Edit tour

Windows Analysis Report
DHL04AWB01173903102023PDF.scr.exe

Overview

General Information

Sample Name:	DHL04AWB01173903102023PDF.scr.exe
Analysis ID:	828071
MD5:	1bf124cc783ff47a91ada4e6d4ac9e6b
SHA1:	b78f2ffb785071ab785830cdd4cbc5f010b7480b
SHA256:	494d5735144af171cc15708b37b491b74be1522494958e605ac348dd4897dcf9
Tags:	DHLexeRemcosRATscrsigned
Infos:

Detection

GuLoader

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

Found potential ransomware demand text

Uses 32bit PE files

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

DHL04AWB01173903102023PDF.scr.exe (PID: 1308 cmdline: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe MD5: 1BF124CC783FF47A91ADA4E6D4AC9E6B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.832197103.0000000006825000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DHL04AWB01173903102023PDF.scr.exe

Virustotal: Detection: 13%

Perma Link

Source: DHL04AWB01173903102023PDF.scr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: D:\SCM\P4\depot\esw\projects\azure\Maglev\DesignerBranches\ezheng\newarch\Vista-AddOn\ExtArch\UI\BtTray\libs\x64\ContactsApi.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, ContactsApi.dll.0.dr
Source:	Binary string: D:\Builds\149\N2\HO_MMC_g_2016_r_2016\Sources\AudioPluginMgr\plugins\DefConvertor\Release\DefConvertor.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.000000000299F000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Code function: 0_2_0040572C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040572C
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Code function: 0_2_004061E0 FindFirstFileW,FindClose,	0_2_004061E0

Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: DHL04AWB01173903102023PDF.scr.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://www.nero.com
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	String found in binary or memory: https://d.symcb.com/rpa0

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Code function: 0_2_00405290 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405290

Spam, unwanted Advertisements and Ransom Demands

Found potential ransomware demand text

Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ
Source: nseEDA7.tmp.0.dr	String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ
Source: ContactsApi.dll.0.dr	String found in binary or memory: __m2mep@?__global_unlock@?A0x27fb6efc@@$$FYA_NXZ

Source: DHL04AWB01173903102023PDF.scr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: msado25.tlb.0.dr

Static PE information: No import functions for PE file found

Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemsado25.tlbj% vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsado25.tlbj% vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.000000000299F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDefConvertor.DLL vs DHL04AWB01173903102023PDF.scr.exe
Source: DHL04AWB01173903102023PDF.scr.exe	Binary or memory string: OriginalFilenameStoressters.exe` vs DHL04AWB01173903102023PDF.scr.exe

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Code function: 0_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040331C

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Code function: 0_2_00404ACD		0_2_00404ACD
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Code function: 0_2_004064F2		0_2_004064F2

Source: DHL04AWB01173903102023PDF.scr.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Process Stats: CPU usage > 98%

Source: DHL04AWB01173903102023PDF.scr.exe

Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

File read: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Jump to behavior

Source: DHL04AWB01173903102023PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

File created: C:\Users\user\Nonhieratical

Jump to behavior

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

File created: C:\Users\user\AppData\Local\Temp\nseEDA6.tmp

Jump to behavior

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

File written: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\Z_Custom2.ini

Jump to behavior

Source: classification engine

Classification label: mal64.rans.troj.evad.winEXE@1/11@0/0

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Code function: 0_2_00404587 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404587

Source: DHL04AWB01173903102023PDF.scr.exe

Static file information: File size 1211760 > 1048576

Source:	Binary string: D:\SCM\P4\depot\esw\projects\azure\Maglev\DesignerBranches\ezheng\newarch\Vista-AddOn\ExtArch\UI\BtTray\libs\x64\ContactsApi.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, ContactsApi.dll.0.dr
Source:	Binary string: D:\Builds\149\N2\HO_MMC_g_2016_r_2016\Sources\AudioPluginMgr\plugins\DefConvertor\Release\DefConvertor.pdb source: DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.000000000299F000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.832197103.0000000006825000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Code function: 0_2_10002D50 push eax; ret

0_2_10002D7E

Source: ContactsApi.dll.0.dr

Static PE information: section name: .nep

Source: msado25.tlb.0.dr

Static PE information: 0x8DBA1FD3 [Sun May 7 15:54:59 2045 UTC]

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Code function: 0_2_00406207 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406207

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	File created: C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	File created: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb	Jump to dropped file
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	File created: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	File created: C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll	Jump to dropped file

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

RDTSC instruction interceptor: First address: 0000000006948C31 second address: 0000000006948C31 instructions: 0x00000000 rdtsc 0x00000002 cmp ecx, edx 0x00000004 cmp ecx, edx 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F18C8FF67D2h 0x0000000a test ecx, edx 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e cmp ebx, eax 0x00000010 rdtsc

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb	Jump to dropped file
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Dropped PE file which has not been started: C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll	Jump to dropped file

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Code function: 0_2_0040572C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040572C
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	Code function: 0_2_004061E0 FindFirstFileW,FindClose,	0_2_004061E0

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	API call chain: ExitProcess graph end node			graph_0-4737
Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe	API call chain: ExitProcess graph end node			graph_0-4743

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Code function: 0_2_00406207 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406207

Source: C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe

Code function: 0_2_00405EBF GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405EBF

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	Path Interception	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Timestomp	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL04AWB01173903102023PDF.scr.exe	8%	ReversingLabs
DHL04AWB01173903102023PDF.scr.exe	13%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll	1%	Virustotal	Browse
C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb	0%	ReversingLabs
C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb	0%	Virustotal	Browse
C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll	0%	ReversingLabs
C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll	0%	Virustotal	Browse
C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll	0%	ReversingLabs
C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	DHL04AWB01173903102023PDF.scr.exe	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	false		high
http://www.symauth.com/cps0(	DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	false		high
http://www.symauth.com/rpa00	DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	false		high
http://ocsp.thawte.com0	DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.nero.com	DHL04AWB01173903102023PDF.scr.exe, 00000000.00000002.831811356.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, nseEDA7.tmp.0.dr, APM_DefConvertor.dll.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	828071
Start date and time:	2023-03-16 18:03:16 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	DHL04AWB01173903102023PDF.scr.exe
Detection:	MAL
Classification:	mal64.rans.troj.evad.winEXE@1/11@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 63% (good quality ratio 61.6%) Quality average: 88.1% Quality standard deviation: 22.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 49 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll	recibo de pago 00028384757767868 01172023.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	recibo de pago 00028384757767868 01172023.exe	Get hash	malicious	GuLoader	Browse
	DEME DEKONTU 000284757757575756 01172023.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	DEME DEKONTU 000284757757575756 01172023.exe	Get hash	malicious	GuLoader	Browse
	copia de pago 000284857577688 01162023.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	copia de pago 000284857577688 01162023.exe	Get hash	malicious	GuLoader	Browse
	ODEME BILGILENDIRME 000284857577688 01162023.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	ODEME BILGILENDIRME 000284857577688 01162023.exe	Get hash	malicious	GuLoader	Browse
	SOA.bat.exe	Get hash	malicious	NanoCore, GuLoader	Browse
	SOA.bat.exe	Get hash	malicious	Unknown	Browse
	NCONTA#U007e1.EXE	Get hash	malicious	GuLoader	Browse
	7JJTfoqSdP.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Gen.Variant.Nemesis.11417.21410.24427.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	SecuriteInfo.com.Gen.Variant.Nemesis.11417.21410.24427.exe	Get hash	malicious	GuLoader	Browse
	7xcnQ2Jwq7.exe	Get hash	malicious	FormBook, GuLoader	Browse
	7xcnQ2Jwq7.exe	Get hash	malicious	GuLoader	Browse
	5.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nseEDA7.tmp

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	1831716
Entropy (8bit):	7.308492575684153
Encrypted:	false
SSDEEP:	49152:lf4WAQduqXBweZG32poHRS2tQuWikK9jM3:lJAQlnANE2tQTaM3
MD5:	9B4D8ABA094C64270F7878FAE618AC65
SHA1:	FA3D773625A7FE13C127925856A2B015C986E598
SHA-256:	CB136F81690F426D253696166DE342FF05A1C1F3C0C780BBE800A06396424751
SHA-512:	87EBE9A0C8BD59D98236943710F7A739AEE413FD8B198F1F92479434819423857252B6D160AB42A0EE8B976AAE3972185E2CC467FB9842AFEB9BF3C3D7577B73
Malicious:	false
Reputation:	low
Preview:	.3......,........................!.......2.......3..............................................w...........-.J.............................................................................................................................................................................G...X...............j...............................................................................................................................f.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.774411073650885
Encrypted:	false
SSDEEP:	192:eB2HS+ihg200uWz947Wzvxu6v0MI7JOde+Ij5Z77dslFsE+:3S62Gw947ExuGDI7J8EF7KIE
MD5:	BE2621A78A13A56CF09E00DD98488360
SHA1:	75F0539DC6AF200A07CDB056CDDDDEC595C6CFD2
SHA-256:	852047023BA0CAE91C7A43365878613CFB4E64E36FF98C460E113D5088D68EF5
SHA-512:	B80CF1F678E6885276B9A1BFD9227374B2EB9E38BB20446D52EBE2C3DBA89764AA50CB4D49DF51A974478F3364B5DBCBC5B4A16DC8F1123B40C89C01725BE3D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: recibo de pago 00028384757767868 01172023.exe, Detection: malicious, Browse Filename: recibo de pago 00028384757767868 01172023.exe, Detection: malicious, Browse Filename: DEME DEKONTU 000284757757575756 01172023.exe, Detection: malicious, Browse Filename: DEME DEKONTU 000284757757575756 01172023.exe, Detection: malicious, Browse Filename: copia de pago 000284857577688 01162023.exe, Detection: malicious, Browse Filename: copia de pago 000284857577688 01162023.exe, Detection: malicious, Browse Filename: ODEME BILGILENDIRME 000284857577688 01162023.exe, Detection: malicious, Browse Filename: ODEME BILGILENDIRME 000284857577688 01162023.exe, Detection: malicious, Browse Filename: SOA.bat.exe, Detection: malicious, Browse Filename: SOA.bat.exe, Detection: malicious, Browse Filename: NCONTA#U007e1.EXE, Detection: malicious, Browse Filename: 7JJTfoqSdP.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Gen.Variant.Nemesis.11417.21410.24427.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Gen.Variant.Nemesis.11417.21410.24427.exe, Detection: malicious, Browse Filename: 7xcnQ2Jwq7.exe, Detection: malicious, Browse Filename: 7xcnQ2Jwq7.exe, Detection: malicious, Browse Filename: 5.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....e.Q...........!................9'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...x....@.......&..............@....reloc..@....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Nonhieratical\Apicad\Outjinx\Nonnavigableness\Competed\Coccosteid.Udr

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	202342
Entropy (8bit):	7.5372236610693095
Encrypted:	false
SSDEEP:	3072:YTz6SobCaMo6ljmx23UrLpvJvOc9CuKjrDee/jKOVox2EcIHuysfzFC64:w6SPaMo6l4XvOZ5rDtKOVoQrF0
MD5:	E2901A2B3EFA6BB00F2AD1D4AD963F52
SHA1:	1F2C771CEAE379DF9FA7FA1FA5E4ABC36638A42E
SHA-256:	FEFA0B1539475BF0ED224A8D9934FD4558DD0B1297FB661DAB776ABC96C333FF
SHA-512:	DA39BCB8E8C2BD79160B33A7767C58CC7CE204B56005B16AF6825DD6E25612D4C08E2C69A2DF288EC6635A24E740C23C5842E5DA3C08BDCCE9FC677D456C9B5E
Malicious:	false
Reputation:	low
Preview:	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\TableTextServiceYi.txt

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	45170
Entropy (8bit):	3.7626877360483184
Encrypted:	false
SSDEEP:	384:wBMdoEQYh/Iq7rwSM+jNyql218nyeEJFFCEeFe73c3+AC+mviFuqOtSS0uK3l/:wadoAr7s1+jNyqr6FFweIT0h0/
MD5:	AC05652AF93A583226FD118E23D3652F
SHA1:	DA5BB4AE245369888D1AF981AF6785FAE21C7BC9
SHA-256:	54E26FC4F586B39C4CCB6655735E8AA03AD31498EFD0119AB8406258D5561627
SHA-512:	2C24F1CBD45D5B06DF0A187793E02DA4F085E6E03CF1A697416F3F0B34FE4E96ECFCFD4E25DA3288383B98E1BC112A2418EFF5EA8E69BFBF153F28A20A687BF2
Malicious:	false
Reputation:	low
Preview:	..[.S.y.s.t.e.m.].....L.a.n.g.I.d. .=. .L.A.N.G._.Y.I.,. .S.U.B.L.A.N.G._.D.E.F.A.U.L.T.....G.u.i.d.P.r.o.f.i.l.e.=.{.4.0.9.C.8.3.7.6.-.0.0.7.B.-.4.3.5.7.-.A.E.8.E.-.2.6.3.1.6.E.E.3.F.B.0.D.}.....D.e.s.c.r.i.p.t.i.o.n.=.".Y.i. .I.n.p.u.t. .M.e.t.h.o.d.".....D.i.s.p.l.a.y. .D.e.s.c.r.i.p.t.i.o.n.=.".@.%.p.r.o.g.r.a.m.F.i.l.e.s.%.\.W.i.n.d.o.w.s. .N.T.\.T.a.b.l.e.T.e.x.t.S.e.r.v.i.c.e.\.T.a.b.l.e.T.e.x.t.S.e.r.v.i.c.e...d.l.l.,.-.1.6.".....I.c.o.n.I.n.d.e.x.=.I.C.O.N._.Y.I.........[.C.o.n.f.i.g.u.r.a.t.i.o.n.].....S.h.o.w.I.n.c.r.e.m.e.n.t.a.l.C.a.n.d.i.d.a.t.e.I.m.m.e.d.i.a.t.e.l.y.=.1.....R.e.a.d.i.n.g.W.i.n.d.o.w...W.i.d.t.h.=.3.....F.o.n.t.F.a.c.e.N.a.m.e.=.M.i.c.r.o.s.o.f.t. .Y.i. .B.a.i.t.i.....F.o.n.t.S.i.z.e.=.1.4.........[.P.r.e.s.e.r.v.e.d.K.e.y.].....G.u.i.d.I.m.e.M.o.d.e.=.{.9.8.2.1.3.4.9.4.-.3.6.7.A.-.4.8.5.5.-.9.0.A.1.-.9.7.D.9.1.7.E.3.E.C.3.D.}.....K.e.y.D.e.f.i.n.e.I.m.e.M.o.d.e.=.V.K._.S.H.I.F.T.,. .T.F._.M.O.D._.O.N._.K.E.Y.U.P._.S.H.I.F.T._.O.N.L.Y.....D.e.s.c.r.i.p.t.

C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\Z_Custom2.ini

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	Generic INItialization configuration [allData0]
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	4.623864089058378
Encrypted:	false
SSDEEP:	96:KGz5QTZR5ATsj5sjc9sjnljnDQcaufEjnOAvtDAvVY:BzmTZbAojyjnjljspu8jXvtMvVY
MD5:	CA003CF1D99CDF717768E88DD64BB84C
SHA1:	A0326E46EA68C4649DD6645368B43922B6126FF6
SHA-256:	44100D5F41FE4CDDD1D77EF7124FEC4F8071E5A1678339ACE0DA3DD7E826EF2F
SHA-512:	94D1EB659C22A3614F250C79D1C957876A617158BE538E35E906F12E68C6E12CCBE9C364D1F1C18D280F72FD7958D753348C056CAF320B6843EC3873B59C9926
Malicious:	false
Reputation:	low
Preview:	[Config]..modeIndex=1..allIndex=1..wasdIndex=0..qwerIndex=0..fourIndex=0..syncIndex=0....[allData0]..ColorR=255..ColorG=0..ColorB=0..Color2R=0..Color2G=0..Color2B=0..Color3R=0..Color3G=0..Color3B=0..Color4R=0..Color4G=0..Color4B=0..SpeedType=2..DirectType=1..MusicType=0..TemperatureH=0..TemperatureL=0..StrobingRandom=0....[allData1]..ColorR=8..ColorG=255..ColorB=240..Color2R=255..Color2G=0..Color2B=0..Color3R=0..Color3G=0..Color3B=0..Color4R=0..Color4G=0..Color4B=0..SpeedType=2..DirectType=1..MusicType=0..TemperatureH=0..TemperatureL=0..StrobingRandom=0....[allData2]..ColorR=255..ColorG=0..ColorB=0..Color2R=0..Color2G=0..Color2B=0..Color3R=0..Color3G=0..Color3B=0..Color4R=0..Color4G=0..Color4B=0..SpeedType=2..DirectType=1..MusicType=0..TemperatureH=0..TemperatureL=0..StrobingRandom=0....[allData3]..ColorR=0..ColorG=0..ColorB=0..Color2R=0..Color2G=0..Color2B=0..Color3R=0..Color3G=0..Color3B=0..Color4R=0..Color4G=0..Color4B=0..SpeedType=2..DirectType=1..MusicType=3..TemperatureH=0..Tempe

C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	4.63717105728589
Encrypted:	false
SSDEEP:	768:5U0SzA63tPY1AcbERQzuahkbzM7hX2O4HvypROPzMiibjUsqK0M49uo:5OU63tPY114RX3M7MvPy/OPz/CF09F
MD5:	299DBB927B6390C6B925757DD5B2B7FF
SHA1:	FFCE563E42AF7B1086CB5AE92014801B2C66DC0C
SHA-256:	D9D2BD64DE6176B31A4E704D7E5D08FA9BB75A6A8AC007A61C4DF38F6FA82262
SHA-512:	E88F9DA34960BC13C27F2B236A28410AC8B71619D8175103D0BD5E7F03F395F773BCDF399E805D2150BECF2EE107147287D6FE0C00BD41AC591F868E62296347
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d................." .........................................................0.......Z....`.......................................................... ..................................8............................................................................rdata..............................@..@.rsrc........ ......................@..@................T...8...8...................$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... .....A..R...)h.s.V.2..d.v.9...............................................................................................................................................................................................................................................................................................................................

C:\Users\user\Nonhieratical\Counts\Convolution\Dottily\ArtDeco_brown_22.bmp

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, components 3
Category:	dropped
Size (bytes):	7968
Entropy (8bit):	7.906040167483731
Encrypted:	false
SSDEEP:	192:oXRXorJ1fquj4/Ms9hHCQyTscIhlMN58ZB5oEx5/U8qn8kyx:KRoqu0ksEIhCOjZU8M8kM
MD5:	162F6BB32D6D5AC380A80DA07C13E213
SHA1:	7985EAC367E0B19CC0E30B24399A37663E8436F6
SHA-256:	686310A1A5B8BB4D4EAA316FC0A3970EE878CC39F75E8C68F49ED51A5AD562DF
SHA-512:	F4DC70FB483303906CA8C4D5AE404653C7B761BEB38B3DC88ABDEBED4B28A85F3A02F6E2E1E5D28A1625F09A8EEA7A66F12959AA12E98733023CE5908B9FF199
Malicious:	false
Preview:	......JFIF.....d.d.....:Exif..MM.......Q...........Q..........aQ..........a.......C....................................................................C.......................................................................n.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(..5...l...K.4.....t{.k..........^SD'...g....H.7.......d....=.....RmQ..{.x.. .mj....\|Z.m'.\|;<l.ykc...j.0X.h...f.O,..M.K.>.xG.......K..sZ...H\|U.j.Z...y?,.m.n.[...l...J.(..QUG...(...z_....#....Ys=....?......>....?.}.;.V..@7..5..-.O...o.\F.....v.........~)...c}.O.....}b.%.........>a..Z.di.l.cH\|.a

C:\Users\user\Nonhieratical\Counts\Convolution\Dottily\Iconology.Ess

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	ASCII text, with very long lines (57606), with no line terminators
Category:	dropped
Size (bytes):	57606
Entropy (8bit):	2.670628012232385
Encrypted:	false
SSDEEP:	768:Ip+EachJRWeyBP/QmazA5Bnh+QuGkvrOYKT2Rrt6UptqyBcerao1CEzSkNu8R2QP:uquzgxiGXNyHlqgdeo1CtNQP
MD5:	1EE3EA9EB5F7142B93FE99689B2038A6
SHA1:	AB0D94BDBDC97EEA61B226010584C12D9AED43EA
SHA-256:	67D1985FCBEB4E6FB84785F6304B3CB63A9326B328921E04CCFD50539825FDB7
SHA-512:	BBC7EAEA47011BB96FD26ADB3B71F981AE20FDACCF1A72BAFE96EC8E3071AD29AE052B279465FA700B3AD327DC2EA97408B52FD5A0D73B716F21FCD500D30B67
Malicious:	false
Preview:	0000DB00000000B3B300008E0037373700E100DF0091910000D2D2D20000C1C100DFDF000000006A6A006F000000D800000000000030000047000000000000003737373737006E6E003F3F000000B70000C0C00000DDDDDDDD0000DE00B50000007E000303030034005D000900E1E1E1E1003A3A3A3A3A00E0000000A900000000D7D70000FCFC00007500F400950000515100EB00DD0000F000920000006A000018005300616100002222000072001B000010006D00B9B9B9000087878700FEFEFE00007200000000004D00CFCF00007373000000A3A3008B8B000000000000262600003E000000000000001C0000000000F500007676760000606000001010100030000000F1000000002828000000020000656500000000000000C7C70000004A005B00E1E1E1E1001A0000004800565600686868000000C1000046006700B3B300810000003900737300DA00292929000000BFBF009100005E000000131313002626000000000000460000FFFFFFFFFF00B9B9B9B900000027000000E1E1E1000000003800F1F1F10000001F002C00000089000000006161616100A0001F00B200002C2C2C2C2C009E00000000AC000045450063000A0A00F70000D900000003030300AF00003300010100989800FDFD0000002424242400830056002D2D0053000000000000000000000000AB00000000EF

C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	251376
Entropy (8bit):	5.684541726348285
Encrypted:	false
SSDEEP:	3072:njOJemjvYiYtrWTovAYYYlDvNYXzMgv9/PuMKISOe1sWQuCyY+2JHfYavRkRYI1N:n+6v671nuMKRv1sHyaJ/YavRkRYIBYA1
MD5:	B44ED270A186763E1DA753AA39553B68
SHA1:	10390F85EA5DB841A8BC70E8ED931A5D34026BE8
SHA-256:	E24E9B9C79199B66B9F847F1E07A2769B82CB7FCCA98E5B53F28B481EEBCABD8
SHA-512:	0BF049851CBD5D29221E7C721F15E58286C030023A9BF66E88A5EE6D4D940F89CBBFB8A4E0376382472940450D631E7E3D0162C871443CA12169DFED4E7C91B5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......43..pR..pR..pR..y^.qR..yN.xR....sR....}R....xR..pR..-S....wR......JR..pR..dR......zR......oR......qR......qR..pRJ.qR......qR..RichpR..................PE..L...L..V...........!......................................................................@..........................P.......A...................................+......8...........................@...@............................................text............................... ..`.rdata..=A.......B..................@..@.data...D....`.......F..............@....rsrc............ ...V..............@..@.reloc...G.......H...v..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	384128
Entropy (8bit):	5.921054568677329
Encrypted:	false
SSDEEP:	6144:zJteC/kw/VKk3g6ZK5RoyPAzv2B9NAlYRuKJOllo:zreCsO3g6QRoyPAw6eRh
MD5:	7E49C04017D860D5EE299FFB104203DF
SHA1:	DDF55616BDABC91EB801CE14A45ACDAD2142B78F
SHA-256:	1AC6E64459440B6EFB03FC256E24BCCBBC512CF6E7DCD85DD3C45E1CA7584176
SHA-512:	EC125C3CD1EDE0F4C24915BC39EA641F58F1D78048E0CCB631F249839440218B02706CC8ACA785DA2B3993EDBABEFB433BF19BA29A9F1EDFB6ACACBDDC0A4F50
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........p...p...p....j..p...?...p.......p.......p.......p...p...p.......p.......p.......p..Rich.p..........................PE..d....=.N.........." ..... ..........L........................................@............@.......................................................... ..........@............0......`E...............................................@..............\|E..H............text............................... ..`.nep......... ...................... ..`.rdata..v....@.......$..............@..@.data....<..........................@....pdata..@...........................@..@.rsrc........ ......................@..@.reloc..`....0......................@..B................................................................................................................................................................................................................

C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\Sports-Wallpapers-1.jpg

Download File

Process:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x786, components 3
Category:	dropped
Size (bytes):	782753
Entropy (8bit):	7.972739118836816
Encrypted:	false
SSDEEP:	12288:1xE6g9kiViGNq+W6nQNIDO0tVGb34eaR6fUnMlkTFztQywzV0jyB4Dl9l+qfkwPN:7E6G3VibpHIdebodR6jlKFtQVUv+iP8S
MD5:	E269DECCAC13CF01A0377872E79BC676
SHA1:	54D196FDE9529310F9E5A3EBA6548DAB4F179542
SHA-256:	255874E0A6A5CA862CBAE5C783D582729B343C70C5697062D7F1E587F15F25EC
SHA-512:	08ADAD38BE3472CF8814C40F99D6DCFDA313C2FED765B872AA30C0995B027F2BEDABF75DB625F3C40F003A8EFC3F41169CBA4AF706EC637018DEEF02EC92F6CC
Malicious:	false
Preview:	......JFIF.....`.`.....XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.9924781293877105
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL04AWB01173903102023PDF.scr.exe
File size:	1211760
MD5:	1bf124cc783ff47a91ada4e6d4ac9e6b
SHA1:	b78f2ffb785071ab785830cdd4cbc5f010b7480b
SHA256:	494d5735144af171cc15708b37b491b74be1522494958e605ac348dd4897dcf9
SHA512:	b5e35fda41aedb7c40961098745153efa13470d065ac2cfb343c542011ed58869494770615db8a7e4b64b77ac6dd2de4f1cfd1403efeceee8425993bdf66670b
SSDEEP:	24576:7RNsMRW/uL9M7e36FgHRcMSbA22c91uwozF2KDQcvhNfSf7a09Xe+bUe:c4suGm6SxcD2SczF2aQcffSDb99
TLSH:	214533D212E2B0B3D690D93B5D5D6E7EE173D60014B2274B7340A8AE6F38165AB1F374
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....e.Q.................`..........3.......p....@

File Icon


Icon Hash:	74f0d0c0ccd4f0c4

Static PE Info

General

Entrypoint:	0x40331c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x519965DC [Sun May 19 23:53:00 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	17b7d61bda0f7478e36d9ce3d4170680

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=inertnesses@Forbetoning20.En, OU="Falskspillere Unrelinquishable ", O=Inalterableness, L=Montague, S=Texas, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	7/10/2022 7:04:55 AM 7/9/2025 7:04:55 AM
Subject Chain	E=inertnesses@Forbetoning20.En, OU="Falskspillere Unrelinquishable ", O=Inalterableness, L=Montague, S=Texas, C=US
Version:	3
Thumbprint MD5:	B6296BD55FD696653A6ECFD645239E12
Thumbprint SHA-1:	7B9D3A3205DB42A6F338C423028B131EDDD4F064
Thumbprint SHA-256:	F7E0D7AFE23FD9E15D7B7C6CB47B4662581AE209B91E9046AE6A7AAFDC37720B
Serial:	04D25D90CEF83AEC304DC1F83B1B5CCF54893695

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+14h], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007F18C9476A2Dh
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007F18C9476698h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007F18C9476686h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007F18C9473B8Ah
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007F18C94760F4h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+1Ch], eax
jmp 00007F18C9473C49h
push 00000020h
pop edx
cmp cx, dx
jne 00007F18C9473B89h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007F18C9473B7Bh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x7fc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x127368	0xa08
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e1c	0x6000	False	0.6542561848958334	data	6.407290112650426	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	False	0.43046875	data	5.037834422880877	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	False	0.47265625	data	3.7587363087821926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x24000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4e000	0x7fc0	0x8000	False	0.949371337890625	data	7.7369782578420665	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x4e1d8	0x7562	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_DIALOG	0x55740	0x100	data	English	United States
RT_DIALOG	0x55840	0xf8	data	English	United States
RT_DIALOG	0x55938	0x60	data	English	United States
RT_GROUP_ICON	0x55998	0x14	data	English	United States
RT_VERSION	0x559b0	0x25c	data	English	United States
RT_MANIFEST	0x55c10	0x3b0	XML 1.0 document, ASCII text, with very long lines (944), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, MultiByteToWideChar, FindClose, MulDiv, ReadFile, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: DHL04AWB01173903102023PDF.scr.exePID: 1308, Parent PID: 3528

General

Target ID:	0
Start time:	18:04:13
Start date:	16/03/2023
Path:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe
Imagebase:	0x400000
File size:	1211760 bytes
MD5 hash:	1BF124CC783FF47A91ADA4E6D4AC9E6B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.832197103.0000000006825000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: DHL04AWB01173903102023PDF.scr.exePID: 1308, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	19.4%
Dynamic/Decrypted Code Coverage:	14.5%
Signature Coverage:	18.4%
Total number of Nodes:	1535
Total number of Limit Nodes:	41

Executed Functions

Function 0040331C Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			_entry_() {
				struct _SHFILEINFOW _v700;
				struct _SECURITY_ATTRIBUTES* _v716;
				struct _SECURITY_ATTRIBUTES* _v720;
				WCHAR* _v724;
				char _v736;
				int _v740;
				signed int _v744;
				struct _SECURITY_ATTRIBUTES* _v748;
				intOrPtr _v752;
				int _v756;
				intOrPtr _v760;
				struct _SECURITY_ATTRIBUTES* _v764;
				void* _v772;
				int _t36;
				WCHAR* _t41;
				char* _t44;
				WCHAR* _t46;
				void* _t52;
				intOrPtr _t54;
				signed int _t56;
				int _t59;
				int _t60;
				int _t64;
				void* _t86;
				signed int _t96;
				void* _t99;
				void* _t104;
				char* _t107;
				int _t108;
				void* _t109;
				int _t127;
				int _t128;
				void* _t129;
				short _t131;
				WCHAR* _t132;
				int _t133;
				void* _t138;
				void* _t139;
				int _t141;
				intOrPtr* _t144;
				short _t167;

				_t138 = 0x20;
				_v716 = 0;
				_v724 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v720 = 0;
				__imp__#17();
				_t36 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x429298 = _t36;
				 *0x4291e4 = E00406207(8);
				SHGetFileInfoW(0x420690, 0,  &_v700, 0x2b4, 0); // executed
				E00405E9D(0x4281e0, L"NSIS Error");
				_t41 = GetCommandLineW();
				_t107 = L"user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)";
				E00405E9D(_t107, _t41);
				 *0x4291e0 = GetModuleHandleW(0);
				_t44 = _t107;
				if(L"user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)" == 0x22) {
					_t44 =  &M00434002;
					_t138 = 0x22;
				}
				_t46 = CharNextW(E00405932(_t44, _t138));
				_v744 = _t46;
				while(1) {
					_t110 =  *_t46;
					_t151 = _t110;
					if(_t110 == 0) {
						break;
					}
					_t129 = 0x20;
					__eflags = _t110 - _t129;
					if(_t110 != _t129) {
						L5:
						__eflags =  *_t46 - 0x22;
						_t139 = _t129;
						if( *_t46 == 0x22) {
							_t46 =  &(_t46[1]);
							__eflags = _t46;
							_t139 = 0x22;
						}
						__eflags =  *_t46 - 0x2f;
						if( *_t46 != 0x2f) {
							L19:
							_t46 = E00405932(_t46, _t139);
							__eflags =  *_t46 - 0x22;
							if(__eflags == 0) {
								_t46 =  &(_t46[1]);
								__eflags = _t46;
							}
							continue;
						}
						_t46 =  &(_t46[1]);
						__eflags =  *_t46 - 0x53;
						if( *_t46 != 0x53) {
							L12:
							_t131 =  *_t46;
							__eflags = _t131 - (( *0x409372 & 0x0000ffff) << 0x00000010 | L"NCRC" & 0x0000ffff);
							if(_t131 != (( *0x409372 & 0x0000ffff) << 0x00000010 | L"NCRC" & 0x0000ffff)) {
								L17:
								__eflags =  *((intOrPtr*)(_t46 - 4)) - (( *0x409366 & 0x0000ffff) << 0x00000010 | L" /D=" & 0x0000ffff);
								if( *((intOrPtr*)(_t46 - 4)) != (( *0x409366 & 0x0000ffff) << 0x00000010 | L" /D=" & 0x0000ffff)) {
									goto L19;
								}
								_t110 = ( *0x40936a & 0x0000ffff) << 0x00000010 |  *0x409368 & 0x0000ffff;
								__eflags = _t131 - (( *0x40936a & 0x0000ffff) << 0x00000010 |  *0x409368 & 0x0000ffff);
								if(_t131 == (( *0x40936a & 0x0000ffff) << 0x00000010 |  *0x409368 & 0x0000ffff)) {
									 *((short*)(_t46 - 4)) = 0;
									__eflags =  &(_t46[2]);
									E00405E9D(L"C:\\Users\\jones\\Nonhieratical",  &(_t46[2]));
									break;
								}
								goto L19;
							}
							__eflags = _t46[2] - (( *0x409376 & 0x0000ffff) << 0x00000010 |  *0x409374 & 0x0000ffff);
							if(_t46[2] != (( *0x409376 & 0x0000ffff) << 0x00000010 |  *0x409374 & 0x0000ffff)) {
								goto L17;
							}
							_t127 = _t46[4];
							__eflags = _t127 - 0x20;
							if(_t127 == 0x20) {
								L16:
								_t11 =  &_v744;
								 *_t11 = _v744 | 0x00000004;
								__eflags =  *_t11;
								goto L17;
							}
							__eflags = _t127;
							if(_t127 != 0) {
								goto L17;
							}
							goto L16;
						}
						_t128 = _t46[1];
						__eflags = _t128 - _t129;
						if(_t128 == _t129) {
							L11:
							_t7 =  &_v744;
							 *_t7 = _v744 | 0x00000002;
							__eflags =  *_t7;
							goto L12;
						}
						__eflags = _t128;
						if(_t128 != 0) {
							goto L12;
						}
						goto L11;
					} else {
						goto L4;
					}
					do {
						L4:
						_t46 =  &(_t46[1]);
						__eflags =  *_t46 - _t129;
					} while ( *_t46 == _t129);
					goto L5;
				}
				_t132 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
				GetTempPathW(0x400, _t132);
				_t52 = E004032E8(_t110, _t151);
				_t152 = _t52;
				if(_t52 != 0) {
					L27:
					DeleteFileW(L"1033"); // executed
					_t54 = E00402D52(_t154, _v744); // executed
					_v752 = _t54;
					if(_t54 != 0) {
						L38:
						E0040377F();
						__imp__OleUninitialize();
						if(_v748 == 0) {
							__eflags =  *0x429274;
							if( *0x429274 != 0) {
								_t108 = E00406207(3);
								_t141 = E00406207(4);
								_t59 = E00406207(5);
								__eflags = _t108;
								_t133 = _t59;
								if(_t108 != 0) {
									__eflags = _t141;
									if(_t141 != 0) {
										__eflags = _t133;
										if(_t133 != 0) {
											_t64 =  *_t108(GetCurrentProcess(), 0x28,  &_v736);
											__eflags = _t64;
											if(_t64 != 0) {
												 *_t141(0, L"SeShutdownPrivilege",  &_v740);
												_v756 = 1;
												_v744 = 2;
												 *_t133(_v760, 0,  &_v756, 0, 0, 0);
											}
										}
									}
								}
								_t60 = ExitWindowsEx(2, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									E0040140B(9);
								}
							}
							_t56 =  *0x42928c;
							__eflags = _t56 - 0xffffffff;
							if(_t56 != 0xffffffff) {
								_v740 = _t56;
							}
							ExitProcess(_v740);
						}
						E00405680(_v748, 0x200010);
						ExitProcess(2);
					}
					if( *0x4291fc == 0) {
						L37:
						 *0x42928c =  *0x42928c | 0xffffffff;
						_v740 = E00403871();
						goto L38;
					}
					_t144 = E00405932(_t107, 0);
					if(_t144 < _t107) {
						L34:
						_t162 = _t144 - _t107;
						_v748 = L"Error launching installer";
						if(_t144 < _t107) {
							lstrcatW(_t132, L"~nsu.tmp");
							if(lstrcmpiW(_t132, L"C:\\Users\\jones\\Desktop") == 0) {
								goto L38;
							}
							CreateDirectoryW(_t132, 0);
							SetCurrentDirectoryW(_t132);
							_t167 = L"C:\\Users\\jones\\Nonhieratical"; // 0x43
							if(_t167 == 0) {
								E00405E9D(L"C:\\Users\\jones\\Nonhieratical", L"C:\\Users\\jones\\Desktop");
							}
							E00405E9D(0x42a000, _v736);
							 *0x42a800 = ( *0x409316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
							_t109 = 0x1a;
							do {
								E00405EBF(_t109, _t132, 0x41fe90, 0x41fe90,  *((intOrPtr*)( *0x4291f0 + 0x120)));
								DeleteFileW(0x41fe90);
								if(_v756 != 0 && CopyFileW(L"C:\\Users\\jones\\Desktop\\DHL04AWB01173903102023PDF.scr.exe", 0x41fe90, 1) != 0) {
									E00405D37(0x41fe90, 0);
									E00405EBF(_t109, _t132, 0x41fe90, 0x41fe90,  *((intOrPtr*)( *0x4291f0 + 0x124)));
									_t86 = E0040561F(0x41fe90);
									if(_t86 != 0) {
										CloseHandle(_t86);
										_v748 = 0;
									}
								}
								 *0x42a800 =  *0x42a800 + 1;
								_t109 = _t109 - 1;
							} while (_t109 != 0);
							E00405D37(_t132, 0);
							goto L38;
						}
						 *_t144 = 0;
						_t145 = _t144 + 8;
						if(E00405A0D(_t162, _t144 + 8) == 0) {
							goto L38;
						}
						E00405E9D(L"C:\\Users\\jones\\Nonhieratical", _t145);
						E00405E9D(L"C:\\Users\\jones\\Nonhieratical\\Clavichordist\\benenders\\Actionfilm\\Sortsrenheden", _t145);
						_v764 = 0;
						goto L37;
					}
					_t96 = ( *0x409332 & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
					while( *_t144 != _t96 ||  *((intOrPtr*)(_t144 + 4)) != (( *0x409336 & 0x0000ffff) << 0x00000010 |  *0x409334 & 0x0000ffff)) {
						_t144 = _t144;
						if(_t144 >= _t107) {
							continue;
						}
						goto L34;
					}
					goto L34;
				}
				GetWindowsDirectoryW(_t132, 0x3fb);
				lstrcatW(_t132, L"\\Temp");
				_t99 = E004032E8(_t110, _t152);
				_t153 = _t99;
				if(_t99 != 0) {
					goto L27;
				}
				GetTempPathW(0x3fc, _t132);
				lstrcatW(_t132, L"Low");
				SetEnvironmentVariableW(L"TEMP", _t132);
				SetEnvironmentVariableW(L"TMP", _t132);
				_t104 = E004032E8(_t110, _t153);
				_t154 = _t104;
				if(_t104 == 0) {
					goto L38;
				}
				goto L27;
			}

0x0040332a
0x0040332b
0x0040332f
0x00403337
0x0040333b
0x00403346
0x0040334d
0x00403355
0x0040335f
0x00403375
0x00403385
0x0040338a
0x00403390
0x00403397
0x004033ab
0x004033b0
0x004033b2
0x004033b6
0x004033bb
0x004033bb
0x004033c4
0x004033ca
0x00403497
0x00403497
0x0040349a
0x0040349d
0x004034a3
0x004034a3
0x004033d5
0x004033d6
0x004033d9
0x004033e2
0x004033e2
0x004033e6
0x004033e8
0x004033ed
0x004033ed
0x004033ee
0x004033ee
0x004033ef
0x004033f3
0x00403488
0x0040348a
0x0040348f
0x00403493
0x00403496
0x00403496
0x00403496
0x00000000
0x00403493
0x004033fa
0x004033fb
0x004033ff
0x00403414
0x00403422
0x00403429
0x0040342b
0x00403459
0x0040346c
0x0040346f
0x00000000
0x00000000
0x00403482
0x00403484
0x00403486
0x004034a5
0x004034a9
0x004034b2
0x00000000
0x004034b2
0x00000000
0x00403486
0x00403440
0x00403443
0x00000000
0x00000000
0x00403445
0x00403449
0x0040344d
0x00403454
0x00403454
0x00403454
0x00403454
0x00000000
0x00403454
0x0040344f
0x00403452
0x00000000
0x00000000
0x00000000
0x00403452
0x00403401
0x00403405
0x00403408
0x0040340f
0x0040340f
0x0040340f
0x0040340f
0x00000000
0x0040340f
0x0040340a
0x0040340d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004033db
0x004033db
0x004033dc
0x004033dd
0x004033dd
0x00000000
0x004033db
0x004034bd
0x004034c8
0x004034ca
0x004034cf
0x004034d1
0x00403529
0x0040352e
0x00403538
0x0040353f
0x00403543
0x004035d9
0x004035d9
0x004035de
0x004035e8
0x004036e4
0x004036ea
0x004036f5
0x004036fe
0x00403700
0x00403705
0x00403707
0x00403709
0x0040370b
0x0040370d
0x0040370f
0x00403711
0x00403721
0x00403723
0x00403725
0x00403732
0x00403741
0x00403749
0x00403751
0x00403751
0x00403725
0x00403711
0x0040370d
0x00403756
0x0040375c
0x0040375e
0x00403762
0x00403762
0x0040375e
0x00403767
0x0040376c
0x0040376f
0x00403771
0x00403771
0x00403779
0x00403779
0x004035f7
0x004035fe
0x004035fe
0x0040354f
0x004035c9
0x004035c9
0x004035d5
0x00000000
0x004035d5
0x00403558
0x0040355c
0x00403593
0x00403593
0x00403595
0x0040359d
0x0040360a
0x0040361e
0x00000000
0x00000000
0x00403622
0x00403629
0x0040362f
0x00403636
0x0040363e
0x0040363e
0x0040364c
0x00403666
0x0040366b
0x00403671
0x0040367d
0x00403683
0x0040368d
0x004036a3
0x004036b4
0x004036ba
0x004036c1
0x004036c4
0x004036ca
0x004036ca
0x004036c1
0x004036ce
0x004036d5
0x004036d5
0x004036da
0x00000000
0x004036da
0x0040359f
0x004035a2
0x004035ad
0x00000000
0x00000000
0x004035b5
0x004035c0
0x004035c5
0x00000000
0x004035c5
0x0040356f
0x00403571
0x0040358e
0x00403591
0x00000000
0x00000000
0x00000000
0x00403591
0x00000000
0x00403571
0x004034d9
0x004034e5
0x004034ea
0x004034ef
0x004034f1
0x00000000
0x00000000
0x004034f9
0x00403501
0x00403512
0x0040351a
0x0040351c
0x00403521
0x00403523
0x00000000
0x00000000
0x00000000

APIs

#17.COMCTL32 ref: 0040333B
SetErrorMode.KERNELBASE(00008001), ref: 00403346
OleInitialize.OLE32(00000000), ref: 0040334D

Part of subcall function 00406207: GetModuleHandleA.KERNEL32(?,?,00000020,0040335F,00000008), ref: 00406219
Part of subcall function 00406207: LoadLibraryA.KERNELBASE(?,?,00000020,0040335F,00000008), ref: 00406224
Part of subcall function 00406207: GetProcAddress.KERNEL32(00000000,?), ref: 00406235

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 00403375

Part of subcall function 00405E9D: lstrcpynW.KERNEL32(?,?,00000400,0040338A,004281E0,NSIS Error), ref: 00405EAA

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 0040338A
GetModuleHandleW.KERNEL32(00000000,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),00000000), ref: 0040339D
CharNextW.USER32(00000000,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),00000020), ref: 004033C4
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004034C8
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034E5
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403501
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403512
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040351A
DeleteFileW.KERNELBASE(1033), ref: 0040352E
OleUninitialize.OLE32(?), ref: 004035DE
ExitProcess.KERNEL32 ref: 004035FE
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp), ref: 0040360A
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),00000000,?), ref: 00403616
CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403622
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403629
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 00403683
CopyFileW.KERNEL32(C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,0041FE90,00000001), ref: 00403697
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 004036C4
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 0040371A
ExitWindowsEx.USER32(00000002,00000000), ref: 00403756
ExitProcess.KERNEL32 ref: 00403779

Strings

Low, xrefs: 004034FB
TMP, xrefs: 00403515
SeShutdownPrivilege, xrefs: 0040372C
TEMP, xrefs: 0040350D
user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0), xrefs: 00403390, 00403396, 00403552
C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe, xrefs: 00403692
C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden, xrefs: 004035BB
\Temp, xrefs: 004034DF
Error launching installer, xrefs: 00403595
NSIS Error, xrefs: 0040337B
C:\Users\user\AppData\Local\Temp\, xrefs: 004034BD, 004034C2, 004034D8, 004034E4, 004034F3, 00403500, 0040350C, 00403514, 00403609, 00403615, 00403621, 00403628, 004036D9
1033, xrefs: 00403529
~nsu.tmp, xrefs: 00403604
C:\Users\user\Nonhieratical, xrefs: 004034AD, 004035B0, 0040362F, 00403639
C:\Users\user\Desktop, xrefs: 0040360F, 00403614, 00403638
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040332F

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: 1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe$C:\Users\user\Nonhieratical$C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)$~nsu.tmp
API String ID: 4107622049-284238486
Opcode ID: c42b5927fb7c622071b2a930d6cf04b00b37f2f7dec868ddebeef8cd43eff1cd
Instruction ID: 421065c5a1ff222b8a3ad17e082498d2e7d713505ed84e3db2b015794f7a16d7
Opcode Fuzzy Hash: c42b5927fb7c622071b2a930d6cf04b00b37f2f7dec868ddebeef8cd43eff1cd
Instruction Fuzzy Hash: DFB1B670904211BAD7207F629D49A3B3EACEB45706F40453FF542B62E2D7785A41CB7E

Uniqueness

Uniqueness Score: -1.00%

Function 00405290 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00405290(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t90;
				unsigned int _t95;
				int _t97;
				int _t98;
				void* _t105;
				intOrPtr _t116;
				void* _t124;
				intOrPtr _t127;
				struct HWND__* _t131;
				int _t153;
				int _t154;
				struct HMENU__* _t159;
				struct HWND__* _t163;
				struct HWND__* _t164;
				void* _t166;
				void* _t167;
				short* _t168;
				short* _t170;

				_t164 =  *0x4281c4;
				_t153 = 0;
				_v8 = _t164;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t124 = CreateThread(0, 0, E00405224, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						FindCloseChangeNotification(_t124); // executed
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t164) {
								goto L20;
							} else {
								_t90 = SendMessageW(_t164, 0x1004, _t153, _t153);
								_a8 = _t90;
								if(_t90 <= _t153) {
									L37:
									return 0;
								}
								_t159 = CreatePopupMenu();
								AppendMenuW(_t159, _t153, 1, E00405EBF(_t153, _t159, _t164, _t153, 0xffffffe1));
								_t95 = _a16;
								if(_t95 != 0xffffffff) {
									_t154 = _t95;
									_t97 = _t95 >> 0x10;
								} else {
									GetWindowRect(_t164,  &_v28);
									_t154 = _v28.left;
									_t97 = _v28.top;
								}
								_t98 = TrackPopupMenu(_t159, 0x180, _t154, _t97, _t153, _a4, _t153);
								_t166 = 1;
								if(_t98 == 1) {
									_v60 = _t153;
									_v48 = 0x4226d0;
									_v44 = 0x1fff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t166 = _t166 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
									} while (_a4 != _t153);
									OpenClipboard(_t153);
									EmptyClipboard();
									_t105 = GlobalAlloc(0x42, _t166 + _t166);
									_a4 = _t105;
									_t167 = GlobalLock(_t105);
									do {
										_v48 = _t167;
										_t168 = _t167 + SendMessageW(_v8, 0x1073, _t153,  &_v68) * 2;
										 *_t168 = 0xd;
										_t170 = _t168 + 2;
										 *_t170 = 0xa;
										_t167 = _t170 + 2;
										_t153 = _t153 + 1;
									} while (_t153 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(0xd, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x4281ac == _t153) {
							ShowWindow( *0x4291e8, 8);
							if( *0x42926c == _t153) {
								_t116 =  *0x4216a8; // 0x4fa104
								E00405151( *((intOrPtr*)(_t116 + 0x34)), _t153);
							}
							E004040C5(1);
							goto L25;
						}
						 *0x420ea0 = 2;
						E004040C5(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00404153(_a8, _a12, _a16);
						}
						ShowWindow( *0x4281b0, _t153);
						ShowWindow(_t164, 8);
						E00404121(_t164);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t127 =  *0x4291f0;
				_a8 =  *((intOrPtr*)(_t127 + 0x5c));
				_a12 =  *((intOrPtr*)(_t127 + 0x60));
				 *0x4281b0 = GetDlgItem(_a4, 0x403);
				 *0x4281a8 = GetDlgItem(_a4, 0x3ee);
				_t131 = GetDlgItem(_a4, 0x3f8);
				 *0x4281c4 = _t131;
				_v8 = _t131;
				E00404121( *0x4281b0);
				 *0x4281b4 = E004049EE(4);
				 *0x4281cc = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t153) {
					SendMessageW(_v8, 0x1024, _t153, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004040EC(_a4);
				if(( *0x4291f8 & 0x00000003) != 0) {
					ShowWindow( *0x4281b0, _t153); // executed
					if(( *0x4291f8 & 0x00000002) != 0) {
						 *0x4281b0 = _t153;
					} else {
						ShowWindow(_v8, 8); // executed
					}
					E00404121( *0x4281a8);
				}
				_t163 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t163, 0x401, _t153, 0x75300000);
				if(( *0x4291f8 & 0x00000004) != 0) {
					SendMessageW(_t163, 0x409, _t153, _a12);
					SendMessageW(_t163, 0x2001, _t153, _a8);
				}
				goto L37;
			}

0x00405298
0x0040529e
0x004052a8
0x004052ab
0x00405443
0x00405460
0x00405467
0x00405467
0x0040547a
0x00405498
0x0040549f
0x004054f6
0x004054fa
0x00000000
0x00405501
0x00405509
0x00405511
0x00405514
0x00405618
0x00000000
0x00405618
0x00405523
0x0040552f
0x00405535
0x0040553b
0x00405550
0x00405556
0x0040553d
0x00405542
0x00405548
0x0040554b
0x0040554b
0x00405566
0x0040556e
0x00405571
0x0040557a
0x0040557d
0x00405584
0x0040558b
0x00405593
0x00405593
0x004055aa
0x004055aa
0x004055b1
0x004055b7
0x004055c3
0x004055ca
0x004055d3
0x004055d5
0x004055d8
0x004055e7
0x004055ea
0x004055f0
0x004055f1
0x004055f7
0x004055f8
0x004055f9
0x00405601
0x0040560c
0x00405612
0x00405612
0x00000000
0x00405571
0x004054fa
0x004054a7
0x004054d7
0x004054df
0x004054e1
0x004054ea
0x004054ea
0x004054f1
0x00000000
0x004054f1
0x004054ab
0x004054b5
0x00000000
0x0040547c
0x00405482
0x004054ba
0x00000000
0x004054c3
0x0040548b
0x00405490
0x00405493
0x00000000
0x00405493
0x0040547a
0x004052b1
0x004052b5
0x004052be
0x004052c5
0x004052c8
0x004052cb
0x004052ce
0x004052cf
0x004052d0
0x004052e9
0x004052ec
0x004052f6
0x00405305
0x0040530d
0x00405315
0x0040531a
0x0040531d
0x00405329
0x00405332
0x0040533b
0x0040535e
0x00405364
0x00405375
0x0040537a
0x00405388
0x00405396
0x00405396
0x0040539b
0x004053a9
0x004053a9
0x004053ae
0x004053b1
0x004053b6
0x004053c2
0x004053cb
0x004053d8
0x004053e7
0x004053da
0x004053df
0x004053df
0x004053f3
0x004053f3
0x00405407
0x00405410
0x00405419
0x00405429
0x00405435
0x00405435
0x00000000

APIs

GetDlgItem.USER32 ref: 004052EF
GetDlgItem.USER32 ref: 004052FE
GetClientRect.USER32 ref: 0040533B
GetSystemMetrics.USER32 ref: 00405343
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00405364
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405375
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405388
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405396
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053A9
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004053CB
ShowWindow.USER32(?,00000008), ref: 004053DF
GetDlgItem.USER32 ref: 00405400
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405410
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405429
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405435
GetDlgItem.USER32 ref: 0040530D

Part of subcall function 00404121: SendMessageW.USER32(00000028,?,00000001,00403F4D), ref: 0040412F

GetDlgItem.USER32 ref: 00405452
CreateThread.KERNELBASE ref: 00405460
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405467
ShowWindow.USER32(00000000), ref: 0040548B
ShowWindow.USER32(?,00000008), ref: 00405490
ShowWindow.USER32(00000008), ref: 004054D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405509
CreatePopupMenu.USER32 ref: 0040551A
AppendMenuW.USER32 ref: 0040552F
GetWindowRect.USER32 ref: 00405542
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405566
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055A1
OpenClipboard.USER32(00000000), ref: 004055B1
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004055B7
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 004055C3
GlobalLock.KERNEL32 ref: 004055CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E1
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405601
SetClipboardData.USER32 ref: 0040560C
CloseClipboard.USER32 ref: 00405612

Strings

{, xrefs: 004054F6

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: 48389dd44a5c73f2eab6de5290a9134d980a474c89115d82e2134959610b7160
Instruction ID: 7f091298f7becab3225670bd1778210264cbfa36252335df8667ee54f0bbe998
Opcode Fuzzy Hash: 48389dd44a5c73f2eab6de5290a9134d980a474c89115d82e2134959610b7160
Instruction Fuzzy Hash: B4A15B70900208BFEB119F61DD89AAE3B79FB48355F00803AFA05BA1A0C7755E52DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00405EBF Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00405EBF(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				intOrPtr* _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t48;
				WCHAR* _t49;
				signed char _t51;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				short _t66;
				short _t67;
				short _t69;
				short _t71;
				void* _t81;
				signed int _t85;
				intOrPtr* _t89;
				signed char _t90;
				void* _t98;
				void* _t108;
				short _t109;
				signed int _t112;
				void* _t113;
				WCHAR* _t114;
				void* _t116;

				_t113 = __esi;
				_t108 = __edi;
				_t81 = __ebx;
				_t48 = _a8;
				if(_t48 < 0) {
					_t48 =  *( *0x4281bc - 4 + _t48 * 4);
				}
				_push(_t81);
				_push(_t113);
				_push(_t108);
				_t89 =  *0x429218 + _t48 * 2;
				_t49 = 0x427180;
				_t114 = 0x427180;
				if(_a4 >= 0x427180 && _a4 - 0x427180 >> 1 < 0x800) {
					_t114 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t109 =  *_t89;
					if(_t109 == 0) {
						break;
					}
					__eflags = (_t114 - _t49 & 0xfffffffe) - 0x800;
					if((_t114 - _t49 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t98 = 2;
					_t89 = _t89 + _t98;
					__eflags = _t109 - 4;
					_v8 = _t89;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t114 = _t109;
							_t114 = _t114 + _t98;
							__eflags = _t114;
						} else {
							 *_t114 =  *_t89;
							_t114 = _t114 + _t98;
							_t89 = _t89 + _t98;
						}
						continue;
					}
					_t51 =  *((intOrPtr*)(_t89 + 1));
					_t90 =  *_t89;
					_v8 = _v8 + 2;
					_t85 = _t90 & 0x000000ff;
					_t52 = _t51 & 0x000000ff;
					_a8 = (_t51 & 0x0000007f) << 0x00000007 | _t90 & 0x0000007f;
					_v16 = _t52;
					_t53 = _t52 | 0x00008000;
					__eflags = _t109 - 2;
					_v24 = _t85;
					_v28 = _t85 | 0x00008000;
					_v20 = _t53;
					if(_t109 != 2) {
						__eflags = _t109 - 3;
						if(_t109 != 3) {
							__eflags = _t109 - 1;
							if(_t109 == 1) {
								__eflags = (_t53 | 0xffffffff) - _a8;
								E00405EBF(_t85, _t109, _t114, _t114, (_t53 | 0xffffffff) - _a8);
							}
							L42:
							_t54 = lstrlenW(_t114);
							_t89 = _v8;
							_t114 =  &(_t114[_t54]);
							_t49 = 0x427180;
							continue;
						}
						__eflags = _a8 - 0x1d;
						if(_a8 != 0x1d) {
							__eflags = (_a8 << 0xb) + 0x42a000;
							E00405E9D(_t114, (_a8 << 0xb) + 0x42a000);
						} else {
							E00405DE4(_t114,  *0x4291e8);
						}
						__eflags = _a8 + 0xffffffeb - 7;
						if(_a8 + 0xffffffeb < 7) {
							L33:
							E00406131(_t114);
						}
						goto L42;
					}
					_t112 = 2;
					_t66 = GetVersion();
					__eflags = _t66;
					if(_t66 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x429264;
						if( *0x429264 != 0) {
							_t112 = 4;
						}
						__eflags = _t85;
						if(_t85 >= 0) {
							__eflags = _t85 - 0x25;
							if(_t85 != 0x25) {
								__eflags = _t85 - 0x24;
								if(_t85 == 0x24) {
									GetWindowsDirectoryW(_t114, 0x400);
									_t112 = 0;
								}
								while(1) {
									__eflags = _t112;
									if(_t112 == 0) {
										goto L30;
									}
									_t67 =  *0x4291e4;
									_t112 = _t112 - 1;
									__eflags = _t67;
									if(_t67 == 0) {
										L26:
										_t69 = SHGetSpecialFolderLocation( *0x4291e8,  *(_t116 + _t112 * 4 - 0x18),  &_v12);
										__eflags = _t69;
										if(_t69 != 0) {
											L28:
											 *_t114 =  *_t114 & 0x00000000;
											__eflags =  *_t114;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t114);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t69;
										if(_t69 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t71 =  *_t67( *0x4291e8,  *(_t116 + _t112 * 4 - 0x18), 0, 0, _t114); // executed
									__eflags = _t71;
									if(_t71 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t114, 0x400);
							goto L30;
						} else {
							_t87 = _t85 & 0x0000003f;
							E00405D6A(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x429218 + (_t85 & 0x0000003f) * 2, _t114, _t85 & 0x00000040); // executed
							__eflags =  *_t114;
							if( *_t114 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatW(_t114, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00405EBF(_t87, _t112, _t114, _t114, _v16);
							L30:
							__eflags =  *_t114;
							if( *_t114 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t66 - 0x5a04;
					if(_t66 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t114 =  *_t114 & 0x00000000;
				if(_a4 == 0) {
					return _t49;
				}
				return E00405E9D(_a4, _t49);
			}

0x00405ebf
0x00405ebf
0x00405ebf
0x00405ec5
0x00405eca
0x00405edb
0x00405edb
0x00405ee3
0x00405ee4
0x00405ee5
0x00405ee6
0x00405ee9
0x00405ef1
0x00405ef3
0x00405f0c
0x00405f0f
0x00405f0f
0x0040610b
0x0040610b
0x00406111
0x00000000
0x00000000
0x00405f1f
0x00405f25
0x00000000
0x00000000
0x00405f2d
0x00405f2e
0x00405f30
0x00405f34
0x00405f37
0x004060f8
0x00406106
0x00406109
0x00406109
0x004060fa
0x004060fd
0x00406100
0x00406102
0x00406102
0x00000000
0x004060f8
0x00405f3d
0x00405f40
0x00405f4f
0x00405f55
0x00405f58
0x00405f5b
0x00405f65
0x00405f6a
0x00405f6c
0x00405f70
0x00405f73
0x00405f76
0x00405f79
0x00406099
0x0040609d
0x004060d2
0x004060d6
0x004060db
0x004060e0
0x004060e0
0x004060e5
0x004060e6
0x004060eb
0x004060ee
0x004060f1
0x00000000
0x004060f1
0x0040609f
0x004060a3
0x004060b9
0x004060c0
0x004060a5
0x004060ac
0x004060ac
0x004060cb
0x004060ce
0x00406091
0x00406092
0x00406092
0x00000000
0x004060ce
0x00405f81
0x00405f82
0x00405f88
0x00405f8a
0x00405fa4
0x00405fa4
0x00405fab
0x00405fab
0x00405fb2
0x00405fb6
0x00405fb6
0x00405fb7
0x00405fb9
0x00405ff5
0x00405ff8
0x00406008
0x0040600b
0x00406013
0x00406019
0x00406019
0x00406076
0x00406076
0x00406078
0x00000000
0x00000000
0x0040601d
0x00406024
0x00406025
0x00406027
0x00406041
0x0040604f
0x00406055
0x00406057
0x00406072
0x00406072
0x00406072
0x00000000
0x00406072
0x0040605d
0x00406068
0x0040606e
0x00406070
0x00000000
0x00000000
0x00000000
0x00406070
0x00406029
0x0040602c
0x00000000
0x00000000
0x0040603b
0x0040603d
0x0040603f
0x00000000
0x00000000
0x00000000
0x0040603f
0x00000000
0x00406076
0x00406000
0x00000000
0x00405fbb
0x00405fbd
0x00405fd8
0x00405fdd
0x00405fe1
0x00406080
0x00406080
0x00406084
0x0040608c
0x0040608c
0x00000000
0x00406084
0x00405feb
0x0040607a
0x0040607a
0x0040607e
0x00000000
0x00000000
0x00000000
0x0040607e
0x00405fb9
0x00405f8c
0x00405f90
0x00000000
0x00000000
0x00405f92
0x00405f96
0x00000000
0x00000000
0x00405f98
0x00405f9c
0x00000000
0x00405f9e
0x00405f9e
0x00000000
0x00405f9e
0x00405f9c
0x00406117
0x00406122
0x0040612e
0x0040612e
0x00000000

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,?,00405188,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000), ref: 00405F82
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406000
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 00406013
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040604F
SHGetPathFromIDListW.SHELL32(?,Call), ref: 0040605D
CoTaskMemFree.OLE32(?), ref: 00406068
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040608C
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,?,00405188,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000), ref: 004060E6

Strings

Call, xrefs: 00405EE9, 00405FC9, 00405FEA, 00405FFF, 00406012, 0040602E, 00406059, 0040608B, 00406091, 004060AB, 004060BF, 004060DF, 004060E5, 004060F1, 00406124
Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll, xrefs: 00405EE4
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406086
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405FCE

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-3257910424
Opcode ID: a306e896c1b2368d8e86cd8f96ae9dc8e6cf991007632883e970c29bf9e806ff
Instruction ID: 9863521ec92f495de4d89549310d97fc585f704d921e86bdef6722fc19056b92
Opcode Fuzzy Hash: a306e896c1b2368d8e86cd8f96ae9dc8e6cf991007632883e970c29bf9e806ff
Instruction Fuzzy Hash: 5D61E171A40515AAEF208F25CC44AAF37A5EF40314F11C13BE546BA2D0D77D9AA2CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040572C Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040572C(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAW _v608;
				signed int _t42;
				signed int* _t55;
				signed int _t57;
				signed int _t60;
				signed int _t66;
				signed int _t68;
				void* _t70;
				signed char _t71;
				WCHAR* _t72;
				WCHAR* _t74;
				short* _t77;

				_t71 = _a8;
				_t74 = _a4;
				_v8 = _t71 & 0x00000004;
				_t42 = E00405A0D(__eflags, _t74);
				_v16 = _t42;
				if((_t71 & 0x00000008) != 0) {
					_t68 = DeleteFileW(_t74); // executed
					asm("sbb eax, eax");
					_t70 =  ~_t68 + 1;
					 *0x429268 =  *0x429268 + _t70;
					return _t70;
				}
				_a4 = _t71;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00405E9D(0x4246d8, _t74);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405951(_t74);
					} else {
						lstrcatW(0x4246d8, L"\\*.*");
					}
					__eflags =  *_t74;
					if( *_t74 != 0) {
						L10:
						lstrcatW(_t74, 0x409014);
						L11:
						_t72 =  &(_t74[lstrlenW(_t74)]);
						_t42 = FindFirstFileW(0x4246d8,  &_v608);
						__eflags = _t42 - 0xffffffff;
						_v12 = _t42;
						if(_t42 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t34 = _t72 - 2;
								 *_t34 =  *(_t72 - 2) & 0x00000000;
								__eflags =  *_t34;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t77 =  &(_v608.cFileName);
							_t55 = E00405932( &(_v608.cFileName), 0x3f);
							__eflags =  *_t55;
							if( *_t55 != 0) {
								__eflags = _v608.cAlternateFileName;
								if(_v608.cAlternateFileName != 0) {
									_t77 =  &(_v608.cAlternateFileName);
								}
							}
							__eflags =  *_t77 - 0x2e;
							if( *_t77 != 0x2e) {
								L19:
								E00405E9D(_t72, _t77);
								__eflags = _v608.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t57 = E004056E4(__eflags, _t74, _v8);
									__eflags = _t57;
									if(_t57 != 0) {
										E00405151(0xfffffff2, _t74);
									} else {
										__eflags = _v8 - _t57;
										if(_v8 == _t57) {
											 *0x429268 =  *0x429268 + 1;
										} else {
											E00405151(0xfffffff1, _t74);
											E00405D37(_t74, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040572C(__eflags, _t74, _a8);
									}
								}
								goto L27;
							}
							_t21 = _t77 + 2; // 0x94358b56
							_t66 =  *_t21;
							__eflags = _t66;
							if(_t66 == 0) {
								goto L27;
							}
							__eflags = _t66 - 0x2e;
							if(_t66 != 0x2e) {
								goto L19;
							}
							__eflags =  *(_t77 + 4);
							if( *(_t77 + 4) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t60 = FindNextFileW(_v12,  &_v608);
							__eflags = _t60;
						} while (_t60 != 0);
						_t42 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x4246d8 - 0x5c;
					if( *0x4246d8 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t42;
					if(_t42 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t42;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t42 = E004061E0(_t74);
							__eflags = _t42;
							if(_t42 == 0) {
								goto L39;
							}
							E00405905(_t74);
							_t42 = E004056E4(__eflags, _t74, _v8 | 0x00000001);
							__eflags = _t42;
							if(_t42 != 0) {
								return E00405151(0xffffffe5, _t74);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00405151(0xfffffff1, _t74);
							return E00405D37(_t74, 0);
						}
						L33:
						 *0x429268 =  *0x429268 + 1;
						return _t42;
					}
					__eflags = _t71 & 0x00000002;
					if((_t71 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405736
0x0040573b
0x00405744
0x00405747
0x0040574f
0x00405752
0x00405755
0x0040575d
0x0040575f
0x00405760
0x00000000
0x00405760
0x0040576b
0x0040576e
0x0040576e
0x0040576e
0x00405772
0x00405785
0x0040578c
0x00405791
0x00405795
0x004057a5
0x00405797
0x0040579d
0x0040579d
0x004057aa
0x004057ae
0x004057ba
0x004057c0
0x004057c5
0x004057cb
0x004057d6
0x004057dc
0x004057df
0x004057e2
0x004058a1
0x004058a1
0x004058a5
0x004058a7
0x004058a7
0x004058a7
0x004058a7
0x00000000
0x00000000
0x00000000
0x00000000
0x004057e8
0x004057e8
0x004057f1
0x004057f7
0x004057fe
0x00405801
0x00405803
0x00405807
0x00405809
0x00405809
0x00405807
0x0040580c
0x00405810
0x00405827
0x00405829
0x0040582e
0x00405835
0x00405850
0x00405855
0x00405857
0x0040587b
0x00405859
0x00405859
0x0040585c
0x00405870
0x0040585e
0x00405861
0x00405869
0x00405869
0x0040585c
0x00405837
0x0040583d
0x0040583f
0x00405845
0x00405845
0x0040583f
0x00000000
0x00405835
0x00405812
0x00405812
0x00405816
0x00405819
0x00000000
0x00000000
0x0040581b
0x0040581f
0x00000000
0x00000000
0x00405821
0x00405825
0x00000000
0x00000000
0x00000000
0x00405880
0x0040588a
0x00405890
0x00405890
0x0040589b
0x00000000
0x0040589b
0x004057b0
0x004057b8
0x00000000
0x00000000
0x00000000
0x00405774
0x00405774
0x00405776
0x004058ac
0x004058ae
0x004058b1
0x00405902
0x00405902
0x00405902
0x004058b3
0x004058b6
0x004058c1
0x004058c6
0x004058c8
0x00000000
0x00000000
0x004058cb
0x004058d7
0x004058dc
0x004058de
0x00000000
0x004058f9
0x004058e0
0x004058e3
0x00000000
0x00000000
0x004058e8
0x00000000
0x004058ef
0x004058b8
0x004058b8
0x00000000
0x004058b8
0x0040577c
0x0040577f
0x00000000
0x00000000
0x00000000
0x0040577f

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,7476F560,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)), ref: 00405755
lstrcatW.KERNEL32(004246D8,\*.*), ref: 0040579D
lstrcatW.KERNEL32(?,00409014), ref: 004057C0
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,7476F560,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)), ref: 004057C6
FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,7476F560,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)), ref: 004057D6
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,?,?,0000003F), ref: 0040588A
FindClose.KERNEL32(00000000), ref: 0040589B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040573A
user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0), xrefs: 00405735
\*.*, xrefs: 00405797

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$\*.*$user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)
API String ID: 2035342205-1343413037
Opcode ID: f42205b60c0d464ea879611f20c792e7dcfa5bd4a3bc34a47f8ae8dcfb6d9e70
Instruction ID: f7207511d910f4bfe7abcbafb813c080bba2142cc0009da2f81b5d75fad62bf7
Opcode Fuzzy Hash: f42205b60c0d464ea879611f20c792e7dcfa5bd4a3bc34a47f8ae8dcfb6d9e70
Instruction Fuzzy Hash: 3E519D32901A04EADB21BB618C89AAF7778EF41754F50813BFC00B62D1D73C8A91DE6D

Uniqueness

Uniqueness Score: -1.00%

Function 004064F2 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E004064F2() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00406D95))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004064f2
0x004064f2
0x004064f7
0x0040656e
0x00406575
0x0040657f
0x00406b5e
0x00406b5e
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406bad
0x00406bd4
0x00406bd4
0x00406bda
0x00406bda
0x00000000
0x00406baf
0x00406baf
0x00406bb3
0x00406d62
0x00000000
0x00406d62
0x00406bbf
0x00406bc6
0x00406bce
0x00406bd1
0x00000000
0x00406bd1
0x004064f9
0x004064f9
0x004064fd
0x00406505
0x00406508
0x0040650a
0x0040650d
0x0040650f
0x00406514
0x00406517
0x0040651e
0x00406525
0x00406528
0x00406533
0x0040653b
0x0040653b
0x00406535
0x00406535
0x00406535
0x0040652a
0x0040652a
0x0040652a
0x00406542
0x00406560
0x00406562
0x00406735
0x00406735
0x00406738
0x0040673b
0x0040673e
0x00406741
0x00406744
0x00406747
0x0040674a
0x0040674d
0x00406753
0x0040676b
0x0040676e
0x00406771
0x00406774
0x00406774
0x00406777
0x0040677d
0x00406755
0x00406755
0x0040675d
0x00406762
0x00406764
0x00406766
0x00406766
0x00406787
0x0040678a
0x0040672d
0x00406733
0x00000000
0x00000000
0x00000000
0x0040678c
0x00406708
0x0040670c
0x00406d14
0x00000000
0x00406d14
0x00406712
0x00406715
0x00406718
0x0040671c
0x0040671f
0x00406725
0x00406727
0x00406727
0x0040672a
0x00000000
0x0040672a
0x00406544
0x00406544
0x00406547
0x0040654d
0x0040654f
0x0040654f
0x00406552
0x00406555
0x00406557
0x00406558
0x0040655b
0x004065c8
0x004065c8
0x004065cc
0x004065cf
0x004065d2
0x004065d5
0x004065d8
0x004065d9
0x004065dc
0x004065de
0x004065e4
0x004065e7
0x004065ea
0x004065ed
0x004065f0
0x004065f6
0x00406612
0x00406615
0x00406618
0x0040661b
0x00406622
0x00406628
0x0040662c
0x004065f8
0x004065f8
0x004065fc
0x00406604
0x00406609
0x0040660b
0x0040660d
0x0040660d
0x00406636
0x00406639
0x004065b0
0x004065b0
0x004065b6
0x00406669
0x0040666f
0x00000000
0x00000000
0x00406671
0x00406674
0x00406677
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406686
0x00406689
0x0040668f
0x004066a7
0x004066aa
0x004066ad
0x004066b0
0x004066b0
0x004066b3
0x004066b9
0x00406691
0x00406691
0x00406699
0x0040669e
0x004066a0
0x004066a2
0x004066a2
0x004066c3
0x004066c6
0x00406644
0x00406648
0x00406d08
0x00000000
0x00406d08
0x0040664e
0x00406651
0x00406654
0x00406658
0x0040665b
0x00406661
0x00406663
0x00406663
0x00406666
0x00406666
0x004066c6
0x004066cd
0x004066cd
0x004066cd
0x004066d1
0x004066d1
0x004066d4
0x004066d7
0x004066db
0x00406d20
0x00000000
0x00406d20
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f5
0x004066f8
0x004066fb
0x004066fe
0x00406700
0x00406700
0x00406700
0x0040689d
0x0040689d
0x004068a0
0x004068a0
0x00000000
0x004068a0
0x004065c2
0x00000000
0x00000000
0x00000000
0x0040663f
0x0040658b
0x0040658f
0x00406cfc
0x00406d78
0x00406d80
0x00406d87
0x00406d89
0x00406d90
0x00406d94
0x00406d94
0x00406595
0x00406598
0x0040659b
0x0040659f
0x004065a2
0x004065a8
0x004065aa
0x004065aa
0x004065ad
0x00000000
0x004065ad
0x00406639
0x00406542
0x00406376
0x00406376
0x0040637f
0x00406d8d
0x00406d8d
0x00000000
0x00406d8d
0x00406385
0x00000000
0x00406390
0x00000000
0x00000000
0x00406399
0x0040639c
0x0040639f
0x004063a3
0x00000000
0x00000000
0x004063a9
0x004063ac
0x004063ae
0x004063af
0x004063b2
0x004063b4
0x004063b5
0x004063b7
0x004063ba
0x004063bf
0x004063c4
0x004063cd
0x004063e0
0x004063e3
0x004063ef
0x00406417
0x00406419
0x00406427
0x00406427
0x0040642b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040641b
0x0040641b
0x0040641e
0x0040641f
0x0040641f
0x00000000
0x0040641b
0x004063f5
0x004063fa
0x004063fa
0x00406403
0x0040640b
0x0040640e
0x00000000
0x00406414
0x00406414
0x00000000
0x00406414
0x00000000
0x00406431
0x00406431
0x00406435
0x00406ce1
0x00000000
0x00406ce1
0x0040643e
0x0040644e
0x00406451
0x00406454
0x00406454
0x00406454
0x00406457
0x0040645b
0x00000000
0x00000000
0x0040645d
0x00406463
0x0040648d
0x00406493
0x0040649a
0x00000000
0x0040649a
0x00406469
0x0040646c
0x00406471
0x00406471
0x0040647c
0x00406484
0x00406487
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064cc
0x004064d2
0x004064d5
0x004064e2
0x004064ea
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x00406cf0
0x00000000
0x00406cf0
0x004064b1
0x004064bc
0x004064bc
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406791
0x00406795
0x004067b3
0x004067b6
0x004067bd
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067ce
0x004067d5
0x004067d6
0x004067d8
0x004067db
0x004067de
0x004067e1
0x004067e1
0x004067e6
0x00000000
0x004067e6
0x00406797
0x0040679a
0x0040679d
0x004067a7
0x00000000
0x00000000
0x004067fb
0x004067ff
0x00406822
0x00406825
0x00406828
0x00406832
0x00406801
0x00406801
0x00406804
0x00406807
0x0040680a
0x00406817
0x0040681a
0x0040681a
0x00000000
0x00000000
0x0040683e
0x00406842
0x00000000
0x00000000
0x00406848
0x0040684c
0x00000000
0x00000000
0x00406852
0x00406854
0x00406858
0x00406858
0x0040685b
0x0040685f
0x00000000
0x00000000
0x004068af
0x004068b3
0x004068ba
0x004068bd
0x004068c0
0x004068ca
0x00000000
0x004068ca
0x004068b5
0x00000000
0x00000000
0x004068d6
0x004068da
0x004068e1
0x004068e4
0x004068e7
0x004068dc
0x004068dc
0x004068dc
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f3
0x004068f6
0x004068f9
0x004068f9
0x004068fc
0x00406903
0x00406908
0x00000000
0x00000000
0x00406996
0x00406996
0x0040699a
0x00406d38
0x00000000
0x00406d38
0x004069a0
0x004069a3
0x004069a6
0x004069aa
0x004069ad
0x004069b3
0x004069b5
0x004069b5
0x004069b5
0x004069b8
0x004069bb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a19
0x00406a19
0x00406a1d
0x00406d44
0x00000000
0x00406d44
0x00406a23
0x00406a26
0x00406a29
0x00406a2d
0x00406a30
0x00406a36
0x00406a38
0x00406a38
0x00406a38
0x00406a3b
0x00000000
0x00000000
0x004067e9
0x004067e9
0x004067ec
0x00000000
0x00000000
0x00406b28
0x00406b2c
0x00406b4e
0x00406b51
0x00406b5b
0x00000000
0x00406b5b
0x00406b2e
0x00406b31
0x00406b35
0x00406b38
0x00406b38
0x00406b3b
0x00000000
0x00000000
0x00406be5
0x00406be9
0x00406c07
0x00406c07
0x00406c07
0x00406c0e
0x00406c15
0x00406c1c
0x00406c1c
0x00000000
0x00406c1c
0x00406beb
0x00406bee
0x00406bf1
0x00406bf4
0x00406bfb
0x00406b3f
0x00406b3f
0x00406b42
0x00000000
0x00000000
0x00406cd6
0x00406cd9
0x00000000
0x00000000
0x00406910
0x00406912
0x00406919
0x0040691a
0x0040691c
0x0040691f
0x00000000
0x00000000
0x00406927
0x0040692a
0x0040692d
0x0040692f
0x00406931
0x00406931
0x00406932
0x00406935
0x0040693c
0x0040693f
0x0040694d
0x00000000
0x00000000
0x00406c23
0x00406c23
0x00406c26
0x00406c2d
0x00000000
0x00000000
0x00406c32
0x00406c32
0x00406c36
0x00406d6e
0x00000000
0x00406d6e
0x00406c3c
0x00406c3f
0x00406c42
0x00406c46
0x00406c49
0x00406c4f
0x00406c51
0x00406c51
0x00406c51
0x00406c54
0x00406c57
0x00406c57
0x00406c57
0x00406c57
0x00406c5a
0x00406c5a
0x00406c5e
0x00406cbe
0x00406cc1
0x00406cc6
0x00406cc7
0x00406cc9
0x00406ccb
0x00406cce
0x00000000
0x00406cce
0x00406c60
0x00406c66
0x00406c69
0x00406c6c
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c7b
0x00406c7e
0x00406c81
0x00406c9a
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca7
0x00406ca9
0x00406ca9
0x00406caa
0x00406cad
0x00406c83
0x00406c83
0x00406c8b
0x00406c90
0x00406c92
0x00406c95
0x00406c95
0x00406cb0
0x00406cb7
0x00000000
0x00406cb9
0x00000000
0x00406cb9
0x00000000
0x00406955
0x00406958
0x0040698e
0x00406abe
0x00406abe
0x00406abe
0x00406abe
0x00406ac1
0x00406ac1
0x00406ac4
0x00406ac6
0x00406d50
0x00000000
0x00406d50
0x00406acc
0x00406acf
0x00000000
0x00000000
0x00406ad5
0x00406ad9
0x00406adc
0x00406adc
0x00406adc
0x00000000
0x00406adc
0x0040695a
0x0040695c
0x0040695e
0x00406960
0x00406963
0x00406964
0x00406966
0x00406968
0x0040696b
0x0040696e
0x00406984
0x00406989
0x004069c1
0x004069c1
0x004069c5
0x004069f1
0x004069f3
0x004069fa
0x004069fd
0x00406a00
0x00406a00
0x00406a05
0x00406a05
0x00406a07
0x00406a0a
0x00406a11
0x00406a14
0x00406a41
0x00406a41
0x00406a44
0x00406a47
0x00406abb
0x00406abb
0x00406abb
0x00000000
0x00406abb
0x00406a49
0x00406a4f
0x00406a52
0x00406a55
0x00406a58
0x00406a5b
0x00406a5e
0x00406a61
0x00406a64
0x00406a67
0x00406a6a
0x00406a83
0x00406a85
0x00406a88
0x00406a89
0x00406a8c
0x00406a8e
0x00406a91
0x00406a93
0x00406a95
0x00406a98
0x00406a9a
0x00406a9d
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa4
0x00406aa7
0x00406aaa
0x00406a6c
0x00406a6c
0x00406a74
0x00406a79
0x00406a7b
0x00406a7e
0x00406a7e
0x00406aad
0x00406ab4
0x00406a3e
0x00406a3e
0x00406a3e
0x00406a3e
0x00000000
0x00406ab6
0x00000000
0x00406ab6
0x00406ab4
0x004069c7
0x004069ca
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d7
0x004069da
0x004069dd
0x004069dd
0x004069e0
0x004069e0
0x004069e3
0x004069ea
0x004069be
0x004069be
0x004069be
0x004069be
0x00000000
0x004069ec
0x00000000
0x004069ec
0x004069ea
0x00406970
0x00406973
0x00406975
0x00406978
0x00000000
0x00000000
0x00000000
0x00000000
0x00406862
0x00406862
0x00406866
0x00406d2c
0x00000000
0x00406d2c
0x0040686c
0x0040686f
0x00406872
0x00406875
0x00406877
0x00406877
0x00406877
0x0040687a
0x0040687d
0x00406880
0x00406883
0x00406886
0x00406889
0x0040688a
0x0040688c
0x0040688c
0x0040688c
0x0040688f
0x00406892
0x00406895
0x00406898
0x00406898
0x00406898
0x0040689b
0x00000000
0x00000000
0x00406adf
0x00406adf
0x00406adf
0x00406ae3
0x00000000
0x00000000
0x00406ae9
0x00406aec
0x00406aef
0x00406af2
0x00406af4
0x00406af4
0x00406af4
0x00406af7
0x00406afa
0x00406afd
0x00406b00
0x00406b03
0x00406b06
0x00406b07
0x00406b09
0x00406b09
0x00406b09
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b18
0x00406b1c
0x00406b1e
0x00406b21
0x00000000
0x00406b23
0x00000000
0x00406b23
0x00406b21
0x00406d56
0x00000000
0x00000000
0x00406385

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad35e46a53c7c03b9a5032a24da5fc3cb8cdafb003eb0037a62da6a5fa4b3048
Instruction ID: f569ceef42f0f39e48b799419d56e1865f5d2c2dacee3b47c7b28df88ff47306
Opcode Fuzzy Hash: ad35e46a53c7c03b9a5032a24da5fc3cb8cdafb003eb0037a62da6a5fa4b3048
Instruction Fuzzy Hash: 45F16571D00229CBCF28CFA8C8946ADBBB1FF45305F25856ED856BB281D7385A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004061E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061E0(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x425720); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x425720;
			}

0x004061eb
0x004061f4
0x00000000
0x00406201
0x004061f7
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A56,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,7476F560,0040574C,?,C:\Users\user\AppData\Local\Temp\,7476F560), ref: 004061EB
FindClose.KERNEL32(00000000), ref: 004061F7

Strings

WB, xrefs: 004061E1

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: a18d0603e464bea63c835829bd33f37d5ec7140dfa5c6ab6a69e128ad9cde999
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 96D012319580209BD60067787D4C85B7A599B493707514AB6F436F23E0C7389C6586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406207 Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406207(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409408);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x40940c));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x0040620f
0x00406212
0x00406219
0x00406221
0x0040622e
0x00000000
0x00406235
0x00406224
0x0040622c
0x00000000
0x00000000
0x0040623d

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040335F,00000008), ref: 00406219
LoadLibraryA.KERNELBASE(?,?,00000020,0040335F,00000008), ref: 00406224
GetProcAddress.KERNEL32(00000000,?), ref: 00406235

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction ID: ca5e794469ed53c1716c653d1fb5523d35979d69368e52f8fb4ba297bcecd224
Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction Fuzzy Hash: 89E0CD36A08120B7C7115B249D4496777ACEFE9601305043DF545F6240C774AC2297A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402706 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00402706(short __ebx, short* __esi) {
				void* _t8;
				void* _t21;

				_t8 = FindFirstFileW(E00402AD0(2), _t21 - 0x2b4); // executed
				if(_t8 != 0xffffffff) {
					E00405DE4( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x288);
					_push(__esi);
					E00405E9D();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402715
0x0040271e
0x00402739
0x00402744
0x00402745
0x00402881
0x00402720
0x00402723
0x00402726
0x00402729
0x00402729
0x00402960
0x0040296c

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402715

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0131a0fa84d391cf457f9a882f4b1d4084178b825c6f27f2e0a852eff8bc9f44
Instruction ID: de57b5a0ef50dfb909a553590d6c3963445b4d30fa831f727388a8f815a4e581
Opcode Fuzzy Hash: 0131a0fa84d391cf457f9a882f4b1d4084178b825c6f27f2e0a852eff8bc9f44
Instruction Fuzzy Hash: 9EF08271A04115EBDB00EBA4DA499EEB378EF04314F6045B7E115F31D1D7B44A41DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00403871 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403871() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				struct HINSTANCE__* _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t88;

				_t82 =  *0x4291f0;
				_t22 = E00406207(6);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x4226d0;
					L"1033" = 0x30;
					 *0x436002 = 0x78;
					 *0x436004 = 0;
					E00405D6A(0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x4226d0, 0);
					__eflags =  *0x4226d0;
					if(__eflags == 0) {
						E00405D6A(0x80000003, L".DEFAULT\\Control Panel\\International",  &M0040739C, 0x4226d0, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E00405DE4(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403B47(_t78, _t90);
				_t87 = L"C:\\Users\\jones\\Nonhieratical";
				 *0x429260 =  *0x4291f8 & 0x00000020;
				 *0x42927c = 0x10000;
				if(E00405A0D(_t90, L"C:\\Users\\jones\\Nonhieratical") != 0) {
					L16:
					if(E00405A0D(_t98, _t87) == 0) {
						E00405EBF(_t76, 0, _t82, _t87,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x4291e0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x4281c8 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403B47(_t78, __eflags);
							__eflags =  *0x429280;
							if( *0x429280 != 0) {
								_t33 = E00405224(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x4281ac;
								if( *0x4281ac == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x4226b0, 5); // executed
							_t39 = LoadLibraryW(L"RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								LoadLibraryW(L"RichEd32");
							}
							_t88 = L"RichEdit20A";
							_t40 = GetClassInfoW(0, _t88, 0x428180);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x428180);
								 *0x4281a4 = _t88;
								RegisterClassW(0x428180);
							}
							_t44 = DialogBoxParamW( *0x4291e0,  *0x4281c0 + 0x00000069 & 0x0000ffff, 0, E00403C14, 0); // executed
							E004037C1(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x4291e0;
						 *0x428184 = E00401000;
						 *0x428190 =  *0x4291e0;
						 *0x428194 = _t30;
						 *0x4281a4 = 0x4093ac;
						if(RegisterClassW(0x428180) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x4226b0 = CreateWindowExW(0x80, 0x4093ac, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x4291e0, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					if( *(_t82 + 0x48) == 0) {
						goto L16;
					}
					_t76 = 0x427180;
					E00405D6A( *((intOrPtr*)(_t82 + 0x44)),  *0x429218 + _t78 * 2,  *0x429218 +  *(_t82 + 0x4c) * 2, 0x427180, 0);
					_t63 =  *0x427180; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x427182;
						 *((short*)(E00405932(0x427182, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00405E9D(_t87, E00405905(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405951(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403877
0x00403880
0x00403887
0x00403889
0x0040389d
0x004038af
0x004038b8
0x004038c1
0x004038c8
0x004038cd
0x004038d4
0x004038e7
0x004038e7
0x004038f2
0x0040388b
0x00403896
0x00403896
0x004038f7
0x00403901
0x0040390a
0x0040390f
0x00403920
0x004039b2
0x004039ba
0x004039c3
0x004039c3
0x004039d9
0x004039df
0x004039ed
0x00403a6e
0x00403a76
0x00403a80
0x00403a85
0x00403a8b
0x00403b15
0x00403b1a
0x00403b1c
0x00403b38
0x00000000
0x00403b38
0x00403b1e
0x00403b24
0x00403b2c
0x00403b2c
0x00000000
0x00403b24
0x00403a99
0x00403aaa
0x00403aac
0x00403aae
0x00403ab5
0x00403ab5
0x00403abd
0x00403ac5
0x00403ac7
0x00403ac9
0x00403ad2
0x00403ad5
0x00403adb
0x00403adb
0x00403afa
0x00403b0b
0x00000000
0x00403b10
0x00403a78
0x00403a7a
0x00000000
0x004039ef
0x004039ef
0x004039fb
0x00403a05
0x00403a0b
0x00403a10
0x00403a1f
0x00403b3d
0x00403b3d
0x00000000
0x00403b3d
0x00403a2e
0x00403a69
0x00000000
0x00403a69
0x00403926
0x00403926
0x0040392b
0x00000000
0x00000000
0x00403939
0x0040394b
0x00403950
0x00403959
0x00000000
0x00000000
0x0040395f
0x00403961
0x0040396e
0x0040396e
0x00403977
0x0040397d
0x004039a5
0x004039ad
0x00000000
0x0040398f
0x00403990
0x00403999
0x0040399f
0x004039a0
0x00000000
0x004039a0
0x0040399b
0x0040399d
0x00000000
0x00000000
0x00000000
0x0040399d
0x0040397d

APIs

Part of subcall function 00406207: GetModuleHandleA.KERNEL32(?,?,00000020,0040335F,00000008), ref: 00406219
Part of subcall function 00406207: LoadLibraryA.KERNELBASE(?,?,00000020,0040335F,00000008), ref: 00406224
Part of subcall function 00406207: GetProcAddress.KERNEL32(00000000,?), ref: 00406235

lstrcatW.KERNEL32(1033,004226D0), ref: 004038F2
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\Nonhieratical,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 00403972
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\Nonhieratical,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 00403985
GetFileAttributesW.KERNEL32(Call), ref: 00403990
LoadImageW.USER32 ref: 004039D9

Part of subcall function 00405DE4: wsprintfW.USER32 ref: 00405DF1

RegisterClassW.USER32 ref: 00403A16
SystemParametersInfoW.USER32 ref: 00403A2E
CreateWindowExW.USER32 ref: 00403A63
ShowWindow.USER32(00000005,00000000), ref: 00403A99
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AAA
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AB5
GetClassInfoW.USER32 ref: 00403AC5
GetClassInfoW.USER32 ref: 00403AD2
RegisterClassW.USER32 ref: 00403ADB
DialogBoxParamW.USER32 ref: 00403AFA

Strings

RichEd20, xrefs: 00403AA5
Control Panel\Desktop\ResourceLocale, xrefs: 004038A5
user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0), xrefs: 00403874
.exe, xrefs: 0040397F
C:\Users\user\AppData\Local\Temp\, xrefs: 0040387D
1033, xrefs: 00403891, 004038ED
RichEdit, xrefs: 00403ACC
RichEd32, xrefs: 00403AB0
.DEFAULT\Control Panel\International, xrefs: 004038DD
Call, xrefs: 00403939, 00403942, 00403950, 0040399F, 004039A5
C:\Users\user\Nonhieratical, xrefs: 00403901, 00403909, 004039AC, 004039B2, 004039C2
_Nb, xrefs: 004039F5, 00403A5D
RichEdit20A, xrefs: 00403ABD, 00403AC3

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Nonhieratical$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)
API String ID: 914957316-3790569936
Opcode ID: 29a24fdd2de35a4d79c6d80585d1405e496615c8223757502deabd1a5a02d68b
Instruction ID: 1e8b60db43c4652e5f5ba3298663f294323028fb92c4853f3cd4a992f45b2dfd
Opcode Fuzzy Hash: 29a24fdd2de35a4d79c6d80585d1405e496615c8223757502deabd1a5a02d68b
Instruction Fuzzy Hash: C661D970604200BAE720AF269D46F3B3A7CEB44749F40453FF941B62E2D77C6902CA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C14 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00403C14(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t69;
				struct HWND__* _t75;
				signed int _t88;
				struct HWND__* _t93;
				signed int _t101;
				int _t105;
				signed int _t117;
				signed int _t118;
				int _t119;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				long _t132;
				int _t134;
				int _t135;
				void* _t136;

				_t117 = _a8;
				if(_t117 == 0x110 || _t117 == 0x408) {
					_t37 = _a12;
					_t127 = _a4;
					__eflags = _t117 - 0x110;
					 *0x4226b8 = _t37;
					if(_t117 == 0x110) {
						 *0x4291e8 = _t127;
						 *0x4226cc = GetDlgItem(_t127, 1);
						_t93 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x420698 = _t93;
						E004040EC(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x4281c8); // executed
						 *0x4281ac = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x4226b8 = 1;
					}
					_t124 =  *0x409394; // 0x0
					_t135 = 0;
					_t132 = (_t124 << 6) +  *0x429200;
					__eflags = _t124;
					if(_t124 < 0) {
						L34:
						E00404138(0x40b);
						while(1) {
							_t39 =  *0x4226b8;
							 *0x409394 =  *0x409394 + _t39;
							_t132 = _t132 + (_t39 << 6);
							_t41 =  *0x409394; // 0x0
							__eflags = _t41 -  *0x429204;
							if(_t41 ==  *0x429204) {
								E0040140B(1);
							}
							__eflags =  *0x4281ac - _t135;
							if( *0x4281ac != _t135) {
								break;
							}
							__eflags =  *0x409394 -  *0x429204; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t118 =  *(_t132 + 0x14);
							E00405EBF(_t118, _t127, _t132, 0x439000,  *((intOrPtr*)(_t132 + 0x24)));
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E004040EC(_t127);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E004040EC(_t127);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E004040EC(_t127);
							_t51 = GetDlgItem(_t127, 3);
							__eflags =  *0x42926c - _t135;
							_v32 = _t51;
							if( *0x42926c != _t135) {
								_t118 = _t118 & 0x0000fefd | 0x00000004;
								__eflags = _t118;
							}
							ShowWindow(_t51, _t118 & 0x00000008); // executed
							EnableWindow( *(_t136 + 0x30), _t118 & 0x00000100); // executed
							E0040410E(_t118 & 0x00000002);
							_t119 = _t118 & 0x00000004;
							EnableWindow( *0x420698, _t119);
							__eflags = _t119 - _t135;
							if(_t119 == _t135) {
								_push(1);
							} else {
								_push(_t135);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t135), 0xf060, ??);
							SendMessageW( *(_t136 + 0x38), 0xf4, _t135, 1);
							__eflags =  *0x42926c - _t135;
							if( *0x42926c == _t135) {
								_push( *0x4226cc);
							} else {
								SendMessageW(_t127, 0x401, 2, _t135);
								_push( *0x420698);
							}
							E00404121();
							E00405E9D(0x4226d0, 0x4281e0);
							E00405EBF(0x4226d0, _t127, _t132,  &(0x4226d0[lstrlenW(0x4226d0)]),  *((intOrPtr*)(_t132 + 0x18)));
							SetWindowTextW(_t127, 0x4226d0); // executed
							_t69 = E00401389( *((intOrPtr*)(_t132 + 8)), _t135);
							__eflags = _t69;
							if(_t69 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t135;
								if( *_t132 == _t135) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x4281b8); // executed
									 *0x4216a8 = _t132;
									__eflags =  *_t132 - _t135;
									if( *_t132 <= _t135) {
										goto L58;
									}
									_t75 = CreateDialogParamW( *0x4291e0,  *_t132 +  *0x4281c0 & 0x0000ffff, _t127,  *(0x409398 +  *(_t132 + 4) * 4), _t132); // executed
									__eflags = _t75 - _t135;
									 *0x4281b8 = _t75;
									if(_t75 == _t135) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t132 + 0x2c)));
									_push(6);
									E004040EC(_t75);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t136 + 0x10);
									ScreenToClient(_t127, _t136 + 0x10);
									SetWindowPos( *0x4281b8, _t135,  *(_t136 + 0x20),  *(_t136 + 0x20), _t135, _t135, 0x15);
									E00401389( *((intOrPtr*)(_t132 + 0xc)), _t135);
									__eflags =  *0x4281ac - _t135;
									if( *0x4281ac != _t135) {
										goto L61;
									}
									ShowWindow( *0x4281b8, 8); // executed
									E00404138(0x405);
									goto L58;
								}
								__eflags =  *0x42926c - _t135;
								if( *0x42926c != _t135) {
									goto L61;
								}
								__eflags =  *0x429260 - _t135;
								if( *0x429260 != _t135) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x4281b8);
						 *0x4291e8 = _t135;
						EndDialog(_t127,  *0x420ea0);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t132 - _t135;
							if( *_t132 == _t135) {
								goto L61;
							}
							goto L34;
						}
						_t88 = E00401389( *((intOrPtr*)(_t132 + 0x10)), 0);
						__eflags = _t88;
						if(_t88 == 0) {
							goto L33;
						}
						SendMessageW( *0x4281b8, 0x40f, 0, 1);
						__eflags =  *0x4281ac;
						return 0 |  *0x4281ac == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t135 = 0;
					if(_t117 == 0x47) {
						SetWindowPos( *0x4226b0, _t127, 0, 0, 0, 0, 0x13);
					}
					if(_t117 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x4226b0,  ~(_a12 - 1) & _t117);
					}
					if(_t117 != 0x40d) {
						__eflags = _t117 - 0x11;
						if(_t117 != 0x11) {
							__eflags = _t117 - 0x111;
							if(_t117 != 0x111) {
								L26:
								return E00404153(_t117, _a12, _a16);
							}
							_t134 = _a12 & 0x0000ffff;
							_t128 = GetDlgItem(_t127, _t134);
							__eflags = _t128 - _t135;
							if(_t128 == _t135) {
								L13:
								__eflags = _t134 - 1;
								if(_t134 != 1) {
									__eflags = _t134 - 3;
									if(_t134 != 3) {
										_t129 = 2;
										__eflags = _t134 - _t129;
										if(_t134 != _t129) {
											L25:
											SendMessageW( *0x4281b8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42926c - _t135;
										if( *0x42926c == _t135) {
											_t101 = E0040140B(3);
											__eflags = _t101;
											if(_t101 != 0) {
												goto L26;
											}
											 *0x420ea0 = 1;
											L21:
											_push(0x78);
											L22:
											E004040C5();
											goto L26;
										}
										E0040140B(_t129);
										 *0x420ea0 = _t129;
										goto L21;
									}
									__eflags =  *0x409394 - _t135; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t134);
								goto L22;
							}
							SendMessageW(_t128, 0xf3, _t135, _t135);
							_t105 = IsWindowEnabled(_t128);
							__eflags = _t105;
							if(_t105 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t127, _t135, _t135);
						return 1;
					} else {
						DestroyWindow( *0x4281b8);
						 *0x4281b8 = _a12;
						L58:
						if( *0x4246d0 == _t135 &&  *0x4281b8 != _t135) {
							ShowWindow(_t127, 0xa); // executed
							 *0x4246d0 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403c1d
0x00403c26
0x00403d67
0x00403d6b
0x00403d6f
0x00403d71
0x00403d76
0x00403d81
0x00403d8c
0x00403d91
0x00403d93
0x00403d95
0x00403d98
0x00403d9d
0x00403dab
0x00403db8
0x00403dbf
0x00403dbf
0x00403dc0
0x00403dc0
0x00403dc5
0x00403dcb
0x00403dd2
0x00403dd8
0x00403dda
0x00403e1a
0x00403e1f
0x00403e24
0x00403e24
0x00403e29
0x00403e32
0x00403e34
0x00403e39
0x00403e3f
0x00403e43
0x00403e43
0x00403e48
0x00403e4e
0x00000000
0x00000000
0x00403e59
0x00403e5f
0x00000000
0x00000000
0x00403e68
0x00403e70
0x00403e75
0x00403e78
0x00403e7e
0x00403e83
0x00403e86
0x00403e8c
0x00403e91
0x00403e94
0x00403e9a
0x00403ea2
0x00403ea8
0x00403eae
0x00403eb2
0x00403eb9
0x00403eb9
0x00403eb9
0x00403ec3
0x00403ed5
0x00403ee1
0x00403ee6
0x00403ef0
0x00403ef6
0x00403ef8
0x00403efd
0x00403efa
0x00403efa
0x00403efa
0x00403f0d
0x00403f25
0x00403f27
0x00403f2d
0x00403f42
0x00403f2f
0x00403f38
0x00403f3a
0x00403f3a
0x00403f48
0x00403f58
0x00403f6e
0x00403f75
0x00403f7f
0x00403f84
0x00403f86
0x00000000
0x00403f8c
0x00403f8c
0x00403f8e
0x00000000
0x00000000
0x00403f94
0x00403f98
0x00403fbd
0x00403fc3
0x00403fc9
0x00403fcb
0x00000000
0x00000000
0x00403ff1
0x00403ff7
0x00403ff9
0x00403ffe
0x00000000
0x00000000
0x00404004
0x00404007
0x0040400a
0x00404021
0x0040402d
0x00404046
0x00404050
0x00404055
0x0040405b
0x00000000
0x00000000
0x00404065
0x00404070
0x00000000
0x00404070
0x00403f9a
0x00403fa0
0x00000000
0x00000000
0x00403fa6
0x00403fac
0x00000000
0x00000000
0x00000000
0x00403fb2
0x00403f86
0x0040407d
0x00404089
0x00404090
0x00000000
0x00403ddc
0x00403ddc
0x00403ddf
0x00403e12
0x00403e12
0x00403e14
0x00000000
0x00000000
0x00000000
0x00403e14
0x00403de5
0x00403dea
0x00403dec
0x00000000
0x00000000
0x00403dfc
0x00403e04
0x00000000
0x00403e0a
0x00403c38
0x00403c38
0x00403c3c
0x00403c41
0x00403c50
0x00403c50
0x00403c59
0x00403c62
0x00403c6d
0x00403c6d
0x00403c79
0x00403c95
0x00403c98
0x00403cab
0x00403cb1
0x00403d54
0x00000000
0x00403d5d
0x00403cb7
0x00403cc4
0x00403cc6
0x00403cc8
0x00403ce7
0x00403ce7
0x00403cea
0x00403cef
0x00403cf2
0x00403d02
0x00403d03
0x00403d05
0x00403d3b
0x00403d4e
0x00000000
0x00403d4e
0x00403d07
0x00403d0d
0x00403d26
0x00403d2b
0x00403d2d
0x00000000
0x00000000
0x00403d2f
0x00403d1b
0x00403d1b
0x00403d1d
0x00403d1d
0x00000000
0x00403d1d
0x00403d10
0x00403d15
0x00000000
0x00403d15
0x00403cf4
0x00403cfa
0x00000000
0x00000000
0x00403cfc
0x00000000
0x00403cfc
0x00403cec
0x00000000
0x00403cec
0x00403cd2
0x00403cd9
0x00403cdf
0x00403ce1
0x00000000
0x00000000
0x00000000
0x00403ce1
0x00403c9d
0x00000000
0x00403c7b
0x00403c81
0x00403c8b
0x00404096
0x0040409c
0x004040a9
0x004040af
0x004040af
0x004040b9
0x00000000
0x004040b9
0x00403c79

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C50
ShowWindow.USER32(?), ref: 00403C6D
DestroyWindow.USER32 ref: 00403C81
SetWindowLongW.USER32 ref: 00403C9D
GetDlgItem.USER32 ref: 00403CBE
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CD2
IsWindowEnabled.USER32(00000000), ref: 00403CD9
GetDlgItem.USER32 ref: 00403D87
GetDlgItem.USER32 ref: 00403D91
KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00403DAB
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403DFC
GetDlgItem.USER32 ref: 00403EA2
ShowWindow.USER32(00000000,?), ref: 00403EC3
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403ED5
EnableWindow.USER32(?,?), ref: 00403EF0
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F06
EnableMenuItem.USER32 ref: 00403F0D
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F25
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F38
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403F61
SetWindowTextW.USER32(?,004226D0), ref: 00403F75
ShowWindow.USER32(?,0000000A), ref: 004040A9

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID:
API String ID: 3906175533-0
Opcode ID: df32e88edd0ce9c72aeea6d97329f6782db9a598ff72242bf1baddfb4268c4cd
Instruction ID: 66321d32c1eaa25cde9017618ff6dc5f2a3eb2e937a5eaef653dbb825e011b30
Opcode Fuzzy Hash: df32e88edd0ce9c72aeea6d97329f6782db9a598ff72242bf1baddfb4268c4cd
Instruction Fuzzy Hash: E5C1AF71A04204BBDB306F61ED45E2B3AA8EB85745F40053EF641B11F1C77AA852DB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402D52 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00402D52(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x4291ec = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\jones\\Desktop\\DHL04AWB01173903102023PDF.scr.exe", 0x400);
				_t105 = E00405B26(L"C:\\Users\\jones\\Desktop\\DHL04AWB01173903102023PDF.scr.exe", 0x80000000, 3);
				 *0x409018 = _t105;
				if(_t105 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00405E9D(L"C:\\Users\\jones\\Desktop", L"C:\\Users\\jones\\Desktop\\DHL04AWB01173903102023PDF.scr.exe");
				E00405E9D(0x438000, E00405951(L"C:\\Users\\jones\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x41fe88 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402CB0(1);
					__eflags =  *0x4291f4;
					if( *0x4291f4 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00406323(0x40bdf0);
						E00405B55(0x40bdf0,  &_v560, L"C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40901c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004032D1( *0x4291f4 + 0x1c);
							 *0x41fe8c = _t65;
							 *0x417e80 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402FF8(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x4291f0 = _t110;
								 *0x4291f8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x4291fc =  *0x4291fc + 1;
									__eflags =  *0x4291fc;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x417e7c; // 0x1bf324
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E00405AE1(0x429200, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004032D1( *0x417e78);
					_t77 = E0040329F( &_a4, 4); // executed
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x4291f4) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E0040329F(0x417e88, _t106); // executed
						__eflags = _t83;
						if(_t83 == 0) {
							E00402CB0(1);
							L30:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x4291f4;
						if( *0x4291f4 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402CB0(0);
							}
							goto L19;
						}
						E00405AE1( &_v40, 0x417e88, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x417e78; // 0x8000
						 *0x429280 =  *0x429280 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x4291f4 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x41fe88; // 0x9507
						if(__eflags < 0) {
							_v8 = E004062B5(_v8, 0x417e88, _t106);
						}
						 *0x417e78 =  *0x417e78 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402d60
0x00402d63
0x00402d7d
0x00402d82
0x00402d95
0x00402d9a
0x00402da0
0x00000000
0x00402da2
0x00402db3
0x00402dc4
0x00402dcb
0x00402dd1
0x00402dd3
0x00402dd8
0x00402dda
0x00402eca
0x00402ecc
0x00402ed1
0x00402ed8
0x00000000
0x00000000
0x00402ede
0x00402ee1
0x00402f0d
0x00402f12
0x00402f1d
0x00402f1f
0x00402f30
0x00402f4b
0x00402f51
0x00402f54
0x00402f59
0x00402f78
0x00402f88
0x00402f9a
0x00402f9f
0x00402fa4
0x00402fa7
0x00402fb0
0x00402fb4
0x00402fbc
0x00402fc1
0x00402fc3
0x00402fc3
0x00402fc3
0x00402fcb
0x00402fcb
0x00402fce
0x00402fcf
0x00402fcf
0x00402fd2
0x00402fd4
0x00402fd4
0x00402fd4
0x00402fd7
0x00402fde
0x00402fea
0x00402fef
0x00000000
0x00402fef
0x00000000
0x00402fa7
0x00000000
0x00402f5b
0x00402ee9
0x00402ef4
0x00402ef9
0x00402efb
0x00000000
0x00000000
0x00402f04
0x00402f07
0x00000000
0x00000000
0x00000000
0x00402de0
0x00402de0
0x00402de5
0x00402de9
0x00402df0
0x00402df5
0x00402df7
0x00402df9
0x00402df9
0x00402e01
0x00402e06
0x00402e08
0x00402f67
0x00402fa9
0x00000000
0x00402fa9
0x00402e0e
0x00402e14
0x00402e94
0x00402e98
0x00402e9b
0x00402ea0
0x00000000
0x00402e98
0x00402e21
0x00402e26
0x00402e29
0x00402e2e
0x00000000
0x00000000
0x00402e30
0x00402e37
0x00000000
0x00000000
0x00402e39
0x00402e40
0x00000000
0x00000000
0x00402e42
0x00402e49
0x00000000
0x00000000
0x00402e4b
0x00402e52
0x00000000
0x00000000
0x00402e54
0x00402e5a
0x00402e63
0x00402e69
0x00402e6c
0x00402e6e
0x00402e74
0x00000000
0x00000000
0x00402e7a
0x00402e7e
0x00402e86
0x00402e86
0x00402e89
0x00402e8c
0x00402e8e
0x00402e90
0x00402e90
0x00000000
0x00402e8e
0x00402e80
0x00402e84
0x00000000
0x00000000
0x00000000
0x00402ea1
0x00402ea1
0x00402ea7
0x00402eb7
0x00402eb7
0x00402eba
0x00402ec0
0x00402ec2
0x00402ec2
0x00000000
0x00402de0

APIs

GetTickCount.KERNEL32 ref: 00402D66
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,00000400), ref: 00402D82

Part of subcall function 00405B26: GetFileAttributesW.KERNELBASE(00000003,00402D95,C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,80000000,00000003), ref: 00405B2A
Part of subcall function 00405B26: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B4C

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,80000000,00000003), ref: 00402DCB
GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F12

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402D5F, 00402F2A
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FA9
soft, xrefs: 00402E42
Null, xrefs: 00402E4B
user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0), xrefs: 00402D5B
C:\Users\user\Desktop, xrefs: 00402DAD, 00402DB2, 00402DB8
C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe, xrefs: 00402D6C, 00402D7B, 00402D8F, 00402DAC
Inst, xrefs: 00402E39
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402F5B
Error launching installer, xrefs: 00402DA2

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)
API String ID: 2803837635-2089497518
Opcode ID: 54c1c94191ceb75ceab29d2f85f1815ee4eb193c07aa9e765ba2f968c5ff87f5
Instruction ID: c73d5286ac481db20549ed65c9440939ce178e101c1697b83fbf5401ef520cb0
Opcode Fuzzy Hash: 54c1c94191ceb75ceab29d2f85f1815ee4eb193c07aa9e765ba2f968c5ff87f5
Instruction Fuzzy Hash: 1E61E371940206ABDB209F65DE89BAE37B8EB04358F20417BF904B72D1D7BC9D419B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00401752(FILETIME* __ebx, void* __eflags) {
				void* __edi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t81;
				void* _t82;
				WCHAR* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 0x38) = E00402AD0(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x2c) & 0x00000007;
				_t35 = E0040597C( *(_t86 - 0x38));
				_push( *(_t86 - 0x38));
				_t84 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405905(E00405E9D(_t84, L"C:\\Users\\jones\\Nonhieratical\\Clavichordist\\benenders\\Actionfilm\\Sortsrenheden")), ??);
				} else {
					E00405E9D();
				}
				E00406131(_t84);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E004061E0(_t84);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x20);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405B01(_t84);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405B26(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x14) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405151(0xffffffe2,  *(_t86 - 0x38));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x429268;
						goto L32;
					} else {
						E00405E9D("C:\Users\jones\AppData\Local\Temp\nsoF960.tmp", _t81);
						E00405E9D(_t81, _t84);
						E00405EBF(_t77, _t81, _t84, "C:\Users\jones\AppData\Local\Temp\nsoF960.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x18)));
						E00405E9D(_t81, "C:\Users\jones\AppData\Local\Temp\nsoF960.tmp");
						_t64 = E00405680("C:\Users\jones\AppData\Local\Temp\nsoF960.tmp\System.dll",  *(_t86 - 0x2c) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x429268 =  &( *0x429268->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t84);
								_push(0xfffffffa);
								E00405151();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405151(0xffffffea,  *(_t86 - 0x38));
				 *0x429294 =  *0x429294 + 1;
				_t45 = E00402FF8(_t79,  *((intOrPtr*)(_t86 - 0x24)),  *(_t86 - 0x14), _t77, _t77); // executed
				 *0x429294 =  *0x429294 - 1;
				__eflags =  *(_t86 - 0x20) - 0xffffffff;
				_t82 = _t45;
				if( *(_t86 - 0x20) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x14), _t86 - 0x20, _t77, _t86 - 0x20); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x1c)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x1c)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t86 - 0x14)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E00405EBF(_t77, _t82, _t84, _t84, 0xffffffee);
					} else {
						E00405EBF(_t77, _t82, _t84, _t84, 0xffffffe9);
						lstrcatW(_t84,  *(_t86 - 0x38));
					}
					_push(0x200010);
					_push(_t84);
					E00405680();
					goto L29;
				}
				goto L33;
			}

0x00401752
0x00401759
0x00401765
0x00401768
0x0040176d
0x00401770
0x00401777
0x00401793
0x00401779
0x0040177a
0x0040177a
0x00401799
0x0040179e
0x0040179e
0x004017a2
0x004017a5
0x004017aa
0x004017ac
0x004017ae
0x004017b3
0x004017b3
0x004017be
0x004017be
0x004017cf
0x004017d1
0x004017d1
0x004017d2
0x004017d2
0x004017d5
0x004017d8
0x004017db
0x004017db
0x004017e2
0x004017f1
0x004017f6
0x004017f9
0x004017fc
0x00000000
0x00000000
0x004017fe
0x00401801
0x00401857
0x0040185c
0x004015ae
0x00402729
0x00402729
0x0040295d
0x00402960
0x00402960
0x00000000
0x00401803
0x00401809
0x00401810
0x0040181d
0x00401828
0x0040183e
0x0040183e
0x00401841
0x00000000
0x00401847
0x00401847
0x00401848
0x00401865
0x00402966
0x00402966
0x00402966
0x0040184a
0x0040184a
0x0040184b
0x00401493
0x0040223c
0x0040223c
0x0040223c
0x00401848
0x00401841
0x00402968
0x0040296c
0x0040296c
0x00401875
0x0040187a
0x00401888
0x0040188d
0x00401893
0x00401897
0x00401899
0x004018a1
0x004018ad
0x0040189b
0x0040189b
0x0040189f
0x00000000
0x00000000
0x0040189f
0x004018b6
0x004018bc
0x004018be
0x00000000
0x004018c4
0x004018c4
0x004018c7
0x004018df
0x004018c9
0x004018cc
0x004018d5
0x004018d5
0x004018e4
0x004018e9
0x00402237
0x00000000
0x00402237
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden,?,?,00000031), ref: 004017B8

Part of subcall function 00405E9D: lstrcpynW.KERNEL32(?,?,00000400,0040338A,004281E0,NSIS Error), ref: 00405EAA

Part of subcall function 00405151: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000,?), ref: 00405189
Part of subcall function 00405151: lstrlenW.KERNEL32(00402D2A,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000), ref: 00405199
Part of subcall function 00405151: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00402D2A), ref: 004051AC
Part of subcall function 00405151: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll), ref: 004051BE
Part of subcall function 00405151: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004051E4
Part of subcall function 00405151: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004051FE
Part of subcall function 00405151: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040520C

Strings

C:\Users\user\AppData\Local\Temp\nsoF960.tmp, xrefs: 00401804, 00401822
C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll, xrefs: 00401818, 00401834
C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden, xrefs: 00401781
Call, xrefs: 00401770, 00401779, 00401786, 00401798, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsoF960.tmp$C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll$C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden$Call
API String ID: 1941528284-2252448009
Opcode ID: f73c6c57ed740d0db14e1fb13e6d6813b81d301232faecdfbfada63b9952b30e
Instruction ID: eb6c258bbd42e96f7b1007724571da25d0db5cf0c4821fb25f07f4136c187502
Opcode Fuzzy Hash: f73c6c57ed740d0db14e1fb13e6d6813b81d301232faecdfbfada63b9952b30e
Instruction Fuzzy Hash: 8A41C471A00514BADF10BBB5CD46DAF3678EF05368F20463BF421B11E1D63C8A41DAAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402FF8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402FF8(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t44 = _t31 +  *0x429238;
					 *0x417e7c = _t44;
					SetFilePointer( *0x40901c, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E00403123(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x40901c,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x417e7c =  *0x417e7c + _t57;
						_t32 = E00403123(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x40901c, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x417e7c =  *0x417e7c + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x40901c, 0x413e78, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413e78, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x417e7c =  *0x417e7c + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402ffd
0x00403007
0x00403010
0x00403014
0x0040301f
0x0040301f
0x00403027
0x00403029
0x00403030
0x0040304c
0x00403050
0x00403119
0x00403119
0x00000000
0x0040305f
0x00403062
0x00403068
0x0040306f
0x00403072
0x0040307b
0x004030e8
0x004030ee
0x004030f0
0x004030f0
0x00403102
0x00403106
0x00000000
0x00403108
0x00403108
0x0040310b
0x00403111
0x00000000
0x00403111
0x0040307d
0x00403080
0x00403114
0x00403114
0x00403086
0x0040308b
0x0040308b
0x00403093
0x00403095
0x00403095
0x004030a6
0x004030aa
0x00000000
0x00000000
0x004030be
0x004030c6
0x004030e4
0x0040311b
0x0040311b
0x004030cd
0x004030cd
0x004030d0
0x004030d3
0x004030d6
0x004030e0
0x00000000
0x004030e2
0x00000000
0x004030e2
0x004030e0
0x00000000
0x004030c6
0x00000000
0x0040308b
0x00403080
0x0040307b
0x00403072
0x00403050
0x0040311c
0x00403120

APIs

SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00000000,?,?,?,00402FA4,000000FF,00000000,00000000,00409230,?), ref: 0040301F
ReadFile.KERNELBASE(00409230,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402FA4,000000FF,00000000,00000000,00409230), ref: 0040304C
ReadFile.KERNELBASE(00413E78,00004000,?,00000000,00409230,?,00402FA4,000000FF,00000000,00000000,00409230,?), ref: 004030A6
WriteFile.KERNELBASE(00000000,00413E78,?,000000FF,00000000,?,00402FA4,000000FF,00000000,00000000,00409230,?), ref: 004030BE

Strings

x>A, xrefs: 00403086

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: x>A
API String ID: 2113905535-3854404225
Opcode ID: d62910b3130867b8d2b2b4b66368bca281eb4fe54e9a8637888efbc56b62b4fa
Instruction ID: 8d48c07fc761829a1fe9f1a1938812e098a54f4c61c40dafa2fa98847bc1c045
Opcode Fuzzy Hash: d62910b3130867b8d2b2b4b66368bca281eb4fe54e9a8637888efbc56b62b4fa
Instruction Fuzzy Hash: F4311631500209FBDF21CF56DC45ADE7FBCEB89365B20803AF514AA1A1D3349E51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403123 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403123(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t22;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t53;

				_t35 =  *0x417e7c; // 0x1bf324
				_t37 = _t35 -  *0x40bde8 + _a4;
				 *0x4291ec = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402CB0(1);
					return 0;
				}
				E004032D1( *0x41fe8c);
				SetFilePointer( *0x40901c,  *0x40bde8, 0, 0); // executed
				 *0x41fe88 = _t37;
				 *0x417e78 = 0;
				while(1) {
					_t12 =  *0x417e80; // 0x127361
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41fe8c;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E0040329F(0x413e78, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41fe8c =  *0x41fe8c + _t34;
					 *0x40be08 = 0x413e78;
					 *0x40be0c = _t34;
					L6:
					L6:
					if( *0x4291f0 != 0 &&  *0x429280 == 0) {
						_t22 =  *0x41fe88; // 0x9507
						 *0x417e78 = _t22 -  *0x417e7c - _a4 +  *0x40bde8;
						E00402CB0(0);
					}
					 *0x40be10 = 0x40be78;
					 *0x40be14 = 0x8000; // executed
					_t16 = E00406343(0x40bdf0); // executed
					if(_t16 < 0) {
						goto L21;
					}
					_t39 =  *0x40be10; // 0x40ff83
					_t40 = _t39 - 0x40be78;
					if(_t40 == 0) {
						__eflags =  *0x40be0c; // 0x0
						if(__eflags != 0) {
							goto L21;
						}
						__eflags = _t34;
						if(_t34 == 0) {
							goto L21;
						}
						L17:
						_t18 =  *0x417e7c; // 0x1bf324
						if(_t18 -  *0x40bde8 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40901c, _t18, 0, 0); // executed
						goto L23;
					}
					_t21 = WriteFile( *0x40901c, 0x40be78, _t40,  &_v4, 0); // executed
					if(_t21 == 0 || _t40 != _v4) {
						_push(0xfffffffe);
						L22:
						_pop(_t17);
						return _t17;
					} else {
						 *0x40bde8 =  *0x40bde8 + _t40;
						_t53 =  *0x40be0c; // 0x0
						if(_t53 != 0) {
							goto L6;
						}
						goto L17;
					}
					L21:
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x00403127
0x00403134
0x00403147
0x0040314c
0x0040328d
0x0040328f
0x00000000
0x00403295
0x00403158
0x0040316b
0x00403171
0x00403177
0x00403182
0x00403182
0x00403187
0x0040318c
0x00403194
0x00403196
0x00403196
0x0040319f
0x004031a6
0x00000000
0x00000000
0x004031ac
0x004031b2
0x004031b8
0x00000000
0x004031be
0x004031c4
0x004031ce
0x004031e4
0x004031e9
0x004031ee
0x004031f4
0x004031fa
0x00403204
0x0040320b
0x00000000
0x00000000
0x0040320d
0x00403213
0x00403215
0x00403249
0x0040324f
0x00000000
0x00000000
0x00403251
0x00403253
0x00000000
0x00000000
0x00403255
0x00403255
0x00403268
0x00000000
0x00000000
0x00403277
0x00000000
0x00403277
0x00403225
0x0040322d
0x00403284
0x0040328a
0x0040328a
0x00000000
0x00403235
0x00403235
0x0040323b
0x00403241
0x00000000
0x00000000
0x00000000
0x00403247
0x00403288
0x00403288
0x00000000
0x00403288
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403138

Part of subcall function 004032D1: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F7D,?), ref: 004032DF

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,0040302E,00000004,00000000,00000000,00000000,?,?,?,00402FA4,000000FF,00000000), ref: 0040316B
WriteFile.KERNELBASE(0040BE78,0040FF83,00000000,00000000,00413E78,00004000,?,00000000,?,0040302E,00000004,00000000,00000000,00000000,?,?), ref: 00403225
SetFilePointer.KERNELBASE(001BF324,00000000,00000000,00413E78,00004000,?,00000000,?,0040302E,00000004,00000000,00000000,00000000,?,?), ref: 00403277

Strings

x>A, xrefs: 00403198

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: x>A
API String ID: 2146148272-3854404225
Opcode ID: 9fcdebe3483bddc409f0d09b442584c3c34955c0019be521db32dbb29a713a16
Instruction ID: 94ad4d6799e6b6dba6afe725b10163dcf05135c1b3a504befffb94a2c2d9e515
Opcode Fuzzy Hash: 9fcdebe3483bddc409f0d09b442584c3c34955c0019be521db32dbb29a713a16
Instruction Fuzzy Hash: 3341CE325042019BDB10AF29ED848AA7BACFB55316724827FE910B22F0D7799D41DBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00402571 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00402571(void* __ebx, void* __esi) {
				intOrPtr _t37;
				void* _t46;
				void* _t49;

				_t37 = E00402AB3(2);
				_t49 = _t37 - 1;
				 *((intOrPtr*)(_t46 - 0x38)) = _t37;
				if(_t49 < 0) {
					L30:
					 *0x429268 =  *0x429268 +  *(_t46 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x38) = 0x3ff;
					}
					if( *__esi == __bx) {
						L28:
						__eax =  *(__ebp - 0xc);
						 *( *(__ebp - 0xc) + __edi * 2) = __bx;
						if(_t49 == 0) {
							 *(_t46 - 4) = 1;
						}
						goto L30;
					} else {
						 *(__ebp - 0x14) = __ebx;
						 *(__ebp - 8) = E00405DFD(__ecx, __esi);
						if( *(__ebp - 0x38) > __ebx) {
							__esi = ReadFile;
							do {
								__eax = __ebp - 0x34;
								_push(__ebx);
								_push(__ebp - 0x34);
								if( *((intOrPtr*)(__ebp - 0x30)) != 0x39) {
									__eax = __ebp - 0x10;
									if(ReadFile( *(__ebp - 8), __ebp - 0x10, 2, ??, ??) == 0 ||  *(__ebp - 0x34) != 2) {
										goto L28;
									} else {
										goto L15;
									}
								} else {
									__eax = __ebp + 0xb;
									__eax = ReadFile( *(__ebp - 8), __ebp + 0xb, 1, ??, ??); // executed
									if(__eax == 0 ||  *(__ebp - 0x34) != 1) {
										goto L28;
									} else {
										__ebp - 0x10 = __ebp + 0xb;
										if(MultiByteToWideChar(__ebx, __ebx, __ebp + 0xb, 1, __ebp - 0x10, 1) != 0) {
											L15:
											__eax =  *(__ebp - 0x10);
										} else {
											__eax = 0x3f;
											 *(__ebp - 0x10) = __eax;
										}
										if( *((intOrPtr*)(__ebp - 0x20)) != __ebx) {
											__ax & 0x0000ffff = E00405DE4( *(__ebp - 0xc), __ax & 0x0000ffff);
										} else {
											if( *(__ebp - 0x14) == 0xd ||  *(__ebp - 0x14) == 0xa) {
												if( *(__ebp - 0x14) == __ax || __ax != 0xd && __ax != 0xa) {
													__eax = SetFilePointer( *(__ebp - 8), 0xfffffffe, __ebx, 1);
												} else {
													__ecx =  *(__ebp - 0xc);
													 *( *(__ebp - 0xc) + __edi * 2) = __ax;
													__edi = __edi + 1;
												}
												goto L28;
											} else {
												__ecx =  *(__ebp - 0xc);
												 *(__ebp - 0x14) = __eax;
												 *( *(__ebp - 0xc) + __edi * 2) = __ax;
												__edi = __edi + 1;
												if(__ax == __bx) {
													goto L28;
												} else {
													goto L20;
												}
											}
										}
									}
								}
								goto L31;
								L20:
							} while (__edi <  *(__ebp - 0x38));
						}
						goto L28;
					}
				}
				L31:
				return 0;
			}

0x00402575
0x0040257a
0x0040257d
0x00402580
0x0040295d
0x00402960
0x00402586
0x00402586
0x0040258d
0x0040258f
0x0040258f
0x00402595
0x0040267f
0x0040267f
0x00402684
0x004015ae
0x00402729
0x00402729
0x00000000
0x0040259b
0x0040259c
0x004025a7
0x004025aa
0x004025b0
0x004025b6
0x004025ba
0x004025bd
0x004025be
0x004025bf
0x004025fe
0x0040260b
0x00000000
0x00000000
0x00000000
0x00000000
0x004025c1
0x004025c1
0x004025ca
0x004025ce
0x00000000
0x004025de
0x004025e4
0x004025f4
0x00402613
0x00402613
0x004025f6
0x004025f8
0x004025f9
0x004025f9
0x00402619
0x0040264b
0x0040261b
0x00402620
0x00402659
0x00402679
0x00402667
0x00402667
0x0040266a
0x0040266e
0x0040266e
0x00000000
0x00402629
0x00402629
0x0040262c
0x0040262f
0x00402633
0x00402637
0x00000000
0x00000000
0x00000000
0x00000000
0x00402637
0x00402620
0x00402619
0x004025ce
0x00000000
0x00402639
0x00402639
0x00402642
0x00000000
0x004025aa
0x00402595
0x00402966
0x0040296c

APIs

ReadFile.KERNELBASE(?,?,00000001,?), ref: 004025CA
MultiByteToWideChar.KERNEL32(?,?,?,00000001,?,00000001), ref: 004025EC
ReadFile.KERNEL32(?,?,00000002,?), ref: 00402607

Part of subcall function 00405DE4: wsprintfW.USER32 ref: 00405DF1

Strings

9, xrefs: 004025B6

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: FileRead$ByteCharMultiWidewsprintf
String ID: 9
API String ID: 3029736425-2366072709
Opcode ID: 3de2ff507f840a9cd0ff0423fe2054a566c9a0a86e2d1db14fbdab867d3898fe
Instruction ID: d9fcc2c193a703a2e4ba0b150603bd81988566c42459e49aac520d2be98189f9
Opcode Fuzzy Hash: 3de2ff507f840a9cd0ff0423fe2054a566c9a0a86e2d1db14fbdab867d3898fe
Instruction Fuzzy Hash: 6A316170D0021AEADF20DF94DA88EBE7779FB10344F50447BE401B62D4D7B98A81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0040232F(void* __eax, void* __eflags) {
				void* _t17;
				short* _t20;
				int _t21;
				long _t24;
				char _t26;
				int _t29;
				intOrPtr _t37;
				void* _t39;

				_t17 = E00402BC5(__eax);
				_t37 =  *((intOrPtr*)(_t39 - 0x1c));
				 *(_t39 - 8) =  *(_t39 - 0x18);
				 *(_t39 - 0x10) = E00402AD0(2);
				_t20 = E00402AD0(0x11);
				_t33 =  *0x429290 | 0x00000002;
				 *(_t39 - 4) = 1;
				_t21 = RegCreateKeyExW(_t17, _t20, _t29, _t29, _t29,  *0x429290 | 0x00000002, _t29, _t39 + 8, _t29); // executed
				if(_t21 == 0) {
					if(_t37 == 1) {
						E00402AD0(0x23);
						_t21 = lstrlenW(0x40a580) + _t28 + 2;
					}
					if(_t37 == 4) {
						_t26 = E00402AB3(3);
						 *0x40a580 = _t26;
						_t21 = _t37;
					}
					if(_t37 == 3) {
						_t21 = E00402FF8(_t33,  *((intOrPtr*)(_t39 - 0x20)), _t29, 0x40a580, 0x1800);
					}
					_t24 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x10), _t29,  *(_t39 - 8), 0x40a580, _t21); // executed
					if(_t24 == 0) {
						 *(_t39 - 4) = _t29;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x429268 =  *0x429268 +  *(_t39 - 4);
				return 0;
			}

0x00402330
0x00402335
0x0040233f
0x00402349
0x0040234c
0x0040235c
0x00402366
0x0040236d
0x00402375
0x00402383
0x00402387
0x00402392
0x00402392
0x00402399
0x0040239d
0x004023a3
0x004023a8
0x004023a8
0x004023ac
0x004023b8
0x004023b8
0x004023c9
0x004023d1
0x004023d3
0x004023d3
0x004023d6
0x004024aa
0x004024aa
0x00402960
0x0040296c

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsoF960.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsoF960.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsoF960.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Strings

C:\Users\user\AppData\Local\Temp\nsoF960.tmp, xrefs: 0040237E, 004023A3, 004023B3, 004023BE

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsoF960.tmp
API String ID: 1356686001-2055704150
Opcode ID: 2cea1bc861a0d8056b8cb23a8372dea7c393012d49f169da38cb3e8ebc25f54a
Instruction ID: 4af7caeeffd73b39530f6c003e3188f3106747c718089b514efe1a2bd4ab93e8
Opcode Fuzzy Hash: 2cea1bc861a0d8056b8cb23a8372dea7c393012d49f169da38cb3e8ebc25f54a
Instruction Fuzzy Hash: 27118171A00109BFEB10AFA0DE4AEAF777CEB00358F10043AF505B61D0D7B85D419B69

Uniqueness

Uniqueness Score: -1.00%

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B9(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
				struct _SECURITY_ATTRIBUTES** _t15;
				int _t21;
				int _t23;
				signed char _t25;
				struct _SECURITY_ATTRIBUTES* _t26;
				struct _SECURITY_ATTRIBUTES* _t29;
				struct _SECURITY_ATTRIBUTES** _t32;
				void* _t34;

				_t26 = __ebx;
				 *(_t34 + 8) = E00402AD0(0xfffffff0);
				_t15 = E004059B0(_t14);
				_t30 = _t15;
				if(_t15 != __ebx) {
					do {
						_t32 = E00405932(_t30, 0x5c);
						_t29 =  *_t32;
						 *_t32 = _t26; // executed
						_t23 = CreateDirectoryW( *(_t34 + 8), _t26); // executed
						if(_t23 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t34 - 4)) =  *((intOrPtr*)(_t34 - 4)) + 1;
							} else {
								_t25 = GetFileAttributesW( *(_t34 + 8)); // executed
								if((_t25 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						 *_t32 = _t29;
						_t30 =  &(_t32[0]);
					} while (_t29 != _t26);
				}
				if( *((intOrPtr*)(_t34 - 0x28)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405E9D(L"C:\\Users\\jones\\Nonhieratical\\Clavichordist\\benenders\\Actionfilm\\Sortsrenheden",  *(_t34 + 8));
					_t21 = SetCurrentDirectoryW( *(_t34 + 8)); // executed
					if(_t21 == 0) {
						 *((intOrPtr*)(_t34 - 4)) =  *((intOrPtr*)(_t34 - 4)) + 1;
					}
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t34 - 4));
				return 0;
			}

0x004015b9
0x004015c1
0x004015c4
0x004015c9
0x004015cd
0x004015cf
0x004015d7
0x004015dd
0x004015e0
0x004015e3
0x004015eb
0x004015f8
0x00401607
0x00401607
0x004015fa
0x004015fd
0x00401605
0x00000000
0x00000000
0x00401605
0x004015f8
0x0040160a
0x0040160e
0x0040160f
0x004015cf
0x00401617
0x00401646
0x00402190
0x00401619
0x0040161b
0x00401628
0x00401630
0x00401638
0x0040163e
0x0040163e
0x00401638
0x00402960
0x0040296c

APIs

Part of subcall function 004059B0: CharNextW.USER32(?,?,00424ED8,?,00405A24,00424ED8,00424ED8,?,?,7476F560,0040574C,?,C:\Users\user\AppData\Local\Temp\,7476F560,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)), ref: 004059BE
Part of subcall function 004059B0: CharNextW.USER32(00000000), ref: 004059C3
Part of subcall function 004059B0: CharNextW.USER32(00000000), ref: 004059DB

CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden,?,00000000,000000F0), ref: 00401630

Strings

C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden
API String ID: 3751793516-131915481
Opcode ID: 974302c0242d9ca9b85d9149cce944e5afdd7c9e4e9171542445a693203e9837
Instruction ID: ff242de1000ccdb8e912c415b56d53cf55a452cb0bc731cc045a5214b7b0d861
Opcode Fuzzy Hash: 974302c0242d9ca9b85d9149cce944e5afdd7c9e4e9171542445a693203e9837
Instruction Fuzzy Hash: CA11A331A04111EBDB206FA0CD4499E3AA0EF05365B240537E995B62E1D6394981DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402B10 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00402B10(void* _a4, short* _a8, intOrPtr _a12) {
				void* _v8;
				short _v532;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExW(_a4, _a8, 0,  *0x429290 | 0x00000008,  &_v8); // executed
				if(_t18 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402B10(_v8,  &_v532, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406207(2);
					if(_t27 == 0) {
						if( *0x429290 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyW(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x429290, 0);
				}
				return _t18;
			}

0x00402b31
0x00402b39
0x00402b61
0x00402b4b
0x00402b9b
0x00402ba1
0x00000000
0x00402ba3
0x00402b5f
0x00000000
0x00000000
0x00402b5f
0x00402b76
0x00402b7e
0x00402b85
0x00402bb1
0x00000000
0x00000000
0x00402bb9
0x00402bc1
0x00000000
0x00000000
0x00000000
0x00402bc1
0x00000000
0x00402b94
0x00402ba8

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B31
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402B6D
RegCloseKey.ADVAPI32(?), ref: 00402B76
RegCloseKey.ADVAPI32(?), ref: 00402B9B
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402BB9

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b58f2765db8b9cf295b1794f872d13371f1b57ced3d8450bc5699b704d7acbf4
Instruction ID: 86cee00300bf81491e376e9f03091c3f1c06afbb44f928b6456b38475e3a943c
Opcode Fuzzy Hash: b58f2765db8b9cf295b1794f872d13371f1b57ced3d8450bc5699b704d7acbf4
Instruction Fuzzy Hash: D2114F7150010CFFDF119F90DE89DAA3B79EB04348F10047AFA05B11A0D3B9AE51EB69

Uniqueness

Uniqueness Score: -1.00%

Function 1000177A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E1000177A(char* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				char* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015D2);
				_push(1);
				_t34 = E10001B47();
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E10002244(_t50);
					}
					E1000228E(_t65, _t50);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E10002430(_t65, _t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x1018; // 0x1018
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E100015D5(_t50);
								_t15 = _t50 + 0x1018; // 0x1018
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
								 *_t70 = 4;
								E10002430(_t65, _t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E10002430(_t65, _t50);
							_t34 = GlobalFree(E10001280(E100015D5(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E100023F3(_t50);
							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x1008);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
								_t34 = E10001555( *0x10004068);
							}
						}
						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002ACF(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E10002814(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E100025B7(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x1000177a
0x1000177a
0x1000177a
0x10001784
0x1000178c
0x10001799
0x100017a7
0x100017aa
0x100017ac
0x100017b1
0x100017b6
0x100018c9
0x100018c9
0x100017bc
0x100017c0
0x100017c3
0x100017c8
0x100017ca
0x100017d0
0x100017d6
0x10001806
0x1000180d
0x10001831
0x10001870
0x10001833
0x10001833
0x10001834
0x10001837
0x1000183d
0x10001841
0x10001844
0x10001849
0x10001849
0x10001850
0x10001856
0x1000185c
0x10001868
0x10001869
0x1000186c
0x1000180f
0x10001810
0x10001825
0x10001825
0x1000187a
0x1000187d
0x1000188a
0x10001891
0x10001899
0x1000189c
0x1000189c
0x10001899
0x100018a9
0x100018b1
0x100018b6
0x100018a9
0x100018be
0x00000000
0x100018c0
0x00000000
0x100018c1
0x100018be
0x100017da
0x100017dd
0x100017fb
0x00000000
0x00000000
0x100017fe
0x10001803
0x10001803
0x10001805
0x00000000
0x10001805
0x100017df
0x100017e0
0x100017e8
0x100017e9
0x00000000
0x100017e9
0x100017e2
0x100017e3
0x100017f1
0x00000000
0x100017f1
0x100017e6
0x00000000
0x00000000
0x00000000
0x100017e6

APIs

Part of subcall function 10001B47: GlobalFree.KERNEL32 ref: 10001D93
Part of subcall function 10001B47: GlobalFree.KERNEL32 ref: 10001D98
Part of subcall function 10001B47: GlobalFree.KERNEL32 ref: 10001D9D

GlobalFree.KERNEL32 ref: 10001825
FreeLibrary.KERNEL32(?), ref: 1000189C
GlobalFree.KERNEL32 ref: 100018C1

Part of subcall function 10002244: GlobalAlloc.KERNEL32(00000040,206AC300), ref: 10002276

Part of subcall function 100025B7: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017F6,00000000), ref: 10002629

Part of subcall function 100015D5: lstrcpyW.KERNEL32 ref: 100015EE

Part of subcall function 10002430: wsprintfW.USER32 ref: 10002484
Part of subcall function 10002430: GlobalFree.KERNEL32 ref: 10002505
Part of subcall function 10002430: GlobalFree.KERNEL32 ref: 1000252E

Strings

, xrefs: 100018A2

Memory Dump Source

Source File: 00000000.00000002.844683287.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.844674032.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844702593.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844712082.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: 36dc1c73e2cca8cecdbe642052fcefd0b2c26daac984d3216c7242988de7a3ce
Instruction ID: 9ce5796c09468563b87854c93ff8b18313010149d0a68b51a988a72ae56cc889
Opcode Fuzzy Hash: 36dc1c73e2cca8cecdbe642052fcefd0b2c26daac984d3216c7242988de7a3ce
Instruction Fuzzy Hash: 1831BF75800244AAFB51DF749CC5BDA37E8EB043D0F158425FA4A9A08EDF74EA84C760

Uniqueness

Uniqueness Score: -1.00%

Function 00405D6A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405D6A(void* _a4, int _a8, short* _a12, int _a16, void* _a20) {
				long _t20;
				long _t23;
				long _t24;
				char* _t26;

				asm("sbb eax, eax");
				_t26 = _a16;
				 *_t26 = 0;
				_t20 = RegOpenKeyExW(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				if(_t20 == 0) {
					_a8 = 0x800;
					_t23 = RegQueryValueExW(_a20, _a12, 0,  &_a16, _t26,  &_a8); // executed
					if(_t23 != 0 || _a16 != 1 && _a16 != 2) {
						 *_t26 = 0;
					}
					_t26[0x7fe] = 0;
					_t24 = RegCloseKey(_a20); // executed
					return _t24;
				}
				return _t20;
			}

0x00405d7a
0x00405d7c
0x00405d89
0x00405d94
0x00405d9c
0x00405da1
0x00405db5
0x00405dbd
0x00405dcb
0x00405dcb
0x00405dd1
0x00405dd8
0x00000000
0x00405dd8
0x00405de1

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00405FDD,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405D94
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00405FDD,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405DB5
RegCloseKey.KERNELBASE(?,?,00405FDD,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405DD8

Strings

Call, xrefs: 00405D6D

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction ID: 06cf2bc006907d9dc691c2cdb046e1412817040800c53bf2eae2c2fcf76f5586
Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction Fuzzy Hash: 2301487115020AAADB218F16EC09EDB3FACEF44350F00802AF904D6260D334D960CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405B55 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B55(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x409540; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405b5b
0x00405b61
0x00405b62
0x00405b62
0x00405b67
0x00405b68
0x00405b6b
0x00405b70
0x00405b73
0x00405b7d
0x00405b8a
0x00405b8e
0x00405b96
0x00000000
0x00000000
0x00405b9a
0x00000000
0x00405b9c
0x00405b9c
0x00405b9c
0x00405b9f
0x00405ba2
0x00405ba2
0x00405ba5
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405B73
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040331A,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405B8E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B5A, 00405B5E
nsa, xrefs: 00405B62

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: 02f4298b2735c8bc6763aba9009af15b74291808c03273d77d84cf499ff03378
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 50F09676A00204BBDB008F59DC05B9BB7BCEB91710F10803AE901F7180E2B4BE408B64

Uniqueness

Uniqueness Score: -1.00%

Function 10002814 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156
fileCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E10002814(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t31;
				void* _t32;
				int _t36;
				void* _t40;
				void* _t49;
				void* _t54;
				void* _t58;
				signed int _t65;
				void* _t70;
				void* _t79;
				intOrPtr _t81;
				signed int _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t92;
				void* _t94;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t106;
				intOrPtr _t107;

				if( *0x10004050 != 0 && E10002795(_a4) == 0) {
					 *0x10004054 = _t106;
					if( *0x1000404c != 0) {
						_t106 =  *0x1000404c;
					} else {
						E10002D50(E1000278F(), __ecx);
						 *0x1000404c = _t106;
					}
				}
				_t31 = E100027D1(_a4);
				_t107 = _t106 + 4;
				if(_t31 <= 0) {
					L9:
					_t32 = E100027C5();
					_t81 = _a4;
					_t90 =  *0x10004058;
					 *((intOrPtr*)(_t32 + _t81)) = _t90;
					 *0x10004058 = _t81;
					E100027BF();
					_t36 = ReadFile(??, ??, ??, ??, ??); // executed
					 *0x10004034 = _t36;
					 *0x10004038 = _t90;
					if( *0x10004050 != 0 && E10002795( *0x10004058) == 0) {
						 *0x1000404c = _t107;
						_t107 =  *0x10004054;
					}
					_t91 =  *0x10004058;
					_a4 = _t91;
					 *0x10004058 =  *((intOrPtr*)(E100027C5() + _t91));
					_t40 = E100027A3(_t91);
					_pop(_t92);
					if(_t40 != 0) {
						_t49 = E100027D1(_t92);
						if(_t49 > 0) {
							_push(_t49);
							_push(E100027DC() + _a4 + _v8);
							_push(E100027E6());
							if( *0x10004050 <= 0 || E10002795(_a4) != 0) {
								_pop(_t101);
								_pop(_t54);
								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t102);
								_pop(_t58);
								 *0x1000404c =  *0x1000404c +  *(_t102 + _t58) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x10004058 == 0) {
						 *0x1000404c = 0;
					}
					_t94 = _a4 + E100027DC();
					 *(E100027EA() + _t94) =  *0x10004034;
					 *((intOrPtr*)(E100027EE() + _t94)) =  *0x10004038;
					E100027FE(_a4);
					if(E100027B1() != 0) {
						 *0x10004068 = GetLastError();
					}
					return _a4;
				}
				_push(E100027DC() + _a4);
				_t65 = E100027E2();
				_v8 = _t65;
				_t88 = _t31;
				_push(_t77 + _t65 * _t88);
				_t79 = E100027EE();
				_t100 = E100027EA();
				_t103 = E100027E6();
				_t70 = _t88;
				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
					_push( *((intOrPtr*)(_t79 + _t70)));
				}
				_push( *((intOrPtr*)(_t100 + _t70)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x10002824
0x10002835
0x10002842
0x10002856
0x10002844
0x10002849
0x1000284e
0x1000284e
0x10002842
0x1000285f
0x10002864
0x1000286a
0x100028ae
0x100028ae
0x100028b3
0x100028b8
0x100028be
0x100028c0
0x100028c6
0x100028d3
0x100028d5
0x100028da
0x100028e7
0x100028fa
0x10002900
0x10002906
0x10002907
0x1000290d
0x10002919
0x1000291f
0x10002927
0x10002928
0x1000292b
0x10002936
0x10002938
0x10002944
0x1000294a
0x10002952
0x1000297e
0x1000297f
0x10002985
0x10002985
0x1000298c
0x10002962
0x10002962
0x10002963
0x10002971
0x1000297a
0x1000297a
0x10002952
0x10002936
0x10002995
0x10002997
0x10002997
0x100029a9
0x100029b6
0x100029c4
0x100029ca
0x100029d8
0x100029e0
0x100029e0
0x100029ee
0x100029ee
0x10002875
0x10002876
0x1000287b
0x1000287f
0x10002884
0x10002898
0x10002899
0x1000289a
0x1000289c
0x100028a1
0x100028a3
0x100028a3
0x100028a6
0x100028ac
0x00000000

APIs

ReadFile.KERNELBASE(00000000), ref: 100028D3
GetLastError.KERNEL32 ref: 100029DA

Strings

@Mqt, xrefs: 100029DA

Memory Dump Source

Source File: 00000000.00000002.844683287.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.844674032.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844702593.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844712082.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: @Mqt
API String ID: 1948546556-2740872224
Opcode ID: 7086f14c4ed73921c32663dd50e35cd757691b5a96ac4a6e5be154c5209038fc
Instruction ID: 3fd83e1d41dfb8cbcb71a2ed35d47142bd90d8930b2c892e55557bfc521562a3
Opcode Fuzzy Hash: 7086f14c4ed73921c32663dd50e35cd757691b5a96ac4a6e5be154c5209038fc
Instruction Fuzzy Hash: E85183B9408215DFFB10DFA4DCC2B5937B4EB443D4F22846AEA08E721DDE34A881CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004032E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032E8(void* __ecx, void* __eflags) {
				void* _t2;
				void* _t5;
				void* _t6;
				WCHAR* _t7;

				_t6 = __ecx;
				_t7 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
				E00406131(_t7);
				_t2 = E0040597C(_t7);
				if(_t2 != 0) {
					E00405905(_t7);
					CreateDirectoryW(_t7, 0); // executed
					_t5 = E00405B55(_t6, L"1033", _t7); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004032e8
0x004032e9
0x004032ef
0x004032f5
0x004032fc
0x00403301
0x00403309
0x00403315
0x0040331b
0x004032ff
0x004032ff
0x004032ff

APIs

Part of subcall function 00406131: CharNextW.USER32(?,*?|<>/":,00000000,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 00406194
Part of subcall function 00406131: CharNextW.USER32(?,?,?,00000000), ref: 004061A3
Part of subcall function 00406131: CharNextW.USER32(?,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 004061A8
Part of subcall function 00406131: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 004061BB

CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 00403309

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004032E9, 004032EE, 004032F4, 00403300, 00403308, 0040330F
1033, xrefs: 00403310

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-517883005
Opcode ID: 0a711d7fd79276dd11a8b98ab0dbe8e63dd6040eaeebf00d4c3c17c85ae4f526
Instruction ID: e4eef6cf2ac797def9908a1650f112827c27e5ea106c4e55d3622050badd3659
Opcode Fuzzy Hash: 0a711d7fd79276dd11a8b98ab0dbe8e63dd6040eaeebf00d4c3c17c85ae4f526
Instruction Fuzzy Hash: B3D0922150693171C956322A3D06FCF1A1C8F4A32AF229077F809B50C6DA6C2A8209FE

Uniqueness

Uniqueness Score: -1.00%

Function 00406927 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406927() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00406D95))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406927
0x00406927
0x00406927
0x00406927
0x0040692d
0x00406931
0x00406935
0x0040693f
0x0040694d
0x00406c23
0x00406c23
0x00406c26
0x00406c2d
0x00406c5a
0x00406c5a
0x00406c5e
0x00000000
0x00000000
0x00406c60
0x00406c69
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c7b
0x00406c81
0x00406c9a
0x00406c9d
0x00406ca9
0x00406caa
0x00406cad
0x00406c83
0x00406c83
0x00406c92
0x00406c95
0x00406c95
0x00406cb7
0x00406c57
0x00406c57
0x00406c57
0x00406c5a
0x00406c5e
0x00000000
0x00000000
0x00000000
0x00406cb9
0x00406cb9
0x00406c32
0x00406c36
0x00406d6e
0x00406d6e
0x00406d78
0x00406d80
0x00406d87
0x00406d89
0x00406d90
0x00406d94
0x00406d94
0x00406c3c
0x00406c42
0x00406c49
0x00406c51
0x00406c51
0x00406c54
0x00000000
0x00406c54
0x00406cbe
0x00406ccb
0x00406cce
0x00406bda
0x00406bda
0x00406bda
0x00406376
0x00406376
0x00406376
0x0040637f
0x00000000
0x00000000
0x00406385
0x00406385
0x00000000
0x0040638c
0x00406390
0x00000000
0x00000000
0x00406396
0x00406399
0x0040639c
0x0040639f
0x004063a3
0x00000000
0x00000000
0x004063a9
0x004063a9
0x004063ac
0x004063ae
0x004063af
0x004063b2
0x004063b4
0x004063b5
0x004063b7
0x004063ba
0x004063bf
0x004063c4
0x004063cd
0x004063e0
0x004063e3
0x004063ef
0x00406417
0x00406419
0x00406427
0x00406427
0x0040642b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040641b
0x0040641b
0x0040641e
0x0040641f
0x0040641f
0x00000000
0x0040641b
0x004063f1
0x004063f5
0x004063fa
0x004063fa
0x00406403
0x0040640b
0x0040640e
0x00000000
0x00406414
0x00406414
0x00000000
0x00406414
0x00000000
0x00406431
0x00406431
0x00406435
0x00406ce1
0x00406ce1
0x00000000
0x00406ce1
0x0040643b
0x0040643e
0x0040644e
0x00406451
0x00406454
0x00406454
0x00406454
0x00406457
0x0040645b
0x00000000
0x00000000
0x0040645d
0x0040645d
0x00406463
0x0040648d
0x00406493
0x0040649a
0x00000000
0x0040649a
0x00406465
0x00406469
0x0040646c
0x00406471
0x00406471
0x0040647c
0x00406484
0x00406487
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064cc
0x004064d2
0x004064d5
0x004064e2
0x004064ea
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x00406cf0
0x00406cf0
0x00000000
0x00406cf0
0x004064ab
0x004064b1
0x004064bc
0x004064bc
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406bad
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406baf
0x00406bb3
0x00406d62
0x00406d62
0x00000000
0x00406d62
0x00406bb9
0x00406bbf
0x00406bc6
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd4
0x00406bda
0x00406bda
0x00000000
0x00000000
0x004064f2
0x004064f2
0x004064f4
0x004064f7
0x00406568
0x00406568
0x0040656b
0x0040656e
0x00406575
0x0040657f
0x00000000
0x0040657f
0x004064f9
0x004064f9
0x004064fd
0x00406500
0x00406502
0x00406505
0x00406508
0x0040650a
0x0040650d
0x0040650f
0x00406514
0x00406517
0x0040651a
0x0040651e
0x00406525
0x00406528
0x0040652f
0x00406533
0x0040653b
0x0040653b
0x0040653b
0x00406535
0x00406535
0x00406535
0x0040652a
0x0040652a
0x0040652a
0x0040653f
0x00406542
0x00406560
0x00406560
0x00406562
0x00000000
0x00406544
0x00406544
0x00406544
0x00406547
0x0040654a
0x0040654d
0x0040654f
0x0040654f
0x0040654f
0x00406552
0x00406555
0x00406557
0x00406558
0x0040655b
0x00000000
0x0040655b
0x00000000
0x00406791
0x00406791
0x00406795
0x004067b3
0x004067b3
0x004067b6
0x004067bd
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067ce
0x004067d5
0x004067d6
0x004067d8
0x004067db
0x004067de
0x004067e1
0x004067e1
0x004067e6
0x00000000
0x004067e6
0x00406797
0x00406797
0x0040679a
0x0040679d
0x004067a7
0x00000000
0x00000000
0x004067fb
0x004067fb
0x004067ff
0x00406822
0x00406825
0x00406828
0x00406832
0x00406801
0x00406801
0x00406804
0x00406807
0x0040680a
0x00406817
0x0040681a
0x0040681a
0x00000000
0x00000000
0x0040683e
0x0040683e
0x00406842
0x00000000
0x00000000
0x00406848
0x00406848
0x0040684c
0x00000000
0x00000000
0x00406852
0x00406852
0x00406854
0x00406858
0x00406858
0x0040685b
0x0040685f
0x00000000
0x00000000
0x004068af
0x004068af
0x004068b3
0x004068ba
0x004068ba
0x004068bd
0x004068c0
0x004068ca
0x00000000
0x004068ca
0x004068b5
0x004068b5
0x00000000
0x00000000
0x004068d6
0x004068d6
0x004068da
0x004068e1
0x004068e4
0x004068e7
0x004068dc
0x004068dc
0x004068dc
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f3
0x004068f6
0x004068f9
0x004068f9
0x004068fc
0x00406903
0x00406908
0x00000000
0x00000000
0x00406996
0x00406996
0x0040699a
0x00406d38
0x00406d38
0x00000000
0x00406d38
0x004069a0
0x004069a0
0x004069a3
0x004069a6
0x004069aa
0x004069ad
0x004069b3
0x004069b5
0x004069b5
0x004069b5
0x004069b8
0x004069bb
0x00000000
0x00000000
0x0040658b
0x0040658b
0x0040658f
0x00406cfc
0x00406cfc
0x00000000
0x00406cfc
0x00406595
0x00406595
0x00406598
0x0040659b
0x0040659f
0x004065a2
0x004065a8
0x004065aa
0x004065aa
0x004065aa
0x004065ad
0x004065b0
0x004065b0
0x004065b3
0x004065b6
0x00000000
0x00000000
0x004065bc
0x004065bc
0x004065c2
0x00000000
0x00000000
0x004065c8
0x004065c8
0x004065cc
0x004065cf
0x004065d2
0x004065d5
0x004065d8
0x004065d9
0x004065dc
0x004065de
0x004065e4
0x004065e7
0x004065ea
0x004065ed
0x004065f0
0x004065f3
0x004065f6
0x00406612
0x00406615
0x00406618
0x0040661b
0x00406622
0x00406626
0x00406628
0x0040662c
0x004065f8
0x004065f8
0x004065fc
0x00406604
0x00406609
0x0040660b
0x0040660d
0x0040660d
0x0040662f
0x00406636
0x00406639
0x00000000
0x0040663f
0x0040663f
0x00000000
0x0040663f
0x00000000
0x00406644
0x00406644
0x00406648
0x00406d08
0x00406d08
0x00000000
0x00406d08
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406658
0x0040665b
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x00406669
0x00406669
0x0040666f
0x00000000
0x00000000
0x00406671
0x00406671
0x00406674
0x00406677
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406686
0x00406689
0x0040668c
0x0040668f
0x004066a7
0x004066aa
0x004066ad
0x004066b0
0x004066b0
0x004066b3
0x004066b7
0x004066b9
0x00406691
0x00406691
0x00406699
0x0040669e
0x004066a0
0x004066a2
0x004066a2
0x004066bc
0x004066c3
0x004066c6
0x00000000
0x004066c8
0x004066c8
0x00000000
0x004066c8
0x004066c6
0x004066cd
0x004066cd
0x004066cd
0x004066cd
0x00000000
0x00000000
0x00406708
0x00406708
0x0040670c
0x00406d14
0x00406d14
0x00000000
0x00406d14
0x00406712
0x00406712
0x00406715
0x00406718
0x0040671c
0x0040671f
0x00406725
0x00406727
0x00406727
0x00406727
0x0040672a
0x0040672d
0x0040672d
0x00406733
0x004066d1
0x004066d1
0x004066d4
0x00000000
0x004066d4
0x00406735
0x00406735
0x00406738
0x0040673b
0x0040673e
0x00406741
0x00406744
0x00406747
0x0040674a
0x0040674d
0x00406750
0x00406753
0x0040676b
0x0040676e
0x00406771
0x00406774
0x00406774
0x00406777
0x0040677b
0x0040677d
0x00406755
0x00406755
0x0040675d
0x00406762
0x00406764
0x00406766
0x00406766
0x00406780
0x00406787
0x0040678a
0x00000000
0x0040678c
0x0040678c
0x00000000
0x0040678c
0x00000000
0x00406a19
0x00406a19
0x00406a1d
0x00406d44
0x00406d44
0x00000000
0x00406d44
0x00406a23
0x00406a23
0x00406a26
0x00406a29
0x00406a2d
0x00406a30
0x00406a36
0x00406a38
0x00406a38
0x00406a38
0x00406a3b
0x00000000
0x00000000
0x004067e9
0x004067e9
0x004067ec
0x00000000
0x00000000
0x00406b28
0x00406b28
0x00406b2c
0x00406b4e
0x00406b4e
0x00406b51
0x00406b5b
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00406b2e
0x00406b2e
0x00406b31
0x00406b35
0x00406b38
0x00406b38
0x00406b3b
0x00000000
0x00000000
0x00406be5
0x00406be5
0x00406be9
0x00406c07
0x00406c07
0x00406c07
0x00406c07
0x00406c0e
0x00406c15
0x00406c1c
0x00406c1c
0x00406c23
0x00406c26
0x00406c2d
0x00000000
0x00406c30
0x00406beb
0x00406beb
0x00406bee
0x00406bf1
0x00406bf4
0x00406bfb
0x00406b3f
0x00406b3f
0x00406b42
0x00000000
0x00000000
0x00406cd6
0x00406cd6
0x00406cd9
0x00406bda
0x00406bda
0x00406bda
0x00000000
0x00406be0
0x00000000
0x00406910
0x00406910
0x00406912
0x00406919
0x0040691a
0x0040691c
0x0040691f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c23
0x00406c23
0x00406c26
0x00406c2d
0x00000000
0x00406c30
0x00000000
0x00000000
0x00000000
0x00406955
0x00406955
0x00406958
0x0040698e
0x0040698e
0x00406abe
0x00406abe
0x00406abe
0x00406abe
0x00406ac1
0x00406ac1
0x00406ac4
0x00406ac6
0x00406d50
0x00406d50
0x00000000
0x00406d50
0x00406acc
0x00406acc
0x00406acf
0x00000000
0x00000000
0x00406ad5
0x00406ad5
0x00406ad9
0x00406adc
0x00406adc
0x00406adc
0x00000000
0x00406adc
0x0040695a
0x0040695a
0x0040695c
0x0040695e
0x00406960
0x00406963
0x00406964
0x00406966
0x00406968
0x0040696b
0x0040696e
0x00406984
0x00406984
0x00406989
0x004069c1
0x004069c1
0x004069c5
0x004069ee
0x004069f1
0x004069f3
0x004069fa
0x004069fd
0x00406a00
0x00406a00
0x00406a05
0x00406a05
0x00406a07
0x00406a0a
0x00406a11
0x00406a14
0x00406a41
0x00406a41
0x00406a44
0x00406a47
0x00406abb
0x00406abb
0x00406abb
0x00406abb
0x00000000
0x00406abb
0x00406a49
0x00406a49
0x00406a4f
0x00406a52
0x00406a55
0x00406a58
0x00406a5b
0x00406a5e
0x00406a61
0x00406a64
0x00406a67
0x00406a6a
0x00406a83
0x00406a85
0x00406a88
0x00406a89
0x00406a8c
0x00406a8e
0x00406a91
0x00406a93
0x00406a95
0x00406a98
0x00406a9a
0x00406a9d
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa4
0x00406aa7
0x00406aaa
0x00406a6c
0x00406a6c
0x00406a74
0x00406a79
0x00406a7b
0x00406a7e
0x00406a7e
0x00406aad
0x00406ab4
0x00406a3e
0x00406a3e
0x00406a3e
0x00406a3e
0x00000000
0x00406ab6
0x00406ab6
0x00000000
0x00406ab6
0x00406ab4
0x004069c7
0x004069c7
0x004069ca
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d7
0x004069da
0x004069dd
0x004069dd
0x004069e0
0x004069e0
0x004069e3
0x004069ea
0x004069be
0x004069be
0x004069be
0x004069be
0x00000000
0x004069ec
0x004069ec
0x00000000
0x004069ec
0x004069ea
0x00406970
0x00406970
0x00406973
0x00406975
0x00406978
0x00000000
0x00000000
0x004066d7
0x004066d7
0x004066db
0x00406d20
0x00406d20
0x00000000
0x00406d20
0x004066e1
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f5
0x004066f8
0x004066fb
0x004066fe
0x00406700
0x00406700
0x00406700
0x00000000
0x00000000
0x00406862
0x00406862
0x00406866
0x00406d2c
0x00406d2c
0x00000000
0x00406d2c
0x0040686c
0x0040686c
0x0040686f
0x00406872
0x00406875
0x00406877
0x00406877
0x00406877
0x0040687a
0x0040687d
0x00406880
0x00406883
0x00406886
0x00406889
0x0040688a
0x0040688c
0x0040688c
0x0040688c
0x0040688f
0x00406892
0x00406895
0x00406898
0x00406898
0x00406898
0x0040689b
0x0040689d
0x0040689d
0x00000000
0x00000000
0x00406adf
0x00406adf
0x00406adf
0x00406ae3
0x00000000
0x00000000
0x00406ae9
0x00406ae9
0x00406aec
0x00406aef
0x00406af2
0x00406af4
0x00406af4
0x00406af4
0x00406af7
0x00406afa
0x00406afd
0x00406b00
0x00406b03
0x00406b06
0x00406b07
0x00406b09
0x00406b09
0x00406b09
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b18
0x00406b1c
0x00406b1e
0x00406b21
0x00000000
0x00406b23
0x00406b23
0x004068a0
0x004068a0
0x00000000
0x004068a0
0x00406b21
0x00406d56
0x00406d56
0x00000000
0x00000000
0x00406385
0x00406d8d
0x00406d8d
0x00000000
0x00406d8d
0x00406bda
0x00406c5a
0x00406c23

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e696e36f3b29b383a9b49e269a2ec244692faf4f486f7bfaefcd1a300f4ae5f
Instruction ID: e7210dd1bf7ae6e57bc6f0661249977e4dc153e3877de65058e0b8e50aa98617
Opcode Fuzzy Hash: 0e696e36f3b29b383a9b49e269a2ec244692faf4f486f7bfaefcd1a300f4ae5f
Instruction Fuzzy Hash: 92A12171E00229CBDF28CFA8C8447ADBBB1FF44305F15816AD856BB281D7785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406B28 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406B28() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406D95))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406b28
0x00406b28
0x00406b2c
0x00406b51
0x00406b5b
0x00000000
0x00406b2e
0x00406b2e
0x00406b31
0x00406b35
0x00406b38
0x00406b3b
0x00406b3f
0x00406b3f
0x00406b42
0x00406c1c
0x00406c1c
0x00406c23
0x00406c23
0x00406c26
0x00406c2d
0x00406c5a
0x00406c5e
0x00406cbe
0x00406cc1
0x00406cc6
0x00406cc7
0x00406cc9
0x00406ccb
0x00406cce
0x00406bda
0x00406bda
0x00406bda
0x00406376
0x00406376
0x00406376
0x0040637f
0x00000000
0x00000000
0x00406385
0x00000000
0x00406390
0x00000000
0x00000000
0x00406399
0x0040639c
0x0040639f
0x004063a3
0x00000000
0x00000000
0x004063a9
0x004063ac
0x004063ae
0x004063af
0x004063b2
0x004063b4
0x004063b5
0x004063b7
0x004063ba
0x004063bf
0x004063c4
0x004063cd
0x004063e0
0x004063e3
0x004063ef
0x00406417
0x00406419
0x00406427
0x00406427
0x0040642b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040641b
0x0040641b
0x0040641e
0x0040641f
0x0040641f
0x00000000
0x0040641b
0x004063f5
0x004063fa
0x004063fa
0x00406403
0x0040640b
0x0040640e
0x00000000
0x00406414
0x00406414
0x00000000
0x00406414
0x00000000
0x00406431
0x00406431
0x00406435
0x00406ce1
0x00000000
0x00406ce1
0x0040643e
0x0040644e
0x00406451
0x00406454
0x00406454
0x00406454
0x00406457
0x0040645b
0x00000000
0x00000000
0x0040645d
0x00406463
0x0040648d
0x00406493
0x0040649a
0x00000000
0x0040649a
0x00406469
0x0040646c
0x00406471
0x00406471
0x0040647c
0x00406484
0x00406487
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064cc
0x004064d2
0x004064d5
0x004064e2
0x004064ea
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x00406cf0
0x00000000
0x00406cf0
0x004064b1
0x004064bc
0x004064bc
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406bad
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406baf
0x00406bb3
0x00406d62
0x00000000
0x00406d62
0x00406bbf
0x00406bc6
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd4
0x00000000
0x00000000
0x004064f2
0x004064f4
0x004064f7
0x00406568
0x0040656b
0x0040656e
0x00406575
0x0040657f
0x00000000
0x0040657f
0x004064f9
0x004064fd
0x00406500
0x00406502
0x00406505
0x00406508
0x0040650a
0x0040650d
0x0040650f
0x00406514
0x00406517
0x0040651a
0x0040651e
0x00406525
0x00406528
0x0040652f
0x00406533
0x0040653b
0x0040653b
0x0040653b
0x00406535
0x00406535
0x00406535
0x0040652a
0x0040652a
0x0040652a
0x0040653f
0x00406542
0x00406560
0x00406562
0x00000000
0x00406544
0x00406544
0x00406547
0x0040654a
0x0040654d
0x0040654f
0x0040654f
0x0040654f
0x00406552
0x00406555
0x00406557
0x00406558
0x0040655b
0x00000000
0x0040655b
0x00000000
0x00406791
0x00406795
0x004067b3
0x004067b6
0x004067bd
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067ce
0x004067d5
0x004067d6
0x004067d8
0x004067db
0x004067de
0x004067e1
0x004067e1
0x004067e6
0x00000000
0x004067e6
0x00406797
0x0040679a
0x0040679d
0x004067a7
0x00000000
0x00000000
0x004067fb
0x004067ff
0x00406822
0x00406825
0x00406828
0x00406832
0x00406801
0x00406801
0x00406804
0x00406807
0x0040680a
0x00406817
0x0040681a
0x0040681a
0x00000000
0x00000000
0x0040683e
0x00406842
0x00000000
0x00000000
0x00406848
0x0040684c
0x00000000
0x00000000
0x00406852
0x00406854
0x00406858
0x00406858
0x0040685b
0x0040685f
0x00000000
0x00000000
0x004068af
0x004068b3
0x004068ba
0x004068bd
0x004068c0
0x004068ca
0x00000000
0x004068ca
0x004068b5
0x00000000
0x00000000
0x004068d6
0x004068da
0x004068e1
0x004068e4
0x004068e7
0x004068dc
0x004068dc
0x004068dc
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f3
0x004068f6
0x004068f9
0x004068f9
0x004068fc
0x00406903
0x00406908
0x00000000
0x00000000
0x00406996
0x00406996
0x0040699a
0x00406d38
0x00000000
0x00406d38
0x004069a0
0x004069a3
0x004069a6
0x004069aa
0x004069ad
0x004069b3
0x004069b5
0x004069b5
0x004069b5
0x004069b8
0x004069bb
0x00000000
0x00000000
0x0040658b
0x0040658b
0x0040658f
0x00406cfc
0x00000000
0x00406cfc
0x00406595
0x00406598
0x0040659b
0x0040659f
0x004065a2
0x004065a8
0x004065aa
0x004065aa
0x004065aa
0x004065ad
0x004065b0
0x004065b0
0x004065b3
0x004065b6
0x00000000
0x00000000
0x004065bc
0x004065c2
0x00000000
0x00000000
0x004065c8
0x004065c8
0x004065cc
0x004065cf
0x004065d2
0x004065d5
0x004065d8
0x004065d9
0x004065dc
0x004065de
0x004065e4
0x004065e7
0x004065ea
0x004065ed
0x004065f0
0x004065f3
0x004065f6
0x00406612
0x00406615
0x00406618
0x0040661b
0x00406622
0x00406626
0x00406628
0x0040662c
0x004065f8
0x004065f8
0x004065fc
0x00406604
0x00406609
0x0040660b
0x0040660d
0x0040660d
0x0040662f
0x00406636
0x00406639
0x00000000
0x0040663f
0x00000000
0x0040663f
0x00000000
0x00406644
0x00406644
0x00406648
0x00406d08
0x00000000
0x00406d08
0x0040664e
0x00406651
0x00406654
0x00406658
0x0040665b
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x00406669
0x00406669
0x0040666f
0x00000000
0x00000000
0x00406671
0x00406674
0x00406677
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406686
0x00406689
0x0040668c
0x0040668f
0x004066a7
0x004066aa
0x004066ad
0x004066b0
0x004066b0
0x004066b3
0x004066b7
0x004066b9
0x00406691
0x00406691
0x00406699
0x0040669e
0x004066a0
0x004066a2
0x004066a2
0x004066bc
0x004066c3
0x004066c6
0x00000000
0x004066c8
0x00000000
0x004066c8
0x004066c6
0x004066cd
0x004066cd
0x004066cd
0x004066cd
0x00000000
0x00000000
0x00406708
0x00406708
0x0040670c
0x00406d14
0x00000000
0x00406d14
0x00406712
0x00406715
0x00406718
0x0040671c
0x0040671f
0x00406725
0x00406727
0x00406727
0x00406727
0x0040672a
0x0040672d
0x0040672d
0x00406733
0x004066d1
0x004066d1
0x004066d4
0x00000000
0x004066d4
0x00406735
0x00406735
0x00406738
0x0040673b
0x0040673e
0x00406741
0x00406744
0x00406747
0x0040674a
0x0040674d
0x00406750
0x00406753
0x0040676b
0x0040676e
0x00406771
0x00406774
0x00406774
0x00406777
0x0040677b
0x0040677d
0x00406755
0x00406755
0x0040675d
0x00406762
0x00406764
0x00406766
0x00406766
0x00406780
0x00406787
0x0040678a
0x00000000
0x0040678c
0x00000000
0x0040678c
0x00000000
0x00406a19
0x00406a19
0x00406a1d
0x00406d44
0x00000000
0x00406d44
0x00406a23
0x00406a26
0x00406a29
0x00406a2d
0x00406a30
0x00406a36
0x00406a38
0x00406a38
0x00406a38
0x00406a3b
0x00000000
0x00000000
0x004067e9
0x004067e9
0x004067ec
0x00406b5e
0x00406b5e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406be5
0x00406be9
0x00406c07
0x00406c07
0x00406c07
0x00406c0e
0x00406c15
0x00000000
0x00406c15
0x00406beb
0x00406bee
0x00406bf1
0x00406bf4
0x00406bfb
0x00000000
0x00000000
0x00406cd6
0x00406cd9
0x00406bda
0x00406bda
0x00000000
0x00000000
0x00406910
0x00406912
0x00406919
0x0040691a
0x0040691c
0x0040691f
0x00000000
0x00000000
0x00406927
0x0040692a
0x0040692d
0x0040692f
0x00406931
0x00406931
0x00406932
0x00406935
0x0040693c
0x0040693f
0x0040694d
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c32
0x00406c32
0x00406c36
0x00406d6e
0x00000000
0x00406d6e
0x00406c3c
0x00406c3f
0x00406c42
0x00406c46
0x00406c49
0x00406c4f
0x00406c51
0x00406c51
0x00406c51
0x00406c54
0x00406c57
0x00406c57
0x00406c57
0x00406c57
0x00000000
0x00000000
0x00406955
0x00406958
0x0040698e
0x00406abe
0x00406abe
0x00406abe
0x00406abe
0x00406ac1
0x00406ac1
0x00406ac4
0x00406ac6
0x00406d50
0x00000000
0x00406d50
0x00406acc
0x00406acf
0x00000000
0x00000000
0x00406ad5
0x00406ad9
0x00406adc
0x00406adc
0x00406adc
0x00000000
0x00406adc
0x0040695a
0x0040695c
0x0040695e
0x00406960
0x00406963
0x00406964
0x00406966
0x00406968
0x0040696b
0x0040696e
0x00406984
0x00406989
0x004069c1
0x004069c1
0x004069c5
0x004069f1
0x004069f3
0x004069fa
0x004069fd
0x00406a00
0x00406a00
0x00406a05
0x00406a05
0x00406a07
0x00406a0a
0x00406a11
0x00406a14
0x00406a41
0x00406a41
0x00406a44
0x00406a47
0x00406abb
0x00406abb
0x00406abb
0x00000000
0x00406abb
0x00406a49
0x00406a4f
0x00406a52
0x00406a55
0x00406a58
0x00406a5b
0x00406a5e
0x00406a61
0x00406a64
0x00406a67
0x00406a6a
0x00406a83
0x00406a85
0x00406a88
0x00406a89
0x00406a8c
0x00406a8e
0x00406a91
0x00406a93
0x00406a95
0x00406a98
0x00406a9a
0x00406a9d
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa4
0x00406aa7
0x00406aaa
0x00406a6c
0x00406a6c
0x00406a74
0x00406a79
0x00406a7b
0x00406a7e
0x00406a7e
0x00406aad
0x00406ab4
0x00406a3e
0x00406a3e
0x00406a3e
0x00406a3e
0x00000000
0x00406ab6
0x00000000
0x00406ab6
0x00406ab4
0x004069c7
0x004069ca
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d7
0x004069da
0x004069dd
0x004069dd
0x004069e0
0x004069e0
0x004069e3
0x004069ea
0x004069be
0x004069be
0x004069be
0x004069be
0x00000000
0x004069ec
0x00000000
0x004069ec
0x004069ea
0x00406970
0x00406973
0x00406975
0x00406978
0x00000000
0x00000000
0x004066d7
0x004066d7
0x004066db
0x00406d20
0x00000000
0x00406d20
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f5
0x004066f8
0x004066fb
0x004066fe
0x00406700
0x00406700
0x00406700
0x00000000
0x00000000
0x00406862
0x00406862
0x00406866
0x00406d2c
0x00000000
0x00406d2c
0x0040686c
0x0040686f
0x00406872
0x00406875
0x00406877
0x00406877
0x00406877
0x0040687a
0x0040687d
0x00406880
0x00406883
0x00406886
0x00406889
0x0040688a
0x0040688c
0x0040688c
0x0040688c
0x0040688f
0x00406892
0x00406895
0x00406898
0x00406898
0x00406898
0x0040689b
0x0040689d
0x0040689d
0x00000000
0x00000000
0x00406adf
0x00406adf
0x00406adf
0x00406ae3
0x00000000
0x00000000
0x00406ae9
0x00406aec
0x00406aef
0x00406af2
0x00406af4
0x00406af4
0x00406af4
0x00406af7
0x00406afa
0x00406afd
0x00406b00
0x00406b03
0x00406b06
0x00406b07
0x00406b09
0x00406b09
0x00406b09
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b18
0x00406b1c
0x00406b1e
0x00406b21
0x00000000
0x00406b23
0x004068a0
0x004068a0
0x00000000
0x004068a0
0x00406b21
0x00406d56
0x00406d78
0x00406d7e
0x00406d80
0x00406d87
0x00406d89
0x00406d90
0x00406d94
0x00000000
0x00406385
0x00406d8d
0x00406d8d
0x00000000
0x00406d8d
0x00406bda
0x00406c60
0x00406c66
0x00406c69
0x00406c6c
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c7b
0x00406c81
0x00406c9a
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca7
0x00406ca9
0x00406caa
0x00406cad
0x00406c83
0x00406c83
0x00406c8b
0x00406c90
0x00406c92
0x00406c95
0x00406c95
0x00406cb7
0x00000000
0x00406cb9
0x00000000
0x00406cb9
0x00406cb7
0x00000000
0x00406b2c

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07ff9958cc0a5c4b54172b6dd09b52a9778fceec85a53f3aef8393d05b91ce7
Instruction ID: dfe22e26bf84c875961fb60aea0a0c0c7e72c4959145387287e6a66c2e3a903c
Opcode Fuzzy Hash: f07ff9958cc0a5c4b54172b6dd09b52a9778fceec85a53f3aef8393d05b91ce7
Instruction Fuzzy Hash: 57912171E00228CBEF28CF98C8487ADBBB1FF44305F15812AD856BB291C7785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040683E Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040683E() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00406D95))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040683e
0x0040683e
0x00406842
0x004068f9
0x004068fc
0x00406908
0x004067e9
0x004067e9
0x004067ec
0x00406b5e
0x00406b5e
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406bad
0x00406bd4
0x00406bd4
0x00406bda
0x00406bda
0x00000000
0x00406baf
0x00406baf
0x00406bb3
0x00406d62
0x00000000
0x00406d62
0x00406bbf
0x00406bc6
0x00406bce
0x00406bd1
0x00000000
0x00406bd1
0x00406848
0x0040684c
0x00406d8d
0x00406d8d
0x00406d90
0x00406d94
0x00406d94
0x00406852
0x00406858
0x0040685b
0x0040685f
0x00406862
0x00406866
0x00406d2c
0x00406d78
0x00406d80
0x00406d87
0x00406d89
0x00000000
0x00406d89
0x0040686c
0x0040686f
0x00406875
0x00406877
0x00406877
0x0040687a
0x0040687d
0x00406880
0x00406883
0x00406886
0x00406889
0x0040688a
0x0040688c
0x0040688c
0x0040688c
0x0040688f
0x00406892
0x00406895
0x00406898
0x00406898
0x0040689b
0x0040689d
0x0040689d
0x004068a0
0x004068a0
0x004068a0
0x00406376
0x00406376
0x0040637f
0x00000000
0x00000000
0x00406385
0x00000000
0x00406390
0x00000000
0x00000000
0x00406399
0x0040639c
0x0040639f
0x004063a3
0x00000000
0x00000000
0x004063a9
0x004063ac
0x004063ae
0x004063af
0x004063b2
0x004063b4
0x004063b5
0x004063b7
0x004063ba
0x004063bf
0x004063c4
0x004063cd
0x004063e0
0x004063e3
0x004063ef
0x00406417
0x00406419
0x00406427
0x00406427
0x0040642b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040641b
0x0040641b
0x0040641e
0x0040641f
0x0040641f
0x00000000
0x0040641b
0x004063f5
0x004063fa
0x004063fa
0x00406403
0x0040640b
0x0040640e
0x00000000
0x00406414
0x00406414
0x00000000
0x00406414
0x00000000
0x00406431
0x00406431
0x00406435
0x00406ce1
0x00000000
0x00406ce1
0x0040643e
0x0040644e
0x00406451
0x00406454
0x00406454
0x00406454
0x00406457
0x0040645b
0x00000000
0x00000000
0x0040645d
0x00406463
0x0040648d
0x00406493
0x0040649a
0x00000000
0x0040649a
0x00406469
0x0040646c
0x00406471
0x00406471
0x0040647c
0x00406484
0x00406487
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064cc
0x004064d2
0x004064d5
0x004064e2
0x004064ea
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x00406cf0
0x00000000
0x00406cf0
0x004064b1
0x004064bc
0x004064bc
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064f2
0x004064f4
0x004064f7
0x00406568
0x0040656b
0x0040656e
0x00406575
0x0040657f
0x00000000
0x0040657f
0x004064f9
0x004064fd
0x00406500
0x00406502
0x00406505
0x00406508
0x0040650a
0x0040650d
0x0040650f
0x00406514
0x00406517
0x0040651a
0x0040651e
0x00406525
0x00406528
0x0040652f
0x00406533
0x0040653b
0x0040653b
0x0040653b
0x00406535
0x00406535
0x00406535
0x0040652a
0x0040652a
0x0040652a
0x0040653f
0x00406542
0x00406560
0x00406562
0x00000000
0x00406544
0x00406544
0x00406547
0x0040654a
0x0040654d
0x0040654f
0x0040654f
0x0040654f
0x00406552
0x00406555
0x00406557
0x00406558
0x0040655b
0x00000000
0x0040655b
0x00000000
0x00406791
0x00406795
0x004067b3
0x004067b6
0x004067bd
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067ce
0x004067d5
0x004067d6
0x004067d8
0x004067db
0x004067de
0x004067e1
0x004067e1
0x004067e6
0x00000000
0x004067e6
0x00406797
0x0040679a
0x0040679d
0x004067a7
0x00000000
0x00000000
0x004067fb
0x004067ff
0x00406822
0x00406825
0x00406828
0x00406832
0x00406801
0x00406801
0x00406804
0x00406807
0x0040680a
0x00406817
0x0040681a
0x0040681a
0x00000000
0x00000000
0x00000000
0x00000000
0x004068af
0x004068b3
0x004068ba
0x004068bd
0x004068c0
0x004068ca
0x00000000
0x004068ca
0x004068b5
0x00000000
0x00000000
0x004068d6
0x004068da
0x004068e1
0x004068e4
0x004068e7
0x004068dc
0x004068dc
0x004068dc
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f3
0x004068f6
0x00000000
0x00000000
0x00406996
0x00406996
0x0040699a
0x00406d38
0x00000000
0x00406d38
0x004069a0
0x004069a3
0x004069a6
0x004069aa
0x004069ad
0x004069b3
0x004069b5
0x004069b5
0x004069b5
0x004069b8
0x004069bb
0x00000000
0x00000000
0x0040658b
0x0040658b
0x0040658f
0x00406cfc
0x00000000
0x00406cfc
0x00406595
0x00406598
0x0040659b
0x0040659f
0x004065a2
0x004065a8
0x004065aa
0x004065aa
0x004065aa
0x004065ad
0x004065b0
0x004065b0
0x004065b3
0x004065b6
0x00000000
0x00000000
0x004065bc
0x004065c2
0x00000000
0x00000000
0x004065c8
0x004065c8
0x004065cc
0x004065cf
0x004065d2
0x004065d5
0x004065d8
0x004065d9
0x004065dc
0x004065de
0x004065e4
0x004065e7
0x004065ea
0x004065ed
0x004065f0
0x004065f3
0x004065f6
0x00406612
0x00406615
0x00406618
0x0040661b
0x00406622
0x00406626
0x00406628
0x0040662c
0x004065f8
0x004065f8
0x004065fc
0x00406604
0x00406609
0x0040660b
0x0040660d
0x0040660d
0x0040662f
0x00406636
0x00406639
0x00000000
0x0040663f
0x00000000
0x0040663f
0x00000000
0x00406644
0x00406644
0x00406648
0x00406d08
0x00000000
0x00406d08
0x0040664e
0x00406651
0x00406654
0x00406658
0x0040665b
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x00406669
0x00406669
0x0040666f
0x00000000
0x00000000
0x00406671
0x00406674
0x00406677
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406686
0x00406689
0x0040668c
0x0040668f
0x004066a7
0x004066aa
0x004066ad
0x004066b0
0x004066b0
0x004066b3
0x004066b7
0x004066b9
0x00406691
0x00406691
0x00406699
0x0040669e
0x004066a0
0x004066a2
0x004066a2
0x004066bc
0x004066c3
0x004066c6
0x00000000
0x004066c8
0x00000000
0x004066c8
0x004066c6
0x004066cd
0x004066cd
0x004066cd
0x004066cd
0x00000000
0x00000000
0x00406708
0x00406708
0x0040670c
0x00406d14
0x00000000
0x00406d14
0x00406712
0x00406715
0x00406718
0x0040671c
0x0040671f
0x00406725
0x00406727
0x00406727
0x00406727
0x0040672a
0x0040672d
0x0040672d
0x00406733
0x004066d1
0x004066d1
0x004066d4
0x00000000
0x004066d4
0x00406735
0x00406735
0x00406738
0x0040673b
0x0040673e
0x00406741
0x00406744
0x00406747
0x0040674a
0x0040674d
0x00406750
0x00406753
0x0040676b
0x0040676e
0x00406771
0x00406774
0x00406774
0x00406777
0x0040677b
0x0040677d
0x00406755
0x00406755
0x0040675d
0x00406762
0x00406764
0x00406766
0x00406766
0x00406780
0x00406787
0x0040678a
0x00000000
0x0040678c
0x00000000
0x0040678c
0x00000000
0x00406a19
0x00406a19
0x00406a1d
0x00406d44
0x00000000
0x00406d44
0x00406a23
0x00406a26
0x00406a29
0x00406a2d
0x00406a30
0x00406a36
0x00406a38
0x00406a38
0x00406a38
0x00406a3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b28
0x00406b2c
0x00406b4e
0x00406b51
0x00406b5b
0x00000000
0x00406b5b
0x00406b2e
0x00406b31
0x00406b35
0x00406b38
0x00406b38
0x00406b3b
0x00000000
0x00000000
0x00406be5
0x00406be9
0x00406c07
0x00406c07
0x00406c07
0x00406c0e
0x00406c15
0x00406c1c
0x00406c1c
0x00000000
0x00406c1c
0x00406beb
0x00406bee
0x00406bf1
0x00406bf4
0x00406bfb
0x00406b3f
0x00406b3f
0x00406b42
0x00000000
0x00000000
0x00406cd6
0x00406cd9
0x00000000
0x00000000
0x00406910
0x00406912
0x00406919
0x0040691a
0x0040691c
0x0040691f
0x00000000
0x00000000
0x00406927
0x0040692a
0x0040692d
0x0040692f
0x00406931
0x00406931
0x00406932
0x00406935
0x0040693c
0x0040693f
0x0040694d
0x00000000
0x00000000
0x00406c23
0x00406c23
0x00406c26
0x00406c2d
0x00000000
0x00000000
0x00406c32
0x00406c32
0x00406c36
0x00406d6e
0x00000000
0x00406d6e
0x00406c3c
0x00406c3f
0x00406c42
0x00406c46
0x00406c49
0x00406c4f
0x00406c51
0x00406c51
0x00406c51
0x00406c54
0x00406c57
0x00406c57
0x00406c57
0x00406c57
0x00406c5a
0x00406c5a
0x00406c5e
0x00406cbe
0x00406cc1
0x00406cc6
0x00406cc7
0x00406cc9
0x00406ccb
0x00406cce
0x00000000
0x00406cce
0x00406c60
0x00406c66
0x00406c69
0x00406c6c
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c7b
0x00406c7e
0x00406c81
0x00406c9a
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca7
0x00406ca9
0x00406ca9
0x00406caa
0x00406cad
0x00406c83
0x00406c83
0x00406c8b
0x00406c90
0x00406c92
0x00406c95
0x00406c95
0x00406cb0
0x00406cb7
0x00000000
0x00406cb9
0x00000000
0x00406cb9
0x00000000
0x00406955
0x00406958
0x0040698e
0x00406abe
0x00406abe
0x00406abe
0x00406abe
0x00406ac1
0x00406ac1
0x00406ac4
0x00406ac6
0x00406d50
0x00000000
0x00406d50
0x00406acc
0x00406acf
0x00000000
0x00000000
0x00406ad5
0x00406ad9
0x00406adc
0x00406adc
0x00406adc
0x00000000
0x00406adc
0x0040695a
0x0040695c
0x0040695e
0x00406960
0x00406963
0x00406964
0x00406966
0x00406968
0x0040696b
0x0040696e
0x00406984
0x00406989
0x004069c1
0x004069c1
0x004069c5
0x004069f1
0x004069f3
0x004069fa
0x004069fd
0x00406a00
0x00406a00
0x00406a05
0x00406a05
0x00406a07
0x00406a0a
0x00406a11
0x00406a14
0x00406a41
0x00406a41
0x00406a44
0x00406a47
0x00406abb
0x00406abb
0x00406abb
0x00000000
0x00406abb
0x00406a49
0x00406a4f
0x00406a52
0x00406a55
0x00406a58
0x00406a5b
0x00406a5e
0x00406a61
0x00406a64
0x00406a67
0x00406a6a
0x00406a83
0x00406a85
0x00406a88
0x00406a89
0x00406a8c
0x00406a8e
0x00406a91
0x00406a93
0x00406a95
0x00406a98
0x00406a9a
0x00406a9d
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa4
0x00406aa7
0x00406aaa
0x00406a6c
0x00406a6c
0x00406a74
0x00406a79
0x00406a7b
0x00406a7e
0x00406a7e
0x00406aad
0x00406ab4
0x00406a3e
0x00406a3e
0x00406a3e
0x00406a3e
0x00000000
0x00406ab6
0x00000000
0x00406ab6
0x00406ab4
0x004069c7
0x004069ca
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d7
0x004069da
0x004069dd
0x004069dd
0x004069e0
0x004069e0
0x004069e3
0x004069ea
0x004069be
0x004069be
0x004069be
0x004069be
0x00000000
0x004069ec
0x00000000
0x004069ec
0x004069ea
0x00406970
0x00406973
0x00406975
0x00406978
0x00000000
0x00000000
0x004066d7
0x004066d7
0x004066db
0x00406d20
0x00000000
0x00406d20
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f5
0x004066f8
0x004066fb
0x004066fe
0x00406700
0x00406700
0x00406700
0x00000000
0x00000000
0x00000000
0x00000000
0x00406adf
0x00406adf
0x00406adf
0x00406ae3
0x00000000
0x00000000
0x00406ae9
0x00406aec
0x00406aef
0x00406af2
0x00406af4
0x00406af4
0x00406af4
0x00406af7
0x00406afa
0x00406afd
0x00406b00
0x00406b03
0x00406b06
0x00406b07
0x00406b09
0x00406b09
0x00406b09
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b18
0x00406b1c
0x00406b1e
0x00406b21
0x00000000
0x00406b23
0x00000000
0x00406b23
0x00406b21
0x00406d56
0x00000000
0x00000000
0x00406385

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ca0652709b176c29e3933bfdb586e85df19df44de81321453fc3f387266e06
Instruction ID: 1ece14ab204a377bacf4c4112b7b549093c5c53d3c7361c28d4bce1b221be6f9
Opcode Fuzzy Hash: 84ca0652709b176c29e3933bfdb586e85df19df44de81321453fc3f387266e06
Instruction Fuzzy Hash: 2F812371E00228CBDF24CFA8C844BADBBB1FF45305F25816AD856BB291C7389996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406343 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406343(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00406D95))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406353
0x0040635a
0x00406360
0x00406366
0x00000000
0x0040636a
0x00406376
0x00406376
0x00406376
0x0040637f
0x00000000
0x00000000
0x00406385
0x00000000
0x0040638c
0x00406390
0x00000000
0x00000000
0x00406399
0x0040639c
0x0040639f
0x004063a1
0x004063a3
0x00000000
0x00000000
0x004063a9
0x004063ac
0x004063ae
0x004063af
0x004063b2
0x004063b4
0x004063b5
0x004063b7
0x004063ba
0x004063bf
0x004063c4
0x004063cd
0x004063e0
0x004063e3
0x004063ec
0x004063ef
0x00406417
0x00406417
0x00406419
0x00406427
0x00406427
0x0040642b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040641b
0x0040641b
0x0040641e
0x0040641e
0x0040641f
0x0040641f
0x00000000
0x0040641b
0x004063f1
0x004063f5
0x004063fa
0x004063fa
0x00406403
0x00406409
0x0040640b
0x0040640e
0x00000000
0x00406414
0x00406414
0x00000000
0x00406414
0x00000000
0x00406431
0x00406431
0x00406435
0x00406ce1
0x00000000
0x00406ce1
0x0040643e
0x0040644e
0x00406451
0x00406454
0x00406454
0x00406454
0x00406457
0x00406457
0x0040645b
0x00000000
0x00000000
0x0040645d
0x00406460
0x00406463
0x0040648d
0x00406493
0x0040649a
0x00000000
0x0040649a
0x00406465
0x00406469
0x0040646c
0x00406471
0x00406471
0x0040647c
0x00406482
0x00406484
0x00406487
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064cc
0x004064d2
0x004064d5
0x004064e2
0x004064ea
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x00406cf0
0x00000000
0x00406cf0
0x004064b1
0x004064bc
0x004064bc
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b70
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406ba6
0x00406bad
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406baf
0x00406baf
0x00406bb3
0x00406d62
0x00000000
0x00406d62
0x00406bbf
0x00406bc6
0x00406bce
0x00406bce
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd4
0x00000000
0x00000000
0x004064f2
0x004064f4
0x004064f7
0x00406568
0x0040656b
0x0040656e
0x00406575
0x0040657f
0x00000000
0x0040657f
0x004064f9
0x004064fd
0x00406500
0x00406502
0x00406505
0x00406508
0x0040650a
0x0040650d
0x0040650f
0x00406514
0x00406517
0x0040651a
0x0040651e
0x00406525
0x00406528
0x0040652f
0x00406533
0x0040653b
0x0040653b
0x0040653b
0x00406535
0x00406535
0x00406535
0x0040652a
0x0040652a
0x0040652a
0x0040653f
0x00406542
0x00406560
0x00406562
0x00000000
0x00406562
0x00406544
0x00406547
0x0040654a
0x0040654d
0x0040654f
0x0040654f
0x0040654f
0x00406552
0x00406555
0x00406557
0x00406558
0x0040655b
0x00000000
0x00000000
0x00406791
0x00406795
0x004067b3
0x004067b6
0x004067bd
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067ce
0x004067d5
0x004067d6
0x004067d8
0x004067db
0x004067de
0x004067e1
0x004067e1
0x004067e6
0x00000000
0x004067e6
0x00406797
0x0040679a
0x0040679d
0x004067a7
0x00000000
0x00000000
0x004067fb
0x004067ff
0x00406822
0x00406825
0x00406828
0x00406832
0x00406801
0x00406801
0x00406804
0x00406807
0x0040680a
0x00406817
0x0040681a
0x0040681a
0x00000000
0x00000000
0x0040683e
0x00406842
0x00000000
0x00000000
0x00406848
0x0040684c
0x00000000
0x00000000
0x00406852
0x00406854
0x00406858
0x00406858
0x0040685b
0x0040685f
0x00000000
0x00000000
0x004068af
0x004068b3
0x004068ba
0x004068bd
0x004068c0
0x004068ca
0x00000000
0x004068ca
0x004068b5
0x00000000
0x00000000
0x004068d6
0x004068da
0x004068e1
0x004068e4
0x004068e7
0x004068dc
0x004068dc
0x004068dc
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f3
0x004068f6
0x004068f9
0x004068f9
0x004068fc
0x00406903
0x00406908
0x00000000
0x00000000
0x00406996
0x00406996
0x0040699a
0x00406d38
0x00000000
0x00406d38
0x004069a0
0x004069a3
0x004069a6
0x004069aa
0x004069ad
0x004069b3
0x004069b5
0x004069b5
0x004069b5
0x004069b8
0x004069bb
0x00000000
0x00000000
0x0040658b
0x0040658b
0x0040658f
0x00406cfc
0x00000000
0x00406cfc
0x00406595
0x00406598
0x0040659b
0x0040659f
0x004065a2
0x004065a8
0x004065aa
0x004065aa
0x004065aa
0x004065ad
0x004065b0
0x004065b0
0x004065b3
0x004065b6
0x00000000
0x00000000
0x004065bc
0x004065c2
0x00000000
0x00000000
0x004065c8
0x004065c8
0x004065cc
0x004065cf
0x004065d2
0x004065d5
0x004065d8
0x004065d9
0x004065dc
0x004065de
0x004065e4
0x004065e7
0x004065ea
0x004065ed
0x004065f0
0x004065f3
0x004065f6
0x00406612
0x00406615
0x00406618
0x0040661b
0x00406622
0x00406626
0x00406628
0x0040662c
0x004065f8
0x004065f8
0x004065fc
0x00406604
0x00406609
0x0040660b
0x0040660d
0x0040660d
0x0040662f
0x00406636
0x00406639
0x00000000
0x0040663f
0x00000000
0x0040663f
0x00000000
0x00406644
0x00406644
0x00406648
0x00406d08
0x00000000
0x00406d08
0x0040664e
0x00406651
0x00406654
0x00406658
0x0040665b
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x00406669
0x00406669
0x0040666f
0x00000000
0x00000000
0x00406671
0x00406674
0x00406677
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406686
0x00406689
0x0040668c
0x0040668f
0x004066a7
0x004066aa
0x004066ad
0x004066b0
0x004066b0
0x004066b3
0x004066b7
0x004066b9
0x00406691
0x00406691
0x00406699
0x0040669e
0x004066a0
0x004066a2
0x004066a2
0x004066bc
0x004066c3
0x004066c6
0x00000000
0x004066c8
0x00000000
0x004066c8
0x004066c6
0x004066cd
0x004066cd
0x004066cd
0x004066cd
0x00000000
0x00000000
0x00406708
0x00406708
0x0040670c
0x00406d14
0x00000000
0x00406d14
0x00406712
0x00406715
0x00406718
0x0040671c
0x0040671f
0x00406725
0x00406727
0x00406727
0x00406727
0x0040672a
0x0040672d
0x0040672d
0x00406733
0x004066d1
0x004066d1
0x004066d4
0x00000000
0x004066d4
0x00406735
0x00406735
0x00406738
0x0040673b
0x0040673e
0x00406741
0x00406744
0x00406747
0x0040674a
0x0040674d
0x00406750
0x00406753
0x0040676b
0x0040676e
0x00406771
0x00406774
0x00406774
0x00406777
0x0040677b
0x0040677d
0x00406755
0x00406755
0x0040675d
0x00406762
0x00406764
0x00406766
0x00406766
0x00406780
0x00406787
0x0040678a
0x00000000
0x0040678c
0x00000000
0x0040678c
0x00000000
0x00406a19
0x00406a19
0x00406a1d
0x00406d44
0x00000000
0x00406d44
0x00406a23
0x00406a26
0x00406a29
0x00406a2d
0x00406a30
0x00406a36
0x00406a38
0x00406a38
0x00406a38
0x00406a3b
0x00000000
0x00000000
0x004067e9
0x004067e9
0x004067ec
0x00000000
0x00000000
0x00406b28
0x00406b2c
0x00406b4e
0x00406b51
0x00406b5b
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00406b2e
0x00406b31
0x00406b35
0x00406b38
0x00406b38
0x00406b3b
0x00000000
0x00000000
0x00406be5
0x00406be9
0x00406c07
0x00406c07
0x00406c07
0x00406c0e
0x00406c15
0x00406c1c
0x00406c1c
0x00000000
0x00406c1c
0x00406beb
0x00406bee
0x00406bf1
0x00406bf4
0x00406bfb
0x00406b3f
0x00406b3f
0x00406b42
0x00000000
0x00000000
0x00406cd6
0x00406cd9
0x00000000
0x00000000
0x00406910
0x00406912
0x00406919
0x0040691a
0x0040691c
0x0040691f
0x00000000
0x00000000
0x00406927
0x0040692a
0x0040692d
0x0040692f
0x00406931
0x00406931
0x00406932
0x00406935
0x0040693c
0x0040693f
0x0040694d
0x00000000
0x00000000
0x00406c23
0x00406c23
0x00406c26
0x00406c2d
0x00000000
0x00000000
0x00406c32
0x00406c32
0x00406c36
0x00406d6e
0x00000000
0x00406d6e
0x00406c3c
0x00406c3f
0x00406c42
0x00406c46
0x00406c49
0x00406c4f
0x00406c51
0x00406c51
0x00406c51
0x00406c54
0x00406c57
0x00406c57
0x00406c57
0x00406c57
0x00406c5a
0x00406c5a
0x00406c5e
0x00406cbe
0x00406cc1
0x00406cc6
0x00406cc7
0x00406cc9
0x00406ccb
0x00406cce
0x00406bda
0x00406bda
0x00000000
0x00406bda
0x00406c60
0x00406c66
0x00406c69
0x00406c6c
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c7b
0x00406c7e
0x00406c81
0x00406c9a
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca7
0x00406ca9
0x00406ca9
0x00406caa
0x00406cad
0x00406c83
0x00406c83
0x00406c8b
0x00406c90
0x00406c92
0x00406c95
0x00406c95
0x00406cb0
0x00406cb7
0x00000000
0x00406cb9
0x00000000
0x00406cb9
0x00000000
0x00406955
0x00406958
0x0040698e
0x00406abe
0x00406abe
0x00406abe
0x00406abe
0x00406ac1
0x00406ac1
0x00406ac4
0x00406ac6
0x00406d50
0x00000000
0x00406d50
0x00406acc
0x00406acf
0x00000000
0x00000000
0x00406ad5
0x00406ad9
0x00406adc
0x00406adc
0x00406adc
0x00000000
0x00406adc
0x0040695a
0x0040695c
0x0040695e
0x00406960
0x00406963
0x00406964
0x00406966
0x00406968
0x0040696b
0x0040696e
0x00406984
0x00406989
0x004069c1
0x004069c1
0x004069c5
0x004069f1
0x004069f3
0x004069fa
0x004069fd
0x00406a00
0x00406a00
0x00406a05
0x00406a05
0x00406a07
0x00406a0a
0x00406a11
0x00406a14
0x00406a41
0x00406a41
0x00406a44
0x00406a47
0x00406abb
0x00406abb
0x00406abb
0x00000000
0x00406abb
0x00406a49
0x00406a4f
0x00406a52
0x00406a55
0x00406a58
0x00406a5b
0x00406a5e
0x00406a61
0x00406a64
0x00406a67
0x00406a6a
0x00406a83
0x00406a85
0x00406a88
0x00406a89
0x00406a8c
0x00406a8e
0x00406a91
0x00406a93
0x00406a95
0x00406a98
0x00406a9a
0x00406a9d
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa4
0x00406aa7
0x00406aaa
0x00406a6c
0x00406a6c
0x00406a74
0x00406a79
0x00406a7b
0x00406a7e
0x00406a7e
0x00406aad
0x00406ab4
0x00406a3e
0x00406a3e
0x00406a3e
0x00406a3e
0x00000000
0x00406ab6
0x00000000
0x00406ab6
0x00406ab4
0x004069c7
0x004069ca
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d7
0x004069da
0x004069dd
0x004069dd
0x004069e0
0x004069e0
0x004069e3
0x004069ea
0x004069be
0x004069be
0x004069be
0x004069be
0x00000000
0x004069ec
0x00000000
0x004069ec
0x004069ea
0x00406970
0x00406973
0x00406975
0x00406978
0x00000000
0x00000000
0x004066d7
0x004066d7
0x004066db
0x00406d20
0x00000000
0x00406d20
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f5
0x004066f8
0x004066fb
0x004066fe
0x00406700
0x00406700
0x00406700
0x00000000
0x00000000
0x00406862
0x00406862
0x00406866
0x00406d2c
0x00000000
0x00406d2c
0x0040686c
0x0040686f
0x00406872
0x00406875
0x00406877
0x00406877
0x00406877
0x0040687a
0x0040687d
0x00406880
0x00406883
0x00406886
0x00406889
0x0040688a
0x0040688c
0x0040688c
0x0040688c
0x0040688f
0x00406892
0x00406895
0x00406898
0x00406898
0x00406898
0x0040689b
0x0040689d
0x0040689d
0x00000000
0x00000000
0x00406adf
0x00406adf
0x00406adf
0x00406ae3
0x00000000
0x00000000
0x00406ae9
0x00406aec
0x00406aef
0x00406af2
0x00406af4
0x00406af4
0x00406af4
0x00406af7
0x00406afa
0x00406afd
0x00406b00
0x00406b03
0x00406b06
0x00406b07
0x00406b09
0x00406b09
0x00406b09
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b18
0x00406b1c
0x00406b1e
0x00406b21
0x00000000
0x00406b23
0x004068a0
0x004068a0
0x00000000
0x004068a0
0x00406b21
0x00406d56
0x00406d78
0x00406d7e
0x00406d80
0x00406d87
0x00000000
0x00000000
0x00406385
0x00406d8d
0x00406d8d
0x00000000

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d2d79ee1698e02166a76d9f9a75bf30fcfc58c5aa246c05a5e38c1e28bf93f
Instruction ID: 55e4fbe980d9bb336d6d60fded90e401283c30e73d491835107477025b5cbc5b
Opcode Fuzzy Hash: 53d2d79ee1698e02166a76d9f9a75bf30fcfc58c5aa246c05a5e38c1e28bf93f
Instruction Fuzzy Hash: 54815671E00228DBDB24CFA8C844BADBBB1FF44305F21816AD856BB2C1D7785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406791 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406791() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00406D95))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406791
0x00406791
0x00406795
0x004067b6
0x004067bd
0x004067c3
0x004067c9
0x004067db
0x004067e1
0x004067e6
0x00000000
0x00406797
0x0040679d
0x00406b5e
0x00406b5e
0x00406b5e
0x00406b61
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406bad
0x00000000
0x00000000
0x00406baf
0x00406bb3
0x00406d62
0x00406d78
0x00406d80
0x00406d87
0x00406d89
0x00406d90
0x00406d94
0x00406d94
0x00406bbf
0x00406bc6
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd4
0x00406bda
0x00406bda
0x00406376
0x00406376
0x00406376
0x0040637f
0x00000000
0x00000000
0x00406385
0x00000000
0x00406390
0x00000000
0x00000000
0x00406399
0x0040639c
0x0040639f
0x004063a3
0x00000000
0x00000000
0x004063a9
0x004063ac
0x004063ae
0x004063af
0x004063b2
0x004063b4
0x004063b5
0x004063b7
0x004063ba
0x004063bf
0x004063c4
0x004063cd
0x004063e0
0x004063e3
0x004063ef
0x00406417
0x00406419
0x00406427
0x00406427
0x0040642b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040641b
0x0040641b
0x0040641e
0x0040641f
0x0040641f
0x00000000
0x0040641b
0x004063f5
0x004063fa
0x004063fa
0x00406403
0x0040640b
0x0040640e
0x00000000
0x00406414
0x00406414
0x00000000
0x00406414
0x00000000
0x00406431
0x00406431
0x00406435
0x00406ce1
0x00000000
0x00406ce1
0x0040643e
0x0040644e
0x00406451
0x00406454
0x00406454
0x00406454
0x00406457
0x0040645b
0x00000000
0x00000000
0x0040645d
0x00406463
0x0040648d
0x00406493
0x0040649a
0x00000000
0x0040649a
0x00406469
0x0040646c
0x00406471
0x00406471
0x0040647c
0x00406484
0x00406487
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064cc
0x004064d2
0x004064d5
0x004064e2
0x004064ea
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x00406cf0
0x00000000
0x00406cf0
0x004064b1
0x004064bc
0x004064bc
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406bad
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064f2
0x004064f4
0x004064f7
0x00406568
0x0040656b
0x0040656e
0x00406575
0x0040657f
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x004064f9
0x004064fd
0x00406500
0x00406502
0x00406505
0x00406508
0x0040650a
0x0040650d
0x0040650f
0x00406514
0x00406517
0x0040651a
0x0040651e
0x00406525
0x00406528
0x0040652f
0x00406533
0x0040653b
0x0040653b
0x0040653b
0x00406535
0x00406535
0x00406535
0x0040652a
0x0040652a
0x0040652a
0x0040653f
0x00406542
0x00406560
0x00406562
0x00000000
0x00406544
0x00406544
0x00406547
0x0040654a
0x0040654d
0x0040654f
0x0040654f
0x0040654f
0x00406552
0x00406555
0x00406557
0x00406558
0x0040655b
0x00000000
0x0040655b
0x00000000
0x00000000
0x00000000
0x004067fb
0x004067ff
0x00406822
0x00406825
0x00406828
0x00406832
0x00406801
0x00406801
0x00406804
0x00406807
0x0040680a
0x00406817
0x0040681a
0x0040681a
0x00406b5e
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00000000
0x0040683e
0x00406842
0x00000000
0x00000000
0x00406848
0x0040684c
0x00000000
0x00000000
0x00406852
0x00406854
0x00406858
0x00406858
0x0040685b
0x0040685f
0x00000000
0x00000000
0x004068af
0x004068b3
0x004068ba
0x004068bd
0x004068c0
0x004068ca
0x00406b5e
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00406b5e
0x004068b5
0x00000000
0x00000000
0x004068d6
0x004068da
0x004068e1
0x004068e4
0x004068e7
0x004068dc
0x004068dc
0x004068dc
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f3
0x004068f6
0x004068f9
0x004068f9
0x004068fc
0x00406903
0x00406908
0x00000000
0x00000000
0x00406996
0x00406996
0x0040699a
0x00406d38
0x00000000
0x00406d38
0x004069a0
0x004069a3
0x004069a6
0x004069aa
0x004069ad
0x004069b3
0x004069b5
0x004069b5
0x004069b5
0x004069b8
0x004069bb
0x00000000
0x00000000
0x0040658b
0x0040658b
0x0040658f
0x00406cfc
0x00000000
0x00406cfc
0x00406595
0x00406598
0x0040659b
0x0040659f
0x004065a2
0x004065a8
0x004065aa
0x004065aa
0x004065aa
0x004065ad
0x004065b0
0x004065b0
0x004065b3
0x004065b6
0x00000000
0x00000000
0x004065bc
0x004065c2
0x00000000
0x00000000
0x004065c8
0x004065c8
0x004065cc
0x004065cf
0x004065d2
0x004065d5
0x004065d8
0x004065d9
0x004065dc
0x004065de
0x004065e4
0x004065e7
0x004065ea
0x004065ed
0x004065f0
0x004065f3
0x004065f6
0x00406612
0x00406615
0x00406618
0x0040661b
0x00406622
0x00406626
0x00406628
0x0040662c
0x004065f8
0x004065f8
0x004065fc
0x00406604
0x00406609
0x0040660b
0x0040660d
0x0040660d
0x0040662f
0x00406636
0x00406639
0x00000000
0x0040663f
0x00000000
0x0040663f
0x00000000
0x00406644
0x00406644
0x00406648
0x00406d08
0x00000000
0x00406d08
0x0040664e
0x00406651
0x00406654
0x00406658
0x0040665b
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x00406669
0x00406669
0x0040666f
0x00000000
0x00000000
0x00406671
0x00406674
0x00406677
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406686
0x00406689
0x0040668c
0x0040668f
0x004066a7
0x004066aa
0x004066ad
0x004066b0
0x004066b0
0x004066b3
0x004066b7
0x004066b9
0x00406691
0x00406691
0x00406699
0x0040669e
0x004066a0
0x004066a2
0x004066a2
0x004066bc
0x004066c3
0x004066c6
0x00000000
0x004066c8
0x00000000
0x004066c8
0x004066c6
0x004066cd
0x004066cd
0x004066cd
0x004066cd
0x00000000
0x00000000
0x00406708
0x00406708
0x0040670c
0x00406d14
0x00000000
0x00406d14
0x00406712
0x00406715
0x00406718
0x0040671c
0x0040671f
0x00406725
0x00406727
0x00406727
0x00406727
0x0040672a
0x0040672d
0x0040672d
0x00406733
0x004066d1
0x004066d1
0x004066d4
0x00000000
0x004066d4
0x00406735
0x00406735
0x00406738
0x0040673b
0x0040673e
0x00406741
0x00406744
0x00406747
0x0040674a
0x0040674d
0x00406750
0x00406753
0x0040676b
0x0040676e
0x00406771
0x00406774
0x00406774
0x00406777
0x0040677b
0x0040677d
0x00406755
0x00406755
0x0040675d
0x00406762
0x00406764
0x00406766
0x00406766
0x00406780
0x00406787
0x0040678a
0x00000000
0x0040678c
0x00000000
0x0040678c
0x00000000
0x00406a19
0x00406a19
0x00406a1d
0x00406d44
0x00000000
0x00406d44
0x00406a23
0x00406a26
0x00406a29
0x00406a2d
0x00406a30
0x00406a36
0x00406a38
0x00406a38
0x00406a38
0x00406a3b
0x00000000
0x00000000
0x004067e9
0x004067e9
0x004067ec
0x00406b5e
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00000000
0x00406b28
0x00406b2c
0x00406b4e
0x00406b51
0x00406b5b
0x00406b5e
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00406b5e
0x00406b2e
0x00406b31
0x00406b35
0x00406b38
0x00406b38
0x00406b3b
0x00000000
0x00000000
0x00406be5
0x00406be9
0x00406c07
0x00406c07
0x00406c07
0x00406c0e
0x00406c15
0x00406c1c
0x00406c1c
0x00000000
0x00406c1c
0x00406beb
0x00406bee
0x00406bf1
0x00406bf4
0x00406bfb
0x00406b3f
0x00406b3f
0x00406b42
0x00000000
0x00000000
0x00406cd6
0x00406cd9
0x00406bda
0x00000000
0x00000000
0x00406910
0x00406912
0x00406919
0x0040691a
0x0040691c
0x0040691f
0x00000000
0x00000000
0x00406927
0x0040692a
0x0040692d
0x0040692f
0x00406931
0x00406931
0x00406932
0x00406935
0x0040693c
0x0040693f
0x0040694d
0x00000000
0x00000000
0x00406c23
0x00406c23
0x00406c26
0x00406c2d
0x00000000
0x00000000
0x00406c32
0x00406c32
0x00406c36
0x00406d6e
0x00000000
0x00406d6e
0x00406c3c
0x00406c3f
0x00406c42
0x00406c46
0x00406c49
0x00406c4f
0x00406c51
0x00406c51
0x00406c51
0x00406c54
0x00406c57
0x00406c57
0x00406c57
0x00406c57
0x00406c5a
0x00406c5a
0x00406c5e
0x00406cbe
0x00406cc1
0x00406cc6
0x00406cc7
0x00406cc9
0x00406ccb
0x00406cce
0x00406bda
0x00406bda
0x00000000
0x00406be0
0x00406bda
0x00406c60
0x00406c66
0x00406c69
0x00406c6c
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c7b
0x00406c7e
0x00406c81
0x00406c9a
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca7
0x00406ca9
0x00406ca9
0x00406caa
0x00406cad
0x00406c83
0x00406c83
0x00406c8b
0x00406c90
0x00406c92
0x00406c95
0x00406c95
0x00406cb0
0x00406cb7
0x00000000
0x00406cb9
0x00000000
0x00406cb9
0x00000000
0x00406955
0x00406958
0x0040698e
0x00406abe
0x00406abe
0x00406abe
0x00406abe
0x00406ac1
0x00406ac1
0x00406ac4
0x00406ac6
0x00406d50
0x00000000
0x00406d50
0x00406acc
0x00406acf
0x00000000
0x00000000
0x00406ad5
0x00406ad9
0x00406adc
0x00406adc
0x00406adc
0x00000000
0x00406adc
0x0040695a
0x0040695c
0x0040695e
0x00406960
0x00406963
0x00406964
0x00406966
0x00406968
0x0040696b
0x0040696e
0x00406984
0x00406989
0x004069c1
0x004069c1
0x004069c5
0x004069f1
0x004069f3
0x004069fa
0x004069fd
0x00406a00
0x00406a00
0x00406a05
0x00406a05
0x00406a07
0x00406a0a
0x00406a11
0x00406a14
0x00406a41
0x00406a41
0x00406a44
0x00406a47
0x00406abb
0x00406abb
0x00406abb
0x00000000
0x00406abb
0x00406a49
0x00406a4f
0x00406a52
0x00406a55
0x00406a58
0x00406a5b
0x00406a5e
0x00406a61
0x00406a64
0x00406a67
0x00406a6a
0x00406a83
0x00406a85
0x00406a88
0x00406a89
0x00406a8c
0x00406a8e
0x00406a91
0x00406a93
0x00406a95
0x00406a98
0x00406a9a
0x00406a9d
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa4
0x00406aa7
0x00406aaa
0x00406a6c
0x00406a6c
0x00406a74
0x00406a79
0x00406a7b
0x00406a7e
0x00406a7e
0x00406aad
0x00406ab4
0x00406a3e
0x00406a3e
0x00406a3e
0x00406a3e
0x00000000
0x00406ab6
0x00000000
0x00406ab6
0x00406ab4
0x004069c7
0x004069ca
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d7
0x004069da
0x004069dd
0x004069dd
0x004069e0
0x004069e0
0x004069e3
0x004069ea
0x004069be
0x004069be
0x004069be
0x004069be
0x00000000
0x004069ec
0x00000000
0x004069ec
0x004069ea
0x00406970
0x00406973
0x00406975
0x00406978
0x00000000
0x00000000
0x004066d7
0x004066d7
0x004066db
0x00406d20
0x00000000
0x00406d20
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f5
0x004066f8
0x004066fb
0x004066fe
0x00406700
0x00406700
0x00406700
0x00000000
0x00000000
0x00406862
0x00406862
0x00406866
0x00406d2c
0x00000000
0x00406d2c
0x0040686c
0x0040686f
0x00406872
0x00406875
0x00406877
0x00406877
0x00406877
0x0040687a
0x0040687d
0x00406880
0x00406883
0x00406886
0x00406889
0x0040688a
0x0040688c
0x0040688c
0x0040688c
0x0040688f
0x00406892
0x00406895
0x00406898
0x00406898
0x00406898
0x0040689b
0x0040689d
0x0040689d
0x00000000
0x00000000
0x00406adf
0x00406adf
0x00406adf
0x00406ae3
0x00000000
0x00000000
0x00406ae9
0x00406aec
0x00406aef
0x00406af2
0x00406af4
0x00406af4
0x00406af4
0x00406af7
0x00406afa
0x00406afd
0x00406b00
0x00406b03
0x00406b06
0x00406b07
0x00406b09
0x00406b09
0x00406b09
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b18
0x00406b1c
0x00406b1e
0x00406b21
0x00000000
0x00406b23
0x004068a0
0x004068a0
0x00000000
0x004068a0
0x00406b21
0x00406d56
0x00000000
0x00000000
0x00406385
0x00406d8d
0x00406d8d
0x00000000
0x00406d8d
0x00406bda
0x00406b61
0x00406b5e
0x00000000
0x00406795

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d9f51867212772dee741ab9c18754d56a3a41be47b7569f38bf25e23bbafc0
Instruction ID: 4cad12e65499f98a1e9a29a7deb55be6e12762dba8a3afdeca5477d8d2c46e15
Opcode Fuzzy Hash: 18d9f51867212772dee741ab9c18754d56a3a41be47b7569f38bf25e23bbafc0
Instruction Fuzzy Hash: EC71F171E00228DBDF24CF98C844BADBBB1FF48305F15806AD856BB281D7789A96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004068AF Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004068AF() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00406D95))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004068af
0x004068af
0x004068b3
0x004068c0
0x004068ca
0x00000000
0x004068b5
0x004068b5
0x004068f0
0x004068f3
0x004068f6
0x004068f9
0x004068f9
0x004068fc
0x00406903
0x00406908
0x004067e9
0x004067ec
0x00406b5e
0x00406b5e
0x00406b5e
0x00406b61
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406bad
0x00000000
0x00000000
0x00406baf
0x00406bb3
0x00406d62
0x00406d78
0x00406d80
0x00406d87
0x00406d89
0x00406d90
0x00406d94
0x00406d94
0x00406bbf
0x00406bc6
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd4
0x00406bda
0x00406bda
0x00406376
0x00406376
0x00406376
0x0040637f
0x00000000
0x00000000
0x00406385
0x00000000
0x00406390
0x00000000
0x00000000
0x00406399
0x0040639c
0x0040639f
0x004063a3
0x00000000
0x00000000
0x004063a9
0x004063ac
0x004063ae
0x004063af
0x004063b2
0x004063b4
0x004063b5
0x004063b7
0x004063ba
0x004063bf
0x004063c4
0x004063cd
0x004063e0
0x004063e3
0x004063ef
0x00406417
0x00406419
0x00406427
0x00406427
0x0040642b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040641b
0x0040641b
0x0040641e
0x0040641f
0x0040641f
0x00000000
0x0040641b
0x004063f5
0x004063fa
0x004063fa
0x00406403
0x0040640b
0x0040640e
0x00000000
0x00406414
0x00406414
0x00000000
0x00406414
0x00000000
0x00406431
0x00406431
0x00406435
0x00406ce1
0x00000000
0x00406ce1
0x0040643e
0x0040644e
0x00406451
0x00406454
0x00406454
0x00406454
0x00406457
0x0040645b
0x00000000
0x00000000
0x0040645d
0x00406463
0x0040648d
0x00406493
0x0040649a
0x00000000
0x0040649a
0x00406469
0x0040646c
0x00406471
0x00406471
0x0040647c
0x00406484
0x00406487
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064cc
0x004064d2
0x004064d5
0x004064e2
0x004064ea
0x00406b5e
0x00406b5e
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x00406cf0
0x00000000
0x00406cf0
0x004064b1
0x004064bc
0x004064bc
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406bad
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064f2
0x004064f4
0x004064f7
0x00406568
0x0040656b
0x0040656e
0x00406575
0x0040657f
0x00406b5e
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00406b5e
0x004064f9
0x004064fd
0x00406500
0x00406502
0x00406505
0x00406508
0x0040650a
0x0040650d
0x0040650f
0x00406514
0x00406517
0x0040651a
0x0040651e
0x00406525
0x00406528
0x0040652f
0x00406533
0x0040653b
0x0040653b
0x0040653b
0x00406535
0x00406535
0x00406535
0x0040652a
0x0040652a
0x0040652a
0x0040653f
0x00406542
0x00406560
0x00406562
0x00000000
0x00406544
0x00406544
0x00406547
0x0040654a
0x0040654d
0x0040654f
0x0040654f
0x0040654f
0x00406552
0x00406555
0x00406557
0x00406558
0x0040655b
0x00000000
0x0040655b
0x00000000
0x00406791
0x00406795
0x004067b3
0x004067b6
0x004067bd
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067ce
0x004067d5
0x004067d6
0x004067d8
0x004067db
0x004067de
0x004067e1
0x004067e1
0x004067e6
0x00000000
0x004067e6
0x00406797
0x0040679a
0x0040679d
0x004067a7
0x00406b5e
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00000000
0x004067fb
0x004067ff
0x00406822
0x00406825
0x00406828
0x00406832
0x00406801
0x00406801
0x00406804
0x00406807
0x0040680a
0x00406817
0x0040681a
0x0040681a
0x00406b5e
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00000000
0x0040683e
0x00406842
0x00000000
0x00000000
0x00406848
0x0040684c
0x00000000
0x00000000
0x00406852
0x00406854
0x00406858
0x00406858
0x0040685b
0x0040685f
0x00000000
0x00000000
0x00000000
0x00000000
0x004068d6
0x004068da
0x004068e1
0x004068e4
0x004068e7
0x004068dc
0x004068dc
0x004068dc
0x004068ea
0x004068ed
0x00000000
0x00000000
0x00406996
0x00406996
0x0040699a
0x00406d38
0x00000000
0x00406d38
0x004069a0
0x004069a3
0x004069a6
0x004069aa
0x004069ad
0x004069b3
0x004069b5
0x004069b5
0x004069b5
0x004069b8
0x004069bb
0x00000000
0x00000000
0x0040658b
0x0040658b
0x0040658f
0x00406cfc
0x00000000
0x00406cfc
0x00406595
0x00406598
0x0040659b
0x0040659f
0x004065a2
0x004065a8
0x004065aa
0x004065aa
0x004065aa
0x004065ad
0x004065b0
0x004065b0
0x004065b3
0x004065b6
0x00000000
0x00000000
0x004065bc
0x004065c2
0x00000000
0x00000000
0x004065c8
0x004065c8
0x004065cc
0x004065cf
0x004065d2
0x004065d5
0x004065d8
0x004065d9
0x004065dc
0x004065de
0x004065e4
0x004065e7
0x004065ea
0x004065ed
0x004065f0
0x004065f3
0x004065f6
0x00406612
0x00406615
0x00406618
0x0040661b
0x00406622
0x00406626
0x00406628
0x0040662c
0x004065f8
0x004065f8
0x004065fc
0x00406604
0x00406609
0x0040660b
0x0040660d
0x0040660d
0x0040662f
0x00406636
0x00406639
0x00000000
0x0040663f
0x00000000
0x0040663f
0x00000000
0x00406644
0x00406644
0x00406648
0x00406d08
0x00000000
0x00406d08
0x0040664e
0x00406651
0x00406654
0x00406658
0x0040665b
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x00406669
0x00406669
0x0040666f
0x00000000
0x00000000
0x00406671
0x00406674
0x00406677
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406686
0x00406689
0x0040668c
0x0040668f
0x004066a7
0x004066aa
0x004066ad
0x004066b0
0x004066b0
0x004066b3
0x004066b7
0x004066b9
0x00406691
0x00406691
0x00406699
0x0040669e
0x004066a0
0x004066a2
0x004066a2
0x004066bc
0x004066c3
0x004066c6
0x00000000
0x004066c8
0x00000000
0x004066c8
0x004066c6
0x004066cd
0x004066cd
0x004066cd
0x004066cd
0x00000000
0x00000000
0x00406708
0x00406708
0x0040670c
0x00406d14
0x00000000
0x00406d14
0x00406712
0x00406715
0x00406718
0x0040671c
0x0040671f
0x00406725
0x00406727
0x00406727
0x00406727
0x0040672a
0x0040672d
0x0040672d
0x00406733
0x004066d1
0x004066d1
0x004066d4
0x00000000
0x004066d4
0x00406735
0x00406735
0x00406738
0x0040673b
0x0040673e
0x00406741
0x00406744
0x00406747
0x0040674a
0x0040674d
0x00406750
0x00406753
0x0040676b
0x0040676e
0x00406771
0x00406774
0x00406774
0x00406777
0x0040677b
0x0040677d
0x00406755
0x00406755
0x0040675d
0x00406762
0x00406764
0x00406766
0x00406766
0x00406780
0x00406787
0x0040678a
0x00000000
0x0040678c
0x00000000
0x0040678c
0x00000000
0x00406a19
0x00406a19
0x00406a1d
0x00406d44
0x00000000
0x00406d44
0x00406a23
0x00406a26
0x00406a29
0x00406a2d
0x00406a30
0x00406a36
0x00406a38
0x00406a38
0x00406a38
0x00406a3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b28
0x00406b2c
0x00406b4e
0x00406b51
0x00406b5b
0x00406b5e
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00406b5e
0x00406b2e
0x00406b31
0x00406b35
0x00406b38
0x00406b38
0x00406b3b
0x00000000
0x00000000
0x00406be5
0x00406be9
0x00406c07
0x00406c07
0x00406c07
0x00406c0e
0x00406c15
0x00406c1c
0x00406c1c
0x00000000
0x00406c1c
0x00406beb
0x00406bee
0x00406bf1
0x00406bf4
0x00406bfb
0x00406b3f
0x00406b3f
0x00406b42
0x00000000
0x00000000
0x00406cd6
0x00406cd9
0x00406bda
0x00000000
0x00000000
0x00406910
0x00406912
0x00406919
0x0040691a
0x0040691c
0x0040691f
0x00000000
0x00000000
0x00406927
0x0040692a
0x0040692d
0x0040692f
0x00406931
0x00406931
0x00406932
0x00406935
0x0040693c
0x0040693f
0x0040694d
0x00000000
0x00000000
0x00406c23
0x00406c23
0x00406c26
0x00406c2d
0x00000000
0x00000000
0x00406c32
0x00406c32
0x00406c36
0x00406d6e
0x00000000
0x00406d6e
0x00406c3c
0x00406c3f
0x00406c42
0x00406c46
0x00406c49
0x00406c4f
0x00406c51
0x00406c51
0x00406c51
0x00406c54
0x00406c57
0x00406c57
0x00406c57
0x00406c57
0x00406c5a
0x00406c5a
0x00406c5e
0x00406cbe
0x00406cc1
0x00406cc6
0x00406cc7
0x00406cc9
0x00406ccb
0x00406cce
0x00406bda
0x00406bda
0x00000000
0x00406be0
0x00406bda
0x00406c60
0x00406c66
0x00406c69
0x00406c6c
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c7b
0x00406c7e
0x00406c81
0x00406c9a
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca7
0x00406ca9
0x00406ca9
0x00406caa
0x00406cad
0x00406c83
0x00406c83
0x00406c8b
0x00406c90
0x00406c92
0x00406c95
0x00406c95
0x00406cb0
0x00406cb7
0x00000000
0x00406cb9
0x00000000
0x00406cb9
0x00000000
0x00406955
0x00406958
0x0040698e
0x00406abe
0x00406abe
0x00406abe
0x00406abe
0x00406ac1
0x00406ac1
0x00406ac4
0x00406ac6
0x00406d50
0x00000000
0x00406d50
0x00406acc
0x00406acf
0x00000000
0x00000000
0x00406ad5
0x00406ad9
0x00406adc
0x00406adc
0x00406adc
0x00000000
0x00406adc
0x0040695a
0x0040695c
0x0040695e
0x00406960
0x00406963
0x00406964
0x00406966
0x00406968
0x0040696b
0x0040696e
0x00406984
0x00406989
0x004069c1
0x004069c1
0x004069c5
0x004069f1
0x004069f3
0x004069fa
0x004069fd
0x00406a00
0x00406a00
0x00406a05
0x00406a05
0x00406a07
0x00406a0a
0x00406a11
0x00406a14
0x00406a41
0x00406a41
0x00406a44
0x00406a47
0x00406abb
0x00406abb
0x00406abb
0x00000000
0x00406abb
0x00406a49
0x00406a4f
0x00406a52
0x00406a55
0x00406a58
0x00406a5b
0x00406a5e
0x00406a61
0x00406a64
0x00406a67
0x00406a6a
0x00406a83
0x00406a85
0x00406a88
0x00406a89
0x00406a8c
0x00406a8e
0x00406a91
0x00406a93
0x00406a95
0x00406a98
0x00406a9a
0x00406a9d
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa4
0x00406aa7
0x00406aaa
0x00406a6c
0x00406a6c
0x00406a74
0x00406a79
0x00406a7b
0x00406a7e
0x00406a7e
0x00406aad
0x00406ab4
0x00406a3e
0x00406a3e
0x00406a3e
0x00406a3e
0x00000000
0x00406ab6
0x00000000
0x00406ab6
0x00406ab4
0x004069c7
0x004069ca
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d7
0x004069da
0x004069dd
0x004069dd
0x004069e0
0x004069e0
0x004069e3
0x004069ea
0x004069be
0x004069be
0x004069be
0x004069be
0x00000000
0x004069ec
0x00000000
0x004069ec
0x004069ea
0x00406970
0x00406973
0x00406975
0x00406978
0x00000000
0x00000000
0x004066d7
0x004066d7
0x004066db
0x00406d20
0x00000000
0x00406d20
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f5
0x004066f8
0x004066fb
0x004066fe
0x00406700
0x00406700
0x00406700
0x00000000
0x00000000
0x00406862
0x00406862
0x00406866
0x00406d2c
0x00000000
0x00406d2c
0x0040686c
0x0040686f
0x00406872
0x00406875
0x00406877
0x00406877
0x00406877
0x0040687a
0x0040687d
0x00406880
0x00406883
0x00406886
0x00406889
0x0040688a
0x0040688c
0x0040688c
0x0040688c
0x0040688f
0x00406892
0x00406895
0x00406898
0x00406898
0x00406898
0x0040689b
0x0040689d
0x0040689d
0x00000000
0x00000000
0x00406adf
0x00406adf
0x00406adf
0x00406ae3
0x00000000
0x00000000
0x00406ae9
0x00406aec
0x00406aef
0x00406af2
0x00406af4
0x00406af4
0x00406af4
0x00406af7
0x00406afa
0x00406afd
0x00406b00
0x00406b03
0x00406b06
0x00406b07
0x00406b09
0x00406b09
0x00406b09
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b18
0x00406b1c
0x00406b1e
0x00406b21
0x00000000
0x00406b23
0x004068a0
0x004068a0
0x00000000
0x004068a0
0x00406b21
0x00406d56
0x00000000
0x00000000
0x00406385
0x00406d8d
0x00406d8d
0x00000000
0x00406d8d
0x00406bda
0x00406b61
0x00406b5e
0x00000000
0x004068b3

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafc4ef3cf5fc15c77afc2c3035f81c90f672b18eaa7a72c9fa3cfe729f71c07
Instruction ID: 6e97a9b2b3f34bbdfba53a0547d40dc4a7f1d3480b40024671b6a3b54fbfd1b0
Opcode Fuzzy Hash: cafc4ef3cf5fc15c77afc2c3035f81c90f672b18eaa7a72c9fa3cfe729f71c07
Instruction Fuzzy Hash: 54711271E00228DBDF28CF98C844BADBBB1FF44305F15806AD856BB291C7785A96DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004067FB Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004067FB() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406D95))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x004067fb
0x004067fb
0x004067ff
0x00406828
0x00406832
0x00406801
0x0040680a
0x00406817
0x0040681a
0x00406b5e
0x00406b5e
0x00406b61
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406bad
0x00000000
0x00000000
0x00406baf
0x00406bb3
0x00406d62
0x00406d78
0x00406d80
0x00406d87
0x00406d89
0x00406d90
0x00406d94
0x00406d94
0x00406bbf
0x00406bc6
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd4
0x00406bda
0x00406bda
0x00406376
0x00406376
0x00406376
0x0040637f
0x00000000
0x00000000
0x00406385
0x00000000
0x00406390
0x00000000
0x00000000
0x00406399
0x0040639c
0x0040639f
0x004063a3
0x00000000
0x00000000
0x004063a9
0x004063ac
0x004063ae
0x004063af
0x004063b2
0x004063b4
0x004063b5
0x004063b7
0x004063ba
0x004063bf
0x004063c4
0x004063cd
0x004063e0
0x004063e3
0x004063ef
0x00406417
0x00406419
0x00406427
0x00406427
0x0040642b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040641b
0x0040641b
0x0040641e
0x0040641f
0x0040641f
0x00000000
0x0040641b
0x004063f5
0x004063fa
0x004063fa
0x00406403
0x0040640b
0x0040640e
0x00000000
0x00406414
0x00406414
0x00000000
0x00406414
0x00000000
0x00406431
0x00406431
0x00406435
0x00406ce1
0x00000000
0x00406ce1
0x0040643e
0x0040644e
0x00406451
0x00406454
0x00406454
0x00406454
0x00406457
0x0040645b
0x00000000
0x00000000
0x0040645d
0x00406463
0x0040648d
0x00406493
0x0040649a
0x00000000
0x0040649a
0x00406469
0x0040646c
0x00406471
0x00406471
0x0040647c
0x00406484
0x00406487
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064cc
0x004064d2
0x004064d5
0x004064e2
0x004064ea
0x00406b5e
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x00406cf0
0x00000000
0x00406cf0
0x004064b1
0x004064bc
0x004064bc
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b61
0x00406b61
0x00406b67
0x00406b6d
0x00406b73
0x00406b8d
0x00406b90
0x00406b96
0x00406ba1
0x00406ba3
0x00406b75
0x00406b75
0x00406b84
0x00406b88
0x00406b88
0x00406bad
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064f2
0x004064f4
0x004064f7
0x00406568
0x0040656b
0x0040656e
0x00406575
0x0040657f
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00406b5e
0x004064f9
0x004064fd
0x00406500
0x00406502
0x00406505
0x00406508
0x0040650a
0x0040650d
0x0040650f
0x00406514
0x00406517
0x0040651a
0x0040651e
0x00406525
0x00406528
0x0040652f
0x00406533
0x0040653b
0x0040653b
0x0040653b
0x00406535
0x00406535
0x00406535
0x0040652a
0x0040652a
0x0040652a
0x0040653f
0x00406542
0x00406560
0x00406562
0x00000000
0x00406544
0x00406544
0x00406547
0x0040654a
0x0040654d
0x0040654f
0x0040654f
0x0040654f
0x00406552
0x00406555
0x00406557
0x00406558
0x0040655b
0x00000000
0x0040655b
0x00000000
0x00406791
0x00406795
0x004067b3
0x004067b6
0x004067bd
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067ce
0x004067d5
0x004067d6
0x004067d8
0x004067db
0x004067de
0x004067e1
0x004067e1
0x004067e6
0x00000000
0x004067e6
0x00406797
0x0040679a
0x0040679d
0x004067a7
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00000000
0x00000000
0x00000000
0x0040683e
0x00406842
0x00000000
0x00000000
0x00406848
0x0040684c
0x00000000
0x00000000
0x00406852
0x00406854
0x00406858
0x00406858
0x0040685b
0x0040685f
0x00000000
0x00000000
0x004068af
0x004068b3
0x004068ba
0x004068bd
0x004068c0
0x004068ca
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00406b5e
0x004068b5
0x00000000
0x00000000
0x004068d6
0x004068da
0x004068e1
0x004068e4
0x004068e7
0x004068dc
0x004068dc
0x004068dc
0x004068ea
0x004068ed
0x004068f0
0x004068f0
0x004068f3
0x004068f6
0x004068f9
0x004068f9
0x004068fc
0x00406903
0x00406908
0x00000000
0x00000000
0x00406996
0x00406996
0x0040699a
0x00406d38
0x00000000
0x00406d38
0x004069a0
0x004069a3
0x004069a6
0x004069aa
0x004069ad
0x004069b3
0x004069b5
0x004069b5
0x004069b5
0x004069b8
0x004069bb
0x00000000
0x00000000
0x0040658b
0x0040658b
0x0040658f
0x00406cfc
0x00000000
0x00406cfc
0x00406595
0x00406598
0x0040659b
0x0040659f
0x004065a2
0x004065a8
0x004065aa
0x004065aa
0x004065aa
0x004065ad
0x004065b0
0x004065b0
0x004065b3
0x004065b6
0x00000000
0x00000000
0x004065bc
0x004065c2
0x00000000
0x00000000
0x004065c8
0x004065c8
0x004065cc
0x004065cf
0x004065d2
0x004065d5
0x004065d8
0x004065d9
0x004065dc
0x004065de
0x004065e4
0x004065e7
0x004065ea
0x004065ed
0x004065f0
0x004065f3
0x004065f6
0x00406612
0x00406615
0x00406618
0x0040661b
0x00406622
0x00406626
0x00406628
0x0040662c
0x004065f8
0x004065f8
0x004065fc
0x00406604
0x00406609
0x0040660b
0x0040660d
0x0040660d
0x0040662f
0x00406636
0x00406639
0x00000000
0x0040663f
0x00000000
0x0040663f
0x00000000
0x00406644
0x00406644
0x00406648
0x00406d08
0x00000000
0x00406d08
0x0040664e
0x00406651
0x00406654
0x00406658
0x0040665b
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x00406669
0x00406669
0x0040666f
0x00000000
0x00000000
0x00406671
0x00406674
0x00406677
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406686
0x00406689
0x0040668c
0x0040668f
0x004066a7
0x004066aa
0x004066ad
0x004066b0
0x004066b0
0x004066b3
0x004066b7
0x004066b9
0x00406691
0x00406691
0x00406699
0x0040669e
0x004066a0
0x004066a2
0x004066a2
0x004066bc
0x004066c3
0x004066c6
0x00000000
0x004066c8
0x00000000
0x004066c8
0x004066c6
0x004066cd
0x004066cd
0x004066cd
0x004066cd
0x00000000
0x00000000
0x00406708
0x00406708
0x0040670c
0x00406d14
0x00000000
0x00406d14
0x00406712
0x00406715
0x00406718
0x0040671c
0x0040671f
0x00406725
0x00406727
0x00406727
0x00406727
0x0040672a
0x0040672d
0x0040672d
0x00406733
0x004066d1
0x004066d1
0x004066d4
0x00000000
0x004066d4
0x00406735
0x00406735
0x00406738
0x0040673b
0x0040673e
0x00406741
0x00406744
0x00406747
0x0040674a
0x0040674d
0x00406750
0x00406753
0x0040676b
0x0040676e
0x00406771
0x00406774
0x00406774
0x00406777
0x0040677b
0x0040677d
0x00406755
0x00406755
0x0040675d
0x00406762
0x00406764
0x00406766
0x00406766
0x00406780
0x00406787
0x0040678a
0x00000000
0x0040678c
0x00000000
0x0040678c
0x00000000
0x00406a19
0x00406a19
0x00406a1d
0x00406d44
0x00000000
0x00406d44
0x00406a23
0x00406a26
0x00406a29
0x00406a2d
0x00406a30
0x00406a36
0x00406a38
0x00406a38
0x00406a38
0x00406a3b
0x00000000
0x00000000
0x004067e9
0x004067e9
0x004067ec
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00000000
0x00406b28
0x00406b2c
0x00406b4e
0x00406b51
0x00406b5b
0x00406b5e
0x00406b5e
0x00000000
0x00406b5e
0x00406b5e
0x00406b2e
0x00406b31
0x00406b35
0x00406b38
0x00406b38
0x00406b3b
0x00000000
0x00000000
0x00406be5
0x00406be9
0x00406c07
0x00406c07
0x00406c07
0x00406c0e
0x00406c15
0x00406c1c
0x00406c1c
0x00000000
0x00406c1c
0x00406beb
0x00406bee
0x00406bf1
0x00406bf4
0x00406bfb
0x00406b3f
0x00406b3f
0x00406b42
0x00000000
0x00000000
0x00406cd6
0x00406cd9
0x00406bda
0x00000000
0x00000000
0x00406910
0x00406912
0x00406919
0x0040691a
0x0040691c
0x0040691f
0x00000000
0x00000000
0x00406927
0x0040692a
0x0040692d
0x0040692f
0x00406931
0x00406931
0x00406932
0x00406935
0x0040693c
0x0040693f
0x0040694d
0x00000000
0x00000000
0x00406c23
0x00406c23
0x00406c26
0x00406c2d
0x00000000
0x00000000
0x00406c32
0x00406c32
0x00406c36
0x00406d6e
0x00000000
0x00406d6e
0x00406c3c
0x00406c3f
0x00406c42
0x00406c46
0x00406c49
0x00406c4f
0x00406c51
0x00406c51
0x00406c51
0x00406c54
0x00406c57
0x00406c57
0x00406c57
0x00406c57
0x00406c5a
0x00406c5a
0x00406c5e
0x00406cbe
0x00406cc1
0x00406cc6
0x00406cc7
0x00406cc9
0x00406ccb
0x00406cce
0x00406bda
0x00406bda
0x00000000
0x00406be0
0x00406bda
0x00406c60
0x00406c66
0x00406c69
0x00406c6c
0x00406c6f
0x00406c72
0x00406c75
0x00406c78
0x00406c7b
0x00406c7e
0x00406c81
0x00406c9a
0x00406c9d
0x00406ca0
0x00406ca3
0x00406ca7
0x00406ca9
0x00406ca9
0x00406caa
0x00406cad
0x00406c83
0x00406c83
0x00406c8b
0x00406c90
0x00406c92
0x00406c95
0x00406c95
0x00406cb0
0x00406cb7
0x00000000
0x00406cb9
0x00000000
0x00406cb9
0x00000000
0x00406955
0x00406958
0x0040698e
0x00406abe
0x00406abe
0x00406abe
0x00406abe
0x00406ac1
0x00406ac1
0x00406ac4
0x00406ac6
0x00406d50
0x00000000
0x00406d50
0x00406acc
0x00406acf
0x00000000
0x00000000
0x00406ad5
0x00406ad9
0x00406adc
0x00406adc
0x00406adc
0x00000000
0x00406adc
0x0040695a
0x0040695c
0x0040695e
0x00406960
0x00406963
0x00406964
0x00406966
0x00406968
0x0040696b
0x0040696e
0x00406984
0x00406989
0x004069c1
0x004069c1
0x004069c5
0x004069f1
0x004069f3
0x004069fa
0x004069fd
0x00406a00
0x00406a00
0x00406a05
0x00406a05
0x00406a07
0x00406a0a
0x00406a11
0x00406a14
0x00406a41
0x00406a41
0x00406a44
0x00406a47
0x00406abb
0x00406abb
0x00406abb
0x00000000
0x00406abb
0x00406a49
0x00406a4f
0x00406a52
0x00406a55
0x00406a58
0x00406a5b
0x00406a5e
0x00406a61
0x00406a64
0x00406a67
0x00406a6a
0x00406a83
0x00406a85
0x00406a88
0x00406a89
0x00406a8c
0x00406a8e
0x00406a91
0x00406a93
0x00406a95
0x00406a98
0x00406a9a
0x00406a9d
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa4
0x00406aa7
0x00406aaa
0x00406a6c
0x00406a6c
0x00406a74
0x00406a79
0x00406a7b
0x00406a7e
0x00406a7e
0x00406aad
0x00406ab4
0x00406a3e
0x00406a3e
0x00406a3e
0x00406a3e
0x00000000
0x00406ab6
0x00000000
0x00406ab6
0x00406ab4
0x004069c7
0x004069ca
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d7
0x004069da
0x004069dd
0x004069dd
0x004069e0
0x004069e0
0x004069e3
0x004069ea
0x004069be
0x004069be
0x004069be
0x004069be
0x00000000
0x004069ec
0x00000000
0x004069ec
0x004069ea
0x00406970
0x00406973
0x00406975
0x00406978
0x00000000
0x00000000
0x004066d7
0x004066d7
0x004066db
0x00406d20
0x00000000
0x00406d20
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f5
0x004066f8
0x004066fb
0x004066fe
0x00406700
0x00406700
0x00406700
0x00000000
0x00000000
0x00406862
0x00406862
0x00406866
0x00406d2c
0x00000000
0x00406d2c
0x0040686c
0x0040686f
0x00406872
0x00406875
0x00406877
0x00406877
0x00406877
0x0040687a
0x0040687d
0x00406880
0x00406883
0x00406886
0x00406889
0x0040688a
0x0040688c
0x0040688c
0x0040688c
0x0040688f
0x00406892
0x00406895
0x00406898
0x00406898
0x00406898
0x0040689b
0x0040689d
0x0040689d
0x00000000
0x00000000
0x00406adf
0x00406adf
0x00406adf
0x00406ae3
0x00000000
0x00000000
0x00406ae9
0x00406aec
0x00406aef
0x00406af2
0x00406af4
0x00406af4
0x00406af4
0x00406af7
0x00406afa
0x00406afd
0x00406b00
0x00406b03
0x00406b06
0x00406b07
0x00406b09
0x00406b09
0x00406b09
0x00406b0c
0x00406b0f
0x00406b12
0x00406b15
0x00406b18
0x00406b1c
0x00406b1e
0x00406b21
0x00000000
0x00406b23
0x004068a0
0x004068a0
0x00000000
0x004068a0
0x00406b21
0x00406d56
0x00000000
0x00000000
0x00406385
0x00406d8d
0x00406d8d
0x00000000
0x00406d8d
0x00406bda
0x00406b61
0x00406b5e

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4242d614f798f8792a53f50a84438554c8f1d45208bf26f69370823527229637
Instruction ID: db63df4c9dc921a153734d9da3eb9da28a2dd5735414477bd0938ed33ee91274
Opcode Fuzzy Hash: 4242d614f798f8792a53f50a84438554c8f1d45208bf26f69370823527229637
Instruction Fuzzy Hash: EF710271E00228DBDF28CF98C844BADBBB1FF44305F15816AD856BB291C778AA56DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401F98 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401F98(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				void* _t34;
				WCHAR* _t37;
				intOrPtr* _t38;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x429298");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x429268 =  *0x429268 +  *(_t39 - 4);
					return 0;
				}
				_t37 = E00402AD0(0xfffffff0);
				 *((intOrPtr*)(_t39 - 8)) = E00402AD0(1);
				if( *((intOrPtr*)(_t39 - 0x1c)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t38 = E00406273( *(_t39 + 8),  *((intOrPtr*)(_t39 - 8)));
					if(_t38 == _t32) {
						E00405151(0xfffffff7,  *((intOrPtr*)(_t39 - 8)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x24)) == _t32) {
							 *_t38( *((intOrPtr*)(_t39 - 0x38)), 0x400, _t34, 0x40bd84, 0x409000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x24)));
							if( *_t38() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x20)) == _t32 && E00403811( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t37); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f98
0x00401f98
0x00401f9d
0x00401fa4
0x00402063
0x00402190
0x00402190
0x0040295d
0x00402960
0x0040296c
0x0040296c
0x00401fb3
0x00401fbd
0x00401fc0
0x00401fd0
0x00401fd4
0x00401fdc
0x00401fdf
0x0040205c
0x00000000
0x0040205c
0x00401fe1
0x00401fec
0x00401ff0
0x00402030
0x00401ff2
0x00401ff5
0x00401ff8
0x00402024
0x00401ffa
0x00401ffd
0x00402006
0x00402008
0x00402008
0x00402006
0x00401ff8
0x00402038
0x00402051
0x00402051
0x00000000
0x00402038
0x00401fc3
0x00401fcb
0x00401fce
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FC3

Part of subcall function 00405151: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000,?), ref: 00405189
Part of subcall function 00405151: lstrlenW.KERNEL32(00402D2A,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000), ref: 00405199
Part of subcall function 00405151: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00402D2A), ref: 004051AC
Part of subcall function 00405151: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll), ref: 004051BE
Part of subcall function 00405151: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004051E4
Part of subcall function 00405151: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004051FE
Part of subcall function 00405151: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040520C

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 198544ad47867a311c9ab2942c2caf960d6e417475cb7c23a9b1d35d39bc63e9
Instruction ID: c0d393f31030898aff1d6f59a53140140d7d4386e7892ffc40c090e5086dd3b2
Opcode Fuzzy Hash: 198544ad47867a311c9ab2942c2caf960d6e417475cb7c23a9b1d35d39bc63e9
Instruction Fuzzy Hash: A6218331A04215E7CF20AFA5CE48A9E7EB0AB05354F60417BF611B52E0D7B98D82DB6D

Uniqueness

Uniqueness Score: -1.00%

Function 10002739 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
					 *0x1000405c = 0xc2;
					 *0x1000404c = 0;
					 *0x10004054 = 0;
					 *0x10004068 = 0;
					 *0x10004058 = 0;
					 *0x10004050 = 0;
					 *0x10004060 = 0;
					 *0x1000405e = 0;
				}
				return 1;
			}

0x10002742
0x10002747
0x10002757
0x1000275f
0x10002766
0x1000276b
0x10002770
0x10002775
0x1000277a
0x1000277f
0x10002784
0x10002784
0x1000278c

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 10002757

Strings

`gqt@Mqt, xrefs: 10002757

Memory Dump Source

Source File: 00000000.00000002.844683287.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.844674032.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844702593.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844712082.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: ProtectVirtual
String ID: `gqt@Mqt
API String ID: 544645111-3052285678
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: e6ccb02edab80a880d7c03d4c74031de7c2ff58f49d21229ec1755338f0ba737
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 7DF09BF19497A1DEF350DF688C847063BE0E3883C4B03852AE3A8E6268EB344048CF19

Uniqueness

Uniqueness Score: -1.00%

Function 004023DE Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004023DE(int* __ebx, char* __esi) {
				void* _t17;
				short* _t18;
				long _t21;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402BDA(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402AD0(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 8) = 0x800;
					_t21 = RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 8); // executed
					if(_t21 != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x1c) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x1c) == __ebx;
							E00405DE4(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x1c);
								_t35[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33);
					RegCloseKey();
				}
				 *0x429268 =  *0x429268 +  *(_t37 - 4);
				return 0;
			}

0x004023de
0x004023de
0x004023e3
0x004023ea
0x004023ec
0x004023f3
0x004023f6
0x00402729
0x004023fc
0x004023ff
0x0040240f
0x0040241a
0x0040244a
0x0040244a
0x0040244d
0x0040241c
0x00402420
0x00402439
0x00402440
0x00402443
0x00402422
0x00402425
0x00402430
0x004024a2
0x00000000
0x00000000
0x00000000
0x00402425
0x00402420
0x004024a9
0x004024aa
0x004024aa
0x00402960
0x0040296c

APIs

Part of subcall function 00402BDA: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02

RegQueryValueExW.KERNELBASE(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 0040240F
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsoF960.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ac3cabf19bc2b5dbe9b8c3b2bc839ced7fca6a3ad99872c4f02e0b16d3e02c83
Instruction ID: b5eb31ee48971b42b3d66096dbe1d90abbbb53f3ec8c1c4e10c5490098569425
Opcode Fuzzy Hash: ac3cabf19bc2b5dbe9b8c3b2bc839ced7fca6a3ad99872c4f02e0b16d3e02c83
Instruction Fuzzy Hash: 5411A371A10205EADB14DFA0D6585AE77B4EF04354F20843FE042A72D0D2B85A82DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4, struct HWND__* _a11) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x429210;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a11 != 0) {
						 *0x4281cc =  *0x4281cc + _t12;
						SendMessageW(_a11, 0x402, MulDiv( *0x4281cc, 0x7530,  *0x4281b4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D

Uniqueness

Uniqueness Score: -1.00%

Function 004022D3 Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004022D3(void* __ebx) {
				short* _t6;
				long _t8;
				void* _t11;
				void* _t15;
				long _t19;
				void* _t22;
				void* _t23;

				_t15 = __ebx;
				_t26 =  *(_t23 - 0x1c) - __ebx;
				if( *(_t23 - 0x1c) != __ebx) {
					_t6 = E00402AD0(0x22);
					_t18 =  *(_t23 - 0x1c) & 0x00000002;
					__eflags =  *(_t23 - 0x1c) & 0x00000002;
					_t8 = E00402B10(E00402BC5( *((intOrPtr*)(_t23 - 0x28))), _t6, _t18); // executed
					_t19 = _t8;
					goto L4;
				} else {
					_t11 = E00402BDA(_t26, 2); // executed
					_t22 = _t11;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t19 = RegDeleteValueW(_t22, E00402AD0(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t19 != _t15) {
							goto L6;
						}
					}
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x004022d3
0x004022d3
0x004022d6
0x00402305
0x0040230d
0x0040230d
0x0040231b
0x00402320
0x00000000
0x004022d8
0x004022da
0x004022df
0x004022e3
0x00402729
0x00402729
0x004022e9
0x004022f9
0x004022fb
0x00402322
0x00402324
0x00000000
0x0040232a
0x00402324
0x004022e3
0x00402960
0x0040296c

APIs

Part of subcall function 00402BDA: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F2
RegCloseKey.ADVAPI32(00000000), ref: 004022FB

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 3367a97905ac59631619e64cd750ebe518f2392d3f071ded011822ca1f7ee9d3
Instruction ID: 6ade20f596bc286d2584c3cfef10a7c145a3b458b75cbe70d33d3f280513cc25
Opcode Fuzzy Hash: 3367a97905ac59631619e64cd750ebe518f2392d3f071ded011822ca1f7ee9d3
Instruction Fuzzy Hash: 5BF0AF72A00111EBD711BBA09A4EAAE7268DB00354F14443BF202B71C0D9FC6D428B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040156B Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040156B(void* __ebx) {
				int _t4;
				void* _t9;
				struct HWND__* _t11;
				struct HWND__* _t12;
				void* _t16;

				_t9 = __ebx;
				_t11 =  *0x4281b0;
				if(_t11 != __ebx) {
					ShowWindow(_t11,  *(_t16 - 0x28)); // executed
					_t4 =  *(_t16 - 0x2c);
				}
				_t12 =  *0x4281c4;
				if(_t12 != _t9) {
					ShowWindow(_t12, _t4); // executed
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x0040156b
0x0040156b
0x00401579
0x0040157f
0x00401581
0x00401581
0x00401584
0x0040158c
0x00401594
0x00401594
0x00402960
0x0040296c

APIs

ShowWindow.USER32(?,?), ref: 0040157F
ShowWindow.USER32(?), ref: 00401594

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7f13c2d660488b150bce259c7fc5f4face56bd1cddc635c539c94eb460d3dec0
Instruction ID: 80e76f6a688c62747686e25d0ca61306c2f631b5b0eee649f6067f2527668ce1
Opcode Fuzzy Hash: 7f13c2d660488b150bce259c7fc5f4face56bd1cddc635c539c94eb460d3dec0
Instruction Fuzzy Hash: 43E08672B04115DBCB24DBA8ED908BD77A5EB44310754447FE902B32D0C6759C12CF38

Uniqueness

Uniqueness Score: -1.00%

Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
EnableWindow.USER32(00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 6a9e35591c00cd6ffd28ac18102f02794c34a39118e1a8546508df961f6cc6e7
Instruction ID: 28e908a6165a13ae20b5456a54398491662dd313bd445d62b915cc3bb3bf236f
Opcode Fuzzy Hash: 6a9e35591c00cd6ffd28ac18102f02794c34a39118e1a8546508df961f6cc6e7
Instruction Fuzzy Hash: C8E08C72B04110DBDB21BBA4AA8859D7264EB50369B1005BBF402F10D2C6B85C42DA3E

Uniqueness

Uniqueness Score: -1.00%

Function 00405B26 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405B26(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405b2a
0x00405b37
0x00405b4c
0x00405b52

APIs

GetFileAttributesW.KERNELBASE(00000003,00402D95,C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,80000000,00000003), ref: 00405B2A
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B4C

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00405B01 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B01(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405b06
0x00405b0c
0x00405b11
0x00405b1a
0x00405b1a
0x00405b23

APIs

GetFileAttributesW.KERNELBASE(?,?,004056F0,?,?,00000000,004058DC,?,?,?,?), ref: 00405B06
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B1A

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction ID: 3daf87e94682bd9fa43cebacea7e4f88137d7a4c1f25d61fac279a85ffa77bb6
Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction Fuzzy Hash: 94D0C972908020AFC2102728EE0C89BBB65DB542717018B31F965A22B0C7305C52CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040268F Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E0040268F(void* __ecx, void* __eflags) {
				long _t7;
				long _t9;
				LONG* _t11;
				void* _t13;
				void* _t15;
				void* _t17;

				_t13 = __ecx;
				_push(ds);
				if(__eflags != 0) {
					_t7 = E00402AB3(2);
					_t9 = SetFilePointer(E00405DFD(_t13, _t15), _t7, _t11,  *(_t17 - 0x20)); // executed
					if( *((intOrPtr*)(_t17 - 0x28)) >= _t11) {
						_push(_t9);
						_push( *((intOrPtr*)(_t17 - 0xc)));
						E00405DE4();
					}
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x0040268f
0x0040268f
0x00402690
0x0040269c
0x004026a9
0x004026b2
0x004028ff
0x00402900
0x00402903
0x00402903
0x004026b2
0x00402960
0x0040296c

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004026A9

Part of subcall function 00405DE4: wsprintfW.USER32 ref: 00405DF1

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: f1affde76962026bb3892130916a581bd959e3b298de0af9047324a73b520901
Instruction ID: 848bc1b904df8e593f2179e2ec749d0f1789724b1ad591dd405ad2f686524010
Opcode Fuzzy Hash: f1affde76962026bb3892130916a581bd959e3b298de0af9047324a73b520901
Instruction Fuzzy Hash: 6DE01271B04116ABDB01BB95AE49CAE7769DF01314F10443BF201F00D1C6794902DB3D

Uniqueness

Uniqueness Score: -1.00%

Function 00402251 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402251(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402AD0(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x28)) != _t11) {
					_t13 = E00402AD0(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x1c)) != _t11) {
					_t11 = E00402AD0(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402AD0(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x00402251
0x00402251
0x00402253
0x00402257
0x0040225a
0x0040225f
0x00402264
0x0040226d
0x0040226d
0x00402272
0x0040227b
0x0040227b
0x00402288
0x004015ac
0x004015ae
0x00402729
0x00402729
0x00402960
0x0040296c

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402288

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: ff37467d196542fb058f015d684c25ad389eeca81ff6bef522b3f91f96979ab6
Instruction ID: 4d522e8bde3653b981076e9042a854f7c5429d371814473e34f0fcc773409074
Opcode Fuzzy Hash: ff37467d196542fb058f015d684c25ad389eeca81ff6bef522b3f91f96979ab6
Instruction Fuzzy Hash: CAE0E632A041696ADB2036F20E8DD7F3058DB54754F15057FB513BA2C2DDFC0D815AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402BDA Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00402BDA(void* __eflags, void* _a4) {
				short* _t8;
				intOrPtr _t9;
				signed int _t11;

				_t8 = E00402AD0(0x22);
				_t9 =  *0x40bd80; // 0x344fc58
				_t11 = RegOpenKeyExW(E00402BC5( *((intOrPtr*)(_t9 + 4))), _t8, 0,  *0x429290 | _a4,  &_a4); // executed
				asm("sbb eax, eax");
				return  !( ~_t11) & _a4;
			}

0x00402bee
0x00402bf4
0x00402c02
0x00402c0a
0x00402c12

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C02

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
Instruction ID: b0bbdecf46b64206e012d84e5d9e673a6d3cc271936ee21996476f731e1d4893
Opcode Fuzzy Hash: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
Instruction Fuzzy Hash: 12E0B676290108BADB11EFA5ED4AFA577ECEB08705F108425BA09E6091D674F5508BAC

Uniqueness

Uniqueness Score: -1.00%

Function 0040329F Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040329F(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409018, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004032a3
0x004032b6
0x004032be
0x00000000
0x004032c5
0x00000000
0x004032c7

APIs

ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00413E78,0040BE78,004031A4,00413E78,00004000,?,00000000,?,0040302E,00000004,00000000,00000000), ref: 004032B6

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 476de8a6d54054254eaeab11a76a7e936c9490da6f321b020811133c829fda6c
Instruction ID: 88158c925b015a47486c1d05f200f8b2f8795a110b6c7e6efd1e7249e7db3a8e
Opcode Fuzzy Hash: 476de8a6d54054254eaeab11a76a7e936c9490da6f321b020811133c829fda6c
Instruction Fuzzy Hash: 1AE0863512411DBBCF205E619C00AE73B5CEB05761F00C076F908E5290D130DA059BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040159B() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402AD0(0xfffffff0),  *(_t11 - 0x28)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a6
0x004015ac
0x004015ae
0x00402729
0x00402729
0x00402960
0x0040296c

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 77e648e7e29f62b40c1914f2f13d0d5af15d4fddf3a636ff72d00cfb230e9c56
Instruction ID: f3354cb8ce28efe1ca3c080267c8b1e00e40bfd903d5f796d394ce91db8ae015
Opcode Fuzzy Hash: 77e648e7e29f62b40c1914f2f13d0d5af15d4fddf3a636ff72d00cfb230e9c56
Instruction Fuzzy Hash: 20D01272708111D7DB10DBE5AA0869D76649B01364F204577D112F21D0D2B89545DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 004040EC Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004040EC(intOrPtr _a12) {
				intOrPtr _v0;
				struct HWND__* _v4;
				int _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_t7 = SetDlgItemTextW(_v4, _v0 + 0x3e8, E00405EBF(_t8, _t9, _t10, 0, _a12)); // executed
				return _t7;
			}

0x00404106
0x0040410b

APIs

SetDlgItemTextW.USER32 ref: 00404106

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 89ef0c13f186ee6438446acdb8d61910068c771356f2cf9ecbc695c3a08d2ba0
Instruction ID: 5e2450ef4b61503df5230995b72fccf88bd953f39a813e1862a21e7890be1ed7
Opcode Fuzzy Hash: 89ef0c13f186ee6438446acdb8d61910068c771356f2cf9ecbc695c3a08d2ba0
Instruction Fuzzy Hash: E0C08C35048200BFE641BB04CC02F0FB39CEFA0316F00C82EB0ACA10D1CA3789208A26

Uniqueness

Uniqueness Score: -1.00%

Function 00404138 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404138(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x4281b8;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00404138
0x0040413f
0x0040414a
0x00000000
0x0040414a
0x00404150

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040414A

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction ID: 311574ae90b6f76d5c46421f765eec9d6790004f5caaca051db0d990d20e12cf
Opcode Fuzzy Hash: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction Fuzzy Hash: B5C09B71744300BBDA309B50AD49F1777546798B40F1444397314F51D0C674F451D61D

Uniqueness

Uniqueness Score: -1.00%

Function 00404121 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404121(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x4291e8, 0x28, _a4, 1); // executed
				return _t2;
			}

0x0040412f
0x00404135

APIs

SendMessageW.USER32(00000028,?,00000001,00403F4D), ref: 0040412F

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09

Uniqueness

Uniqueness Score: -1.00%

Function 004032D1 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032D1(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409018, _a4, 0, 0); // executed
				return _t2;
			}

0x004032df
0x004032e5

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F7D,?), ref: 004032DF

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040410E Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040410E(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x4226cc, _a4); // executed
				return _t2;
			}

0x00404118
0x0040411e

APIs

KiUserCallbackDispatcher.NTDLL(?,00403EE6), ref: 00404118

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction ID: 866da2961ca677aab693f91c7c1a68d27da85f1a7500f820b7212f7e549623fc
Opcode Fuzzy Hash: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction Fuzzy Hash: 62A00276544101ABCB115B50EF48D057B62BBA47517518575B1455003486715461EF69

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404ACD Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00404ACD(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageW;
				_v20 =  *0x429208;
				_t282 = 0;
				_v24 =  *0x4291f0 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x4291f9 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404A1B(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x818 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x4291f8) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x4226b4;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x4226c8;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x4226b4 = _t282;
								 *0x4226c8 = _t282;
								 *0x429240 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x4291f9 & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404A9B();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x4226c8;
									_t195 =  *0x429208;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42920c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										if( *((intOrPtr*)( *0x4281bc + 0x10)) != _t282) {
											E00404935(0x3ff, 0xfffffffb, E004049EE(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageW(_v8, 0x113f, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x206]);
									} while (_v20 <  *0x42920c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x4226c8);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageW(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageW(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x429240 = _t306;
					 *0x4226c8 = GlobalAlloc(0x40,  *0x42920c << 2);
					_t252 = LoadBitmapW( *0x4291e0, 0x6e);
					 *0x4226bc =  *0x4226bc | 0xffffffff;
					_t313 = _t252;
					 *0x4226c4 = SetWindowLongW(_v8, 0xfffffffc, E004050C5);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x4226b4 = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x4226b4);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E00405EBF(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E004040EC(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E004040EC(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42920c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										 *( *0x4226c8 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
									} else {
										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
									_v32 = 1;
									 *( *0x4226c8 + _t316 * 4) = _t276;
									_t284 =  *( *0x4226c8 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x818]);
							_v28 = _t302;
						} while (_t316 <  *0x42920c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E00404121(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404121(_v12);
								L91:
								return E00404153(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404adc
0x00404aed
0x00404af2
0x00404afa
0x00404b00
0x00404b08
0x00404b16
0x00404b19
0x00404d3a
0x00404d41
0x00404d55
0x00404d43
0x00404d45
0x00404d48
0x00404d49
0x00404d50
0x00404d50
0x00404d61
0x00404d6f
0x00404d72
0x00404d88
0x00404dfd
0x00404e00
0x00404e02
0x00404e0c
0x00404e1a
0x00404e1a
0x00404e1c
0x00404e26
0x00404e2c
0x00404e2f
0x00404e32
0x00404e4d
0x00404e34
0x00404e3e
0x00404e3e
0x00404e32
0x00404e26
0x00000000
0x00404e00
0x00404d8d
0x00404d98
0x00404d9d
0x00404da4
0x00404da9
0x00404dad
0x00404db8
0x00404db8
0x00404dbc
0x00404dc0
0x00404dc4
0x00404dd7
0x00404dc6
0x00404dc6
0x00404dcd
0x00404dd3
0x00404dcf
0x00404dcf
0x00404dcf
0x00404dcd
0x00404ddb
0x00404ddd
0x00404df0
0x00404df3
0x00404df6
0x00404df6
0x00404dc0
0x00000000
0x00404dad
0x00404d8f
0x00404d96
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404e50
0x00404e50
0x00404e57
0x00404ec8
0x00404ed0
0x00404ed8
0x00404ed8
0x00404ee1
0x00404ee3
0x00404eea
0x00404eed
0x00404eed
0x00404ef3
0x00404efa
0x00404efd
0x00404efd
0x00404f03
0x00404f09
0x00404f0f
0x00404f0f
0x00404f1c
0x00405072
0x00405079
0x00405096
0x0040509c
0x004050ae
0x004050ae
0x00000000
0x00404f22
0x00404f24
0x00404f29
0x00404f2e
0x00404f33
0x00404f35
0x00404f35
0x00404f36
0x00404f37
0x00404f39
0x00404f39
0x00404f41
0x00404f82
0x00404f84
0x00404f94
0x00404f97
0x00404f9c
0x00404fa3
0x00404fa6
0x00405048
0x0040504e
0x0040505c
0x0040506d
0x0040506d
0x00000000
0x0040505c
0x00404fac
0x00404faf
0x00404fb5
0x00404fba
0x00404fbc
0x00404fbe
0x00404fc4
0x00404fcb
0x00404fd0
0x00404fd7
0x00404fda
0x00404fda
0x00404fe1
0x00404fed
0x00404ff1
0x00404ff3
0x00404ff3
0x00404fe3
0x00404fe5
0x00404fe5
0x00405013
0x0040501f
0x0040502e
0x0040502e
0x00405030
0x00405033
0x0040503c
0x00000000
0x00404f43
0x00404f4e
0x00404f51
0x00404f56
0x00404f58
0x00404f5c
0x00404f6c
0x00404f76
0x00404f78
0x00404f7b
0x00000000
0x00000000
0x00000000
0x00000000
0x00404f5e
0x00404f5e
0x00404f64
0x00404f66
0x00404f66
0x00404f67
0x00404f68
0x00000000
0x00404f5e
0x00404f41
0x00404f1c
0x00404e5f
0x00000000
0x00404e75
0x00404e7f
0x00404e84
0x00000000
0x00000000
0x00404e96
0x00404e9b
0x00404ea7
0x00404ea7
0x00404ea9
0x00404eb8
0x00404eba
0x00404ebe
0x00404ec1
0x00000000
0x00404ec1
0x00404e5f
0x00404b1f
0x00404b24
0x00404b2d
0x00404b34
0x00404b42
0x00404b4d
0x00404b53
0x00404b61
0x00404b75
0x00404b7a
0x00404b87
0x00404b8c
0x00404ba2
0x00404bb3
0x00404bc0
0x00404bc0
0x00404bc3
0x00404bc9
0x00404bcb
0x00404bce
0x00404bd3
0x00404bd8
0x00404bda
0x00404bda
0x00404bfa
0x00404bfa
0x00404bfc
0x00404bfd
0x00404c02
0x00404c05
0x00404c08
0x00404c0c
0x00404c11
0x00404c16
0x00404c1a
0x00404c1f
0x00404c24
0x00404c26
0x00404c2e
0x00404cf9
0x00404d0c
0x00000000
0x00404c34
0x00404c37
0x00404c3a
0x00404c3d
0x00404c3d
0x00404c44
0x00404c4a
0x00404c4d
0x00404c53
0x00404c54
0x00404c59
0x00404c62
0x00404c69
0x00404c6c
0x00404c6f
0x00404c72
0x00404cae
0x00404cd7
0x00404cb0
0x00404cbd
0x00404cbd
0x00404c74
0x00404c77
0x00404c86
0x00404c90
0x00404c98
0x00404c9f
0x00404ca7
0x00404ca7
0x00404c72
0x00404cdd
0x00404cde
0x00404cea
0x00404cea
0x00404cf7
0x00404d12
0x00404d16
0x00404d33
0x00404d38
0x00000000
0x00404d18
0x00404d1d
0x00404d26
0x004050b0
0x004050c2
0x004050c2
0x00404d16
0x00000000
0x00404cf7
0x00404c2e

APIs

GetDlgItem.USER32 ref: 00404AE5
GetDlgItem.USER32 ref: 00404AF0
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B3A
LoadBitmapW.USER32(0000006E), ref: 00404B4D
SetWindowLongW.USER32 ref: 00404B66
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404B7A
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B8C
SendMessageW.USER32(?,00001109,00000002), ref: 00404BA2
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BAE
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BC0
DeleteObject.GDI32(00000000), ref: 00404BC3
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404BEE
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404BFA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404C90
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CBB
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CCF
GetWindowLongW.USER32(?,000000F0), ref: 00404CFE
SetWindowLongW.USER32 ref: 00404D0C
ShowWindow.USER32(?,00000005), ref: 00404D1D
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E1A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404E7F
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404E94
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EB8
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404ED8
ImageList_Destroy.COMCTL32(?), ref: 00404EED
GlobalFree.KERNEL32 ref: 00404EFD
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404F76
SendMessageW.USER32(?,00001102,?,?), ref: 0040501F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040502E
InvalidateRect.USER32(?,00000000,00000001), ref: 0040504E
ShowWindow.USER32(?,00000000), ref: 0040509C
GetDlgItem.USER32 ref: 004050A7
ShowWindow.USER32(00000000), ref: 004050AE

Strings

M, xrefs: 00404C77
N, xrefs: 00404D58
, xrefs: 00405086

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: f884e8d6c0fcc1f0dbacae2e534055ddf25148311cd6b84ad760a532713f6753
Instruction ID: 2b8abece73fbeb368f1422e498a405ff90f22d27d638e65f5ac4229e047e6b4a
Opcode Fuzzy Hash: f884e8d6c0fcc1f0dbacae2e534055ddf25148311cd6b84ad760a532713f6753
Instruction Fuzzy Hash: C7028FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404587 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 269
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00404587(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				WCHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				WCHAR* _v68;
				void _v72;
				struct HWND__* _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t78;
				long _t83;
				signed short* _t85;
				void* _t91;
				signed int _t92;
				signed short _t110;
				signed int _t114;
				struct HWND__** _t118;
				intOrPtr* _t134;
				WCHAR* _t142;
				signed char _t145;
				signed int _t146;
				signed int _t150;
				signed int* _t152;
				signed int _t153;
				signed int* _t154;
				struct HWND__* _t160;
				struct HWND__* _t161;
				int _t163;

				_t78 =  *0x4216a8; // 0x4fa104
				_v36 = _t78;
				_t142 = ( *(_t78 + 0x3c) << 0xb) + 0x42a000;
				_v12 =  *((intOrPtr*)(_t78 + 0x38));
				if(_a8 == 0x40b) {
					E00405664(0x3fb, _t142);
					E00406131(_t142);
				}
				_t161 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405664(0x3fb, _t142);
							if(E00405A0D(_t180, _t142) == 0) {
								_v8 = 1;
							}
							E00405E9D(0x4206a0, _t142);
							_t152 = 0;
							_t83 = E00406207(0);
							_v16 = _t83;
							if(_t83 == 0 || 0 == 0x4206a0) {
								L30:
								E00405E9D(0x4206a0, _t142);
								_t85 = E004059B0(0x4206a0);
								if(_t85 != 0) {
									 *_t85 =  *_t85 & 0x00000000;
								}
								if(GetDiskFreeSpaceW(0x4206a0,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L36;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L37;
								}
							} else {
								while(1) {
									_t110 = _v16(0x4206a0,  &_v44,  &_v32,  &_v24);
									if(_t110 != 0) {
										break;
									}
									if(_t152 != 0) {
										 *_t152 =  *_t152 & _t110;
									}
									_t154 = E00405951(0x4206a0);
									 *_t154 =  *_t154 & 0x00000000;
									_t152 = _t154;
									 *_t152 = 0x5c;
									if(_t152 != 0x4206a0) {
										continue;
									} else {
										goto L30;
									}
								}
								_v16 = 0xa;
								_t145 = _v16;
								_t150 = _v40;
								_v40 = _t150 >> _t145;
								_t153 = (_t150 << 0x00000020 | _v44) >> _t145;
								_v12 = 1;
								L36:
								_t163 = 0x400;
								L37:
								_t91 = E004049EE(5);
								if(_v12 != 0 && _t153 < _t91) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x4281bc + 0x10)) != 0) {
									E00404935(0x3ff, 0xfffffffb, _t91);
									if(_v12 == 0) {
										SetDlgItemTextW(_a4, _t163, 0x420690);
									} else {
										E00404935(_t163, 0xfffffffc, _t153);
									}
								}
								_t92 = _v8;
								 *0x429284 = _t92;
								if(_t92 == 0) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = 0;
								}
								E0040410E(0 | _v8 == 0x00000000);
								if(_v8 == 0 &&  *0x4226c0 == 0) {
									E0040451C();
								}
								 *0x4226c0 = 0;
								goto L52;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L52;
						}
						goto L22;
					}
					_t114 = _a12 & 0x0000ffff;
					if(_t114 != 0x3fb) {
						L12:
						if(_t114 == 0x3e9) {
							_t146 = 7;
							memset( &_v72, 0, _t146 << 2);
							_v76 = _t161;
							_v68 = 0x4226d0;
							_v56 = E004048CF;
							_v52 = _t142;
							_v64 = E00405EBF(_t142, 0x4226d0, _t161, 0x420ea8, _v12);
							_t118 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderW(_t118);
							if(_t118 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t118);
								E00405905(_t142);
								_t121 =  *((intOrPtr*)( *0x4291f0 + 0x11c));
								if( *((intOrPtr*)( *0x4291f0 + 0x11c)) != 0 && _t142 == L"C:\\Users\\jones\\Nonhieratical") {
									E00405EBF(_t142, 0x4226d0, _t161, 0, _t121);
									if(lstrcmpiW(0x427180, 0x4226d0) != 0) {
										lstrcatW(_t142, 0x427180);
									}
								}
								 *0x4226c0 =  *0x4226c0 + 1;
								SetDlgItemTextW(_t161, 0x3fb, _t142);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L52;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t160 = GetDlgItem(_t161, 0x3fb);
					if(E0040597C(_t142) != 0 && E004059B0(_t142) == 0) {
						E00405905(_t142);
					}
					 *0x4281b8 = _t161;
					SetWindowTextW(_t160, _t142);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004040EC(_t161);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004040EC(_t161);
					E00404121(_t160);
					_t134 = E00406207(7);
					if(_t134 == 0) {
						L52:
						return E00404153(_a8, _a12, _a16);
					}
					 *_t134(_t160, 1);
					goto L8;
				}
			}

0x0040458d
0x00404593
0x004045a0
0x004045ae
0x004045b1
0x004045b9
0x004045bf
0x004045bf
0x004045cb
0x004045ce
0x0040463c
0x00404643
0x0040471a
0x00404721
0x00404730
0x00404730
0x00404734
0x0040473e
0x0040474b
0x0040474d
0x0040474d
0x0040475b
0x00404760
0x00404763
0x0040476a
0x0040476d
0x004047a7
0x004047a9
0x004047af
0x004047b6
0x004047b8
0x004047b8
0x004047d5
0x0040481c
0x00000000
0x004047d7
0x004047da
0x004047ee
0x004047f0
0x00000000
0x004047f0
0x00404775
0x00404775
0x00404782
0x00404787
0x00000000
0x00000000
0x0040478b
0x0040478d
0x0040478d
0x00404796
0x00404798
0x0040479d
0x004047a0
0x004047a5
0x00000000
0x00000000
0x00000000
0x00000000
0x004047a5
0x004047f9
0x00404800
0x00404806
0x0040480e
0x00404811
0x00404813
0x0040481f
0x0040481f
0x00404824
0x00404826
0x00404830
0x00404836
0x00404836
0x00404846
0x00404850
0x00404858
0x0040486e
0x0040485a
0x0040485e
0x0040485e
0x00404858
0x00404873
0x00404878
0x0040487d
0x00404886
0x00404886
0x0040488f
0x00404891
0x00404891
0x0040489d
0x004048a5
0x004048af
0x004048af
0x004048b4
0x00000000
0x004048b4
0x0040476d
0x00404723
0x0040472a
0x00000000
0x00000000
0x00000000
0x0040472a
0x00404649
0x00404652
0x0040466c
0x00404671
0x0040467b
0x00404682
0x0040468e
0x00404691
0x00404694
0x0040469b
0x004046a3
0x004046a6
0x004046aa
0x004046b1
0x004046b9
0x00404713
0x004046bb
0x004046bc
0x004046c3
0x004046cd
0x004046d5
0x004046e2
0x004046f6
0x004046fa
0x004046fa
0x004046f6
0x004046ff
0x0040470c
0x0040470c
0x004046b9
0x00000000
0x00404671
0x0040465f
0x00000000
0x00000000
0x00404665
0x00000000
0x004045d0
0x004045dd
0x004045e6
0x004045f3
0x004045f3
0x004045fa
0x00404600
0x00404609
0x0040460c
0x0040460f
0x00404617
0x0040461a
0x0040461d
0x00404623
0x0040462a
0x00404631
0x004048ba
0x004048cc
0x004048cc
0x0040463a
0x00000000
0x0040463a

APIs

GetDlgItem.USER32 ref: 004045D6
SetWindowTextW.USER32(00000000,?), ref: 00404600
SHBrowseForFolderW.SHELL32(?), ref: 004046B1
CoTaskMemFree.OLE32(00000000), ref: 004046BC
lstrcmpiW.KERNEL32(Call,004226D0,00000000,?,?), ref: 004046EE
lstrcatW.KERNEL32(?,Call), ref: 004046FA
SetDlgItemTextW.USER32 ref: 0040470C

Part of subcall function 00405664: GetDlgItemTextW.USER32(?,?,00000400,00404743), ref: 00405677

Part of subcall function 00406131: CharNextW.USER32(?,*?|<>/":,00000000,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 00406194
Part of subcall function 00406131: CharNextW.USER32(?,?,?,00000000), ref: 004061A3
Part of subcall function 00406131: CharNextW.USER32(?,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 004061A8
Part of subcall function 00406131: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 004061BB

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 004047CD
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047E8
SetDlgItemTextW.USER32 ref: 0040486E

Strings

Call, xrefs: 004046E8, 004046ED, 004046F8
C:\Users\user\Nonhieratical, xrefs: 004046D7
A, xrefs: 004046AA

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\Nonhieratical$Call
API String ID: 2246997448-1811298504
Opcode ID: d77ef5926bdc3ca355801c50b0e3a60660584b5cf75aaec8f2767f63c22423f5
Instruction ID: 122484eb7d36ffcc0129a122b569feef6f06f52461b07c096c8c8d5ef3f4f7d3
Opcode Fuzzy Hash: d77ef5926bdc3ca355801c50b0e3a60660584b5cf75aaec8f2767f63c22423f5
Instruction Fuzzy Hash: 689160B1900219ABDB10AFA1CC85AAF77B8EF85314F10843BF611B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123
comCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040206A(void* __eflags) {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				void* _t74;
				signed int _t80;
				intOrPtr* _t87;
				void* _t94;
				void* _t95;
				void* _t98;

				 *((intOrPtr*)(_t98 - 0x38)) = E00402AD0(0xfffffff0);
				_t95 = E00402AD0(0xffffffdf);
				 *((intOrPtr*)(_t98 - 0x34)) = E00402AD0(2);
				 *((intOrPtr*)(_t98 - 8)) = E00402AD0(0xffffffcd);
				 *((intOrPtr*)(_t98 - 0x14)) = E00402AD0(0x45);
				if(E0040597C(_t95) == 0) {
					E00402AD0(0x21);
				}
				_t44 = _t98 + 8;
				__imp__CoCreateInstance(0x407474, _t74, 1, 0x407464, _t44);
				if(_t44 < _t74) {
					L12:
					 *((intOrPtr*)(_t98 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t98 + 8));
					_t94 =  *((intOrPtr*)( *_t48))(_t48, 0x407484, _t98 - 0x10);
					if(_t94 >= _t74) {
						_t52 =  *((intOrPtr*)(_t98 + 8));
						_t94 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t95);
						_t54 =  *((intOrPtr*)(_t98 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, L"C:\\Users\\jones\\Nonhieratical\\Clavichordist\\benenders\\Actionfilm\\Sortsrenheden");
						_t80 =  *(_t98 - 0x1c);
						_t58 = _t80 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t87 =  *((intOrPtr*)(_t98 + 8));
							 *((intOrPtr*)( *_t87 + 0x3c))(_t87, _t58);
							_t80 =  *(_t98 - 0x1c);
						}
						_t59 =  *((intOrPtr*)(_t98 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t80 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t98 - 8)))) != _t74) {
							_t70 =  *((intOrPtr*)(_t98 + 8));
							 *((intOrPtr*)( *_t70 + 0x44))(_t70,  *((intOrPtr*)(_t98 - 8)),  *(_t98 - 0x1c) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t98 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t98 - 0x34)));
						_t64 =  *((intOrPtr*)(_t98 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t98 - 0x14)));
						if(_t94 >= _t74) {
							_t68 =  *((intOrPtr*)(_t98 - 0x10));
							_t94 =  *((intOrPtr*)( *_t68 + 0x18))(_t68,  *((intOrPtr*)(_t98 - 0x38)), 1);
						}
						_t66 =  *((intOrPtr*)(_t98 - 0x10));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t98 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t94 >= _t74) {
						_push(0xfffffff4);
					} else {
						goto L12;
					}
				}
				E00401423();
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t98 - 4));
				return 0;
			}

0x00402073
0x0040207d
0x00402086
0x00402090
0x00402099
0x004020a3
0x004020a7
0x004020a7
0x004020ac
0x004020bd
0x004020c5
0x00402187
0x00402187
0x0040218e
0x004020cb
0x004020cb
0x004020dc
0x004020e0
0x004020e6
0x004020f0
0x004020f2
0x004020fd
0x00402100
0x0040210d
0x0040210f
0x00402111
0x00402118
0x0040211b
0x0040211b
0x0040211e
0x00402128
0x00402131
0x00402136
0x00402142
0x00402142
0x00402145
0x0040214e
0x00402151
0x0040215a
0x0040215f
0x00402161
0x0040216f
0x0040216f
0x00402171
0x00402177
0x00402177
0x0040217a
0x00402180
0x00402185
0x0040219a
0x00000000
0x00000000
0x00000000
0x00402185
0x00402190
0x00402960
0x0040296c

APIs

CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD

Strings

C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden, xrefs: 004020F5

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden
API String ID: 542301482-131915481
Opcode ID: a8bd0b364e8e1e36ce1657ca7717b5d11e2d8f6bfb7acde44d0ce68e54101bf4
Instruction ID: a6376baa3ec4f1c88fe6eb5752b3f6b13a86488716130cb7c57fbbae1acb5123
Opcode Fuzzy Hash: a8bd0b364e8e1e36ce1657ca7717b5d11e2d8f6bfb7acde44d0ce68e54101bf4
Instruction Fuzzy Hash: F5413175A00105AFCB00DFA4CD89EAD7BB5EF48314F20456AF906EB2D1CAB9DD41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00404289 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404289(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				short* _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42069c =  *0x42069c + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E00404153(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x427180;
							if(_t103 - _t113 < 0x1000) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								ShellExecuteW(_a4, L"open", _v8, 0, 0, 1);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x4291e8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x4291e8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42069c != 0) {
						goto L27;
					} else {
						_t69 =  *0x4216a8; // 0x4fa104
						_t29 = _t69 + 0x14; // 0x4fa118
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E0040410E(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040451C();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x4281bc - 4 + _t75 * 4);
				}
				_t76 =  *0x429218 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E0040423A;
				if(_t110 != 2) {
					_v8 = E00404200;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004040EC(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004040EC(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E0040410E( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E00404121(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x4291f0 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x42069c = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x42069c = 0;
				return 0;
			}

0x0040429b
0x004043c8
0x00404425
0x00404429
0x004044fe
0x00404500
0x00404500
0x00404506
0x00404506
0x00404509
0x00000000
0x00404510
0x00404437
0x0040443d
0x00404447
0x00404452
0x00404455
0x00404458
0x00404463
0x00404466
0x0040446d
0x0040447a
0x0040448b
0x004044a0
0x004044af
0x004044b5
0x004044b5
0x0040446d
0x004044bf
0x00000000
0x004044ca
0x004044ce
0x004044de
0x004044de
0x004044e4
0x004044f0
0x004044f0
0x00000000
0x004044f4
0x004044bf
0x004043d3
0x00000000
0x004043e5
0x004043e5
0x004043ea
0x004043ea
0x004043f0
0x00000000
0x00000000
0x00404419
0x0040441b
0x00404420
0x00000000
0x00404420
0x004043d3
0x004042a1
0x004042a4
0x004042a9
0x004042ba
0x004042ba
0x004042c2
0x004042c5
0x004042c9
0x004042cc
0x004042d0
0x004042d3
0x004042d6
0x004042d9
0x004042e0
0x004042e2
0x004042e2
0x004042ec
0x004042f9
0x00404303
0x00404308
0x0040430b
0x00404310
0x00404327
0x0040432e
0x00404341
0x00404344
0x00404358
0x0040435f
0x00404364
0x00404369
0x00404369
0x00404377
0x00404385
0x00404397
0x0040439c
0x004043ac
0x004043ae
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404327
GetDlgItem.USER32 ref: 0040433B
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404358
GetSysColor.USER32(?), ref: 00404369
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404377
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404385
lstrlenW.KERNEL32(?), ref: 0040438A
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404397
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043AC
GetDlgItem.USER32 ref: 00404405
SendMessageW.USER32(00000000), ref: 0040440C
GetDlgItem.USER32 ref: 00404437
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040447A
LoadCursorW.USER32(00000000,00007F02), ref: 00404488
SetCursor.USER32(00000000), ref: 0040448B
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044A0
LoadCursorW.USER32(00000000,00007F00), ref: 004044AC
SetCursor.USER32(00000000), ref: 004044AF
SendMessageW.USER32(00000111,00000001,00000000), ref: 004044DE
SendMessageW.USER32(00000010,00000000,00000000), ref: 004044F0

Strings

Call, xrefs: 00404466
N, xrefs: 00404425
open, xrefs: 00404498

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: eaef407198ac3fa16bada7d3b853943ddba12c96eecc2d2f9aa003102af99c96
Instruction ID: 8f6599a34b6ad16d32f51e15a5d116f7808c9ee9d2655792365e95d9f3efa1dd
Opcode Fuzzy Hash: eaef407198ac3fa16bada7d3b853943ddba12c96eecc2d2f9aa003102af99c96
Instruction Fuzzy Hash: 567193B1A00209FFDB109F61DD45A6A7B69FB84354F00843AFB05B62D0C779AD61CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405BA9 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 141
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BA9() {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				long _t16;
				long _t29;
				char* _t37;
				int _t43;
				void* _t44;
				intOrPtr* _t45;
				long _t48;
				WCHAR* _t50;
				void* _t52;
				void* _t54;
				void* _t55;
				void* _t58;
				void* _t59;

				lstrcpyW(0x425d70, L"NUL");
				_t50 =  *(_t58 + 0x1c);
				if(_t50 == 0) {
					L3:
					_t16 = GetShortPathNameW( *(_t58 + 0x20), 0x426570, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x425970, "%ls=%ls\r\n", 0x425d70, 0x426570);
						_t59 = _t58 + 0x10;
						E00405EBF(_t43, 0x400, 0x426570, 0x426570,  *((intOrPtr*)( *0x4291f0 + 0x128)));
						_t16 = E00405B26(0x426570, 0xc0000000, 4);
						_t54 = _t16;
						 *(_t59 + 0x1c) = _t54;
						if(_t54 != 0xffffffff) {
							_t48 = GetFileSize(_t54, 0);
							_t6 = _t43 + 0xa; // 0xa
							_t52 = GlobalAlloc(0x40, _t48 + _t6);
							if(_t52 == 0 || ReadFile(_t54, _t52, _t48, _t59 + 0x10, 0) == 0 || _t48 !=  *(_t59 + 0x10)) {
								L19:
								return CloseHandle(_t54);
							} else {
								if(E00405A8B(_t44, _t52, "[Rename]\r\n") != 0) {
									_t55 = E00405A8B(_t44, _t26 + 0xa, "\n[");
									if(_t55 == 0) {
										_t54 =  *(_t59 + 0x1c);
										L17:
										_t29 = _t48;
										L18:
										E00405AE1(_t52 + _t29, 0x425970, _t43);
										SetFilePointer(_t54, 0, 0, 0);
										WriteFile(_t54, _t52, _t48 + _t43, _t59 + 0x10, 0);
										GlobalFree(_t52);
										goto L19;
									}
									_t45 = _t52 + _t48;
									_t37 = _t45 + _t43;
									while(_t45 > _t55) {
										 *_t37 =  *_t45;
										_t37 = _t37 - 1;
										_t45 = _t45 - 1;
									}
									_t29 = _t55 - _t52 + 1;
									_t54 =  *(_t59 + 0x1c);
									goto L18;
								}
								lstrcpyA(_t52 + _t48, "[Rename]\r\n");
								_t48 = _t48 + 0xa;
								goto L17;
							}
						}
					}
				} else {
					CloseHandle(E00405B26(_t50, 0, 1));
					_t16 = GetShortPathNameW(_t50, 0x425d70, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L3;
					}
				}
				return _t16;
			}

0x00405bb9
0x00405bbf
0x00405bd0
0x00405bf8
0x00405c03
0x00405c07
0x00405c27
0x00405c2e
0x00405c38
0x00405c45
0x00405c4a
0x00405c4f
0x00405c53
0x00405c62
0x00405c64
0x00405c71
0x00405c75
0x00405d2a
0x00000000
0x00405c9d
0x00405caa
0x00405cce
0x00405cd2
0x00405cf1
0x00405cf5
0x00405cf5
0x00405cf7
0x00405d00
0x00405d0b
0x00405d1d
0x00405d24
0x00000000
0x00405d24
0x00405cd4
0x00405cd7
0x00405ce2
0x00405cde
0x00405ce0
0x00405ce1
0x00405ce1
0x00405ce9
0x00405ceb
0x00000000
0x00405ceb
0x00405cb5
0x00405cbb
0x00000000
0x00405cbb
0x00405c75
0x00405c53
0x00405bd2
0x00405bdd
0x00405be6
0x00405bea
0x00000000
0x00000000
0x00405bea
0x00405d36

APIs

lstrcpyW.KERNEL32 ref: 00405BB9
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405D5F,?,?,00000001,004058F4,?,00000000,000000F1,?), ref: 00405BDD
GetShortPathNameW.KERNEL32 ref: 00405BE6

Part of subcall function 00405A8B: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00405CA8,00000000,[Rename]), ref: 00405A9B
Part of subcall function 00405A8B: lstrlenA.KERNEL32(?,?,00000000,00405CA8,00000000,[Rename]), ref: 00405ACD

GetShortPathNameW.KERNEL32 ref: 00405C03
wsprintfA.USER32 ref: 00405C21
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405C5C
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405C6B
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405C85
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00405CB5
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00425970,00000000,-0000000A,00409544,00000000,[Rename]), ref: 00405D0B
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00405D1D
GlobalFree.KERNEL32 ref: 00405D24
CloseHandle.KERNEL32(00000000), ref: 00405D2B

Part of subcall function 00405B26: GetFileAttributesW.KERNELBASE(00000003,00402D95,C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,80000000,00000003), ref: 00405B2A
Part of subcall function 00405B26: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B4C

Strings

p]B, xrefs: 00405BAE
%ls=%ls, xrefs: 00405C17
peB, xrefs: 00405BF8
[Rename], xrefs: 00405C9D, 00405CAF
NUL, xrefs: 00405BB3

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 3756836283-3322868524
Opcode ID: 97023a7ab2933246e22fcd2e2ffa615fe261335f31b0e17c083aea59aaf65f28
Instruction ID: 8432ad1ec8881f1d66a0607d03b0a8c6dbb1ec5101aa8f14883564715b6ce3c2
Opcode Fuzzy Hash: 97023a7ab2933246e22fcd2e2ffa615fe261335f31b0e17c083aea59aaf65f28
Instruction Fuzzy Hash: 7341F371604B19BFE2206B619C48F6B3A6CEF45714F14443BF901B22C2E678A901CE7D

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x4291f0;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x4281e0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x4291e8;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405151 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405151(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x4281c4;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x429294;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00405EBF(_t38, 0, 0x4216b0, 0x4216b0, _a4);
					}
					_t27 = lstrlenW(0x4216b0);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x4281a8, 0x4216b0);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x4216b0;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x4216b0[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x4216b0, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x00405157
0x00405161
0x00405166
0x0040516c
0x00405177
0x0040517a
0x0040517d
0x00405183
0x00405183
0x00405189
0x00405191
0x00405194
0x004051b1
0x004051b5
0x004051be
0x004051be
0x004051c8
0x004051d1
0x004051dd
0x004051e4
0x004051e8
0x004051eb
0x004051fe
0x0040520c
0x0040520c
0x00405210
0x00405212
0x00405215
0x00000000
0x00405215
0x00405196
0x0040519e
0x004051a6
0x004051ac
0x00000000
0x004051ac
0x004051a6
0x00405194
0x00405221

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000,?), ref: 00405189
lstrlenW.KERNEL32(00402D2A,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000), ref: 00405199
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00402D2A), ref: 004051AC
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll), ref: 004051BE
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004051E4
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004051FE
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040520C

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll, xrefs: 00405172, 00405182, 00405188, 004051AB, 004051B7

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll
API String ID: 2531174081-3785093150
Opcode ID: c7982dcc7f83d9d1842baaa3c0c2181428a9a97c7e691b8a5e5e7162ba0b32dc
Instruction ID: 561c7102ec21bcf4f247983c8d84c4b4dcf94b4bdabcc197e502abf74bd0db19
Opcode Fuzzy Hash: c7982dcc7f83d9d1842baaa3c0c2181428a9a97c7e691b8a5e5e7162ba0b32dc
Instruction Fuzzy Hash: EC218C71D00518BADB11AF95DD85A9FBFB8EF94350F14807AF944B62A0C3798A41CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 1000228E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000228E(char* __edx, intOrPtr _a4) {
				signed int _v4;
				WCHAR* _t31;
				intOrPtr _t33;
				void* _t34;
				void* _t36;
				char* _t37;
				void* _t38;
				void* _t40;
				char* _t41;
				void* _t43;
				void* _t44;
				void* _t45;
				WCHAR* _t50;
				WCHAR* _t51;
				char* _t63;
				char** _t64;
				intOrPtr* _t65;
				char** _t66;

				_t63 = __edx;
				_v4 = 0 |  *((intOrPtr*)(_a4 + 0x1014)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x1018; // 0x1018
					_t65 = (_v4 << 5) + _t9;
					_t51 =  *(_t65 + 0x14);
					if(_t51 == 0) {
						goto L9;
					}
					_t50 = 0x1a;
					if(_t51 == _t50) {
						goto L9;
					}
					if(_t51 != 0xffffffff) {
						if(_t51 <= 0 || _t51 > 0x19) {
							 *(_t65 + 0x14) = _t50;
							goto L12;
						} else {
							_t31 = E100012C8(_t51 - 1);
							L10:
							goto L11;
						}
					} else {
						_t31 = E10001243();
						L11:
						_t51 = _t31;
						L12:
						_t13 = _t65 + 8; // 0x1020
						_t66 = _t13;
						if( *((intOrPtr*)(_t65 + 4)) != 0xffffffff) {
							_t64 = _t66;
						} else {
							_t64 =  *_t66;
						}
						_t33 =  *_t65;
						 *(_t65 + 0x1c) = 0;
						if(_t33 == 0) {
							 *_t66 = 0;
						} else {
							_t36 = _t33 - 1;
							if(_t36 == 0) {
								_t37 = E10001329(_t51);
								L26:
								 *_t64 = _t37;
								L31:
								_t34 = GlobalFree(_t51);
								if(_v4 == 0) {
									return _t34;
								}
								if(_v4 !=  *((intOrPtr*)(_a4 + 0x1014))) {
									_v4 = _v4 + 1;
								} else {
									_v4 = _v4 & 0x00000000;
								}
								continue;
							}
							_t38 = _t36 - 1;
							if(_t38 == 0) {
								 *_t64 = E10001329(_t51);
								_t64[1] = _t63;
								goto L31;
							}
							_t40 = _t38 - 1;
							if(_t40 == 0) {
								_t41 = GlobalAlloc(0x40,  *0x1000406c);
								 *(_t65 + 0x1c) = _t41;
								_t63 = 0;
								 *_t64 = _t41;
								WideCharToMultiByte(0, 0, _t51,  *0x1000406c, _t41,  *0x1000406c, 0, 0);
								goto L31;
							}
							_t43 = _t40 - 1;
							if(_t43 == 0) {
								_t37 = E1000122C(_t51);
								 *(_t65 + 0x1c) = _t37;
								goto L26;
							}
							_t44 = _t43 - 1;
							if(_t44 == 0) {
								_t45 = GlobalAlloc(0x40, 0x10);
								 *(_t65 + 0x1c) = _t45;
								 *_t64 = _t45;
								__imp__CLSIDFromString(_t51, _t45);
							} else {
								if(_t44 == 1 && lstrlenW(_t51) > 0) {
									 *_t66 = E1000254B(E10001329(_t51));
								}
							}
						}
						goto L31;
					}
					L9:
					_t31 = E1000122C(0x10004044);
					goto L10;
				}
			}

0x1000228e
0x100022a2
0x100022a6
0x100022b1
0x100022b1
0x100022b8
0x100022bd
0x00000000
0x00000000
0x100022c1
0x100022c4
0x00000000
0x00000000
0x100022c9
0x100022d4
0x100022e4
0x00000000
0x100022db
0x100022dd
0x100022f3
0x00000000
0x100022f3
0x100022cb
0x100022cb
0x100022f4
0x100022f4
0x100022f6
0x100022fa
0x100022fa
0x100022fd
0x10002304
0x100022ff
0x100022ff
0x100022ff
0x1000230a
0x1000230c
0x1000230f
0x100023b9
0x10002315
0x10002315
0x10002316
0x100023b2
0x10002373
0x10002374
0x100023bc
0x100023bd
0x100023c8
0x100023f2
0x100023f2
0x100023d8
0x100023e4
0x100023da
0x100023da
0x100023da
0x00000000
0x100023d8
0x1000231c
0x1000231d
0x100023aa
0x100023ac
0x00000000
0x100023ac
0x10002323
0x10002324
0x10002380
0x10002386
0x10002389
0x1000238b
0x1000239b
0x00000000
0x1000239b
0x10002326
0x10002327
0x1000236b
0x10002370
0x00000000
0x10002370
0x10002329
0x1000232a
0x10002355
0x1000235c
0x10002360
0x10002362
0x1000232c
0x1000232d
0x1000234b
0x1000234e
0x1000232d
0x1000232a
0x00000000
0x1000230f
0x100022e9
0x100022ee
0x00000000
0x100022ee

APIs

lstrlenW.KERNEL32(?), ref: 10002334
GlobalAlloc.KERNEL32(00000040,00000010), ref: 10002355
CLSIDFromString.OLE32(?,00000000), ref: 10002362
GlobalAlloc.KERNEL32(00000040), ref: 10002380
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 1000239B
GlobalFree.KERNEL32 ref: 100023BD

Strings

@hqt, xrefs: 1000239B

Memory Dump Source

Source File: 00000000.00000002.844683287.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.844674032.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844702593.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844712082.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Global$Alloc$ByteCharFreeFromMultiStringWidelstrlen
String ID: @hqt
API String ID: 3579998418-2648236075
Opcode ID: 0bd45a36e3cf99e0ea36bafafcae9cc199b85f388ee9b7374409e80a5249356b
Instruction ID: 92ad864d7eaf777a3729ef1fd9657dd0a0a37f05fa24005ae91eac6ed31fbb47
Opcode Fuzzy Hash: 0bd45a36e3cf99e0ea36bafafcae9cc199b85f388ee9b7374409e80a5249356b
Instruction Fuzzy Hash: F0418EB0504302EFF724DF649C84A6BB7E8FB443D0B11892EFA46C6199DB34AE44DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00406131 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406131(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E0040597C(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405932(L"*?|<>/\":", _t5))) == 0) {
							E00405AE1(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406133
0x0040613c
0x00406153
0x00406153
0x0040615a
0x00406166
0x00406166
0x00406169
0x0040616c
0x00406171
0x00406173
0x0040617c
0x00406180
0x0040619d
0x004061a5
0x004061a5
0x004061aa
0x004061ac
0x004061af
0x004061b4
0x004061b5
0x004061b9
0x004061b9
0x004061ba
0x004061c1
0x004061c3
0x004061ca
0x00000000
0x00000000
0x004061d2
0x004061d8
0x00000000
0x00000000
0x00000000
0x004061d8
0x004061dd

APIs

CharNextW.USER32(?,*?|<>/":,00000000,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 00406194
CharNextW.USER32(?,?,?,00000000), ref: 004061A3
CharNextW.USER32(?,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 004061A8
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004032F4,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 004061BB

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406132, 00406137
user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0), xrefs: 00406175
*?|<>/":, xrefs: 00406183

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)
API String ID: 589700163-2357146075
Opcode ID: 2d54cbb0e8494857c179f5df92518ebeb87d66f09dbd66fee380f3f48f4b7355
Instruction ID: 97360d054feb9d030cd46d1938c618f10704a11f4d23437df23652b5358ad834
Opcode Fuzzy Hash: 2d54cbb0e8494857c179f5df92518ebeb87d66f09dbd66fee380f3f48f4b7355
Instruction Fuzzy Hash: 3511B27A80021299DB317B148C40AB7A2B8EF55760F56403FED86B73C2E77C5C9282ED

Uniqueness

Uniqueness Score: -1.00%

Function 004024EC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024EC(int __ebx, intOrPtr* __esi) {
				int _t9;
				long _t12;
				struct _OVERLAPPED* _t18;
				intOrPtr* _t23;
				void* _t25;
				int _t29;

				_t23 = __esi;
				_t18 = __ebx;
				if( *((intOrPtr*)(_t25 - 0x24)) == __ebx) {
					if( *((intOrPtr*)(_t25 - 0x30)) != 0x38) {
						_t12 = lstrlenW(E00402AD0(0x11)) + _t11;
					} else {
						E00402AD0(0x21);
						WideCharToMultiByte(__ebx, __ebx, "C:\Users\jones\AppData\Local\Temp\nsoF960.tmp", 0xffffffff, 0x409d80, 0x400, __ebx, __ebx);
						_t12 = lstrlenA(0x409d80);
					}
				} else {
					E00402AB3(1);
					 *0x409d80 = __ax;
				}
				if( *_t23 == _t18) {
					L10:
					 *((intOrPtr*)(_t25 - 4)) = 1;
				} else {
					_t9 = WriteFile(E00405DFD(_t25 + 8, _t23), "C:\Users\jones\AppData\Local\Temp\nsoF960.tmp\System.dll", _t12, _t25 + 8, _t18);
					_t29 = _t9;
					if(_t29 == 0) {
						goto L10;
					}
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t25 - 4));
				return 0;
			}

0x004024ec
0x004024ec
0x004024ef
0x0040250e
0x00402549
0x00402510
0x00402512
0x0040252d
0x00402534
0x00402534
0x004024f1
0x004024f3
0x004024f8
0x00402507
0x0040254e
0x00402729
0x00402729
0x00402554
0x00402566
0x004015ac
0x004015ae
0x00000000
0x004015b4
0x004015ae
0x00402960
0x0040296c

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsoF960.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsoF960.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 00402566

Strings

8, xrefs: 0040250A
C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll, xrefs: 004024F8, 00402519, 00402523, 00402533, 0040255A
C:\Users\user\AppData\Local\Temp\nsoF960.tmp, xrefs: 00402526

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Users\user\AppData\Local\Temp\nsoF960.tmp$C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll
API String ID: 1453599865-1404677045
Opcode ID: 48fadf72c295a64c7f59957173d09a32a0b1232740451ce2f6f1ff3f31627d40
Instruction ID: a74916d260ff311dc1de602934a3eb812556956cd348fe9d4a36b9c849c2985b
Opcode Fuzzy Hash: 48fadf72c295a64c7f59957173d09a32a0b1232740451ce2f6f1ff3f31627d40
Instruction Fuzzy Hash: E1019271A44204FBD700ABA0DE89EAF7268EB40319F20053BF102B61D2D7FC5E41DA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404153 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404153(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00404165
0x004041f9
0x00000000
0x004041f9
0x00404176
0x0040417a
0x00000000
0x00000000
0x00404180
0x00404189
0x0040418c
0x0040418c
0x00404192
0x00404198
0x00404198
0x004041a4
0x004041aa
0x004041b1
0x004041b4
0x004041b7
0x004041b9
0x004041b9
0x004041c1
0x004041c7
0x004041c7
0x004041d1
0x004041d6
0x004041d9
0x004041de
0x004041e1
0x004041e1
0x004041f1
0x004041f1
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404170
GetSysColor.USER32(00000000), ref: 0040418C
SetTextColor.GDI32(?,00000000), ref: 00404198
SetBkMode.GDI32(?,?), ref: 004041A4
GetSysColor.USER32(?), ref: 004041B7
SetBkColor.GDI32(?,?), ref: 004041C7
DeleteObject.GDI32(?), ref: 004041E1
CreateBrushIndirect.GDI32(?), ref: 004041EB

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 67bbf8253a9e8794ceedc565232cff1d48e1af93272a84c29814a0898a83ad58
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: F221D8B1804744ABCB219F68DD0CB4B7BF8AF40710F048629FD95E62E0D738E944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10002430 Relevance: 10.6, APIs: 7, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10002430(void* __edx, intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr* _t18;
				intOrPtr _t21;
				void* _t23;
				WCHAR* _t24;
				void* _t25;
				void* _t30;
				void* _t32;
				void* _t34;
				void* _t38;
				void* _t40;
				void* _t42;
				void* _t47;
				WCHAR** _t48;
				intOrPtr _t49;
				WCHAR** _t52;
				void* _t54;

				_t47 = __edx;
				_t18 = _a4;
				_t49 =  *((intOrPtr*)(_t18 + 0x1014));
				_v4 = _t49;
				_t52 = (_t49 + 0x81 << 5) + _t18;
				do {
					if( *((intOrPtr*)(_t52 - 4)) != 0xffffffff) {
						_t48 = _t52;
					} else {
						_t48 =  *_t52;
					}
					_t42 = E1000121B();
					_t21 =  *((intOrPtr*)(_t52 - 8));
					if(_t21 == 0) {
						lstrcpyW(_t42, 0x10004044);
					} else {
						_t30 = _t21 - 1;
						if(_t30 == 0) {
							_push( *_t48);
							goto L12;
						} else {
							_t32 = _t30 - 1;
							if(_t32 == 0) {
								E10001488(_t47,  *_t48, _t48[1], _t42);
								goto L13;
							} else {
								_t34 = _t32 - 1;
								if(_t34 == 0) {
									MultiByteToWideChar(0, 0,  *_t48,  *0x1000406c, _t42,  *0x1000406c - 1);
									 *((short*)(_t42 +  *0x1000406c * 2 - 2)) = 0;
								} else {
									_t38 = _t34 - 1;
									if(_t38 == 0) {
										lstrcpynW(_t42,  *_t48,  *0x1000406c);
									} else {
										_t40 = _t38 - 1;
										if(_t40 == 0) {
											__imp__StringFromGUID2( *_t48, _t42,  *0x1000406c);
										} else {
											if(_t40 == 1) {
												_push( *_t52);
												L12:
												wsprintfW(_t42, 0x10004000);
												L13:
												_t54 = _t54 + 0xc;
											}
										}
									}
								}
							}
						}
					}
					_t23 = _t52[5];
					if(_t23 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t52 - 4)) > 0)) {
						GlobalFree(_t23);
					}
					_t24 = _t52[4];
					if(_t24 != 0) {
						if(_t24 != 0xffffffff) {
							if(_t24 > 0) {
								E100012F3(_t24 - 1, _t42);
								goto L29;
							}
						} else {
							E10001280(_t42);
							L29:
						}
					}
					_t25 = GlobalFree(_t42);
					_v4 = _v4 - 1;
					_t52 = _t52 - 0x20;
				} while (_v4 >= 0);
				return _t25;
			}

0x10002430
0x10002431
0x10002438
0x1000243f
0x1000244c
0x10002450
0x10002454
0x1000245a
0x10002456
0x10002456
0x10002456
0x10002461
0x10002466
0x10002468
0x100024e9
0x1000246a
0x1000246a
0x1000246b
0x100024df
0x00000000
0x1000246d
0x1000246d
0x1000246e
0x100024d8
0x00000000
0x10002470
0x10002470
0x10002471
0x100024c0
0x100024cb
0x10002473
0x10002473
0x10002474
0x100024a9
0x10002476
0x10002476
0x10002477
0x10002498
0x10002479
0x1000247a
0x1000247c
0x1000247e
0x10002484
0x1000248a
0x1000248a
0x1000248a
0x1000247a
0x10002477
0x10002474
0x10002471
0x1000246e
0x1000246b
0x100024ef
0x100024f4
0x10002505
0x10002505
0x1000250b
0x10002510
0x10002515
0x10002521
0x10002526
0x00000000
0x1000252b
0x10002517
0x10002518
0x1000252c
0x1000252c
0x10002515
0x1000252e
0x10002534
0x10002538
0x1000253b
0x1000254a

APIs

wsprintfW.USER32 ref: 10002484
StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,00000001,10001875,00000000), ref: 10002498

Part of subcall function 100012F3: lstrcpyW.KERNEL32 ref: 1000131E

GlobalFree.KERNEL32 ref: 10002505
GlobalFree.KERNEL32 ref: 1000252E

Memory Dump Source

Source File: 00000000.00000002.844683287.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.844674032.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844702593.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844712082.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: FreeGlobal$FromStringlstrcpywsprintf
String ID:
API String ID: 2435812281-0
Opcode ID: bb9e9b395051b3fca634c9c67a90cb730b3747ff24aa199545dded541c7a2836
Instruction ID: f64b64ae4b2db59ab97b7ed59bafad1354160bd237cc2a2c65f80b4fe5cf6c60
Opcode Fuzzy Hash: bb9e9b395051b3fca634c9c67a90cb730b3747ff24aa199545dded541c7a2836
Instruction Fuzzy Hash: A931EFB1509616EFFA22CFA4CCD492BB7BCFB043D17224919FA429216DCB319C54DB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040274B Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040274B(struct _OVERLAPPED* __ebx, void* __eflags) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 0x10) = 0xfffffd66;
				_t52 = E00402AD0(0xfffffff0);
				 *(_t58 - 0x34) = _t24;
				if(E0040597C(_t52) == 0) {
					E00402AD0(0xffffffed);
				}
				E00405B01(_t52);
				_t27 = E00405B26(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x4291f4;
					 *(_t58 - 8) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004032D1(_t47);
						E0040329F(_t51,  *(_t58 - 8));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x24));
						 *(_t58 - 0x10) = _t56;
						if(_t56 != _t47) {
							E00402FF8(_t49,  *((intOrPtr*)(_t58 - 0x28)), _t47, _t56,  *(_t58 - 0x24));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x3c) =  *_t56;
								E00405AE1( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x3c);
							}
							GlobalFree( *(_t58 - 0x10));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 8), _t58 - 0x14, _t47);
						GlobalFree(_t51);
						 *(_t58 - 0x10) = E00402FF8(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 0x10) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileW( *(_t58 - 0x34));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040274b
0x0040274d
0x00402759
0x0040275c
0x00402766
0x0040276a
0x0040276a
0x00402770
0x0040277d
0x00402785
0x00402788
0x0040278e
0x0040279c
0x004027a1
0x004027a5
0x004027a8
0x004027b1
0x004027bd
0x004027c1
0x004027c4
0x004027ce
0x004027ed
0x004027d5
0x004027da
0x004027e2
0x004027e5
0x004027ea
0x004027ea
0x004027f4
0x004027f4
0x00402806
0x0040280d
0x0040281f
0x0040281f
0x00402825
0x00402825
0x00402830
0x00402831
0x00402835
0x00402839
0x0040283f
0x0040283f
0x00402846
0x00402190
0x00402960
0x0040296c

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 0040279F
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 004027BB
GlobalFree.KERNEL32 ref: 004027F4
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402806
GlobalFree.KERNEL32 ref: 0040280D
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402825
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402839

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 53f8a6e33a3b61a39d9f033152abbefe2e91c1a858d84e1454498997fc3ce1d5
Instruction ID: eb22058d7ff545a0a954d965169f1c4594d8a1284e2b0a2c981c2c9109066905
Opcode Fuzzy Hash: 53f8a6e33a3b61a39d9f033152abbefe2e91c1a858d84e1454498997fc3ce1d5
Instruction Fuzzy Hash: DC319F71C00128BBDF216FA5CD89DAF7A79EF09364F10023AF521762E0C7795D419BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402CB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402CB0(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x417e84; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x417e84 = 0;
					return _t15;
				}
				__eflags =  *0x417e84; // 0x0
				if(__eflags != 0) {
					return E00406240(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x4291ec;
				if(_t6 >  *0x4291ec) {
					__eflags =  *0x4291e8;
					if( *0x4291e8 == 0) {
						_t7 = CreateDialogParamW( *0x4291e0, 0x6f, 0, E00402C15, 0);
						 *0x417e84 = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x429294 & 0x00000001;
					if(( *0x429294 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00402C94());
						return E00405151(0,  &_v132);
					}
				}
				return _t6;
			}

0x00402cbf
0x00402cc1
0x00402cc8
0x00402ccb
0x00402ccb
0x00402cd1
0x00000000
0x00402cd1
0x00402cd9
0x00402cdf
0x00000000
0x00402ce2
0x00402ce9
0x00402cef
0x00402cf5
0x00402cf7
0x00402cfd
0x00402d3b
0x00402d44
0x00000000
0x00402d49
0x00402cff
0x00402d06
0x00402d17
0x00000000
0x00402d25
0x00402d06
0x00402d51

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402CCB
GetTickCount.KERNEL32 ref: 00402CE9
wsprintfW.USER32 ref: 00402D17

Part of subcall function 00405151: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000,?), ref: 00405189
Part of subcall function 00405151: lstrlenW.KERNEL32(00402D2A,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000), ref: 00405199
Part of subcall function 00405151: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00402D2A), ref: 004051AC
Part of subcall function 00405151: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll), ref: 004051BE
Part of subcall function 00405151: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004051E4
Part of subcall function 00405151: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004051FE
Part of subcall function 00405151: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040520C

CreateDialogParamW.USER32 ref: 00402D3B
ShowWindow.USER32(00000000,00000005), ref: 00402D49

Part of subcall function 00402C94: MulDiv.KERNEL32(00008000,00000064,00009507), ref: 00402CA9

Strings

... %d%%, xrefs: 00402D11

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 1f6409b5ddfd425c3834184b9f37c587bfa798100efa3ec0170f06afe82593ce
Instruction ID: 52b96f78d5e849bbc28d8f9b609f743c2cb6a2631374a09702664ed1f0f99897
Opcode Fuzzy Hash: 1f6409b5ddfd425c3834184b9f37c587bfa798100efa3ec0170f06afe82593ce
Instruction Fuzzy Hash: 40016130949214EFD7216B60AF4DBAE3B68EB01704B14407BF841B51F5CAFC9D45DA9E

Uniqueness

Uniqueness Score: -1.00%

Function 00404A1B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A1B(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404a29
0x00404a36
0x00404a3c
0x00404a7a
0x00404a7a
0x00404a89
0x00404a90
0x00000000
0x00404a92
0x00404a3e
0x00404a4d
0x00404a55
0x00404a58
0x00404a6a
0x00404a70
0x00404a77
0x00000000
0x00404a77
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A36
GetMessagePos.USER32 ref: 00404A3E
ScreenToClient.USER32 ref: 00404A58
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404A6A
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404A90

Strings

f, xrefs: 00404A6C

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 810e458af9685d952a0ca39aaa36d26b65eb51785e28c2290d369dfc85261bed
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 3B015E71E40219BADB10DB94DD85FFEBBBCAB54B11F10412BBB10B61C0C7B4A9018FA5

Uniqueness

Uniqueness Score: -1.00%

Function 10001620 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001620(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x1000163a
0x10001646
0x10001653
0x1000165a
0x10001663
0x1000166f

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,1000214E,?,00000808), ref: 10001638
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,1000214E,?,00000808), ref: 1000163F
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,1000214E,?,00000808), ref: 10001653
GetProcAddress.KERNEL32(1000214E,00000000), ref: 1000165A
GlobalFree.KERNEL32 ref: 10001663

Strings

Nqt@hqt, xrefs: 1000165A

Memory Dump Source

Source File: 00000000.00000002.844683287.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.844674032.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844702593.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844712082.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID: Nqt@hqt
API String ID: 1148316912-2613664712
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00402C15 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C15(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402C94();
					_t19 = L"unpacking data: %d%%";
					if( *0x4291f0 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402c25
0x00402c33
0x00402c39
0x00402c39
0x00402c47
0x00402c49
0x00402c55
0x00402c5a
0x00402c5c
0x00402c5c
0x00402c67
0x00402c77
0x00402c89
0x00402c89
0x00402c91

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C33
wsprintfW.USER32 ref: 00402C67
SetWindowTextW.USER32(?,?), ref: 00402C77
SetDlgItemTextW.USER32 ref: 00402C89

Strings

unpacking data: %d%%, xrefs: 00402C55, 00402C65
verifying installer: %d%%, xrefs: 00402C5C

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 202ece786e13b18a676f2d836fda4bfb41f8cf2a392876fb75eca89f5c504dda
Instruction ID: ec47e9a39b355974639a187dabe614555329f6b54796009757118e462ee14d14
Opcode Fuzzy Hash: 202ece786e13b18a676f2d836fda4bfb41f8cf2a392876fb75eca89f5c504dda
Instruction Fuzzy Hash: 0AF01270504109ABEF246F61DD49BAE3768AB00305F00803AFA15B51D0DBF99A59CB99

Uniqueness

Uniqueness Score: -1.00%

Function 100018CA Relevance: 7.7, APIs: 5, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E100018CA(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v276;
				void _t46;
				signed int _t47;
				signed int _t48;
				signed int _t49;
				signed int _t58;
				signed int _t59;
				signed int _t61;
				signed int _t62;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				signed int _t78;
				void* _t82;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				void* _t102;

				_t86 = __edx;
				 *0x1000406c = _a8;
				_t78 = 0;
				 *0x10004070 = _a16;
				_v8 = 0;
				_a16 = E10001243();
				_a8 = E10001243();
				_t91 = E10001329(_a16);
				_t82 = _a8;
				_t88 = _t86;
				_t46 =  *_t82;
				if(_t46 != 0x7e && _t46 != 0x21) {
					_v16 = E10001243();
					_t78 = E10001329(_t75);
					_v8 = _t86;
					GlobalFree(_v16);
					_t82 = _a8;
				}
				_t47 =  *_t82 & 0x0000ffff;
				_t102 = _t47 - 0x2f;
				if(_t102 > 0) {
					_t48 = _t47 - 0x3c;
					__eflags = _t48;
					if(_t48 == 0) {
						__eflags =  *((short*)(_t82 + 2)) - 0x3c;
						if( *((short*)(_t82 + 2)) != 0x3c) {
							__eflags = _t88 - _v8;
							if(__eflags > 0) {
								L54:
								_t49 = 0;
								__eflags = 0;
								L55:
								asm("cdq");
								L56:
								_t91 = _t49;
								_t88 = _t86;
								L57:
								E10001488(_t86, _t91, _t88,  &_v276);
								E10001280( &_v276);
								GlobalFree(_a16);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L47:
								__eflags = 0;
								L48:
								_t49 = 1;
								goto L55;
							}
							__eflags = _t91 - _t78;
							if(_t91 < _t78) {
								goto L47;
							}
							goto L54;
						}
						_t86 = _t88;
						_t49 = E10002D00(_t91, _t78, _t86);
						goto L56;
					}
					_t58 = _t48 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags = _t91 - _t78;
						if(_t91 != _t78) {
							goto L54;
						}
						__eflags = _t88 - _v8;
						if(_t88 != _v8) {
							goto L54;
						}
						goto L47;
					}
					_t59 = _t58 - 1;
					__eflags = _t59;
					if(_t59 == 0) {
						__eflags =  *((short*)(_t82 + 2)) - 0x3e;
						if( *((short*)(_t82 + 2)) != 0x3e) {
							__eflags = _t88 - _v8;
							if(__eflags < 0) {
								goto L54;
							}
							if(__eflags > 0) {
								goto L47;
							}
							__eflags = _t91 - _t78;
							if(_t91 <= _t78) {
								goto L54;
							}
							goto L47;
						}
						_t86 = _t88;
						_t49 = E10002D20(_t91, _t78, _t86);
						goto L56;
					}
					_t61 = _t59 - 0x20;
					__eflags = _t61;
					if(_t61 == 0) {
						_t91 = _t91 ^ _t78;
						_t88 = _t88 ^ _v8;
						goto L57;
					}
					_t62 = _t61 - 0x1e;
					__eflags = _t62;
					if(_t62 == 0) {
						__eflags =  *((short*)(_t82 + 2)) - 0x7c;
						if( *((short*)(_t82 + 2)) != 0x7c) {
							_t91 = _t91 | _t78;
							_t88 = _t88 | _v8;
							goto L57;
						}
						__eflags = _t91 | _t88;
						if((_t91 | _t88) != 0) {
							goto L47;
						}
						__eflags = _t78 | _v8;
						if((_t78 | _v8) != 0) {
							goto L47;
						}
						goto L54;
					}
					__eflags = _t62 == 0;
					if(_t62 == 0) {
						_t91 =  !_t91;
						_t88 =  !_t88;
					}
					goto L57;
				}
				if(_t102 == 0) {
					L21:
					__eflags = _t78 | _v8;
					if((_t78 | _v8) != 0) {
						_v20 = E10002B90(_t91, _t88, _t78, _v8);
						_v16 = _t86;
						_t49 = E10002C40(_t91, _t88, _t78, _v8);
						_t82 = _a8;
					} else {
						_v20 = _v20 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						_t49 = _t91;
						_t86 = _t88;
					}
					__eflags =  *_t82 - 0x2f;
					if( *_t82 != 0x2f) {
						goto L56;
					} else {
						_t91 = _v20;
						_t88 = _v16;
						goto L57;
					}
				}
				_t68 = _t47 - 0x21;
				if(_t68 == 0) {
					_t49 = 0;
					__eflags = _t91 | _t88;
					if((_t91 | _t88) != 0) {
						goto L55;
					}
					goto L48;
				}
				_t69 = _t68 - 4;
				if(_t69 == 0) {
					goto L21;
				}
				_t70 = _t69 - 1;
				if(_t70 == 0) {
					__eflags =  *((short*)(_t82 + 2)) - 0x26;
					if( *((short*)(_t82 + 2)) != 0x26) {
						_t91 = _t91 & _t78;
						_t88 = _t88 & _v8;
						goto L57;
					}
					__eflags = _t91 | _t88;
					if((_t91 | _t88) == 0) {
						goto L54;
					}
					__eflags = _t78 | _v8;
					if((_t78 | _v8) == 0) {
						goto L54;
					}
					goto L47;
				}
				_t71 = _t70 - 4;
				if(_t71 == 0) {
					_t49 = E10002B50(_t91, _t88, _t78, _v8);
					goto L56;
				} else {
					_t72 = _t71 - 1;
					if(_t72 == 0) {
						_t91 = _t91 + _t78;
						asm("adc edi, [ebp-0x4]");
					} else {
						if(_t72 == 0) {
							_t91 = _t91 - _t78;
							asm("sbb edi, [ebp-0x4]");
						}
					}
					goto L57;
				}
			}

0x100018ca
0x100018d7
0x100018e0
0x100018e3
0x100018e8
0x100018f0
0x100018fb
0x10001904
0x10001906
0x10001909
0x1000190b
0x10001912
0x10001920
0x10001929
0x1000192e
0x10001931
0x10001937
0x10001937
0x1000193a
0x1000193d
0x10001940
0x10001a08
0x10001a08
0x10001a0b
0x10001a76
0x10001a7b
0x10001a8a
0x10001a8d
0x10001a95
0x10001a95
0x10001a95
0x10001a97
0x10001a97
0x10001a98
0x10001a98
0x10001a9a
0x10001a9c
0x10001aa5
0x10001ab1
0x10001ac2
0x10001acd
0x10001acd
0x10001a8f
0x10001a71
0x10001a71
0x10001a73
0x10001a73
0x00000000
0x10001a73
0x10001a91
0x10001a93
0x00000000
0x00000000
0x00000000
0x10001a93
0x10001a7f
0x10001a83
0x00000000
0x10001a83
0x10001a0d
0x10001a0d
0x10001a0e
0x10001a68
0x10001a6a
0x00000000
0x00000000
0x10001a6c
0x10001a6f
0x00000000
0x00000000
0x00000000
0x10001a6f
0x10001a10
0x10001a10
0x10001a11
0x10001a47
0x10001a4c
0x10001a5b
0x10001a5e
0x00000000
0x00000000
0x10001a60
0x00000000
0x00000000
0x10001a62
0x10001a64
0x00000000
0x00000000
0x00000000
0x10001a66
0x10001a50
0x10001a54
0x00000000
0x10001a54
0x10001a13
0x10001a13
0x10001a16
0x10001a40
0x10001a42
0x00000000
0x10001a42
0x10001a18
0x10001a18
0x10001a1b
0x10001a27
0x10001a2c
0x10001a39
0x10001a3b
0x00000000
0x10001a3b
0x10001a2e
0x10001a30
0x00000000
0x00000000
0x10001a32
0x10001a35
0x00000000
0x00000000
0x00000000
0x10001a37
0x10001a1e
0x10001a1f
0x10001a21
0x10001a23
0x10001a23
0x00000000
0x10001a1f
0x10001946
0x100019bf
0x100019c1
0x100019c4
0x100019e2
0x100019e5
0x100019eb
0x100019f0
0x100019c6
0x100019c6
0x100019ca
0x100019ce
0x100019d0
0x100019d0
0x100019f3
0x100019f7
0x00000000
0x100019fd
0x100019fd
0x10001a00
0x00000000
0x10001a00
0x100019f7
0x10001948
0x1000194b
0x100019b0
0x100019b2
0x100019b4
0x00000000
0x00000000
0x00000000
0x100019ba
0x1000194d
0x10001950
0x00000000
0x00000000
0x10001952
0x10001953
0x10001989
0x1000198e
0x100019a6
0x100019a8
0x00000000
0x100019a8
0x10001990
0x10001992
0x00000000
0x00000000
0x10001998
0x1000199b
0x00000000
0x00000000
0x00000000
0x100019a1
0x10001955
0x10001958
0x1000197f
0x00000000
0x1000195a
0x1000195a
0x1000195b
0x1000196f
0x10001971
0x1000195d
0x1000195f
0x10001965
0x10001967
0x10001967
0x1000195f
0x00000000
0x1000195b

APIs

Part of subcall function 10001243: lstrcpyW.KERNEL32 ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalFree.KERNEL32 ref: 10001931
GlobalFree.KERNEL32 ref: 10001AC2
GlobalFree.KERNEL32 ref: 10001AC7

Memory Dump Source

Source File: 00000000.00000002.844683287.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.844674032.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844702593.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844712082.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: FreeGlobal$lstrcpy
String ID:
API String ID: 176019282-0
Opcode ID: c22ba43a18e4d9f744f6e075eadf9e9a5255e54f0eba7ecd37738f721cb55e58
Instruction ID: e766759d7bb1ff2ecdb10e3212f1feb1bfb1f11c96232c97993d4d3884186bff
Opcode Fuzzy Hash: c22ba43a18e4d9f744f6e075eadf9e9a5255e54f0eba7ecd37738f721cb55e58
Instruction Fuzzy Hash: BE51F736F0511AEAFB11DFA4C8815EDB7F5EB463D0B12415AE804A311CD774AF809B93

Uniqueness

Uniqueness Score: -1.00%

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CE5() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x38),  *(_t27 - 0x28));
				GetClientRect(_t25, _t27 - 0x44);
				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402AD0(_t22), _t22,  *(_t27 - 0x3c) *  *(_t27 - 0x24),  *(_t27 - 0x38) *  *(_t27 - 0x24), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401cf1
0x00401cf8
0x00401d27
0x00401d2f
0x00401d36
0x00401d36
0x00402960
0x0040296c

APIs

GetDlgItem.USER32 ref: 00401CEB
GetClientRect.USER32 ref: 00401CF8
LoadImageW.USER32 ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f6126feefc43d8776814008abe35740a3edac46cac5f4f1009ced896c04c5d32
Instruction ID: 9f239c48d4aaa00782f217baa2b30d914516c3821aac0afcf03912814d809b9c
Opcode Fuzzy Hash: f6126feefc43d8776814008abe35740a3edac46cac5f4f1009ced896c04c5d32
Instruction Fuzzy Hash: FAF0E1B2A04105BFD701DBA4EE88DDE7BBCEB08341F100466F602F11A0C674AD418B39

Uniqueness

Uniqueness Score: -1.00%

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401D41() {
				void* __esi;
				int _t7;
				signed char _t13;
				struct HFONT__* _t16;
				void* _t20;
				struct HDC__* _t26;
				void* _t28;
				void* _t30;

				_t26 = GetDC( *(_t30 - 0x38));
				_t7 = GetDeviceCaps(_t26, 0x5a);
				0x40bd88->lfHeight =  ~(MulDiv(E00402AB3(2), _t7, 0x48));
				ReleaseDC( *(_t30 - 0x38), _t26);
				 *0x40bd98 = E00402AB3(3);
				_t13 =  *((intOrPtr*)(_t30 - 0x1c));
				 *0x40bd9f = 1;
				 *0x40bd9c = _t13 & 0x00000001;
				 *0x40bd9d = _t13 & 0x00000002;
				 *0x40bd9e = _t13 & 0x00000004;
				E00405EBF(_t20, _t26, _t28, 0x40bda4,  *((intOrPtr*)(_t30 - 0x28)));
				_t16 = CreateFontIndirectW(0x40bd88);
				_push(_t16);
				_push(_t28);
				E00405DE4();
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401d4a
0x00401d51
0x00401d6c
0x00401d71
0x00401d7e
0x00401d83
0x00401d8e
0x00401d95
0x00401da7
0x00401dad
0x00401db2
0x00401dbc
0x004024e6
0x00401565
0x00402903
0x00402960
0x0040296c

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32 ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 8d06ea3c060267aba26da0b87c592af6ff0513f004a4823b2904bc844afbdc39
Instruction ID: fec6a530431b5b469736924079753082c8e07c69b24af6cf24ec0cd862f891d0
Opcode Fuzzy Hash: 8d06ea3c060267aba26da0b87c592af6ff0513f004a4823b2904bc844afbdc39
Instruction Fuzzy Hash: DC01D131948280AFEB016BB0AE0BB9ABF74EF55301F144479F545B62E2C7B90405DFAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404935 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404935(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t28;
				void* _t37;
				signed int _t39;
				signed int _t42;
				unsigned int _t48;

				_t48 = _a12;
				_push(0x14);
				_pop(0);
				_t37 = 0xffffffdc;
				if(_t48 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t37 = 0xffffffdd;
				}
				if(_t48 < 0x400) {
					_t37 = 0xffffffde;
				}
				if(_t48 < 0xffff3333) {
					_t42 = 0x14;
					asm("cdq");
					_t48 = _t48 + 1 / _t42;
				}
				_push(E00405EBF(_t37, 0, _t48,  &_v68, 0xffffffdf));
				_push(E00405EBF(_t37, 0, _t48,  &_v132, _t37));
				_t23 = _t48 & 0x00ffffff;
				_t39 = 0xa;
				_push(((_t48 & 0x00ffffff) + _t23 * 4 + (_t48 & 0x00ffffff) + _t23 * 4 >> 0) % _t39);
				_push(_t48 >> 0);
				_t28 = E00405EBF(_t37, 0, 0x4226d0, 0x4226d0, _a8);
				wsprintfW(_t28 + lstrlenW(0x4226d0) * 2, L"%u.%u%s%s");
				return SetDlgItemTextW( *0x4281b8, _a4, 0x4226d0);
			}

0x00404940
0x00404944
0x0040494c
0x0040494f
0x00404950
0x00404952
0x00404954
0x00404957
0x00404957
0x0040495e
0x00404964
0x00404964
0x0040496b
0x00404976
0x00404977
0x0040497a
0x0040497a
0x00404987
0x00404992
0x00404995
0x004049a7
0x004049ae
0x004049af
0x004049be
0x004049cf
0x004049eb

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 004049C6
wsprintfW.USER32 ref: 004049CF
SetDlgItemTextW.USER32 ref: 004049E2

Strings

%u.%u%s%s, xrefs: 004049B0

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: c567148c496b5c02b25936fcbea2ceb3a8a52533cb3534e30566c3cda5758d23
Instruction ID: f61d95f755632ac5edd746692cf812be4224c8eb64b47e969409db010472fd61
Opcode Fuzzy Hash: c567148c496b5c02b25936fcbea2ceb3a8a52533cb3534e30566c3cda5758d23
Instruction Fuzzy Hash: CE112273A001243BDB10A66D9C06EAF368D9BC6334F140237FA69F60D0E939992186E8

Uniqueness

Uniqueness Score: -1.00%

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BCA() {
				signed int _t28;
				WCHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x38) = E00402AB3(3);
				 *(_t55 + 8) = E00402AB3(4);
				if(( *(_t55 - 0x18) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x38)) = E00402AD0(0x33);
				}
				__eflags =  *(_t55 - 0x18) & 0x00000002;
				if(( *(_t55 - 0x18) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402AD0(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x30)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402AD0();
					_t28 = E00402AD0();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExW( *(_t55 - 0x38),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E00402AB3();
					_t37 = E00402AB3();
					_t48 =  *(_t55 - 0x18) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageW(_t52, _t37,  *(_t55 - 0x38),  *(_t55 + 8));
						L10:
						 *(_t55 - 0x14) = _t32;
					} else {
						_t38 = SendMessageTimeoutW(_t52, _t37,  *(_t55 - 0x38),  *(_t55 + 8), _t42, _t48, _t55 - 0x14);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x2c)) >= _t42) {
					_push( *(_t55 - 0x14));
					E00405DE4();
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bd3
0x00401bdf
0x00401be2
0x00401beb
0x00401beb
0x00401bee
0x00401bf2
0x00401bfb
0x00401bfb
0x00401bfe
0x00401c02
0x00401c04
0x00401c51
0x00401c53
0x00401c5e
0x00401c68
0x00401c6b
0x00401c6b
0x00401c74
0x00000000
0x00401c06
0x00401c0d
0x00401c0f
0x00401c17
0x00401c1a
0x00401c42
0x00401c7a
0x00401c7a
0x00401c1c
0x00401c2a
0x00401c32
0x00401c35
0x00401c35
0x00401c1a
0x00401c7d
0x00401c80
0x00401c86
0x00402903
0x00402903
0x00402960
0x0040296c

APIs

SendMessageTimeoutW.USER32 ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 52f4d4622d5b556f3db6b94c676b28452a5fe3dd9bf5f3cdc56a47c5b8eac1a3
Instruction ID: 242dffae23b960cd8007ea5fea3b51ba7af3559057b5bd4d34745741baaae21e
Opcode Fuzzy Hash: 52f4d4622d5b556f3db6b94c676b28452a5fe3dd9bf5f3cdc56a47c5b8eac1a3
Instruction Fuzzy Hash: 1F21A771A44109BEDF11AFB0D94AEBD7B75EF40304F10003AF502B61D1D6B88581DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00405905 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405905(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x409014);
				}
				return _t9;
			}

0x00405906
0x00405913
0x00405914
0x0040591f
0x00405927
0x00405927
0x0040592f

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403306,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 0040590B
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403306,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7476FAA0,004034CF), ref: 00405915
lstrcatW.KERNEL32(?,00409014), ref: 00405927

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405905

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 1447656032315978b1f69cf749e7b3958b60c33623e7124d34fd1eba4ba6eb1c
Instruction ID: c3e08cc5af2b1f047ef8571acce3770399c42791c1c3f21ab5bf67171d1cf9b0
Opcode Fuzzy Hash: 1447656032315978b1f69cf749e7b3958b60c33623e7124d34fd1eba4ba6eb1c
Instruction Fuzzy Hash: DED05E31102920AAD21267959C01D9F669CEE49301340042BF240B21A2C7782E418AFD

Uniqueness

Uniqueness Score: -1.00%

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00401F08(short __ebx, short* __esi) {
				short* _t18;
				int _t19;
				void* _t31;

				_t18 = E00402AD0(0xffffffee);
				 *(_t31 - 0x10) = _t18;
				_t19 = GetFileVersionInfoSizeW(_t18, _t31 - 0x34);
				 *__esi = __ebx;
				 *((short*)( *((intOrPtr*)(_t31 - 0xc)))) = __ebx;
				 *((intOrPtr*)(_t31 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __edi);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x10 = __ebp - 8;
							if(VerQueryValueW( *(__ebp + 8), 0x409014, __ebp - 8, __ebp - 0x10) != 0) {
								 *(__ebp - 8) = E00405DE4(__esi,  *((intOrPtr*)( *(__ebp - 8) + 8)));
								 *(__ebp - 8) = E00405DE4( *((intOrPtr*)(__ebp - 0xc)),  *((intOrPtr*)( *(__ebp - 8) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00401f0a
0x00401f12
0x00401f17
0x00401f21
0x00401f26
0x00401f29
0x00401f30
0x00401f39
0x00401f41
0x00401f44
0x00401f57
0x00401f5d
0x00401f70
0x00401f79
0x00401f87
0x00401f8c
0x00401f8c
0x00401f70
0x00401f8f
0x00401b92
0x00401b92
0x00401f44
0x00402960
0x0040296c

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405DE4: wsprintfW.USER32 ref: 00405DF1

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 7ea1d099be6e14a282ffb140573587facd47ca8a94e847c472c45d7e4bcfd4e8
Instruction ID: fe8e56e2738f359636fdee19c948e1b9f51f70c27ddfc54eaf8440ef9c02e962
Opcode Fuzzy Hash: 7ea1d099be6e14a282ffb140573587facd47ca8a94e847c472c45d7e4bcfd4e8
Instruction Fuzzy Hash: EC113675A00109BFDB00EFA5CD44CAEBBB9EF44344F10407AF501E62A1E7748A50DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00401E51() {
				void* _t16;
				long _t20;
				void* _t25;
				void* _t32;

				_t29 = E00402AD0(_t25);
				E00405151(0xffffffeb, _t14);
				_t16 = E0040561F(_t29);
				 *(_t32 + 8) = _t16;
				if(_t16 == _t25) {
					 *((intOrPtr*)(_t32 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t32 - 0x24)) != _t25) {
						_t20 = WaitForSingleObject(_t16, 0x64);
						while(_t20 == 0x102) {
							E00406240(0xf);
							_t20 = WaitForSingleObject( *(_t32 + 8), 0x64);
						}
						GetExitCodeProcess( *(_t32 + 8), _t32 - 8);
						if( *((intOrPtr*)(_t32 - 0x28)) < _t25) {
							if( *(_t32 - 8) != _t25) {
								 *((intOrPtr*)(_t32 - 4)) = 1;
							}
						} else {
							E00405DE4( *((intOrPtr*)(_t32 - 0xc)),  *(_t32 - 8));
						}
					}
					_push( *(_t32 + 8));
					CloseHandle();
				}
				 *0x429268 =  *0x429268 +  *((intOrPtr*)(_t32 - 4));
				return 0;
			}

0x00401e57
0x00401e5c
0x00401e62
0x00401e69
0x00401e6c
0x00402729
0x00401e72
0x00401e75
0x00401e80
0x00401e97
0x00401e8b
0x00401e95
0x00401e95
0x00401ea2
0x00401eab
0x00401ebd
0x00401ebf
0x00401ebf
0x00401ead
0x00401eb3
0x00401eb3
0x00401eab
0x00401ec6
0x00401ec9
0x00401ec9
0x00402960
0x0040296c

APIs

Part of subcall function 00405151: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000,?), ref: 00405189
Part of subcall function 00405151: lstrlenW.KERNEL32(00402D2A,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D2A,00000000), ref: 00405199
Part of subcall function 00405151: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,00402D2A), ref: 004051AC
Part of subcall function 00405151: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll), ref: 004051BE
Part of subcall function 00405151: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004051E4
Part of subcall function 00405151: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004051FE
Part of subcall function 00405151: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040520C

Part of subcall function 0040561F: CreateProcessW.KERNEL32 ref: 00405644
Part of subcall function 0040561F: CloseHandle.KERNEL32(?), ref: 00405651

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32 ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: d5d920f7a00f09facbbcb48f1d1b573057724c53b939118cecf58aee6f3bd413
Instruction ID: b7fb6717031cca9e022c3010432c791f0f8bb2a4bb58c399baade1f9ef3e11c1
Opcode Fuzzy Hash: d5d920f7a00f09facbbcb48f1d1b573057724c53b939118cecf58aee6f3bd413
Instruction Fuzzy Hash: 9C11A531E00104EBDF10AF90CD449DE7AB5EB04354F24447BE605B62E0C7798982DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004050C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004050C5(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x4226bc != _t16) {
							_push(_t16);
							_push(6);
							 *0x4226bc = _t16;
							E00404A9B();
						}
						L11:
						return CallWindowProcW( *0x4226c4, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404A1B(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404138(0x413);
				return 0;
			}

0x004050c9
0x004050d3
0x004050ef
0x00405111
0x00405114
0x0040511a
0x00405124
0x00405125
0x00405127
0x0040512d
0x0040512d
0x00405137
0x00000000
0x00405145
0x004050fc
0x00405134
0x00405134
0x00000000
0x00405134
0x00405108
0x0040510a
0x00000000
0x0040510a
0x004050d9
0x00000000
0x00000000
0x004050e0
0x00000000

APIs

IsWindowVisible.USER32 ref: 004050F4
CallWindowProcW.USER32(?,?,?,?), ref: 00405145

Part of subcall function 00404138: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040414A

Strings

, xrefs: 004050D5

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: c4290ae089cdc4b05757160b06b4bda3ec352363987f40685724c3cb7cdf2401
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: 8701B1B1600608AFDF209F01DC95B9B7626E794314F108037FA407E1D1C3BA9D529F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040561F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040561F(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4256d8->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0, 0, 0, 0x4256d8,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405628
0x00405644
0x0040564c
0x00405651
0x00000000
0x00405657
0x0040565b

APIs

CreateProcessW.KERNEL32 ref: 00405644
CloseHandle.KERNEL32(?), ref: 00405651

Strings

Error launching installer, xrefs: 00405632

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: aaa78c2290a81acfddd835a221acea0182f56fec0b4b20719fd4813cb900d87e
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: D2E0ECB4A01209AFEB00AFA4EC4996B7BBCFB10745B908922A915F2250D774E8108A79

Uniqueness

Uniqueness Score: -1.00%

Function 004037DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004037DC() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x420694;
				_t3 = E004037C1(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x420694 =  *0x420694 & 0x00000000;
				return _t3;
			}

0x004037dd
0x004037e5
0x004037ec
0x004037ef
0x004037ef
0x004037f1
0x004037f6
0x004037fd
0x00403803
0x00403807
0x00403808
0x00403810

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,7476F560,004037B3,7476FAA0,004035DE,?), ref: 004037F6
GlobalFree.KERNEL32 ref: 004037FD

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004037EE

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction ID: 686a453a59375011d248e64d1223e0c34a70a07035adad1612da1d2aa66a9b85
Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction Fuzzy Hash: 10E0C23391102057C7215F24ED04B1ABBA8AF99F22F12403AE9407B7A183746C524BEC

Uniqueness

Uniqueness Score: -1.00%

Function 00405951 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405951(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405952
0x0040595c
0x0040595f
0x00405965
0x00405966
0x00405967
0x0040596f
0x00000000
0x00000000
0x00000000
0x0040596f
0x00405971
0x00405979

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402DBE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,80000000,00000003), ref: 00405957
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DBE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,C:\Users\user\Desktop\DHL04AWB01173903102023PDF.scr.exe,80000000,00000003), ref: 00405967

Strings

C:\Users\user\Desktop, xrefs: 00405951

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: e7e50489df4e5da7584ac772c1502a8879f37129e397ca9a8dce42098350be23
Instruction ID: a4bc465d6b7ea1ea14b4acc5ac6999b04969a41cdcba9cd401af948ef0c4e13d
Opcode Fuzzy Hash: e7e50489df4e5da7584ac772c1502a8879f37129e397ca9a8dce42098350be23
Instruction Fuzzy Hash: D5D05EF2405D20DBD3226714DC41D9F67A8EF113107454466F441A61A1D3786D818AED

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015D2, _t51, _t56);
				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
				_t17 = E10001243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E10001280(E100012C8(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E100012F3(( *_t54 & 0x0000ffff) - 0x30, E10001243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x10004040;
								 *0x10004040 = _t30;
								E10001584(_t30 + 4,  *0x10004074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x10004040;
							if( *0x10004040 != 0) {
								E10001584( *0x10004074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x10004040;
								GlobalFree(_t36);
								 *0x10004040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x100010e6
0x100010f0
0x100010ff
0x1000110e
0x10001119
0x1000111c
0x1000112b
0x1000112f
0x10001131
0x100011d8
0x100011de
0x10001137
0x10001138
0x10001138
0x1000113d
0x1000113e
0x10001140
0x10001143
0x1000120d
0x10001210
0x100011b0
0x100011b6
0x100011bf
0x100011c4
0x100011c7
0x00000000
0x100011c7
0x10001212
0x10001214
0x10001196
0x1000119d
0x100011a5
0x00000000
0x100011a5
0x10001161
0x10001162
0x1000116a
0x10001177
0x1000117f
0x10001188
0x1000118d
0x1000118d
0x00000000
0x10001162
0x10001149
0x100011df
0x100011df
0x100011e6
0x100011f3
0x100011f8
0x100011fb
0x10001203
0x10001205
0x10001205
0x00000000
0x100011e6
0x1000114f
0x10001152
0x00000000
0x00000000
0x10001158
0x1000115b
0x100011ac
0x00000000
0x100011ac
0x1000115d
0x1000115f
0x10001192
0x00000000
0x10001192
0x00000000
0x100011c9
0x100011c9
0x100011d3
0x00000000
0x100011d7

APIs

Part of subcall function 10001243: lstrcpyW.KERNEL32 ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32 ref: 100011C7
GlobalFree.KERNEL32 ref: 100011D9
GlobalFree.KERNEL32 ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.844683287.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.844674032.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844702593.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.844712082.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: efa50b43e91c1ccc28343189545b65b5cdd8b9049b59fb06d3163fa2f9196ea5
Instruction ID: dfa8033d91bdbc1ecc465c3c8a87416c6933f1b99adadbc21e28f794a1617889
Opcode Fuzzy Hash: efa50b43e91c1ccc28343189545b65b5cdd8b9049b59fb06d3163fa2f9196ea5
Instruction Fuzzy Hash: 87318FF69042119BF314CF64DC85AEAB7E8EB842D0B124529FB41E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405A8B Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A8B(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405a9b
0x00405a9d
0x00405aa0
0x00405acc
0x00405aa5
0x00405aae
0x00405ab3
0x00405abe
0x00405ac1
0x00405add
0x00405ac3
0x00405aca
0x00000000
0x00405aca
0x00405ad6
0x00405ada
0x00405ada
0x00405ad4
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00405CA8,00000000,[Rename]), ref: 00405A9B
lstrcmpiA.KERNEL32(?,?,?,00000000,00405CA8,00000000,[Rename]), ref: 00405AB3
CharNextA.USER32(?,?,00000000,00405CA8,00000000,[Rename]), ref: 00405AC4
lstrlenA.KERNEL32(?,?,00000000,00405CA8,00000000,[Rename]), ref: 00405ACD

Memory Dump Source

Source File: 00000000.00000002.831354993.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.831347741.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831368224.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831378507.000000000044C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.831482858.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DHL04AWB01173903102023PDF.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: b9b14922259e72bab7fc2f5a98189e3131ed1d598b97a1be9a6620de63f307b3
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: CBF0C232604558BFC7029BA4CD4099FBBA8EF46250B2541B6F801F7210D274EE019FA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL04AWB01173903102023PDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nseEDA7.tmp

C:\Users\user\AppData\Local\Temp\nsoF960.tmp\System.dll

C:\Users\user\Nonhieratical\Apicad\Outjinx\Nonnavigableness\Competed\Coccosteid.Udr

C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\TableTextServiceYi.txt

C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\Z_Custom2.ini

C:\Users\user\Nonhieratical\Clavichordist\benenders\Actionfilm\Sortsrenheden\msado25.tlb

C:\Users\user\Nonhieratical\Counts\Convolution\Dottily\ArtDeco_brown_22.bmp

C:\Users\user\Nonhieratical\Counts\Convolution\Dottily\Iconology.Ess

C:\Users\user\Nonhieratical\Extracorpuscular\APM_DefConvertor.dll

C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\ContactsApi.dll

C:\Users\user\Nonhieratical\Thonny\Yderligheders\Samtalernes\Sikkerhedsventilen\Sports-Wallpapers-1.jpg

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
DHL04AWB01173903102023PDF.scr.exe

Function 0040331C Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Function 00405290 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405EBF Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 0040572C Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 004064F2 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 004061E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00406207 Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 00402706 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Function 00403871 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00403C14 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 00402D52 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00402FF8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 00403123 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 00402571 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105
fileCOMMON

Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Function 00402B10 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Function 1000177A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00405D6A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Function 00405B55 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 10002814 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156
fileCOMMON

Function 004032E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00406927 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00406B28 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 0040683E Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00406343 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 00406791 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 004068AF Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 004067FB Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 00401F98 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Function 10002739 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
memoryCOMMON

Function 004023DE Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 004022D3 Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Function 0040156B Relevance: 3.0, APIs: 2, Instructions: 23
COMMON