x000000ff;
								_v95 = _v95 << 1;
								__ecx = _v92;
								__eax = (_v95 & 0x000000ff) >> 7;
								_v76 = __eax;
								__eax = __eax + 1;
								__eax = __eax << 8;
								__eax = __eax + __ebx;
								__esi = _v92 + __eax * 2;
								_v20 = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edx = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edx;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_v68 = 1;
									__cx = __ax >> 5;
									__eflags = __eax;
									__ebx = __ebx + __ebx + 1;
									 *__esi = __ax;
								} else {
									_v68 = _v68 & 0x00000000;
									_v20 = __ecx;
									0x800 = 0x800 - __edx;
									0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									goto L41;
								} else {
									goto L39;
								}
						}
					}
					L142:
					_t456 = _t455 | 0xffffffff;
					return _t456;
				}
				return 1;
			}

0x00406586
0x0040658d
0x00406593
0x00406599
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065bf
0x004065c3
0x00000000
0x00000000
0x004065cc
0x004065cf
0x004065d2
0x004065d4
0x004065d6
0x00000000
0x00000000
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x0040661f
0x00406622
0x0040664a
0x0040664a
0x0040664c
0x0040665a
0x0040665a
0x0040665e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040664e
0x0040664e
0x00406651
0x00406651
0x00406652
0x00406652
0x00000000
0x0040664e
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663c
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x00406f14
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668a
0x0040668e
0x00000000
0x00000000
0x00406690
0x00406693
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x004066cd
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b5
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x00406f23
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fb
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da3
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406dd9
0x00406de0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de2
0x00406de2
0x00406de6
0x00406f95
0x00000000
0x00406f95
0x00406df2
0x00406df9
0x00406e01
0x00406e01
0x00406e01
0x00406e04
0x00406e07
0x00406e07
0x00406e0d
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x004067b2
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x00000000
0x0040693f
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00000000
0x004069c4
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x00406a19
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x00000000
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00000000
0x00406a7b
0x00406a7f
0x00000000
0x00000000
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406f5f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00000000
0x00406afd
0x00406ae8
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406f77
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406f83
0x00406cff
0x00406d02
0x00000000
0x00000000
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00000000
0x00000000
0x00406d56
0x00406f89
0x00000000
0x00406f89
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00406fab
0x00406fb1
0x00406fb3
0x00406fba
0x00000000
0x00406fbc
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x00000000
0x0040687b
0x004068f9
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00000000
0x00406f53
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067ef
0x004067f5
0x00000000
0x00000000
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00000000
0x00406fc0
0x00000000

Strings

"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph, xrefs: 00406576

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID: "numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph
API String ID: 0-208995783
Opcode ID: 8c6c0676c47b070245886c612b6dc18845a4ce32cc894a17ea31aa6889f3f80a
Instruction ID: f9a0fdfb68df0875c036107095c0f8e37124572de3281b7b6a4fcb1f7c3ff658
Opcode Fuzzy Hash: 8c6c0676c47b070245886c612b6dc18845a4ce32cc894a17ea31aa6889f3f80a
Instruction Fuzzy Hash: DF818771D00229DBDF24CFA8D8447AEBBB0FF44305F11856AE856BB280CB785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E100016BD(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				 *0x10004064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556);
				_push(1);
				_t34 = E10001A5D();
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E100021B0(_t50);
					}
					E100021FA(_t65, _t50);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100023D8(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x818; // 0x818
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E10001559(_t50);
								_t15 = _t50 + 0x818; // 0x818
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x820)) = _t38;
								 *_t70 = 3;
								E100023D8(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100023D8(_t50);
							_t34 = GlobalFree(E10001266(E10001559(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E1000239E(_t50);
							if(( *(_t50 + 0x810) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x808);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x810) & 0x00000020) != 0) {
								_t34 = E100014E2( *0x10004058);
							}
						}
						if(( *(_t50 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002A9F(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E100027E4(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002587(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x100016bd
0x100016bd
0x100016bd
0x100016c7
0x100016cf
0x100016dc
0x100016ea
0x100016ed
0x100016ef
0x100016f4
0x100016f9
0x1000180c
0x1000180c
0x100016ff
0x10001703
0x10001706
0x1000170b
0x1000170d
0x10001713
0x10001719
0x10001749
0x10001750
0x10001774
0x100017b3
0x10001776
0x10001776
0x10001777
0x1000177a
0x10001780
0x10001784
0x10001787
0x1000178c
0x1000178c
0x10001793
0x10001799
0x1000179f
0x100017ab
0x100017ac
0x100017af
0x10001752
0x10001753
0x10001768
0x10001768
0x100017bd
0x100017c0
0x100017cd
0x100017d4
0x100017dc
0x100017df
0x100017df
0x100017dc
0x100017ec
0x100017f4
0x100017f9
0x100017ec
0x10001801
0x00000000
0x10001803
0x00000000
0x10001804
0x10001801
0x1000171d
0x10001720
0x1000173e
0x00000000
0x00000000
0x10001741
0x10001746
0x10001746
0x10001748
0x00000000
0x10001748
0x10001722
0x10001723
0x1000172b
0x1000172c
0x00000000
0x1000172c
0x10001725
0x10001726
0x10001734
0x00000000
0x10001734
0x10001729
0x00000000
0x00000000
0x00000000
0x10001729

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32 ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32 ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32 ref: 10001CCE

GlobalFree.KERNEL32 ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32 ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2

Part of subcall function 10002587: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025F9

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,10004010,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000002.00000002.829318135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.829312318.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829324628.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829330878.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: d00fcf5c1a7409290317dea9c84c75534a881091bfcc635988d0727071c870ea
Instruction ID: 474564f2ddd1a30fda7ef2e88bb39d7445f8f4f5c00c78564696995dcbc9c57a
Opcode Fuzzy Hash: d00fcf5c1a7409290317dea9c84c75534a881091bfcc635988d0727071c870ea
Instruction Fuzzy Hash: C4319E79408205DAFB41DF649CC5BCA37ECFB042D5F118465FA0A9A09EDF78A8858B60

Uniqueness

Uniqueness Score: -1.00%

Function 00403146 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403146(intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t32 =  *0x4178dc; // 0x58ea
				_t34 = _t32 -  *0x40b848 + _a4;
				 *0x424730 = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E00402CF9(1);
					return 0;
				}
				E004032C5( *0x4178ec);
				SetFilePointer( *0x40a01c,  *0x40b848, 0, 0); // executed
				 *0x4178e8 = _t34;
				 *0x4178d8 = 0;
				while(1) {
					_t10 =  *0x4178e0; // 0x2d595
					_t31 = 0x4000;
					_t11 = _t10 -  *0x4178ec;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E004032AF(0x4138d8, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x4178ec =  *0x4178ec + _t31;
					 *0x40b868 = 0x4138d8;
					 *0x40b86c = _t31;
					L6:
					L6:
					if( *0x424734 != 0 &&  *0x4247e0 == 0) {
						_t19 =  *0x4178e8; // 0x1559
						 *0x4178d8 = _t19 -  *0x4178dc - _a4 +  *0x40b848;
						E00402CF9(0);
					}
					 *0x40b870 = 0x40b8d8;
					 *0x40b874 = 0x8000; // executed
					_t14 = E00406576(0x40b850); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40b870; // 0x40e0fc
					_t37 = _t36 - 0x40b8d8;
					if(_t37 == 0) {
						__eflags =  *0x40b86c; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x4178dc; // 0x58ea
						if(_t16 -  *0x40b848 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405CD9( *0x40a01c, 0x40b8d8, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40b848 =  *0x40b848 + _t37;
					_t49 =  *0x40b86c; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x00403149
0x00403156
0x00403169
0x0040316e
0x0040329e
0x004032a0
0x00000000
0x004032a6
0x0040317a
0x0040318d
0x00403193
0x00403199
0x004031a4
0x004031a4
0x004031a9
0x004031ae
0x004031b6
0x004031b8
0x004031b8
0x004031c1
0x004031c8
0x00000000
0x00000000
0x004031ce
0x004031d4
0x004031da
0x00000000
0x004031e0
0x004031e6
0x004031f0
0x00403206
0x0040320b
0x00403210
0x00403216
0x0040321c
0x00403226
0x0040322d
0x00000000
0x00000000
0x0040322f
0x00403235
0x00403237
0x0040325a
0x00403260
0x00000000
0x00000000
0x00403262
0x00403264
0x00000000
0x00000000
0x00403266
0x00403266
0x00403279
0x00000000
0x00000000
0x00403288
0x00000000
0x00403288
0x00403241
0x00403248
0x00403295
0x0040329b
0x0040329b
0x00000000
0x0040329b
0x0040324a
0x00403250
0x00403256
0x00000000
0x00000000
0x00000000
0x00403299
0x00403299
0x00000000
0x00403299
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040315A

Part of subcall function 004032C5: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 0040318D
SetFilePointer.KERNELBASE(000058EA,00000000,00000000,004138D8,00004000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000), ref: 00403288

Strings

"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph, xrefs: 0040319F, 0040323A

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: "numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph
API String ID: 1092082344-208995783
Opcode ID: 66296152afd6068201e6c2e1ab460adb435358711bd3d40a2675aec94dc3ea3b
Instruction ID: 532adb213c64d5ab3b143d976f528210e7f95c922d5c949e36f01b9cb200fd6d
Opcode Fuzzy Hash: 66296152afd6068201e6c2e1ab460adb435358711bd3d40a2675aec94dc3ea3b
Instruction Fuzzy Hash: FD3160726442049FD710AF6AFE4896A3BECF75435A710827FE904B22F0DB389941DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C04(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402A9F(3);
				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402A9F(4);
				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402AC1(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402AC1(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402AC1();
					_t32 = E00402AC1();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
					goto L10;
				} else {
					_t61 = E00402A9F();
					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
					_t41 = E00402A9F(2);
					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00405FF7();
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c04
0x00401c06
0x00401c0d
0x00401c10
0x00401c13
0x00401c1d
0x00401c21
0x00401c24
0x00401c2d
0x00401c2d
0x00401c30
0x00401c34
0x00401c3d
0x00401c3d
0x00401c40
0x00401c44
0x00401c46
0x00401c9b
0x00401c9d
0x00401ca6
0x00401cae
0x00401cb1
0x00401cb1
0x00401cba
0x00000000
0x00401c48
0x00401c4f
0x00401c51
0x00401c54
0x00401c5a
0x00401c61
0x00401c64
0x00401c8c
0x00401cc0
0x00401cc0
0x00401c66
0x00401c74
0x00401c7c
0x00401c7f
0x00401c7f
0x00401c64
0x00401cc3
0x00401cc6
0x00401ccc
0x004028f9
0x004028f9
0x00402954
0x00402960

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
Instruction ID: aed907c05dc833253b389eb1df77c6bfbb772c9e61476b09ce63ef5510084725
Opcode Fuzzy Hash: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
Instruction Fuzzy Hash: 46218F71A44209AEEB15DFA5D946AED7BB0EF84304F14803EF505F61D1DA7889408F28

Uniqueness

Uniqueness Score: -1.00%

Function 004023D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004023D0(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t18;
				void* _t19;
				int _t22;
				long _t23;
				char _t25;
				int _t28;
				void* _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t35;
				void* _t37;
				void* _t40;

				_t31 = __edx;
				_t28 = __ebx;
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				_t32 = __eax;
				 *(_t37 - 0x3c) =  *(_t37 - 0x14);
				 *(_t37 - 0x34) = E00402AC1(2);
				_t18 = E00402AC1(0x11);
				 *(_t37 - 4) = 1;
				_t19 = E00402B51(_t40, _t32, _t18, 2); // executed
				 *(_t37 + 8) = _t19;
				if(_t19 != __ebx) {
					_t22 = 0;
					if(_t35 == 1) {
						E00402AC1(0x23);
						_t22 = lstrlenA(0x40ac00) + 1;
					}
					if(_t35 == 4) {
						_t25 = E00402A9F(3);
						_pop(_t30);
						 *0x40ac00 = _t25;
						 *((intOrPtr*)(_t37 - 0x80)) = _t31;
						_t22 = _t35;
					}
					if(_t35 == 3) {
						_t22 = E0040303E(_t30,  *((intOrPtr*)(_t37 - 0x1c)), _t28, 0x40ac00, 0xc00);
					}
					_t23 = RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x34), _t28,  *(_t37 - 0x3c), 0x40ac00, _t22); // executed
					if(_t23 == 0) {
						 *(_t37 - 4) = _t28;
					}
					_push( *(_t37 + 8));
					RegCloseKey(); // executed
				}
				 *0x4247c8 =  *0x4247c8 +  *(_t37 - 4);
				return 0;
			}

0x004023d0
0x004023d0
0x004023d0
0x004023d3
0x004023da
0x004023e4
0x004023e7
0x004023f0
0x004023f7
0x004023fe
0x00402401
0x00402407
0x00402411
0x00402415
0x00402420
0x00402420
0x00402424
0x00402428
0x0040242d
0x0040242e
0x00402434
0x00402437
0x00402437
0x0040243b
0x00402447
0x00402447
0x00402458
0x00402460
0x00402462
0x00402462
0x00402465
0x0040253c
0x0040253c
0x00402954
0x00402960

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,00000023,00000011,00000002), ref: 0040241B
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,00000000,00000011,00000002), ref: 00402458
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,00000000,00000011,00000002), ref: 0040253C

Strings

C:\Users\user\AppData\Local\Temp\nsb3C99.tmp, xrefs: 0040240C, 0040241A, 0040242E, 00402442, 0040244D

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp
API String ID: 2655323295-2385664813
Opcode ID: 21db2f8f9692a3377bee1ea49589b4a1eede1b4b6c2deebe6580fb317b003819
Instruction ID: f5012b3eed6b0e10d725da1925ea8f3c2a7a7eca851d842cc00ee1163223ef4a
Opcode Fuzzy Hash: 21db2f8f9692a3377bee1ea49589b4a1eede1b4b6c2deebe6580fb317b003819
Instruction Fuzzy Hash: DA115471E00215BEDF10EFA5DE89A9E7A74EB44754F21403BF508F71D1CAB84D419B29

Uniqueness

Uniqueness Score: -1.00%

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401FFD(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x4247f8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x4247c8 =  *0x4247c8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402AC1(0xfffffff0);
				 *(_t34 + 8) = E00402AC1(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E004051C0(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x425000, 0x40b804, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403889(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401ffd
0x00401ffd
0x00402002
0x00402009
0x004020c4
0x00402237
0x00402237
0x00402951
0x00402954
0x00402960
0x00402960
0x00402018
0x00402022
0x00402025
0x00402034
0x00402038
0x0040203e
0x00402042
0x004020bd
0x00000000
0x004020bd
0x00402044
0x0040204d
0x00402051
0x00402095
0x00402053
0x00402056
0x00402059
0x00402089
0x0040205b
0x0040205e
0x00402067
0x00402069
0x00402069
0x00402067
0x00402059
0x0040209d
0x004020b2
0x004020b2
0x00000000
0x0040209d
0x00402028
0x0040202e
0x00402032
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028

Part of subcall function 004051C0: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
GetProcAddress.KERNEL32(00000000,?), ref: 00402048
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 4694ba33f5e8bacfeb5e3fcbfa85d02b4c6a72b11824bb7564f9b9a864f919fc
Instruction ID: b9fd2243ea981f5bcf097e6c9410b7191d7035710d5254353367cb498e194193
Opcode Fuzzy Hash: 4694ba33f5e8bacfeb5e3fcbfa85d02b4c6a72b11824bb7564f9b9a864f919fc
Instruction Fuzzy Hash: 2C21C971A04225A7CF207FA48E4DB6E7660AB44358F21413BF711B62D0CBBD4942965E

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402AC1(0xfffffff0);
				_t13 = E00405ACA(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405A5C(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E00405703(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E00405720(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E00405686(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406099("C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne\\Tilegnelserne\\Suppegrydernes79", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x00402237
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402954
0x00402960

APIs

Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,?,00405B36,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,766DFA90,?,766DF560,00405881,?,766DFA90,766DF560,00000000), ref: 00405AD8
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 00405686: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79, xrefs: 00401631

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79
API String ID: 1892508949-664089103
Opcode ID: a1a99da81ec8ebe60bd9a559002f25b092f8fa51d43cb1406a9a8f8e6d1f3ea0
Instruction ID: e80d591928eb94818456189605928617e464058bd7b4ab9a9bc67e70efbf424e
Opcode Fuzzy Hash: a1a99da81ec8ebe60bd9a559002f25b092f8fa51d43cb1406a9a8f8e6d1f3ea0
Instruction Fuzzy Hash: D3112731208151EBCF217BB54D415BF26B0DA92324B28093FE9D1B22E2D63D4D436A3F

Uniqueness

Uniqueness Score: -1.00%

Function 00405B1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405B1F(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00406099(0x422138, _a4);
				_t21 = E00405ACA(0x422138);
				if(_t21 != 0) {
					E00406303(_t21);
					if(( *0x42473c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x422138;
						while(1) {
							_t11 = lstrlenA(0x422138);
							_push(0x422138);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E0040639C();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405A78(0x422138);
								continue;
							} else {
								goto L1;
							}
						}
						E00405A31();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405b2b
0x00405b36
0x00405b3a
0x00405b41
0x00405b4d
0x00405b59
0x00405b59
0x00405b71
0x00405b72
0x00405b79
0x00405b7a
0x00000000
0x00000000
0x00405b5d
0x00405b64
0x00405b6c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405b64
0x00405b7c
0x00405b82
0x00000000
0x00405b90
0x00405b4f
0x00405b53
0x00000000
0x00000000
0x00000000
0x00000000
0x00405b53
0x00405b3c
0x00000000

APIs

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6

Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,?,00405B36,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,766DFA90,?,766DF560,00405881,?,766DFA90,766DF560,00000000), ref: 00405AD8
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,766DFA90,?,766DF560,00405881,?,766DFA90,766DF560,00000000), ref: 00405B72
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,766DFA90,?,766DF560,00405881,?,766DFA90,766DF560), ref: 00405B82

Strings

C:\Users\user\AppData\Local\Temp\nsb3C99.tmp, xrefs: 00405B25, 00405B2A, 00405B30, 00405B6B, 00405B71, 00405B79, 00405B81

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp
API String ID: 3248276644-2385664813
Opcode ID: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
Instruction ID: f7918bca05de5a67ada1f7886cb37670742315f8bcd1f0c25b92126024abb592
Opcode Fuzzy Hash: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
Instruction Fuzzy Hash: 5DF0F425205E6516C722323A0C45AAF6964CE92324709423BF891B22C3CA3CB8429DBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405F80(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E00405F1F(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20); // executed
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00405f8e
0x00405f90
0x00405fa8
0x00405fad
0x00405fb2
0x00405fef
0x00405fef
0x00405fb4
0x00405fc6
0x00405fd1
0x00405fd7
0x00405fe1
0x00000000
0x00000000
0x00405fe1
0x00405ff4

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,004061C4,80000002), ref: 00405FC6
RegCloseKey.KERNELBASE(?,?,004061C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll), ref: 00405FD1

Strings

Call, xrefs: 00405F83, 00405FB7

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 89fd80a38215459d753601d22b2c149a63a94ab0799c11bc238657d83ab6ff10
Instruction ID: 18c902175c261954d743b78889848fcc164f2ce977d73a6ea322bbd2e465ffc2
Opcode Fuzzy Hash: 89fd80a38215459d753601d22b2c149a63a94ab0799c11bc238657d83ab6ff10
Instruction Fuzzy Hash: CD01BC7250020AABDF228F20CC09FDB3FA8EF54364F00403AFA05A2190D278CA14DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405738 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405738(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x422538->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x422538,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405741
0x00405761
0x00405769
0x0040576e
0x00000000
0x00405774
0x00405778

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422538,Error launching installer), ref: 00405761
CloseHandle.KERNEL32(?), ref: 0040576E

Strings

Error launching installer, xrefs: 0040574B

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction ID: 69b2a91025ee82e0f17d0b644fa8ba69f8cb79a6280e59e5c1840fb2568b3eab
Opcode Fuzzy Hash: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction Fuzzy Hash: 00E046F0600209BFEB009F60EE49F7BBBACEB10704F808421BD00F2190D6B898448A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406B5A Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406B5A() {
				signed int _t492;
				void _t499;
				signed int _t500;
				signed int _t501;
				unsigned short _t531;
				signed int _t541;
				signed int _t569;
				void* _t589;
				signed int _t590;
				signed int _t597;
				signed int* _t605;
				void* _t606;

				_t492 =  *(_t606 - 0x30);
				if(_t492 >= 4) {
				}
				 *(_t606 - 0x40) = 6;
				 *(_t606 - 0x7c) = 0x19;
				 *((intOrPtr*)(_t606 - 0x58)) = (_t492 << 7) +  *(_t606 - 4) + 0x360;
				 *(_t606 - 0x50) = 1;
				 *(_t606 - 0x48) =  *(_t606 - 0x40);
				while(1) {
					if( *(_t606 - 0x48) <= 0) {
						break;
					}
					_t589 =  *(_t606 - 0x50) +  *(_t606 - 0x50);
					_t605 = _t589 +  *((intOrPtr*)(_t606 - 0x58));
					 *(_t606 - 0x54) = _t605;
					_t531 =  *_t605;
					_t597 = _t531 & 0x0000ffff;
					_t569 = ( *(_t606 - 0x10) >> 0xb) * _t597;
					if( *(_t606 - 0xc) >= _t569) {
						 *(_t606 - 0x10) =  *(_t606 - 0x10) - _t569;
						 *(_t606 - 0xc) =  *(_t606 - 0xc) - _t569;
						_t590 = _t589 + 1;
						 *_t605 = _t531 - (_t531 >> 5);
						 *(_t606 - 0x50) = _t590;
					} else {
						 *(_t606 - 0x10) = _t569;
						 *(_t606 - 0x50) =  *(_t606 - 0x50) << 1;
						 *_t605 = (0x800 - _t597 >> 5) + _t531;
					}
					if( *(_t606 - 0x10) >= 0x1000000) {
						L132:
						_t452 = _t606 - 0x48;
						 *_t452 =  *(_t606 - 0x48) - 1;
						continue;
					} else {
						if( *(_t606 - 0x6c) == 0) {
							 *(_t606 - 0x88) = 0x18;
							L153:
							_t541 = 0x22;
							memcpy( *(_t606 - 0x90), _t606 - 0x88, _t541 << 2);
							_t501 = 0;
						} else {
							 *(_t606 - 0x10) =  *(_t606 - 0x10) << 8;
							 *(_t606 - 0x6c) =  *(_t606 - 0x6c) - 1;
							_t449 = _t606 - 0x70;
							 *_t449 =  &(( *(_t606 - 0x70))[1]);
							 *(_t606 - 0xc) =  *(_t606 - 0xc) << 0x00000008 |  *( *(_t606 - 0x70)) & 0x000000ff;
							goto L132;
						}
					}
					L155:
					return _t501;
				}
				_t499 =  *(_t606 - 0x7c);
				 *((intOrPtr*)(_t606 - 0x44)) =  *(_t606 - 0x50) - (1 <<  *(_t606 - 0x40));
				while(1) {
					L128:
					 *(_t606 - 0x88) = _t499;
					while(1) {
						L1:
						_t500 =  *(_t606 - 0x88);
						if(_t500 > 0x1c) {
							break;
						}
						switch( *((intOrPtr*)(_t500 * 4 +  &M00406FC8))) {
							case 0:
								if( *(_t606 - 0x6c) == 0) {
									goto L153;
								} else {
									 *(_t606 - 0x6c) =  *(_t606 - 0x6c) - 1;
									 *(_t606 - 0x70) =  &(( *(_t606 - 0x70))[1]);
									_t500 =  *( *(_t606 - 0x70));
									if(_t500 > 0xe1) {
										goto L154;
									} else {
										_t504 = _t500 & 0x000000ff;
										_push(0x2d);
										asm("cdq");
										_pop(_t543);
										_push(9);
										_pop(_t544);
										_t600 = _t504 / _t543;
										_t506 = _t504 % _t543 & 0x000000ff;
										asm("cdq");
										_t595 = _t506 % _t544 & 0x000000ff;
										 *(_t606 - 0x3c) = _t595;
										 *(_t606 - 0x1c) = (1 << _t600) - 1;
										 *((intOrPtr*)(_t606 - 0x18)) = (1 << _t506 / _t544) - 1;
										_t603 = (0x300 << _t595 + _t600) + 0x736;
										if(0x600 ==  *((intOrPtr*)(_t606 - 0x78))) {
											L10:
											if(_t603 != 0) {
												do {
													_t603 = _t603 - 1;
													 *((short*)( *(_t606 - 4) + _t603 * 2)) = 0x400;
												} while (_t603 != 0);
											}
											 *(_t606 - 0x48) =  *(_t606 - 0x48) & 0x00000000;
											 *(_t606 - 0x40) =  *(_t606 - 0x40) & 0x00000000;
											goto L15;
										} else {
											if( *(_t606 - 4) != 0) {
												GlobalFree( *(_t606 - 4));
											}
											_t500 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t606 - 4) = _t500;
											if(_t500 == 0) {
												goto L154;
											} else {
												 *((intOrPtr*)(_t606 - 0x78)) = 0x600;
												goto L10;
											}
										}
									}
								}
								goto L155;
							case 1:
								L13:
								__eflags =  *(_t606 - 0x6c);
								if( *(_t606 - 0x6c) == 0) {
									 *(_t606 - 0x88) = 1;
									goto L153;
								} else {
									 *(_t606 - 0x6c) =  *(_t606 - 0x6c) - 1;
									 *(_t606 - 0x40) =  *(_t606 - 0x40) | ( *( *(_t606 - 0x70)) & 0x000000ff) <<  *(_t606 - 0x48) << 0x00000003;
									 *(_t606 - 0x70) =  &(( *(_t606 - 0x70))[1]);
									_t45 = _t606 - 0x48;
									 *_t45 =  *(_t606 - 0x48) + 1;
									__eflags =  *_t45;
									L15:
									if( *(_t606 - 0x48) < 4) {
										goto L13;
									} else {
										_t512 =  *(_t606 - 0x40);
										if(_t512 ==  *(_t606 - 0x74)) {
											L20:
											 *(_t606 - 0x48) = 5;
											 *( *(_t606 - 8) +  *(_t606 - 0x74) - 1) =  *( *(_t606 - 8) +  *(_t606 - 0x74) - 1) & 0x00000000;
											goto L23;
										} else {
											 *(_t606 - 0x74) = _t512;
											if( *(_t606 - 8) != 0) {
												GlobalFree( *(_t606 - 8));
											}
											_t500 = GlobalAlloc(0x40,  *(_t606 - 0x40)); // executed
											 *(_t606 - 8) = _t500;
											if(_t500 == 0) {
												goto L154;
											} else {
												goto L20;
											}
										}
									}
								}
								goto L155;
							case 2:
								L24:
								_t519 =  *(_t606 - 0x60) &  *(_t606 - 0x1c);
								 *(_t606 - 0x84) = 6;
								 *(_t606 - 0x4c) = _t519;
								_t604 =  *(_t606 - 4) + (( *(_t606 - 0x38) << 4) + _t519) * 2;
								goto L120;
							case 3:
								L21:
								__eflags =  *(_t606 - 0x6c);
								if( *(_t606 - 0x6c) == 0) {
									 *(_t606 - 0x88) = 3;
									goto L153;
								} else {
									 *(_t606 - 0x6c) =  *(_t606 - 0x6c) - 1;
									_t67 = _t606 - 0x70;
									 *_t67 =  &(( *(_t606 - 0x70))[1]);
									__eflags =  *_t67;
									 *(_t606 - 0xc) =  *(_t606 - 0xc) << 0x00000008 |  *( *(_t606 - 0x70)) & 0x000000ff;
									L23:
									 *(_t606 - 0x48) =  *(_t606 - 0x48) - 1;
									if( *(_t606 - 0x48) != 0) {
										goto L21;
									} else {
										goto L24;
									}
								}
								goto L155;
							case 4:
								L121:
								_t521 =  *_t604;
								_t588 = _t521 & 0x0000ffff;
								_t558 = ( *(_t606 - 0x10) >> 0xb) * _t588;
								if( *(_t606 - 0xc) >= _t558) {
									 *(_t606 - 0x10) =  *(_t606 - 0x10) - _t558;
									 *(_t606 - 0xc) =  *(_t606 - 0xc) - _t558;
									 *(_t606 - 0x40) = 1;
									_t522 = _t521 - (_t521 >> 5);
									__eflags = _t522;
									 *_t604 = _t522;
								} else {
									 *(_t606 - 0x10) = _t558;
									 *(_t606 - 0x40) =  *(_t606 - 0x40) & 0x00000000;
									 *_t604 = (0x800 - _t588 >> 5) + _t521;
								}
								if( *(_t606 - 0x10) >= 0x1000000) {
									goto L127;
								} else {
									goto L125;
								}
								goto L155;
							case 5:
								L125:
								if( *(_t606 - 0x6c) == 0) {
									 *(_t606 - 0x88) = 5;
									goto L153;
								} else {
									 *(_t606 - 0x10) =  *(_t606 - 0x10) << 8;
									 *(_t606 - 0x6c) =  *(_t606 - 0x6c) - 1;
									 *(_t606 - 0x70) =  &(( *(_t606 - 0x70))[1]);
									 *(_t606 - 0xc) =  *(_t606 - 0xc) << 0x00000008 |  *( *(_t606 - 0x70)) & 0x000000ff;
									L127:
									_t499 =  *(_t606 - 0x84);
									goto L128;
								}
								goto L155;
							case 6:
								__edx = 0;
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *(__ebp - 0x34) = 1;
									 *((intOrPtr*)(__ebp - 0x84)) = 7;
									__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
									goto L120;
								} else {
									__eax =  *(__ebp - 0x5c) & 0x000000ff;
									__esi =  *(__ebp - 0x60);
									__cl = 8;
									__cl = 8 -  *(__ebp - 0x3c);
									__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
									__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
									__ecx =  *(__ebp - 0x3c);
									__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
									__ecx =  *(__ebp - 4);
									(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
									__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
									__eflags =  *(__ebp - 0x38) - 4;
									__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
									 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
									if( *(__ebp - 0x38) >= 4) {
										__eflags =  *(__ebp - 0x38) - 0xa;
										if( *(__ebp - 0x38) >= 0xa) {
											_t98 = __ebp - 0x38;
											 *_t98 =  *(__ebp - 0x38) - 6;
											__eflags =  *_t98;
										} else {
											 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
										}
									} else {
										 *(__ebp - 0x38) = 0;
									}
									__eflags =  *(__ebp - 0x34) - __edx;
									if( *(__ebp - 0x34) == __edx) {
										__ebx = 0;
										__ebx = 1;
										do {
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L59;
											} else {
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
													goto L153;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t203 = __ebp - 0x70;
													 *_t203 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t203;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													goto L59;
												}
											}
											goto L155;
											L59:
											__eflags = __ebx - 0x100;
										} while (__ebx < 0x100);
										goto L55;
									} else {
										__eax =  *(__ebp - 0x14);
										__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
										__eflags = __eax -  *(__ebp - 0x74);
										if(__eax >=  *(__ebp - 0x74)) {
											__eax = __eax +  *(__ebp - 0x74);
											__eflags = __eax;
										}
										__ecx =  *(__ebp - 8);
										__ebx = 0;
										__ebx = 1;
										__al =  *((intOrPtr*)(__eax + __ecx));
										 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
										goto L41;
									}
								}
								goto L155;
							case 7:
								__eflags =  *(__ebp - 0x40) - 1;
								if( *(__ebp - 0x40) != 1) {
									__eax =  *(__ebp - 0x24);
									 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
									 *(__ebp - 0x20) =  *(__ebp - 0x24);
									__eax =  *(__ebp - 0x28);
									 *(__ebp - 0x24) =  *(__ebp - 0x28);
									__eax =  *(__ebp - 0x2c);
									 *(__ebp - 0x28) =  *(__ebp - 0x2c);
									__eax = 0;
									__eflags =  *(__ebp - 0x38) - 7;
									0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
									__al = __al & 0x000000fd;
									__eax = (__eflags >= 0) - 1 + 0xa;
									 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x664;
									__eflags = __eax;
									 *(__ebp - 0x58) = __eax;
									goto L68;
								} else {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 8;
									__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
								}
								goto L120;
							case 8:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
									__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
								} else {
									__eax =  *(__ebp - 0x38);
									__ecx =  *(__ebp - 4);
									__eax =  *(__ebp - 0x38) + 0xf;
									 *((intOrPtr*)(__ebp - 0x84)) = 9;
									 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
									__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c))) * 2;
								}
								goto L120;
							case 9:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									goto L88;
								} else {
									__eflags =  *(__ebp - 0x60);
									if( *(__ebp - 0x60) == 0) {
										goto L154;
									} else {
										__eax = 0;
										__eflags =  *(__ebp - 0x38) - 7;
										0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
										 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
										__eflags =  *(__ebp - 0x64);
										if( *(__ebp - 0x64) == 0) {
											 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
											goto L153;
										} else {
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											goto L78;
										}
									}
								}
								goto L155;
							case 0xa:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
									__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								} else {
									__eax =  *(__ebp - 0x28);
									goto L87;
								}
								goto L120;
							case 0xb:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__ecx =  *(__ebp - 0x24);
									__eax =  *(__ebp - 0x20);
									 *(__ebp - 0x20) =  *(__ebp - 0x24);
								} else {
									__eax =  *(__ebp - 0x24);
								}
								__ecx =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								L87:
								__ecx =  *(__ebp - 0x2c);
								 *(__ebp - 0x2c) = __eax;
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								L88:
								__eax =  *(__ebp - 4);
								 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
								__eax =  *(__ebp - 4) + 0xa68;
								 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
								L68:
								__esi =  *(__ebp - 0x58);
								 *((intOrPtr*)(__ebp - 0x84)) = 0x12;
								L120:
								 *(_t606 - 0x54) = _t604;
								goto L121;
							case 0xc:
								while(1) {
									L91:
									__eflags =  *(__ebp - 0x6c);
									if( *(__ebp - 0x6c) == 0) {
										break;
									}
									__ecx =  *(__ebp - 0x70);
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
									__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
									 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
									 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									_t322 = __ebp - 0x70;
									 *_t322 =  *(__ebp - 0x70) + 1;
									__eflags =  *_t322;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									__eax =  *(__ebp - 0x2c);
									while(1) {
										_t326 = __ebp - 0x48;
										 *_t326 =  *(__ebp - 0x48) - 1;
										__eflags =  *_t326;
										__eflags =  *(__ebp - 0x48);
										if( *(__ebp - 0x48) <= 0) {
											break;
										}
										__ecx =  *(__ebp - 0xc);
										__ebx = __ebx + __ebx;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
										__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
											__ecx =  *(__ebp - 0x10);
											 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
											__ebx = __ebx | 0x00000001;
											__eflags = __ebx;
											 *(__ebp - 0x44) = __ebx;
										}
										__eflags =  *(__ebp - 0x10) - 0x1000000;
										if( *(__ebp - 0x10) >= 0x1000000) {
											continue;
										} else {
											goto L91;
										}
										goto L155;
									}
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									while(1) {
										__eax =  *(__ebp - 0x40);
										__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
										if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
											break;
										}
										__eax =  *(__ebp - 0x50);
										 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
										__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
										__eax =  *(__ebp - 0x58);
										__esi = __edi + __eax;
										 *(__ebp - 0x54) = __esi;
										__ax =  *__esi;
										__ecx = __ax & 0x0000ffff;
										__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
										__eflags =  *(__ebp - 0xc) - __edx;
										if( *(__ebp - 0xc) >= __edx) {
											__ecx = 0;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
											__ecx = 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
											__ebx = 1;
											__ecx =  *(__ebp - 0x48);
											__ebx = 1 << __cl;
											__ecx = 1 << __cl;
											__ebx =  *(__ebp - 0x44);
											__ebx =  *(__ebp - 0x44) | __ecx;
											__cx = __ax;
											__cx = __ax >> 5;
											__eax = __eax - __ecx;
											__edi = __edi + 1;
											__eflags = __edi;
											 *(__ebp - 0x44) = __ebx;
											 *__esi = __ax;
											 *(__ebp - 0x50) = __edi;
										} else {
											 *(__ebp - 0x10) = __edx;
											0x800 = 0x800 - __ecx;
											0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
											 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
											 *__esi = __dx;
										}
										__eflags =  *(__ebp - 0x10) - 0x1000000;
										if( *(__ebp - 0x10) >= 0x1000000) {
											L103:
											_t356 = __ebp - 0x48;
											 *_t356 =  *(__ebp - 0x48) + 1;
											__eflags =  *_t356;
											continue;
										} else {
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
												goto L153;
											} else {
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t353 = __ebp - 0x70;
												 *_t353 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t353;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L103;
											}
										}
										goto L155;
									}
									_t379 = __ebp - 0x2c;
									 *_t379 =  *(__ebp - 0x2c) + __ebx;
									__eflags =  *_t379;
									_t381 = __ebp - 0x2c;
									 *_t381 =  *(__ebp - 0x2c) + 1;
									__eflags =  *_t381;
									__eax =  *(__ebp - 0x2c);
									__eflags = __eax;
									if(__eax == 0) {
										 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
										goto L153;
									} else {
										__eflags = __eax -  *(__ebp - 0x60);
										if(__eax >  *(__ebp - 0x60)) {
											goto L154;
										} else {
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
											__eax =  *(__ebp - 0x30);
											_t388 = __ebp - 0x60;
											 *_t388 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
											__eflags =  *_t388;
											while(1) {
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t402 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t402;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t402;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													goto L79;
												}
												goto L155;
											}
											 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
											goto L153;
										}
									}
									goto L155;
								}
								 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
								goto L153;
							case 0xd:
								L37:
								__eflags =  *(__ebp - 0x6c);
								if( *(__ebp - 0x6c) == 0) {
									 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
									goto L153;
								} else {
									__ecx =  *(__ebp - 0x70);
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
									__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
									 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
									 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									_t122 = __ebp - 0x70;
									 *_t122 =  *(__ebp - 0x70) + 1;
									__eflags =  *_t122;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									L39:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
										while(1) {
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t170 = __edx + 1; // 0x1
												__ebx = _t170;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												continue;
											} else {
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
													goto L153;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t156 = __ebp - 0x70;
													 *_t156 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t156;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													continue;
												}
											}
											goto L155;
										}
										goto L54;
									} else {
										__eflags = __ebx - 0x100;
										if(__ebx >= 0x100) {
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											L55:
											__al =  *(__ebp - 0x44);
											 *(__ebp - 0x5c) =  *(__ebp - 0x44);
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
												goto L153;
											} else {
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												L78:
												 *(__ebp - 0x14) = __edx;
												L79:
												 *((intOrPtr*)(__ebp - 0x88)) = 2;
												goto L1;
											}
										} else {
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										}
									}
								}
								goto L155;
						}
					}
					L154:
					_t501 = _t500 | 0xffffffff;
					goto L155;
				}
			}

0x00406b5a
0x00406b60
0x00406b64
0x00406b68
0x00406b72
0x00406b80
0x00406e59
0x00406e60
0x00406e8d
0x00406e91
0x00000000
0x00000000
0x00406e9c
0x00406ea2
0x00406ea5
0x00406ea8
0x00406eab
0x00406eae
0x00406eb4
0x00406ecd
0x00406ed0
0x00406edc
0x00406edd
0x00406ee0
0x00406eb6
0x00406eb6
0x00406ec5
0x00406ec8
0x00406ec8
0x00406eea
0x00406e8a
0x00406e8a
0x00406e8a
0x00000000
0x00406eec
0x00406e69
0x00406fa1
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x00406e6f
0x00406e75
0x00406e7c
0x00406e84
0x00406e84
0x00406e87
0x00000000
0x00406e87
0x00406e69
0x00406fc3
0x00406fc7
0x00406fc7
0x00406efe
0x00406f01
0x00406e0d
0x00406e0d
0x00406e0d
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406de0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de2
0x00406de6
0x00406f95
0x00000000
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00406e07
0x00406e07
0x00000000
0x00406e07
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x004069da
0x00000000
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00406a7b
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00000000
0x00406fc0

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
Instruction ID: 6855221002494b765214394805571b816b3a2b1c2e31bdc36608bad3b484bcdf
Opcode Fuzzy Hash: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
Instruction Fuzzy Hash: FEA13271E00229CBDF28CFA8C8446ADBBB1FF44305F15856EE816BB281C7795A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406D5B Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406D5B() {
				void _t501;
				signed int _t502;
				signed int _t503;
				signed int _t535;
				signed int* _t573;
				void* _t580;

				if( *(_t580 - 0x40) != 0) {
					 *(_t580 - 0x84) = 0x13;
					_t573 =  *((intOrPtr*)(_t580 - 0x58)) + 2;
					goto L121;
				} else {
					__eax =  *(__ebp - 0x4c);
					 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
					__ecx =  *(__ebp - 0x58);
					__eax =  *(__ebp - 0x4c) << 4;
					__eax =  *(__ebp - 0x58) + __eax + 4;
					 *(__ebp - 0x58) = __eax;
					 *(__ebp - 0x40) = 3;
					 *(__ebp - 0x7c) = 0x14;
					__eax =  *(__ebp - 0x40);
					 *(__ebp - 0x50) = 1;
					 *(__ebp - 0x48) =  *(__ebp - 0x40);
					while(1) {
						if( *(__ebp - 0x48) <= 0) {
							break;
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							L134:
							_t458 = __ebp - 0x48;
							 *_t458 =  *(__ebp - 0x48) - 1;
							continue;
						} else {
							if( *(__ebp - 0x6c) == 0) {
								 *((intOrPtr*)(__ebp - 0x88)) = 0x18;
								L155:
								_t535 = 0x22;
								memcpy( *(_t580 - 0x90), _t580 - 0x88, _t535 << 2);
								_t503 = 0;
							} else {
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t455 = __ebp - 0x70;
								 *_t455 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L134;
							}
						}
						goto L157;
					}
					__ecx =  *(__ebp - 0x40);
					__ebx =  *(__ebp - 0x50);
					0 = 1;
					__eax = 1 << __cl;
					__ebx =  *(__ebp - 0x50) - (1 << __cl);
					__eax =  *(__ebp - 0x7c);
					 *(__ebp - 0x44) = __ebx;
					L129:
					 *(_t580 - 0x88) = _t501;
					while(1) {
						L1:
						_t502 =  *(_t580 - 0x88);
						if(_t502 > 0x1c) {
							break;
						}
						switch( *((intOrPtr*)(_t502 * 4 +  &M00406FC8))) {
							case 0:
								if( *(_t580 - 0x6c) == 0) {
									goto L155;
								} else {
									 *(_t580 - 0x6c) =  *(_t580 - 0x6c) - 1;
									 *(_t580 - 0x70) =  &(( *(_t580 - 0x70))[1]);
									_t502 =  *( *(_t580 - 0x70));
									if(_t502 > 0xe1) {
										goto L156;
									} else {
										_t506 = _t502 & 0x000000ff;
										_push(0x2d);
										asm("cdq");
										_pop(_t537);
										_push(9);
										_pop(_t538);
										_t576 = _t506 / _t537;
										_t508 = _t506 % _t537 & 0x000000ff;
										asm("cdq");
										_t571 = _t508 % _t538 & 0x000000ff;
										 *(_t580 - 0x3c) = _t571;
										 *(_t580 - 0x1c) = (1 << _t576) - 1;
										 *((intOrPtr*)(_t580 - 0x18)) = (1 << _t508 / _t538) - 1;
										_t579 = (0x300 << _t571 + _t576) + 0x736;
										if(0x600 ==  *((intOrPtr*)(_t580 - 0x78))) {
											L10:
											if(_t579 != 0) {
												do {
													_t579 = _t579 - 1;
													 *((short*)( *(_t580 - 4) + _t579 * 2)) = 0x400;
												} while (_t579 != 0);
											}
											 *(_t580 - 0x48) =  *(_t580 - 0x48) & 0x00000000;
											 *(_t580 - 0x40) =  *(_t580 - 0x40) & 0x00000000;
											goto L15;
										} else {
											if( *(_t580 - 4) != 0) {
												GlobalFree( *(_t580 - 4));
											}
											_t502 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t580 - 4) = _t502;
											if(_t502 == 0) {
												goto L156;
											} else {
												 *((intOrPtr*)(_t580 - 0x78)) = 0x600;
												goto L10;
											}
										}
									}
								}
								goto L157;
							case 1:
								L13:
								__eflags =  *(_t580 - 0x6c);
								if( *(_t580 - 0x6c) == 0) {
									 *(_t580 - 0x88) = 1;
									goto L155;
								} else {
									 *(_t580 - 0x6c) =  *(_t580 - 0x6c) - 1;
									 *(_t580 - 0x40) =  *(_t580 - 0x40) | ( *( *(_t580 - 0x70)) & 0x000000ff) <<  *(_t580 - 0x48) << 0x00000003;
									 *(_t580 - 0x70) =  &(( *(_t580 - 0x70))[1]);
									_t45 = _t580 - 0x48;
									 *_t45 =  *(_t580 - 0x48) + 1;
									__eflags =  *_t45;
									L15:
									if( *(_t580 - 0x48) < 4) {
										goto L13;
									} else {
										_t514 =  *(_t580 - 0x40);
										if(_t514 ==  *(_t580 - 0x74)) {
											L20:
											 *(_t580 - 0x48) = 5;
											 *( *(_t580 - 8) +  *(_t580 - 0x74) - 1) =  *( *(_t580 - 8) +  *(_t580 - 0x74) - 1) & 0x00000000;
											goto L23;
										} else {
											 *(_t580 - 0x74) = _t514;
											if( *(_t580 - 8) != 0) {
												GlobalFree( *(_t580 - 8));
											}
											_t502 = GlobalAlloc(0x40,  *(_t580 - 0x40)); // executed
											 *(_t580 - 8) = _t502;
											if(_t502 == 0) {
												goto L156;
											} else {
												goto L20;
											}
										}
									}
								}
								goto L157;
							case 2:
								L24:
								_t521 =  *(_t580 - 0x60) &  *(_t580 - 0x1c);
								 *(_t580 - 0x84) = 6;
								 *(_t580 - 0x4c) = _t521;
								_t573 =  *(_t580 - 4) + (( *(_t580 - 0x38) << 4) + _t521) * 2;
								goto L121;
							case 3:
								L21:
								__eflags =  *(_t580 - 0x6c);
								if( *(_t580 - 0x6c) == 0) {
									 *(_t580 - 0x88) = 3;
									goto L155;
								} else {
									 *(_t580 - 0x6c) =  *(_t580 - 0x6c) - 1;
									_t67 = _t580 - 0x70;
									 *_t67 =  &(( *(_t580 - 0x70))[1]);
									__eflags =  *_t67;
									 *(_t580 - 0xc) =  *(_t580 - 0xc) << 0x00000008 |  *( *(_t580 - 0x70)) & 0x000000ff;
									L23:
									 *(_t580 - 0x48) =  *(_t580 - 0x48) - 1;
									if( *(_t580 - 0x48) != 0) {
										goto L21;
									} else {
										goto L24;
									}
								}
								goto L157;
							case 4:
								L122:
								_t499 =  *_t573;
								_t556 = _t499 & 0x0000ffff;
								_t532 = ( *(_t580 - 0x10) >> 0xb) * _t556;
								if( *(_t580 - 0xc) >= _t532) {
									 *(_t580 - 0x10) =  *(_t580 - 0x10) - _t532;
									 *(_t580 - 0xc) =  *(_t580 - 0xc) - _t532;
									 *(_t580 - 0x40) = 1;
									_t500 = _t499 - (_t499 >> 5);
									__eflags = _t500;
									 *_t573 = _t500;
								} else {
									 *(_t580 - 0x10) = _t532;
									 *(_t580 - 0x40) =  *(_t580 - 0x40) & 0x00000000;
									 *_t573 = (0x800 - _t556 >> 5) + _t499;
								}
								if( *(_t580 - 0x10) >= 0x1000000) {
									goto L128;
								} else {
									goto L126;
								}
								goto L157;
							case 5:
								L126:
								if( *(_t580 - 0x6c) == 0) {
									 *(_t580 - 0x88) = 5;
									goto L155;
								} else {
									 *(_t580 - 0x10) =  *(_t580 - 0x10) << 8;
									 *(_t580 - 0x6c) =  *(_t580 - 0x6c) - 1;
									 *(_t580 - 0x70) =  &(( *(_t580 - 0x70))[1]);
									 *(_t580 - 0xc) =  *(_t580 - 0xc) << 0x00000008 |  *( *(_t580 - 0x70)) & 0x000000ff;
									L128:
									_t501 =  *(_t580 - 0x84);
									goto L129;
								}
								goto L157;
							case 6:
								__edx = 0;
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *(__ebp - 0x34) = 1;
									 *((intOrPtr*)(__ebp - 0x84)) = 7;
									__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
									goto L121;
								} else {
									__eax =  *(__ebp - 0x5c) & 0x000000ff;
									__esi =  *(__ebp - 0x60);
									__cl = 8;
									__cl = 8 -  *(__ebp - 0x3c);
									__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
									__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
									__ecx =  *(__ebp - 0x3c);
									__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
									__ecx =  *(__ebp - 4);
									(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
									__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
									__eflags =  *(__ebp - 0x38) - 4;
									__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
									 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
									if( *(__ebp - 0x38) >= 4) {
										__eflags =  *(__ebp - 0x38) - 0xa;
										if( *(__ebp - 0x38) >= 0xa) {
											_t98 = __ebp - 0x38;
											 *_t98 =  *(__ebp - 0x38) - 6;
											__eflags =  *_t98;
										} else {
											 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
										}
									} else {
										 *(__ebp - 0x38) = 0;
									}
									__eflags =  *(__ebp - 0x34) - __edx;
									if( *(__ebp - 0x34) == __edx) {
										__ebx = 0;
										__ebx = 1;
										do {
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L59;
											} else {
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
													goto L155;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t203 = __ebp - 0x70;
													 *_t203 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t203;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													goto L59;
												}
											}
											goto L157;
											L59:
											__eflags = __ebx - 0x100;
										} while (__ebx < 0x100);
										goto L55;
									} else {
										__eax =  *(__ebp - 0x14);
										__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
										__eflags = __eax -  *(__ebp - 0x74);
										if(__eax >=  *(__ebp - 0x74)) {
											__eax = __eax +  *(__ebp - 0x74);
											__eflags = __eax;
										}
										__ecx =  *(__ebp - 8);
										__ebx = 0;
										__ebx = 1;
										__al =  *((intOrPtr*)(__eax + __ecx));
										 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
										goto L41;
									}
								}
								goto L157;
							case 7:
								__eflags =  *(__ebp - 0x40) - 1;
								if( *(__ebp - 0x40) != 1) {
									__eax =  *(__ebp - 0x24);
									 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
									 *(__ebp - 0x20) =  *(__ebp - 0x24);
									__eax =  *(__ebp - 0x28);
									 *(__ebp - 0x24) =  *(__ebp - 0x28);
									__eax =  *(__ebp - 0x2c);
									 *(__ebp - 0x28) =  *(__ebp - 0x2c);
									__eax = 0;
									__eflags =  *(__ebp - 0x38) - 7;
									0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
									__al = __al & 0x000000fd;
									__eax = (__eflags >= 0) - 1 + 0xa;
									 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x664;
									__eflags = __eax;
									 *(__ebp - 0x58) = __eax;
									goto L68;
								} else {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 8;
									__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
								}
								goto L121;
							case 8:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
									__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
								} else {
									__eax =  *(__ebp - 0x38);
									__ecx =  *(__ebp - 4);
									__eax =  *(__ebp - 0x38) + 0xf;
									 *((intOrPtr*)(__ebp - 0x84)) = 9;
									 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
									__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
								}
								goto L121;
							case 9:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									goto L88;
								} else {
									__eflags =  *(__ebp - 0x60);
									if( *(__ebp - 0x60) == 0) {
										goto L156;
									} else {
										__eax = 0;
										__eflags =  *(__ebp - 0x38) - 7;
										0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
										 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
										__eflags =  *(__ebp - 0x64);
										if( *(__ebp - 0x64) == 0) {
											 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
											goto L155;
										} else {
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											goto L78;
										}
									}
								}
								goto L157;
							case 0xa:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
									__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								} else {
									__eax =  *(__ebp - 0x28);
									goto L87;
								}
								goto L121;
							case 0xb:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__ecx =  *(__ebp - 0x24);
									__eax =  *(__ebp - 0x20);
									 *(__ebp - 0x20) =  *(__ebp - 0x24);
								} else {
									__eax =  *(__ebp - 0x24);
								}
								__ecx =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								L87:
								__ecx =  *(__ebp - 0x2c);
								 *(__ebp - 0x2c) = __eax;
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								L88:
								__eax =  *(__ebp - 4);
								 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
								__eax =  *(__ebp - 4) + 0xa68;
								 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
								L68:
								__esi =  *(__ebp - 0x58);
								 *((intOrPtr*)(__ebp - 0x84)) = 0x12;
								L121:
								 *(_t580 - 0x54) = _t573;
								goto L122;
							case 0xc:
								while(1) {
									L89:
									__eflags =  *(__ebp - 0x6c);
									if( *(__ebp - 0x6c) == 0) {
										break;
									}
									__ecx =  *(__ebp - 0x70);
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
									__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
									 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
									 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									_t316 = __ebp - 0x70;
									 *_t316 =  *(__ebp - 0x70) + 1;
									__eflags =  *_t316;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									__eax =  *(__ebp - 0x2c);
									while(1) {
										_t320 = __ebp - 0x48;
										 *_t320 =  *(__ebp - 0x48) - 1;
										__eflags =  *_t320;
										__eflags =  *(__ebp - 0x48);
										if( *(__ebp - 0x48) <= 0) {
											break;
										}
										__ecx =  *(__ebp - 0xc);
										__ebx = __ebx + __ebx;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
										__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
											__ecx =  *(__ebp - 0x10);
											 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
											__ebx = __ebx | 0x00000001;
											__eflags = __ebx;
											 *(__ebp - 0x44) = __ebx;
										}
										__eflags =  *(__ebp - 0x10) - 0x1000000;
										if( *(__ebp - 0x10) >= 0x1000000) {
											continue;
										} else {
											goto L89;
										}
										goto L157;
									}
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									while(1) {
										__eax =  *(__ebp - 0x40);
										__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
										if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
											break;
										}
										__eax =  *(__ebp - 0x50);
										 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
										__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
										__eax =  *(__ebp - 0x58);
										__esi = __edi + __eax;
										 *(__ebp - 0x54) = __esi;
										__ax =  *__esi;
										__ecx = __ax & 0x0000ffff;
										__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
										__eflags =  *(__ebp - 0xc) - __edx;
										if( *(__ebp - 0xc) >= __edx) {
											__ecx = 0;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
											__ecx = 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
											__ebx = 1;
											__ecx =  *(__ebp - 0x48);
											__ebx = 1 << __cl;
											__ecx = 1 << __cl;
											__ebx =  *(__ebp - 0x44);
											__ebx =  *(__ebp - 0x44) | __ecx;
											__cx = __ax;
											__cx = __ax >> 5;
											__eax = __eax - __ecx;
											__edi = __edi + 1;
											__eflags = __edi;
											 *(__ebp - 0x44) = __ebx;
											 *__esi = __ax;
											 *(__ebp - 0x50) = __edi;
										} else {
											 *(__ebp - 0x10) = __edx;
											0x800 = 0x800 - __ecx;
											0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
											 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
											 *__esi = __dx;
										}
										__eflags =  *(__ebp - 0x10) - 0x1000000;
										if( *(__ebp - 0x10) >= 0x1000000) {
											L101:
											_t350 = __ebp - 0x48;
											 *_t350 =  *(__ebp - 0x48) + 1;
											__eflags =  *_t350;
											continue;
										} else {
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
												goto L155;
											} else {
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t347 = __ebp - 0x70;
												 *_t347 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t347;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L101;
											}
										}
										goto L157;
									}
									_t373 = __ebp - 0x2c;
									 *_t373 =  *(__ebp - 0x2c) + __ebx;
									__eflags =  *_t373;
									_t375 = __ebp - 0x2c;
									 *_t375 =  *(__ebp - 0x2c) + 1;
									__eflags =  *_t375;
									__eax =  *(__ebp - 0x2c);
									__eflags = __eax;
									if(__eax == 0) {
										 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
										goto L155;
									} else {
										__eflags = __eax -  *(__ebp - 0x60);
										if(__eax >  *(__ebp - 0x60)) {
											goto L156;
										} else {
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
											__eax =  *(__ebp - 0x30);
											_t382 = __ebp - 0x60;
											 *_t382 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
											__eflags =  *_t382;
											while(1) {
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t396 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t396;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t396;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													goto L79;
												}
												goto L157;
											}
											 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
											goto L155;
										}
									}
									goto L157;
								}
								 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
								goto L155;
							case 0xd:
								L37:
								__eflags =  *(__ebp - 0x6c);
								if( *(__ebp - 0x6c) == 0) {
									 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
									goto L155;
								} else {
									__ecx =  *(__ebp - 0x70);
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
									__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
									 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
									 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									_t122 = __ebp - 0x70;
									 *_t122 =  *(__ebp - 0x70) + 1;
									__eflags =  *_t122;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									L39:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
										while(1) {
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t170 = __edx + 1; // 0x1
												__ebx = _t170;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												continue;
											} else {
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
													goto L155;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t156 = __ebp - 0x70;
													 *_t156 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t156;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													continue;
												}
											}
											goto L157;
										}
										goto L54;
									} else {
										__eflags = __ebx - 0x100;
										if(__ebx >= 0x100) {
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											L55:
											__al =  *(__ebp - 0x44);
											 *(__ebp - 0x5c) =  *(__ebp - 0x44);
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
												goto L155;
											} else {
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												L78:
												 *(__ebp - 0x14) = __edx;
												L79:
												 *((intOrPtr*)(__ebp - 0x88)) = 2;
												goto L1;
											}
										} else {
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										}
									}
								}
								goto L157;
						}
					}
					L156:
					_t503 = _t502 | 0xffffffff;
				}
				L157:
				return _t503;
			}

0x00406d5f
0x00406d84
0x00406d8e
0x00000000
0x00406d61
0x00406d61
0x00406d64
0x00406d68
0x00406d6b
0x00406d6e
0x00406d72
0x00406d75
0x00406e4f
0x00406e56
0x00406e59
0x00406e60
0x00406e8d
0x00406e91
0x00000000
0x00000000
0x00406e93
0x00406e99
0x00406e9c
0x00406e9f
0x00406ea2
0x00406ea5
0x00406ea8
0x00406eab
0x00406eae
0x00406eb4
0x00406ecd
0x00406ed0
0x00406ed3
0x00406ed6
0x00406eda
0x00406edc
0x00406edd
0x00406ee0
0x00406eb6
0x00406eb6
0x00406ebe
0x00406ec3
0x00406ec5
0x00406ec8
0x00406ec8
0x00406eea
0x00406e8a
0x00406e8a
0x00406e8a
0x00000000
0x00406eec
0x00406e69
0x00406fa1
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x00406e6f
0x00406e6f
0x00406e72
0x00406e75
0x00406e79
0x00406e7c
0x00406e82
0x00406e84
0x00406e84
0x00406e87
0x00000000
0x00406e87
0x00406e69
0x00000000
0x00406eea
0x00406ef1
0x00406ef4
0x00406ef9
0x00406efa
0x00406efc
0x00406efe
0x00406f01
0x00406e0d
0x00406e0d
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406de0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de2
0x00406de6
0x00406f95
0x00000000
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00406e07
0x00406e07
0x00000000
0x00406e07
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x004069da
0x00000000
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00406a7b
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00406fc0
0x00406fc3
0x00406fc7

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
Instruction ID: 6c4a77322bd37e7d8c46b95768b691bf5348243e95b36c4706824fec2f4d082d
Opcode Fuzzy Hash: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
Instruction Fuzzy Hash: A0911170D00229CBDF28CF98C8587ADBBB1FF44305F15856AE816BB281C7795A96DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00406A71 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406A71(void* __ebx) {
				void* _t453;
				signed int _t454;
				void* _t532;

				L0:
				while(1) {
					L0:
					if( *(_t532 - 0x40) != 0) {
						L87:
						 *((intOrPtr*)(_t532 - 0x80)) = 0x15;
						 *(_t532 - 0x58) =  *(_t532 - 4) + 0xa68;
						goto L68;
					} else {
						if( *(__ebp - 0x60) == 0) {
							L139:
							_t454 = _t453 | 0xffffffff;
						} else {
							__eax = 0;
							0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
							 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
							if( *(__ebp - 0x64) == 0) {
								 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
								goto L138;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t274 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t274;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								_t283 = __ebp - 0x64;
								 *_t283 =  *(__ebp - 0x64) - 1;
								 *( *(__ebp - 0x68)) = __cl;
								L77:
								 *(__ebp - 0x14) = __edx;
								L78:
								 *((intOrPtr*)(__ebp - 0x88)) = 2;
								L1:
								_t453 =  *(_t532 - 0x88);
								if(_t453 > 0x1c) {
									goto L139;
								} else {
									switch( *((intOrPtr*)(_t453 * 4 +  &M00406FC8))) {
										case 0:
											if( *(_t532 - 0x6c) == 0) {
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
												_t453 =  *( *(_t532 - 0x70));
												if(_t453 > 0xe1) {
													goto L139;
												} else {
													_t457 = _t453 & 0x000000ff;
													_push(0x2d);
													asm("cdq");
													_pop(_t489);
													_push(9);
													_pop(_t490);
													_t528 = _t457 / _t489;
													_t459 = _t457 % _t489 & 0x000000ff;
													asm("cdq");
													_t523 = _t459 % _t490 & 0x000000ff;
													 *(_t532 - 0x3c) = _t523;
													 *(_t532 - 0x1c) = (1 << _t528) - 1;
													 *((intOrPtr*)(_t532 - 0x18)) = (1 << _t459 / _t490) - 1;
													_t531 = (0x300 << _t523 + _t528) + 0x736;
													if(0x600 ==  *((intOrPtr*)(_t532 - 0x78))) {
														L10:
														if(_t531 != 0) {
															do {
																_t531 = _t531 - 1;
																 *((short*)( *(_t532 - 4) + _t531 * 2)) = 0x400;
															} while (_t531 != 0);
														}
														 *(_t532 - 0x48) =  *(_t532 - 0x48) & 0x00000000;
														 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
														goto L15;
													} else {
														if( *(_t532 - 4) != 0) {
															GlobalFree( *(_t532 - 4));
														}
														_t453 = GlobalAlloc(0x40, 0x600); // executed
														 *(_t532 - 4) = _t453;
														if(_t453 == 0) {
															goto L139;
														} else {
															 *((intOrPtr*)(_t532 - 0x78)) = 0x600;
															goto L10;
														}
													}
												}
											}
											goto L140;
										case 1:
											L13:
											__eflags =  *(_t532 - 0x6c);
											if( *(_t532 - 0x6c) == 0) {
												 *(_t532 - 0x88) = 1;
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												 *(_t532 - 0x40) =  *(_t532 - 0x40) | ( *( *(_t532 - 0x70)) & 0x000000ff) <<  *(_t532 - 0x48) << 0x00000003;
												 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
												_t45 = _t532 - 0x48;
												 *_t45 =  *(_t532 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t532 - 0x48) < 4) {
													goto L13;
												} else {
													_t465 =  *(_t532 - 0x40);
													if(_t465 ==  *(_t532 - 0x74)) {
														L20:
														 *(_t532 - 0x48) = 5;
														 *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) =  *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) & 0x00000000;
														goto L23;
													} else {
														 *(_t532 - 0x74) = _t465;
														if( *(_t532 - 8) != 0) {
															GlobalFree( *(_t532 - 8));
														}
														_t453 = GlobalAlloc(0x40,  *(_t532 - 0x40)); // executed
														 *(_t532 - 8) = _t453;
														if(_t453 == 0) {
															goto L139;
														} else {
															goto L20;
														}
													}
												}
											}
											goto L140;
										case 2:
											L24:
											_t472 =  *(_t532 - 0x60) &  *(_t532 - 0x1c);
											 *(_t532 - 0x84) = 6;
											 *(_t532 - 0x4c) = _t472;
											_t525 =  *(_t532 - 4) + (( *(_t532 - 0x38) << 4) + _t472) * 2;
											goto L117;
										case 3:
											L21:
											__eflags =  *(_t532 - 0x6c);
											if( *(_t532 - 0x6c) == 0) {
												 *(_t532 - 0x88) = 3;
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												_t67 = _t532 - 0x70;
												 *_t67 =  &(( *(_t532 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
												L23:
												 *(_t532 - 0x48) =  *(_t532 - 0x48) - 1;
												if( *(_t532 - 0x48) != 0) {
													goto L21;
												} else {
													goto L24;
												}
											}
											goto L140;
										case 4:
											L118:
											_t450 =  *_t525;
											_t508 = _t450 & 0x0000ffff;
											_t484 = ( *(_t532 - 0x10) >> 0xb) * _t508;
											if( *(_t532 - 0xc) >= _t484) {
												 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t484;
												 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t484;
												 *(_t532 - 0x40) = 1;
												_t451 = _t450 - (_t450 >> 5);
												__eflags = _t451;
												 *_t525 = _t451;
											} else {
												 *(_t532 - 0x10) = _t484;
												 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
												 *_t525 = (0x800 - _t508 >> 5) + _t450;
											}
											if( *(_t532 - 0x10) >= 0x1000000) {
												goto L124;
											} else {
												goto L122;
											}
											goto L140;
										case 5:
											L122:
											if( *(_t532 - 0x6c) == 0) {
												 *(_t532 - 0x88) = 5;
												goto L138;
											} else {
												 *(_t532 - 0x10) =  *(_t532 - 0x10) << 8;
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
												 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
												L124:
												_t452 =  *(_t532 - 0x84);
												 *(_t532 - 0x88) = _t452;
												goto L1;
											}
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *((intOrPtr*)(__ebp - 0x84)) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L117;
											} else {
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													do {
														__eax =  *(__ebp - 0x58);
														__edx = __ebx + __ebx;
														__ecx =  *(__ebp - 0x10);
														__esi = __edx + __eax;
														__ecx =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edi = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															_t217 = __edx + 1; // 0x1
															__ebx = _t217;
															__cx = __ax >> 5;
															__eflags = __eax;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edi;
															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															goto L59;
														} else {
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																_t203 = __ebp - 0x70;
																 *_t203 =  *(__ebp - 0x70) + 1;
																__eflags =  *_t203;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																goto L59;
															}
														}
														goto L140;
														L59:
														__eflags = __ebx - 0x100;
													} while (__ebx < 0x100);
													goto L55;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											}
											goto L140;
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												L68:
												_t525 =  *(_t532 - 0x58);
												 *(_t532 - 0x84) = 0x12;
											} else {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *((intOrPtr*)(__ebp - 0x84)) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											}
											goto L117;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *((intOrPtr*)(__ebp - 0x84)) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c))) * 2;
											}
											goto L117;
										case 9:
											goto L0;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x28);
												goto L86;
											}
											L117:
											 *(_t532 - 0x54) = _t525;
											goto L118;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L86:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											goto L87;
										case 0xc:
											while(1) {
												L88:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													break;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t315 = __ebp - 0x70;
												 *_t315 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t315;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												while(1) {
													_t319 = __ebp - 0x48;
													 *_t319 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t319;
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														break;
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L88;
													}
													goto L140;
												}
												__eax = __eax + __ebx;
												 *(__ebp - 0x40) = 4;
												 *(__ebp - 0x2c) = __eax;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x644;
												__eflags = __eax;
												__ebx = 0;
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x44) = 0;
												 *(__ebp - 0x48) = 0;
												while(1) {
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														break;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L100:
														_t349 = __ebp - 0x48;
														 *_t349 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t349;
														continue;
													} else {
														__eflags =  *(__ebp - 0x6c);
														if( *(__ebp - 0x6c) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
															goto L138;
														} else {
															__ecx =  *(__ebp - 0x70);
															__eax =  *(__ebp - 0xc);
															 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
															__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
															 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
															 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															_t346 = __ebp - 0x70;
															 *_t346 =  *(__ebp - 0x70) + 1;
															__eflags =  *_t346;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															goto L100;
														}
													}
													goto L140;
												}
												_t372 = __ebp - 0x2c;
												 *_t372 =  *(__ebp - 0x2c) + __ebx;
												__eflags =  *_t372;
												_t374 = __ebp - 0x2c;
												 *_t374 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t374;
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L138;
												} else {
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L139;
													} else {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
														__eax =  *(__ebp - 0x30);
														_t381 = __ebp - 0x60;
														 *_t381 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
														__eflags =  *_t381;
														while(1) {
															__eflags =  *(__ebp - 0x64);
															if( *(__ebp - 0x64) == 0) {
																break;
															}
															__eax =  *(__ebp - 0x14);
															__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
															__eflags = __eax -  *(__ebp - 0x74);
															if(__eax >=  *(__ebp - 0x74)) {
																__eax = __eax +  *(__ebp - 0x74);
																__eflags = __eax;
															}
															__edx =  *(__ebp - 8);
															__cl =  *(__eax + __edx);
															__eax =  *(__ebp - 0x14);
															 *(__ebp - 0x5c) = __cl;
															 *(__eax + __edx) = __cl;
															__eax = __eax + 1;
															__edx = 0;
															_t395 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t395;
															__eax =  *(__ebp - 0x68);
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
															 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
															__eflags =  *(__ebp - 0x30);
															 *( *(__ebp - 0x68)) = __cl;
															 *(__ebp - 0x14) = _t395;
															if( *(__ebp - 0x30) > 0) {
																continue;
															} else {
																goto L78;
															}
															goto L140;
														}
														 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
														goto L138;
													}
												}
												goto L140;
											}
											 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
											goto L138;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
												goto L138;
											} else {
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													while(1) {
														__eflags = __ebx - 0x100;
														if(__ebx >= 0x100) {
															goto L54;
														}
														__eax =  *(__ebp - 0x58);
														__edx = __ebx + __ebx;
														__ecx =  *(__ebp - 0x10);
														__esi = __edx + __eax;
														__ecx =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edi = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															_t170 = __edx + 1; // 0x1
															__ebx = _t170;
															__cx = __ax >> 5;
															__eflags = __eax;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edi;
															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															continue;
														} else {
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																_t156 = __ebp - 0x70;
																 *_t156 =  *(__ebp - 0x70) + 1;
																__eflags =  *_t156;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																continue;
															}
														}
														goto L140;
													}
													goto L54;
												} else {
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														L54:
														_t173 = __ebp - 0x34;
														 *_t173 =  *(__ebp - 0x34) & 0x00000000;
														__eflags =  *_t173;
														L55:
														__al =  *(__ebp - 0x44);
														 *(__ebp - 0x5c) =  *(__ebp - 0x44);
														__eflags =  *(__ebp - 0x64);
														if( *(__ebp - 0x64) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
															L138:
															_push(0x22);
															_pop(_t487);
															memcpy( *(_t532 - 0x90), _t532 - 0x88, _t487 << 2);
															_t454 = 0;
														} else {
															__ecx =  *(__ebp - 0x68);
															__al =  *(__ebp - 0x5c);
															__edx =  *(__ebp - 8);
															 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
															 *( *(__ebp - 0x68)) = __al;
															__ecx =  *(__ebp - 0x14);
															 *(__ecx +  *(__ebp - 8)) = __al;
															__eax = __ecx + 1;
															__edx = 0;
															_t192 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t192;
															goto L77;
														}
													} else {
														L41:
														__eax =  *(__ebp - 0x5b) & 0x000000ff;
														 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
														__ecx =  *(__ebp - 0x58);
														__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
														 *(__ebp - 0x48) = __eax;
														__eax = __eax + 1;
														__eax = __eax << 8;
														__eax = __eax + __ebx;
														__esi =  *(__ebp - 0x58) + __eax * 2;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edx = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															 *(__ebp - 0x40) = 1;
															__cx = __ax >> 5;
															__eflags = __eax;
															__ebx = __ebx + __ebx + 1;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edx;
															0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															goto L39;
														} else {
															goto L37;
														}
													}
												}
											}
											goto L140;
									}
								}
							}
						}
					}
					L140:
					return _t454;
				}
			}

0x00000000
0x00406a71
0x00406a71
0x00406a75
0x00406b2c
0x00406b2f
0x00406b3b
0x00000000
0x00406a7b
0x00406a7f
0x00406fc0
0x00406fc0
0x00406a85
0x00406a85
0x00406a8e
0x00406a92
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406ace
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x004065b8
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406de0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de2
0x00406de6
0x00406f95
0x00000000
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00406e07
0x00406e07
0x00406e0d
0x00000000
0x00406e0d
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00406a1c
0x00406a1c
0x00406a1f
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x004069da
0x00000000
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00406fab
0x00406fb1
0x00406fb3
0x00406fba
0x00406fbc
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00000000
0x00406933
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x004065b2
0x00406a99
0x00406a7f
0x00406fc3
0x00406fc7
0x00406fc7

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7db08be09974c8046cad88b73edbb403e33193446cf3f9fa5a5555e34d97c1
Instruction ID: 723f18ff0051ee6ad4f375e9cb18d989a687bb59657bcd06a5bbc8819a965d11
Opcode Fuzzy Hash: ec7db08be09974c8046cad88b73edbb403e33193446cf3f9fa5a5555e34d97c1
Instruction Fuzzy Hash: F5814371E00229CFDF24CFA8C8847ADBBB1FB44305F25856AD416BB281C7389A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004069C4 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004069C4(void* __ebx) {
				unsigned short _t458;
				void _t460;
				signed int _t461;
				signed int _t462;
				signed int _t492;
				signed int _t495;
				signed int _t516;
				short* _t533;
				void* _t540;

				L0:
				while(1) {
					L0:
					if( *(_t540 - 0x40) != 1) {
						 *((intOrPtr*)(_t540 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t540 - 0x20)) =  *((intOrPtr*)(_t540 - 0x24));
						 *((intOrPtr*)(_t540 - 0x24)) =  *((intOrPtr*)(_t540 - 0x28));
						 *((intOrPtr*)(_t540 - 0x28)) =  *((intOrPtr*)(_t540 - 0x2c));
						 *(_t540 - 0x38) = ((0 |  *(_t540 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						 *((intOrPtr*)(_t540 - 0x58)) =  *(_t540 - 4) + 0x664;
						goto L67;
					} else {
						 *((intOrPtr*)(__ebp - 0x84)) = 8;
						while(1) {
							L117:
							 *((intOrPtr*)(_t540 - 0x54)) = _t533;
							while(1) {
								L118:
								_t458 =  *_t533;
								_t516 = _t458 & 0x0000ffff;
								_t492 = ( *(_t540 - 0x10) >> 0xb) * _t516;
								if( *(_t540 - 0xc) >= _t492) {
									 *(_t540 - 0x10) =  *(_t540 - 0x10) - _t492;
									 *(_t540 - 0xc) =  *(_t540 - 0xc) - _t492;
									 *(_t540 - 0x40) = 1;
									 *_t533 = _t458 - (_t458 >> 5);
								} else {
									 *(_t540 - 0x10) = _t492;
									 *(_t540 - 0x40) =  *(_t540 - 0x40) & 0x00000000;
									 *_t533 = (0x800 - _t516 >> 5) + _t458;
								}
								L121:
								if( *(_t540 - 0x10) >= 0x1000000) {
									L124:
									_t460 =  *(_t540 - 0x84);
									 *(_t540 - 0x88) = _t460;
									while(1) {
										L1:
										_t461 =  *(_t540 - 0x88);
										if(_t461 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t461 * 4 +  &M00406FC8))) {
											case 0:
												if( *((intOrPtr*)(_t540 - 0x6c)) == 0) {
													goto L138;
												} else {
													 *((intOrPtr*)(_t540 - 0x6c)) =  *((intOrPtr*)(_t540 - 0x6c)) - 1;
													 *(_t540 - 0x70) =  &(( *(_t540 - 0x70))[1]);
													_t461 =  *( *(_t540 - 0x70));
													if(_t461 > 0xe1) {
														goto L139;
													} else {
														_t465 = _t461 & 0x000000ff;
														_push(0x2d);
														asm("cdq");
														_pop(_t497);
														_push(9);
														_pop(_t498);
														_t536 = _t465 / _t497;
														_t467 = _t465 % _t497 & 0x000000ff;
														asm("cdq");
														_t531 = _t467 % _t498 & 0x000000ff;
														 *(_t540 - 0x3c) = _t531;
														 *(_t540 - 0x1c) = (1 << _t536) - 1;
														 *((intOrPtr*)(_t540 - 0x18)) = (1 << _t467 / _t498) - 1;
														_t539 = (0x300 << _t531 + _t536) + 0x736;
														if(0x600 ==  *((intOrPtr*)(_t540 - 0x78))) {
															L10:
															if(_t539 != 0) {
																do {
																	_t539 = _t539 - 1;
																	 *((short*)( *(_t540 - 4) + _t539 * 2)) = 0x400;
																} while (_t539 != 0);
															}
															 *(_t540 - 0x48) =  *(_t540 - 0x48) & 0x00000000;
															 *(_t540 - 0x40) =  *(_t540 - 0x40) & 0x00000000;
															goto L15;
														} else {
															if( *(_t540 - 4) != 0) {
																GlobalFree( *(_t540 - 4));
															}
															_t461 = GlobalAlloc(0x40, 0x600); // executed
															 *(_t540 - 4) = _t461;
															if(_t461 == 0) {
																goto L139;
															} else {
																 *((intOrPtr*)(_t540 - 0x78)) = 0x600;
																goto L10;
															}
														}
													}
												}
												goto L140;
											case 1:
												L13:
												if( *((intOrPtr*)(_t540 - 0x6c)) == 0) {
													 *(_t540 - 0x88) = 1;
													goto L138;
												} else {
													 *((intOrPtr*)(_t540 - 0x6c)) =  *((intOrPtr*)(_t540 - 0x6c)) - 1;
													 *(_t540 - 0x40) =  *(_t540 - 0x40) | ( *( *(_t540 - 0x70)) & 0x000000ff) <<  *(_t540 - 0x48) << 0x00000003;
													 *(_t540 - 0x70) =  &(( *(_t540 - 0x70))[1]);
													 *(_t540 - 0x48) =  *(_t540 - 0x48) + 1;
													L15:
													if( *(_t540 - 0x48) < 4) {
														goto L13;
													} else {
														_t473 =  *(_t540 - 0x40);
														if(_t473 ==  *(_t540 - 0x74)) {
															L20:
															 *(_t540 - 0x48) = 5;
															 *( *(_t540 - 8) +  *(_t540 - 0x74) - 1) =  *( *(_t540 - 8) +  *(_t540 - 0x74) - 1) & 0x00000000;
															goto L23;
														} else {
															 *(_t540 - 0x74) = _t473;
															if( *(_t540 - 8) != 0) {
																GlobalFree( *(_t540 - 8));
															}
															_t461 = GlobalAlloc(0x40,  *(_t540 - 0x40)); // executed
															 *(_t540 - 8) = _t461;
															if(_t461 == 0) {
																goto L139;
															} else {
																goto L20;
															}
														}
													}
												}
												goto L140;
											case 2:
												L24:
												_t480 =  *(_t540 - 0x60) &  *(_t540 - 0x1c);
												 *(_t540 - 0x84) = 6;
												 *(_t540 - 0x4c) = _t480;
												_t533 =  *(_t540 - 4) + (( *(_t540 - 0x38) << 4) + _t480) * 2;
												goto L117;
											case 3:
												L21:
												if( *((intOrPtr*)(_t540 - 0x6c)) == 0) {
													 *(_t540 - 0x88) = 3;
													goto L138;
												} else {
													 *((intOrPtr*)(_t540 - 0x6c)) =  *((intOrPtr*)(_t540 - 0x6c)) - 1;
													 *(_t540 - 0x70) =  &(( *(_t540 - 0x70))[1]);
													 *(_t540 - 0xc) =  *(_t540 - 0xc) << 0x00000008 |  *( *(_t540 - 0x70)) & 0x000000ff;
													L23:
													 *(_t540 - 0x48) =  *(_t540 - 0x48) - 1;
													if( *(_t540 - 0x48) != 0) {
														goto L21;
													} else {
														goto L24;
													}
												}
												goto L140;
											case 4:
												L118:
												_t458 =  *_t533;
												_t516 = _t458 & 0x0000ffff;
												_t492 = ( *(_t540 - 0x10) >> 0xb) * _t516;
												if( *(_t540 - 0xc) >= _t492) {
													 *(_t540 - 0x10) =  *(_t540 - 0x10) - _t492;
													 *(_t540 - 0xc) =  *(_t540 - 0xc) - _t492;
													 *(_t540 - 0x40) = 1;
													 *_t533 = _t458 - (_t458 >> 5);
												} else {
													 *(_t540 - 0x10) = _t492;
													 *(_t540 - 0x40) =  *(_t540 - 0x40) & 0x00000000;
													 *_t533 = (0x800 - _t516 >> 5) + _t458;
												}
												goto L121;
											case 5:
												goto L122;
											case 6:
												__edx = 0;
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *((intOrPtr*)(__ebp - 0x84)) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													goto L117;
												} else {
													__eax =  *(__ebp - 0x5c) & 0x000000ff;
													__esi =  *(__ebp - 0x60);
													__cl = 8;
													__cl = 8 -  *(__ebp - 0x3c);
													__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
													__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
													__ecx =  *(__ebp - 0x3c);
													__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
													__ecx =  *(__ebp - 4);
													(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
													(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9 = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
													 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
													if( *(__ebp - 0x38) >= 4) {
														if( *(__ebp - 0x38) >= 0xa) {
															 *(__ebp - 0x38) =  *(__ebp - 0x38) - 6;
														} else {
															 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
														}
													} else {
														 *(__ebp - 0x38) = 0;
													}
													if( *(__ebp - 0x34) == __edx) {
														__ebx = 0;
														__ebx = 1;
														do {
															__eax =  *(__ebp - 0x58);
															__edx = __ebx + __ebx;
															__ecx =  *(__ebp - 0x10);
															__esi = __edx + __eax;
															__ecx =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edi = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																_t217 = __edx + 1; // 0x1
																__ebx = _t217;
																__cx = __ax >> 5;
																__eax = __eax - __ecx;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edi;
																0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																goto L59;
															} else {
																if( *((intOrPtr*)(__ebp - 0x6c)) == 0) {
																	 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
																	goto L138;
																} else {
																	__ecx =  *(__ebp - 0x70);
																	__eax =  *(__ebp - 0xc);
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																	__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *((intOrPtr*)(__ebp - 0x6c)) =  *((intOrPtr*)(__ebp - 0x6c)) - 1;
																	 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *(__ebp - 0x70) =  *(__ebp - 0x70) + 1;
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	goto L59;
																}
															}
															goto L140;
															L59:
														} while (__ebx < 0x100);
														goto L55;
													} else {
														__eax =  *(__ebp - 0x14);
														__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
														if(__eax >=  *(__ebp - 0x74)) {
															__eax = __eax +  *(__ebp - 0x74);
														}
														__ecx =  *(__ebp - 8);
														__ebx = 0;
														__ebx = 1;
														__al =  *((intOrPtr*)(__eax + __ecx));
														 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
														goto L41;
													}
												}
												goto L140;
											case 7:
												goto L0;
											case 8:
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *((intOrPtr*)(__ebp - 0x84)) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c))) * 2;
												}
												goto L117;
											case 9:
												if( *(__ebp - 0x40) != 0) {
													goto L87;
												} else {
													if( *(__ebp - 0x60) == 0) {
														goto L139;
													} else {
														0 = 0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000;
														__eax = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
														 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
														if( *((intOrPtr*)(__ebp - 0x64)) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
															goto L138;
														} else {
															__eax =  *(__ebp - 0x14);
															__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
															if(__eax >=  *(__ebp - 0x74)) {
																__eax = __eax +  *(__ebp - 0x74);
															}
															__edx =  *(__ebp - 8);
															__cl =  *(__eax + __edx);
															__eax =  *(__ebp - 0x14);
															 *(__ebp - 0x5c) = __cl;
															 *(__eax + __edx) = __cl;
															__eax = __eax + 1;
															__edx = 0;
															_t274 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t274;
															__eax =  *(__ebp - 0x68);
															 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															 *((intOrPtr*)(__ebp - 0x64)) =  *((intOrPtr*)(__ebp - 0x64)) - 1;
															 *( *(__ebp - 0x68)) = __cl;
															goto L77;
														}
													}
												}
												goto L140;
											case 0xa:
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L117:
														 *((intOrPtr*)(_t540 - 0x54)) = _t533;
														goto L118;
													}
												} else {
													__eax =  *(__ebp - 0x28);
													goto L86;
												}
												while(1) {
													L117:
													 *((intOrPtr*)(_t540 - 0x54)) = _t533;
													goto L118;
												}
											case 0xb:
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L86:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L87:
												__eax =  *(__ebp - 4);
												 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												L67:
												_t533 =  *((intOrPtr*)(_t540 - 0x58));
												 *(_t540 - 0x84) = 0x12;
												while(1) {
													L117:
													 *((intOrPtr*)(_t540 - 0x54)) = _t533;
													goto L118;
												}
											case 0xc:
												L88:
												while( *((intOrPtr*)(__ebp - 0x6c)) != 0) {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *((intOrPtr*)(__ebp - 0x6c)) =  *((intOrPtr*)(__ebp - 0x6c)) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x70) =  *(__ebp - 0x70) + 1;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													__eax =  *(__ebp - 0x2c);
													while(1) {
														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
														if( *(__ebp - 0x48) <= 0) {
															break;
														}
														__ecx =  *(__ebp - 0xc);
														__ebx = __ebx + __ebx;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
															__ecx =  *(__ebp - 0x10);
															 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
															__ebx = __ebx | 0x00000001;
															 *(__ebp - 0x44) = __ebx;
														}
														if( *(__ebp - 0x10) >= 0x1000000) {
															continue;
														} else {
															goto L88;
														}
														goto L140;
													}
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													while(1) {
														__eax =  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															break;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														if( *(__ebp - 0x10) >= 0x1000000) {
															L100:
															 *(__ebp - 0x48) =  *(__ebp - 0x48) + 1;
															continue;
														} else {
															if( *((intOrPtr*)(__ebp - 0x6c)) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *((intOrPtr*)(__ebp - 0x6c)) =  *((intOrPtr*)(__ebp - 0x6c)) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x70) =  *(__ebp - 0x70) + 1;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																goto L100;
															}
														}
														goto L140;
													}
													 *(__ebp - 0x2c) =  *(__ebp - 0x2c) + __ebx;
													 *(__ebp - 0x2c) =  *(__ebp - 0x2c) + 1;
													__eax =  *(__ebp - 0x2c);
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L138;
													} else {
														if(__eax >  *(__ebp - 0x60)) {
															goto L139;
														} else {
															 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
															__eax =  *(__ebp - 0x30);
															 *(__ebp - 0x60) =  *(__ebp - 0x60) +  *(__ebp - 0x30);
															while( *((intOrPtr*)(__ebp - 0x64)) != 0) {
																__eax =  *(__ebp - 0x14);
																__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
																if(__eax >=  *(__ebp - 0x74)) {
																	__eax = __eax +  *(__ebp - 0x74);
																}
																__edx =  *(__ebp - 8);
																__cl =  *(__eax + __edx);
																__eax =  *(__ebp - 0x14);
																 *(__ebp - 0x5c) = __cl;
																 *(__eax + __edx) = __cl;
																__eax = __eax + 1;
																__edx = 0;
																_t395 = __eax %  *(__ebp - 0x74);
																__eax = __eax /  *(__ebp - 0x74);
																__edx = _t395;
																__eax =  *(__ebp - 0x68);
																 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																 *((intOrPtr*)(__ebp - 0x64)) =  *((intOrPtr*)(__ebp - 0x64)) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																 *( *(__ebp - 0x68)) = __cl;
																 *(__ebp - 0x14) = _t395;
																if( *(__ebp - 0x30) > 0) {
																	continue;
																} else {
																	goto L78;
																}
																goto L140;
															}
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
															goto L138;
														}
													}
													goto L140;
												}
												 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
												goto L138;
											case 0xd:
												L37:
												if( *((intOrPtr*)(__ebp - 0x6c)) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
													goto L138;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *((intOrPtr*)(__ebp - 0x6c)) =  *((intOrPtr*)(__ebp - 0x6c)) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x70) =  *(__ebp - 0x70) + 1;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													L39:
													__eax =  *(__ebp - 0x40);
													if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
														while(__ebx < 0x100) {
															__eax =  *(__ebp - 0x58);
															__edx = __ebx + __ebx;
															__ecx =  *(__ebp - 0x10);
															__esi = __edx + __eax;
															__ecx =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edi = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																_t170 = __edx + 1; // 0x1
																__ebx = _t170;
																__cx = __ax >> 5;
																__eax = __eax - __ecx;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edi;
																0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																continue;
															} else {
																if( *((intOrPtr*)(__ebp - 0x6c)) == 0) {
																	 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
																	goto L138;
																} else {
																	__ecx =  *(__ebp - 0x70);
																	__eax =  *(__ebp - 0xc);
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																	__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *((intOrPtr*)(__ebp - 0x6c)) =  *((intOrPtr*)(__ebp - 0x6c)) - 1;
																	 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *(__ebp - 0x70) =  *(__ebp - 0x70) + 1;
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	continue;
																}
															}
															goto L140;
														}
														goto L54;
													} else {
														if(__ebx >= 0x100) {
															L54:
															 *(__ebp - 0x34) =  *(__ebp - 0x34) & 0x00000000;
															L55:
															__al =  *(__ebp - 0x44);
															 *(__ebp - 0x5c) =  *(__ebp - 0x44);
															if( *((intOrPtr*)(__ebp - 0x64)) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x68);
																__al =  *(__ebp - 0x5c);
																__edx =  *(__ebp - 8);
																 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
																 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																 *((intOrPtr*)(__ebp - 0x64)) =  *((intOrPtr*)(__ebp - 0x64)) - 1;
																 *( *(__ebp - 0x68)) = __al;
																__ecx =  *(__ebp - 0x14);
																 *(__ecx +  *(__ebp - 8)) = __al;
																__eax = __ecx + 1;
																__edx = 0;
																_t192 = __eax %  *(__ebp - 0x74);
																__eax = __eax /  *(__ebp - 0x74);
																__edx = _t192;
																L77:
																 *(__ebp - 0x14) = __edx;
																L78:
																 *((intOrPtr*)(__ebp - 0x88)) = 2;
																goto L1;
															}
														} else {
															L41:
															__eax =  *(__ebp - 0x5b) & 0x000000ff;
															 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
															__ecx =  *(__ebp - 0x58);
															__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
															 *(__ebp - 0x48) = __eax;
															__eax = __eax + 1;
															__eax = __eax << 8;
															__eax = __eax + __ebx;
															__esi =  *(__ebp - 0x58) + __eax * 2;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edx = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																 *(__ebp - 0x40) = 1;
																__cx = __ax >> 5;
																__eax = __eax - __ecx;
																__ebx = __ebx + __ebx + 1;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edx;
																0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																goto L39;
															} else {
																goto L37;
															}
														}
													}
												}
												goto L140;
										}
									}
									L139:
									_t462 = _t461 | 0xffffffff;
								} else {
									L122:
									if( *((intOrPtr*)(_t540 - 0x6c)) == 0) {
										 *(_t540 - 0x88) = 5;
										L138:
										_t495 = 0x22;
										memcpy( *(_t540 - 0x90), _t540 - 0x88, _t495 << 2);
										_t462 = 0;
									} else {
										 *(_t540 - 0x10) =  *(_t540 - 0x10) << 8;
										 *((intOrPtr*)(_t540 - 0x6c)) =  *((intOrPtr*)(_t540 - 0x6c)) - 1;
										 *(_t540 - 0x70) =  &(( *(_t540 - 0x70))[1]);
										 *(_t540 - 0xc) =  *(_t540 - 0xc) << 0x00000008 |  *( *(_t540 - 0x70)) & 0x000000ff;
										goto L124;
									}
								}
								L140:
								return _t462;
							}
						}
					}
					L117:
					 *((intOrPtr*)(_t540 - 0x54)) = _t533;
					goto L118;
				}
			}

0x00000000
0x004069c4
0x004069c4
0x004069c8
0x004069e9
0x004069f0
0x004069f6
0x004069fc
0x00406a0e
0x00406a19
0x00000000
0x004069ca
0x004069d0
0x00406d91
0x00406d91
0x00406d91
0x00406d94
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406dd9
0x00406de0
0x00406e07
0x00406e07
0x00406e0d
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00000000
0x00000000
0x00000000
0x00000000
0x00406725
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x00406751
0x00406758
0x0040675b
0x00406766
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x00406780
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00406a75
0x00000000
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a8b
0x00406a8e
0x00406a92
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00000000
0x00406bc9
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c13
0x00406c13
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce7
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cf1
0x00406cf4
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d12
0x00406d1c
0x00406d1f
0x00406d25
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e9
0x0040689c
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00406de2
0x00406de2
0x00406de6
0x00406f95
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00000000
0x00406e04
0x00406de6
0x00406fc3
0x00406fc7
0x00406fc7
0x00406d94
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ce5af891e87e3449ce1a2b8efcbaa2a3983e7e126d00aa5b1ca20c5284b7a8
Instruction ID: 20aa67b2f9945943e29b5428d9247f38e2249d0fc5fe98f3e4ff2a84f3334865
Opcode Fuzzy Hash: f6ce5af891e87e3449ce1a2b8efcbaa2a3983e7e126d00aa5b1ca20c5284b7a8
Instruction Fuzzy Hash: 17712271E00229DBDF24CFA8C8447ADBBB1FF44305F15846AE856BB280C7395996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406AE2 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406AE2(void* __ebx) {
				unsigned short _t449;
				signed int _t450;
				void _t451;
				signed int _t452;
				signed int _t453;
				signed int _t484;
				signed int _t487;
				signed int _t508;
				signed int* _t525;
				void* _t532;

				L0:
				while(1) {
					L0:
					if( *(_t532 - 0x40) != 0) {
						 *(_t532 - 0x84) = 0xb;
						_t525 =  *(_t532 - 4) + 0x1c8 +  *(_t532 - 0x38) * 2;
					} else {
						__eax =  *(__ebp - 0x28);
						L86:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L87:
						__eax =  *(__ebp - 4);
						 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L68:
						 *((intOrPtr*)(__ebp - 0x84)) = 0x12;
						while(1) {
							L117:
							 *(_t532 - 0x54) = _t525;
							while(1) {
								L118:
								_t449 =  *_t525;
								_t508 = _t449 & 0x0000ffff;
								_t484 = ( *(_t532 - 0x10) >> 0xb) * _t508;
								if( *(_t532 - 0xc) >= _t484) {
									 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t484;
									 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t484;
									 *(_t532 - 0x40) = 1;
									_t450 = _t449 - (_t449 >> 5);
									 *_t525 = _t450;
								} else {
									 *(_t532 - 0x10) = _t484;
									 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
									 *_t525 = (0x800 - _t508 >> 5) + _t449;
								}
								L121:
								if( *(_t532 - 0x10) >= 0x1000000) {
									L124:
									_t451 =  *(_t532 - 0x84);
									 *(_t532 - 0x88) = _t451;
									while(1) {
										L1:
										_t452 =  *(_t532 - 0x88);
										if(_t452 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t452 * 4 +  &M00406FC8))) {
											case 0:
												if( *(_t532 - 0x6c) == 0) {
													goto L138;
												} else {
													 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
													 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
													_t452 =  *( *(_t532 - 0x70));
													if(_t452 > 0xe1) {
														goto L139;
													} else {
														_t456 = _t452 & 0x000000ff;
														_push(0x2d);
														asm("cdq");
														_pop(_t489);
														_push(9);
														_pop(_t490);
														_t528 = _t456 / _t489;
														_t458 = _t456 % _t489 & 0x000000ff;
														asm("cdq");
														_t523 = _t458 % _t490 & 0x000000ff;
														 *(_t532 - 0x3c) = _t523;
														 *(_t532 - 0x1c) = (1 << _t528) - 1;
														 *((intOrPtr*)(_t532 - 0x18)) = (1 << _t458 / _t490) - 1;
														_t531 = (0x300 << _t523 + _t528) + 0x736;
														if(0x600 ==  *((intOrPtr*)(_t532 - 0x78))) {
															L10:
															if(_t531 != 0) {
																do {
																	_t531 = _t531 - 1;
																	 *((short*)( *(_t532 - 4) + _t531 * 2)) = 0x400;
																} while (_t531 != 0);
															}
															 *(_t532 - 0x48) =  *(_t532 - 0x48) & 0x00000000;
															 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
															goto L15;
														} else {
															if( *(_t532 - 4) != 0) {
																GlobalFree( *(_t532 - 4));
															}
															_t452 = GlobalAlloc(0x40, 0x600); // executed
															 *(_t532 - 4) = _t452;
															if(_t452 == 0) {
																goto L139;
															} else {
																 *((intOrPtr*)(_t532 - 0x78)) = 0x600;
																goto L10;
															}
														}
													}
												}
												goto L140;
											case 1:
												L13:
												__eflags =  *(_t532 - 0x6c);
												if( *(_t532 - 0x6c) == 0) {
													 *(_t532 - 0x88) = 1;
													goto L138;
												} else {
													 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
													 *(_t532 - 0x40) =  *(_t532 - 0x40) | ( *( *(_t532 - 0x70)) & 0x000000ff) <<  *(_t532 - 0x48) << 0x00000003;
													 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
													_t45 = _t532 - 0x48;
													 *_t45 =  *(_t532 - 0x48) + 1;
													__eflags =  *_t45;
													L15:
													if( *(_t532 - 0x48) < 4) {
														goto L13;
													} else {
														_t464 =  *(_t532 - 0x40);
														if(_t464 ==  *(_t532 - 0x74)) {
															L20:
															 *(_t532 - 0x48) = 5;
															 *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) =  *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) & 0x00000000;
															goto L23;
														} else {
															 *(_t532 - 0x74) = _t464;
															if( *(_t532 - 8) != 0) {
																GlobalFree( *(_t532 - 8));
															}
															_t452 = GlobalAlloc(0x40,  *(_t532 - 0x40)); // executed
															 *(_t532 - 8) = _t452;
															if(_t452 == 0) {
																goto L139;
															} else {
																goto L20;
															}
														}
													}
												}
												goto L140;
											case 2:
												L24:
												_t471 =  *(_t532 - 0x60) &  *(_t532 - 0x1c);
												 *(_t532 - 0x84) = 6;
												 *(_t532 - 0x4c) = _t471;
												_t525 =  *(_t532 - 4) + (( *(_t532 - 0x38) << 4) + _t471) * 2;
												goto L117;
											case 3:
												L21:
												__eflags =  *(_t532 - 0x6c);
												if( *(_t532 - 0x6c) == 0) {
													 *(_t532 - 0x88) = 3;
													goto L138;
												} else {
													 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
													_t67 = _t532 - 0x70;
													 *_t67 =  &(( *(_t532 - 0x70))[1]);
													__eflags =  *_t67;
													 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
													L23:
													 *(_t532 - 0x48) =  *(_t532 - 0x48) - 1;
													if( *(_t532 - 0x48) != 0) {
														goto L21;
													} else {
														goto L24;
													}
												}
												goto L140;
											case 4:
												L118:
												_t449 =  *_t525;
												_t508 = _t449 & 0x0000ffff;
												_t484 = ( *(_t532 - 0x10) >> 0xb) * _t508;
												if( *(_t532 - 0xc) >= _t484) {
													 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t484;
													 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t484;
													 *(_t532 - 0x40) = 1;
													_t450 = _t449 - (_t449 >> 5);
													 *_t525 = _t450;
												} else {
													 *(_t532 - 0x10) = _t484;
													 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
													 *_t525 = (0x800 - _t508 >> 5) + _t449;
												}
												goto L121;
											case 5:
												goto L122;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *((intOrPtr*)(__ebp - 0x84)) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													goto L117;
												} else {
													__eax =  *(__ebp - 0x5c) & 0x000000ff;
													__esi =  *(__ebp - 0x60);
													__cl = 8;
													__cl = 8 -  *(__ebp - 0x3c);
													__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
													__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
													__ecx =  *(__ebp - 0x3c);
													__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
													__ecx =  *(__ebp - 4);
													(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
													__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
													__eflags =  *(__ebp - 0x38) - 4;
													__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
													 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
													if( *(__ebp - 0x38) >= 4) {
														__eflags =  *(__ebp - 0x38) - 0xa;
														if( *(__ebp - 0x38) >= 0xa) {
															_t98 = __ebp - 0x38;
															 *_t98 =  *(__ebp - 0x38) - 6;
															__eflags =  *_t98;
														} else {
															 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
														}
													} else {
														 *(__ebp - 0x38) = 0;
													}
													__eflags =  *(__ebp - 0x34) - __edx;
													if( *(__ebp - 0x34) == __edx) {
														__ebx = 0;
														__ebx = 1;
														do {
															__eax =  *(__ebp - 0x58);
															__edx = __ebx + __ebx;
															__ecx =  *(__ebp - 0x10);
															__esi = __edx + __eax;
															__ecx =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edi = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
															__eflags =  *(__ebp - 0xc) - __ecx;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																_t217 = __edx + 1; // 0x1
																__ebx = _t217;
																__cx = __ax >> 5;
																__eflags = __eax;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edi;
																0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															__eflags =  *(__ebp - 0x10) - 0x1000000;
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																goto L59;
															} else {
																__eflags =  *(__ebp - 0x6c);
																if( *(__ebp - 0x6c) == 0) {
																	 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
																	goto L138;
																} else {
																	__ecx =  *(__ebp - 0x70);
																	__eax =  *(__ebp - 0xc);
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																	__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																	 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	_t203 = __ebp - 0x70;
																	 *_t203 =  *(__ebp - 0x70) + 1;
																	__eflags =  *_t203;
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	goto L59;
																}
															}
															goto L140;
															L59:
															__eflags = __ebx - 0x100;
														} while (__ebx < 0x100);
														goto L55;
													} else {
														__eax =  *(__ebp - 0x14);
														__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
														__eflags = __eax -  *(__ebp - 0x74);
														if(__eax >=  *(__ebp - 0x74)) {
															__eax = __eax +  *(__ebp - 0x74);
															__eflags = __eax;
														}
														__ecx =  *(__ebp - 8);
														__ebx = 0;
														__ebx = 1;
														__al =  *((intOrPtr*)(__eax + __ecx));
														 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
														goto L41;
													}
												}
												goto L140;
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L68;
												} else {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *((intOrPtr*)(__ebp - 0x84)) = 8;
													__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
													while(1) {
														L117:
														 *(_t532 - 0x54) = _t525;
														goto L118;
													}
												}
												while(1) {
													L117:
													 *(_t532 - 0x54) = _t525;
													goto L118;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *((intOrPtr*)(__ebp - 0x84)) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c))) * 2;
												}
												while(1) {
													L117:
													 *(_t532 - 0x54) = _t525;
													goto L118;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L87;
												} else {
													__eflags =  *(__ebp - 0x60);
													if( *(__ebp - 0x60) == 0) {
														goto L139;
													} else {
														__eax = 0;
														__eflags =  *(__ebp - 0x38) - 7;
														0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
														 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
														__eflags =  *(__ebp - 0x64);
														if( *(__ebp - 0x64) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
															goto L138;
														} else {
															__eax =  *(__ebp - 0x14);
															__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
															__eflags = __eax -  *(__ebp - 0x74);
															if(__eax >=  *(__ebp - 0x74)) {
																__eax = __eax +  *(__ebp - 0x74);
																__eflags = __eax;
															}
															__edx =  *(__ebp - 8);
															__cl =  *(__eax + __edx);
															__eax =  *(__ebp - 0x14);
															 *(__ebp - 0x5c) = __cl;
															 *(__eax + __edx) = __cl;
															__eax = __eax + 1;
															__edx = 0;
															_t275 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t275;
															__eax =  *(__ebp - 0x68);
															 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															_t284 = __ebp - 0x64;
															 *_t284 =  *(__ebp - 0x64) - 1;
															__eflags =  *_t284;
															 *( *(__ebp - 0x68)) = __cl;
															goto L78;
														}
													}
												}
												goto L140;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L86;
											case 0xc:
												while(1) {
													L88:
													__eflags =  *(__ebp - 0x6c);
													if( *(__ebp - 0x6c) == 0) {
														break;
													}
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t315 = __ebp - 0x70;
													 *_t315 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t315;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													__eax =  *(__ebp - 0x2c);
													while(1) {
														_t319 = __ebp - 0x48;
														 *_t319 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t319;
														__eflags =  *(__ebp - 0x48);
														if( *(__ebp - 0x48) <= 0) {
															break;
														}
														__ecx =  *(__ebp - 0xc);
														__ebx = __ebx + __ebx;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
														__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
															__ecx =  *(__ebp - 0x10);
															 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
															__ebx = __ebx | 0x00000001;
															__eflags = __ebx;
															 *(__ebp - 0x44) = __ebx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															continue;
														} else {
															goto L88;
														}
														goto L140;
													}
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													while(1) {
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															break;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L100:
															_t349 = __ebp - 0x48;
															 *_t349 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t349;
															continue;
														} else {
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																_t346 = __ebp - 0x70;
																 *_t346 =  *(__ebp - 0x70) + 1;
																__eflags =  *_t346;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																goto L100;
															}
														}
														goto L140;
													}
													_t372 = __ebp - 0x2c;
													 *_t372 =  *(__ebp - 0x2c) + __ebx;
													__eflags =  *_t372;
													_t374 = __ebp - 0x2c;
													 *_t374 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t374;
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L138;
													} else {
														__eflags = __eax -  *(__ebp - 0x60);
														if(__eax >  *(__ebp - 0x60)) {
															goto L139;
														} else {
															 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
															__eax =  *(__ebp - 0x30);
															_t381 = __ebp - 0x60;
															 *_t381 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
															__eflags =  *_t381;
															while(1) {
																__eflags =  *(__ebp - 0x64);
																if( *(__ebp - 0x64) == 0) {
																	break;
																}
																__eax =  *(__ebp - 0x14);
																__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
																__eflags = __eax -  *(__ebp - 0x74);
																if(__eax >=  *(__ebp - 0x74)) {
																	__eax = __eax +  *(__ebp - 0x74);
																	__eflags = __eax;
																}
																__edx =  *(__ebp - 8);
																__cl =  *(__eax + __edx);
																__eax =  *(__ebp - 0x14);
																 *(__ebp - 0x5c) = __cl;
																 *(__eax + __edx) = __cl;
																__eax = __eax + 1;
																__edx = 0;
																_t395 = __eax %  *(__ebp - 0x74);
																__eax = __eax /  *(__ebp - 0x74);
																__edx = _t395;
																__eax =  *(__ebp - 0x68);
																 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																__eflags =  *(__ebp - 0x30);
																 *( *(__ebp - 0x68)) = __cl;
																 *(__ebp - 0x14) = _t395;
																if( *(__ebp - 0x30) > 0) {
																	continue;
																} else {
																	goto L79;
																}
																goto L140;
															}
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
															goto L138;
														}
													}
													goto L140;
												}
												 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
												goto L138;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
													goto L138;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t122 = __ebp - 0x70;
													 *_t122 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t122;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													L39:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
														while(1) {
															__eflags = __ebx - 0x100;
															if(__ebx >= 0x100) {
																goto L54;
															}
															__eax =  *(__ebp - 0x58);
															__edx = __ebx + __ebx;
															__ecx =  *(__ebp - 0x10);
															__esi = __edx + __eax;
															__ecx =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edi = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
															__eflags =  *(__ebp - 0xc) - __ecx;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																_t170 = __edx + 1; // 0x1
																__ebx = _t170;
																__cx = __ax >> 5;
																__eflags = __eax;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edi;
																0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															__eflags =  *(__ebp - 0x10) - 0x1000000;
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																continue;
															} else {
																__eflags =  *(__ebp - 0x6c);
																if( *(__ebp - 0x6c) == 0) {
																	 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
																	goto L138;
																} else {
																	__ecx =  *(__ebp - 0x70);
																	__eax =  *(__ebp - 0xc);
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																	__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																	 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	_t156 = __ebp - 0x70;
																	 *_t156 =  *(__ebp - 0x70) + 1;
																	__eflags =  *_t156;
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	continue;
																}
															}
															goto L140;
														}
														goto L54;
													} else {
														__eflags = __ebx - 0x100;
														if(__ebx >= 0x100) {
															L54:
															_t173 = __ebp - 0x34;
															 *_t173 =  *(__ebp - 0x34) & 0x00000000;
															__eflags =  *_t173;
															L55:
															__al =  *(__ebp - 0x44);
															 *(__ebp - 0x5c) =  *(__ebp - 0x44);
															__eflags =  *(__ebp - 0x64);
															if( *(__ebp - 0x64) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x68);
																__al =  *(__ebp - 0x5c);
																__edx =  *(__ebp - 8);
																 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
																 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
																 *( *(__ebp - 0x68)) = __al;
																__ecx =  *(__ebp - 0x14);
																 *(__ecx +  *(__ebp - 8)) = __al;
																__eax = __ecx + 1;
																__edx = 0;
																_t192 = __eax %  *(__ebp - 0x74);
																__eax = __eax /  *(__ebp - 0x74);
																__edx = _t192;
																L78:
																 *(__ebp - 0x14) = __edx;
																L79:
																 *((intOrPtr*)(__ebp - 0x88)) = 2;
																goto L1;
															}
														} else {
															L41:
															__eax =  *(__ebp - 0x5b) & 0x000000ff;
															 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
															__ecx =  *(__ebp - 0x58);
															__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
															 *(__ebp - 0x48) = __eax;
															__eax = __eax + 1;
															__eax = __eax << 8;
															__eax = __eax + __ebx;
															__esi =  *(__ebp - 0x58) + __eax * 2;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edx = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
															__eflags =  *(__ebp - 0xc) - __ecx;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																 *(__ebp - 0x40) = 1;
																__cx = __ax >> 5;
																__eflags = __eax;
																__ebx = __ebx + __ebx + 1;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edx;
																0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															__eflags =  *(__ebp - 0x10) - 0x1000000;
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																goto L39;
															} else {
																goto L37;
															}
														}
													}
												}
												goto L140;
										}
									}
									L139:
									_t453 = _t452 | 0xffffffff;
								} else {
									L122:
									if( *(_t532 - 0x6c) == 0) {
										 *(_t532 - 0x88) = 5;
										L138:
										_t487 = 0x22;
										memcpy( *(_t532 - 0x90), _t532 - 0x88, _t487 << 2);
										_t453 = 0;
									} else {
										 *(_t532 - 0x10) =  *(_t532 - 0x10) << 8;
										 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
										 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
										 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
										goto L124;
									}
								}
								L140:
								return _t453;
							}
						}
					}
					L117:
					 *(_t532 - 0x54) = _t525;
					goto L118;
				}
			}

0x00000000
0x00406ae2
0x00406ae2
0x00406ae6
0x00406af3
0x00406afd
0x00406ae8
0x00406ae8
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00406d91
0x00406d94
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406dd9
0x00406de0
0x00406e07
0x00406e07
0x00406e0d
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00000000
0x00000000
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00406d91
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00406a7b
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00406de2
0x00406de2
0x00406de6
0x00406f95
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00000000
0x00406e04
0x00406de6
0x00406fc3
0x00406fc7
0x00406fc7
0x00406d94
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cda32c1d2df7732f9a33e0b4945691d5d8bf2b32cd6aa3e273add15dd404c12
Instruction ID: 361238ff60de6b05a878e60f6b30513898442098bea6392746699c597b8ff52c
Opcode Fuzzy Hash: 8cda32c1d2df7732f9a33e0b4945691d5d8bf2b32cd6aa3e273add15dd404c12
Instruction Fuzzy Hash: 53713371E00229DBDF28CF98C844BADBBB1FF44305F15846AE816BB280CB795996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406A2E(void* __ebx) {
				unsigned short _t449;
				signed int _t450;
				void _t451;
				signed int _t452;
				signed int _t453;
				signed int _t484;
				signed int _t487;
				signed int _t508;
				signed int* _t525;
				void* _t532;

				L0:
				while(1) {
					L0:
					if( *(_t532 - 0x40) != 0) {
						 *(_t532 - 0x84) = 0xa;
						_t525 =  *(_t532 - 4) + 0x1b0 +  *(_t532 - 0x38) * 2;
					} else {
						 *((intOrPtr*)(__ebp - 0x84)) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
					}
					while(1) {
						L117:
						 *(_t532 - 0x54) = _t525;
						while(1) {
							L118:
							_t449 =  *_t525;
							_t508 = _t449 & 0x0000ffff;
							_t484 = ( *(_t532 - 0x10) >> 0xb) * _t508;
							if( *(_t532 - 0xc) >= _t484) {
								 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t484;
								 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t484;
								 *(_t532 - 0x40) = 1;
								_t450 = _t449 - (_t449 >> 5);
								 *_t525 = _t450;
							} else {
								 *(_t532 - 0x10) = _t484;
								 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
								 *_t525 = (0x800 - _t508 >> 5) + _t449;
							}
							L121:
							if( *(_t532 - 0x10) >= 0x1000000) {
								L124:
								_t451 =  *(_t532 - 0x84);
								 *(_t532 - 0x88) = _t451;
								while(1) {
									L1:
									_t452 =  *(_t532 - 0x88);
									if(_t452 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t452 * 4 +  &M00406FC8))) {
										case 0:
											if( *(_t532 - 0x6c) == 0) {
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
												_t452 =  *( *(_t532 - 0x70));
												if(_t452 > 0xe1) {
													goto L139;
												} else {
													_t456 = _t452 & 0x000000ff;
													_push(0x2d);
													asm("cdq");
													_pop(_t489);
													_push(9);
													_pop(_t490);
													_t528 = _t456 / _t489;
													_t458 = _t456 % _t489 & 0x000000ff;
													asm("cdq");
													_t523 = _t458 % _t490 & 0x000000ff;
													 *(_t532 - 0x3c) = _t523;
													 *(_t532 - 0x1c) = (1 << _t528) - 1;
													 *((intOrPtr*)(_t532 - 0x18)) = (1 << _t458 / _t490) - 1;
													_t531 = (0x300 << _t523 + _t528) + 0x736;
													if(0x600 ==  *((intOrPtr*)(_t532 - 0x78))) {
														L10:
														if(_t531 != 0) {
															do {
																_t531 = _t531 - 1;
																 *((short*)( *(_t532 - 4) + _t531 * 2)) = 0x400;
															} while (_t531 != 0);
														}
														 *(_t532 - 0x48) =  *(_t532 - 0x48) & 0x00000000;
														 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
														goto L15;
													} else {
														if( *(_t532 - 4) != 0) {
															GlobalFree( *(_t532 - 4));
														}
														_t452 = GlobalAlloc(0x40, 0x600); // executed
														 *(_t532 - 4) = _t452;
														if(_t452 == 0) {
															goto L139;
														} else {
															 *((intOrPtr*)(_t532 - 0x78)) = 0x600;
															goto L10;
														}
													}
												}
											}
											goto L140;
										case 1:
											L13:
											__eflags =  *(_t532 - 0x6c);
											if( *(_t532 - 0x6c) == 0) {
												 *(_t532 - 0x88) = 1;
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												 *(_t532 - 0x40) =  *(_t532 - 0x40) | ( *( *(_t532 - 0x70)) & 0x000000ff) <<  *(_t532 - 0x48) << 0x00000003;
												 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
												_t45 = _t532 - 0x48;
												 *_t45 =  *(_t532 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t532 - 0x48) < 4) {
													goto L13;
												} else {
													_t464 =  *(_t532 - 0x40);
													if(_t464 ==  *(_t532 - 0x74)) {
														L20:
														 *(_t532 - 0x48) = 5;
														 *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) =  *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) & 0x00000000;
														goto L23;
													} else {
														 *(_t532 - 0x74) = _t464;
														if( *(_t532 - 8) != 0) {
															GlobalFree( *(_t532 - 8));
														}
														_t452 = GlobalAlloc(0x40,  *(_t532 - 0x40)); // executed
														 *(_t532 - 8) = _t452;
														if(_t452 == 0) {
															goto L139;
														} else {
															goto L20;
														}
													}
												}
											}
											goto L140;
										case 2:
											L24:
											_t471 =  *(_t532 - 0x60) &  *(_t532 - 0x1c);
											 *(_t532 - 0x84) = 6;
											 *(_t532 - 0x4c) = _t471;
											_t525 =  *(_t532 - 4) + (( *(_t532 - 0x38) << 4) + _t471) * 2;
											goto L117;
										case 3:
											L21:
											__eflags =  *(_t532 - 0x6c);
											if( *(_t532 - 0x6c) == 0) {
												 *(_t532 - 0x88) = 3;
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												_t67 = _t532 - 0x70;
												 *_t67 =  &(( *(_t532 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
												L23:
												 *(_t532 - 0x48) =  *(_t532 - 0x48) - 1;
												if( *(_t532 - 0x48) != 0) {
													goto L21;
												} else {
													goto L24;
												}
											}
											goto L140;
										case 4:
											L118:
											_t449 =  *_t525;
											_t508 = _t449 & 0x0000ffff;
											_t484 = ( *(_t532 - 0x10) >> 0xb) * _t508;
											if( *(_t532 - 0xc) >= _t484) {
												 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t484;
												 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t484;
												 *(_t532 - 0x40) = 1;
												_t450 = _t449 - (_t449 >> 5);
												 *_t525 = _t450;
											} else {
												 *(_t532 - 0x10) = _t484;
												 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
												 *_t525 = (0x800 - _t508 >> 5) + _t449;
											}
											goto L121;
										case 5:
											goto L122;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *((intOrPtr*)(__ebp - 0x84)) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L117;
											} else {
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													do {
														__eax =  *(__ebp - 0x58);
														__edx = __ebx + __ebx;
														__ecx =  *(__ebp - 0x10);
														__esi = __edx + __eax;
														__ecx =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edi = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															_t217 = __edx + 1; // 0x1
															__ebx = _t217;
															__cx = __ax >> 5;
															__eflags = __eax;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edi;
															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															goto L59;
														} else {
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																_t203 = __ebp - 0x70;
																 *_t203 =  *(__ebp - 0x70) + 1;
																__eflags =  *_t203;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																goto L59;
															}
														}
														goto L140;
														L59:
														__eflags = __ebx - 0x100;
													} while (__ebx < 0x100);
													goto L55;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											}
											goto L140;
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L68;
											} else {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *((intOrPtr*)(__ebp - 0x84)) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L117:
													 *(_t532 - 0x54) = _t525;
													goto L118;
												}
											}
											L117:
											 *(_t532 - 0x54) = _t525;
											goto L118;
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L87;
											} else {
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L139;
												} else {
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
													 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
														goto L138;
													} else {
														__eax =  *(__ebp - 0x14);
														__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
														__eflags = __eax -  *(__ebp - 0x74);
														if(__eax >=  *(__ebp - 0x74)) {
															__eax = __eax +  *(__ebp - 0x74);
															__eflags = __eax;
														}
														__edx =  *(__ebp - 8);
														__cl =  *(__eax + __edx);
														__eax =  *(__ebp - 0x14);
														 *(__ebp - 0x5c) = __cl;
														 *(__eax + __edx) = __cl;
														__eax = __eax + 1;
														__edx = 0;
														_t274 = __eax %  *(__ebp - 0x74);
														__eax = __eax /  *(__ebp - 0x74);
														__edx = _t274;
														__eax =  *(__ebp - 0x68);
														 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
														 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
														_t283 = __ebp - 0x64;
														 *_t283 =  *(__ebp - 0x64) - 1;
														__eflags =  *_t283;
														 *( *(__ebp - 0x68)) = __cl;
														goto L77;
													}
												}
											}
											goto L140;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													L117:
													 *(_t532 - 0x54) = _t525;
													goto L118;
												}
											} else {
												__eax =  *(__ebp - 0x28);
												goto L86;
											}
											while(1) {
												L117:
												 *(_t532 - 0x54) = _t525;
												goto L118;
											}
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L86:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L87:
											__eax =  *(__ebp - 4);
											 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											L68:
											__esi =  *(__ebp - 0x58);
											 *((intOrPtr*)(__ebp - 0x84)) = 0x12;
											while(1) {
												L117:
												 *(_t532 - 0x54) = _t525;
												goto L118;
											}
										case 0xc:
											while(1) {
												L88:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													break;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t315 = __ebp - 0x70;
												 *_t315 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t315;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												while(1) {
													_t319 = __ebp - 0x48;
													 *_t319 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t319;
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														break;
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L88;
													}
													goto L140;
												}
												__eax = __eax + __ebx;
												 *(__ebp - 0x40) = 4;
												 *(__ebp - 0x2c) = __eax;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x644;
												__eflags = __eax;
												__ebx = 0;
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x44) = 0;
												 *(__ebp - 0x48) = 0;
												while(1) {
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														break;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L100:
														_t349 = __ebp - 0x48;
														 *_t349 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t349;
														continue;
													} else {
														__eflags =  *(__ebp - 0x6c);
														if( *(__ebp - 0x6c) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
															goto L138;
														} else {
															__ecx =  *(__ebp - 0x70);
															__eax =  *(__ebp - 0xc);
															 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
															__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
															 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
															 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															_t346 = __ebp - 0x70;
															 *_t346 =  *(__ebp - 0x70) + 1;
															__eflags =  *_t346;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															goto L100;
														}
													}
													goto L140;
												}
												_t372 = __ebp - 0x2c;
												 *_t372 =  *(__ebp - 0x2c) + __ebx;
												__eflags =  *_t372;
												_t374 = __ebp - 0x2c;
												 *_t374 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t374;
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L138;
												} else {
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L139;
													} else {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
														__eax =  *(__ebp - 0x30);
														_t381 = __ebp - 0x60;
														 *_t381 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
														__eflags =  *_t381;
														while(1) {
															__eflags =  *(__ebp - 0x64);
															if( *(__ebp - 0x64) == 0) {
																break;
															}
															__eax =  *(__ebp - 0x14);
															__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
															__eflags = __eax -  *(__ebp - 0x74);
															if(__eax >=  *(__ebp - 0x74)) {
																__eax = __eax +  *(__ebp - 0x74);
																__eflags = __eax;
															}
															__edx =  *(__ebp - 8);
															__cl =  *(__eax + __edx);
															__eax =  *(__ebp - 0x14);
															 *(__ebp - 0x5c) = __cl;
															 *(__eax + __edx) = __cl;
															__eax = __eax + 1;
															__edx = 0;
															_t395 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t395;
															__eax =  *(__ebp - 0x68);
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
															 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
															__eflags =  *(__ebp - 0x30);
															 *( *(__ebp - 0x68)) = __cl;
															 *(__ebp - 0x14) = _t395;
															if( *(__ebp - 0x30) > 0) {
																continue;
															} else {
																goto L78;
															}
															goto L140;
														}
														 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
														goto L138;
													}
												}
												goto L140;
											}
											 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
											goto L138;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
												goto L138;
											} else {
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													while(1) {
														__eflags = __ebx - 0x100;
														if(__ebx >= 0x100) {
															goto L54;
														}
														__eax =  *(__ebp - 0x58);
														__edx = __ebx + __ebx;
														__ecx =  *(__ebp - 0x10);
														__esi = __edx + __eax;
														__ecx =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edi = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															_t170 = __edx + 1; // 0x1
															__ebx = _t170;
															__cx = __ax >> 5;
															__eflags = __eax;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edi;
															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															continue;
														} else {
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																_t156 = __ebp - 0x70;
																 *_t156 =  *(__ebp - 0x70) + 1;
																__eflags =  *_t156;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																continue;
															}
														}
														goto L140;
													}
													goto L54;
												} else {
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														L54:
														_t173 = __ebp - 0x34;
														 *_t173 =  *(__ebp - 0x34) & 0x00000000;
														__eflags =  *_t173;
														L55:
														__al =  *(__ebp - 0x44);
														 *(__ebp - 0x5c) =  *(__ebp - 0x44);
														__eflags =  *(__ebp - 0x64);
														if( *(__ebp - 0x64) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
															goto L138;
														} else {
															__ecx =  *(__ebp - 0x68);
															__al =  *(__ebp - 0x5c);
															__edx =  *(__ebp - 8);
															 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
															 *( *(__ebp - 0x68)) = __al;
															__ecx =  *(__ebp - 0x14);
															 *(__ecx +  *(__ebp - 8)) = __al;
															__eax = __ecx + 1;
															__edx = 0;
															_t192 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t192;
															L77:
															 *(__ebp - 0x14) = __edx;
															L78:
															 *((intOrPtr*)(__ebp - 0x88)) = 2;
															goto L1;
														}
													} else {
														L41:
														__eax =  *(__ebp - 0x5b) & 0x000000ff;
														 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
														__ecx =  *(__ebp - 0x58);
														__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
														 *(__ebp - 0x48) = __eax;
														__eax = __eax + 1;
														__eax = __eax << 8;
														__eax = __eax + __ebx;
														__esi =  *(__ebp - 0x58) + __eax * 2;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edx = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															 *(__ebp - 0x40) = 1;
															__cx = __ax >> 5;
															__eflags = __eax;
															__ebx = __ebx + __ebx + 1;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edx;
															0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															goto L39;
														} else {
															goto L37;
														}
													}
												}
											}
											goto L140;
									}
								}
								L139:
								_t453 = _t452 | 0xffffffff;
							} else {
								L122:
								if( *(_t532 - 0x6c) == 0) {
									 *(_t532 - 0x88) = 5;
									L138:
									_t487 = 0x22;
									memcpy( *(_t532 - 0x90), _t532 - 0x88, _t487 << 2);
									_t453 = 0;
								} else {
									 *(_t532 - 0x10) =  *(_t532 - 0x10) << 8;
									 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
									 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
									 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
									goto L124;
								}
							}
							L140:
							return _t453;
						}
					}
				}
			}

0x00000000
0x00406a2e
0x00406a2e
0x00406a32
0x00406a5b
0x00406a65
0x00406a34
0x00406a3d
0x00406a4a
0x00406a4d
0x00406d91
0x00406d91
0x00406d91
0x00406d94
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406dd9
0x00406de0
0x00406e07
0x00406e07
0x00406e0d
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00000000
0x00000000
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00406a7b
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00406de2
0x00406de2
0x00406de6
0x00406f95
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00000000
0x00406e04
0x00406de6
0x00406fc3
0x00406fc7
0x00406fc7
0x00406d94
0x00406d91

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce01b185a18f77deed043a820b6804b7b2a700fb218066bf9b3b7a05f4b9fc8
Instruction ID: cefc1bbef9c73defef891fc114d0afe65c0266ceafdcaf147cd695a7a928f12c
Opcode Fuzzy Hash: 7ce01b185a18f77deed043a820b6804b7b2a700fb218066bf9b3b7a05f4b9fc8
Instruction Fuzzy Hash: E1715671E00229DBDF28CF98C8447ADBBB1FF44305F15846AD816BB281CB795996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 100027E4 Relevance: 4.7, APIs: 2, Strings: 1, Instructions: 156
memoryCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E100027E4(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t31;
				void* _t32;
				void* _t36;
				void* _t40;
				void* _t49;
				void* _t54;
				void* _t58;
				signed int _t65;
				void* _t70;
				void* _t79;
				intOrPtr _t81;
				signed int _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t92;
				void* _t94;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t106;
				intOrPtr _t107;

				if( *0x10004040 != 0 && E10002765(_a4) == 0) {
					 *0x10004044 = _t106;
					if( *0x1000403c != 0) {
						_t106 =  *0x1000403c;
					} else {
						E10002D20(E1000275F(), __ecx);
						 *0x1000403c = _t106;
					}
				}
				_t31 = E100027A1(_a4);
				_t107 = _t106 + 4;
				if(_t31 <= 0) {
					L9:
					_t32 = E10002795();
					_t81 = _a4;
					_t90 =  *0x10004048;
					 *((intOrPtr*)(_t32 + _t81)) = _t90;
					 *0x10004048 = _t81;
					E1000278F();
					_t36 = VirtualAlloc(??, ??, ??, ??); // executed
					 *0x1000401c = _t36;
					 *0x10004020 = _t90;
					if( *0x10004040 != 0 && E10002765( *0x10004048) == 0) {
						 *0x1000403c = _t107;
						_t107 =  *0x10004044;
					}
					_t91 =  *0x10004048;
					_a4 = _t91;
					 *0x10004048 =  *((intOrPtr*)(E10002795() + _t91));
					_t40 = E10002773(_t91);
					_pop(_t92);
					if(_t40 != 0) {
						_t49 = E100027A1(_t92);
						if(_t49 > 0) {
							_push(_t49);
							_push(E100027AC() + _a4 + _v8);
							_push(E100027B6());
							if( *0x10004040 <= 0 || E10002765(_a4) != 0) {
								_pop(_t101);
								_pop(_t54);
								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t102);
								_pop(_t58);
								 *0x1000403c =  *0x1000403c +  *(_t102 + _t58) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x10004048 == 0) {
						 *0x1000403c = 0;
					}
					_t94 = _a4 + E100027AC();
					 *(E100027BA() + _t94) =  *0x1000401c;
					 *((intOrPtr*)(E100027BE() + _t94)) =  *0x10004020;
					E100027CE(_a4);
					if(E10002781() != 0) {
						 *0x10004058 = GetLastError();
					}
					return _a4;
				}
				_push(E100027AC() + _a4);
				_t65 = E100027B2();
				_v8 = _t65;
				_t88 = _t31;
				_push(_t77 + _t65 * _t88);
				_t79 = E100027BE();
				_t100 = E100027BA();
				_t103 = E100027B6();
				_t70 = _t88;
				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
					_push( *((intOrPtr*)(_t79 + _t70)));
				}
				_push( *((intOrPtr*)(_t100 + _t70)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x100027f4
0x10002805
0x10002812
0x10002826
0x10002814
0x10002819
0x1000281e
0x1000281e
0x10002812
0x1000282f
0x10002834
0x1000283a
0x1000287e
0x1000287e
0x10002883
0x10002888
0x1000288e
0x10002890
0x10002896
0x100028a3
0x100028a5
0x100028aa
0x100028b7
0x100028ca
0x100028d0
0x100028d6
0x100028d7
0x100028dd
0x100028e9
0x100028ef
0x100028f7
0x100028f8
0x100028fb
0x10002906
0x10002908
0x10002914
0x1000291a
0x10002922
0x1000294e
0x1000294f
0x10002955
0x10002955
0x1000295c
0x10002932
0x10002932
0x10002933
0x10002941
0x1000294a
0x1000294a
0x10002922
0x10002906
0x10002965
0x10002967
0x10002967
0x10002979
0x10002986
0x10002994
0x1000299a
0x100029a8
0x100029b0
0x100029b0
0x100029be
0x100029be
0x10002845
0x10002846
0x1000284b
0x1000284f
0x10002854
0x10002868
0x10002869
0x1000286a
0x1000286c
0x10002871
0x10002873
0x10002873
0x10002876
0x1000287c
0x00000000

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 100028A3
GetLastError.KERNEL32 ref: 100029AA

Strings

@Mhv, xrefs: 100029AA

Memory Dump Source

Source File: 00000002.00000002.829318135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.829312318.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829324628.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829330878.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID: @Mhv
API String ID: 497505419-3595611156
Opcode ID: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
Instruction ID: 7088a7f0c219bdfd589eed4d744adbaf06b55c7882bf085a68ef70f7e309f44b
Opcode Fuzzy Hash: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
Instruction Fuzzy Hash: 385194BA908215DFF711EF60D9C575937A8EB443E0F21842AEA08E721DDF34A9818B55

Uniqueness

Uniqueness Score: -1.00%

Function 004024DF Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004024DF(int* __ebx, intOrPtr __edx, char* __esi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				void* _t22;
				char* _t24;
				void* _t26;
				void* _t29;

				_t24 = __esi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402B01(_t29, 0x20019); // executed
				_t22 = _t9;
				_t10 = E00402A9F(3);
				 *((intOrPtr*)(_t26 - 0x3c)) = _t21;
				 *__esi = __ebx;
				if(_t22 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
						_t13 = RegEnumValueA(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyA(_t22, _t10, __esi, 0x3ff); // executed
					}
					_t24[0x3ff] = _t16;
					_push(_t22); // executed
					RegCloseKey(); // executed
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x004024df
0x004024df
0x004024df
0x004024e4
0x004024eb
0x004024ed
0x004024f5
0x004024f8
0x004024fa
0x00402716
0x00402500
0x00402508
0x0040250b
0x00402524
0x0040252a
0x0040252c
0x0040252e
0x0040252e
0x0040250d
0x00402511
0x00402511
0x00402535
0x0040253b
0x0040253c
0x0040253c
0x00402954
0x00402960

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402511
RegEnumValueA.ADVAPI32 ref: 00402524
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,00000000,00000011,00000002), ref: 0040253C

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 48b7f54743d05fe993f7ca0d5b308b8535ceec46d0e8e1fe29002ae7db816acf
Instruction ID: 518a01c90e212b4e6c6a91e55dc37795372a660c14e02f5234546a481bba951e
Opcode Fuzzy Hash: 48b7f54743d05fe993f7ca0d5b308b8535ceec46d0e8e1fe29002ae7db816acf
Instruction Fuzzy Hash: 9901B171A04105AFE7159F69DE9CABF7ABCEF80348F10003EF405A61C0DAB84A419729

Uniqueness

Uniqueness Score: -1.00%

Function 00405CD9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CD9(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405cdd
0x00405ced
0x00405cf5
0x00000000
0x00405cfc
0x00000000
0x00405cfe

APIs

WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0040E0FC,"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph,00403246,"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph,0040E0FC,004138D8,00004000,?,00000000,00403070,00000004), ref: 00405CED

Strings

"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph, xrefs: 00405CD9

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FileWrite
String ID: "numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph
API String ID: 3934441357-208995783
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: e5327eed263ed0cb59b3772f759b7efddda8826228879d6768eb485b7ec61b42
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: CEE0EC3225065AABDF509E95AD08FEB7B6CEF053A0F008837F915E2150D631E821DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405CAA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CAA(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405cae
0x00405cbe
0x00405cc6
0x00000000
0x00405ccd
0x00000000
0x00405ccf

APIs

ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,004138D8,"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph,004032C2,0040A130,0040A130,004031C6,004138D8,00004000,?,00000000,00403070), ref: 00405CBE

Strings

"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph, xrefs: 00405CAA

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FileRead
String ID: "numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph
API String ID: 2738559852-208995783
Opcode ID: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
Instruction ID: 86bb3e2151b1fdd0dbac44507bcf00ea7ca2ece369def3772f3446380bdcc129
Opcode Fuzzy Hash: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
Instruction Fuzzy Hash: DAE08C3220825EABEF109E508C00EEB3B6CFB00361F144432FD10E7040E230E860ABB4

Uniqueness

Uniqueness Score: -1.00%

Function 10002709 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000404c, 4, 0x40, 0x1000403c); // executed
					 *0x1000404c = 0xc2;
					 *0x1000403c = 0;
					 *0x10004044 = 0;
					 *0x10004058 = 0;
					 *0x10004048 = 0;
					 *0x10004040 = 0;
					 *0x10004050 = 0;
					 *0x1000404e = 0;
				}
				return 1;
			}

0x10002712
0x10002717
0x10002727
0x1000272f
0x10002736
0x1000273b
0x10002740
0x10002745
0x1000274a
0x1000274f
0x10002754
0x10002754
0x1000275c

APIs

VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002727

Strings

`ghv@Mhv, xrefs: 10002727

Memory Dump Source

Source File: 00000002.00000002.829318135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.829312318.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829324628.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829330878.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: ProtectVirtual
String ID: `ghv@Mhv
API String ID: 544645111-2667177705
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: e09dfa788fffc30199ef0a9f627684cb70e95bce5f527532b7ad3e980fb418b3
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: 67F09BF19092A0DEF360DF688CC47063FE4E3983D5B03852AE358F6269EB7441448B19

Uniqueness

Uniqueness Score: -1.00%

Function 0040303E Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040303E(void* __ecx, long _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x424798;
					 *0x4178dc = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403146(4);
				if(_t22 >= 0) {
					_t24 = E00405CAA( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x4178dc =  *0x4178dc + 4;
						_t36 = E00403146(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x4178dc =  *0x4178dc + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E00405CAA( *0x40a01c, 0x4138d8, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E00405CD9(_a8, 0x4138d8, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x4178dc =  *0x4178dc + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x00403042
0x0040304b
0x00403054
0x00403058
0x00403063
0x00403063
0x0040306b
0x00403072
0x00403084
0x0040308b
0x00403130
0x00403130
0x00000000
0x00403091
0x00403094
0x004030a0
0x004030a4
0x0040313e
0x0040313e
0x004030aa
0x004030ad
0x0040310c
0x00403112
0x00403114
0x00403114
0x00403126
0x0040312e
0x00403135
0x00403138
0x00000000
0x00000000
0x00000000
0x00000000
0x004030af
0x004030b2
0x00000000
0x004030b8
0x004030bd
0x004030c4
0x004030c7
0x004030c9
0x004030c9
0x004030d6
0x004030d9
0x004030e0
0x00000000
0x00000000
0x004030e9
0x004030f0
0x00403108
0x00403132
0x00403132
0x004030f2
0x004030f2
0x004030f5
0x004030f8
0x004030fe
0x00403104
0x00000000
0x00403106
0x00000000
0x00403106
0x00403104
0x00000000
0x004030f0
0x00000000
0x004030bd
0x004030b2
0x004030ad
0x004030a4
0x0040308b
0x00403140
0x00403143

APIs

SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 00403063

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 636c82f294539f8116134b886240b7bf4a9a68a3f80346334f9d5df26d1cb633
Instruction ID: d45136b7277fa4a4eeb989eab338d16e1e03b20585a5145be81ea7fda6220a17
Opcode Fuzzy Hash: 636c82f294539f8116134b886240b7bf4a9a68a3f80346334f9d5df26d1cb633
Instruction Fuzzy Hash: 6C314F31204259EFDB109F56DD44A9A7FA8EB08759F10803AF905FA190D378DA50DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040246D Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040246D(int* __ebx, char* __esi) {
				void* _t17;
				char* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402B01(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402AC1(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x3c) = 0x400;
					if(RegQueryValueExA(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x3c) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E00405FF7(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x3ff] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33); // executed
					RegCloseKey(); // executed
				}
				 *0x4247c8 =  *0x4247c8 +  *(_t37 - 4);
				return 0;
			}

0x0040246d
0x0040246d
0x00402472
0x00402479
0x0040247b
0x00402482
0x00402484
0x00402716
0x0040248a
0x0040248d
0x004024a8
0x004024d8
0x004024d8
0x004024da
0x004024aa
0x004024ae
0x004024c7
0x004024ce
0x004024d1
0x004024b0
0x004024b3
0x004024be
0x00402535
0x00000000
0x00000000
0x00000000
0x004024b3
0x004024ae
0x0040253b
0x0040253c
0x0040253c
0x00402954
0x00402960

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040249D
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,00000000,00000011,00000002), ref: 0040253C

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: dfe6487634654fd1de603517f960d75db9e2524c9ca12b0faf19cce1f4693636
Instruction ID: 1b22629e75d9b419b9fa7e371b5212fc4da00fb077cffe61c988f7dc4f8aba71
Opcode Fuzzy Hash: dfe6487634654fd1de603517f960d75db9e2524c9ca12b0faf19cce1f4693636
Instruction Fuzzy Hash: 5511E771A05205EEDB15DF64DA8C5BE7BB4EF05348F20403FE446B72C0D6B88A42DB29

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x424770;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x423f0c =  *0x423f0c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x423f0c, 0x7530,  *0x423ef4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9ad871f4f8a3338eb99fe4e61ab0dcd0b50e8b4f7c7093f405d94b725c985010
Instruction ID: 0b9a08df0e19283e0c47f542131d218e25c17bbe1cc26e2bbd3e30b70dde81e4
Opcode Fuzzy Hash: 9ad871f4f8a3338eb99fe4e61ab0dcd0b50e8b4f7c7093f405d94b725c985010
Instruction Fuzzy Hash: FD01F431B202109BE7194B389D05B6A36A8E710315F51823FF951F65F1D778CC038B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00401E25 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E43
EnableWindow.USER32(00000000,00000000), ref: 00401E4E

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 70a93260b027f2004694904072cd59400e64644bb7532fd21934b6a3ced71637
Instruction ID: f710efbc4c9934798fb848b4930091ab6df2b9d686602449302b85490548aed4
Opcode Fuzzy Hash: 70a93260b027f2004694904072cd59400e64644bb7532fd21934b6a3ced71637
Instruction Fuzzy Hash: C8E01272B082119FD714EBB6EA495AD77B4EF40315B11403BE415F11D1DE7888419F5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406431 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406431(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a258);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a258));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a25c));
				}
				_t5 = E004063C3(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406439
0x0040643c
0x00406443
0x0040644b
0x00406457
0x00000000
0x0040645e
0x0040644e
0x00406455
0x00000000
0x00406466
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

Part of subcall function 004063C3: GetSystemDirectoryA.KERNEL32 ref: 004063DA
Part of subcall function 004063C3: wsprintfA.USER32 ref: 00406413
Part of subcall function 004063C3: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406427

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 0ad4aa8648104e950424ecb2e9ed5d31610cefc4b667c124e82fedf243554202
Instruction ID: 56fda94a1dd54a43fb122a1991fe363568279dfba8e98efda579274c3b941564
Opcode Fuzzy Hash: 0ad4aa8648104e950424ecb2e9ed5d31610cefc4b667c124e82fedf243554202
Instruction Fuzzy Hash: E3E086326042105AD2106BB09E0487773A89F84750302883EF946F2140D7389C75ABAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405C32 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405C32(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405c36
0x00405c43
0x00405c58
0x00405c5e

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00405C36
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
Instruction ID: 44ec1511c7d75563636feacf23b0872b92cf9f9cc06fc18b7ec6e669f43cef59
Opcode Fuzzy Hash: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
Instruction Fuzzy Hash: E4D09E71654201AFEF098F20DE16F2EBAA2EB84B00F11952CB682944E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405C0D Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C0D(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405c12
0x00405c18
0x00405c1d
0x00405c26
0x00405c26
0x00405c2f

APIs

GetFileAttributesA.KERNELBASE(?,?,00405825,?,?,00000000,00405A08,?,?,?,?), ref: 00405C12
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C26

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction ID: 434021fb132f1a115613134526c1ca1f9a267fea60db19119bc25123d282abd2
Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction Fuzzy Hash: 6FD0C972504121BBD2102728EE0889FBB55DB54271702CA35F8A9A26B1DB304C5A9A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405703 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405703(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405709
0x00405711
0x00000000
0x00405717
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405709
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405717

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction ID: 9e29868ffe2b43b7798ba1daada82999d34952ab2a4b7d437405be2737e00dc4
Opcode Fuzzy Hash: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction Fuzzy Hash: 0DC04C30225901DADA606F249F087177994FBA0741F1144396146E30E0EA348415ED2D

Uniqueness

Uniqueness Score: -1.00%

Function 004025C4 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025C4(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _t27;
				intOrPtr _t33;
				void* _t38;
				void* _t41;

				_t33 = __edx;
				 *((intOrPtr*)(_t38 - 8)) = __ebx;
				_t27 = E00402A9F(2);
				_t41 = _t27 - 1;
				 *((intOrPtr*)(_t38 - 0x3c)) = _t33;
				 *((intOrPtr*)(_t38 - 0xc)) = _t27;
				if(_t41 < 0) {
					L24:
					 *0x4247c8 =  *0x4247c8 +  *(_t38 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *((intOrPtr*)(__ebp - 0xc)) = 0x3ff;
					}
					if( *__esi == __bl) {
						L21:
						__esi =  *((intOrPtr*)(__ebp - 8));
						goto L22;
					} else {
						 *((char*)(__ebp + 0xb)) = __bl;
						 *(__ebp - 0x30) = E00406010(__ecx, __esi);
						if( *((intOrPtr*)(__ebp - 0xc)) <= __ebx) {
							goto L21;
						} else {
							__esi =  *((intOrPtr*)(__ebp - 8));
							while(1) {
								__eax = __ebp - 0xd;
								__eax = E00405CAA( *(__ebp - 0x30), __ebp - 0xd, 1); // executed
								if(__eax == 0) {
									break;
								}
								if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
									 *(__ebp - 0xd) & 0x000000ff = E00405FF7(__edi,  *(__ebp - 0xd) & 0x000000ff);
								} else {
									if( *((char*)(__ebp + 0xb)) == 0xd ||  *((char*)(__ebp + 0xb)) == 0xa) {
										__al =  *(__ebp - 0xd);
										if( *((intOrPtr*)(__ebp + 0xb)) == __al || __al != 0xd && __al != 0xa) {
											__eax = SetFilePointer( *(__ebp - 0x30), 0xffffffff, __ebx, 1);
										} else {
											 *((char*)(__esi + __edi)) = __al;
											__esi = __esi + 1;
										}
										break;
									} else {
										__al =  *(__ebp - 0xd);
										 *((char*)(__esi + __edi)) = __al;
										__esi = __esi + 1;
										 *((char*)(__ebp + 0xb)) = __al;
										if(__al == __bl) {
											break;
										} else {
											if(__esi <  *((intOrPtr*)(__ebp - 0xc))) {
												continue;
											} else {
												break;
											}
										}
									}
								}
								goto L25;
							}
							L22:
							 *((char*)(__esi + __edi)) = __bl;
							if(_t41 == 0) {
								 *(_t38 - 4) = 1;
							}
							goto L24;
						}
					}
				}
				L25:
				return 0;
			}

0x004025c4
0x004025c6
0x004025c9
0x004025ce
0x004025d2
0x004025d5
0x004025d8
0x00402951
0x00402954
0x004025de
0x004025de
0x004025e5
0x004025e7
0x004025e7
0x004025ec
0x00402674
0x00402674
0x00000000
0x004025f2
0x004025f3
0x004025fe
0x00402601
0x00000000
0x00402603
0x00402603
0x00402606
0x00402606
0x0040260f
0x00402616
0x00000000
0x00000000
0x0040261b
0x00402644
0x0040261d
0x00402621
0x0040264e
0x00402654
0x0040266c
0x0040265e
0x0040265e
0x00402661
0x00402661
0x00000000
0x00402629
0x00402629
0x0040262c
0x0040262f
0x00402632
0x00402635
0x00000000
0x00402637
0x0040263a
0x00000000
0x0040263c
0x00000000
0x0040263c
0x0040263a
0x00402635
0x00402621
0x00000000
0x0040261b
0x00402677
0x00402677
0x004015b0
0x00402716
0x00402716
0x00000000
0x004015b0
0x00402601
0x004025ec
0x0040295a
0x00402960

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 4fda81b7895bfe8bf62350e409a9146a4ce559ffbc9a4be406a98ca21679bf34
Instruction ID: 014ce3e67ccbc0a67955049e33e6e2fc18f0270869ac9b4e1a99f60d8e299e74
Opcode Fuzzy Hash: 4fda81b7895bfe8bf62350e409a9146a4ce559ffbc9a4be406a98ca21679bf34
Instruction Fuzzy Hash: CC21F970D04295BEDF318B699948AAEBF749F11304F04457FE4D0B62D5C6BE8A82CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00402682 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00402682(intOrPtr __edx, void* __eflags) {
				long _t7;
				long _t9;
				LONG* _t11;
				void* _t13;
				intOrPtr _t14;
				void* _t17;
				void* _t19;

				_t14 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t7 = E00402A9F(2);
					_pop(_t13);
					 *((intOrPtr*)(_t19 - 0x3c)) = _t14;
					_t9 = SetFilePointer(E00406010(_t13, _t17), _t7, _t11,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t11) {
						_push(_t9);
						E00405FF7();
					}
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402682
0x00402682
0x00402683
0x0040268b
0x00402690
0x00402691
0x004026a0
0x004026a9
0x004028f7
0x004028f9
0x004028f9
0x004026a9
0x00402954
0x00402960

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A0

Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 7f4dd024d7baea7243aacb1c134d87f0f28e7bae7902d05c041a77775a735631
Instruction ID: daba68e88d81473494fab100d986bdd4d5457abcde4f4dc52411d400b48531e4
Opcode Fuzzy Hash: 7f4dd024d7baea7243aacb1c134d87f0f28e7bae7902d05c041a77775a735631
Instruction Fuzzy Hash: BCE09B71B04116ABD700FB95AA4997E7768DF40304F10403FF515F00C1CA7D4C025B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004022F6 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004022F6(int __eax, CHAR* __ebx) {
				CHAR* _t11;
				void* _t13;
				CHAR* _t14;
				void* _t18;
				int _t22;

				_t11 = __ebx;
				_t5 = __eax;
				_t14 = 0;
				if(__eax != __ebx) {
					__eax = E00402AC1(__ebx);
				}
				if(_t13 != _t11) {
					_t14 = E00402AC1(0x11);
				}
				if( *((intOrPtr*)(_t18 - 0x18)) != _t11) {
					_t11 = E00402AC1(0x22);
				}
				_t5 = WritePrivateProfileStringA(0, _t14, _t11, E00402AC1(0xffffffcd)); // executed
				_t22 = _t5;
				if(_t22 == 0) {
					 *((intOrPtr*)(_t18 - 4)) = 1;
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t18 - 4));
				return 0;
			}

0x004022f6
0x004022f6
0x004022f8
0x004022fc
0x004022ff
0x00402307
0x0040230b
0x00402314
0x00402314
0x00402319
0x00402322
0x00402322
0x0040232f
0x004015ae
0x004015b0
0x00402716
0x00402716
0x00402954
0x00402960

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040232F

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: d24bdbc1146ceb37acbd80640b4da5ce9412419425c02070d407eaaf5c42416a
Instruction ID: f472a2c509351f333654906e099da5e6dfd11f42980ce41b172c94471a0d1cd1
Opcode Fuzzy Hash: d24bdbc1146ceb37acbd80640b4da5ce9412419425c02070d407eaaf5c42416a
Instruction Fuzzy Hash: 8BE01A31B401246ADB207AB10E8E96E14989BC4744B29053ABE05B62C3DDBC4C414AB9

Uniqueness

Uniqueness Score: -1.00%

Function 00405F4D Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F4D(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00405EA4(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExA(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00405f57
0x00405f60
0x00405f76
0x00000000
0x00405f76
0x00405f64
0x00000000

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B72,00000000,?,?), ref: 00405F76

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: b8b87f9e7f23a22b038ad66cb6348727c8887116b88fbbe418bbf9d15439b9dc
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: B4E0E67201450DBEDF095F60DD0AD7B371DEB08304F04452EFA45D4091E7B5AD209E74

Uniqueness

Uniqueness Score: -1.00%

Function 0040171F Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040171F() {
				long _t5;
				CHAR* _t8;
				CHAR* _t12;
				void* _t14;
				long _t17;

				_t5 = SearchPathA(_t8, E00402AC1(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
				_t17 = _t5;
				if(_t17 == 0) {
					 *((intOrPtr*)(_t14 - 4)) = 1;
					 *_t12 = _t8;
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t14 - 4));
				return 0;
			}

0x00401733
0x00401739
0x0040173b
0x004026ea
0x004026f1
0x004026f1
0x00402954
0x00402960

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: e2de62c67f626fd7cbb2d648b6900a9fb7c637aefb91bc1b9a881cf0db71d773
Instruction ID: df229b99d0cfb4b3fe493512c75d53ef4dff6bb2c14726edf2e4ac3df3ce4b05
Opcode Fuzzy Hash: e2de62c67f626fd7cbb2d648b6900a9fb7c637aefb91bc1b9a881cf0db71d773
Instruction Fuzzy Hash: 9FE020B1304101AFD700DB64DD59BAE3B98DF40368F30453AE515E60C1D2B4C9428728

Uniqueness

Uniqueness Score: -1.00%

Function 0040233A Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040233A(char __ebx) {
				char _t7;
				CHAR* _t8;
				CHAR* _t19;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 0xa) = _t7;
				_t8 = E00402AC1(1);
				 *(_t21 - 0x3c) = E00402AC1(0x12);
				GetPrivateProfileStringA(_t8,  *(_t21 - 0x3c), _t21 + 0xa, _t19, 0x3ff, E00402AC1(0xffffffdd)); // executed
				_t24 =  *_t19 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t19 = __ebx;
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040233a
0x00402342
0x00402346
0x00402356
0x0040236d
0x00402373
0x0040173b
0x004026ea
0x004026f1
0x004026f1
0x00402954
0x00402960

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040236D

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: e8e9dc98ecc8dc52fd3defedd6371274e224f608b56cf67719823b11c706e596
Instruction ID: 8896498bc3bf22cdd75c41d4cee83ceff5cc5a9cf36b2948d6df5d4522980b60
Opcode Fuzzy Hash: e8e9dc98ecc8dc52fd3defedd6371274e224f608b56cf67719823b11c706e596
Instruction Fuzzy Hash: 82E08634B44308BADF10AFA19D49EAD3668AF41710F14403AFD547B0E2EEB844429B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F1F Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F1F(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00405EA4(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExA(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00405f29
0x00405f30
0x00405f43
0x00000000
0x00405f43
0x00405f34
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405FAD,?,?,?,?,00000002,Call), ref: 00405F43

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 49134d8a29c384089d71c2fc87a48e1db8574b6415c3e00dd087e3758e4bfdf5
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: C1D0EC3210420ABADF119E919D01FAB371DEB04350F004426BA45E4091D779D520AE54

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040159D() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesA(E00402AC1(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a8
0x004015ae
0x004015b0
0x00402716
0x00402716
0x00402954
0x00402960

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c70efac3b327c3c2a8914d2433bfa69d707dc7d7600d38acd60cc2a8dccf06db
Instruction ID: ce3aa80a16c353682a4fc60f6c60757a41c4294f2dd63ac0650dc91194aad8f9
Opcode Fuzzy Hash: c70efac3b327c3c2a8914d2433bfa69d707dc7d7600d38acd60cc2a8dccf06db
Instruction Fuzzy Hash: E1D0127270811197CB10DBA8AB4869D77A4EB80325B318137D515F21D1E6B9C945671D

Uniqueness

Uniqueness Score: -1.00%

Function 004041A6 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041A6(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x423ef8; // 0x40460
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004041a6
0x004041ad
0x004041b8
0x00000000
0x004041b8
0x004041be

APIs

SendMessageA.USER32(00040460,00000000,00000000,00000000), ref: 004041B8

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 36dc9921a482444c8f32a3e2d649131ff3b3bcc632906422d004d469ccc3c4a4
Instruction ID: 55b95b209562bae9886b89f2f6925b48322e85585088ac1ac71ede26d93296ac
Opcode Fuzzy Hash: 36dc9921a482444c8f32a3e2d649131ff3b3bcc632906422d004d469ccc3c4a4
Instruction Fuzzy Hash: 77C09B717407017BEA208F509E4DF0777A96750701F2944397760F60D0C6F4D450DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 004032C5 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032C5(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004032d3
0x004032d9

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040418F Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040418F(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x424728, 0x28, _a4, 1); // executed
				return _t2;
			}

0x0040419d
0x004041a3

APIs

SendMessageA.USER32(00000028,?,00000001,00403FBF), ref: 0040419D

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c02a5868d14bc1e19ebeed3d404449871defacebd96b9282790bb16d711c782
Instruction ID: 10cfd25431557a88665167ebbf17620150c727a9bd7140e907e4ecff4ccdfc3e
Opcode Fuzzy Hash: 1c02a5868d14bc1e19ebeed3d404449871defacebd96b9282790bb16d711c782
Instruction Fuzzy Hash: 30B09236280A00AAEE218B00DE09F457AA2E7A8742F028028B250240B0CAB200A1DB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040417C Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040417C(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x420d2c, _a4); // executed
				return _t2;
			}

0x00404186
0x0040418c

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F58), ref: 00404186

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 170f1306ebf328c26108ef1010d48ef1549a1a3b4841237e6a0462b6e89b4d13
Instruction ID: bd711969ba89efe8629f231cafa01baa053f2358784498ab8b3cf30639ef5a41
Opcode Fuzzy Hash: 170f1306ebf328c26108ef1010d48ef1549a1a3b4841237e6a0462b6e89b4d13
Instruction Fuzzy Hash: 55A012320000009FCB014B50EF04C057F71AB543007018435E140400338A310821FF0C

Uniqueness

Uniqueness Score: -1.00%

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D6(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402A9F(_t7);
				 *((intOrPtr*)(_t13 - 0x3c)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d6
0x004014d7
0x004014e0
0x004014e3
0x004014e7
0x004014e7
0x004014e9
0x00402954
0x00402960

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c0e700f1fcdc4ffa98e8290517b670d0cf04be8f77536005ba3f54c52213854c
Instruction ID: 570e0916f0090f26c7ee0a6088be2661e77b817c4cb0ee023996dcc8b23dd1f7
Opcode Fuzzy Hash: c0e700f1fcdc4ffa98e8290517b670d0cf04be8f77536005ba3f54c52213854c
Instruction Fuzzy Hash: 96D05E73B141518BD754EBB9BA8845E73E4EB903153214837E852E2091EA78C8424A28

Uniqueness

Uniqueness Score: -1.00%

Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001215() {
				void* _t1;

				_t1 = GlobalAlloc(0x40,  *0x1000405c); // executed
				return _t1;
			}

0x1000121d
0x10001223

APIs

GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

Memory Dump Source

Source File: 00000002.00000002.829318135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.829312318.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829324628.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829330878.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction ID: 35b308b173d9b0532f6cde55f5bface33093279d7ce3c78a2cc6db588f634b90
Opcode Fuzzy Hash: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction Fuzzy Hash: 6CA002B1945620DBFE429BE08D9EF1B3B25E748781F01C040E315641BCCA754010DF39

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404B3D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00404B3D(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				int _t194;
				intOrPtr _t195;
				intOrPtr _t197;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t273;
				long _t276;
				int _t277;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				int _t295;
				int _t296;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageA;
				_v20 =  *0x424768;
				_t282 = 0;
				_v24 =  *0x424734 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x42473d & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404A8B(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x418 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x42473c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x420d14; // 0x0
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x420d28; // 0x0
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x420d14 = _t282;
								 *0x420d28 = _t282;
								 *0x4247a0 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x42473d & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404B0B();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_t194 =  *0x420d28; // 0x0
									_v32 = _t194;
									_t195 =  *0x424768;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42476c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										_t197 =  *0x423efc; // 0x7cd3ae
										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
											E00404A46(0x3ff, 0xfffffffb, E00404A5E(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x106]);
									} while (_v20 <  *0x42476c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x420d28);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageA(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageA(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x4247a0 = _t306;
					 *0x420d28 = GlobalAlloc(0x40,  *0x42476c << 2);
					_t252 = LoadBitmapA( *0x424720, 0x6e);
					 *0x420d1c =  *0x420d1c | 0xffffffff;
					_t313 = _t252;
					 *0x420d24 = SetWindowLongA(_v8, 0xfffffffc, E00405134);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420d14 = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x420d14);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t282, E004060BB(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E0040415A(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E0040415A(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42476c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										_t273 = SendMessageA(_v8, 0x1100, 0,  &_v84);
										_t295 =  *0x420d28; // 0x0
										 *(_t295 + _t316 * 4) = _t273;
									} else {
										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_t296 =  *0x420d28; // 0x0
									_v32 = 1;
									 *(_t296 + _t316 * 4) = _t276;
									_t277 =  *0x420d28; // 0x0
									_t284 =  *(_t277 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x418]);
							_v28 = _t302;
						} while (_t316 <  *0x42476c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E0040418F(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040418F(_v12);
								L91:
								return E004041C1(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404b4c
0x00404b5d
0x00404b62
0x00404b6a
0x00404b70
0x00404b78
0x00404b86
0x00404b89
0x00404da9
0x00404db0
0x00404dc4
0x00404db2
0x00404db4
0x00404db7
0x00404db8
0x00404dbf
0x00404dbf
0x00404dd0
0x00404dde
0x00404de1
0x00404df7
0x00404e6c
0x00404e6f
0x00404e71
0x00404e7b
0x00404e89
0x00404e89
0x00404e8b
0x00404e95
0x00404e9b
0x00404e9e
0x00404ea1
0x00404ebc
0x00404ea3
0x00404ead
0x00404ead
0x00404ea1
0x00404e95
0x00000000
0x00404e6f
0x00404dfc
0x00404e07
0x00404e0c
0x00404e13
0x00404e18
0x00404e1c
0x00404e27
0x00404e27
0x00404e2b
0x00404e2f
0x00404e33
0x00404e46
0x00404e35
0x00404e35
0x00404e3c
0x00404e42
0x00404e3e
0x00404e3e
0x00404e3e
0x00404e3c
0x00404e4a
0x00404e4c
0x00404e5f
0x00404e62
0x00404e65
0x00404e65
0x00404e2f
0x00000000
0x00404e1c
0x00404dfe
0x00404e05
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ebf
0x00404ebf
0x00404ec6
0x00404f37
0x00404f3f
0x00404f47
0x00404f47
0x00404f50
0x00404f52
0x00404f59
0x00404f5c
0x00404f5c
0x00404f62
0x00404f69
0x00404f6c
0x00404f6c
0x00404f72
0x00404f78
0x00404f7e
0x00404f7e
0x00404f8b
0x004050e1
0x004050e8
0x00405105
0x0040510b
0x0040511d
0x0040511d
0x00000000
0x00404f91
0x00404f93
0x00404f98
0x00404f9d
0x00404fa2
0x00404fa4
0x00404fa4
0x00404fa5
0x00404fa6
0x00404fa8
0x00404fa8
0x00404fb0
0x00404ff1
0x00404ff3
0x00404ff8
0x00405003
0x00405006
0x0040500b
0x00405012
0x00405015
0x004050b7
0x004050bd
0x004050c3
0x004050cb
0x004050dc
0x004050dc
0x00000000
0x004050cb
0x0040501b
0x0040501e
0x00405024
0x00405029
0x0040502b
0x0040502d
0x00405033
0x0040503a
0x0040503f
0x00405046
0x00405049
0x00405049
0x00405050
0x0040505c
0x00405060
0x00405062
0x00405062
0x00405052
0x00405054
0x00405054
0x00405082
0x0040508e
0x0040509d
0x0040509d
0x0040509f
0x004050a2
0x004050ab
0x00000000
0x00404fb2
0x00404fbd
0x00404fc0
0x00404fc5
0x00404fc7
0x00404fcb
0x00404fdb
0x00404fe5
0x00404fe7
0x00404fea
0x00000000
0x00000000
0x00000000
0x00000000
0x00404fcd
0x00404fcd
0x00404fd3
0x00404fd5
0x00404fd5
0x00404fd6
0x00404fd7
0x00000000
0x00404fcd
0x00404fb0
0x00404f8b
0x00404ece
0x00000000
0x00404ee4
0x00404eee
0x00404ef3
0x00000000
0x00000000
0x00404f05
0x00404f0a
0x00404f16
0x00404f16
0x00404f18
0x00404f27
0x00404f29
0x00404f2d
0x00404f30
0x00000000
0x00404f30
0x00404ece
0x00404b8f
0x00404b94
0x00404b9d
0x00404ba4
0x00404bb2
0x00404bbd
0x00404bc3
0x00404bd1
0x00404be5
0x00404bea
0x00404bf7
0x00404bfc
0x00404c12
0x00404c23
0x00404c30
0x00404c30
0x00404c33
0x00404c39
0x00404c3b
0x00404c3e
0x00404c43
0x00404c48
0x00404c4a
0x00404c4a
0x00404c6a
0x00404c6a
0x00404c6c
0x00404c6d
0x00404c72
0x00404c75
0x00404c78
0x00404c7c
0x00404c81
0x00404c86
0x00404c8a
0x00404c8f
0x00404c94
0x00404c96
0x00404c9e
0x00404d68
0x00404d7b
0x00000000
0x00404ca4
0x00404ca7
0x00404caa
0x00404cad
0x00404cad
0x00404cb3
0x00404cb9
0x00404cbc
0x00404cc2
0x00404cc3
0x00404cc8
0x00404cd1
0x00404cd8
0x00404cdb
0x00404cde
0x00404ce1
0x00404d1d
0x00404d3e
0x00404d40
0x00404d46
0x00404d1f
0x00404d2c
0x00404d2c
0x00404ce3
0x00404ce6
0x00404cf5
0x00404cff
0x00404d01
0x00404d07
0x00404d0e
0x00404d11
0x00404d16
0x00404d16
0x00404ce1
0x00404d4c
0x00404d4d
0x00404d59
0x00404d59
0x00404d66
0x00404d81
0x00404d85
0x00404da2
0x00404da7
0x00000000
0x00404d87
0x00404d8c
0x00404d95
0x0040511f
0x00405131
0x00405131
0x00404d85
0x00000000
0x00404d66
0x00404c9e

APIs

GetDlgItem.USER32 ref: 00404B55
GetDlgItem.USER32 ref: 00404B60
GlobalAlloc.KERNEL32(00000040,?), ref: 00404BAA
LoadBitmapA.USER32 ref: 00404BBD
SetWindowLongA.USER32 ref: 00404BD6
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BEA
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BFC
SendMessageA.USER32(?,00001109,00000002), ref: 00404C12
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C1E
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C30
DeleteObject.GDI32(00000000), ref: 00404C33
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C5E
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C6A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404CFF
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404D2A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D3E
GetWindowLongA.USER32 ref: 00404D6D
SetWindowLongA.USER32 ref: 00404D7B
ShowWindow.USER32(?,00000005), ref: 00404D8C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404E89
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404EEE
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F03
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F27
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F47
ImageList_Destroy.COMCTL32(00000000), ref: 00404F5C
GlobalFree.KERNEL32 ref: 00404F6C
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404FE5
SendMessageA.USER32(?,00001102,?,?), ref: 0040508E
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040509D
InvalidateRect.USER32(?,00000000,00000001), ref: 004050BD
ShowWindow.USER32(?,00000000), ref: 0040510B
GetDlgItem.USER32 ref: 00405116
ShowWindow.USER32(00000000), ref: 0040511D

Strings

N, xrefs: 00404DC7
M, xrefs: 00404CE6
, xrefs: 004050F5

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
Instruction ID: d82d2da19de6c08df5f7af85b096481c441aefc445292f149536e1611d4f21ae
Opcode Fuzzy Hash: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
Instruction Fuzzy Hash: 080241B0A00209AFDB209F95DD85AAE7BB5FB84314F10417AF611BA2E1C7799D42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 10001A5D Relevance: 25.0, APIs: 13, Strings: 1, Instructions: 540
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001A5D() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				CHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				CHAR* _t198;
				signed int _t201;
				void* _t203;
				void* _t205;
				CHAR* _t207;
				void* _t215;
				struct HINSTANCE__* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t219;
				signed short _t221;
				struct HINSTANCE__* _t224;
				struct HINSTANCE__* _t226;
				void* _t227;
				char* _t228;
				void* _t239;
				signed char _t240;
				signed int _t241;
				struct HINSTANCE__* _t247;
				void* _t248;
				signed int _t250;
				signed int _t252;
				signed int _t258;
				void* _t259;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed char _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed char _t307;
				signed int _t308;
				CHAR* _t309;
				CHAR* _t311;
				CHAR* _t312;
				struct HINSTANCE__* _t313;
				void* _t315;
				signed int _t316;
				void* _t317;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t317 = 0;
				_v48 = 0;
				_t198 = E10001215();
				_v24 = _t198;
				_v28 = _t198;
				_v44 = E10001215();
				_t308 = E1000123B();
				_v52 = _t308;
				_v12 = _t308;
				while(1) {
					_t201 = _v32;
					_v56 = _t201;
					if(_t201 != _t283 && _t317 == _t283) {
						break;
					}
					_t307 =  *_t308;
					_t286 = _t307;
					_t203 = _t286 - _t283;
					if(_t203 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t205 = _v56 - _t283;
						if(_t205 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t317 - _t283;
							if(_t317 == _t283) {
								_t317 = GlobalAlloc(0x40, 0x14a4);
								 *(_t317 + 0x810) = _t283;
								 *(_t317 + 0x814) = _t283;
							}
							_t287 = _v36;
							_t43 = _t317 + 8; // 0x8
							_t207 = _t43;
							_t44 = _t317 + 0x408; // 0x408
							_t309 = _t44;
							 *_t317 = _t287;
							 *_t207 =  *_t207 & 0x00000000;
							 *(_t317 + 0x808) = _t283;
							 *_t309 =  *_t309 & 0x00000000;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *(_t317 + 0x80c) = _t283;
							 *(_t317 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t315 = 0;
								GlobalFree(_t317);
								_t317 = E100012FE(_v24);
								__eflags = _t317 - _t283;
								if(_t317 == _t283) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t239 =  *(_t317 + 0x14a0);
									__eflags = _t239 - _t283;
									if(_t239 == _t283) {
										break;
									}
									_t315 = _t317;
									_t317 = _t239;
									__eflags = _t317 - _t283;
									if(_t317 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t315 - _t283;
								if(_t315 != _t283) {
									 *(_t315 + 0x14a0) = _t283;
								}
								_t240 =  *(_t317 + 0x810);
								__eflags = _t240 & 0x00000008;
								if((_t240 & 0x00000008) == 0) {
									_t241 = _t240 | 0x00000002;
									__eflags = _t241;
									 *(_t317 + 0x810) = _t241;
								} else {
									_t317 = E10001534(_t317);
									 *(_t317 + 0x810) =  *(_t317 + 0x810) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L28:
									lstrcpyA(_t207, _v44);
									L29:
									lstrcpyA(_t309, _v24);
									L39:
									_v12 = _v12 + 1;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t308 = _v12;
										continue;
									}
									break;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L29;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t205 != 1) {
							goto L39;
						}
						_t247 = _v16;
						if(_v40 == _t283) {
							_t247 = _t247 - 1;
						}
						 *(_t317 + 0x814) = _t247;
						goto L39;
					}
					_t248 = _t203 - 0x23;
					if(_t248 == 0) {
						__eflags = _t308 - _v52;
						if(_t308 <= _v52) {
							L15:
							_v32 = _t283;
							_v36 = _t283;
							goto L17;
						}
						__eflags =  *((char*)(_t308 - 1)) - 0x3a;
						if( *((char*)(_t308 - 1)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							L40:
							_t250 = _v32 - _t283;
							__eflags = _t250;
							if(_t250 == 0) {
								__eflags = _t307 - 0x2a;
								if(_t307 == 0x2a) {
									_v36 = 2;
									L61:
									_t308 = _v12;
									_v28 = _v24;
									_t283 = 0;
									__eflags = 0;
									L62:
									_t316 = _t308 + 1;
									__eflags = _t316;
									_v12 = _t316;
									goto L63;
								}
								__eflags = _t307 - 0x2d;
								if(_t307 == 0x2d) {
									L132:
									_t252 = _t308 + 1;
									__eflags =  *_t252 - 0x3e;
									if( *_t252 != 0x3e) {
										L134:
										_t252 = _t308 + 1;
										__eflags =  *_t252 - 0x3a;
										if( *_t252 != 0x3a) {
											L141:
											_v28 =  &(_v28[1]);
											 *_v28 = _t307;
											goto L62;
										}
										__eflags = _t307 - 0x2d;
										if(_t307 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t252;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 =  *_v44 & 0x00000000;
										} else {
											 *_v28 =  *_v28 & 0x00000000;
											lstrcpyA(_v44, _v24);
										}
										goto L61;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t307 - 0x3a;
								if(_t307 != 0x3a) {
									goto L141;
								}
								__eflags = _t307 - 0x2d;
								if(_t307 != 0x2d) {
									goto L134;
								}
								goto L132;
							}
							_t258 = _t250 - 1;
							__eflags = _t258;
							if(_t258 == 0) {
								L74:
								_t259 = _t286 - 0x22;
								__eflags = _t259 - 0x55;
								if(_t259 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t259 + 0x1000215a) & 0x000000ff) * 4 +  &M100020F6))) {
									case 0:
										__eax = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L116;
											}
											L115:
											__eflags =  *(__edi + 1) - __dl;
											if( *(__edi + 1) != __dl) {
												L120:
												 *__eax =  *__eax & 0x00000000;
												__ebx = E10001224(_v24);
												goto L91;
											}
											L116:
											__eflags = __cl;
											if(__cl == 0) {
												goto L120;
											}
											__eflags = __cl - __dl;
											if(__cl == __dl) {
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__cl =  *__edi;
											 *__eax =  *__edi;
											__eax = __eax + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 1;
										__ebx = E10001215();
										 &_v12 = E100019FB( &_v12);
										__eax = E10001429(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E100019FB( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(3);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x818) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x828) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E100019FB( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x81c)) = _v8;
											_t133 = _v16 + 0x41; // 0x41
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x830)) = 0;
											 *((intOrPtr*)(__edi + 0x82c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t261 =  *(_t317 + 0x814);
										__eflags = _t261 - _v16;
										if(_t261 > _v16) {
											_v16 = _t261;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t261 - (_v36 == 3);
										if(_t261 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E100019FB( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x82c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x830; // 0x830
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t262 = _t258 - 1;
							__eflags = _t262;
							if(_t262 == 0) {
								_v16 = _t283;
								goto L74;
							}
							__eflags = _t262 != 1;
							if(_t262 != 1) {
								goto L141;
							}
							_t265 = _t286 - 0x21;
							__eflags = _t265;
							if(_t265 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t266 = _t265 - 0x42;
							__eflags = _t266;
							if(_t266 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t317 + 0x810;
									 *_t92 =  *(_t317 + 0x810) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t317 + 0x810) =  *(_t317 + 0x810) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t271 = _t266;
							__eflags = _t271;
							if(_t271 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t272 = _t271 - 9;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(8);
								goto L56;
							}
							_t273 = _t272 - 4;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(4);
								goto L56;
							}
							_t274 = _t273 - 1;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t274 != 0;
							if(_t274 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t277 = _t248 - 5;
					if(_t277 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t283;
						_v20 = _t283;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t283;
						goto L17;
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						_v32 = 2;
						_v8 = _t283;
						_v20 = _t283;
						goto L17;
					}
					if(_t281 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t317 == _t283 ||  *(_t317 + 0x80c) != _t283) {
					L161:
					return _t317;
				} else {
					_t215 =  *_t317 - 1;
					if(_t215 == 0) {
						_t178 = _t317 + 8; // 0x8
						_t311 = _t178;
						__eflags =  *_t311;
						if( *_t311 != 0) {
							_t216 = GetModuleHandleA(_t311);
							__eflags = _t216 - _t283;
							 *(_t317 + 0x808) = _t216;
							if(_t216 != _t283) {
								L150:
								_t183 = _t317 + 0x408; // 0x408
								_t312 = _t183;
								_t217 = E100015A4( *(_t317 + 0x808), _t312);
								__eflags = _t217 - _t283;
								 *(_t317 + 0x80c) = _t217;
								if(_t217 == _t283) {
									__eflags =  *_t312 - 0x23;
									if( *_t312 == 0x23) {
										_t186 = _t317 + 0x409; // 0x409
										_t221 = E100012FE(_t186);
										__eflags = _t221 - _t283;
										if(_t221 != _t283) {
											__eflags = _t221 & 0xffff0000;
											if((_t221 & 0xffff0000) == 0) {
												 *(_t317 + 0x80c) = GetProcAddress( *(_t317 + 0x808), _t221 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t283;
								if(_v48 != _t283) {
									L157:
									_t312[lstrlenA(_t312)] = 0x41;
									_t219 = E100015A4( *(_t317 + 0x808), _t312);
									__eflags = _t219 - _t283;
									if(_t219 != _t283) {
										L145:
										 *(_t317 + 0x80c) = _t219;
										goto L161;
									}
									__eflags =  *(_t317 + 0x80c) - _t283;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t196 = _t317 + 4;
									 *_t196 =  *(_t317 + 4) | 0xffffffff;
									__eflags =  *_t196;
									goto L161;
								} else {
									__eflags =  *(_t317 + 0x80c) - _t283;
									if( *(_t317 + 0x80c) != _t283) {
										goto L161;
									}
									goto L157;
								}
							}
							_t224 = LoadLibraryA(_t311);
							__eflags = _t224 - _t283;
							 *(_t317 + 0x808) = _t224;
							if(_t224 == _t283) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t317 + 0x408; // 0x408
						_t226 = E100012FE(_t179);
						 *(_t317 + 0x80c) = _t226;
						__eflags = _t226 - _t283;
						goto L159;
					}
					_t227 = _t215 - 1;
					if(_t227 == 0) {
						_t176 = _t317 + 0x408; // 0x408
						_t228 = _t176;
						__eflags =  *_t228;
						if( *_t228 == 0) {
							goto L161;
						}
						_t219 = E100012FE(_t228);
						L144:
						goto L145;
					}
					if(_t227 != 1) {
						goto L161;
					}
					_t80 = _t317 + 8; // 0x8
					_t284 = _t80;
					_t313 = E100012FE(_t80);
					 *(_t317 + 0x808) = _t313;
					if(_t313 == 0) {
						goto L160;
					}
					 *(_t317 + 0x84c) =  *(_t317 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t317 + 0x850)) = E10001224(_t284);
					 *(_t317 + 0x83c) =  *(_t317 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t317 + 0x848)) = 1;
					 *((intOrPtr*)(_t317 + 0x838)) = 1;
					_t89 = _t317 + 0x408; // 0x408
					_t219 =  *(_t313->i + E100012FE(_t89) * 4);
					goto L144;
				}
			}

0x10001a65
0x10001a68
0x10001a6b
0x10001a6e
0x10001a71
0x10001a74
0x10001a77
0x10001a79
0x10001a7c
0x10001a81
0x10001a84
0x10001a8c
0x10001a94
0x10001a96
0x10001a99
0x10001aa1
0x10001aa1
0x10001aa6
0x10001aa9
0x00000000
0x00000000
0x10001ab3
0x10001ab5
0x10001aba
0x10001abc
0x10001b2e
0x10001b2e
0x10001b2e
0x10001b32
0x10001b35
0x10001b37
0x10001b59
0x10001b5c
0x10001b5e
0x10001b6d
0x10001b6f
0x10001b75
0x10001b75
0x10001b7b
0x10001b7e
0x10001b7e
0x10001b81
0x10001b81
0x10001b87
0x10001b89
0x10001b8c
0x10001b92
0x10001b95
0x10001b95
0x10001b97
0x10001b9d
0x10001ba0
0x10001bc4
0x10001bc7
0x00000000
0x00000000
0x10001bca
0x10001bcc
0x10001bda
0x10001bdd
0x10001bdf
0x00000000
0x00000000
0x00000000
0x00000000
0x10001be1
0x10001be1
0x10001be1
0x10001be7
0x10001be9
0x00000000
0x00000000
0x10001beb
0x10001bed
0x10001bef
0x10001bf1
0x00000000
0x00000000
0x00000000
0x10001bf1
0x10001bf3
0x10001bf5
0x10001bf7
0x10001bf7
0x10001bfd
0x10001c03
0x10001c05
0x10001c19
0x10001c19
0x10001c1b
0x10001c07
0x10001c0d
0x10001c10
0x10001c10
0x00000000
0x10001ba2
0x10001ba2
0x10001ba2
0x10001ba3
0x10001bab
0x10001baf
0x10001bb5
0x10001bb9
0x10001c21
0x10001c24
0x10001c27
0x10001cb1
0x10001cb5
0x10001a9e
0x00000000
0x10001a9e
0x00000000
0x10001cb5
0x10001ba5
0x10001ba5
0x10001ba6
0x00000000
0x00000000
0x10001ba8
0x10001ba9
0x00000000
0x00000000
0x00000000
0x10001ba9
0x10001ba0
0x10001b3a
0x00000000
0x00000000
0x10001b43
0x10001b46
0x10001b53
0x10001b53
0x10001b48
0x00000000
0x10001b48
0x10001abe
0x10001ac1
0x10001b12
0x10001b15
0x10001b26
0x10001b26
0x10001b29
0x00000000
0x10001b29
0x10001b17
0x10001b1b
0x00000000
0x00000000
0x10001b1d
0x10001b20
0x10001c2f
0x10001c32
0x10001c32
0x10001c34
0x10001f7a
0x10001f7d
0x10001fe0
0x10001ca2
0x10001ca5
0x10001ca8
0x10001cab
0x10001cab
0x10001cad
0x10001cad
0x10001cad
0x10001cae
0x00000000
0x10001cae
0x10001f7f
0x10001f82
0x10001f8e
0x10001f8e
0x10001f91
0x10001f94
0x10001f9f
0x10001f9f
0x10001fa2
0x10001fa5
0x10001fec
0x10001fef
0x10001ff2
0x00000000
0x10001ff2
0x10001fa7
0x10001faa
0x00000000
0x00000000
0x10001fac
0x10001fb3
0x10001fb3
0x10001fb9
0x10001fbc
0x10001fd8
0x10001fbe
0x10001fc7
0x10001fca
0x10001fca
0x00000000
0x10001fbc
0x10001f96
0x00000000
0x10001f96
0x10001f84
0x10001f87
0x00000000
0x00000000
0x10001f89
0x10001f8c
0x00000000
0x00000000
0x00000000
0x10001f8c
0x10001c3a
0x10001c3a
0x10001c3b
0x10001d6a
0x10001d6a
0x10001d6f
0x10001d72
0x00000000
0x00000000
0x10001d7f
0x00000000
0x10001f22
0x10001f25
0x10001f28
0x10001f28
0x10001f29
0x10001f2c
0x10001f2e
0x10001f30
0x00000000
0x00000000
0x10001f32
0x10001f32
0x10001f35
0x10001f47
0x10001f4a
0x10001f53
0x00000000
0x10001f53
0x10001f37
0x10001f37
0x10001f39
0x00000000
0x00000000
0x10001f3b
0x10001f3d
0x10001f3f
0x10001f3f
0x10001f3f
0x10001f40
0x10001f42
0x10001f44
0x10001f28
0x10001f29
0x10001f2c
0x10001f2e
0x10001f30
0x00000000
0x00000000
0x00000000
0x10001f30
0x00000000
0x10001dc6
0x00000000
0x00000000
0x10001dd2
0x00000000
0x00000000
0x10001db9
0x10001dbd
0x10001dc1
0x00000000
0x00000000
0x10001ef4
0x10001ef8
0x00000000
0x00000000
0x10001efe
0x10001f06
0x10001f0d
0x10001f15
0x00000000
0x00000000
0x10001e91
0x10001e91
0x00000000
0x00000000
0x10001ddb
0x00000000
0x00000000
0x10001f72
0x00000000
0x00000000
0x10001f62
0x00000000
0x00000000
0x10001f66
0x00000000
0x00000000
0x10001f6e
0x00000000
0x00000000
0x10001eb4
0x00000000
0x00000000
0x10001e99
0x10001e9b
0x00000000
0x00000000
0x10001ebc
0x00000000
0x00000000
0x10001ea1
0x00000000
0x00000000
0x10001ea5
0x00000000
0x00000000
0x10001f6a
0x10001f74
0x10001f74
0x00000000
0x00000000
0x10001ec4
0x10001ec8
0x10001ecd
0x10001ed0
0x10001ed1
0x10001ed4
0x10001eda
0x10001eda
0x00000000
0x00000000
0x10001f5a
0x00000000
0x00000000
0x10001ea9
0x10001eac
0x10001eae
0x00000000
0x00000000
0x10001de2
0x10001de2
0x00000000
0x00000000
0x10001eb8
0x10001ebe
0x10001ebe
0x10001de4
0x10001de4
0x10001de7
0x10001dee
0x10001df1
0x10001df3
0x10001df5
0x10001df6
0x10001dfa
0x10001dfd
0x10001e03
0x10001e09
0x10001e09
0x10001e0b
0x10001e0b
0x10001e0e
0x10001e14
0x10001e16
0x10001e1a
0x10001e1f
0x10001e1f
0x10001e21
0x10001e21
0x10001e24
0x10001e27
0x10001e30
0x10001e33
0x10001e36
0x10001e36
0x10001e38
0x10001e3b
0x10001e41
0x00000000
0x10001e41
0x10001e05
0x10001e07
0x00000000
0x00000000
0x00000000
0x00000000
0x10001d86
0x10001d8c
0x10001d8f
0x10001d91
0x10001d91
0x10001d94
0x10001d98
0x10001da5
0x10001da7
0x10001dad
0x10001dad
0x10001dad
0x00000000
0x00000000
0x10001ee2
0x10001ee6
0x10001eeb
0x10001eee
0x10001e47
0x10001e47
0x10001e49
0x00000000
0x00000000
0x10001e4f
0x10001e4f
0x10001e53
0x10001e5a
0x10001e7e
0x10001e7e
0x10001e82
0x10001e84
0x10001e87
0x10001e87
0x10001e8a
0x10001e8a
0x00000000
0x10001e82
0x10001e5f
0x10001e62
0x10001e62
0x10001e69
0x10001e6b
0x10001e6e
0x10001e75
0x10001e76
0x10001e7c
0x10001e7c
0x00000000
0x10001e7c
0x10001e70
0x10001e73
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001d7f
0x10001c41
0x10001c41
0x10001c42
0x10001d67
0x00000000
0x10001d67
0x10001c48
0x10001c49
0x00000000
0x00000000
0x10001c51
0x10001c51
0x10001c54
0x10001c9f
0x00000000
0x10001c9f
0x10001c56
0x10001c56
0x10001c59
0x10001c83
0x10001c86
0x10001c89
0x10001d59
0x10001d59
0x10001d59
0x10001c8f
0x10001c8f
0x10001c8f
0x10001d5f
0x00000000
0x10001d5f
0x10001c5c
0x10001c5c
0x10001c5d
0x10001c80
0x10001c82
0x10001c82
0x00000000
0x10001c82
0x10001c5f
0x10001c5f
0x10001c62
0x10001c7c
0x00000000
0x10001c7c
0x10001c64
0x10001c64
0x10001c67
0x10001c78
0x00000000
0x10001c78
0x10001c69
0x10001c69
0x10001c6a
0x10001c74
0x00000000
0x10001c74
0x10001c6d
0x10001c6e
0x00000000
0x00000000
0x10001c70
0x00000000
0x10001c70
0x00000000
0x10001b20
0x10001ac3
0x10001ac6
0x10001af5
0x10001af9
0x10001b00
0x10001b07
0x10001b0a
0x10001b0d
0x00000000
0x10001b0d
0x10001ac8
0x10001ac9
0x10001ae4
0x10001aeb
0x10001aee
0x00000000
0x10001aee
0x10001ace
0x00000000
0x10001ad4
0x10001ad4
0x10001adb
0x00000000
0x10001adb
0x10001ace
0x10001cc4
0x10001cc9
0x10001cce
0x10001cd2
0x100020ef
0x100020f5
0x10001ce4
0x10001ce6
0x10001ce7
0x1000201a
0x1000201a
0x1000201d
0x10002020
0x1000203d
0x10002043
0x10002045
0x1000204b
0x10002062
0x10002062
0x10002062
0x1000206f
0x10002075
0x10002078
0x1000207e
0x10002080
0x10002083
0x10002085
0x1000208c
0x10002091
0x10002094
0x10002096
0x1000209b
0x100020ad
0x100020ad
0x1000209b
0x10002094
0x10002083
0x100020b3
0x100020b6
0x100020c0
0x100020c8
0x100020d4
0x100020da
0x100020dd
0x1000200f
0x1000200f
0x00000000
0x1000200f
0x100020e3
0x100020e9
0x100020e9
0x00000000
0x00000000
0x100020eb
0x100020eb
0x100020eb
0x100020eb
0x00000000
0x100020b8
0x100020b8
0x100020be
0x00000000
0x00000000
0x00000000
0x100020be
0x100020b6
0x1000204e
0x10002054
0x10002056
0x1000205c
0x00000000
0x00000000
0x00000000
0x1000205c
0x10002022
0x10002029
0x1000202f
0x10002035
0x00000000
0x10002035
0x10001ced
0x10001cee
0x10001ff9
0x10001ff9
0x10001fff
0x10002002
0x00000000
0x00000000
0x10002009
0x1000200e
0x00000000
0x1000200e
0x10001cf5
0x00000000
0x00000000
0x10001cfb
0x10001cfb
0x10001d04
0x10001d09
0x10001d0f
0x00000000
0x00000000
0x10001d15
0x10001d22
0x10001d28
0x10001d32
0x10001d38
0x10001d40
0x10001d50
0x00000000
0x10001d50

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 10001B67
lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
GlobalFree.KERNEL32 ref: 10001BCC
GlobalFree.KERNEL32 ref: 10001CC4
GlobalFree.KERNEL32 ref: 10001CC9
GlobalFree.KERNEL32 ref: 10001CCE
GlobalFree.KERNEL32 ref: 10001E76
lstrcpyA.KERNEL32(?,?), ref: 10001FCA

Strings

Nhv, xrefs: 100020A7

Memory Dump Source

Source File: 00000002.00000002.829318135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.829312318.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829324628.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829330878.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID: Nhv
API String ID: 4227406936-1159304218
Opcode ID: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
Opcode Fuzzy Hash: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 004045CA Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004045CA(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;
				void* _t205;

				_t156 = __edx;
				_t82 =  *0x420508; // 0x7ca8cc
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x425000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405799(0x3fb, _t146);
					E00406303(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405799(0x3fb, _t146);
							if(E00405B1F(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00406099(0x41fd00, _t146);
							_t87 = E00406431(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406099(0x41fd00, _t146);
								_t89 = E00405ACA(0x41fd00);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41fd00,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x41fd00) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x41fd00,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405A78(0x41fd00);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x41fd00) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404A5E(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x423efc; // 0x7cd3ae
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404A46(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x41fcf0);
									} else {
										E00404981(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x4247e4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E0040417C(0 | _v8 == _t158);
								if(_v8 == _t158) {
									_t205 =  *0x420d20 - _t158; // 0x0
									if(_t205 == 0) {
										E00404523();
									}
								}
								 *0x420d20 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x420d30;
							_v60 = E0040491B;
							_v56 = _t146;
							_v68 = E004060BB(_t146, 0x420d30, _t166, 0x420108, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405A31(_t146);
								_t125 =  *((intOrPtr*)( *0x424734 + 0x11c));
								if( *((intOrPtr*)( *0x424734 + 0x11c)) != 0 && _t146 == "C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne") {
									E004060BB(_t146, 0x420d30, _t166, 0, _t125);
									if(lstrcmpiA(0x4236c0, 0x420d30) != 0) {
										lstrcatA(_t146, 0x4236c0);
									}
								}
								 *0x420d20 =  *0x420d20 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					} else {
						_a8 = 0x40f;
						goto L12;
					}
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405A9E(_t146) != 0 && E00405ACA(_t146) == 0) {
						E00405A31(_t146);
					}
					 *0x423ef8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E0040415A(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E0040415A(_t166);
					E0040418F(_t165);
					_t138 = E00406431(7);
					if(_t138 == 0) {
						L53:
						return E004041C1(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x004045ca
0x004045d0
0x004045d6
0x004045e3
0x004045f1
0x004045f4
0x004045fc
0x00404602
0x00404602
0x0040460e
0x00404611
0x0040467f
0x00404686
0x0040475d
0x00404764
0x00404773
0x00404773
0x00404777
0x00404781
0x0040478e
0x00404790
0x00404790
0x0040479e
0x004047a5
0x004047ac
0x004047af
0x004047e6
0x004047e8
0x004047ee
0x004047f3
0x004047f7
0x004047f9
0x004047f9
0x00404815
0x00000000
0x00404817
0x0040481a
0x00404828
0x0040482e
0x0040482f
0x00404832
0x00404835
0x00000000
0x00404835
0x004047b1
0x004047b3
0x004047b7
0x00000000
0x00000000
0x00000000
0x00000000
0x004047b9
0x004047b9
0x004047c6
0x004047cb
0x00000000
0x00000000
0x004047cf
0x004047d1
0x004047d1
0x004047d9
0x004047db
0x004047de
0x004047e1
0x004047e4
0x00000000
0x00000000
0x00000000
0x00000000
0x004047e4
0x00404841
0x0040484b
0x0040484e
0x00404851
0x00404858
0x00404858
0x0040485a
0x0040485a
0x0040485f
0x00404861
0x00404869
0x00404870
0x00404872
0x0040487d
0x0040487d
0x00404872
0x00404884
0x0040488d
0x00404897
0x0040489f
0x004048ba
0x004048a1
0x004048aa
0x004048aa
0x0040489f
0x004048bf
0x004048c4
0x004048c9
0x004048d2
0x004048d2
0x004048db
0x004048dd
0x004048dd
0x004048e9
0x004048f1
0x004048f3
0x004048f9
0x004048fb
0x004048fb
0x004048f9
0x00404900
0x00000000
0x00404900
0x004047af
0x00404766
0x0040476d
0x00000000
0x00000000
0x00000000
0x0040476d
0x0040468c
0x00404695
0x004046af
0x004046b4
0x004046be
0x004046c5
0x004046d1
0x004046d4
0x004046d7
0x004046de
0x004046e6
0x004046e9
0x004046ed
0x004046f4
0x004046fc
0x00404756
0x004046fe
0x004046ff
0x00404706
0x00404710
0x00404718
0x00404725
0x00404739
0x0040473d
0x0040473d
0x00404739
0x00404742
0x0040474f
0x0040474f
0x004046fc
0x00000000
0x004046b4
0x004046a2
0x00000000
0x004046a8
0x004046a8
0x00000000
0x004046a8
0x00404613
0x00404620
0x00404629
0x00404636
0x00404636
0x0040463d
0x00404643
0x0040464c
0x0040464f
0x00404652
0x0040465a
0x0040465d
0x00404660
0x00404666
0x0040466d
0x00404674
0x00404906
0x00404918
0x0040467a
0x0040467d
0x00000000
0x0040467d
0x00404674

APIs

GetDlgItem.USER32 ref: 00404619
SetWindowTextA.USER32(00000000,?), ref: 00404643
SHBrowseForFolderA.SHELL32(?,00420108,?), ref: 004046F4
CoTaskMemFree.OLE32(00000000), ref: 004046FF
lstrcmpiA.KERNEL32(Call,Borerig Setup: Installing,00000000,?,?), ref: 00404731
lstrcatA.KERNEL32(?,Call), ref: 0040473D
SetDlgItemTextA.USER32 ref: 0040474F

Part of subcall function 00405799: GetDlgItemTextA.USER32 ref: 004057AC

Part of subcall function 00406303: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040635B
Part of subcall function 00406303: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406368
Part of subcall function 00406303: CharNextA.USER32(?,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040636D
Part of subcall function 00406303: CharPrevA.USER32(?,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040637D

GetDiskFreeSpaceA.KERNEL32(0041FD00,?,?,0000040F,?,0041FD00,0041FD00,?,00000001,0041FD00,?,?,000003FB,?), ref: 0040480D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404828

Part of subcall function 00404981: lstrlenA.KERNEL32(Borerig Setup: Installing,Borerig Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
Part of subcall function 00404981: wsprintfA.USER32 ref: 00404A27
Part of subcall function 00404981: SetDlgItemTextA.USER32 ref: 00404A3A

Strings

A, xrefs: 004046ED
Call, xrefs: 0040472B, 00404730, 0040473B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne, xrefs: 0040471A
Borerig Setup: Installing, xrefs: 004046C7, 0040472A

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$Borerig Setup: Installing$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne$Call
API String ID: 2624150263-2677588017
Opcode ID: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
Instruction ID: 615b1c7bc5a39f2962dd47e2389a1e1cc3dfb76fea7d39b1cb42eedec06edaaa
Opcode Fuzzy Hash: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
Instruction Fuzzy Hash: E4A19FB1900209ABDB11EFA5CC85AAFB7B8EF85314F10843BF611B62D1D77C89418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004020CB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004020CB() {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x3c) = E00402AC1(0xfffffff0);
				 *(_t111 - 0xc) = E00402AC1(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x80)) = E00402AC1(2);
				 *((intOrPtr*)(_t111 - 0x7c)) = E00402AC1(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402AC1(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x88) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x78) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405A9E( *(_t111 - 0xc)) == 0) {
					E00402AC1(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408408, _t87, 1, 0x4083f8, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408418, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\alfons\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne\\Tilegnelserne\\Suppegrydernes79");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x78));
						_t95 =  *((intOrPtr*)(_t111 - 0x7c));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x88));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x80)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x34)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x3c), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x004020d4
0x004020de
0x004020e8
0x004020f2
0x004020fd
0x00402100
0x0040211a
0x00402120
0x00402126
0x00402129
0x00402133
0x00402137
0x00402137
0x0040213c
0x0040214d
0x00402155
0x0040222e
0x0040222e
0x00402235
0x0040215b
0x0040215b
0x0040216a
0x0040216e
0x00402171
0x00402177
0x00402185
0x00402188
0x0040218a
0x00402195
0x00402195
0x0040219a
0x0040219c
0x004021a3
0x004021a3
0x004021a6
0x004021af
0x004021b2
0x004021b7
0x004021b9
0x004021c6
0x004021c6
0x004021c9
0x004021d2
0x004021d5
0x004021de
0x004021e4
0x004021eb
0x00402204
0x00402206
0x00402214
0x00402214
0x00402204
0x00402217
0x0040221d
0x0040221d
0x00402220
0x00402226
0x0040222c
0x00402241
0x00000000
0x00000000
0x00000000
0x0040222c
0x00402237
0x00402954
0x00402960

APIs

CoCreateInstance.OLE32(00408408,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79, xrefs: 0040218D

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79
API String ID: 123533781-664089103
Opcode ID: 1de0a6610444ccfce012cd9757aba54bd57a6ab52e750509d87dd78bfa4fca60
Instruction ID: a4a7f3c5621d46c7608b395b9069b641d7403675325c7ae40bb0e4cab6624151
Opcode Fuzzy Hash: 1de0a6610444ccfce012cd9757aba54bd57a6ab52e750509d87dd78bfa4fca60
Instruction Fuzzy Hash: 89512475A00208BFCF10DFE4C988A9DBBB5EF88314F2045AAF915EB2D1DA799941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004026F8 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004026F8(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402AC1(2), _t19 - 0x1c8) != 0xffffffff) {
					E00405FF7(__edi, _t6);
					_push(_t19 - 0x19c);
					_push(__esi);
					E00406099();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402710
0x00402724
0x0040272f
0x00402730
0x0040286f
0x00402712
0x00402712
0x00402714
0x00402716
0x00402716
0x00402954
0x00402960

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c36892e06c5a05a47b1c83c5296ec74ed019d09ea245c2b35f81d61d6accc4a2
Instruction ID: 0159b05a81fb7445ac67952f267e1ed3d95360429fb03f1bd53dceef05a54f2a
Opcode Fuzzy Hash: c36892e06c5a05a47b1c83c5296ec74ed019d09ea245c2b35f81d61d6accc4a2
Instruction Fuzzy Hash: EEF055727041019BC300EBB49948AEEB768DF21324F20017FE285F20C1C7B889469B3A

Uniqueness

Uniqueness Score: -1.00%

Function 004042A3 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004042A3(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x41fcfc =  *0x41fcfc + 1;
								__eflags =  *0x41fcfc;
							}
							L25:
							_t110 = _a16;
							L26:
							return E004041C1(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x4236c0;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									_push(1);
									E00404547(_a4, _v8);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x424728, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x424728, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x41fcfc; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t103 =  *0x420508; // 0x7ca8cc
					_t25 = _t103 + 0x14; // 0x7ca8e0
					_t112 = _t25;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E0040417C(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E00404523();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x423efc; // 0x7cd3ae
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 +  *0x424778;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E0040426E;
					E0040415A(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E0040415A(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E0040417C( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E0040418F(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t86 =  *( *0x424734 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x41fcfc = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x41fcfc = 0;
					return 0;
				}
			}

0x004042b3
0x004043c5
0x004043d8
0x00404434
0x00404434
0x00404438
0x004044fe
0x00404505
0x00404507
0x00404507
0x00404507
0x0040450d
0x0040450d
0x00404510
0x00000000
0x00404517
0x00404446
0x00404448
0x0040444b
0x00404452
0x00404454
0x0040445b
0x0040445d
0x00404460
0x00404463
0x00404468
0x0040446e
0x00404471
0x00404478
0x00404486
0x0040449e
0x004044a0
0x004044a8
0x004044b7
0x004044b9
0x004044b9
0x00404478
0x0040445b
0x004044bc
0x004044c3
0x00000000
0x004044c5
0x004044c5
0x004044cc
0x00000000
0x00000000
0x004044ce
0x004044d2
0x004044e3
0x004044e3
0x004044e5
0x004044e9
0x004044f7
0x004044f7
0x00000000
0x004044fb
0x004044c3
0x004043e0
0x004043e3
0x00000000
0x00000000
0x004043eb
0x004043f1
0x00000000
0x00000000
0x004043f7
0x004043fd
0x004043fd
0x00404400
0x00404403
0x00000000
0x00000000
0x00404426
0x00404426
0x00404428
0x0040442a
0x0040442f
0x00000000
0x004042b9
0x004042b9
0x004042bc
0x004042c1
0x004042c3
0x004042d2
0x004042d2
0x004042d9
0x004042dc
0x004042de
0x004042e3
0x004042ec
0x004042f2
0x004042fe
0x00404301
0x0040430a
0x0040430f
0x00404312
0x00404317
0x0040432e
0x00404335
0x00404348
0x0040434b
0x00404360
0x00404367
0x0040436c
0x00404371
0x00404371
0x00404380
0x0040438f
0x004043a1
0x004043a6
0x004043b6
0x004043b8
0x00000000
0x004043be

APIs

CheckDlgButton.USER32 ref: 0040432E
GetDlgItem.USER32 ref: 00404342
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404360
GetSysColor.USER32(?), ref: 00404371
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404380
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040438F
lstrlenA.KERNEL32(?), ref: 00404392
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043A1
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043B6
GetDlgItem.USER32 ref: 00404418
SendMessageA.USER32(00000000), ref: 0040441B
GetDlgItem.USER32 ref: 00404446
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404486
LoadCursorA.USER32 ref: 00404495
SetCursor.USER32(00000000), ref: 0040449E
LoadCursorA.USER32 ref: 004044B4
SetCursor.USER32(00000000), ref: 004044B7
SendMessageA.USER32(00000111,00000001,00000000), ref: 004044E3
SendMessageA.USER32(00000010,00000000,00000000), ref: 004044F7

Strings

N, xrefs: 00404434
nB@, xrefs: 004044A2
Call, xrefs: 00404471

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$nB@
API String ID: 3103080414-3023683851
Opcode ID: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
Instruction ID: d5db58c66581f694922deb7e8fae8f0f3f349f8e9ef4465256bb12a48e84c332
Opcode Fuzzy Hash: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
Instruction Fuzzy Hash: 0E61A4B1A40209BFDB109F61DD45F6A7B69FB84714F10803AFB05BA2D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x424734;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x423f20, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x424728;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
Instruction ID: efe066deb40a78245321151b9dab29af26a41e73ee4a669cec0cc25ab5e9cd35
Opcode Fuzzy Hash: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
Instruction Fuzzy Hash: 89418C71800209AFCF058F95DE459AFBBB9FF45315F00802EF5A1AA1A0CB389A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D08 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D08(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x422ac0 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x422ec0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4226c0, "%s=%s\r\n", 0x422ac0, 0x422ec0);
						_t53 = _t52 + 0x10;
						E004060BB(_t37, 0x400, 0x422ec0, 0x422ec0,  *((intOrPtr*)( *0x424734 + 0x128)));
						_t12 = E00405C32(0x422ec0, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405CAA(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405B97(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405B97(_t38, _t21 + 0xa, 0x40a3d0);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405BED(_t24 + _t46, 0x4226c0, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405CD9(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405C32(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x422ac0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405d08
0x00405d11
0x00405d18
0x00405d2c
0x00405d54
0x00405d5f
0x00405d63
0x00405d83
0x00405d8a
0x00405d94
0x00405da1
0x00405da6
0x00405dab
0x00405daf
0x00405dbe
0x00405dc0
0x00405dcd
0x00405dd1
0x00405e6c
0x00000000
0x00405de7
0x00405df4
0x00405e18
0x00405e1c
0x00405e3b
0x00405e3f
0x00405e3f
0x00405e41
0x00405e4a
0x00405e55
0x00405e60
0x00405e66
0x00000000
0x00405e66
0x00405e1e
0x00405e21
0x00405e2c
0x00405e28
0x00405e2a
0x00405e2b
0x00405e2b
0x00405e33
0x00405e35
0x00000000
0x00405e35
0x00405dff
0x00405e05
0x00000000
0x00405e05
0x00405dd1
0x00405daf
0x00405d2e
0x00405d39
0x00405d42
0x00405d46
0x00000000
0x00000000
0x00405d46
0x00405e77

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405E99,?,?), ref: 00405D39
GetShortPathNameA.KERNEL32 ref: 00405D42

Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9

GetShortPathNameA.KERNEL32 ref: 00405D5F
wsprintfA.USER32 ref: 00405D7D
GetFileSize.KERNEL32(00000000,00000000,00422EC0,C0000000,00000004,00422EC0,?,?,?,?,?), ref: 00405DB8
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405DC7
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DFF
SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004226C0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405E55
GlobalFree.KERNEL32 ref: 00405E66
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405E6D

Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

Strings

%s=%s, xrefs: 00405D73
[Rename], xrefs: 00405DE7, 00405DF9

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
Instruction ID: d3b28aaf25f2f1dce52cf372ecf52c774524a9466fe584fbe8e796e5af075e1b
Opcode Fuzzy Hash: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
Instruction Fuzzy Hash: 97312331200B19BBC2206B61EE49F2B3A5CDF85754F14043AF985F62D2DB7CA9018ABD

Uniqueness

Uniqueness Score: -1.00%

Function 100023D8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E100023D8(intOrPtr* _a4) {
				char _v80;
				intOrPtr _v84;
				short _v92;
				intOrPtr* _t22;
				void* _t24;
				intOrPtr _t25;
				signed int _t33;
				void* _t37;
				intOrPtr _t38;
				void* _t41;

				_t37 = E10001215();
				_t22 = _a4;
				_t38 =  *((intOrPtr*)(_t22 + 0x814));
				_v84 = _t38;
				_t41 = (_t38 + 0x41 << 5) + _t22;
				do {
					if( *((intOrPtr*)(_t41 - 4)) != 0xffffffff) {
					}
					_t33 =  *(_t41 - 8);
					if(_t33 <= 7) {
						switch( *((intOrPtr*)(_t33 * 4 +  &M100024FB))) {
							case 0:
								 *_t37 = 0;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x1000405c);
								goto L15;
							case 4:
								__ecx =  *0x1000405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x1000405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L15;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push( &_v80);
								_push( *__eax);
								__imp__StringFromGUID2();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x1000405c, __ebx, __ebx);
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfA(__edi, 0x10004000);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t24 =  *(_t41 + 0x14);
					if(_t24 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t41 - 4)) > 0)) {
						GlobalFree(_t24);
					}
					_t25 =  *((intOrPtr*)(_t41 + 0xc));
					if(_t25 != 0) {
						if(_t25 != 0xffffffff) {
							if(_t25 > 0) {
								E100012D1(_t25 - 1, _t37);
								goto L24;
							}
						} else {
							E10001266(_t37);
							L24:
						}
					}
					_v84 = _v84 - 1;
					_t41 = _t41 - 0x20;
				} while (_v84 >= 0);
				return GlobalFree(_t37);
			}

0x100023e4
0x100023e6
0x100023f0
0x100023f6
0x10002400
0x10002404
0x10002408
0x10002408
0x10002410
0x10002416
0x1000241c
0x00000000
0x10002423
0x00000000
0x00000000
0x10002427
0x00000000
0x00000000
0x10002431
0x00000000
0x00000000
0x10002441
0x00000000
0x00000000
0x1000246d
0x10002475
0x1000247f
0x10002481
0x10002486
0x00000000
0x00000000
0x10002449
0x1000244d
0x1000244f
0x10002450
0x10002452
0x10002462
0x10002469
0x00000000
0x00000000
0x1000248c
0x1000248e
0x10002494
0x1000249a
0x1000249a
0x00000000
0x00000000
0x1000241c
0x1000249d
0x1000249d
0x100024a2
0x100024b3
0x100024b3
0x100024b9
0x100024be
0x100024c3
0x100024cf
0x100024d4
0x00000000
0x100024d9
0x100024c5
0x100024c6
0x100024da
0x100024da
0x100024c3
0x100024db
0x100024df
0x100024e2
0x100024fa

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32 ref: 100024B3
GlobalFree.KERNEL32 ref: 100024ED

Strings

{v@uv, xrefs: 10002452

Memory Dump Source

Source File: 00000002.00000002.829318135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.829312318.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829324628.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829330878.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$Free$Alloc
String ID: {v@uv
API String ID: 1780285237-3152101019
Opcode ID: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
Instruction ID: c0db1d51d0d8beb2da32add46ec64f24e8f484468aa98c5ce89375ba0c102a5a
Opcode Fuzzy Hash: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
Instruction Fuzzy Hash: 0831A9B1504211EFF322DB94CCC4C2B7BBDEB853D4B118929FA4193228CB31AC94DB62

Uniqueness

Uniqueness Score: -1.00%

Function 100021FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100021FA(void* __edx, intOrPtr _a4) {
				signed int _v4;
				void* _t36;
				signed int _t37;
				void* _t38;
				void* _t41;
				void* _t46;
				signed int* _t48;
				signed int* _t49;

				_v4 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t49 = (_v4 << 5) + _t9;
					_t36 = _t49[6];
					if(_t36 == 0) {
						goto L9;
					}
					_t46 = 0x1a;
					if(_t36 == _t46) {
						goto L9;
					}
					if(_t36 != 0xffffffff) {
						if(_t36 <= 0 || _t36 > 0x19) {
							_t49[6] = _t46;
						} else {
							_t36 = E100012AD(_t36 - 1);
							L10:
						}
						goto L11;
					} else {
						_t36 = E1000123B();
						L11:
						_t41 = _t36;
						_t13 =  &(_t49[2]); // 0x820
						_t48 = _t13;
						if(_t49[1] != 0xffffffff) {
						}
						_t37 =  *_t49;
						_t49[7] = _t49[7] & 0x00000000;
						if(_t37 > 7) {
							L27:
							_t38 = GlobalFree(_t41);
							if(_v4 == 0) {
								return _t38;
							}
							if(_v4 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v4 = _v4 + 1;
							} else {
								_v4 = _v4 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t37 * 4 +  &M1000237E))) {
								case 0:
									 *_t48 =  *_t48 & 0x00000000;
									goto L27;
								case 1:
									__eax = E100012FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E100012FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E10001224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x1000405c =  *0x1000405c +  *0x1000405c;
									__edi = GlobalAlloc(0x40,  *0x1000405c +  *0x1000405c);
									 *0x1000405c = MultiByteToWideChar(0, 0, __ebx,  *0x1000405c, __edi,  *0x1000405c);
									if( *__esi != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E100012FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x1000405c;
									__esi = __esi +  *0x10004064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E10001429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t36 = E10001224(0x10004034);
					goto L10;
				}
			}

0x1000220e
0x10002212
0x1000221d
0x1000221d
0x10002224
0x10002229
0x00000000
0x00000000
0x1000222d
0x10002230
0x00000000
0x00000000
0x10002235
0x10002240
0x10002250
0x10002247
0x10002249
0x1000225f
0x1000225f
0x00000000
0x10002237
0x10002237
0x10002260
0x10002264
0x10002266
0x10002266
0x10002269
0x10002269
0x10002271
0x10002273
0x1000227a
0x10002347
0x10002348
0x10002353
0x1000237d
0x1000237d
0x10002363
0x1000236f
0x10002365
0x10002365
0x10002365
0x00000000
0x10002280
0x10002280
0x00000000
0x10002287
0x00000000
0x00000000
0x10002290
0x00000000
0x00000000
0x1000229e
0x100022a1
0x00000000
0x00000000
0x100022aa
0x100022af
0x100022b2
0x100022b3
0x00000000
0x00000000
0x100022c0
0x100022cb
0x100022da
0x100022e3
0x10002306
0x10002309
0x100022e5
0x100022e9
0x100022ef
0x100022f0
0x100022f3
0x100022f4
0x100022f7
0x100022fe
0x100022fe
0x00000000
0x00000000
0x10002311
0x10002314
0x10002320
0x10002322
0x00000000
0x00000000
0x10002325
0x10002328
0x10002329
0x10002330
0x10002337
0x1000233a
0x1000233c
0x1000233f
0x00000000
0x00000000
0x10002280
0x1000227a
0x10002255
0x1000225a
0x00000000
0x1000225a

APIs

GlobalFree.KERNEL32 ref: 10002348

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(00000040,?), ref: 100022C5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022DA
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E9
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F7
GlobalFree.KERNEL32 ref: 100022FE

Strings

@uv, xrefs: 100022F7

Memory Dump Source

Source File: 00000002.00000002.829318135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.829312318.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829324628.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829330878.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID: @uv
API String ID: 3730416702-666577103
Opcode ID: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
Instruction ID: a642113aa4013a2ca06c871554e8d399cf46bf4099943ddf9e0960cc50565d32
Opcode Fuzzy Hash: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
Instruction Fuzzy Hash: A941BCB1508311EFF320DF648C84B6AB7E8FF443D0F11892AF946D61A9DB34AA40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00406303 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406303(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405A9E(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405A5C("*?|<>/\":", _t5))) == 0) {
							E00405BED(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406305
0x0040630d
0x00406321
0x00406321
0x00406327
0x00406334
0x00406334
0x00406335
0x00406337
0x0040633b
0x0040633d
0x00406346
0x00406348
0x00406362
0x0040636a
0x0040636a
0x0040636f
0x00406371
0x00406373
0x00406377
0x00406378
0x0040637b
0x00406383
0x00406385
0x00406389
0x00000000
0x00000000
0x0040638f
0x00406394
0x00000000
0x00000000
0x00000000
0x00406394
0x00406399

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040635B
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406368
CharNextA.USER32(?,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040636D
CharPrevA.USER32(?,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040637D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406304
"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 0040633F
*?|<>/":, xrefs: 0040634B

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1827431553
Opcode ID: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
Instruction ID: aaadfa82e77317605f3281ec64e2e7980eb4a55dd70e9bd95d11bcdf30b36afc
Opcode Fuzzy Hash: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
Instruction Fuzzy Hash: 6011826180479129EB3216384C44BBBAFD84B57760F5A407FEDC6722C2D67C6C6286AD

Uniqueness

Uniqueness Score: -1.00%

Function 004041C1 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041C1(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x004041d3
0x00404267
0x00000000
0x00404267
0x004041e4
0x004041e8
0x00000000
0x00000000
0x004041ee
0x004041f7
0x004041fa
0x004041fa
0x00404200
0x00404206
0x00404206
0x00404212
0x00404218
0x0040421f
0x00404222
0x00404225
0x00404227
0x00404227
0x0040422f
0x00404235
0x00404235
0x0040423f
0x00404244
0x00404247
0x0040424c
0x0040424f
0x0040424f
0x0040425f
0x0040425f
0x00000000

APIs

GetWindowLongA.USER32 ref: 004041DE
GetSysColor.USER32(00000000), ref: 004041FA
SetTextColor.GDI32(?,00000000), ref: 00404206
SetBkMode.GDI32(?,?), ref: 00404212
GetSysColor.USER32(?), ref: 00404225
SetBkColor.GDI32(?,?), ref: 00404235
DeleteObject.GDI32(?), ref: 0040424F
CreateBrushIndirect.GDI32(?), ref: 00404259

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction ID: ef1bd211f687dc199c5e2a556594d88cbafbffeaa14e1023ebc7d04ec3d96a61
Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction Fuzzy Hash: A32184B1504704ABC7219F78DD08B5BBBF8AF81714F04896DFAD5E26A0D734E944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00402CF9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402CF9(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x4178e4; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x4178e4 = 0;
					return _t15;
				}
				__eflags =  *0x4178e4; // 0x0
				if(__eflags != 0) {
					return E0040646D(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x424730;
				if(_t6 >  *0x424730) {
					__eflags =  *0x424728;
					if( *0x424728 == 0) {
						_t7 = CreateDialogParamA( *0x424720, 0x6f, 0, E00402C61, 0);
						 *0x4178e4 = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x4247f4 & 0x00000001;
					if(( *0x4247f4 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402CDD());
						return E004051C0(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402d05
0x00402d07
0x00402d0e
0x00402d11
0x00402d11
0x00402d17
0x00000000
0x00402d17
0x00402d1f
0x00402d25
0x00000000
0x00402d28
0x00402d2f
0x00402d35
0x00402d3b
0x00402d3d
0x00402d43
0x00402d81
0x00402d8a
0x00000000
0x00402d8f
0x00402d45
0x00402d4c
0x00402d5d
0x00000000
0x00402d6b
0x00402d4c
0x00402d97

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D11
GetTickCount.KERNEL32 ref: 00402D2F
wsprintfA.USER32 ref: 00402D5D

Part of subcall function 004051C0: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D81
ShowWindow.USER32(00000000,00000005), ref: 00402D8F

Part of subcall function 00402CDD: MulDiv.KERNEL32(00008000,00000064,00001559), ref: 00402CF2

Strings

... %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 29f14afc1eacec068b050b43fe7c2713e2b8c303e0bcf1944afa507be0b4a5e5
Instruction ID: 05ae4936d853d48bc68e56bc5a14e51e8e164cb381f888baae312624535d0e7d
Opcode Fuzzy Hash: 29f14afc1eacec068b050b43fe7c2713e2b8c303e0bcf1944afa507be0b4a5e5
Instruction Fuzzy Hash: 3601D630901620EBD722AB60BF0CEDE7A78EF48701B44003BF555B51E4CBB84C41CA9E

Uniqueness

Uniqueness Score: -1.00%

Function 00404A8B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A8B(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404a99
0x00404aa6
0x00404aac
0x00404aea
0x00404aea
0x00404af9
0x00404b00
0x00000000
0x00404b02
0x00404aae
0x00404abd
0x00404ac5
0x00404ac8
0x00404ada
0x00404ae0
0x00404ae7
0x00000000
0x00404ae7
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AA6
GetMessagePos.USER32 ref: 00404AAE
ScreenToClient.USER32 ref: 00404AC8
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404ADA
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B00

Strings

f, xrefs: 00404ADC

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: d6f0acc73841e927dc0e8d5cbc3229ede44acf808998aa5f41192725d6cd764a
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 03019275900219BADB00DB95CD81BFFBBBCAF45711F10012BBA10B61C0C7B495018F94

Uniqueness

Uniqueness Score: -1.00%

Function 00402C61 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C61(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402CDD();
					_t19 = "unpacking data: %d%%";
					if( *0x424734 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402c6e
0x00402c7c
0x00402c82
0x00402c82
0x00402c90
0x00402c92
0x00402c9e
0x00402ca3
0x00402ca5
0x00402ca5
0x00402cb0
0x00402cc0
0x00402cd2
0x00402cd2
0x00402cda

APIs

SetTimer.USER32 ref: 00402C7C
wsprintfA.USER32 ref: 00402CB0
SetWindowTextA.USER32(?,?), ref: 00402CC0
SetDlgItemTextA.USER32 ref: 00402CD2

Strings

unpacking data: %d%%, xrefs: 00402C9E
verifying installer: %d%%, xrefs: 00402CA5, 00402CAE

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: fd6d30a01278415fece07758d049025ae65b55165fa63b5b41d509ea3c6516ac
Instruction ID: dd36d9f71d3f98b31449e9fd5fd6fbb92ab2983ffa1af0ce52afe90c4e52f268
Opcode Fuzzy Hash: fd6d30a01278415fece07758d049025ae65b55165fa63b5b41d509ea3c6516ac
Instruction Fuzzy Hash: B6F03C7150020CFBEF209F61CE0ABAE7769EB44344F00803AFA16B52D0DBB999559F99

Uniqueness

Uniqueness Score: -1.00%

Function 00402736 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402736(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402AC1(0xfffffff0);
				 *(_t56 - 0x34) = _t23;
				if(E00405A9E(_t50) == 0) {
					E00402AC1(0xffffffed);
				}
				E00405C0D(_t50);
				_t26 = E00405C32(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x424738;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E004032C5(_t45);
						E004032AF(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x3c) = _t54;
						if(_t54 != _t45) {
							E0040303E(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x84) =  *_t54;
								E00405BED( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x84);
							}
							GlobalFree( *(_t56 - 0x3c));
						}
						E00405CD9( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E0040303E(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x34));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x00402736
0x00402738
0x00402744
0x00402747
0x00402751
0x00402755
0x00402755
0x0040275b
0x00402768
0x00402770
0x00402773
0x00402779
0x00402787
0x0040278c
0x00402790
0x00402793
0x0040279c
0x004027a8
0x004027ac
0x004027af
0x004027b9
0x004027de
0x004027c0
0x004027c5
0x004027cd
0x004027d3
0x004027d8
0x004027d8
0x004027e5
0x004027e5
0x004027f2
0x004027f8
0x0040280a
0x0040280a
0x00402810
0x00402810
0x0040281b
0x0040281c
0x00402820
0x00402824
0x0040282a
0x0040282a
0x00402831
0x00402237
0x00402954
0x00402960

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
GlobalFree.KERNEL32 ref: 004027E5
GlobalFree.KERNEL32 ref: 004027F8
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 6c7dcdf8261c9d786bb24efcf90e0f1d33b45d541b425cde03fb6c43c6f2b2c7
Instruction ID: 2027d9f4b10c536beff5d97c30926d1382b99fb2686dd4663458e7dd77d5dad7
Opcode Fuzzy Hash: 6c7dcdf8261c9d786bb24efcf90e0f1d33b45d541b425cde03fb6c43c6f2b2c7
Instruction Fuzzy Hash: C5219C71800128BBDF216FA5DE49DAE7A79EF05324F14423EF524762E1CA794D418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404981 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404981(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E004060BB(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E004060BB(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E004060BB(_t41, _t47, 0x420d30, 0x420d30, _a8);
				wsprintfA(_t32 + lstrlenA(0x420d30), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x423ef8, _a4, 0x420d30);
			}

0x00404987
0x0040498c
0x00404994
0x00404995
0x004049a2
0x004049aa
0x004049ab
0x004049ad
0x004049af
0x004049b1
0x004049b4
0x004049b4
0x004049bb
0x004049c1
0x004049c1
0x004049c8
0x004049cf
0x004049d2
0x004049d5
0x004049d5
0x004049d9
0x004049e9
0x004049eb
0x004049ee
0x00404997
0x00404997
0x0040499e
0x0040499e
0x004049f6
0x00404a01
0x00404a17
0x00404a27
0x00404a43

APIs

lstrlenA.KERNEL32(Borerig Setup: Installing,Borerig Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
wsprintfA.USER32 ref: 00404A27
SetDlgItemTextA.USER32 ref: 00404A3A

Strings

%u.%u%s%s, xrefs: 00404A09
Borerig Setup: Installing, xrefs: 00404A11, 00404A16, 00404A1C, 00404A30

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Borerig Setup: Installing
API String ID: 3540041739-772784106
Opcode ID: 1956ebf24d5e1f55d94ce1980efd0233ee95868cdb52b5f3f7c77d6cead7fe34
Instruction ID: 454b38ceac9876f8861c3790537a611104b372144c9fccdb064e9295d2f1ba63
Opcode Fuzzy Hash: 1956ebf24d5e1f55d94ce1980efd0233ee95868cdb52b5f3f7c77d6cead7fe34
Instruction Fuzzy Hash: 2111E773A0412837DB0066799C45EAF329CDB85374F254637FA26F31D1EA78CC1242E9

Uniqueness

Uniqueness Score: -1.00%

Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000180D(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void* _t43;
				signed int _t44;
				signed int _t59;
				void _t63;
				void _t64;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t79;
				void* _t80;
				signed int _t84;
				signed int _t86;
				signed int _t89;
				void* _t100;

				_t84 = __edx;
				 *0x1000405c = _a8;
				_t59 = 0;
				 *0x10004060 = _a16;
				_v12 = 0;
				_v8 = E1000123B();
				_t89 = E100012FE(_t41);
				_t86 = _t84;
				_t43 = E1000123B();
				_t63 =  *_t43;
				_a8 = _t43;
				if(_t63 != 0x7e && _t63 != 0x21) {
					_a16 = E1000123B();
					_t59 = E100012FE(_t56);
					_v12 = _t84;
					GlobalFree(_a16);
					_t43 = _a8;
				}
				_t64 =  *_t43;
				_t100 = _t64 - 0x2f;
				if(_t100 > 0) {
					_t65 = _t64 - 0x3c;
					__eflags = _t65;
					if(_t65 == 0) {
						__eflags =  *((char*)(_t43 + 1)) - 0x3c;
						if( *((char*)(_t43 + 1)) != 0x3c) {
							__eflags = _t86 - _v12;
							if(__eflags > 0) {
								L54:
								_t44 = 0;
								__eflags = 0;
								L55:
								asm("cdq");
								L56:
								_t89 = _t44;
								L57:
								_t86 = _t84;
								L58:
								E10001429(_t84, _t89, _t86,  &_v52);
								E10001266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L47:
								__eflags = 0;
								L48:
								_t44 = 1;
								goto L55;
							}
							__eflags = _t89 - _t59;
							if(_t89 < _t59) {
								goto L47;
							}
							goto L54;
						}
						_t84 = _t86;
						_t44 = E10002CD0(_t89, _t59, _t84);
						goto L56;
					}
					_t67 = _t65 - 1;
					__eflags = _t67;
					if(_t67 == 0) {
						__eflags = _t89 - _t59;
						if(_t89 != _t59) {
							goto L54;
						}
						__eflags = _t86 - _v12;
						if(_t86 != _v12) {
							goto L54;
						}
						goto L47;
					}
					_t68 = _t67 - 1;
					__eflags = _t68;
					if(_t68 == 0) {
						__eflags =  *((char*)(_t43 + 1)) - 0x3e;
						if( *((char*)(_t43 + 1)) != 0x3e) {
							__eflags = _t86 - _v12;
							if(__eflags < 0) {
								goto L54;
							}
							if(__eflags > 0) {
								goto L47;
							}
							__eflags = _t89 - _t59;
							if(_t89 <= _t59) {
								goto L54;
							}
							goto L47;
						}
						_t84 = _t86;
						_t44 = E10002CF0(_t89, _t59, _t84);
						goto L56;
					}
					_t70 = _t68 - 0x20;
					__eflags = _t70;
					if(_t70 == 0) {
						_t89 = _t89 ^ _t59;
						_t86 = _t86 ^ _v12;
						goto L58;
					}
					_t71 = _t70 - 0x1e;
					__eflags = _t71;
					if(_t71 == 0) {
						__eflags =  *((char*)(_t43 + 1)) - 0x7c;
						if( *((char*)(_t43 + 1)) != 0x7c) {
							_t89 = _t89 | _t59;
							_t86 = _t86 | _v12;
							goto L58;
						}
						__eflags = _t89 | _t86;
						if((_t89 | _t86) != 0) {
							goto L47;
						}
						__eflags = _t59 | _v12;
						if((_t59 | _v12) != 0) {
							goto L47;
						}
						goto L54;
					}
					__eflags = _t71 == 0;
					if(_t71 == 0) {
						_t89 =  !_t89;
						_t86 =  !_t86;
					}
					goto L58;
				}
				if(_t100 == 0) {
					L21:
					__eflags = _t59 | _v12;
					if((_t59 | _v12) != 0) {
						_v24 = E10002B60(_t89, _t86, _t59, _v12);
						_v20 = _t84;
						_t89 = E10002C10(_t89, _t86, _t59, _v12);
						_t43 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t84 = _t86;
					}
					__eflags =  *_t43 - 0x2f;
					if( *_t43 != 0x2f) {
						goto L57;
					} else {
						_t89 = _v24;
						_t86 = _v20;
						goto L58;
					}
				}
				_t76 = _t64 - 0x21;
				if(_t76 == 0) {
					_t44 = 0;
					__eflags = _t89 | _t86;
					if((_t89 | _t86) != 0) {
						goto L55;
					}
					goto L48;
				}
				_t77 = _t76 - 4;
				if(_t77 == 0) {
					goto L21;
				}
				_t78 = _t77 - 1;
				if(_t78 == 0) {
					__eflags =  *((char*)(_t43 + 1)) - 0x26;
					if( *((char*)(_t43 + 1)) != 0x26) {
						_t89 = _t89 & _t59;
						_t86 = _t86 & _v12;
						goto L58;
					}
					__eflags = _t89 | _t86;
					if((_t89 | _t86) == 0) {
						goto L54;
					}
					__eflags = _t59 | _v12;
					if((_t59 | _v12) == 0) {
						goto L54;
					}
					goto L47;
				}
				_t79 = _t78 - 4;
				if(_t79 == 0) {
					_t44 = E10002B20(_t89, _t86, _t59, _v12);
					goto L56;
				} else {
					_t80 = _t79 - 1;
					if(_t80 == 0) {
						_t89 = _t89 + _t59;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t80 == 0) {
							_t89 = _t89 - _t59;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L58;
				}
			}

0x1000180d
0x10001817
0x10001820
0x10001823
0x10001828
0x10001831
0x1000183a
0x1000183c
0x1000183e
0x10001843
0x10001845
0x1000184b
0x10001858
0x10001861
0x10001866
0x10001869
0x1000186f
0x1000186f
0x10001872
0x10001875
0x10001878
0x1000193e
0x1000193e
0x10001941
0x100019aa
0x100019ae
0x100019bd
0x100019c0
0x100019c8
0x100019c8
0x100019c8
0x100019ca
0x100019ca
0x100019cb
0x100019cb
0x100019cd
0x100019cd
0x100019cf
0x100019d5
0x100019de
0x100019ef
0x100019fa
0x100019fa
0x100019c2
0x100019a5
0x100019a5
0x100019a7
0x100019a7
0x00000000
0x100019a7
0x100019c4
0x100019c6
0x00000000
0x00000000
0x00000000
0x100019c6
0x100019b2
0x100019b6
0x00000000
0x100019b6
0x10001943
0x10001943
0x10001944
0x1000199c
0x1000199e
0x00000000
0x00000000
0x100019a0
0x100019a3
0x00000000
0x00000000
0x00000000
0x100019a3
0x10001946
0x10001946
0x10001947
0x1000197c
0x10001980
0x1000198f
0x10001992
0x00000000
0x00000000
0x10001994
0x00000000
0x00000000
0x10001996
0x10001998
0x00000000
0x00000000
0x00000000
0x1000199a
0x10001984
0x10001988
0x00000000
0x10001988
0x10001949
0x10001949
0x1000194c
0x10001975
0x10001977
0x00000000
0x10001977
0x1000194e
0x1000194e
0x10001951
0x1000195d
0x10001961
0x1000196e
0x10001970
0x00000000
0x10001970
0x10001963
0x10001965
0x00000000
0x00000000
0x10001967
0x1000196a
0x00000000
0x00000000
0x00000000
0x1000196c
0x10001954
0x10001955
0x10001957
0x10001959
0x10001959
0x00000000
0x10001955
0x1000187e
0x100018f6
0x100018f8
0x100018fb
0x10001917
0x1000191a
0x10001925
0x10001927
0x100018fd
0x100018fd
0x10001901
0x10001905
0x10001905
0x1000192a
0x1000192d
0x00000000
0x10001933
0x10001933
0x10001936
0x00000000
0x10001936
0x1000192d
0x10001880
0x10001883
0x100018e7
0x100018e9
0x100018eb
0x00000000
0x00000000
0x00000000
0x100018f1
0x10001885
0x10001888
0x00000000
0x00000000
0x1000188a
0x1000188b
0x100018c1
0x100018c5
0x100018dd
0x100018df
0x00000000
0x100018df
0x100018c7
0x100018c9
0x00000000
0x00000000
0x100018cf
0x100018d2
0x00000000
0x00000000
0x00000000
0x100018d8
0x1000188d
0x10001890
0x100018b7
0x00000000
0x10001892
0x10001892
0x10001893
0x100018a7
0x100018a9
0x10001895
0x10001897
0x1000189d
0x1000189f
0x1000189f
0x10001897
0x00000000
0x10001893

APIs

GlobalFree.KERNEL32 ref: 10001869
GlobalFree.KERNEL32 ref: 100019EF
GlobalFree.KERNEL32 ref: 100019F4

Memory Dump Source

Source File: 00000002.00000002.829318135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.829312318.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829324628.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829330878.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: e61c022a33ae2d8226f4f9d8dc9768096fb4d6cd4e5c598d89deb3e57b8d12c3
Instruction ID: adaf369aa6dab84e94bee76403d526b7d43184adb12fe210256c1aedb67fe499
Opcode Fuzzy Hash: e61c022a33ae2d8226f4f9d8dc9768096fb4d6cd4e5c598d89deb3e57b8d12c3
Instruction Fuzzy Hash: 43512536D04159AEFB55DFB488A4AEEBBF6EF453C0F124169E841B315DCA306E4087D2

Uniqueness

Uniqueness Score: -1.00%

Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401D95(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402A9F(2);
				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
				0x40b808->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b818 = E00402A9F(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
				 *0x40b81f = 1;
				 *0x40b81c = _t15 & 0x00000001;
				 *0x40b81d = _t15 & 0x00000002;
				 *0x40b81e = _t15 & 0x00000004;
				E004060BB(_t9, _t31, _t33, 0x40b824,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b808);
				_push(_t18);
				_push(_t33);
				E00405FF7();
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401d95
0x00401da0
0x00401da2
0x00401daf
0x00401dc6
0x00401dcb
0x00401dd8
0x00401ddd
0x00401de1
0x00401dec
0x00401df3
0x00401e05
0x00401e0b
0x00401e10
0x00401e1a
0x00402577
0x00401569
0x004028f9
0x00402954
0x00402960

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32 ref: 00401DCB
CreateFontIndirectA.GDI32(0040B808), ref: 00401E1A

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: db451da96fda065fe5f02a6a41f4c9c1ff559c50a342c71b5ed450c678e34272
Instruction ID: bb5471ef097cc8c5e92714fe4b65473af6cf7b7baf5f4d2141323caa5fcdcc79
Opcode Fuzzy Hash: db451da96fda065fe5f02a6a41f4c9c1ff559c50a342c71b5ed450c678e34272
Instruction Fuzzy Hash: D4014C72944240AFE7006BB5AE5AA997FE8DB55305F10C839F241BA2F2CB7805458FAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D3B(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x48);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402AC1(_t21), _t21,  *(_t27 - 0x40) *  *(_t27 - 0x20),  *(_t27 - 0x3c) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d45
0x00401d4c
0x00401d7b
0x00401d83
0x00401d8a
0x00401d8a
0x00402954
0x00402960

APIs

GetDlgItem.USER32 ref: 00401D3F
GetClientRect.USER32 ref: 00401D4C
LoadImageA.USER32 ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ffde7fea2c20ff78d34b9dd6ca395fc00db0322e175274b43119d545686d3dc4
Instruction ID: 074f51ed6dd20aae2d42350fdade0312ac008d0ce280de7d9e26dccf07732080
Opcode Fuzzy Hash: ffde7fea2c20ff78d34b9dd6ca395fc00db0322e175274b43119d545686d3dc4
Instruction Fuzzy Hash: 62F0FFB2600515AFDB00EBA4DE88DAFB7BCFB44301B04447AF645F2191CB748D018B38

Uniqueness

Uniqueness Score: -1.00%

Function 00405A31 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A31(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405a32
0x00405a49
0x00405a51
0x00405a51
0x00405a59

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405A37
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405A40
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405A51

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A31

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: 868260c831235620665dea70b18de3ff29fa680cd517475ab4f5cc36a8a73f00
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: 79D023726015303AD1127F154C05DCF1A4C8F023507050077F200B7191CB3C0D514BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00402BB4 Relevance: 6.1, APIs: 4, Instructions: 64
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402BB4(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				char _v272;
				void* _t19;
				signed int _t26;
				intOrPtr* _t28;
				signed int _t33;
				signed int _t34;
				signed int _t35;

				_t34 = _a12;
				_t35 = _t34 & 0x00000300;
				_t33 = _t34 & 0x00000001;
				_t19 = E00405F1F(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8);
				if(_t19 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						_t26 = E00402BB4(__eflags, _v8,  &_v272, _a12);
						__eflags = _t26;
						if(_t26 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t28 = E00406431(3);
					if(_t28 == 0) {
						return RegDeleteKeyA(_a4, _a8);
					}
					return  *_t28(_a4, _a8, _t35, 0);
				}
				return _t19;
			}

0x00402bbf
0x00402bc8
0x00402bd1
0x00402bdd
0x00402be4
0x00402c08
0x00402bee
0x00402bf0
0x00402c43
0x00000000
0x00402c4b
0x00402bff
0x00402c04
0x00402c06
0x00000000
0x00000000
0x00402c06
0x00402c22
0x00402c2a
0x00402c31
0x00000000
0x00402c54
0x00000000
0x00402c3c
0x00402c5e

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
RegCloseKey.ADVAPI32(?), ref: 00402C22
RegCloseKey.ADVAPI32(?), ref: 00402C43

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 7700570c92338514809be4fe700ff97aaec082cd166b5f15edfff62a18f3ae9c
Instruction ID: a71df8347eb47d58d859942eb4958fb6338d9c628d5ecfe9f9dc7c39a89e9901
Opcode Fuzzy Hash: 7700570c92338514809be4fe700ff97aaec082cd166b5f15edfff62a18f3ae9c
Instruction Fuzzy Hash: FA118832504119BBEF01AF91CF09B9E3B79EB04341F104036BA05B50E0E7B4DE61AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00405ACA Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405ACA(CHAR* _a4) {
				CHAR* _t5;
				char* _t7;
				CHAR* _t9;
				char _t10;
				CHAR* _t11;
				void* _t13;

				_t11 = _a4;
				_t9 = CharNextA(_t11);
				_t5 = CharNextA(_t9);
				_t10 =  *_t11;
				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
					if(_t10 != 0x5c || _t11[1] != _t10) {
						L10:
						return 0;
					} else {
						_t13 = 2;
						while(1) {
							_t13 = _t13 - 1;
							_t7 = E00405A5C(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 1;
							if(_t13 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextA(_t5);
				}
			}

0x00405ad3
0x00405ada
0x00405add
0x00405adf
0x00405ae3
0x00405af8
0x00405b17
0x00000000
0x00405aff
0x00405b01
0x00405b02
0x00405b05
0x00405b06
0x00405b0e
0x00000000
0x00000000
0x00405b10
0x00405b13
0x00000000
0x00000000
0x00000000
0x00405b13
0x00000000
0x00405b02
0x00405af0
0x00000000
0x00405af1

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,?,00405B36,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,C:\Users\user\AppData\Local\Temp\nsb3C99.tmp,766DFA90,?,766DF560,00405881,?,766DFA90,766DF560,00000000), ref: 00405AD8
CharNextA.USER32(00000000), ref: 00405ADD
CharNextA.USER32(00000000), ref: 00405AF1

Strings

C:\Users\user\AppData\Local\Temp\nsb3C99.tmp, xrefs: 00405ACB

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp
API String ID: 3213498283-2385664813
Opcode ID: f542051b0c3854551ba559e3fab41aa2c74e08886ad556a296c0d482775cdbba
Instruction ID: db937687bc36527a3f7147c44c8c9b1a0bf4ed848bee0725310acd997699ac17
Opcode Fuzzy Hash: f542051b0c3854551ba559e3fab41aa2c74e08886ad556a296c0d482775cdbba
Instruction Fuzzy Hash: D8F0C861B14F501AFB2262640C54B776BA8CB99350F04406BD540671C286BC6C404F6A

Uniqueness

Uniqueness Score: -1.00%

Function 004037F7 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004037F7() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0x278
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0x270
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E00403854();
				return E00405861(_t11, "C:\\Users\\alfons\\AppData\\Local\\Temp\\nsb3C99.tmp", 7);
			}

0x004037f7
0x00403806
0x00403809
0x0040380b
0x0040380b
0x00403812
0x0040381a
0x0040381d
0x0040381f
0x0040381f
0x0040381f
0x00403826
0x00403838

APIs

CloseHandle.KERNEL32(00000278,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 00403809
CloseHandle.KERNEL32(00000270,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 0040381D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004037FC
C:\Users\user\AppData\Local\Temp\nsb3C99.tmp, xrefs: 0040382D

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsb3C99.tmp
API String ID: 2962429428-2572920431
Opcode ID: bc9d59c8f271c216c0b0e312611624ce7a9d5bb861437aa17873a49c6d363409
Instruction ID: a243388e665e2d569925beaf0092b2dcbae65f1e85c6ca02b15765f08549dd2e
Opcode Fuzzy Hash: bc9d59c8f271c216c0b0e312611624ce7a9d5bb861437aa17873a49c6d363409
Instruction Fuzzy Hash: 08E04F3250071896C620BF79AE494853B599B41735724C776F138B20F1C73899975AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405134 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00405134(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t11;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					__eflags = _t15 - 0x200;
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						__eflags = _t15 - 0x419;
						if(_t15 == 0x419) {
							__eflags =  *0x420d1c - _t16; // 0x0
							if(__eflags != 0) {
								_push(_t16);
								_push(6);
								 *0x420d1c = _t16;
								E00404B0B();
							}
						}
						L11:
						return CallWindowProcA( *0x420d24, _a4, _t15, _a12, _t16);
					}
					_t11 = IsWindowVisible(_a4);
					__eflags = _t11;
					if(_t11 == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404A8B(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 == 0x20) {
					E004041A6(0x413);
					return 0;
				}
				goto L10;
			}

0x00405138
0x00405142
0x00405158
0x0040515e
0x00405180
0x00405183
0x00405183
0x00405189
0x0040518b
0x00405191
0x00405193
0x00405194
0x00405196
0x0040519c
0x0040519c
0x00405191
0x004051a6
0x00000000
0x004051b4
0x00405163
0x00405169
0x0040516b
0x004051a3
0x004051a3
0x00000000
0x004051a3
0x00405177
0x00405179
0x00000000
0x00405179
0x00405148
0x0040514f
0x00000000
0x00405154
0x00000000

APIs

IsWindowVisible.USER32 ref: 00405163
CallWindowProcA.USER32 ref: 004051B4

Part of subcall function 004041A6: SendMessageA.USER32(00040460,00000000,00000000,00000000), ref: 004041B8

Strings

, xrefs: 00405144

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
Instruction ID: c2e14b81eed27f6ef80c9e529a4f942fbf68e082709ee8d6c9922b6f58a3139d
Opcode Fuzzy Hash: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
Instruction Fuzzy Hash: 7801B131900608AFEF218F41DD80F6B3676EB84750F244137FA00BA1D1C7799D929E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A78(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405a79
0x00405a83
0x00405a85
0x00405a8c
0x00405a94
0x00000000
0x00000000
0x00000000
0x00405a94
0x00405a96
0x00405a9b

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00405A7E
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00405A8C

Strings

C:\Users\user\Desktop, xrefs: 00405A78

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: 40098e637bf6d505f922d12736ff559178fc12fa7d0ee67292c12de19d06dc46
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: 6ED0A7729089702EF30393108C00B9F6A88CF16341F090062E480A7191C67C0C424BAD

Uniqueness

Uniqueness Score: -1.00%

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				 *0x10004064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556, _t52);
				_t43 =  *0x1000405c +  *0x1000405c * 4 << 2;
				_t17 = E1000123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E10001266(E100012AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E100012D1( *_t55 - 0x30, E1000123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x10004030;
								 *0x10004030 = _t31;
								E10001508(_t31 + 4,  *0x10004064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x10004030;
							if( *0x10004030 != 0) {
								E10001508( *0x10004064, _t34 + 4, _t43);
								_t37 =  *0x10004030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x10004030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x100010e7
0x100010ef
0x10001103
0x1000110b
0x10001116
0x10001119
0x10001121
0x10001124
0x10001126
0x100011c4
0x100011d0
0x1000112c
0x1000112d
0x1000112d
0x10001130
0x10001131
0x10001134
0x10001203
0x10001206
0x1000119e
0x100011a4
0x100011ac
0x100011b1
0x100011b4
0x00000000
0x100011b4
0x10001209
0x1000120a
0x10001186
0x1000118c
0x10001194
0x00000000
0x10001194
0x10001152
0x10001153
0x1000115b
0x10001168
0x10001170
0x10001179
0x1000117e
0x1000117e
0x00000000
0x10001153
0x1000113a
0x100011d1
0x100011d1
0x100011d8
0x100011e5
0x100011ea
0x100011ef
0x100011f5
0x100011fb
0x100011fb
0x00000000
0x100011d8
0x10001140
0x10001143
0x00000000
0x00000000
0x10001149
0x1000114c
0x1000119b
0x00000000
0x1000119b
0x1000114f
0x10001150
0x10001183
0x00000000
0x10001183
0x00000000
0x100011ba
0x100011ba
0x00000000
0x100011c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
GlobalFree.KERNEL32 ref: 100011B4
GlobalFree.KERNEL32 ref: 100011C7
GlobalFree.KERNEL32 ref: 100011F5

Memory Dump Source

Source File: 00000002.00000002.829318135.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.829312318.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829324628.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.829330878.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00405B97 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B97(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405ba7
0x00405ba9
0x00405bac
0x00405bd8
0x00405bb1
0x00405bba
0x00405bbf
0x00405bca
0x00405bcd
0x00405be9
0x00405bcf
0x00405bd6
0x00000000
0x00405bd6
0x00405be2
0x00405be6
0x00405be6
0x00405be0
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BBF
CharNextA.USER32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD0
lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9

Memory Dump Source

Source File: 00000002.00000002.828426856.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.828421147.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828435977.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828443210.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828500860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828534818.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828569138.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828593685.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.828607874.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
Instruction ID: c0798baac460c4c161baa60e5c3960505173fe7825234d44b9ee5cd82a8c1779
Opcode Fuzzy Hash: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
Instruction Fuzzy Hash: 29F06235105918AFCB02DFA9DD40D9EBBB8EF46350B2540B9F840FB211D674FE01ABA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order_002376662-579588_Date 24082022.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

Windows Analysis Report
Order_002376662-579588_Date 24082022.exe

Function 0040330D Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368
stringcomfileCOMMON

Function 004052FE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405861 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Function 00406725 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040639C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403C86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 004038E9 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D98 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 004060BB Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 004051C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00405686 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405C61 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00406576 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00403146 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Function 004023D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 00405B1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Function 00405F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Function 00405738 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00406B5A Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00406D5B Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 00406A71 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 004069C4 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 00406AE2 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 100027E4 Relevance: 4.7, APIs: 2, Strings: 1, Instructions: 156
memoryCOMMON

Function 004024DF Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Function 00405CD9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Function 00405CAA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Function 10002709 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
memoryCOMMON

Function 0040303E Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Function 0040246D Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00406431 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405C32 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405C0D Relevance: 3.0, APIs: 2, Instructions: 13
COMMON