Windows Analysis Report
IdeaShare Key.exe

Overview

General Information

Sample Name: IdeaShare Key.exe
Analysis ID: 876178
MD5: e6d42ac433331124c62460cfcced76a1
SHA1: ea9fc583c7bd2054a8d51e61d6b1cbeee800d344
SHA256: 5faa9cd735d499eb4fbcb08a252d53020629a7418c9b6c30b00c5d2d7cc7fe25

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Compliance

Score: 16
Range: 0 - 100

Signatures

Creates a DirectInput object (often for capturing keystrokes)
EXE planting / hijacking vulnerabilities found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
DLL planting / hijacking vulnerabilities found
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality to query network adapter information
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • IdeaShare Key.exe (PID: 5976 cmdline: C:\Users\user\Desktop\IdeaShare Key.exe MD5: E6D42AC433331124C62460CFCCED76A1)
    • IdeaShareKeyForm.exe (PID: 5948 cmdline: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe MD5: 1A8C471F9AF78F640DC43C6C2FB533C2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\IdeaShare Key.exe EXE: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: WINMM.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: WTSAPI32.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: VERSION.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: dwmapi.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: NETAPI32.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe DLL: WININET.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: USERENV.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe DLL: iphlpapi.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: MPR.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: IPHLPAPI.DLL
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: d3d11.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: MSVCP140.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: dxgi.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: d3d10warp.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\IdeaShare Key.exe DLL: WindowsCodecs.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: DNSAPI.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: UxTheme.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe DLL: VCRUNTIME140.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll

Compliance

Source: IdeaShare Key.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: IdeaShare Key.exe Static PE information: certificate valid
Source: Binary string: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\bin\Release\IdeaShareKey.pdb source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002941000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000000.358493347.00000000011DD000.00000002.00000001.01000000.00000005.sdmp, IdeaShareKeyForm.exe.0.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.362084835.000000006C191000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbQ source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.362084835.000000006C191000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\bin\Release\IdeaShareKey.pdb,,& source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002941000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000000.358493347.00000000011DD000.00000002.00000001.01000000.00000005.sdmp, IdeaShareKeyForm.exe.0.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: D:\IdeaShareRelease\IdeaShare\third-party\qtsingleapplication\release\QtSingleApp.pdb source: IdeaShare Key.exe, 00000000.00000003.357958578.0000000002924000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.365942375.000000006CCA6000.00000002.00000001.01000000.00000006.sdmp, QtSingleApp.dll.0.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.365228156.000000006CAF4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361417174.000000006B847000.00000002.00000001.01000000.0000000B.sdmp, qwindows.dll.0.dr
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_004062F9 FindFirstFileW,FindClose,0_2_004062F9
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_00402E3C FindFirstFileW,0_2_00402E3C
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_00406CAF DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CAF
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://bugreports.qt.io/
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: IdeaShare Key.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.color.org)
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.phreedom.org/md5)
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShare Key.exe, 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp, IdeaShare Key.exe, 00000000.00000003.350799274.0000000002970000.00000004.00000020.00020000.00000000.sdmp, qwindows.dll.0.dr, IdeaShareKeyForm.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_00407277 InternetConnectA,HttpOpenRequestA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,0_2_00407277
Source: IdeaShare Key.exe, 00000000.00000002.359007472.000000000083A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_004044E9 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044E9
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_004050FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050FE
Source: IdeaShare Key.exe, 00000000.00000003.356718724.0000000002925000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQt5Widgets.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQt5Gui.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.352289765.000000000370F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQt5Core.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQt5Network.dll( vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000003.350799274.0000000002935000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: //VALUE "OriginalFilename", "IdeaShareKeyForm.exe" vs IdeaShare Key.exe
Source: IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameqwindows.dll( vs IdeaShare Key.exe
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_004038A8 EntryPoint,GetTickCount,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,GetTickCount,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_004038A8
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_00407E74 0_2_00407E74
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_00406EE6 0_2_00406EE6
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_004049B5 0_2_004049B5
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: String function: 004062C7 appears 57 times
Source: C:\Users\user\Desktop\IdeaShare Key.exe File read: C:\Users\user\Desktop\IdeaShare Key.exe
Source: IdeaShare Key.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IdeaShare Key.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\IdeaShare Key.exe C:\Users\user\Desktop\IdeaShare Key.exe
Source: C:\Users\user\Desktop\IdeaShare Key.exe Process created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe
Source: C:\Users\user\Desktop\IdeaShare Key.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe Mutant created: \Sessions\1\BaseNamedObjects\QtLockedFile mutex c:/users/user/appdata/local/ideasharekey/qtsingleapp-ideash-193a-1-lockfile
Source: C:\Users\user\Desktop\IdeaShare Key.exe File created: C:\Users\user\AppData\Local\IdeaShareKey
Source: C:\Users\user\Desktop\IdeaShare Key.exe File created: C:\Users\user\AppData\Local\Temp\nsk3518.tmp
Source: classification engine Classification label: clean9.winEXE@3/8@0/0
Source: C:\Users\user\Desktop\IdeaShare Key.exe Code function: 0_2_0040250B CoCreateInstance,0_2_0040250B
Source: C:\Users\user\Desktop\IdeaShare Key.exe File read: C:\Users\desktop.ini
Source: IdeaShare Key.exe Static file information: File size 6338072 > 1048576
Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: IdeaShare Key.exe, 00000000.00000002.359109194.0000000002929000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361417174.000000006B847000.00000002.00000001.01000000.0000000B.sdmp, qwindows.dll.0.dr
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | Code function: 1_2_011C100A push ecx; ret 1_2_011CBD99
Source: IdeaShareKeyForm.exe.0.dr | Static PE information: section name: .00cfg
Source: qwindows.dll.0.dr | Static PE information: section name: .qtmetad
Source: C:\Users\user\Desktop\IdeaShare Key.exe | Code function: 0_2_00406320 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406320
Source: C:\Users\user\Desktop\IdeaShare Key.exe | File created: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe | File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe | File created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe
Source: C:\Users\user\Desktop\IdeaShare Key.exe | File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe | File created: C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe | File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe | File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll
Source: C:\Users\user\Desktop\IdeaShare Key.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | API coverage: 7.8 %
Source: C:\Users\user\Desktop\IdeaShare Key.exe | Code function: wsprintfA,lstrcatA,GetAdaptersInfo,GetAdaptersInfo,StrStrIA,0_2_004076C5
Source: C:\Users\user\Desktop\IdeaShare Key.exe | Code function: 0_2_004077D3 lstrcatA,GetSystemInfo,GlobalMemoryStatusEx,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,QueryPerformanceFrequency,wsprintfA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,wsprintfA,0_2_004077D3
Source: C:\Users\user\Desktop\IdeaShare Key.exe | Code function: 0_2_004062F9 FindFirstFileW,FindClose,0_2_004062F9
Source: C:\Users\user\Desktop\IdeaShare Key.exe | Code function: 0_2_00402E3C FindFirstFileW,0_2_00402E3C
Source: C:\Users\user\Desktop\IdeaShare Key.exe | Code function: 0_2_00406CAF DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CAF
Source: IdeaShare Key.exe | Binary or memory string: %d,%d,%d,%d,%d,%dkernel32.dllGetProductInfovmware%u,%u,%uc:\%d,%d,%d,%u~MHzHARDWARE\DESCRIPTION\System\CentralProcessor\0\%u,%u,%u,%u,%s
Source: IdeaShare Key.exe | Binary or memory string: vmware
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .?AVQEmulationPaintEngine@@L
Source: IdeaShareKeyForm.exe, 00000001.00000002.363356725.000000006C7F5000.00000008.00000001.01000000.00000008.sdmp | Binary or memory string: cl.?AVQEmulationPaintEngine@@L
Source: IdeaShare Key.exe | Binary or memory string: vmCih
Source: IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363356725.000000006C7F5000.00000008.00000001.01000000.00000008.sdmp | Binary or memory string: .?AVQEmulationPaintEngine@@
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | Code function: 1_2_011CBAD4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_011CBAD4
Source: C:\Users\user\Desktop\IdeaShare Key.exe | Code function: 0_2_00406320 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406320
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | Code function: 1_2_011CB2B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_011CB2B7
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | Code function: 1_2_011CBAD4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_011CBAD4
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | Code function: 1_2_011C1415 SetUnhandledExceptionFilter,1_2_011C1415
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | Queries volume information: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | Code function: 1_2_011CB8C5 cpuid 1_2_011CB8C5
Source: C:\Users\user\Desktop\IdeaShare Key.exe | Code function: 0_2_00406820 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406820
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | Code function: 1_2_011CBE0B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_011CBE0B
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 1 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: 2 DLL Search Order Hijacking; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: 1 Process Injection; 2 DLL Search Order Hijacking; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: 1 Masquerading; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 DLL Search Order Hijacking
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 System Time Discovery; 11 Security Software Discovery; 1 System Network Configuration Discovery; 2 File and Directory Discovery; 25 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 21 Input Capture; 11 Archive Collected Data; 1 Clipboard Data; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Source | Detection | Scanner | Label | Link
IdeaShare Key.exe | 2% | ReversingLabs | |
IdeaShare Key.exe | 1% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.phreedom.org/md5) | 0% | URL Reputation | safe |
http://www.phreedom.org/md5)08:27 | 0% | URL Reputation | safe |
http://www.color.org) | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.phreedom.org/md5) | IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp | false | URL Reputation: safe | unknown
http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi | IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://www.phreedom.org/md5)08:27 | IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | IdeaShare Key.exe | false | | high
http://www.aiim.org/pdfa/ns/id/ | IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp | false | | high
http://www.color.org) | IdeaShare Key.exe, 00000000.00000003.354243430.0000000002921000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.363086921.000000006C5E4000.00000002.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | low
http://bugreports.qt.io/ | IdeaShare Key.exe, 00000000.00000003.355179944.0000000002922000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyForm.exe, 00000001.00000002.361582478.000000006BCCE000.00000002.00000001.01000000.0000000A.sdmp | false | | high
No contacted IP infos
          Joe Sandbox Version:37.1.0 Beryl
          Analysis ID:876178
          Start date and time:2023-05-26 13:01:46 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 5m 53s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:2
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample file name:IdeaShare Key.exe
          Detection:CLEAN
          Classification:clean9.winEXE@3/8@0/0
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 100% (good quality ratio 52.6%)
          • Quality average: 39.5%
          • Quality standard deviation: 42.7%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 36
          • Number of non-executed functions: 92
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated
          TimeTypeDescription
          13:02:40API Interceptor1x Sleep call for process: IdeaShareKeyForm.exe modified
          No context
          Process:C:\Users\user\Desktop\IdeaShare Key.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):320872
          Entropy (8bit):4.939208143331431
          Encrypted:false
          SSDEEP:6144:wGXX45Tx+DPeuqD4K3FN3EiCXibivN/DHCfMiKu:HuSBMMil
          MD5:1A8C471F9AF78F640DC43C6C2FB533C2
          SHA1:8CEEC8B336A55EC150607E69F620F4EF8E009AE1
          SHA-256:284CC22997B0E20D8F30F5C7F8B2256D9756E5AFA54FE9F2C4C70485CDB4A7C3
          SHA-512:80DC736CDB80CDA2544D402627DA04E1768737D4EB682FEBBFC64B498EEAF64E110FDCF23898B08786B00A7183B1E62E460623E74BEF2D2836EFF09BADA1836E
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%, Browse
          Reputation:low
          Process:C:\Users\user\Desktop\IdeaShare Key.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):5298536
          Entropy (8bit):6.852481117447856
          Encrypted:false
          SSDEEP:98304:p3QkIHj14FdDhqJsv6tWKFdu9CjzHveRnZyxEdm0:pgdnJsv6tWKFdu9CjzHeb
          MD5:4BB1FC81E4B6149749B6E84EF12712D6
          SHA1:FB0143E6EA6128D7FA7B2E1731D0232D6A40689F
          SHA-256:19BE47FA14A6F1B103171FB2B9B830F631215BB522A8803795DBB72C9E8E4A8F
          SHA-512:9505ED82E68C37717C2EA4E2107ECDED41004946ABD562A03FB92F187E4855D86CF3A319FC323492865C4D0EA8A9A5110737CB662266F360FEC7993CA84C876C
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%, Browse
          Reputation:low
          Process:C:\Users\user\Desktop\IdeaShare Key.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):5978984
          Entropy (8bit):6.780270903027489
          Encrypted:false
          SSDEEP:98304:f8oNJzx4w24LwWotu+PNlwL9PmEZ23Cex:pBbUuCPwNj2C0
          MD5:D8B7393009A6743FFCFB9D3A138FC114
          SHA1:5467D025F650D80949393DAF58601B47D41A25FA
          SHA-256:48846110574CFA870918E08471A180981D934DB1AAA92B4832CC567D0630A28E
          SHA-512:1AE4580ECEE6E992501C963B9406A2A0A927CA48AB0A3E7B8FDC247EC21AA74EDA9818224D72C3088893418FE8E5044E857B347D056B77DC5D4F73F5BF0EACDA
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%, Browse
          Reputation:low
          Process:C:\Users\user\Desktop\IdeaShare Key.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):1115496
          Entropy (8bit):6.66916261306281
          Encrypted:false
          SSDEEP:24576:ZNfY4/b8d22Gmou3ZjRkjZgUPiV69DrOMxpqDc0EGQVzKa4:xAd22GrziVaSDckZ
          MD5:80D7021426B78E3E7527265841FC22A7
          SHA1:2E81B7E0F3D717F80284E3A43038997D66616042
          SHA-256:169BE38BE0BC90018DFF8EF05FE004DD04A6D0B3ABE294FC67B42466E5F2E6DD
          SHA-512:A2AF4D9ACE035C51E5CF846DB3955895422E65AE6A6D7D523493AC3AE6BC28ABA87A272BB50B16FC5FFF438723A911E31DED0EEFBDB4EFF7416D7C5E121C64CA
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:low
          Process:C:\Users\user\Desktop\IdeaShare Key.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):4596072
          Entropy (8bit):6.819919859208047
          Encrypted:false
          SSDEEP:98304:O1CmFlF05UMNO1ulAjhDfTbz7quDp+bXa6gYzdkSPD1UZlH6uV75uDdHBclxooG0:Yf59iJ5i
          MD5:2EBDB8799EB13D879A57CC20894EFDFF
          SHA1:8D54AC978DBBCA41742DADFD29DE360EC7E60450
          SHA-256:0CC9C3B945B35EFAB0DBB5706ED285B0C5233E6D36B2261AAA2FB7BFCBA0CD4E
          SHA-512:E580DBFF9CA35A1DDCFD879C35229212732D4E912D0F47430DB7F7C0166FBDDA895170ADF89F4EA2D81F393A71BDB4681E812B8F7B3636C7C8A3357927AEF309
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:low
          Process:C:\Users\user\Desktop\IdeaShare Key.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):37888
          Entropy (8bit):6.1073547240575285
          Encrypted:false
          SSDEEP:768:RJiXhlJ0/q2aqiquV3aHaxGtpA510VxjqjCij9yKqTws:RJivOC9FxG4rsxjq3j9yKqss
          MD5:ABA7C077EFE89A0006FCD643A2C5EC62
          SHA1:531EB0A0941A19159921909BFE20FA47F34C0457
          SHA-256:B214C4FD356E0699900C40EBE22A757E6C6334E8C96F72791ACD27545FFC45A8
          SHA-512:1280CCF34D6B31CAAC2D5F5EAEEDB45E8D8F364E378EC79CCF63072CC40D5ADBB38016D934C8A193606FA6D00F7A7CC4C844DE4E94B06203DA6F954A19076139
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:low
          Process:C:\Users\user\Desktop\IdeaShare Key.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):64
          Entropy (8bit):4.065774219659049
          Encrypted:false
          SSDEEP:3:QvWizYQPc2XIvfYQPctTXvA:6WiRXSsTXvA
          MD5:8E2CD044125E0C173B3AAC9D12C190BB
          SHA1:1DD4E9AF27BC8DE55E1E537AFD3DEAAF4A118163
          SHA-256:CF663FEEB3397611B70272AD2D6969D1464D2E3437F371254144F6EF850FCECB
          SHA-512:F94D23D1766DD7BCBC4F55F081A717597FC607F938DF59B37A84DCB5C639871953A7B7200E8A6B2B1C14C6D85B5E08AD9A203A59731B073E25B5D3457659312A
          Malicious:false
          Reputation:low
          Preview:copy dll.start IdeaShareKeyForm.start IdeaShareKeyInstaller.end.
          Process:C:\Users\user\Desktop\IdeaShare Key.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):1221992
          Entropy (8bit):6.832955399743319
          Encrypted:false
          SSDEEP:12288:1YCQWyni5LoUmhY4or3D8kSqjPfmK7UpOVpYAlCRegIe5ZpzNAoKu15XSxDyfEWu:SniF3z39xPePpOkaXze5ZtN4bZa0n
          MD5:2F98DC4484F115FE227246844464CD04
          SHA1:0A49DA60F63FB476B2A3CAED2A5B7BA686A7D2FA
          SHA-256:31BF06D063B23A0AD606354D7D77416AF5713CE877F6A7E7BC658DD09DB02BB2
          SHA-512:32D64143CEE92FE6CAB366493DDFFB034EA71DF2B7CE584238DEB56E54886083676A50C6FBF28E871F926081E8C8AFD72B7FEB8EF24C50E16A4C034939D5433E
          Malicious:false
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:low
          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
          Entropy (8bit):7.999391627012608
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:IdeaShare Key.exe
          File size:6338072
          MD5:e6d42ac433331124c62460cfcced76a1
          SHA1:ea9fc583c7bd2054a8d51e61d6b1cbeee800d344
          SHA256:5faa9cd735d499eb4fbcb08a252d53020629a7418c9b6c30b00c5d2d7cc7fe25
          SHA512:cfad934f060f13b9e44934a793b1d73d4e3fbcd265050bce69481f1328bc8bc170b24ae826288b0f0b708a1bf5a4ba4df36ab7988c4a0ac96e18388ecdc9d2a8
          SSDEEP:196608:8y7Weg+i1XWsTrXmiq8mC7h0YPvw8qGqhXvmhwupR+:xk/9WC05CN0YZqFhXeeY
          TLSH:0256338092EC8466FF8A057066F075A195FEBD6D0663EB0D72368905FD2A3F45F68F04
          Icon Hash:181b214161331b18
          Entrypoint:0x4038a8
          Entrypoint Section:.text
          Digitally signed:true
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE
          Time Stamp:0x52AFF32C [Tue Dec 17 06:46:04 2013 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:a73b2531bfc838dc3d19df5285b8d0fd
          Signature Valid:true
          Signature Issuer:CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
          Signature Validation Error:The operation completed successfully
          Error Number:0
          Not Before, Not After
          • 6/2/2021 12:37:54 AM 6/3/2022 12:37:54 AM
          Subject Chain
          • CN=软通动力信息技术（集团）股份有限公司, O=软通动力信息技术（集团）股份有限公司, L=北京市, S=北京市, C=CN
          Version:3
          Thumbprint MD5:302F9D7469F8C3413FEEC8D8C9B808F8
          Thumbprint SHA-1:C2455B5BB7938677784BFE593CCE0E218E2AB68D
          Thumbprint SHA-256:F44AEB9493563C34D85C329C38D892C77DCC768C831AF7FB48DE773837E32AB6
          Serial:249A5D0D48B5FBE5F0138D14
          Instruction
          sub esp, 000002D8h
          push ebx
          push ebp
          push esi
          push edi
          push 00000020h
          xor ebx, ebx
          pop esi
          mov dword ptr [esp+18h], ebx
          mov dword ptr [esp+10h], 0040A2D0h
          mov dword ptr [esp+14h], ebx
          call dword ptr [00409090h]
          mov dword ptr [esp+1Ch], eax
          call dword ptr [00409034h]
          push 00008001h
          call dword ptr [004090B4h]
          push ebx
          call dword ptr [00409330h]
          push 00000008h
          mov dword ptr [00473EB8h], eax
          call 00007F52B8CFD530h
          push ebx
          push 000002B4h
          mov dword ptr [00473DD0h], eax
          lea eax, dword ptr [esp+3Ch]
          push eax
          push ebx
          push 0040A2CCh
          call dword ptr [004091A4h]
          push 0040A2B4h
          push 0046BDC0h
          call 00007F52B8CFD212h
          call dword ptr [004090B0h]
          push eax
          mov edi, 004C40A0h
          push edi
          call 00007F52B8CFD200h
          push ebx
          call dword ptr [00409158h]
          cmp word ptr [004C40A0h], 0022h
          mov dword ptr [00473DD8h], eax
          mov eax, edi
          jne 00007F52B8CFAB0Ah
          push 00000022h
          pop esi
          mov eax, 004C40A2h
          push esi
          push eax
          call 00007F52B8CFCED8h
          push eax
          call dword ptr [00409270h]
          mov esi, eax
          mov dword ptr [esp+20h], esi
          jmp 00007F52B8CFAB91h
          push 00000020h
          pop ebp
          cmp ax, word ptr [eax]
          Programming Language:
          • [ C ] VS2005 build 50727
          • [RES] VS2005 build 50727
          • [LNK] VS2005 build 50727
          Name                                  Virtual Address  Virtual Size  Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
          IMAGE_DIRECTORY_ENTRY_IMPORT          0xada4           0xf0          .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xf9000          0x38f8        .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_SECURITY        0x607050         0x45c8
          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
          IMAGE_DIRECTORY_ENTRY_IAT             0x9000           0x338         .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
          .text   0x1000           0x7788        0x7800    False     0.6550455729166667  data       6.509642546823201   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata  0x9000           0x2f64        0x3000    False     0.3724772135416667  data       4.571600211578863   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data   0xc000           0x67ebc       0x200     False     0.21875             data       1.5987280494305565  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .ndata  0x74000          0x85000       0x0       False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc   0xf9000          0x38f8        0x3a00    False     0.8774245689655172  data       7.598885730468926   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          Name           RVA      Size    Type                                                                                Language  Country
          RT_ICON        0xf91d8  0x2fa3  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                         English   United States
          RT_DIALOG      0xfc180  0x100   data                                                                                English   United States
          RT_DIALOG      0xfc280  0x11c   data                                                                                English   United States
          RT_DIALOG      0xfc3a0  0x60    data                                                                                English   United States
          RT_GROUP_ICON  0xfc400  0x14    data                                                                                English   United States
          RT_VERSION     0xfc418  0x1fc   data
          RT_MANIFEST    0xfc618  0x2dd   XML 1.0 document, ASCII text, with very long lines (733), with no line terminators  English   United States
          DLL           Import
          KERNEL32.dll  SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, CloseHandle, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, GlobalHandle, GlobalReAlloc, GetSystemDefaultLCID, GetVolumeInformationA, QueryPerformanceFrequency, GlobalMemoryStatusEx, GetSystemInfo, GetModuleFileNameA, lstrcatA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, GlobalLock, MulDiv
          USER32.dll    GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, GetClassInfoW, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, ScreenToClient, IsDlgButtonChecked, GetAsyncKeyState, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, SetWindowLongW
          GDI32.dll     CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor, SelectObject, CreateFontIndirectW, SetBkMode, SetTextColor
          SHELL32.dll   SHFileOperationW, SHGetFileInfoW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetSpecialFolderLocation, ShellExecuteW
          ADVAPI32.dll  RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegEnumValueW, RegDeleteKeyW, RegCloseKey, RegEnumKeyW, RegOpenKeyExW, RegDeleteValueW
          COMCTL32.dll  ImageList_Destroy, ImageList_AddMasked, ImageList_Create
          ole32.dll     OleUninitialize, CoCreateInstance, CoTaskMemFree, OleInitialize
          VERSION.dll   GetFileVersionInfoSizeW, GetFileVersionInfoSizeA, VerQueryValueW, GetFileVersionInfoW, VerQueryValueA, GetFileVersionInfoA
          WININET.dll   InternetReadFile, InternetConnectA, InternetOpenA, InternetCloseHandle, HttpOpenRequestA, HttpQueryInfoA, HttpSendRequestA, InternetSetOptionA
          SHLWAPI.dll   PathFindFileNameA, StrStrIA
          iphlpapi.dll  GetAdaptersInfo
          Language of compilation system  Country where language is spoken
          English                         United States
          No network behavior found

          Target ID:0
          Start time:13:02:36
          Start date:26/05/2023
          Path:C:\Users\user\Desktop\IdeaShare Key.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\IdeaShare Key.exe
          Imagebase:0x400000
          File size:6338072 bytes
          MD5 hash:E6D42AC433331124C62460CFCCED76A1
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          Target ID:1
          Start time:13:02:40
          Start date:26/05/2023
          Path:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKeyForm.exe
          Imagebase:0x11c0000
          File size:320872 bytes
          MD5 hash:1A8C471F9AF78F640DC43C6C2FB533C2
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 0%, ReversingLabs
          • Detection: 0%, Virustotal
          Reputation:low

            Execution Graph

            Execution Coverage:12.8%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:22.6%
            Total number of Nodes:1574
            Total number of Limit Nodes:38
5167->5118 5167->5128 5168->5148 5169->5151 5170->5154 5171 4027a4 5172 401453 18 API calls 5171->5172 5173 4027bc 5172->5173 5174 401453 18 API calls 5173->5174 5175 4027c7 5174->5175 5176 401453 18 API calls 5175->5176 5177 4027d2 GetPrivateProfileStringW lstrcmpW 5176->5177 5185 4043a7 5186 4043e0 5185->5186 5187 4043b7 5185->5187 5189 403e12 8 API calls 5186->5189 5188 403d87 19 API calls 5187->5188 5190 4043c4 SetDlgItemTextW 5188->5190 5191 4043ec 5189->5191 5190->5186 3592 4038a8 GetTickCount #17 SetErrorMode OleInitialize 3668 406320 GetModuleHandleA 3592->3668 3596 403920 GetCommandLineW 3673 40602d lstrcpynW 3596->3673 3598 403932 GetModuleHandleW 3599 40394a 3598->3599 3600 405d2c CharNextW 3599->3600 3601 403959 CharNextW 3600->3601 3617 40396b 3601->3617 3602 403a03 3603 403a22 GetTempPathW 3602->3603 3674 4037f3 3603->3674 3605 403a38 3606 403a60 DeleteFileW 3605->3606 3607 403a3c GetWindowsDirectoryW lstrcatW 3605->3607 3682 4035ae GetTickCount GetModuleFileNameW 3606->3682 3609 4037f3 11 API calls 3607->3609 3608 405d2c CharNextW 3608->3617 3611 403a58 3609->3611 3611->3606 3613 403b14 3611->3613 3612 403a74 3612->3613 3615 403ae3 3612->3615 3618 405d2c CharNextW 3612->3618 3768 40387e 3613->3768 3710 405957 3615->3710 3617->3602 3617->3608 3622 403a05 3617->3622 3633 403a8f 3618->3633 3620 403c16 3624 403c99 3620->3624 3627 406320 3 API calls 3620->3627 3621 403b29 3775 405cc8 3621->3775 3779 40602d lstrcpynW 3622->3779 3630 403c25 3627->3630 3636 406320 3 API calls 3630->3636 3631 403abd 3780 406798 3631->3780 3632 403b3f lstrcatW lstrcmpiW 3632->3613 3638 403b5b CreateDirectoryW SetCurrentDirectoryW 3632->3638 3633->3631 3633->3632 3639 403c2e 3636->3639 3641 403b73 3638->3641 3642 403b7e 3638->3642 3643 406320 3 API calls 3639->3643 3822 40602d lstrcpynW 3641->3822 3823 40602d lstrcpynW 3642->3823 3646 403c37 3643->3646 3649 403c85 ExitWindowsEx 3646->3649 3655 403c45 GetCurrentProcess 3646->3655 3648 403b8c 3824 40602d lstrcpynW 3648->3824 
3649->3624 3652 403c92 3649->3652 3650 403ad8 3795 40602d lstrcpynW 3650->3795 3833 401414 3652->3833 3658 403c55 3655->3658 3656 406820 18 API calls 3657 403bb4 DeleteFileW 3656->3657 3659 403bc1 CopyFileW 3657->3659 3665 403b9b 3657->3665 3658->3649 3659->3665 3660 403c0a 3662 406c7c 42 API calls 3660->3662 3663 403c11 3662->3663 3663->3613 3664 406820 18 API calls 3664->3665 3665->3656 3665->3660 3665->3664 3667 403bf5 CloseHandle 3665->3667 3825 406c7c 3665->3825 3830 405c67 CreateProcessW 3665->3830 3667->3665 3669 406345 GetProcAddress 3668->3669 3670 40633a LoadLibraryA 3668->3670 3671 4038f5 SHGetFileInfoW 3669->3671 3670->3669 3670->3671 3672 40602d lstrcpynW 3671->3672 3672->3596 3673->3598 3675 40605c 5 API calls 3674->3675 3677 4037ff 3675->3677 3676 403809 3676->3605 3677->3676 3836 40673d lstrlenW CharPrevW 3677->3836 3843 405e77 GetFileAttributesW CreateFileW 3682->3843 3684 4035ee 3705 4035fe 3684->3705 3844 40602d lstrcpynW 3684->3844 3686 403614 3845 40676c lstrlenW 3686->3845 3690 403625 GetFileSize 3691 403721 3690->3691 3704 40363c 3690->3704 3852 4032f9 3691->3852 3693 40372a 3695 403766 GlobalAlloc 3693->3695 3693->3705 3863 40338f SetFilePointer 3693->3863 3864 40338f SetFilePointer 3695->3864 3697 4037e4 3701 4032f9 6 API calls 3697->3701 3699 403781 3865 4033a6 3699->3865 3700 403747 3703 40335d ReadFile 3700->3703 3701->3705 3706 403752 3703->3706 3704->3691 3704->3697 3704->3705 3707 4032f9 6 API calls 3704->3707 3850 40335d ReadFile 3704->3850 3705->3612 3706->3695 3706->3705 3707->3704 3708 40378d 3708->3705 3708->3708 3709 4037bb SetFilePointer 3708->3709 3709->3705 3711 406320 3 API calls 3710->3711 3712 40596b 3711->3712 3713 405983 3712->3713 3715 405971 3712->3715 3714 405efa 3 API calls 3713->3714 3716 4059b3 3714->3716 3919 405f74 wsprintfW 3715->3919 3718 4059d2 lstrcatW 3716->3718 3720 405efa 3 API calls 3716->3720 3719 405981 3718->3719 3910 403edd 3719->3910 3720->3718 3723 406798 18 API calls 3724 405a04 3723->3724 3725 
405a98 3724->3725 3727 405efa 3 API calls 3724->3727 3726 406798 18 API calls 3725->3726 3728 405a9e 3726->3728 3729 405a36 3727->3729 3730 405aae 3728->3730 3731 406820 18 API calls 3728->3731 3729->3725 3733 405a57 lstrlenW 3729->3733 3736 405d2c CharNextW 3729->3736 3732 405ace LoadImageW 3730->3732 3921 403ebc 3730->3921 3731->3730 3734 405af9 RegisterClassW 3732->3734 3735 405b8e 3732->3735 3737 405a65 lstrcmpiW 3733->3737 3738 405a8b 3733->3738 3740 405b41 SystemParametersInfoW CreateWindowExW 3734->3740 3741 403af3 GetTickCount 3734->3741 3742 401414 80 API calls 3735->3742 3743 405a54 3736->3743 3737->3738 3744 405a75 GetFileAttributesW 3737->3744 3746 40673d 3 API calls 3738->3746 3740->3735 3796 407a0f 3741->3796 3747 405b94 3742->3747 3743->3733 3748 405a81 3744->3748 3745 405ac4 3745->3732 3749 405a91 3746->3749 3747->3741 3750 403edd 19 API calls 3747->3750 3748->3738 3751 40676c 2 API calls 3748->3751 3920 40602d lstrcpynW 3749->3920 3753 405ba5 3750->3753 3751->3738 3754 405bb1 ShowWindow LoadLibraryW 3753->3754 3755 405c34 3753->3755 3756 405bd0 LoadLibraryW 3754->3756 3757 405bd7 GetClassInfoW 3754->3757 3926 405078 OleInitialize 3755->3926 3756->3757 3759 405c01 DialogBoxParamW 3757->3759 3760 405beb GetClassInfoW RegisterClassW 3757->3760 3763 401414 80 API calls 3759->3763 3760->3759 3761 405c3a 3762 405c56 3761->3762 3764 405c3e 3761->3764 3765 401414 80 API calls 3762->3765 3766 405c29 3763->3766 3764->3741 3767 401414 80 API calls 3764->3767 3765->3741 3766->3741 3767->3741 3769 403896 3768->3769 3770 403888 CloseHandle 3768->3770 4078 403ccb 3769->4078 3770->3769 3776 405cdd 3775->3776 3777 403b37 ExitProcess 3776->3777 3778 405cf1 MessageBoxIndirectW 3776->3778 3778->3777 3779->3603 4138 40602d lstrcpynW 3780->4138 3782 4067a9 3783 405d80 4 API calls 3782->3783 3784 4067af 3783->3784 3785 40605c 5 API calls 3784->3785 3792 403ac9 3784->3792 3791 4067bf 3785->3791 3786 4067f8 lstrlenW 3787 4067ff 3786->3787 3786->3791 3789 40673d 3 API calls 
3787->3789 3788 4062f9 2 API calls 3788->3791 3790 406805 GetFileAttributesW 3789->3790 3790->3792 3791->3786 3791->3788 3791->3792 3793 40676c 2 API calls 3791->3793 3792->3613 3794 40602d lstrcpynW 3792->3794 3793->3786 3794->3650 3795->3615 3797 407a34 3796->3797 3798 407a79 11 API calls 3797->3798 3799 403b0b 3797->3799 4139 4075ff 3798->4139 3809 40610b 3799->3809 3805 407bd6 wsprintfA lstrcatA 4163 407790 3805->4163 3807 407c04 wsprintfA lstrcatA 4166 407550 lstrlenA 3807->4166 3810 406134 3809->3810 3811 406117 3809->3811 3813 406151 3810->3813 3814 4061ab 3810->3814 3817 406128 3810->3817 3812 406121 CloseHandle 3811->3812 3811->3817 3812->3817 3815 4061b4 lstrcatW lstrlenW WriteFile 3813->3815 3816 40615a GetFileAttributesW 3813->3816 3814->3815 3814->3817 3815->3817 4235 405e77 GetFileAttributesW CreateFileW 3816->4235 3817->3613 3819 406176 3819->3817 3820 4061a0 SetFilePointer 3819->3820 3821 406186 WriteFile 3819->3821 3820->3814 3821->3820 3822->3642 3823->3648 3824->3665 3826 406320 3 API calls 3825->3826 3827 406c83 3826->3827 3829 406ca4 3827->3829 4236 406ab1 lstrcpyW 3827->4236 3829->3665 3831 405ca2 3830->3831 3832 405c96 CloseHandle 3830->3832 3831->3665 3832->3831 3834 401392 80 API calls 3833->3834 3835 401429 3834->3835 3835->3624 3837 403811 CreateDirectoryW 3836->3837 3838 40675a lstrcatW 3836->3838 3839 405ea6 3837->3839 3838->3837 3840 405eb3 GetTickCount GetTempFileNameW 3839->3840 3841 403825 3840->3841 3842 405ee9 3840->3842 3841->3605 3842->3840 3842->3841 3843->3684 3844->3686 3846 40677b 3845->3846 3847 406781 CharPrevW 3846->3847 3848 40361a 3846->3848 3847->3846 3847->3848 3849 40602d lstrcpynW 3848->3849 3849->3690 3851 40337e 3850->3851 3851->3704 3853 403302 3852->3853 3854 40331a 3852->3854 3855 403312 3853->3855 3856 40330b DestroyWindow 3853->3856 3857 403322 3854->3857 3858 40332a GetTickCount 3854->3858 3855->3693 3856->3855 3887 406357 3857->3887 3860 403338 CreateDialogParamW ShowWindow 3858->3860 3861 40335b 3858->3861 
3860->3861 3861->3693 3863->3700 3864->3699 3866 4033bf 3865->3866 3867 4033ea 3866->3867 3898 40338f SetFilePointer 3866->3898 3869 40335d ReadFile 3867->3869 3870 4033f5 3869->3870 3871 40340e GetTickCount 3870->3871 3872 40353f 3870->3872 3874 4033f9 3870->3874 3883 403421 3871->3883 3873 403543 3872->3873 3878 403567 3872->3878 3875 40335d ReadFile 3873->3875 3874->3708 3875->3874 3876 40335d ReadFile 3876->3878 3877 40335d ReadFile 3877->3883 3878->3874 3878->3876 3879 403586 WriteFile 3878->3879 3879->3874 3880 40359b 3879->3880 3880->3874 3880->3878 3882 403483 GetTickCount 3882->3883 3883->3874 3883->3877 3883->3882 3884 4034ac MulDiv wsprintfW 3883->3884 3886 4034f0 WriteFile 3883->3886 3891 407cce 3883->3891 3899 404fa5 3884->3899 3886->3874 3886->3883 3888 406374 PeekMessageW 3887->3888 3889 403328 3888->3889 3890 40636a DispatchMessageW 3888->3890 3889->3693 3890->3888 3892 407cf6 3891->3892 3893 407cee 3891->3893 3892->3893 3894 407d87 GlobalAlloc 3892->3894 3895 407d7e GlobalFree 3892->3895 3896 407df3 GlobalFree 3892->3896 3897 407dfc GlobalAlloc 3892->3897 3893->3883 3894->3892 3894->3893 3895->3894 3896->3897 3897->3892 3897->3893 3898->3867 3900 404fbe 3899->3900 3905 405062 3899->3905 3901 404fdc lstrlenW 3900->3901 3902 406820 18 API calls 3900->3902 3903 405005 3901->3903 3904 404fea lstrlenW 3901->3904 3902->3901 3907 405018 3903->3907 3908 40500b SetWindowTextW 3903->3908 3904->3905 3906 404ffc lstrcatW 3904->3906 3905->3883 3906->3903 3907->3905 3909 40501e SendMessageW SendMessageW SendMessageW 3907->3909 3908->3907 3909->3905 3911 403ef1 3910->3911 3934 405f74 wsprintfW 3911->3934 3913 403f62 3914 406820 18 API calls 3913->3914 3915 403f6e SetWindowTextW 3914->3915 3917 403f89 3915->3917 3916 403fa4 3916->3723 3917->3916 3918 406820 18 API calls 3917->3918 3918->3917 3919->3719 3920->3725 3935 40602d lstrcpynW 3921->3935 3923 403ed0 3924 40673d 3 API calls 3923->3924 3925 403ed6 lstrcatW 3924->3925 3925->3745 3936 403df7 3926->3936 3928 
403df7 SendMessageW 3929 4050d6 OleUninitialize 3928->3929 3929->3761 3930 4062c7 11 API calls 3931 40509b 3930->3931 3931->3930 3933 4050c6 3931->3933 3939 401392 3931->3939 3933->3928 3934->3913 3935->3923 3937 403e00 SendMessageW 3936->3937 3938 403e0f 3936->3938 3937->3938 3938->3931 3941 401399 3939->3941 3940 401407 3940->3931 3941->3940 3943 4013d4 MulDiv SendMessageW 3941->3943 3944 401593 3941->3944 3943->3941 3945 4015f0 3944->3945 4025 401602 3944->4025 3946 401765 3945->3946 3947 401885 3945->3947 3948 401647 3945->3948 3949 401669 3945->3949 3950 4017a9 3945->3950 3951 4018ca 3945->3951 3952 40194a 3945->3952 3953 40168b 3945->3953 3954 40160c 3945->3954 3955 40172d 3945->3955 3956 4016ce 3945->3956 3957 401633 3945->3957 3958 4019b4 3945->3958 3959 4016b5 3945->3959 3960 4015f7 3945->3960 3961 401739 3945->3961 3945->4025 3975 401453 18 API calls 3946->3975 3963 401453 18 API calls 3947->3963 4054 4062c7 lstrlenW wvsprintfW 3948->4054 3962 401453 18 API calls 3949->3962 4057 401453 3950->4057 3969 401453 18 API calls 3951->3969 3965 401453 18 API calls 3952->3965 3966 40143d 18 API calls 3953->3966 3970 401453 18 API calls 3954->3970 3955->4025 4077 405f74 wsprintfW 3955->4077 3984 40143d 18 API calls 3956->3984 3956->4025 3972 40163e PostQuitMessage 3957->3972 3957->4025 3971 401453 18 API calls 3958->3971 3968 4062c7 11 API calls 3959->3968 3967 4062c7 11 API calls 3960->3967 3973 401748 ShowWindow 3961->3973 3974 40174f 3961->3974 3976 401670 3962->3976 3977 40188c 3963->3977 3979 401951 GetFullPathNameW 3965->3979 3980 401692 3966->3980 3967->4025 3981 4016bf SetForegroundWindow 3968->3981 3982 4018d2 3969->3982 3983 401613 3970->3983 3985 4019bc SearchPathW 3971->3985 3972->4025 3973->3974 3986 40175c ShowWindow 3974->3986 3974->4025 3987 40176d 3975->3987 3988 4062c7 11 API calls 3976->3988 4073 4062f9 FindFirstFileW 3977->4073 3991 40198d 3979->3991 4001 40196b 3979->4001 3992 4062c7 11 API calls 3980->3992 3981->4025 3993 401453 18 API calls 
3982->3993 3994 4062c7 11 API calls 3983->3994 3984->4025 3985->4025 3986->4025 3997 4062c7 11 API calls 3987->3997 3998 40167b 3988->3998 3990 4062c7 11 API calls 4000 4017c2 3990->4000 4014 4019a2 GetShortPathNameW 3991->4014 3991->4025 4002 40169f 3992->4002 4003 4018dc 3993->4003 4004 40161e 3994->4004 4006 40177d SetFileAttributesW 3997->4006 4008 404fa5 25 API calls 3998->4008 4063 405d80 CharNextW CharNextW 4000->4063 4001->3991 4020 4062f9 2 API calls 4001->4020 4012 4016a6 4002->4012 4013 4016a9 Sleep 4002->4013 4015 401453 18 API calls 4003->4015 4016 404fa5 25 API calls 4004->4016 4007 401792 4006->4007 4006->4025 4018 4062c7 11 API calls 4007->4018 4008->4025 4009 4018b1 4021 4062c7 11 API calls 4009->4021 4010 401898 4019 4062c7 11 API calls 4010->4019 4012->4013 4013->4025 4014->4025 4022 4018e7 4015->4022 4016->4025 4017 401392 65 API calls 4017->4025 4018->4025 4019->4025 4024 40197d 4020->4024 4021->4025 4026 4062c7 11 API calls 4022->4026 4023 401852 4029 401857 4023->4029 4030 401879 4023->4030 4024->3991 4076 40602d lstrcpynW 4024->4076 4025->3941 4028 4018f4 MoveFileW 4026->4028 4027 405d2c CharNextW 4031 4017db CreateDirectoryW 4027->4031 4033 401904 4028->4033 4034 40190b 4028->4034 4069 40142c 4029->4069 4036 40142c 25 API calls 4030->4036 4037 4017f1 GetLastError 4031->4037 4049 4017cd 4031->4049 4033->4030 4038 40192a 4034->4038 4042 4062f9 2 API calls 4034->4042 4036->4025 4040 40181a GetFileAttributesW 4037->4040 4041 4017fe GetLastError 4037->4041 4044 4062c7 11 API calls 4038->4044 4040->4049 4045 4062c7 11 API calls 4041->4045 4046 401916 4042->4046 4048 401944 4044->4048 4045->4049 4046->4038 4051 406c7c 42 API calls 4046->4051 4047 40186b SetCurrentDirectoryW 4047->4025 4048->4025 4049->4023 4049->4027 4050 4062c7 11 API calls 4049->4050 4050->4049 4052 401923 4051->4052 4053 40142c 25 API calls 4052->4053 4053->4038 4055 40610b 9 API calls 4054->4055 4056 40165b 4055->4056 4056->4017 4058 401459 4057->4058 4059 406820 18 API calls 
4058->4059 4060 40147e 4059->4060 4061 40148a 4060->4061 4062 40605c 5 API calls 4060->4062 4061->3990 4062->4061 4064 405d9d 4063->4064 4066 405daf 4063->4066 4064->4066 4067 405daa CharNextW 4064->4067 4065 405dd3 4065->4049 4066->4065 4068 405d2c CharNextW 4066->4068 4067->4065 4068->4066 4070 404fa5 25 API calls 4069->4070 4071 40143a 4070->4071 4072 40602d lstrcpynW 4071->4072 4072->4047 4074 401894 4073->4074 4075 40630f FindClose 4073->4075 4074->4009 4074->4010 4075->4074 4076->3991 4077->4025 4079 403cd9 4078->4079 4080 40389b 4079->4080 4081 403cde FreeLibrary GlobalFree 4079->4081 4082 406caf 4080->4082 4081->4080 4081->4081 4083 406798 18 API calls 4082->4083 4084 406cc2 4083->4084 4085 406ce2 4084->4085 4086 406ccb DeleteFileW 4084->4086 4088 406e5f 4085->4088 4133 40602d lstrcpynW 4085->4133 4087 4038a7 OleUninitialize 4086->4087 4087->3620 4087->3621 4088->4087 4091 406e6c 4088->4091 4095 4062f9 2 API calls 4088->4095 4090 406d0d 4092 406d21 4090->4092 4093 406d17 lstrcatW 4090->4093 4099 4062c7 11 API calls 4091->4099 4096 40676c 2 API calls 4092->4096 4094 406d27 4093->4094 4097 406d37 lstrcatW 4094->4097 4098 406d2d 4094->4098 4100 406e78 4095->4100 4096->4094 4102 406d3f lstrlenW FindFirstFileW 4097->4102 4098->4097 4098->4102 4099->4087 4100->4087 4101 406e7c 4100->4101 4103 40673d 3 API calls 4101->4103 4104 406e50 4102->4104 4130 406d66 4102->4130 4105 406e82 4103->4105 4104->4088 4107 4062c7 11 API calls 4105->4107 4106 405d2c CharNextW 4106->4130 4108 406e8d 4107->4108 4109 405e57 2 API calls 4108->4109 4110 406e95 RemoveDirectoryW 4109->4110 4114 406ea1 4110->4114 4115 406ed8 4110->4115 4111 406e2d FindNextFileW 4113 406e45 FindClose 4111->4113 4111->4130 4113->4104 4117 406ec4 4114->4117 4118 406ea7 4114->4118 4116 404fa5 25 API calls 4115->4116 4116->4087 4117->4091 4120 4062c7 11 API calls 4118->4120 4119 4062c7 11 API calls 4119->4130 4122 406eb1 4120->4122 4121 406caf 72 API calls 4121->4130 4124 404fa5 25 API calls 4122->4124 4126 
406ebb 4124->4126 4127 406c7c 42 API calls 4126->4127 4129 406ec2 4127->4129 4128 404fa5 25 API calls 4128->4111 4129->4087 4130->4106 4130->4111 4130->4119 4130->4121 4130->4128 4131 404fa5 25 API calls 4130->4131 4132 406c7c 42 API calls 4130->4132 4134 40602d lstrcpynW 4130->4134 4135 405e57 GetFileAttributesW 4130->4135 4131->4130 4132->4130 4133->4090 4134->4130 4136 405e74 DeleteFileW 4135->4136 4137 405e66 SetFileAttributesW 4135->4137 4136->4130 4137->4136 4138->3782 4179 40872a 4139->4179 4142 407646 4144 407656 GetModuleHandleW GetProcAddress 4142->4144 4145 40768d GetSystemDefaultLCID wsprintfA 4142->4145 4143 4076bd wsprintfA lstrcatA 4147 4077d3 4143->4147 4144->4145 4146 407671 4144->4146 4145->4143 4146->4145 4148 40872a 4147->4148 4149 4077fc GetSystemInfo 4148->4149 4150 4078e5 wsprintfA lstrcatA 4149->4150 4151 40781f GlobalMemoryStatusEx 4149->4151 4158 407976 4150->4158 4151->4150 4152 407838 RegOpenKeyExW 4151->4152 4153 407866 RegQueryValueExW RegCloseKey 4152->4153 4154 40788e 4152->4154 4153->4154 4155 4078b3 GetSystemMetrics GetSystemMetrics wsprintfA 4154->4155 4156 407893 QueryPerformanceFrequency 4154->4156 4155->4150 4156->4150 4157 4078a1 4156->4157 4157->4150 4157->4155 4159 40872a 4158->4159 4160 40799b GetModuleFileNameA 4159->4160 4181 4078eb GetFileVersionInfoSizeA 4160->4181 4196 4076c5 4163->4196 4167 4071fc 2 API calls 4166->4167 4168 407576 4167->4168 4169 407584 wsprintfA 4168->4169 4211 40741a 4169->4211 4172 4075b3 4213 407277 4172->4213 4175 40721c 3 API calls 4176 4075ec 4175->4176 4177 4075f7 4176->4177 4178 40721c 3 API calls 4176->4178 4177->3799 4178->4177 4180 407628 GetVersionExW 4179->4180 4180->4142 4180->4143 4182 407971 PathFindFileNameA wsprintfA 4181->4182 4183 407908 4181->4183 4182->3805 4190 4071fc GlobalAlloc 4183->4190 4186 40791e GetFileVersionInfoA 4186->4182 4187 40792f VerQueryValueA 4186->4187 4187->4182 4188 407946 4187->4188 4193 40721c GlobalHandle 4188->4193 4191 407218 4190->4191 4192 40720f 
GlobalLock 4190->4192 4191->4182 4191->4186 4192->4191 4194 40723b 4193->4194 4195 40722d GlobalUnlock GlobalFree 4193->4195 4194->4182 4195->4194 4197 4071fc 2 API calls 4196->4197 4198 4076e4 4197->4198 4199 4076f9 GetAdaptersInfo 4198->4199 4209 407784 GetVolumeInformationA wsprintfA 4198->4209 4200 40773b 4199->4200 4201 40770e 4199->4201 4202 407766 4200->4202 4204 40774a StrStrIA 4200->4204 4203 40721c 3 API calls 4201->4203 4207 40721c 3 API calls 4202->4207 4202->4209 4205 407714 4203->4205 4204->4200 4204->4202 4206 4071fc 2 API calls 4205->4206 4208 40771c 4206->4208 4207->4209 4208->4209 4210 40772e GetAdaptersInfo 4208->4210 4209->3807 4210->4200 4212 407423 lstrlenA 4211->4212 4212->4172 4214 4072a2 4213->4214 4228 4071dc 4214->4228 4217 4072d0 HttpOpenRequestA 4219 4072f3 InternetSetOptionA InternetSetOptionA InternetSetOptionA InternetSetOptionA HttpSendRequestA 4217->4219 4220 4073fb InternetCloseHandle 4217->4220 4218 407409 4218->4175 4218->4176 4221 4073f1 InternetCloseHandle 4219->4221 4222 407345 HttpQueryInfoA 4219->4222 4220->4218 4221->4220 4222->4221 4225 40736f 4222->4225 4223 4073d4 InternetReadFile 4224 4073ea 4223->4224 4223->4225 4224->4221 4225->4221 4225->4223 4225->4224 4226 4071fc 2 API calls 4225->4226 4231 40723d GlobalHandle 4225->4231 4226->4225 4229 4071e7 InternetOpenA 4228->4229 4230 4071fb InternetConnectA 4228->4230 4229->4230 4230->4217 4230->4218 4232 407251 GlobalUnlock GlobalReAlloc 4231->4232 4233 407272 4231->4233 4232->4233 4234 407269 GlobalLock 4232->4234 4233->4225 4234->4233 4235->3819 4237 406ad6 4236->4237 4238 406aff GetShortPathNameW 4236->4238 4262 405e77 GetFileAttributesW CreateFileW 4237->4262 4239 406c76 4238->4239 4240 406b18 4238->4240 4239->3829 4240->4239 4243 406b20 WideCharToMultiByte 4240->4243 4242 406adf CloseHandle GetShortPathNameW 4242->4239 4244 406af7 4242->4244 4243->4239 4245 406b3d WideCharToMultiByte 4243->4245 4244->4238 4244->4239 4245->4239 4246 406b55 wsprintfA 4245->4246 4247 
406820 18 API calls 4246->4247 4248 406b81 4247->4248 4263 405e77 GetFileAttributesW CreateFileW 4248->4263 4250 406b8e 4250->4239 4251 406b9b GetFileSize GlobalAlloc 4250->4251 4252 406c6c CloseHandle 4251->4252 4253 406bbc ReadFile 4251->4253 4252->4239 4253->4252 4254 406bd6 4253->4254 4254->4252 4264 405ddd lstrlenA 4254->4264 4257 406c03 4259 405ddd 4 API calls 4257->4259 4258 406bef lstrcpyA 4260 406c11 4258->4260 4259->4260 4261 406c44 SetFilePointer WriteFile GlobalFree 4260->4261 4261->4252 4262->4242 4263->4250 4265 405e1e lstrlenA 4264->4265 4266 405e26 4265->4266 4267 405df7 lstrcmpiA 4265->4267 4266->4257 4266->4258 4267->4266 4268 405e15 CharNextA 4267->4268 4268->4265 5192 4023a8 5193 401453 18 API calls 5192->5193 5194 4023b0 5193->5194 5197 407154 5194->5197 5198 406ee6 25 API calls 5197->5198 5199 407174 5198->5199 5200 4023be 5199->5200 5201 40717e lstrcpynW lstrcmpW 5199->5201 5202 4071b5 lstrcpynW 5201->5202 5203 4071af 5201->5203 5202->5200 5203->5202 5204 403fa9 5205 403fd5 5204->5205 5206 403fb9 5204->5206 5208 404008 5205->5208 5209 403fdb SHGetPathFromIDListW 5205->5209 5215 405cac GetDlgItemTextW 5206->5215 5211 403feb 5209->5211 5214 403ff2 SendMessageW 5209->5214 5210 403fc6 SendMessageW 5210->5205 5212 401414 80 API calls 5211->5212 5212->5214 5214->5208 5215->5210 5216 401ead 5217 401f18 5216->5217 5218 401eba 5216->5218 5219 401f47 GlobalAlloc 5217->5219 5220 401f1c 5217->5220 5222 4062c7 11 API calls 5218->5222 5225 401ee5 5218->5225 5223 406820 18 API calls 5219->5223 5221 401f2a 5220->5221 5224 4062c7 11 API calls 5220->5224 5239 40602d lstrcpynW 5221->5239 5227 401ed6 5222->5227 5228 401f3a 5223->5228 5224->5221 5237 40602d lstrcpynW 5225->5237 5229 406820 18 API calls 5227->5229 5231 402e78 5228->5231 5232 40239d GlobalFree 5228->5232 5229->5225 5232->5231 5233 401efa 5238 40602d lstrcpynW 5233->5238 5235 401f09 5240 40602d lstrcpynW 5235->5240 5237->5233 5238->5235 5239->5228 5240->5231 5241 401c31 5242 401453 18 API calls 
5241->5242 5243 401c38 5242->5243 5244 4062c7 11 API calls 5243->5244 5245 401c45 5244->5245 5246 406caf 81 API calls 5245->5246 5247 401c50 5246->5247 5255 4021b2 5256 401453 18 API calls 5255->5256 5257 4021b9 5256->5257 5258 401453 18 API calls 5257->5258 5259 4021c3 5258->5259 5260 401453 18 API calls 5259->5260 5261 4021ce 5260->5261 5262 401453 18 API calls 5261->5262 5263 4021d8 5262->5263 5264 40142c 25 API calls 5263->5264 5265 4021df ShellExecuteW 5264->5265 5266 40220e 5265->5266 5269 40221e 5265->5269 5268 4062c7 11 API calls 5266->5268 5267 4062c7 11 API calls 5270 402235 5267->5270 5268->5269 5269->5267 5271 4049b5 GetDlgItem GetDlgItem 5272 404a0b 7 API calls 5271->5272 5277 404c23 5271->5277 5273 404aa3 SendMessageW 5272->5273 5274 404aaf DeleteObject 5272->5274 5273->5274 5275 404aba 5274->5275 5279 404af1 5275->5279 5281 406820 18 API calls 5275->5281 5276 404d07 5278 404da9 5276->5278 5280 404c16 5276->5280 5285 404d53 SendMessageW 5276->5285 5277->5276 5289 404885 5 API calls 5277->5289 5302 404c92 5277->5302 5282 404db2 SendMessageW 5278->5282 5283 404dbe 5278->5283 5284 403d87 19 API calls 5279->5284 5286 403e12 8 API calls 5280->5286 5287 404ad3 SendMessageW SendMessageW 5281->5287 5282->5283 5295 404dd0 ImageList_Destroy 5283->5295 5296 404dd7 5283->5296 5300 404de7 5283->5300 5290 404b05 5284->5290 5285->5280 5293 404d68 SendMessageW 5285->5293 5294 404f9e 5286->5294 5287->5275 5288 404cf9 SendMessageW 5288->5276 5289->5302 5291 403d87 19 API calls 5290->5291 5304 404b16 5291->5304 5292 404f50 5292->5280 5301 404f64 ShowWindow GetDlgItem ShowWindow 5292->5301 5298 404d7b 5293->5298 5295->5296 5297 404de0 GlobalFree 5296->5297 5296->5300 5297->5300 5307 404d8c SendMessageW 5298->5307 5299 404be3 GetWindowLongW SetWindowLongW 5303 404bfd 5299->5303 5300->5292 5305 401414 80 API calls 5300->5305 5316 404e19 5300->5316 5301->5280 5302->5276 5302->5288 5308 404c03 ShowWindow 5303->5308 5309 404c1b 5303->5309 5304->5299 5311 404b72 SendMessageW 
5304->5311 5312 404bdd 5304->5312 5314 404ba0 SendMessageW 5304->5314 5315 404bb4 SendMessageW 5304->5315 5305->5316 5306 404e5d 5317 404f27 InvalidateRect 5306->5317 5321 404ed5 SendMessageW SendMessageW 5306->5321 5307->5278 5322 403de0 SendMessageW 5308->5322 5323 403de0 SendMessageW 5309->5323 5311->5304 5312->5299 5312->5303 5314->5304 5315->5304 5316->5306 5319 404e47 SendMessageW 5316->5319 5317->5292 5318 404f3d 5317->5318 5320 4043f1 21 API calls 5318->5320 5319->5306 5320->5292 5321->5306 5322->5280 5323->5277 5324 402bb6 5325 40143d 18 API calls 5324->5325 5329 402bc0 5325->5329 5326 402c64 5327 402bf9 ReadFile 5327->5329 5334 402c57 5327->5334 5328 40143d 18 API calls 5328->5334 5329->5326 5329->5327 5330 402c20 MultiByteToWideChar 5329->5330 5331 402c59 5329->5331 5332 402c69 5329->5332 5329->5334 5330->5329 5330->5332 5337 405f74 wsprintfW 5331->5337 5332->5334 5335 402c85 SetFilePointer 5332->5335 5334->5326 5334->5328 5336 402d34 ReadFile 5334->5336 5335->5334 5336->5334 5337->5326 4269 402b38 GlobalAlloc 4270 402b5e 4269->4270 4271 402b4f 4269->4271 4273 401453 18 API calls 4270->4273 4272 40143d 18 API calls 4271->4272 4275 402b57 4272->4275 4274 402b66 WideCharToMultiByte lstrlenA 4273->4274 4274->4275 4276 402ba7 4275->4276 4277 402b9c WriteFile 4275->4277 4277->4276 5338 402e3c 5339 401453 18 API calls 5338->5339 5340 402e44 FindFirstFileW 5339->5340 5341 402e57 5340->5341 5342 402e6b 5341->5342 5346 405f74 wsprintfW 5341->5346 5347 40602d lstrcpynW 5342->5347 5345 402e78 5346->5342 5347->5345 5348 4040bc 5349 4040c6 5348->5349 5350 4040c9 lstrcpynW lstrlenW 5348->5350 5349->5350 4334 40223d 4335 401453 18 API calls 4334->4335 4336 402244 4335->4336 4337 4062c7 11 API calls 4336->4337 4338 402251 4337->4338 4339 404fa5 25 API calls 4338->4339 4340 40225b 4339->4340 4341 405c67 2 API calls 4340->4341 4342 402261 4341->4342 4343 4062c7 11 API calls 4342->4343 4352 4022bd FindCloseChangeNotification 4342->4352 4345 402273 4343->4345 4347 40227a 
WaitForSingleObject 4345->4347 4345->4352 4346 40310b 4348 40228e 4347->4348 4349 4022a0 GetExitCodeProcess 4348->4349 4350 406357 2 API calls 4348->4350 4351 4022b2 4349->4351 4349->4352 4353 402295 WaitForSingleObject 4350->4353 4355 405f74 wsprintfW 4351->4355 4352->4346 4353->4348 4355->4352

            Control-flow Graph

            [Figure: control-flow graph starting at block 4038a8-403948; legend: Executed, Not Executed]
            C-Code - Quality: 85%
            			_entry_() {
            				struct _SHFILEINFOW _v700;
            				long _v716;
            				struct _SECURITY_ATTRIBUTES* _v720;
            				struct _SECURITY_ATTRIBUTES* _v724;
            				WCHAR* _v728;
            				intOrPtr _v736;
            				char _v740;
            				int _v744;
            				signed int _v748;
            				WCHAR* _v752;
            				int _v756;
            				intOrPtr _v760;
            				intOrPtr _v764;
            				struct _SECURITY_ATTRIBUTES* _v768;
            				void* _v776;
            				int _t38;
            				short* _t46;
            				signed int _t49;
            				WCHAR* _t51;
            				WCHAR* _t53;
            				void* _t58;
            				int _t60;
            				signed int _t62;
            				void* _t77;
            				WCHAR* _t82;
            				int _t83;
            				WCHAR* _t87;
            				WCHAR* _t99;
            				void* _t105;
            				signed int _t106;
            				signed int _t107;
            				void* _t109;
            				void* _t111;
            				void* _t113;
            				WCHAR* _t114;
            				void* _t115;
            				WCHAR* _t116;
            				WCHAR* _t121;
            				WCHAR* _t123;
            				void* _t128;
            				WCHAR* _t129;
            				void* _t130;
            				void* _t131;
            
            				_t130 =  &_v728;
            				_t115 = 0x20;
            				_v720 = 0;
            				_v728 = L"Error writing temporary file. Make sure your temp folder is valid.";
            				_v724 = 0;
            				_v716 = GetTickCount();
            				__imp__#17();
            				_t38 = SetErrorMode(0x8001); // executed
            				__imp__OleInitialize(0); // executed
            				 *0x473eb8 = _t38;
            				 *0x473dd0 = E00406320(8);
            				SHGetFileInfoW(0x40a2cc, 0,  &_v700, 0x2b4, 0); // executed
            				E0040602D(0x46bdc0, L"NSIS Error");
            				E0040602D(0x4c40a0, GetCommandLineW());
            				 *0x473dd8 = GetModuleHandleW(0);
            				_t46 = 0x4c40a0;
            				if( *0x4c40a0 == 0x22) {
            					_t115 = 0x22;
            					_t46 = 0x4c40a2;
            				}
            				_t116 = CharNextW(E00405D2C(_t46, _t115));
            				_v744 = _t116;
            				while(1) {
            					_t49 =  *_t116 & 0x0000ffff;
            					_t133 = _t49;
            					if(_t49 == 0) {
            						break;
            					}
            					_t128 = 0x20;
            					__eflags = _t49 - _t128;
            					if(_t49 != _t128) {
            						L5:
            						__eflags =  *_t116 - 0x22;
            						if( *_t116 == 0x22) {
            							_t116 =  &(_t116[1]);
            							__eflags = _t116;
            							_t128 = 0x22;
            						}
            						__eflags =  *_t116 - 0x2f;
            						if( *_t116 != 0x2f) {
            							L17:
            							_t116 = E00405D2C(_t116, _t128);
            							__eflags =  *_t116 - 0x22;
            							if(__eflags == 0) {
            								_t116 =  &(_t116[1]);
            								__eflags = _t116;
            							}
            							continue;
            						}
            						_t116 =  &(_t116[1]);
            						__eflags =  *_t116 - 0x53;
            						if( *_t116 != 0x53) {
            							L12:
            							_t51 = E00403827(_t116, L"NCRC", 4);
            							_t131 = _t130 + 0xc;
            							__eflags = _t51;
            							if(_t51 != 0) {
            								L16:
            								_t13 = _t116 - 4; // -2
            								_t53 = E00403827(_t13, L" /D=", 4);
            								_t130 = _t131 + 0xc;
            								__eflags = _t53;
            								if(_t53 == 0) {
            									_t14 = _t116 - 4; // -2
            									E0040872A(_t14, 0, 8);
            									_t130 = _t130 + 0xc;
            									__eflags =  &(_t116[2]);
            									E0040602D(0x4c80a8,  &(_t116[2]));
            									break;
            								}
            								goto L17;
            							}
            							_t106 = _t116[4] & 0x0000ffff;
            							__eflags = _t106 - 0x20;
            							if(_t106 == 0x20) {
            								L15:
            								_t11 =  &_v748;
            								 *_t11 = _v748 | 0x00000004;
            								__eflags =  *_t11;
            								goto L16;
            							}
            							__eflags = _t106;
            							if(_t106 != 0) {
            								goto L16;
            							}
            							goto L15;
            						}
            						_t107 = _t116[1] & 0x0000ffff;
            						__eflags = _t107 - 0x20;
            						if(_t107 == 0x20) {
            							L11:
            							_t8 =  &_v748;
            							 *_t8 = _v748 | 0x00000002;
            							__eflags =  *_t8;
            							goto L12;
            						}
            						__eflags = _t107;
            						if(_t107 != 0) {
            							goto L12;
            						}
            						goto L11;
            					} else {
            						goto L4;
            					}
            					do {
            						L4:
            						_t116 =  &(_t116[1]);
            						__eflags =  *_t116 - _t128;
            					} while ( *_t116 == _t128);
            					goto L5;
            				}
            				_t129 = 0x4d80c8;
            				GetTempPathW(0x2004, 0x4d80c8);
            				_t58 = E004037F3(_t109, _t133);
            				_t134 = _t58;
            				if(_t58 != 0) {
            					L24:
            					DeleteFileW(0x4d40c0); // executed
            					_t60 = E004035AE(_t135, _v748); // executed
            					_v756 = _t60;
            					if(_t60 != 0) {
            						L34:
            						E0040387E(); // executed
            						__imp__OleUninitialize(); // executed
            						if(_v752 == 0) {
            							__eflags =  *0x473e94;
            							if( *0x473e94 != 0) {
            								_t129 = E00406320(3);
            								_t121 = E00406320(4);
            								_t82 = E00406320(5);
            								__eflags = _t129;
            								_t114 = _t82;
            								if(_t129 != 0) {
            									__eflags = _t121;
            									if(_t121 != 0) {
            										__eflags = _t114;
            										if(_t114 != 0) {
            											_t87 =  *_t129(GetCurrentProcess(), 0x28,  &_v740);
            											__eflags = _t87;
            											if(_t87 != 0) {
            												 *_t121(0, L"SeShutdownPrivilege",  &_v740);
            												_v756 = 1;
            												_v744 = 2;
            												 *_t114(_v764, 0,  &_v756, 0, 0, 0);
            											}
            										}
            									}
            								}
            								_t83 = ExitWindowsEx(2, 0);
            								__eflags = _t83;
            								if(_t83 == 0) {
            									E00401414(9);
            								}
            							}
            							_t62 =  *0x473eac;
            							__eflags = _t62 - 0xffffffff;
            							if(_t62 != 0xffffffff) {
            								_v744 = _t62;
            							}
            							ExitProcess(_v744);
            						} else {
            							E00405CC8(_v752, 0x200010);
            							ExitProcess(2);
            						}
            					}
            					if( *0x473e24 == 0) {
            						L33:
            						 *0x473eac =  *0x473eac | 0xffffffff;
            						_v744 = E00405957(_t109);
            						E00407A0F(_t109, GetTickCount() - _v740, _v744, GetTickCount() - _v740);
            						_pop(_t111);
            						E0040610B(_t111, 1);
            						goto L34;
            					}
            					_t123 = E00405D2C(0x4c40a0, 0);
            					while(_t123 >= 0x4c40a0) {
            						_t99 = E00403827(_t123, L" _?=", 4);
            						_t130 = _t130 + 0xc;
            						__eflags = _t99;
            						if(__eflags == 0) {
            							break;
            						}
            						_t123 = _t123;
            						__eflags = _t123;
            					}
            					_t139 = _t123 - 0x4c40a0;
            					_v752 = L"Error launching installer";
            					if(_t123 < 0x4c40a0) {
            						lstrcatW(_t129, L"~nsu.tmp");
            						if(lstrcmpiW(_t129, 0x4d00b8) == 0) {
            							goto L34;
            						}
            						CreateDirectoryW(_t129, 0);
            						SetCurrentDirectoryW(_t129);
            						if( *0x4c80a8 == 0) {
            							E0040602D(0x4c80a8, 0x4d00b8);
            						}
            						E0040602D(0x474000, _v736);
            						E0040602D(0x478008, "A");
            						_t113 = 0x1a;
            						do {
            							_push( *((intOrPtr*)( *0x473ddc + 0x134)));
            							_push(0x4341e8);
            							E00406820(0, _t113, 0x4341e8);
            							DeleteFileW(0x4341e8);
            							if(_v760 != 0 && CopyFileW(0x4e00d8, 0x4341e8, 1) != 0) {
            								E00406C7C(0x4341e8, 0);
            								_push( *((intOrPtr*)( *0x473ddc + 0x138)));
            								_push(0x4341e8);
            								E00406820(0, _t113, 0x4341e8);
            								_t77 = E00405C67(0x4341e8);
            								if(_t77 != 0) {
            									CloseHandle(_t77);
            									_v768 = 0;
            								}
            							}
            							 *0x478008 =  *0x478008 + 1;
            							_t113 = _t113 - 1;
            						} while (_t113 != 0);
            						E00406C7C(_t129, 0);
            						goto L34;
            					}
            					 *_t123 = 0;
            					_t124 =  &(_t123[4]);
            					if(E00406798(_t139,  &(_t123[4])) == 0) {
            						goto L34;
            					}
            					E0040602D(0x4c80a8, _t124);
            					E0040602D(0x4cc0b0, _t124);
            					_v768 = 0;
            					goto L33;
            				}
            				GetWindowsDirectoryW(0x4d80c8, 0x1fff);
            				lstrcatW(0x4d80c8, L"\\Temp");
            				_t105 = E004037F3(_t109, _t134);
            				_t135 = _t105;
            				if(_t105 == 0) {
            					goto L34;
            				}
            				goto L24;
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 004038C7
            • #17.COMCTL32 ref: 004038D1
            • SetErrorMode.KERNELBASE(00008001), ref: 004038DC
            • OleInitialize.OLE32(00000000), ref: 004038E3
              • Part of subcall function 00406320: GetModuleHandleA.KERNEL32(?,?,00000020,004038F5,00000008), ref: 00406330
              • Part of subcall function 00406320: LoadLibraryA.KERNELBASE(?,?,00000020,004038F5,00000008), ref: 0040633B
              • Part of subcall function 00406320: GetProcAddress.KERNEL32(00000000,?), ref: 0040634C
            • SHGetFileInfoW.SHELL32(0040A2CC,00000000,?,000002B4,00000000), ref: 0040390B
              • Part of subcall function 0040602D: lstrcpynW.KERNEL32(?,?,00002004,00403920,0046BDC0,NSIS Error), ref: 0040603A
            • GetCommandLineW.KERNEL32(0046BDC0,NSIS Error), ref: 00403920
            • GetModuleHandleW.KERNEL32(00000000,004C40A0,00000000), ref: 00403933
            • CharNextW.USER32(00000000,004C40A0,00000020), ref: 0040395A
            • GetTempPathW.KERNEL32(00002004,004D80C8,00000000,00000020), ref: 00403A2D
            • GetWindowsDirectoryW.KERNEL32(004D80C8,00001FFF), ref: 00403A42
            • lstrcatW.KERNEL32(004D80C8,\Temp), ref: 00403A4E
            • DeleteFileW.KERNELBASE(004D40C0), ref: 00403A65
            • GetTickCount.KERNEL32 ref: 00403AF7
            • OleUninitialize.OLE32(?), ref: 00403B19
            • ExitProcess.KERNEL32 ref: 00403B39
            • lstrcatW.KERNEL32(004D80C8,~nsu.tmp), ref: 00403B45
            • lstrcmpiW.KERNEL32(004D80C8,004D00B8,004D80C8,~nsu.tmp), ref: 00403B51
            • CreateDirectoryW.KERNEL32(004D80C8,00000000), ref: 00403B5D
            • SetCurrentDirectoryW.KERNEL32(004D80C8), ref: 00403B64
            • DeleteFileW.KERNEL32(004341E8,004341E8,?,00478008,0040A26C,00474000,?), ref: 00403BB5
            • CopyFileW.KERNEL32(004E00D8,004341E8,00000001), ref: 00403BC9
            • CloseHandle.KERNEL32(00000000,004341E8,004341E8,?,004341E8,00000000), ref: 00403BF6
            • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C4C
            • ExitWindowsEx.USER32 ref: 00403C88
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: File$DirectoryHandle$CountCurrentDeleteExitModuleProcessTickWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
            • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$AC
            • API String ID: 3571254196-561670634
            • Opcode ID: 9fcc83a64643b08adee18faf5b21d09c59662f553cd3ef148a3a5933213992de
            • Instruction ID: 03d0f53d0528b34187fd831154d40783effd2435d1f57860f97df753a731456c
            • Opcode Fuzzy Hash: 9fcc83a64643b08adee18faf5b21d09c59662f553cd3ef148a3a5933213992de
            • Instruction Fuzzy Hash: 40A18F715443116AE720BF619D4AB2B7EACAF4430AF10443FF585B21D2D7BC8E4486AE
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            [Figure: control-flow graph of function 00406820]
            C-Code - Quality: 73%
            			E00406820(void* __ebx, void* __edi, void* __esi) {
            				signed int _t38;
            				WCHAR* _t39;
            				signed int _t41;
            				signed int _t42;
            				signed int _t43;
            				long _t54;
            				short _t55;
            				short _t57;
            				short _t59;
            				void* _t69;
            				signed int _t72;
            				WCHAR* _t76;
            				signed int _t77;
            				short _t78;
            				void* _t92;
            				void* _t94;
            				signed int _t96;
            				signed int _t98;
            				void* _t99;
            				WCHAR* _t100;
            				signed short* _t103;
            				void* _t106;
            
            				_t99 = __esi;
            				_t92 = __edi;
            				_t69 = __ebx;
            				_t38 =  *(_t106 + 8);
            				if(_t38 < 0) {
            					_t38 =  *( *0x46bda8 - 4 + _t38 * 4);
            				}
            				_t103 =  *0x473df8 + _t38 * 2;
            				_t76 =  *(_t106 + 0x1c);
            				_t39 = 0x463540;
            				_push(_t99);
            				_t100 = 0x463540;
            				if(_t76 >= 0x463540 && _t76 - 0x463540 >> 1 < 0x4008) {
            					 *(_t106 + 0x20) =  *(_t106 + 0x20) & 0x00000000;
            					_t100 = _t76;
            				}
            				_t77 =  *_t103 & 0x0000ffff;
            				if(_t77 == 0) {
            					L51:
            					 *_t100 =  *_t100 & 0x00000000;
            					if( *(_t106 + 0x20) == 0) {
            						return _t39;
            					}
            					return E0040602D( *(_t106 + 0x1c), _t39);
            				} else {
            					_push(_t69);
            					_push(_t92);
            					while((_t100 - _t39 & 0xfffffffe) < 0x4008) {
            						_t78 = _t77 & 0x0000ffff;
            						_t94 = 2;
            						_t103 = _t103 + _t94;
            						if((0x0000e000 & _t78) == 0) {
            							__eflags = _t78 - 0xe000;
            							L46:
            							if(__eflags != 0) {
            								 *_t100 = _t78;
            								_t100 = _t100 + _t94;
            								__eflags = _t100;
            							} else {
            								 *_t100 =  *_t103;
            								_t100 = _t100 + _t94;
            								_t103 = _t103 + _t94;
            							}
            							L49:
            							_t77 =  *_t103 & 0x0000ffff;
            							if(_t77 != 0) {
            								continue;
            							}
            							break;
            						}
            						if(_t78 <= 0xe000) {
            							goto L46;
            						}
            						_t41 =  *_t103 & 0x0000ffff;
            						_t72 = _t41 & 0x000000ff;
            						_t42 = _t41 >> 8;
            						_t96 = _t41 & 0x00007fff;
            						 *(_t106 + 0x20) = _t42;
            						_t43 = _t42 | 0x00008000;
            						_t103 =  &(_t103[1]);
            						 *(_t106 + 0x18) = _t72;
            						 *(_t106 + 0x14) = _t72 | 0x00008000;
            						 *(_t106 + 0x1c) = _t43;
            						if(_t78 != 0xe002) {
            							__eflags = _t78 - 0xe001;
            							if(_t78 != 0xe001) {
            								__eflags = _t78 - 0xe003;
            								if(__eflags == 0) {
            									__eflags = (_t43 | 0xffffffff) - _t96;
            									E00406820(_t72, _t96, _t100, _t100, (_t43 | 0xffffffff) - _t96);
            								}
            								L44:
            								_t100 =  &(_t100[lstrlenW(_t100)]);
            								_t39 = 0x463540;
            								goto L49;
            							}
            							__eflags = _t96 - 0x1d;
            							if(_t96 != 0x1d) {
            								__eflags = 0x474000 + _t96 * 0x4008;
            								E0040602D(_t100, 0x474000 + _t96 * 0x4008);
            							} else {
            								E00405F74(_t100,  *0x473dd4);
            							}
            							__eflags = _t96 + 0xffffffeb - 7;
            							if(__eflags < 0) {
            								L41:
            								E0040605C(_t100);
            							}
            							goto L44;
            						}
            						_t98 = 2;
            						_t54 = GetVersion();
            						if(_t54 >= 0 || _t54 == 0x5a04 ||  *(_t106 + 0x20) == 0x23 ||  *(_t106 + 0x20) == 0x2e) {
            							 *(_t106 + 0x2c) = 1;
            						} else {
            							 *(_t106 + 0x2c) =  *(_t106 + 0x2c) & 0x00000000;
            						}
            						if( *0x473e84 != 0) {
            							_t98 = 4;
            						}
            						if(_t72 >= 0) {
            							__eflags = _t72 - 0x25;
            							if(_t72 != 0x25) {
            								__eflags = _t72 - 0x24;
            								if(_t72 == 0x24) {
            									GetWindowsDirectoryW(_t100, 0x2004);
            									_t98 = 0;
            								}
            								while(1) {
            									__eflags = _t98;
            									if(_t98 == 0) {
            										goto L33;
            									}
            									_t55 =  *0x473dd0;
            									_t98 = _t98 - 1;
            									__eflags = _t55;
            									if(_t55 == 0) {
            										L29:
            										_t57 = SHGetSpecialFolderLocation( *0x473dd4,  *(_t106 + 0x18 + _t98 * 4), _t106 + 0x10);
            										__eflags = _t57;
            										if(_t57 != 0) {
            											L31:
            											 *_t100 =  *_t100 & 0x00000000;
            											__eflags =  *_t100;
            											continue;
            										}
            										__imp__SHGetPathFromIDListW( *(_t106 + 0x14), _t100);
            										__imp__CoTaskMemFree( *(_t106 + 0x10));
            										__eflags = _t57;
            										if(_t57 != 0) {
            											goto L33;
            										}
            										goto L31;
            									}
            									__eflags =  *(_t106 + 0x2c);
            									if( *(_t106 + 0x2c) == 0) {
            										goto L29;
            									}
            									_t59 =  *_t55( *0x473dd4,  *((intOrPtr*)(_t106 + 0x20 + _t98 * 4)), 0, 0, _t100); // executed
            									__eflags = _t59;
            									if(_t59 == 0) {
            										goto L33;
            									}
            									goto L29;
            								}
            								goto L33;
            							}
            							GetSystemDirectoryW(_t100, 0x2004);
            							goto L33;
            						} else {
            							_t74 = _t72 & 0x0000003f;
            							E00405EFA(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x473df8 + (_t72 & 0x0000003f) * 2, _t100, _t72 & 0x00000040);
            							if( *_t100 != 0) {
            								L34:
            								if( *(_t106 + 0x20) == 0x1a) {
            									lstrcatW(_t100, L"\\Microsoft\\Internet Explorer\\Quick Launch");
            								}
            								goto L41;
            							}
            							E00406820(_t74, _t98, _t100, _t100,  *(_t106 + 0x20));
            							L33:
            							if( *_t100 == 0) {
            								goto L41;
            							}
            							goto L34;
            						}
            					}
            					goto L51;
            				}
            			}


            APIs
            • GetVersion.KERNEL32(00000000,?,0043C228,?,0043C228,00000000,00424150,00000000,00000000), ref: 004068F0
            • GetSystemDirectoryW.KERNEL32(00463540,00002004), ref: 00406973
              • Part of subcall function 0040602D: lstrcpynW.KERNEL32(?,?,00002004,00403920,0046BDC0,NSIS Error), ref: 0040603A
            • GetWindowsDirectoryW.KERNEL32(00463540,00002004), ref: 00406986
            • lstrcatW.KERNEL32(00463540,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A04
            • lstrlenW.KERNEL32(00463540,00000000,?,0043C228,?,0043C228,00000000,00424150,00000000,00000000), ref: 00406A5E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
            • String ID: .$@5F$@5F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
            • API String ID: 3581403547-2462334739
            • Opcode ID: 95926efc6c3610f7d6fa915319345213f1768bc879491ab7f7588908531437c4
            • Instruction ID: 6f210e65e5bdd83496655f55c9cb6e66988f7a6e7174f4c128f7467b39b1ba21
            • Opcode Fuzzy Hash: 95926efc6c3610f7d6fa915319345213f1768bc879491ab7f7588908531437c4
            • Instruction Fuzzy Hash: A861F5B16002129BDB20AF24CC44B6B72A5FF85304F12853FF587B66D0E77C89A18A5E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E00407E74(void* __edx) {
            				void* _t518;
            				signed int _t519;
            				signed int _t549;
            				signed short* _t590;
            				intOrPtr* _t597;
            
            				L0:
            				while(1) {
            					L0:
            					if( *(_t597 + 0x38) != 0) {
            						 *(_t597 + 0x44) = 1;
            						_t590 = __edx + 0x180 +  *(_t597 + 0x40) * 2;
            						 *(_t597 - 0xc) = 7;
            						goto L134;
            					} else {
            						__esi =  *(__ebp + 0x1c) & 0x000000ff;
            						 *(__ebp + 0x18) =  *(__ebp + 0x18) &  *(__ebp + 0x60);
            						__ecx = 8;
            						__cl = __cl -  *(__ebp + 0x3c);
            						__esi = ( *(__ebp + 0x1c) & 0x000000ff) >> __cl;
            						__ecx =  *(__ebp + 0x3c);
            						__esi = (( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl);
            						__esi = ((( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl)) * 0x600;
            						__ecx = __esi + __edx + 0xe6c;
            						 *(__ebp + 0x20) = __esi + __edx + 0xe6c;
            						if( *(__ebp + 0x40) >= 4) {
            							if( *(__ebp + 0x40) >= 0xa) {
            								_t91 = __ebp + 0x40;
            								 *_t91 =  *(__ebp + 0x40) - 6;
            							} else {
            								 *(__ebp + 0x40) =  *(__ebp + 0x40) - 3;
            							}
            						} else {
            							 *(__ebp + 0x40) = 0;
            						}
            						if( *(__ebp + 0x44) == __eax) {
            							__ebx = 0;
            							__ebx = 1;
            							goto L62;
            						} else {
            							__eax =  *(__ebp + 0x64);
            							__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            							if(__eax >=  *(__ebp + 4)) {
            								__eax = __eax +  *(__ebp + 4);
            							}
            							__ecx =  *(__ebp + 0x70);
            							__al =  *((intOrPtr*)(__eax + __ecx));
            							__ebx = 0;
            							 *(__ebp + 0x1d) =  *((intOrPtr*)(__eax + __ecx));
            							__ebx = 1;
            							L42:
            							__eax =  *(__ebp + 0x1d) & 0x000000ff;
            							 *(__ebp + 0x1d) =  *(__ebp + 0x1d) << 1;
            							__ecx =  *(__ebp + 0x20);
            							__eax = ( *(__ebp + 0x1d) & 0x000000ff) >> 7;
            							 *(__ebp + 0x30) = __eax;
            							__eax = __eax + 1;
            							__eax = __eax << 8;
            							__esi =  *(__ebp + 0x20) + __eax * 2;
            							__eax =  *__esi & 0x0000ffff;
            							__ecx =  *(__ebp + 0x68);
            							__edx = __ax & 0x0000ffff;
            							__ecx =  *(__ebp + 0x68) >> 0xb;
            							__ecx = ( *(__ebp + 0x68) >> 0xb) * __edx;
            							 *(__ebp + 0x24) = __esi;
            							if( *(__ebp + 0x6c) >= __ecx) {
            								 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            								 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            								__cx = __ax;
            								__cx = __ax >> 5;
            								__ax = __ax - __cx;
            								 *(__ebp + 0x38) = 1;
            								 *__esi = __ax;
            								__ebx = __ebx + __ebx + 1;
            							} else {
            								 *(__ebp + 0x38) =  *(__ebp + 0x38) & 0x00000000;
            								 *(__ebp + 0x68) = __ecx;
            								0x800 = 0x800 - __edx;
            								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
            								 *__esi = __cx;
            								__ebx = __ebx + __ebx;
            							}
            							 *(__ebp + 0x34) = __ebx;
            							if( *(__ebp + 0x68) >= 0x1000000) {
            								L40:
            								__eax =  *(__ebp + 0x38);
            								if( *(__ebp + 0x30) !=  *(__ebp + 0x38)) {
            									goto L49;
            								} else {
            									if(__ebx >= 0x100) {
            										L55:
            										_t165 = __ebp + 0x44;
            										 *_t165 =  *(__ebp + 0x44) & 0x00000000;
            										L56:
            										__al =  *(__ebp + 0x34);
            										 *(__ebp + 0x1c) =  *(__ebp + 0x34);
            										L57:
            										if( *(__ebp + 0x14) == 0) {
            											 *(__ebp - 0x10) = 0x1a;
            											goto L173;
            										} else {
            											__al =  *(__ebp + 0x1c);
            											__ecx =  *(__ebp + 0x10);
            											__edx =  *(__ebp + 0x70);
            											 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            											 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            											 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            											 *( *(__ebp + 0x10)) = __al;
            											__ecx =  *(__ebp + 0x64);
            											 *((char*)(__ecx +  *(__ebp + 0x70))) = __al;
            											__eax = __ecx + 1;
            											__edx = 0;
            											_t184 = __eax %  *(__ebp + 4);
            											__eax = __eax /  *(__ebp + 4);
            											__edx = _t184;
            											L81:
            											 *(__ebp + 0x64) = __edx;
            											L82:
            											 *(__ebp - 0x10) = 2;
            											L2:
            											_t518 =  *(_t597 - 0x10);
            											if(_t518 > 0x1c) {
            												L174:
            												_t519 = _t518 | 0xffffffff;
            											} else {
            												switch( *((intOrPtr*)(_t518 * 4 +  &M004086B6))) {
            													case 0:
            														if( *(_t597 + 0xc) == 0) {
            															goto L173;
            														} else {
            															 *(_t597 + 0xc) =  *(_t597 + 0xc) - 1;
            															_t518 =  *( *(_t597 + 8));
            															 *(_t597 + 8) =  &(( *(_t597 + 8))[1]);
            															if(_t518 > 0xe1) {
            																goto L174;
            															} else {
            																_t522 = _t518 & 0x000000ff;
            																asm("cdq");
            																_push(0x2d);
            																_pop(_t551);
            																_push(9);
            																_pop(_t552);
            																_t593 = _t522 / _t551;
            																_t524 = _t522 % _t551 & 0x000000ff;
            																asm("cdq");
            																_t588 = _t524 % _t552 & 0x000000ff;
            																 *(_t597 + 0x3c) = _t588;
            																 *(_t597 + 0x5c) = (1 << _t593) - 1;
            																 *((intOrPtr*)(_t597 + 0x60)) = (1 << _t524 / _t552) - 1;
            																_t596 = (0x300 << _t588 + _t593) + 0x736;
            																if(0x600 ==  *_t597) {
            																	L11:
            																	if(_t596 != 0) {
            																		do {
            																			_t596 = _t596 - 1;
            																			 *((short*)( *(_t597 + 0x74) + _t596 * 2)) = 0x400;
            																		} while (_t596 != 0);
            																	}
            																	 *(_t597 + 0x30) =  *(_t597 + 0x30) & 0x00000000;
            																	 *(_t597 + 0x38) =  *(_t597 + 0x38) & 0x00000000;
            																	goto L16;
            																} else {
            																	if( *(_t597 + 0x74) != 0) {
            																		GlobalFree( *(_t597 + 0x74)); // executed
            																	}
            																	_t518 = GlobalAlloc(0x40, 0x600); // executed
            																	 *(_t597 + 0x74) = _t518;
            																	if(_t518 == 0) {
            																		goto L174;
            																	} else {
            																		 *_t597 = 0x600;
            																		goto L11;
            																	}
            																}
            															}
            														}
            														goto L175;
            													case 1:
            														L14:
            														__eflags =  *(_t597 + 0xc);
            														if( *(_t597 + 0xc) == 0) {
            															 *(_t597 - 0x10) = 1;
            															goto L173;
            														} else {
            															 *(_t597 + 0xc) =  *(_t597 + 0xc) - 1;
            															 *(_t597 + 0x38) =  *(_t597 + 0x38) | ( *( *(_t597 + 8)) & 0x000000ff) <<  *(_t597 + 0x30) << 0x00000003;
            															 *(_t597 + 8) =  &(( *(_t597 + 8))[1]);
            															_t44 = _t597 + 0x30;
            															 *_t44 =  *(_t597 + 0x30) + 1;
            															__eflags =  *_t44;
            															L16:
            															if( *(_t597 + 0x30) < 4) {
            																goto L14;
            															} else {
            																_t529 =  *(_t597 + 0x38);
            																if(_t529 ==  *(_t597 + 4)) {
            																	L21:
            																	 *((char*)( *(_t597 + 0x70) +  *(_t597 + 4) - 1)) = 0;
            																	 *(_t597 + 0x30) = 5;
            																	goto L24;
            																} else {
            																	 *(_t597 + 4) = _t529;
            																	if( *(_t597 + 0x70) != 0) {
            																		GlobalFree( *(_t597 + 0x70)); // executed
            																	}
            																	_t518 = GlobalAlloc(0x40,  *(_t597 + 0x38)); // executed
            																	 *(_t597 + 0x70) = _t518;
            																	if(_t518 == 0) {
            																		goto L174;
            																	} else {
            																		goto L21;
            																	}
            																}
            															}
            														}
            														goto L175;
            													case 2:
            														L26:
            														_t536 =  *(_t597 + 0x18) &  *(_t597 + 0x5c);
            														 *(_t597 + 0x2c) = _t536;
            														_t590 = _t581 + (( *(_t597 + 0x40) << 4) + _t536) * 2;
            														 *(_t597 - 0xc) = 6;
            														goto L134;
            													case 3:
            														L22:
            														__eflags =  *(_t597 + 0xc);
            														if( *(_t597 + 0xc) == 0) {
            															 *(_t597 - 0x10) = 3;
            															goto L173;
            														} else {
            															 *(_t597 + 0xc) =  *(_t597 + 0xc) - 1;
            															_t64 = _t597 + 8;
            															 *_t64 =  &(( *(_t597 + 8))[1]);
            															__eflags =  *_t64;
            															 *(_t597 + 0x6c) =  *(_t597 + 0x6c) << 0x00000008 |  *( *(_t597 + 8)) & 0x000000ff;
            															L24:
            															 *(_t597 + 0x30) =  *(_t597 + 0x30) - 1;
            															if( *(_t597 + 0x30) != 0) {
            																goto L22;
            															} else {
            																_t581 =  *(_t597 + 0x74);
            																goto L26;
            															}
            														}
            														goto L175;
            													case 4:
            														L135:
            														_t515 =  *_t590 & 0x0000ffff;
            														_t583 = _t515 & 0x0000ffff;
            														_t546 = ( *(_t597 + 0x68) >> 0xb) * _t583;
            														if( *(_t597 + 0x6c) >= _t546) {
            															 *(_t597 + 0x68) =  *(_t597 + 0x68) - _t546;
            															 *(_t597 + 0x6c) =  *(_t597 + 0x6c) - _t546;
            															_t516 = _t515 - (_t515 >> 5);
            															__eflags = _t516;
            															 *_t590 = _t516;
            															 *(_t597 + 0x38) = 1;
            														} else {
            															 *(_t597 + 0x68) = _t546;
            															 *(_t597 + 0x38) =  *(_t597 + 0x38) & 0x00000000;
            															 *_t590 = (0x800 - _t583 >> 5) + _t515;
            														}
            														if( *(_t597 + 0x68) >= 0x1000000) {
            															goto L141;
            														} else {
            															goto L139;
            														}
            														goto L175;
            													case 5:
            														L139:
            														if( *(_t597 + 0xc) == 0) {
            															 *(_t597 - 0x10) = 5;
            															goto L173;
            														} else {
            															 *(_t597 + 0x68) =  *(_t597 + 0x68) << 8;
            															 *(_t597 + 0xc) =  *(_t597 + 0xc) - 1;
            															 *(_t597 + 8) =  &(( *(_t597 + 8))[1]);
            															 *(_t597 + 0x6c) =  *(_t597 + 0x6c) << 0x00000008 |  *( *(_t597 + 8)) & 0x000000ff;
            															L141:
            															_t517 =  *(_t597 - 0xc);
            															goto L159;
            														}
            														goto L175;
            													case 6:
            														goto L0;
            													case 7:
            														__eflags =  *(__ebp + 0x38) - 1;
            														if( *(__ebp + 0x38) != 1) {
            															__eax =  *(__ebp + 0x54);
            															 *(__ebp + 0x58) =  *(__ebp + 0x54);
            															__eax =  *(__ebp + 0x50);
            															 *(__ebp + 0x54) =  *(__ebp + 0x50);
            															__eax =  *(__ebp + 0x4c);
            															 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            															__eax = 0;
            															__eflags =  *(__ebp + 0x40) - 7;
            															 *(__ebp - 8) = 0x16;
            															0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            															__eax = (__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd;
            															__eax = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xa;
            															__eflags = __eax;
            															 *(__ebp + 0x40) = __eax;
            															__eax = __edx + 0x664;
            															 *(__ebp + 0x20) = __eax;
            															goto L70;
            														} else {
            															__eax =  *(__ebp + 0x40);
            															__esi = __edx + 0x198 + __eax * 2;
            															 *(__ebp - 0xc) = 8;
            														}
            														goto L134;
            													case 8:
            														__eflags =  *(__ebp + 0x38);
            														__eax =  *(__ebp + 0x40);
            														if( *(__ebp + 0x38) != 0) {
            															__esi = __edx + 0x1b0 + __eax * 2;
            															 *(__ebp - 0xc) = 0xa;
            														} else {
            															__eax = __eax + 0xf;
            															__eax = __eax << 4;
            															__eax = __eax +  *(__ebp + 0x2c);
            															 *(__ebp - 0xc) = 9;
            															__esi = __edx + __eax * 2;
            														}
            														goto L134;
            													case 9:
            														__eflags =  *(__ebp + 0x38);
            														if( *(__ebp + 0x38) != 0) {
            															goto L91;
            														} else {
            															__eflags =  *(__ebp + 0x18);
            															if( *(__ebp + 0x18) == 0) {
            																goto L174;
            															} else {
            																__eax = 0;
            																__eflags =  *(__ebp + 0x40) - 7;
            																_t247 =  *(__ebp + 0x40) - 7 >= 0;
            																__eflags = _t247;
            																__eax = 0 | _t247;
            																__eax = _t247 + _t247 + 9;
            																 *(__ebp + 0x40) = _t247 + _t247 + 9;
            																goto L77;
            															}
            														}
            														goto L175;
            													case 0xa:
            														__eflags =  *(__ebp + 0x38);
            														if( *(__ebp + 0x38) != 0) {
            															__eax =  *(__ebp + 0x40);
            															__esi = __edx + 0x1c8 + __eax * 2;
            															 *(__ebp - 0xc) = 0xb;
            														} else {
            															__eax =  *(__ebp + 0x50);
            															goto L90;
            														}
            														goto L134;
            													case 0xb:
            														__eflags =  *(__ebp + 0x38);
            														if( *(__ebp + 0x38) != 0) {
            															__ecx =  *(__ebp + 0x54);
            															__eax =  *(__ebp + 0x58);
            															 *(__ebp + 0x58) =  *(__ebp + 0x54);
            														} else {
            															__eax =  *(__ebp + 0x54);
            														}
            														__ecx =  *(__ebp + 0x50);
            														 *(__ebp + 0x54) =  *(__ebp + 0x50);
            														L90:
            														__ecx =  *(__ebp + 0x4c);
            														 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            														 *(__ebp + 0x4c) = __eax;
            														L91:
            														__eax = __edx + 0xa68;
            														 *(__ebp + 0x20) = __eax;
            														 *(__ebp - 8) = 0x15;
            														goto L70;
            													case 0xc:
            														__eax =  *(__ebp + 0x4c);
            														goto L102;
            													case 0xd:
            														goto L38;
            													case 0xe:
            														L47:
            														__eflags =  *(__ebp + 0xc);
            														if( *(__ebp + 0xc) == 0) {
            															 *(__ebp - 0x10) = 0xe;
            															goto L173;
            														} else {
            															__ecx =  *(__ebp + 8);
            															__eax =  *(__ebp + 0x6c);
            															__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            															 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            															 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            															_t148 = __ebp + 8;
            															 *_t148 =  *(__ebp + 8) + 1;
            															__eflags =  *_t148;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            															while(1) {
            																L49:
            																__eflags = __ebx - 0x100;
            																if(__ebx >= 0x100) {
            																	goto L55;
            																}
            																__eax =  *(__ebp + 0x20);
            																__ecx =  *(__ebp + 0x68);
            																__edx = __ebx + __ebx;
            																__esi = __edx +  *(__ebp + 0x20);
            																__eax =  *__esi & 0x0000ffff;
            																__edi = __ax & 0x0000ffff;
            																__ecx =  *(__ebp + 0x68) >> 0xb;
            																__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            																__eflags =  *(__ebp + 0x6c) - __ecx;
            																 *(__ebp + 0x24) = __esi;
            																if( *(__ebp + 0x6c) >= __ecx) {
            																	 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            																	 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            																	__cx = __ax;
            																	__cx = __ax >> 5;
            																	__ax = __ax - __cx;
            																	__eflags = __ax;
            																	 *__esi = __ax;
            																	__ebx = __edx + 1;
            																} else {
            																	 *(__ebp + 0x68) = __ecx;
            																	0x800 = 0x800 - __edi;
            																	0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            																	 *__esi = __cx;
            																	__ebx = __ebx + __ebx;
            																}
            																__eflags =  *(__ebp + 0x68) - 0x1000000;
            																 *(__ebp + 0x34) = __ebx;
            																if( *(__ebp + 0x68) >= 0x1000000) {
            																	continue;
            																} else {
            																	goto L47;
            																}
            																goto L175;
            															}
            															goto L55;
            														}
            														goto L175;
            													case 0xf:
            														L59:
            														__eflags =  *(__ebp + 0xc);
            														if( *(__ebp + 0xc) == 0) {
            															 *(__ebp - 0x10) = 0xf;
            															goto L173;
            														} else {
            															__ecx =  *(__ebp + 8);
            															__eax =  *(__ebp + 0x6c);
            															__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            															 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            															 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            															_t195 = __ebp + 8;
            															 *_t195 =  *(__ebp + 8) + 1;
            															__eflags =  *_t195;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            															L61:
            															__eflags = __ebx - 0x100;
            															if(__ebx >= 0x100) {
            																goto L56;
            															} else {
            																L62:
            																__eax =  *(__ebp + 0x20);
            																__ecx =  *(__ebp + 0x68);
            																__edx = __ebx + __ebx;
            																__esi = __edx +  *(__ebp + 0x20);
            																__eax =  *__esi & 0x0000ffff;
            																__edi = __ax & 0x0000ffff;
            																__ecx =  *(__ebp + 0x68) >> 0xb;
            																__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            																__eflags =  *(__ebp + 0x6c) - __ecx;
            																 *(__ebp + 0x24) = __esi;
            																if( *(__ebp + 0x6c) >= __ecx) {
            																	 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            																	 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            																	__cx = __ax;
            																	__cx = __ax >> 5;
            																	__ax = __ax - __cx;
            																	__eflags = __ax;
            																	 *__esi = __ax;
            																	__ebx = __edx + 1;
            																} else {
            																	 *(__ebp + 0x68) = __ecx;
            																	0x800 = 0x800 - __edi;
            																	0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            																	 *__esi = __cx;
            																	__ebx = __ebx + __ebx;
            																}
            																__eflags =  *(__ebp + 0x68) - 0x1000000;
            																 *(__ebp + 0x34) = __ebx;
            																if( *(__ebp + 0x68) >= 0x1000000) {
            																	goto L61;
            																} else {
            																	goto L59;
            																}
            															}
            														}
            														goto L175;
            													case 0x10:
            														L112:
            														__eflags =  *(__ebp + 0xc);
            														if( *(__ebp + 0xc) == 0) {
            															 *(__ebp - 0x10) = 0x10;
            															goto L173;
            														} else {
            															__ecx =  *(__ebp + 8);
            															__eax =  *(__ebp + 0x6c);
            															__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            															 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            															 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            															_t350 = __ebp + 8;
            															 *_t350 =  *(__ebp + 8) + 1;
            															__eflags =  *_t350;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            															goto L114;
            														}
            														goto L175;
            													case 0x11:
            														L70:
            														__esi =  *(__ebp + 0x20);
            														 *(__ebp - 0xc) = 0x12;
            														goto L134;
            													case 0x12:
            														__eflags =  *(__ebp + 0x38);
            														if( *(__ebp + 0x38) != 0) {
            															 *(__ebp + 0x20) =  *(__ebp + 0x20) + 2;
            															__eflags =  *(__ebp + 0x20) + 2;
            															 *(__ebp - 0xc) = 0x13;
            															L134:
            															 *(_t597 + 0x24) = _t590;
            															goto L135;
            														} else {
            															__eax =  *(__ebp + 0x2c);
            															 *(__ebp + 0x48) =  *(__ebp + 0x48) & 0x00000000;
            															__ecx =  *(__ebp + 0x20);
            															__eax =  *(__ebp + 0x2c) << 4;
            															__eax =  *(__ebp + 0x20) + ( *(__ebp + 0x2c) << 4) + 4;
            															goto L144;
            														}
            														goto L175;
            													case 0x13:
            														__eflags =  *(__ebp + 0x38);
            														if( *(__ebp + 0x38) != 0) {
            															_t451 = __ebp + 0x20;
            															 *_t451 =  *(__ebp + 0x20) + 0x204;
            															__eflags =  *_t451;
            															 *(__ebp + 0x48) = 0x10;
            															 *(__ebp + 0x38) = 8;
            														} else {
            															__eax =  *(__ebp + 0x2c);
            															__ecx =  *(__ebp + 0x20);
            															__eax =  *(__ebp + 0x2c) << 4;
            															__eflags = __eax;
            															 *(__ebp + 0x48) = 8;
            															__eax =  *(__ebp + 0x20) + __eax + 0x104;
            															L144:
            															 *(__ebp + 0x20) = __eax;
            															 *(__ebp + 0x38) = 3;
            														}
            														 *(__ebp - 4) = 0x14;
            														goto L147;
            													case 0x14:
            														_t492 = __ebp + 0x48;
            														 *_t492 =  *(__ebp + 0x48) + __ebx;
            														__eflags =  *_t492;
            														__eax =  *(__ebp - 8);
            														goto L159;
            													case 0x15:
            														__eax = 0;
            														__eflags =  *(__ebp + 0x40) - 7;
            														0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            														(__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            														 *(__ebp + 0x40) = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            														goto L123;
            													case 0x16:
            														__eax =  *(__ebp + 0x48);
            														__eflags = __eax - 4;
            														if(__eax >= 4) {
            															_push(3);
            															_pop(__eax);
            														}
            														__eax = __eax << 7;
            														 *(__ebp + 0x20) = __eax;
            														 *(__ebp + 0x38) = 6;
            														 *(__ebp - 4) = 0x19;
            														goto L147;
            													case 0x17:
            														L147:
            														__eax =  *(__ebp + 0x38);
            														 *(__ebp + 0x28) = 1;
            														 *(__ebp + 0x30) =  *(__ebp + 0x38);
            														goto L151;
            													case 0x18:
            														L148:
            														__eflags =  *(__ebp + 0xc);
            														if( *(__ebp + 0xc) == 0) {
            															 *(__ebp - 0x10) = 0x18;
            															goto L173;
            														} else {
            															__ecx =  *(__ebp + 8);
            															__eax =  *(__ebp + 0x6c);
            															__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            															 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            															 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            															_t466 = __ebp + 8;
            															 *_t466 =  *(__ebp + 8) + 1;
            															__eflags =  *_t466;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            															L150:
            															_t469 = __ebp + 0x30;
            															 *_t469 =  *(__ebp + 0x30) - 1;
            															__eflags =  *_t469;
            															__edx =  *(__ebp + 0x74);
            															L151:
            															__eflags =  *(__ebp + 0x30);
            															if( *(__ebp + 0x30) <= 0) {
            																__ecx =  *(__ebp + 0x38);
            																__ebx =  *(__ebp + 0x28);
            																0 = 1;
            																__eax = 1 << __cl;
            																__ebx =  *(__ebp + 0x28) - (1 << __cl);
            																__eax =  *(__ebp - 4);
            																 *(__ebp + 0x34) = __ebx;
            																L159:
            																 *(_t597 - 0x10) = _t517;
            																goto L2;
            															} else {
            																__edx =  *(__ebp + 0x28);
            																__eax =  *(__ebp + 0x20);
            																__ecx =  *(__ebp + 0x68);
            																__edx =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            																__esi = __edx +  *(__ebp + 0x20);
            																__eax =  *__esi & 0x0000ffff;
            																__edi = __ax & 0x0000ffff;
            																__ecx =  *(__ebp + 0x68) >> 0xb;
            																__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            																__eflags =  *(__ebp + 0x6c) - __ecx;
            																 *(__ebp + 0x24) = __esi;
            																if( *(__ebp + 0x6c) >= __ecx) {
            																	 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            																	 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            																	__cx = __ax;
            																	__cx = __ax >> 5;
            																	__ax = __ax - __cx;
            																	__edx = __edx + 1;
            																	__eflags = __edx;
            																	 *__esi = __ax;
            																	 *(__ebp + 0x28) = __edx;
            																} else {
            																	 *(__ebp + 0x68) = __ecx;
            																	0x800 = 0x800 - __edi;
            																	0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            																	 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            																	 *__esi = __cx;
            																}
            																__eflags =  *(__ebp + 0x68) - 0x1000000;
            																if( *(__ebp + 0x68) >= 0x1000000) {
            																	goto L150;
            																} else {
            																	goto L148;
            																}
            															}
            														}
            														goto L175;
            													case 0x19:
            														__eflags = __ebx - 4;
            														if(__ebx < 4) {
            															 *(__ebp + 0x4c) = __ebx;
            															goto L122;
            														} else {
            															__ecx = __ebx;
            															__ebx = __ebx & 0x00000001;
            															__ecx = __ebx >> 1;
            															__ecx = (__ebx >> 1) - 1;
            															__eax = __ebx & 0x00000001 | 0x00000002;
            															__eax = (__ebx & 0x00000001 | 0x00000002) << __cl;
            															__eflags = __ebx - 0xe;
            															 *(__ebp + 0x4c) = __eax;
            															if(__ebx >= 0xe) {
            																__ebx = 0;
            																 *(__ebp + 0x30) = __ecx;
            																L105:
            																__eflags =  *(__ebp + 0x30);
            																if( *(__ebp + 0x30) <= 0) {
            																	__eax = __eax + __ebx;
            																	__edx = __edx + 0x644;
            																	__eflags = __edx;
            																	 *(__ebp + 0x4c) = __eax;
            																	 *(__ebp + 0x20) = __edx;
            																	 *(__ebp + 0x38) = 4;
            																	goto L111;
            																} else {
            																	__ecx =  *(__ebp + 0x6c);
            																	 *(__ebp + 0x68) =  *(__ebp + 0x68) >> 1;
            																	__ebx = __ebx + __ebx;
            																	__eflags = __ecx -  *(__ebp + 0x68);
            																	 *(__ebp + 0x34) = __ebx;
            																	if(__ecx >=  *(__ebp + 0x68)) {
            																		__ecx = __ecx -  *(__ebp + 0x68);
            																		__ebx = __ebx | 0x00000001;
            																		__eflags = __ebx;
            																		 *(__ebp + 0x6c) = __ecx;
            																		 *(__ebp + 0x34) = __ebx;
            																	}
            																	__eflags =  *(__ebp + 0x68) - 0x1000000;
            																	if( *(__ebp + 0x68) >= 0x1000000) {
            																		L104:
            																		_t325 = __ebp + 0x30;
            																		 *_t325 =  *(__ebp + 0x30) - 1;
            																		__eflags =  *_t325;
            																		goto L105;
            																	} else {
            																		L102:
            																		__eflags =  *(__ebp + 0xc);
            																		if( *(__ebp + 0xc) == 0) {
            																			 *(__ebp - 0x10) = 0xc;
            																			goto L173;
            																		} else {
            																			__edi =  *(__ebp + 8);
            																			__ecx =  *(__ebp + 0x6c);
            																			__edi =  *( *(__ebp + 8)) & 0x000000ff;
            																			 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            																			 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            																			 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																			_t322 = __ebp + 8;
            																			 *_t322 =  *(__ebp + 8) + 1;
            																			__eflags =  *_t322;
            																			 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																			goto L104;
            																		}
            																	}
            																}
            															} else {
            																__eax = __eax - __ebx;
            																 *(__ebp + 0x20) = __eax;
            																 *(__ebp + 0x38) = __ecx;
            																L111:
            																__ebx = 0;
            																 *(__ebp + 0x28) = 1;
            																 *(__ebp + 0x34) = 0;
            																 *(__ebp + 0x30) = 0;
            																L115:
            																__eax =  *(__ebp + 0x38);
            																__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            																if( *(__ebp + 0x30) >=  *(__ebp + 0x38)) {
            																	_t375 = __ebp + 0x4c;
            																	 *_t375 =  *(__ebp + 0x4c) + __ebx;
            																	__eflags =  *_t375;
            																	L122:
            																	_t377 = __ebp + 0x4c;
            																	 *_t377 =  *(__ebp + 0x4c) + 1;
            																	__eflags =  *_t377;
            																	L123:
            																	__eax =  *(__ebp + 0x4c);
            																	__eflags = __eax;
            																	if(__eax == 0) {
            																		 *(__ebp + 0x48) =  *(__ebp + 0x48) | 0xffffffff;
            																		goto L173;
            																	} else {
            																		__eflags = __eax -  *(__ebp + 0x18);
            																		if(__eax >  *(__ebp + 0x18)) {
            																			goto L174;
            																		} else {
            																			 *(__ebp + 0x48) =  *(__ebp + 0x48) + 2;
            																			__eax =  *(__ebp + 0x48);
            																			_t384 = __ebp + 0x18;
            																			 *_t384 =  *(__ebp + 0x18) +  *(__ebp + 0x48);
            																			__eflags =  *_t384;
            																			goto L126;
            																		}
            																	}
            																} else {
            																	__edi =  *(__ebp + 0x28);
            																	__eax =  *(__ebp + 0x20);
            																	__edx =  *(__ebp + 0x68);
            																	__edi =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            																	__esi = __edi +  *(__ebp + 0x20);
            																	__eax =  *__esi & 0x0000ffff;
            																	__ecx = __ax & 0x0000ffff;
            																	__edx =  *(__ebp + 0x68) >> 0xb;
            																	__edx = ( *(__ebp + 0x68) >> 0xb) * __ecx;
            																	__eflags =  *(__ebp + 0x6c) - __edx;
            																	 *(__ebp + 0x24) = __esi;
            																	if( *(__ebp + 0x6c) >= __edx) {
            																		 *(__ebp + 0x68) =  *(__ebp + 0x68) - __edx;
            																		 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __edx;
            																		0 = 1;
            																		__ebx = 1;
            																		__ecx =  *(__ebp + 0x30);
            																		__ebx = 1 << __cl;
            																		__ecx = 1 << __cl;
            																		__ebx =  *(__ebp + 0x34);
            																		__ebx =  *(__ebp + 0x34) | 1 << __cl;
            																		__cx = __ax;
            																		__cx = __ax >> 5;
            																		__ax = __ax - __cx;
            																		__edi = __edi + 1;
            																		__eflags = __edi;
            																		 *(__ebp + 0x34) = __ebx;
            																		 *__esi = __ax;
            																		 *(__ebp + 0x28) = __edi;
            																	} else {
            																		 *(__ebp + 0x68) = __edx;
            																		0x800 = 0x800 - __ecx;
            																		0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
            																		 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            																		 *__esi = __dx;
            																	}
            																	__eflags =  *(__ebp + 0x68) - 0x1000000;
            																	if( *(__ebp + 0x68) >= 0x1000000) {
            																		L114:
            																		_t353 = __ebp + 0x30;
            																		 *_t353 =  *(__ebp + 0x30) + 1;
            																		__eflags =  *_t353;
            																		goto L115;
            																	} else {
            																		goto L112;
            																	}
            																}
            															}
            														}
            														goto L175;
            													case 0x1a:
            														goto L57;
            													case 0x1b:
            														L77:
            														__eflags =  *(__ebp + 0x14);
            														if( *(__ebp + 0x14) == 0) {
            															 *(__ebp - 0x10) = 0x1b;
            															goto L173;
            														} else {
            															__eax =  *(__ebp + 0x64);
            															__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            															__eflags = __eax -  *(__ebp + 4);
            															if(__eax >=  *(__ebp + 4)) {
            																__eax = __eax +  *(__ebp + 4);
            																__eflags = __eax;
            															}
            															__edx =  *(__ebp + 0x70);
            															__cl =  *(__eax + __edx);
            															__eax =  *(__ebp + 0x64);
            															 *(__eax + __edx) = __cl;
            															__eax = __eax + 1;
            															__edx = 0;
            															_t262 = __eax %  *(__ebp + 4);
            															__eax = __eax /  *(__ebp + 4);
            															__edx = _t262;
            															 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            															__eax =  *(__ebp + 0x10);
            															 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            															_t271 = __ebp + 0x14;
            															 *_t271 =  *(__ebp + 0x14) - 1;
            															__eflags =  *_t271;
            															 *(__ebp + 0x1c) = __cl;
            															 *__eax = __cl;
            															goto L81;
            														}
            														goto L175;
            													case 0x1c:
            														while(1) {
            															L126:
            															__eflags =  *(__ebp + 0x14);
            															if( *(__ebp + 0x14) == 0) {
            																break;
            															}
            															__eax =  *(__ebp + 0x64);
            															__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            															__eflags = __eax -  *(__ebp + 4);
            															if(__eax >=  *(__ebp + 4)) {
            																__eax = __eax +  *(__ebp + 4);
            																__eflags = __eax;
            															}
            															__edx =  *(__ebp + 0x70);
            															__cl =  *(__eax + __edx);
            															__eax =  *(__ebp + 0x64);
            															 *(__eax + __edx) = __cl;
            															__eax = __eax + 1;
            															__edx = 0;
            															_t397 = __eax %  *(__ebp + 4);
            															__eax = __eax /  *(__ebp + 4);
            															__edx = _t397;
            															__eax =  *(__ebp + 0x10);
            															 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            															 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            															 *(__ebp + 0x48) =  *(__ebp + 0x48) - 1;
            															__eflags =  *(__ebp + 0x48);
            															 *(__ebp + 0x1c) = __cl;
            															 *__eax = __cl;
            															 *(__ebp + 0x64) = __edx;
            															if( *(__ebp + 0x48) > 0) {
            																continue;
            															} else {
            																goto L82;
            															}
            															goto L175;
            														}
            														 *(__ebp - 0x10) = 0x1c;
            														goto L173;
            												}
            											}
            										}
            									} else {
            										goto L42;
            									}
            								}
            							} else {
            								L38:
            								if( *(__ebp + 0xc) == 0) {
            									 *(__ebp - 0x10) = 0xd;
            									L173:
            									_t549 = 0x22;
            									memcpy( *(_t597 - 0x18), _t597 - 0x10, _t549 << 2);
            									_t519 = 0;
            								} else {
            									__ecx =  *(__ebp + 8);
            									__eax =  *(__ebp + 0x6c);
            									__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            									 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            									 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            									 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									_t114 = __ebp + 8;
            									 *_t114 =  *(__ebp + 8) + 1;
            									 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									goto L40;
            								}
            							}
            						}
            					}
            					L175:
            					return _t519;
            				}
            			}








            0x00408281
            0x00408284
            0x00408287
            0x00408289
            0x0040828b
            0x0040828b
            0x0040828c
            0x00408296
            0x00408299
            0x004082a0
            0x00000000
            0x00000000
            0x0040856b
            0x0040856b
            0x0040856e
            0x00408575
            0x00000000
            0x00000000
            0x0040857a
            0x0040857a
            0x0040857e
            0x00408695
            0x00000000
            0x00408584
            0x00408584
            0x00408587
            0x0040858a
            0x0040858d
            0x00408591
            0x00408597
            0x00408599
            0x00408599
            0x00408599
            0x0040859c
            0x0040859f
            0x0040859f
            0x0040859f
            0x0040859f
            0x004085a2
            0x004085a5
            0x004085a5
            0x004085a9
            0x00408609
            0x0040860c
            0x00408611
            0x00408612
            0x00408614
            0x00408616
            0x00408619
            0x00408624
            0x00408624
            0x00000000
            0x004085ab
            0x004085ab
            0x004085ae
            0x004085b1
            0x004085b4
            0x004085b6
            0x004085b9
            0x004085bc
            0x004085bf
            0x004085c2
            0x004085c5
            0x004085c8
            0x004085cb
            0x004085e4
            0x004085e7
            0x004085ea
            0x004085ed
            0x004085f1
            0x004085f4
            0x004085f4
            0x004085f5
            0x004085f8
            0x004085cd
            0x004085cd
            0x004085d5
            0x004085da
            0x004085dc
            0x004085df
            0x004085df
            0x004085fb
            0x00408602
            0x00000000
            0x00408604
            0x00000000
            0x00408604
            0x00408602
            0x004085a9
            0x00000000
            0x00000000
            0x004082ac
            0x004082af
            0x004082e6
            0x00000000
            0x004082b1
            0x004082b1
            0x004082b5
            0x004082b8
            0x004082ba
            0x004082bb
            0x004082be
            0x004082c0
            0x004082c3
            0x004082c6
            0x004082dc
            0x004082e1
            0x00408319
            0x00408319
            0x0040831d
            0x00408349
            0x0040834b
            0x0040834b
            0x00408351
            0x00408354
            0x00408357
            0x00000000
            0x0040831f
            0x0040831f
            0x00408322
            0x00408325
            0x00408327
            0x0040832a
            0x0040832d
            0x0040832f
            0x00408332
            0x00408332
            0x00408335
            0x00408338
            0x00408338
            0x0040833b
            0x00408342
            0x00408316
            0x00408316
            0x00408316
            0x00408316
            0x00000000
            0x00408344
            0x004082f1
            0x004082f1
            0x004082f5
            0x0040866b
            0x00000000
            0x004082fb
            0x004082fb
            0x004082fe
            0x00408301
            0x00408304
            0x00408308
            0x0040830e
            0x00408310
            0x00408310
            0x00408310
            0x00408313
            0x00000000
            0x00408313
            0x004082f5
            0x00408342
            0x004082c8
            0x004082c8
            0x004082d1
            0x004082d4
            0x0040835e
            0x0040835e
            0x00408360
            0x00408367
            0x0040836a
            0x00408397
            0x00408397
            0x0040839a
            0x0040839d
            0x00408411
            0x00408411
            0x00408411
            0x00408414
            0x00408414
            0x00408414
            0x00408414
            0x00408417
            0x00408417
            0x0040841a
            0x0040841c
            0x0040867d
            0x00000000
            0x00408422
            0x00408422
            0x00408425
            0x00000000
            0x0040842b
            0x0040842b
            0x0040842f
            0x00408432
            0x00408432
            0x00408432
            0x00000000
            0x00408432
            0x00408425
            0x0040839f
            0x0040839f
            0x004083a2
            0x004083a5
            0x004083a8
            0x004083aa
            0x004083ad
            0x004083b0
            0x004083b3
            0x004083b6
            0x004083b9
            0x004083bc
            0x004083bf
            0x004083d8
            0x004083db
            0x004083e0
            0x004083e1
            0x004083e3
            0x004083e6
            0x004083e8
            0x004083ea
            0x004083ed
            0x004083ef
            0x004083f2
            0x004083f6
            0x004083f9
            0x004083f9
            0x004083fa
            0x004083fd
            0x00408400
            0x004083c1
            0x004083c1
            0x004083c9
            0x004083ce
            0x004083d0
            0x004083d3
            0x004083d3
            0x00408403
            0x0040840a
            0x00408394
            0x00408394
            0x00408394
            0x00408394
            0x00000000
            0x0040840c
            0x00000000
            0x0040840c
            0x0040840a
            0x0040839d
            0x004082c6
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x004081c6
            0x004081c6
            0x004081ca
            0x00408662
            0x00000000
            0x004081d0
            0x004081d0
            0x004081d3
            0x004081d6
            0x004081d9
            0x004081db
            0x004081db
            0x004081db
            0x004081de
            0x004081e1
            0x004081e4
            0x004081e7
            0x004081ea
            0x004081eb
            0x004081ed
            0x004081ed
            0x004081ed
            0x004081f0
            0x004081f3
            0x004081f6
            0x004081f9
            0x004081f9
            0x004081f9
            0x004081fc
            0x004081ff
            0x00000000
            0x004081ff
            0x00000000
            0x00000000
            0x00408435
            0x00408435
            0x00408435
            0x00408439
            0x00000000
            0x00000000
            0x0040843f
            0x00408442
            0x00408445
            0x00408448
            0x0040844a
            0x0040844a
            0x0040844a
            0x0040844d
            0x00408450
            0x00408453
            0x00408456
            0x00408459
            0x0040845a
            0x0040845c
            0x0040845c
            0x0040845c
            0x0040845f
            0x00408462
            0x00408465
            0x00408468
            0x0040846b
            0x0040846f
            0x00408472
            0x00408474
            0x00408477
            0x00000000
            0x00408479
            0x00000000
            0x00408479
            0x00000000
            0x00408477
            0x00408683
            0x00000000
            0x00000000
            0x00407d0c
            0x00407d06
            0x00000000
            0x00000000
            0x00000000
            0x00407f3c
            0x00407fba
            0x00407f05
            0x00407f09
            0x0040863e
            0x0040869c
            0x004086a1
            0x004086a5
            0x004086a7
            0x00407f0f
            0x00407f0f
            0x00407f12
            0x00407f15
            0x00407f18
            0x00407f1c
            0x00407f22
            0x00407f24
            0x00407f24
            0x00407f27
            0x00000000
            0x00407f27
            0x00407f09
            0x00407fb4
            0x00407ec2
            0x004086ae
            0x004086b5
            0x004086b5

            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d42064d1b1f36a7938901196cccaec0156d4f93100d4efbba4dd95c84456e829
            • Instruction ID: 46be69f7f5ffe3d9bd6848774a0f37705c7e3a83ebcfb9df13ec131d521bab89
            • Opcode Fuzzy Hash: d42064d1b1f36a7938901196cccaec0156d4f93100d4efbba4dd95c84456e829
            • Instruction Fuzzy Hash: 3EF18571904249DBDF18CF28C9846E93BB0FF44345F15852EFC9AAB281C739A985CF85
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00406320(signed int _a4) {
            				struct HINSTANCE__* _t4;
            				CHAR* _t6;
            				signed int _t8;
            
            				_t8 = _a4 << 3;
            				_t6 =  *(_t8 + 0x40c060);
            				_t4 = GetModuleHandleA(_t6);
            				if(_t4 != 0) {
            					L2:
            					return GetProcAddress(_t4,  *(_t8 + 0x40c064));
            				}
            				_t4 = LoadLibraryA(_t6); // executed
            				if(_t4 != 0) {
            					goto L2;
            				}
            				return _t4;
            			}







            APIs
            • GetModuleHandleA.KERNEL32(?,?,00000020,004038F5,00000008), ref: 00406330
            • LoadLibraryA.KERNELBASE(?,?,00000020,004038F5,00000008), ref: 0040633B
            • GetProcAddress.KERNEL32(00000000,?), ref: 0040634C
            Similarity
            • API ID: AddressHandleLibraryLoadModuleProc
            • String ID:
            • API String ID: 310444273-0
            • Opcode ID: 053cacf7f7176cdcad43e8a554e249abbf2c485b4c20a79998afce369676ce87
            • Instruction ID: d217d198fa6128fda09305f059a65c7120bae1873ef529da100d8be4f404c142
            • Opcode Fuzzy Hash: 053cacf7f7176cdcad43e8a554e249abbf2c485b4c20a79998afce369676ce87
            • Instruction Fuzzy Hash: ECE01233604212DBD7115FB09D48A6BB77CAE89B51305843EFA46F3151D734AC21DBAC
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004062F9(WCHAR* _a4) {
            				void* _t2;
            
            				_t2 = FindFirstFileW(_a4, 0x45cec8); // executed
            				if(_t2 == 0xffffffff) {
            					return 0;
            				}
            				FindClose(_t2);
            				return 0x45cec8;
            			}





            APIs
            • FindFirstFileW.KERNELBASE(004582C0,0045CEC8,004582C0,004067E9,004582C0), ref: 00406304
            • FindClose.KERNEL32(00000000), ref: 00406310
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: fed1454a890a649a2006ea5ab692a8445d583c3d80467e3c5f2a8f7cfa417cc5
            • Instruction ID: a5be972e40a24532a6973e9215ada1319d8cf60e24f1e3afb89203af70512ccb
            • Opcode Fuzzy Hash: fed1454a890a649a2006ea5ab692a8445d583c3d80467e3c5f2a8f7cfa417cc5
            • Instruction Fuzzy Hash: 70D012326451216BD71017386D0C84B7E589B953333258A32FC66F61F1D7788C229AEC
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E00401593(void _a4, char _a7) {
            				RECT* _v8;
            				long _v12;
            				short _v16;
            				void* _v20;
            				DWORD* _v24;
            				signed int _v28;
            				struct _FILETIME _v36;
            				signed int _v40;
            				signed int _v44;
            				signed int _v48;
            				void _v52;
            				long _v56;
            				void _v57;
            				void* _v64;
            				long _v70;
            				struct _SHFILEOPSTRUCTW _v96;
            				char _v352;
            				struct _WIN32_FIND_DATAW _v944;
            				signed int _t536;
            				signed int _t542;
            				signed int _t555;
            
            				_v16 =  *0x473dd4;
            				_t542 = 7;
            				memcpy( &_v52, _a4, _t542 << 2);
            				_t555 = _v48;
            				_a4 = 0x474000 + _v44 * 0x4008;
            				 *0x40c0c4 =  &_v48;
            				_t536 = _v52 + 0xfffffffe;
            				_v8 = 0;
            				if(_t536 > 0x47) {
            					L432:
            					 *0x473e88 = _v8 +  *0x473e88;
            					L433:
            					return 0;
            				}
            				switch( *((intOrPtr*)(_t536 * 4 +  &M0040311F))) {
            					case 0:
            						E004062C7(L"Jump: %d", _t555);
            						return _v48;
            					case 1:
            						__esi = 0;
            						__eflags = 0;
            						E00401453(0) = E004062C7(L"Aborting: \"%s\"", __eax);
            						_pop(__ecx);
            						_pop(__ecx);
            						_push(0);
            						_push(_v48);
            						goto L4;
            					case 2:
            						 *0x46bd94 =  *0x46bd94 + 1;
            						__eflags = _v16;
            						if(_v16 != 0) {
            							PostQuitMessage(0);
            						}
            						goto L5;
            					case 3:
            						__eax = E00401373(__esi);
            						__eax = E004062C7(L"Call: %d", __eax - 1);
            						_pop(__ecx);
            						_pop(__ecx);
            						_push(0);
            						return E00401392(__esi);
            					case 4:
            						__esi = 0;
            						E00401453(0) = E004062C7(L"detailprint: %s", __eax);
            						_pop(__ecx);
            						_pop(__ecx);
            						__eax = E00404FA5(_v48, 0);
            						goto L432;
            					case 5:
            						__ecx = 0;
            						__esi = E0040143D(0);
            						__eax = E004062C7(L"Sleep(%d)", __esi);
            						__eflags = __esi - 1;
            						_pop(__ecx);
            						_pop(__ecx);
            						if(__esi <= 1) {
            							__esi = 0;
            							__esi = 1;
            							__eflags = 1;
            						}
            						Sleep(__esi);
            						goto L432;
            					case 6:
            						_push(L"BringToFront");
            						__eax = E004062C7();
            						_pop(__ecx);
            						__eax = SetForegroundWindow(_v16);
            						goto L432;
            					case 7:
            						__eax =  *0x46bda0;
            						__eflags = __eax;
            						__edi = ShowWindow;
            						if(__eax != 0) {
            							__eax = ShowWindow(__eax, __edx);
            							__esi = _v48;
            						}
            						__eax =  *0x46bd8c;
            						__eflags = __eax - __ebx;
            						if(__eax != __ebx) {
            							__eax = ShowWindow(__eax, __esi);
            						}
            						goto L432;
            					case 8:
            						_push(0xfffffff0);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						_push(_v44);
            						__esi = __eax;
            						__eax = E004062C7(L"SetFileAttributes: \"%s\":%08X", __esi);
            						__eax = SetFileAttributesW(__esi, _v44);
            						__eflags = __eax;
            						if(__eax != 0) {
            							goto L432;
            						} else {
            							_v8 = 1;
            							_push(L"SetFileAttributes failed.");
            							goto L25;
            						}
            					case 9:
            						_push(0xfffffff0);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						_push(_v44);
            						_a4 = __eax;
            						__eax = E004062C7(L"CreateDirectory: \"%s\" (%d)", __eax);
            						__esi = E00405D80(_a4);
            						__eflags = __esi;
            						if(__esi == 0) {
            							L36:
            							__eflags = _v44 - __ebx;
            							if(_v44 == __ebx) {
            								_push(0xfffffff5);
            								goto L39;
            							} else {
            								E0040142C(0xffffffe6) = E0040602D(0x4cc0b0, _a4);
            								__eax = SetCurrentDirectoryW(_a4); // executed
            								goto L432;
            							}
            						} else {
            							goto L28;
            						}
            						do {
            							L28:
            							__esi = E00405D2C(__esi, 0x5c);
            							__edi =  *__esi & 0x0000ffff;
            							 *__esi = __bx; // executed
            							__eax = CreateDirectoryW(_a4, __ebx); // executed
            							__eflags = __eax;
            							if(__eax != 0) {
            								__eax = E004062C7(L"CreateDirectory: \"%s\" created", _a4);
            								L34:
            								_pop(__ecx);
            								_pop(__ecx);
            								goto L35;
            							}
            							__eax = GetLastError();
            							__eflags = __eax - 0xb7;
            							if(__eax == 0xb7) {
            								__eax = GetFileAttributesW(_a4); // executed
            								__eflags = __al & 0x00000010;
            								if((__al & 0x00000010) != 0) {
            									goto L35;
            								} else {
            									__eax = E004062C7(L"CreateDirectory: can\'t create \"%s\" - a file already exists", _a4);
            									_v8 =  &(_v8->left);
            									goto L34;
            								}
            							} else {
            								_push(GetLastError());
            								__eax = E004062C7(L"CreateDirectory: can\'t create \"%s\" (err=%d)", _a4);
            								_v8 =  &(_v8->left);
            							}
            							L35:
            							 *__esi = __di;
            							__esi = __esi + 1;
            							__eflags = __di - __bx;
            						} while (__di != __bx);
            						goto L36;
            					case 0xa:
            						__esi = 0;
            						__esi = E00401453(0);
            						__eax = E004062F9(__eax);
            						__eflags = __eax;
            						if(__eax == 0) {
            							_push(_v40);
            							__eax = E004062C7(L"IfFileExists: file \"%s\" does not exist, jumping %d", __esi);
            							goto L44;
            						} else {
            							_push(_v44);
            							__eax = E004062C7(L"IfFileExists: file \"%s\" exists, jumping %d", __esi);
            							goto L42;
            						}
            					case 0xb:
            						__eax = __esi;
            						__eax = __esi << 2;
            						__eflags = _v40;
            						if(_v40 != 0) {
            							__ecx = __eax[0x239f20];
            							__eax[0x239f40] = __eax[0x239f20];
            						} else {
            							__ecx = __eax[0x239f40];
            							__eax[0x239f20] = __eax[0x239f40];
            							__ecx = 0;
            							__ecx = 1;
            							__eax = E0040143D(1);
            							__ecx = _v48;
            							 *(0x473e80 + _v48 * 4) = __eax;
            						}
            						goto L432;
            					case 0xc:
            						__esi = _v40;
            						__esi = 0x473e80 + _v40 * 4;
            						__ecx =  *__esi;
            						__eax = 0;
            						__eflags = __ecx;
            						__eax = 0 | __ecx == 0x00000000;
            						 *__esi = __ecx;
            						return __eax;
            					case 0xd:
            						_push( *((intOrPtr*)(0x473e80 + __edx * 4)));
            						goto L430;
            					case 0xe:
            						_push(0xffffffd0);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						_push(0xffffffdf);
            						_pop(__esi);
            						__edi = __eax;
            						__eax = E00401453(__esi);
            						_push(0x13);
            						_pop(__esi);
            						_a4 = __eax;
            						__esi = E00401453(__esi);
            						__eax = E004062C7(L"Rename: %s", __esi);
            						_pop(__ecx);
            						_pop(__ecx);
            						__eax = MoveFileW(__edi, _a4);
            						__eflags = __eax;
            						if(__eax == 0) {
            							__eflags = _v40;
            							if(_v40 == 0) {
            								L50:
            								_push(__esi);
            								_push(L"Rename failed: %s");
            								goto L51;
            							}
            							__eax = E004062F9(__edi);
            							__eflags = __eax;
            							if(__eax == 0) {
            								goto L50;
            							} else {
            								E00406C7C(__edi, _a4) = E0040142C(0xffffffe4);
            								_push(__esi);
            								_push(L"Rename on reboot: %s");
            								goto L52;
            							}
            						} else {
            							_push(0xffffffe3);
            							goto L39;
            						}
            					case 0xf:
            						__esi = 0;
            						__eax = E00401453(0);
            						__edi = _a4;
            						__esi = __eax;
            						__eax =  &_v12;
            						__eax = GetFullPathNameW(__esi, 0x2004, __edi,  &_v12);
            						__eflags = __eax;
            						if(__eax == 0) {
            							L58:
            							 *__edi = __bx;
            							_v8 = 1;
            							L59:
            							__eflags = _v40 - __ebx;
            							if(_v40 == __ebx) {
            								__eax = GetShortPathNameW(__edi, __edi, 0x2004);
            							}
            							goto L432;
            						}
            						__eax = _v12;
            						__eflags = __eax - __esi;
            						if(__eax <= __esi) {
            							goto L59;
            						}
            						__eflags =  *__eax - __bx;
            						if( *__eax == __bx) {
            							goto L59;
            						}
            						__eax = E004062F9(__esi);
            						__eflags = __eax;
            						if(__eax == 0) {
            							goto L58;
            						} else {
            							__eax = E0040602D(_v12, __eax);
            							goto L59;
            						}
            					case 0x10:
            						__esi = __esi | 0xffffffff;
            						__eflags = __esi;
            						__eax = E00401453(__esi);
            						__ecx =  &_a4;
            						__eax = SearchPathW(0, __eax, 0, 0x2004, __edi,  &_a4);
            						goto L62;
            					case 0x11:
            						_push(0xffffffef);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						__eax = E00405EA6(__ecx, __edi, __eax);
            						goto L65;
            					case 0x12:
            						_push(0x31);
            						_pop(__esi);
            						__esi = E00401453(__esi);
            						__eax = _v48;
            						__ecx = __eax;
            						__eax = __eax >> 3;
            						_push(__esi);
            						__eax = __eax & 0x00000002;
            						__ecx = __ecx & 0x00000007;
            						_push(__eax);
            						_v16 = __esi;
            						_a4 = __ecx;
            						__eax = E004062C7(L"File: overwriteflag=%d, allowskipfilesflag=%d, name=\"%s\"", __ecx);
            						__eax = E00405D4B(__esi);
            						__eflags = __eax;
            						_push(__esi);
            						__esi = 0x40c0c8;
            						if(__eax == 0) {
            							__eax = E0040602D(0x40c0c8, 0x4cc0b0);
            							__eax = lstrcatW(__eax, ??);
            						} else {
            							_push(0x40c0c8);
            							__eax = E0040602D();
            						}
            						__eax = E0040605C(__esi);
            						__edi = 0x4140d8;
            						while(1) {
            							__eflags = _a4 - 3;
            							if(_a4 >= 3) {
            								__eax = E004062F9(__esi);
            								__ecx = 0;
            								__eflags = __eax - __ebx;
            								if(__eax != __ebx) {
            									__ecx =  &_v36;
            									__eax =  &(__eax[0xa]);
            									__eflags = __eax;
            									__ecx = __eax;
            								}
            								_a4 = _a4 + 0xfffffffd;
            								_a4 + 0xfffffffd | 0x80000000 = (_a4 + 0xfffffffd | 0x80000000) & __ecx;
            								__eax =  ~((_a4 + 0xfffffffd | 0x80000000) & __ecx);
            								asm("sbb eax, eax");
            								__eax =  ~((_a4 + 0xfffffffd | 0x80000000) & __ecx) + 1;
            								__eflags = __eax;
            								_a4 = __eax;
            							}
            							__eflags = _a4 - __ebx;
            							if(_a4 == __ebx) {
            								__eax = E00405E57(__esi);
            							}
            							__eax = 0;
            							__eflags = _a4 - 1;
            							0 | __eflags != 0x00000000 = (__eflags != 0) + 1;
            							__eax = E00405E77(__esi, 0x40000000, (__eflags != 0) + 1);
            							__eflags = __eax - 0xffffffff;
            							_v20 = __eax;
            							if(__eax != 0xffffffff) {
            								break;
            							}
            							__eflags = _a4 - __ebx;
            							if(_a4 != __ebx) {
            								__eax = E00404FA5(0xffffffe2, _v16);
            								__eflags = _a4 - 2;
            								if(_a4 == 2) {
            									_v8 = 1;
            								}
            								_push(_a4);
            								_push(__esi);
            								_push(L"File: skipped: \"%s\" (overwriteflag=%d)");
            								goto L87;
            							}
            							__eax = E004062C7(L"File: error creating \"%s\"", __esi);
            							_pop(__ecx);
            							_pop(__ecx);
            							E0040602D(__edi, 0x474000) = E0040602D(0x474000, __esi);
            							_push(_v28);
            							_push(0x4100d0);
            							E00406820(__ebx, __edi, __esi) = E0040602D(0x474000, __edi);
            							_v48 = _v48 >> 3;
            							__eax = E00405CC8(0x4100d0, _v48 >> 3);
            							__eax = __eax - 4;
            							__eflags = __eax;
            							if(__eax != 0) {
            								__eax = __eax - 1;
            								__eflags = __eax;
            								if(__eax == 0) {
            									_push(L"File: error, user cancel");
            									__eax = E004062C7();
            									 *0x473e88 =  *0x473e88 + 1;
            									_pop(__ecx);
            									goto L433;
            								}
            								_push(L"File: error, user abort");
            								__eax = E004062C7();
            								_pop(__ecx);
            								_push(__esi);
            								_push(0xfffffffa);
            								L4:
            								__eax = E00404FA5();
            								goto L5;
            							}
            							_push(L"File: error, user retry");
            							__eax = E004062C7();
            							_pop(__ecx);
            						}
            						__eax = E00404FA5(0xffffffea, _v16);
            						 *0x473eb4 =  *0x473eb4 + 1;
            						__eax = E004033A6(_v40, _v20, __ebx, __ebx); // executed
            						 *0x473eb4 =  *0x473eb4 - 1;
            						__edi = __eax;
            						_push(__esi);
            						__eax = E004062C7(L"File: wrote %d to \"%s\"", __edi);
            						__eflags = _v36.dwLowDateTime - 0xffffffff;
            						if(_v36.dwLowDateTime != 0xffffffff) {
            							L92:
            							 &_v36 = SetFileTime(_v20,  &_v36, __ebx,  &_v36); // executed
            							L93:
            							__eax = FindCloseChangeNotification(_v20); // executed
            							__eflags = __edi - __ebx;
            							if(__edi >= __ebx) {
            								goto L432;
            							}
            							__eflags = __edi - 0xfffffffe;
            							if(__edi != 0xfffffffe) {
            								_push(0xffffffee);
            								_push(__esi);
            								__eax = E00406820(__ebx, __edi, __esi);
            							} else {
            								_push(0xffffffe9);
            								_push(__esi);
            								E00406820(__ebx, __edi, __esi) = lstrcatW(__esi, _v16);
            							}
            							__eax = E004062C7(L"%s", __esi);
            							_pop(__ecx);
            							_pop(__ecx);
            							_push(0x200010);
            							_push(__esi);
            							goto L98;
            						}
            						__eflags = _v36.dwHighDateTime - 0xffffffff;
            						if(_v36.dwHighDateTime == 0xffffffff) {
            							goto L93;
            						}
            						goto L92;
            					case 0x13:
            						__esi = 0;
            						__eflags = 0;
            						__eax = E00401453(0);
            						__esi = __eax;
            						_push(__eax);
            						_push(L"Delete: \"%s\"");
            						goto L100;
            					case 0x14:
            						_push(0x31);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						__esi = __eax;
            						_push(__eax);
            						__eax = E004062C7(L"MessageBox: %d,\"%s\"", _v48);
            						__eax = E00405CC8(__esi, _v48);
            						__eflags = __eax;
            						if(__eax == 0) {
            							goto L67;
            						}
            						__eflags = __eax - _v40;
            						if(__eax != _v40) {
            							__eflags = __eax - _v36.dwHighDateTime;
            							if(__eax != _v36.dwHighDateTime) {
            								goto L432;
            							}
            							__eax = _v28;
            							return _v28;
            						}
            						goto L103;
            					case 0x15:
            						_push(0xfffffff0);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						__esi = __eax;
            						_push(__eax);
            						_push(L"RMDir: \"%s\"");
            						L100:
            						__eax = E004062C7();
            						_pop(__ecx);
            						_pop(__ecx);
            						__eax = E00406CAF(__eflags, __esi, _v44);
            						goto L432;
            					case 0x16:
            						__esi = 0;
            						__esi = 1;
            						__eax = E00401453(1);
            						_push(__eax);
            						L00406043();
            						goto L429;
            					case 0x17:
            						_push(2);
            						_pop(__ecx);
            						__eax = E0040143D(__ecx);
            						_push(3);
            						_pop(__ecx);
            						_a4 = __eax;
            						__eax = E0040143D(__ecx);
            						__esi = 0;
            						__esi = 1;
            						_v20 = __eax;
            						__eax = E00401453(1);
            						__eflags = _v40;
            						__esi = __eax;
            						 *__edi = __bx;
            						if(_v40 == 0) {
            							L110:
            							__eax = lstrlenW(__esi);
            							__eflags = _v20 - __ebx;
            							if(_v20 >= __ebx) {
            								L112:
            								__ecx = _v20;
            								__eflags = __ecx - __eax;
            								if(__ecx > __eax) {
            									__ecx = __eax;
            								}
            								__esi + __ecx * 2 = E0040602D(__edi, __esi + __ecx * 2);
            								__eflags = _a4 - __ebx;
            								if(__eflags != 0) {
            									if(__eflags < 0) {
            										__eax = lstrlenW(__edi);
            										_t122 =  &_a4;
            										 *_t122 = __eax + _a4;
            										__eflags =  *_t122;
            										if( *_t122 < 0) {
            											_a4 = __ebx;
            										}
            									}
            									__eflags = _a4 - 0x2004;
            									if(_a4 < 0x2004) {
            										__eax = _a4;
            										 *(__edi + _a4 * 2) = __bx;
            									}
            								}
            								goto L432;
            							}
            							_t116 =  &_v20;
            							 *_t116 = _v20 + __eax;
            							__eflags =  *_t116;
            							if( *_t116 < 0) {
            								goto L432;
            							}
            							goto L112;
            						}
            						__eflags = _a4;
            						if(_a4 == 0) {
            							goto L432;
            						}
            						goto L110;
            					case 0x18:
            						_push(0x20);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						_push(0x31);
            						_pop(__esi);
            						__edi = __eax;
            						__eax = E00401453(__esi);
            						__eflags = _v36.dwHighDateTime;
            						_push(__eax);
            						_push(__edi);
            						if(_v36.dwHighDateTime != 0) {
            							__eax = lstrcmpW();
            						} else {
            							__eax = lstrcmpiW();
            						}
            						__eflags = __eax;
            						if(__eax != 0) {
            							goto L103;
            						} else {
            							goto L44;
            						}
            					case 0x19:
            						__esi = 0;
            						__esi = 1;
            						__esi = E00401453(1);
            						__eax = ExpandEnvironmentStringsW(__esi, __edi, 0x2004);
            						__eflags = __eax;
            						if(__eax == 0) {
            							L128:
            							_v8 = 1;
            							 *__edi = __bx;
            							L129:
            							 *(__edi + 0x4006) = __bx;
            							goto L432;
            						}
            						__eflags = _v40;
            						if(_v40 == 0) {
            							goto L129;
            						}
            						__eax = lstrcmpW(__esi, __edi);
            						__eflags = __eax;
            						if(__eax != 0) {
            							goto L129;
            						}
            						goto L128;
            					case 0x1a:
            						__ecx = 0;
            						__eax = E0040143D(0);
            						__ecx = 0;
            						__ecx = 1;
            						__esi = __eax;
            						__eax = E0040143D(1);
            						__eflags = _v28;
            						if(_v28 != 0) {
            							__eflags = __esi - __eax;
            							if(__eflags < 0) {
            								L103:
            								__eax = _v36.dwLowDateTime;
            								return _v36.dwLowDateTime;
            							}
            							if(__eflags <= 0) {
            								goto L44;
            							}
            							L133:
            							__eax = _v36.dwHighDateTime;
            							return _v36.dwHighDateTime;
            						}
            						__eflags = __esi - __eax;
            						if(__eflags < 0) {
            							goto L103;
            						}
            						if(__eflags <= 0) {
            							goto L44;
            						}
            						goto L133;
            					case 0x1b:
            						__ecx = 0;
            						__ecx = 1;
            						__eax = E0040143D(1);
            						_push(2);
            						_pop(__ecx);
            						__esi = __eax;
            						__ecx = E0040143D(1);
            						__eax = _v36.dwLowDateTime;
            						__eflags = __eax - 0xc;
            						if(__eax > 0xc) {
            							L159:
            							_push(__esi);
            							goto L430;
            						}
            						switch( *((intOrPtr*)(__eax * 4 +  &M0040323F))) {
            							case 0:
            								__esi = __esi + __ecx;
            								goto L159;
            							case 1:
            								__esi = __esi - __ecx;
            								goto L159;
            							case 2:
            								__esi = __ecx;
            								goto L159;
            							case 3:
            								__eflags = __ecx;
            								if(__ecx == 0) {
            									goto L144;
            								}
            								__eax = __esi;
            								asm("cdq");
            								_t139 = __eax % __ecx;
            								__eax = __eax / __ecx;
            								__edx = _t139;
            								goto L149;
            							case 4:
            								__esi = __esi | __ecx;
            								goto L159;
            							case 5:
            								__esi = __esi & __ecx;
            								goto L159;
            							case 6:
            								__esi = __esi ^ __ecx;
            								goto L159;
            							case 7:
            								__eax = 0;
            								__eflags = __esi;
            								_t144 = __esi == 0;
            								__eflags = _t144;
            								__eax = 0 | _t144;
            								L149:
            								__esi = __eax;
            								goto L159;
            							case 8:
            								__eflags = __esi;
            								if(__esi != 0) {
            									goto L152;
            								}
            								goto L151;
            							case 9:
            								__eflags = __esi;
            								if(__esi != 0) {
            									L151:
            									__eflags = __ecx - __ebx;
            									if(__ecx == __ebx) {
            										goto L154;
            									}
            									L152:
            									__esi = 0;
            									__esi = 1;
            									goto L159;
            								}
            								L154:
            								__esi = 0;
            								goto L159;
            							case 0xa:
            								__eflags = __ecx;
            								if(__ecx == 0) {
            									L144:
            									__esi = 0;
            									_v8 = 1;
            									goto L159;
            								}
            								__eax = __esi;
            								asm("cdq");
            								_t146 = __eax % __ecx;
            								__eax = __eax / __ecx;
            								__edx = _t146;
            								__esi = _t146;
            								goto L159;
            							case 0xb:
            								__esi = __esi << __cl;
            								goto L159;
            							case 0xc:
            								__esi = __esi >> __cl;
            								goto L159;
            						}
            					case 0x1c:
            						__esi = 0;
            						__esi = 1;
            						__eax = E00401453(1);
            						_push(2);
            						_pop(__ecx);
            						__esi = __eax;
            						E0040143D(__ecx) = wsprintfW(__edi, __esi, __eax);
            						goto L88;
            					case 0x1d:
            						__eax = _v40;
            						__eflags = __eax;
            						__esi =  *0x40c0c0; // 0x0
            						if(__eax == 0) {
            							__eflags = __edx;
            							if(__edx == 0) {
            								__eax = GlobalAlloc(0x40, 0x400c);
            								_push(_v48);
            								__esi = __eax;
            								_t154 = __esi + 4; // 0x4
            								__eax = _t154;
            								_push(_t154);
            								__eax = E00406820(__ebx, __edi, __esi);
            								__eax =  *0x40c0c0; // 0x0
            								 *__esi = __eax;
            								 *0x40c0c0 = __esi;
            								goto L432;
            							}
            							__eflags = __esi;
            							if(__esi != 0) {
            								_t152 = __esi + 4; // 0x4
            								_t152 = E0040602D(__edi, _t152);
            								__eax =  *__esi;
            								 *0x40c0c0 =  *__esi;
            								__eax = GlobalFree(__esi);
            								goto L220;
            							}
            							_push(L"Pop: stack empty");
            							__eax = E004062C7();
            							_pop(__ecx);
            							goto L67;
            						} else {
            							goto L162;
            						}
            						while(1) {
            							L162:
            							__eax = __eax - 1;
            							__eflags = __esi - __ebx;
            							if(__esi == __ebx) {
            								break;
            							}
            							__eflags = __eax - __ebx;
            							__esi =  *__esi;
            							if(__eax != __ebx) {
            								continue;
            							}
            							__eflags = __esi - __ebx;
            							if(__esi != __ebx) {
            								__edi = __esi + 4;
            								__esi = 0x40c0c8;
            								__eax = E0040602D(0x40c0c8, __edi);
            								__eax =  *0x40c0c0; // 0x0
            								__eax = E0040602D(__edi, __eax);
            								__eax =  *0x40c0c0; // 0x0
            								_push(0x40c0c8);
            								_push(__eax);
            								goto L388;
            							}
            							break;
            						}
            						__eax = E004062C7(L"Exch: stack < %d elements", _v40);
            						_pop(__ecx);
            						_pop(__ecx);
            						goto L166;
            					case 0x1e:
            						_push(3);
            						_pop(__ecx);
            						__eax = E0040143D(__ecx);
            						_push(4);
            						_pop(__ecx);
            						_v20 = __eax;
            						__eax = E0040143D(__ecx);
            						__eflags = _v28 & 0x00000001;
            						_a4 = __eax;
            						if((_v28 & 0x00000001) != 0) {
            							_push(0x33);
            							_pop(__esi);
            							_v20 = E00401453(__esi);
            						}
            						__eflags = _v28 & 0x00000002;
            						if((_v28 & 0x00000002) != 0) {
            							_push(0x44);
            							_pop(__esi);
            							_a4 = E00401453(__esi);
            						}
            						__eflags = _v52 - 0x21;
            						if(_v52 != 0x21) {
            							__esi = 0;
            							__esi = 1;
            							__eax = E00401453(1);
            							_push(0x12);
            							_pop(__esi);
            							_v96.hNameMappings = __eax;
            							__eax = E00401453(1);
            							asm("sbb ecx, ecx");
            							__ecx = __ecx & __eax;
            							__eax = _v96.hNameMappings;
            							asm("sbb ecx, ecx");
            							__ecx = __ecx & _v96.hNameMappings;
            							__eflags = __ecx;
            							__eax = FindWindowExW(_v20, _a4, __ecx, __ecx);
            							goto L182;
            						} else {
            							__ecx = 0;
            							__ecx = 1;
            							__eflags = 1;
            							__eax = E0040143D(1);
            							_push(2);
            							_pop(__ecx);
            							__esi = __eax;
            							__eax = E0040143D(1);
            							__ecx = _v28;
            							__ecx = _v28 >> 2;
            							if(1 == 0) {
            								__eax = SendMessageW(__esi, __eax, _v20, _a4);
            								L182:
            								_v16 = __eax;
            								L183:
            								__eflags = _v48 - __ebx;
            								if(_v48 < __ebx) {
            									goto L432;
            								}
            								_push(_v16);
            								goto L430;
            							}
            							__edx =  &_v16;
            							__eax = SendMessageTimeoutW(__esi, __eax, _v20, _a4, __ebx, __ecx,  &_v16);
            							__eax =  ~__eax;
            							asm("sbb eax, eax");
            							_v8 = __eax;
            							goto L183;
            						}
            					case 0x1f:
            						__ecx = 0;
            						__eax = E0040143D(0);
            						__eax = IsWindow(__eax);
            						__eflags = __eax;
            						if(__eax == 0) {
            							L44:
            							__eax = _v40;
            							return _v40;
            						}
            						L42:
            						__eax = _v44;
            						return _v44;
            					case 0x20:
            						_push(2);
            						_pop(__ecx);
            						__eax = E0040143D(__ecx);
            						__ecx = 0;
            						__ecx = 1;
            						__eax = E0040143D(1);
            						__eax = GetDlgItem(__eax, __eax);
            						goto L429;
            					case 0x21:
            						 *0x473e08 =  *0x473e08 + __edx;
            						__ecx = 0;
            						E0040143D(0) = SetWindowLongW(__eax, 0xffffffeb,  *0x473e08 + __edx);
            						goto L432;
            					case 0x22:
            						__edi = GetDlgItem(_v16, __edx);
            						 &(_v96.pTo) = GetClientRect(__edi,  &(_v96.pTo));
            						_v96.hNameMappings = _v96.hNameMappings * _v40;
            						_v96.fAnyOperationsAborted = _v96.fAnyOperationsAborted * _v40;
            						__esi = 0;
            						__eax = E00401453(0);
            						__eax = LoadImageW(0, __eax, 0, _v96.fAnyOperationsAborted * _v40, _v96.hNameMappings * _v40, 0x10);
            						__eax = SendMessageW(__edi, 0x172, 0, __eax);
            						__eflags = __eax;
            						if(__eax != 0) {
            							__eax = DeleteObject(__eax);
            						}
            						goto L432;
            					case 0x23:
            						_push(0x48);
            						__eax = GetDC(_v16);
            						_push(__eax);
            						_push(2);
            						_pop(__ecx);
            						__eax = E0040143D(__ecx);
            						__eax = MulDiv(__eax, ??, ??);
            						_push(3);
            						__eax =  ~__eax;
            						_pop(__ecx);
            						0x4200f0->lfHeight = __eax;
            						__eax = E0040143D(__ecx);
            						_push(_v44);
            						 *0x420100 = __eax;
            						__al = _v36.dwHighDateTime;
            						__al = __al & 0x00000001;
            						 *0x420104 = __al & 0x00000001;
            						__cl = __al;
            						__cl = __al & 0x00000002;
            						__al = __al & 0x00000004;
            						_push(0x42010c);
            						 *0x420105 = __cl;
            						 *0x420106 = __al;
            						 *0x420107 = 1;
            						__eax = E00406820(__ebx, __edi, __esi);
            						__eax = CreateFontIndirectW(0x4200f0);
            						goto L429;
            					case 0x24:
            						__ecx = 0;
            						__eax = E0040143D(0);
            						__ecx = 0;
            						__ecx = 1;
            						__esi = __eax;
            						__eax = E0040143D(1);
            						__eflags = _v40;
            						__edi = __eax;
            						if(_v40 != 0) {
            							_push(L"HideWindow");
            							__eax = E004062C7();
            							_pop(__ecx);
            						}
            						__eflags = _v36.dwLowDateTime - __ebx;
            						_push(__edi);
            						_push(__esi);
            						if(_v36.dwLowDateTime != __ebx) {
            							__eax = EnableWindow();
            						} else {
            							__eax = ShowWindow();
            						}
            						goto L432;
            					case 0x25:
            						__esi = 0;
            						__eax = E00401453(0);
            						_push(0x31);
            						_pop(__esi);
            						__edi = __eax;
            						__eax = E00401453(0);
            						_push(0x22);
            						_pop(__esi);
            						_a4 = __eax;
            						__eax = E00401453(0);
            						_push(0x15);
            						_pop(__esi);
            						__ebx = __eax;
            						__eax = E00401453(0);
            						__eax = E0040142C(0xffffffec);
            						__ebx->Internal =  ~(__ebx->Internal);
            						asm("sbb eax, eax");
            						__eax = __eax & __ebx;
            						 *__edi =  ~( *__edi);
            						asm("sbb eax, eax");
            						__eax = __eax & __edi;
            						__eax = ShellExecuteW(_v16, __eax, _a4, __eax, 0x4cc0b0, _v36.dwLowDateTime);
            						__eflags = __eax - 0x21;
            						if(__eax >= 0x21) {
            							_push(__ebx);
            							_push(_a4);
            							__eax = E004062C7(L"ExecShell: success (\"%s\": file:\"%s\" params:\"%s\")", __edi);
            							goto L432;
            						}
            						_push(__eax);
            						_push(__ebx);
            						_push(_a4);
            						__eax = E004062C7(L"ExecShell: warning: error (\"%s\": file:\"%s\" params:\"%s\")=%d", __edi);
            						goto L67;
            					case 0x26:
            						__esi = 0;
            						__esi = E00401453(0);
            						__eax = E004062C7(L"Exec: command=\"%s\"", __esi);
            						_pop(__ecx);
            						_pop(__ecx);
            						__eax = E00404FA5(0xffffffeb, __esi);
            						__eax = E00405C67(__esi); // executed
            						__eflags = __eax;
            						_v20 = __eax;
            						_push(__esi);
            						if(__eax == 0) {
            							_push(L"Exec: failed createprocess (\"%s\")");
            							L51:
            							_v8 = 1;
            							goto L52;
            						}
            						_push(L"Exec: success (\"%s\")");
            						__eax = E004062C7();
            						__eflags = _v40;
            						_pop(__ecx);
            						_pop(__ecx);
            						if(_v40 == 0) {
            							L209:
            							__eax = FindCloseChangeNotification(_v20);
            							goto L314;
            						}
            						__esi = WaitForSingleObject;
            						__eax = WaitForSingleObject(_v20, 0x64);
            						__edi = 0x102;
            						while(1) {
            							__eflags = __eax - __edi;
            							if(__eax != __edi) {
            								break;
            							}
            							__eax = E00406357(0xf);
            							__eax = WaitForSingleObject(_v20, 0x64);
            						}
            						 &_v12 = GetExitCodeProcess(_v20,  &_v12);
            						__eflags = _v44 - __ebx;
            						if(_v44 < __ebx) {
            							__eflags = _v12 - __ebx;
            							if(_v12 != __ebx) {
            								_v8 = 1;
            							}
            						} else {
            							__eax = E00405F74(_a4, _v12);
            						}
            						goto L209;
            					case 0x27:
            						_push(2);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						__esi = __eax;
            						__eflags = __esi;
            						if(__esi == 0) {
            							__eax = _a4;
            							 *__edi = __bx;
            							 *_a4 = __bx;
            							goto L67;
            						}
            						__eax = E00405F74(_a4,  *((intOrPtr*)(__esi + 0x14)));
            						_push( *(__esi + 0x18));
            						goto L430;
            					case 0x28:
            						_push(0xffffffee);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						__ecx =  &_v56;
            						_v96.hNameMappings = __eax;
            						__esi = __eax;
            						__eflags = __esi;
            						__eax = _a4;
            						 *__edi = __bx;
            						 *_a4 = __bx;
            						_v8 = 1;
            						if(__esi == 0) {
            							goto L432;
            						}
            						__eax = GlobalAlloc(0x40, __esi);
            						__eflags = __eax;
            						_v20 = __eax;
            						if(__eax == 0) {
            							goto L432;
            						}
            						__eax = GetFileVersionInfoW(_v96.hNameMappings, 0, __esi, __eax);
            						__eflags = __eax;
            						if(__eax != 0) {
            							 &(_v96.hNameMappings) =  &_v12;
            							__eax = VerQueryValueW(_v20, "\\",  &_v12,  &(_v96.hNameMappings));
            							__eflags = __eax;
            							if(__eax != 0) {
            								_v12 = E00405F74(__edi,  *((intOrPtr*)(_v12 + 8)));
            								_v12 = E00405F74(_a4,  *((intOrPtr*)(_v12 + 0xc)));
            								_v8 = 0;
            							}
            						}
            						__eax = GlobalFree(_v20);
            						goto L220;
            					case 0x29:
            						_push(0x11);
            						_pop(__esi);
            						__esi = E00401453(__esi);
            						__eax = E00407154(__eflags, __esi, __edi, 0x2004);
            						__eflags = __eax;
            						if(__eax == 0) {
            							_v8 = 1;
            						}
            						_push(__edi);
            						_push(__esi);
            						_push(L"GetTTFVersionString(%s) returned %s");
            						goto L87;
            					case 0x2a:
            						_push(0x11);
            						_pop(__esi);
            						__esi = E00401453(__esi);
            						__eax = E004071C5(__esi, __edi, 0x2004);
            						__eflags = __eax;
            						if(__eax == 0) {
            							_v8 = 1;
            						}
            						_push(__edi);
            						_push(__esi);
            						_push(L"GetTTFFontName(%s) returned %s");
            						goto L87;
            					case 0x2b:
            						__eflags =  *0x473eb8;
            						asm("sbb eax, 0x473eb8");
            						_v8 = 1;
            						if(__eflags < 0) {
            							__eax = E0040142C(0xffffffe7);
            							_push(L"Error registering DLL: Could not initialize OLE");
            							L25:
            							__eax = E004062C7();
            							goto L26;
            						} else {
            							_push(0xfffffff0);
            							_pop(__esi);
            							__eax = E00401453(__esi);
            							__esi = 0;
            							__esi = 1;
            							__edi = __eax;
            							__eax = E00401453(1);
            							__eflags = _v36.dwHighDateTime;
            							_v20 = __eax;
            							if(_v36.dwHighDateTime == 0) {
            								L231:
            								__eax = LoadLibraryExW(__edi, __ebx, 8);
            								__eflags = __eax - __ebx;
            								_a4 = __eax;
            								if(__eax == __ebx) {
            									__eax = E0040142C(0xfffffff6);
            									_push(__edi);
            									_push(L"Error registering DLL: Could not load %s");
            									goto L52;
            								}
            								L232:
            								__esi = E0040638A(_a4, _v20);
            								__eflags = __esi - __ebx;
            								if(__esi == __ebx) {
            									__eax = E00404FA5(0xfffffff7, _v20);
            									_push(__edi);
            									__eax = E004062C7(L"Error registering DLL: %s not found in %s", _v20);
            								} else {
            									__eflags = _v40 - __ebx;
            									_v8 = __ebx;
            									if(_v40 == __ebx) {
            										_push(0x40c000);
            										_push(0x40c0c0);
            										_push(0x474000);
            										_push(0x2004);
            										_push(_v16);
            										__eax =  *__esi();
            										__esp = __esp + 0x14;
            									} else {
            										__eax = E0040142C(_v40);
            										__eax =  *__esi();
            										__eflags = __eax;
            										if(__eax != 0) {
            											_v8 = 1;
            										}
            									}
            								}
            								__eflags = _v36.dwLowDateTime - __ebx;
            								if(_v36.dwLowDateTime == __ebx) {
            									__eax = E00403D00(_a4);
            									__eflags = __eax;
            									if(__eax != 0) {
            										__eax = FreeLibrary(_a4);
            									}
            								}
            								goto L432;
            							}
            							__eax = GetModuleHandleW(__edi);
            							__eflags = __eax;
            							_a4 = __eax;
            							if(__eax != 0) {
            								goto L232;
            							}
            							goto L231;
            						}
            					case 0x2c:
            						_push(0xfffffff0);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						_push(0xffffffdf);
            						_pop(__esi);
            						_v64 = __eax;
            						__eax = E00401453(__esi);
            						_push(2);
            						_pop(__esi);
            						__edi = __eax;
            						__eax = E00401453(__esi);
            						_push(0xffffffcd);
            						_pop(__esi);
            						_v16 = __eax;
            						__eax = E00401453(__esi);
            						_push(0x45);
            						_pop(__esi);
            						_v12 = __eax;
            						_v56 = E00401453(__esi);
            						__eax = E00405D4B(__edi);
            						__eflags = __eax;
            						if(__eax == 0) {
            							_push(0x21);
            							_pop(__esi);
            							__eax = E00401453(__esi);
            						}
            						__eax = _v36.dwHighDateTime;
            						__eax = __eax >> 0x10;
            						_push(__eax >> 0x10);
            						__ecx = __ah & 0x000000ff;
            						_push(__ah & 0x000000ff);
            						__esi = 0xff;
            						_push(__eax);
            						_push(_v12);
            						_push(_v16);
            						_push(__edi);
            						__eax = E004062C7(L"CreateShortCut: out: \"%s\", in: \"%s %s\", icon: %s,%d, sw=%d, hk=%d", _v64);
            						__eax =  &_a4;
            						_push(__eax);
            						_push(0x40ad74);
            						_push(1);
            						_push(__ebx);
            						_push(0x40ad84);
            						__imp__CoCreateInstance();
            						__eflags = __eax - __ebx;
            						if(__eax < __ebx) {
            							L255:
            							_v8 = 1;
            							_push(0xfffffff0);
            							goto L39;
            						} else {
            							__eax = _a4;
            							__ecx =  *__eax;
            							__edx =  &(_v96.hNameMappings);
            							_push( &(_v96.hNameMappings));
            							_push(0x40ad94);
            							_push(__eax);
            							__eax =  *( *__eax)();
            							__eflags = __eax - __ebx;
            							_v20 = __eax;
            							if(__eax >= __ebx) {
            								__eax = _a4;
            								__ecx =  *__eax;
            								_push(__edi);
            								_push(__eax);
            								_v20 = __eax;
            								__eax = _a4;
            								__ecx =  *__eax;
            								_push(0x4cc0b0);
            								_push(__eax);
            								__eax =  *((intOrPtr*)( *__eax + 0x24))();
            								__ecx = _v36.dwHighDateTime;
            								__ecx = __ecx >> 8;
            								__eax = __ecx >> 0x00000008 & 0x000000ff;
            								__eflags = __eax;
            								if(__eax != 0) {
            									__ecx = _a4;
            									__edx =  *__ecx;
            									_push(__eax);
            									_push(__ecx);
            									__eax =  *((intOrPtr*)( *__ecx + 0x3c))();
            									__ecx = _v36.dwHighDateTime;
            								}
            								__eax = _a4;
            								__edx =  *__eax;
            								_push(__ecx);
            								_push(__eax);
            								__eax =  *((intOrPtr*)( *__eax + 0x34))();
            								__eax = _v12;
            								__eflags =  *__eax - __bx;
            								if( *__eax != __bx) {
            									__edi = _v36.dwHighDateTime;
            									__ecx = _a4;
            									__edx =  *__ecx;
            									__edi = _v36.dwHighDateTime & __esi;
            									__eflags = __edi;
            									_push(__edi);
            									_push(__eax);
            									_push(__ecx);
            									__eax =  *((intOrPtr*)( *__ecx + 0x44))();
            								}
            								__eax = _a4;
            								_push(_v16);
            								__ecx =  *__eax;
            								_push(__eax);
            								__eax =  *((intOrPtr*)( *__eax + 0x2c))();
            								__eax = _a4;
            								_push(_v56);
            								__ecx =  *__eax;
            								_push(__eax);
            								__eax =  *((intOrPtr*)( *__eax + 0x1c))();
            								__eflags = _v20 - __ebx;
            								if(_v20 >= __ebx) {
            									__eax = _v96.hNameMappings;
            									__ecx =  *__eax;
            									_push(1);
            									_push(_v64);
            									_push(__eax);
            									_v20 = __eax;
            								}
            								__eax = _v96.hNameMappings;
            								__ecx =  *__eax;
            								_push(__eax);
            								__eax =  *((intOrPtr*)( *__eax + 8))();
            							}
            							__eax = _a4;
            							__ecx =  *__eax;
            							_push(__eax);
            							__eax =  *((intOrPtr*)( *__eax + 8))();
            							__eflags = _v20 - __ebx;
            							if(_v20 >= __ebx) {
            								_push(0xfffffff4);
            								goto L39;
            							} else {
            								goto L255;
            							}
            						}
            					case 0x2d:
            						__esi = 0;
            						__eax = E00401453(0);
            						_push(0x11);
            						_pop(__esi);
            						__edi = __eax;
            						__eax = E00401453(0);
            						_push(0x23);
            						_pop(__esi);
            						_a4 = __eax;
            						__eax = E00401453(0);
            						__esi = _a4;
            						_push(__esi);
            						_v56 = __eax;
            						__eax = E004062C7(L"CopyFiles \"%s\"->\"%s\"", __edi);
            						__eax = E004062F9(__edi);
            						__eflags = __eax;
            						if(__eax != 0) {
            							__eax = _v16;
            							_v96.hwnd = _v16;
            							_v96.wFunc = 2;
            							 *(__edi + 2 + lstrlenW(__edi) * 2) = __bx;
            							 *(__esi + 2 + lstrlenW(__esi) * 2) = __bx;
            							__eax = _v56;
            							_v96.pFrom = __edi;
            							_v96.pTo.left = __esi;
            							_v70 = _v56;
            							_v96.fFlags = _v40;
            							E00404FA5(0, _v56) =  &_v96;
            							__eax = SHFileOperationW( &_v96);
            							__eflags = __eax;
            							if(__eax == 0) {
            								goto L432;
            							}
            						}
            						__eax = E00404FA5(0xfffffff9, __ebx);
            						goto L67;
            					case 0x2e:
            						__eflags = __esi - 0xbadf00d;
            						if(__esi != 0xbadf00d) {
            							L166:
            							_push(0x200010);
            							_push(0xffffffe8);
            							_push(__ebx);
            							_push(E00406820(__ebx, __edi, __esi));
            							L98:
            							__eax = E00405CC8();
            							L5:
            							__eax = 0x7fffffff;
            							return 0x7fffffff;
            						}
            						 *0x473e94 =  *0x473e94 + 1;
            						goto L432;
            					case 0x2f:
            						__esi = 0x4100d0;
            						_v96.hNameMappings = 0;
            						_a4 = 0;
            						__eax = E0040602D(0x4100d0, L"<RM>");
            						__edi = 0x4140d8;
            						__eax = E0040602D(0x4140d8, 0x4100d0);
            						__eflags = _v48;
            						if(_v48 != 0) {
            							__esi = 0;
            							__eflags = 0;
            							_v96.hNameMappings = E00401453(0);
            						}
            						__eflags = _v44 - __ebx;
            						if(_v44 != __ebx) {
            							_push(0x11);
            							_pop(__esi);
            							_a4 = E00401453(__esi);
            						}
            						__eflags = _v36.dwHighDateTime - __ebx;
            						if(_v36.dwHighDateTime != __ebx) {
            							_push(0x22);
            							_pop(__esi);
            							__ebx = E00401453(__esi);
            						}
            						_push(0xffffffcd);
            						_pop(__esi);
            						__esi = E00401453(__esi);
            						_push(__esi);
            						_push(__edi);
            						_push(0x4100d0);
            						__eax = E004062C7(L"WriteINIStr: wrote [%s] %s=%s in %s", "end");
            						__eax = WritePrivateProfileStringW(_v96.hNameMappings, _a4, __ebx, __esi);
            						goto L65;
            					case 0x30:
            						__eax =  *L"!N~"; // 0x4e0021
            						_v96.fAnyOperationsAborted = __eax;
            						__eax =  *0x4095f8; // 0x7e
            						__esi = 0;
            						__esi = 1;
            						_v96.hNameMappings = __eax;
            						__eax = E00401453(1);
            						_push(0x12);
            						_pop(__esi);
            						_v56 = __eax;
            						__eax = E00401453(1);
            						_push(0xffffffdd);
            						_pop(__esi);
            						_a4 = __eax;
            						E00401453(1) =  &(_v96.fAnyOperationsAborted);
            						GetPrivateProfileStringW(_v56, _a4,  &(_v96.fAnyOperationsAborted), __edi, 0x2003,  &(_v96.fAnyOperationsAborted)) =  &(_v96.fAnyOperationsAborted);
            						__eax = lstrcmpW(__edi,  &(_v96.fAnyOperationsAborted));
            						L62:
            						__eflags = __eax;
            						if(__eax != 0) {
            							goto L432;
            						}
            						goto L63;
            					case 0x31:
            						__eax = E004061E4(__edx);
            						__eflags = _v36.dwHighDateTime;
            						_a4 = __eax;
            						if(_v36.dwHighDateTime != 0) {
            							_push(0x22);
            							_pop(__esi);
            							__eax = E00401453(__esi);
            							__esi = __eax;
            							_push(__eax);
            							__eax = E004062C7(L"DeleteRegKey: \"%s\\%s\"", _a4);
            							__eax = _v44;
            							__eflags = __eax;
            							if(__eax == 0) {
            								 *0x473e84 =  *0x473e84 + 0x80000001;
            								__eflags =  *0x473e84 + 0x80000001;
            							}
            							_v36.dwHighDateTime = _v36.dwHighDateTime & 0x00000002;
            							__eflags = _v36.dwHighDateTime & 0x00000002;
            							_v96.hNameMappings = __eax;
            							L277:
            							__eflags = _v96.hNameMappings - __ebx;
            							if(_v96.hNameMappings == __ebx) {
            								goto L432;
            							}
            							goto L67;
            						}
            						__edi = E00401544(2);
            						__eflags = __edi;
            						if(__edi == 0) {
            							goto L67;
            						}
            						_push(0x33);
            						_pop(__esi);
            						__esi = E00401453(__esi);
            						__eax = RegDeleteValueW(__edi, __esi);
            						_push(__esi);
            						_push(0x4140d8);
            						_v96.hNameMappings = __eax;
            						E004062C7(L"DeleteRegValue: \"%s\\%s\" \"%s\"", _a4) = RegCloseKey(__edi);
            						goto L277;
            					case 0x32:
            						__eflags = __esi;
            						if(__esi == 0) {
            							__edi =  *0x473e84;
            							__edi =  *0x473e84 + 0x80000001;
            							__eflags = __edi;
            						} else {
            							__edi = __esi;
            						}
            						__eax = _v36.dwHighDateTime;
            						_v12 = _v36.dwHighDateTime;
            						__eax = _v28;
            						_push(2);
            						_pop(__esi);
            						_v96.hNameMappings = _v28;
            						__eax = E00401453(__esi);
            						_push(0x11);
            						_pop(__esi);
            						_v16 = __eax;
            						_a4 = E00401453(__esi);
            						_v20 = E004061E4(__edi);
            						 &_v64 =  *0x473eb0;
            						__eax =  *0x473eb0 | 0x00000002;
            						_v8 = 1;
            						__eax = RegCreateKeyExW(__edi, _a4, __ebx, __ebx, __ebx,  *0x473eb0 | 0x00000002, __ebx,  &_v64, __ebx);
            						__eflags = __eax;
            						if(__eax != 0) {
            							_push(_a4);
            							_push(_v20);
            							_push(L"WriteReg: error creating key \"%s\\%s\"");
            							L87:
            							__eax = E004062C7();
            							L88:
            							__esp = __esp + 0xc;
            							goto L432;
            						} else {
            							__esi = 0;
            							__eflags = _v12 - 1;
            							__edi = 0x4140d8;
            							if(_v12 != 1) {
            								L287:
            								__eflags = _v12 - 4;
            								if(_v12 == 4) {
            									_push(3);
            									_pop(__ecx);
            									__eax = E0040143D(__ecx);
            									_push(4);
            									_pop(__esi);
            									_push(__eax);
            									_push(_v16);
            									 *0x4140d8 = __eax;
            									_push(_a4);
            									__eax = E004062C7(L"WriteRegDWORD: \"%s\\%s\" \"%s\"=\"0x%08x\"", _v20);
            								}
            								__eflags = _v12 - 3;
            								if(_v12 == 3) {
            									__esi = E004033A6(_v36.dwLowDateTime, __ebx, __edi, 0xc018);
            									 &_v352 = E00406248(__ecx,  &_v352, 0x100, __edi, __esi);
            									__eax =  &_v352;
            									_push( &_v352);
            									_push(_v16);
            									_push(_a4);
            									__eax = E004062C7(L"WriteRegBin: \"%s\\%s\" \"%s\"=\"%s\"", _v20);
            								}
            								L291:
            								__eax = RegSetValueExW(_v64, _v16, __ebx, _v96.hNameMappings, __edi, __esi);
            								__eflags = __eax;
            								if(__eax != 0) {
            									_push(_v16);
            									_push(_a4);
            									__eax = E004062C7(L"WriteReg: error writing into \"%s\\%s\" \"%s\"", _v20);
            								} else {
            									_v8 = __ebx;
            								}
            								__eax = RegCloseKey(_v64);
            								goto L295;
            							}
            							_push(0x23);
            							_pop(__esi);
            							__eax = E00401453(0);
            							__eax = lstrlenW(0x4140d8);
            							__eflags = _v96.hNameMappings - 1;
            							_push(0x4140d8);
            							_push(_v16);
            							_t351 =  &(__eax[1]); // 0x2
            							__esi = __eax + _t351;
            							_push(_a4);
            							_push(_v20);
            							if(_v96.hNameMappings != 1) {
            								_push(L"WriteRegExpandStr: \"%s\\%s\" \"%s\"=\"%s\"");
            								__eax = E004062C7();
            								__esp = __esp + 0x14;
            								goto L287;
            							}
            							_push(L"WriteRegStr: \"%s\\%s\" \"%s\"=\"%s\"");
            							__eax = E004062C7();
            							__esp = __esp + 0x14;
            							goto L291;
            						}
            					case 0x33:
            						__eax = E00401544(0x20019);
            						_push(0x33);
            						_pop(__esi);
            						_v12 = __eax;
            						__eax = E00401453(__esi);
            						__eflags = _v12;
            						 *__edi = __bx;
            						if(_v12 == 0) {
            							goto L67;
            						}
            						 &(_v96.hNameMappings) =  &_a4;
            						_v96.hNameMappings = 0x4008;
            						__eax = RegQueryValueExW(_v12, __eax, 0,  &_a4, __edi,  &(_v96.hNameMappings));
            						__ecx = 0;
            						__ecx = 1;
            						__eflags = __eax;
            						if(__eax != 0) {
            							L304:
            							 *__edi = __bx;
            							_v8 = __ecx;
            							L305:
            							__eax = RegCloseKey(_v12);
            							goto L295;
            						}
            						__eflags = _a4 - 4;
            						if(_a4 == 4) {
            							__eax = 0;
            							__eflags = _v36.dwHighDateTime;
            							__eax = 0 | __eflags == 0x00000000;
            							_v8 = __eflags == 0;
            							__eax = E00405F74(__edi,  *__edi);
            							goto L305;
            						}
            						__eflags = _a4 - 1;
            						if(_a4 == 1) {
            							L302:
            							__eax = _v36.dwHighDateTime;
            							_v8 = _v36.dwHighDateTime;
            							__eax = _v96.hNameMappings;
            							 *(__edi + _v96.hNameMappings * 2) = __bx;
            							goto L305;
            						}
            						__eflags = _a4 - 2;
            						if(_a4 != 2) {
            							goto L304;
            						}
            						goto L302;
            					case 0x34:
            						__eax = E00401544(0x20019);
            						_push(3);
            						_pop(__ecx);
            						__esi = __eax;
            						__eax = E0040143D(__ecx);
            						__eflags = __esi;
            						 *__edi = __bx;
            						if(__esi == 0) {
            							goto L67;
            						}
            						__eflags = _v36.dwHighDateTime;
            						__ecx = 0x2003;
            						_a4 = 0x2003;
            						if(_v36.dwHighDateTime == 0) {
            							__ecx =  &_a4;
            							__eax = RegEnumValueW(__esi, __eax, __edi,  &_a4, 0, 0, 0, 0);
            							__eflags = __eax;
            							if(__eax != 0) {
            								goto L67;
            							}
            							L310:
            							 *(__edi + 0x4006) = __bx;
            							__eax = RegCloseKey(__esi);
            							L295:
            							goto L432;
            						}
            						__eax = RegEnumKeyW(__esi, __eax, __edi, 0x2003);
            						goto L310;
            					case 0x35:
            						__eflags =  *__edi - __bx;
            						_pop(ds);
            						if(__eflags != 0) {
            							__eax = FindCloseChangeNotification(E00405F8D(__ecx, __edi));
            							L314:
            						}
            						goto L432;
            					case 0x36:
            						_push(0xffffffed);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						__eax = E00405E77(__eax, _v44, _v40);
            						__eflags = __eax - 0xffffffff;
            						if(__eax != 0xffffffff) {
            							goto L429;
            						}
            						goto L316;
            					case 0x37:
            						__eax = GlobalAlloc(0x40, 0x2004); // executed
            						__eflags = _v40;
            						__esi = __eax;
            						_a4 = __esi;
            						if(_v40 == 0) {
            							_push(0x11);
            							_pop(__esi);
            							E00401453(__esi) = WideCharToMultiByte(0, 0, 0x4100d0, 0xffffffff, _a4, 0x2004, 0, 0);
            							__eax = lstrlenA(_a4);
            						} else {
            							__ecx = 0;
            							__ecx = 1;
            							__eax = E0040143D(1);
            							 *__esi = __al;
            							0 = 1;
            						}
            						__eflags =  *__edi - __bx;
            						if( *__edi == __bx) {
            							L322:
            							_v8 = 1;
            							goto L323;
            						} else {
            							__ecx =  &_v56;
            							__eax = E00405F8D(__ecx, __edi);
            							__eax = WriteFile(__eax, _a4, __eax, __ecx, __ebx); // executed
            							__eflags = __eax;
            							if(__eax != 0) {
            								L323:
            								__eax = GlobalFree(_a4);
            								L220:
            								goto L432;
            							}
            							goto L322;
            						}
            					case 0x38:
            						_push(2);
            						_pop(__ecx);
            						__esi = 0;
            						__eax = E0040143D(__ecx);
            						__eflags = __eax - 1;
            						_v12 = __eax;
            						if(__eax < 1) {
            							goto L432;
            						}
            						__ecx = 0x2003;
            						__eflags = __eax - 0x2003;
            						if(__eax > 0x2003) {
            							_v12 = 0x2003;
            						}
            						__eflags =  *__edi - __bx;
            						if( *__edi == __bx) {
            							goto L347;
            						} else {
            							_v57 = __bl;
            							__eax = E00405F8D(__ecx, __edi);
            							__eflags = _v12 - __ebx;
            							_v96.hNameMappings = __eax;
            							if(_v12 <= __ebx) {
            								goto L347;
            							}
            							__edi = _a4;
            							while(1) {
            								 &_v56 =  &_a7;
            								__eax = ReadFile(_v96.hNameMappings,  &_a7, 1,  &_v56, __ebx);
            								__eflags = __eax;
            								if(__eax == 0) {
            									goto L348;
            								}
            								__eflags = _v56 - 1;
            								if(_v56 != 1) {
            									goto L348;
            								}
            								__eflags = _v36.dwLowDateTime - __ebx;
            								if(_v36.dwLowDateTime != __ebx) {
            									__eax = _a7 & 0x000000ff;
            									goto L339;
            								}
            								 &_v16 =  &_a7;
            								__eax = MultiByteToWideChar(__ebx, __ebx,  &_a7, 1,  &_v16, 2);
            								__al = _v57;
            								__eflags = __al - 0xd;
            								if(__al == 0xd) {
            									L340:
            									__eflags = __al - _a7;
            									if(__al == _a7) {
            										L345:
            										_push(1);
            										_push(__ebx);
            										_push(0xffffffff);
            										goto L346;
            									}
            									__eflags = _a7 - 0xd;
            									if(_a7 == 0xd) {
            										L343:
            										__ax = _v16;
            										goto L344;
            									}
            									__eflags = _a7 - 0xa;
            									if(_a7 != 0xa) {
            										goto L345;
            									}
            									goto L343;
            								}
            								__eflags = __al - 0xa;
            								if(__al == 0xa) {
            									goto L340;
            								}
            								__ax = _v16;
            								 *(__edi + __esi * 2) = _v16;
            								__al = _a7;
            								__esi = __esi + 1;
            								__eflags = __al - __bl;
            								_v57 = __al;
            								if(__al == __bl) {
            									goto L348;
            								}
            								__eflags = __esi - _v12;
            								if(__esi < _v12) {
            									continue;
            								}
            								goto L348;
            							}
            							goto L348;
            						}
            					case 0x39:
            						__eflags = _v40;
            						if(_v40 == 0) {
            							_push(0x11);
            							_pop(__esi);
            							__eax = E00401453(__esi);
            							__eax = lstrlenW(__eax);
            						} else {
            							__ecx = 0;
            							__ecx = 1;
            							__eax = E0040143D(1);
            							 *0x4100d0 = __ax;
            							__eax = 0;
            							__eax = 1;
            						}
            						__eflags =  *__edi - __bx;
            						if( *__edi == __bx) {
            							goto L67;
            						} else {
            							__ecx =  &_a4;
            							__eax = __eax + __eax;
            							__eax = E00405F8D(__ecx, __edi);
            							__eax = WriteFile(__eax, 0x4100d0, __eax, __ecx, __ebx);
            							L65:
            							__eflags = __eax;
            							goto L66;
            						}
            					case 0x3a:
            						_push(2);
            						_pop(__ecx);
            						__esi = 0;
            						__eax = E0040143D(__ecx);
            						__eflags = __eax - 1;
            						_v12 = __eax;
            						if(__eax < 1) {
            							goto L432;
            						}
            						__ecx = 0x2003;
            						__eflags = __eax - 0x2003;
            						if(__eax > 0x2003) {
            							_v12 = 0x2003;
            						}
            						__eflags =  *__edi - __bx;
            						if( *__edi == __bx) {
            							L347:
            							__edi = _a4;
            							goto L348;
            						} else {
            							_v20 = __ebx;
            							__eax = E00405F8D(__ecx, __edi);
            							__eflags = _v12 - __ebx;
            							_v96.hNameMappings = __eax;
            							if(_v12 <= __ebx) {
            								goto L347;
            							}
            							__edi = _a4;
            							while(1) {
            								 &_v56 =  &_a4;
            								__eax = ReadFile(_v96.hNameMappings,  &_a4, 2,  &_v56, __ebx);
            								__eflags = __eax;
            								if(__eax == 0) {
            									break;
            								}
            								__eflags = _v56 - 2;
            								if(_v56 != 2) {
            									break;
            								}
            								__eflags = _v36.dwLowDateTime - __ebx;
            								if(_v36.dwLowDateTime != __ebx) {
            									__eax = _a4 & 0x0000ffff;
            									L339:
            									__eax = E00405F74(__edi, __eax);
            									goto L433;
            								}
            								__eflags = _v20 - 0xd;
            								if(_v20 == 0xd) {
            									L369:
            									__ax = _a4;
            									__eflags = _v20 - __ax;
            									if(_v20 == __ax) {
            										L372:
            										_push(1);
            										_push(__ebx);
            										_push(0xfffffffe);
            										L346:
            										__eax = SetFilePointer(_v96.hNameMappings, ??, ??, ??);
            										break;
            									}
            									__eflags = __ax - 0xd;
            									if(__ax == 0xd) {
            										L344:
            										 *(__edi + __esi * 2) = __ax;
            										__esi = __esi + 1;
            										break;
            									}
            									__eflags = __ax - 0xa;
            									if(__ax == 0xa) {
            										goto L344;
            									}
            									goto L372;
            								}
            								__eflags = _v20 - 0xa;
            								if(_v20 == 0xa) {
            									goto L369;
            								}
            								__ax = _a4;
            								__ecx = __ax & 0x0000ffff;
            								 *(__edi + __esi * 2) = __ax;
            								__esi = __esi + 1;
            								__eflags = __ax - __bx;
            								_v20 = __ax & 0x0000ffff;
            								if(__ax == __bx) {
            									break;
            								}
            								__eflags = __esi - _v12;
            								if(__esi < _v12) {
            									continue;
            								}
            								break;
            							}
            							L348:
            							 *(__edi + __esi * 2) = __bx;
            							__eflags = __esi - __ebx;
            							L66:
            							if(__eflags != 0) {
            								goto L432;
            							}
            							goto L67;
            						}
            					case 0x3b:
            						__eflags =  *__edi - __bx;
            						_pop(ds);
            						if(__eflags == 0) {
            							goto L432;
            						} else {
            							_push(_v36.dwLowDateTime);
            							_push(0);
            							_push(2);
            							_pop(__ecx);
            							__eax = E0040143D(__ecx);
            							__eax = E00405F8D(__ecx, __edi);
            							__eax = SetFilePointer(__eax, __eax, ??, ??); // executed
            							__eflags = _v44;
            							if(_v44 < 0) {
            								goto L432;
            							}
            							goto L376;
            						}
            					case 0x3c:
            						__eflags =  *__edi - __bx;
            						_pop(ds);
            						if(__eflags != 0) {
            							E00405F8D(__ecx, __edi) = FindClose(__eax);
            						}
            						goto L432;
            					case 0x3d:
            						__eax = _a4;
            						__eflags =  *_a4 - __bx;
            						if( *_a4 == __bx) {
            							L63:
            							_v8 = 1;
            							 *__edi = __bx;
            							goto L432;
            						}
            						__eax =  &_v944;
            						__eax = E00405F8D(__ecx, _a4);
            						__eax = FindNextFileW(__eax,  &_v944);
            						__eflags = __eax;
            						if(__eax == 0) {
            							goto L63;
            						}
            						goto L387;
            					case 0x3e:
            						_push(2);
            						_pop(__esi);
            						__eax = E00401453(__esi);
            						__ecx =  &_v944;
            						__eax = FindFirstFileW(__eax,  &_v944);
            						__eflags = __eax - 0xffffffff;
            						if(__eax != 0xffffffff) {
            							__eax = E00405F74(_a4, __eax);
            							L387:
            							__eax =  &(_v944.cFileName);
            							_push( &(_v944.cFileName));
            							_push(__edi);
            							goto L388;
            						}
            						__eax = _a4;
            						 *_a4 = __bx;
            						L316:
            						 *__edi = __bx;
            						goto L67;
            					case 0x3f:
            						_push(0xfffffff0);
            						_pop(__esi);
            						_v12 = 0xfffffd66;
            						__eax = E00401453(__esi);
            						__edi = __eax;
            						_v64 = __eax;
            						__eax = E00405D4B(__eax);
            						__eflags = __eax;
            						if(__eax == 0) {
            							_push(0xffffffed);
            							_pop(__esi);
            							__eax = E00401453(__esi);
            						}
            						__eax = E00405E57(__edi);
            						__eax = E00405E77(__edi, 0x40000000, 2);
            						__eflags = __eax - 0xffffffff;
            						_a4 = __eax;
            						if(__eax == 0xffffffff) {
            							L400:
            							_push(_v64);
            							__eax = E004062C7(L"created uninstaller: %d, \"%s\"", _v12);
            							__eflags = _v12 - __ebx;
            							_push(0xfffffff3);
            							_pop(__esi);
            							if(_v12 < __ebx) {
            								_push(0xffffffef);
            								_pop(__esi);
            								__eax = DeleteFileW(_v64);
            								_v8 = 1;
            							}
            							_push(__esi);
            							L39:
            							__eax = E0040142C();
            							goto L432;
            						} else {
            							__eax =  *0x473e2c;
            							__esi = GlobalAlloc;
            							_v96.hNameMappings = __eax;
            							__edi = __eax;
            							__eflags = __edi - __ebx;
            							if(__edi == __ebx) {
            								L399:
            								__eax = CloseHandle(_a4);
            								goto L400;
            							}
            							E0040338F(__ebx) = E0040335D(__edi, _v96.hNameMappings);
            							__esi = GlobalAlloc(0x40, _v40);
            							__eflags = __esi - __ebx;
            							_v56 = __esi;
            							if(__esi == __ebx) {
            								L398:
            								 &_v12 = WriteFile(_a4, __edi, _v96.hNameMappings,  &_v12, __ebx);
            								__eax = GlobalFree(__edi);
            								_v12 = E004033A6(0xffffffff, _a4, __ebx, __ebx);
            								goto L399;
            							}
            							__eax = E004033A6(_v44, __ebx, __esi, _v40);
            							while(1) {
            								__eflags =  *__esi - __bl;
            								if( *__esi == __bl) {
            									break;
            								}
            								__ecx =  *__esi;
            								__eax =  *(__esi + 4);
            								__esi = __esi + 8;
            								__eax = __eax + __edi;
            								_v24 = __ecx;
            								__eax = E00405E33(__eax, __esi, __ecx);
            								__esi = __esi + _v24;
            								__eflags = __esi;
            							}
            							__eax = GlobalFree(_v56);
            							goto L398;
            						}
            					case 0x40:
            						__eflags = __esi;
            						if(__esi == 0) {
            							__esi = 0;
            							__esi = 1;
            							_push(E00401453(1));
            							_push(L"%s");
            							L52:
            							__eax = E004062C7();
            							_pop(__ecx);
            							L26:
            							_pop(__ecx);
            							goto L432;
            						}
            						E004062C7(L"settings logging to %d", __edx) = _v44;
            						 *0x462528 = _v44;
            						__eax = E004062C7(L"logging set to %d", _v44);
            						__eflags = _v44;
            						if(_v44 == 0) {
            							__eax = E0040610B(__ecx, 1);
            						} else {
            							__eax = E00403EBC();
            						}
            						goto L432;
            					case 0x41:
            						__ecx = 0;
            						__edi = E0040143D(0);
            						__eflags = __edi -  *0x473dec;
            						if(__edi >=  *0x473dec) {
            							goto L67;
            						}
            						__eax = _v40;
            						__edi = __edi * 0x4020;
            						__esi = __edi * 0x4020 +  *0x473de8;
            						__eflags = __eax;
            						if(__eflags < 0) {
            							0xffffffff = 0xffffffff - __eax;
            							__eflags = 0xffffffff;
            							_v40 = 0xffffffff - __eax;
            							if(0xffffffff == 0) {
            								_push(_v36.dwHighDateTime);
            								__eax = __esi + 0x18;
            								_push(__esi + 0x18);
            								__eax = E00406820(__ebx, __edi, __esi);
            								_t507 = __esi + 8;
            								 *_t507 =  *(__esi + 8) | 0x00000100;
            								__eflags =  *_t507;
            							} else {
            								__ecx = 0;
            								__ecx = 1;
            								_v44 = E0040143D(1);
            							}
            							__eax = _v40;
            							__ecx = _v44;
            							 *((intOrPtr*)(__esi + _v40 * 4)) = _v44;
            							__eflags = _v36.dwLowDateTime - __ebx;
            							if(_v36.dwLowDateTime != __ebx) {
            								__eax = E0040117D(__edi);
            							}
            							goto L432;
            						}
            						__ecx =  *(__esi + __eax * 4);
            						if(__eflags != 0) {
            							_push(__ecx);
            							goto L377;
            						}
            						_push(__esi);
            						_push(_a4);
            						L388:
            						__eax = E0040602D();
            						goto L432;
            					case 0x42:
            						__ecx = 0;
            						__eax = E0040143D(0);
            						__eflags = __eax - 0x20;
            						if(__eax >= 0x20) {
            							L67:
            							_v8 = 1;
            							goto L432;
            						}
            						__eflags = _v36.dwLowDateTime;
            						if(_v36.dwLowDateTime == 0) {
            							__eflags = _v40;
            							if(_v40 == 0) {
            								__ecx =  *0x473ddc;
            								_push( *( *0x473ddc + 0x94 + __eax * 4));
            								_push(_a4);
            								__eax = E00406820(__ebx, __edi, __esi);
            							} else {
            								__ecx = _v44;
            								__edx =  *0x473ddc;
            								 *( *0x473ddc + 0x94 + __eax * 4) = _v44;
            							}
            							goto L432;
            						}
            						__eflags = _v40;
            						if(_v40 == 0) {
            							__eax = E004012E8(0);
            							L376:
            							_push(__eax);
            							L377:
            							_push(_a4);
            							goto L431;
            						}
            						__eax = E004011EF(__ecx, 0, 0);
            						goto L432;
            					case 0x43:
            						goto L432;
            					case 0x44:
            						 *0x458274 =  *0x458274 & __esi;
            						__eax = SendMessageW(_v16, 0xb,  *0x458274 & __esi, 0);
            						__eflags = _v48;
            						if(_v48 != 0) {
            							__eax = InvalidateRect(_v16, 0, 0);
            						}
            						goto L432;
            					case 0x45:
            						__esi = 0;
            						__esi = 1;
            						__eflags = 1;
            						__eax = E00401453(1);
            						__eax = E004063D1(__eax);
            						L429:
            						_push(__eax);
            						L430:
            						_push(__edi);
            						L431:
            						__eax = E00405F74();
            						goto L432;
            				}
            			}
























            0x0040255b
            0x0040255c
            0x0040255f
            0x00402560
            0x00402567
            0x00402568
            0x0040256b
            0x0040256e
            0x00402577
            0x0040257f
            0x00402582
            0x00402583
            0x00402588
            0x0040258a
            0x0040258b
            0x00402590
            0x00402596
            0x00402598
            0x00402658
            0x00402658
            0x0040265f
            0x00000000
            0x0040259e
            0x0040259e
            0x004025a1
            0x004025a3
            0x004025a6
            0x004025a7
            0x004025ac
            0x004025ad
            0x004025af
            0x004025b1
            0x004025b4
            0x004025ba
            0x004025bd
            0x004025bf
            0x004025c0
            0x004025c4
            0x004025c7
            0x004025ca
            0x004025cc
            0x004025d1
            0x004025d2
            0x004025d5
            0x004025da
            0x004025dd
            0x004025dd
            0x004025df
            0x004025e1
            0x004025e4
            0x004025e6
            0x004025e7
            0x004025e8
            0x004025eb
            0x004025eb
            0x004025ee
            0x004025f1
            0x004025f6
            0x004025f7
            0x004025f8
            0x004025fb
            0x004025fe
            0x00402601
            0x00402603
            0x00402606
            0x00402609
            0x0040260b
            0x0040260b
            0x0040260d
            0x0040260e
            0x0040260f
            0x00402610
            0x00402610
            0x00402613
            0x00402616
            0x00402619
            0x0040261b
            0x0040261c
            0x0040261f
            0x00402622
            0x00402625
            0x00402627
            0x00402628
            0x0040262b
            0x0040262e
            0x00402630
            0x00402633
            0x00402635
            0x00402637
            0x0040263a
            0x0040263e
            0x0040263e
            0x00402641
            0x00402644
            0x00402646
            0x00402647
            0x00402647
            0x0040264a
            0x0040264d
            0x0040264f
            0x00402650
            0x00402653
            0x00402656
            0x00402666
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00402656
            0x00000000
            0x0040266d
            0x0040266f
            0x00402674
            0x00402676
            0x00402677
            0x00402679
            0x0040267e
            0x00402680
            0x00402681
            0x00402684
            0x00402689
            0x0040268c
            0x00402693
            0x00402696
            0x0040269f
            0x004026a4
            0x004026a6
            0x004026b5
            0x004026b9
            0x004026bc
            0x004026c9
            0x004026d3
            0x004026d8
            0x004026e1
            0x004026e4
            0x004026e7
            0x004026ea
            0x004026f3
            0x004026f7
            0x004026fd
            0x004026ff
            0x00000000
            0x00000000
            0x00402705
            0x004026ab
            0x00000000
            0x00000000
            0x00402707
            0x0040270d
            0x00401ed8
            0x00401ed8
            0x00401edd
            0x00401edf
            0x00401ee5
            0x00401c27
            0x00401c27
            0x00401629
            0x00401629
            0x00000000
            0x00401629
            0x00402713
            0x00000000
            0x00000000
            0x00402723
            0x00402729
            0x0040272c
            0x0040272f
            0x00402735
            0x0040273b
            0x00402740
            0x00402743
            0x00402745
            0x00402745
            0x0040274c
            0x0040274c
            0x0040274f
            0x00402752
            0x00402754
            0x00402756
            0x0040275c
            0x0040275c
            0x0040275f
            0x00402762
            0x00402764
            0x00402766
            0x0040276c
            0x0040276c
            0x0040276e
            0x00402770
            0x00402776
            0x00402778
            0x00402779
            0x0040277a
            0x00402789
            0x00402799
            0x00000000
            0x00000000
            0x004027a4
            0x004027a9
            0x004027ac
            0x004027b1
            0x004027b3
            0x004027b4
            0x004027b7
            0x004027bc
            0x004027be
            0x004027bf
            0x004027c2
            0x004027c7
            0x004027c9
            0x004027ca
            0x004027d9
            0x004027e9
            0x004027ee
            0x004019cf
            0x004019cf
            0x004019d1
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x004027fa
            0x004027ff
            0x00402803
            0x00402806
            0x0040284d
            0x0040284f
            0x00402850
            0x00402855
            0x00402857
            0x00402860
            0x00402865
            0x0040286b
            0x0040286d
            0x00402874
            0x00402874
            0x00402874
            0x0040287c
            0x0040287c
            0x00402887
            0x0040288a
            0x0040288a
            0x0040288d
            0x00000000
            0x00000000
            0x00000000
            0x00402893
            0x0040280f
            0x00402811
            0x00402813
            0x00000000
            0x00000000
            0x00402819
            0x0040281b
            0x00402821
            0x00402825
            0x0040282b
            0x0040282c
            0x00402834
            0x00402845
            0x00000000
            0x00000000
            0x00402898
            0x0040289a
            0x004028a0
            0x004028a6
            0x004028a6
            0x0040289c
            0x0040289c
            0x0040289c
            0x004028ac
            0x004028af
            0x004028b2
            0x004028b5
            0x004028b7
            0x004028b8
            0x004028bb
            0x004028c0
            0x004028c2
            0x004028c3
            0x004028cc
            0x004028d6
            0x004028dd
            0x004028e3
            0x004028ed
            0x004028f5
            0x004028fb
            0x004028fd
            0x00402a04
            0x00402a07
            0x00402a0a
            0x00401b71
            0x00401b71
            0x00401b76
            0x00401b76
            0x00000000
            0x00402903
            0x00402903
            0x00402905
            0x00402909
            0x0040290e
            0x00402951
            0x00402951
            0x00402955
            0x00402957
            0x00402959
            0x0040295a
            0x0040295f
            0x00402961
            0x00402962
            0x00402963
            0x00402966
            0x0040296b
            0x00402976
            0x0040297b
            0x0040297e
            0x00402982
            0x00402993
            0x004029a3
            0x004029a8
            0x004029ae
            0x004029af
            0x004029b2
            0x004029bd
            0x004029c2
            0x004029c5
            0x004029d1
            0x004029d7
            0x004029d9
            0x004029e0
            0x004029e3
            0x004029ee
            0x004029db
            0x004029db
            0x004029db
            0x004029f9
            0x00000000
            0x004029f9
            0x00402910
            0x00402912
            0x00402913
            0x00402919
            0x0040291e
            0x00402922
            0x00402923
            0x00402926
            0x00402926
            0x0040292a
            0x0040292d
            0x00402930
            0x00402944
            0x00402949
            0x0040294e
            0x00000000
            0x0040294e
            0x00402932
            0x00402937
            0x0040293c
            0x00000000
            0x0040293c
            0x00000000
            0x00402a19
            0x00402a1e
            0x00402a20
            0x00402a21
            0x00402a24
            0x00402a29
            0x00402a2c
            0x00402a2f
            0x00000000
            0x00000000
            0x00402a3a
            0x00402a43
            0x00402a4a
            0x00402a50
            0x00402a52
            0x00402a53
            0x00402a55
            0x00402a8c
            0x00402a8c
            0x00402a8f
            0x00402a92
            0x004029f9
            0x00000000
            0x004029f9
            0x00402a57
            0x00402a5b
            0x00402a79
            0x00402a7b
            0x00402a7f
            0x00402a82
            0x00402a85
            0x00000000
            0x00402a85
            0x00402a5d
            0x00402a60
            0x00402a68
            0x00402a68
            0x00402a6b
            0x00402a6e
            0x00402a71
            0x00000000
            0x00402a71
            0x00402a62
            0x00402a66
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00402a9f
            0x00402aa4
            0x00402aa6
            0x00402aa7
            0x00402aa9
            0x00402aae
            0x00402ab0
            0x00402ab3
            0x00000000
            0x00000000
            0x00402ab9
            0x00402abc
            0x00402ac1
            0x00402ac4
            0x00402ad6
            0x00402add
            0x00402ae3
            0x00402ae5
            0x00000000
            0x00000000
            0x00402aeb
            0x00402aeb
            0x004029f9
            0x004029f9
            0x00000000
            0x004029f9
            0x00402aca
            0x00000000
            0x00000000
            0x00402af8
            0x00402afa
            0x00402afb
            0x00402b08
            0x00402b08
            0x00402b08
            0x00000000
            0x00000000
            0x00402b13
            0x00402b15
            0x00402b16
            0x00402b22
            0x00402b27
            0x00402b2a
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00402b3f
            0x00402b45
            0x00402b48
            0x00402b4a
            0x00402b4d
            0x00402b5e
            0x00402b60
            0x00402b79
            0x00402b82
            0x00402b4f
            0x00402b4f
            0x00402b51
            0x00402b52
            0x00402b57
            0x00402b5b
            0x00402b5b
            0x00402b88
            0x00402b8b
            0x00402ba7
            0x00402ba7
            0x00000000
            0x00402b8d
            0x00402b8e
            0x00402b97
            0x00402b9d
            0x00402ba3
            0x00402ba5
            0x00402bae
            0x0040239d
            0x0040239d
            0x00000000
            0x0040239d
            0x00000000
            0x00402ba5
            0x00000000
            0x00402bb6
            0x00402bb8
            0x00402bb9
            0x00402bbb
            0x00402bc0
            0x00402bc3
            0x00402bc6
            0x00000000
            0x00000000
            0x00402bcc
            0x00402bd1
            0x00402bd3
            0x00402bd5
            0x00402bd5
            0x00402bd8
            0x00402bdb
            0x00000000
            0x00402be1
            0x00402be2
            0x00402be5
            0x00402bea
            0x00402bed
            0x00402bf0
            0x00000000
            0x00000000
            0x00402bf6
            0x00402bf9
            0x00402c00
            0x00402c07
            0x00402c0d
            0x00402c0f
            0x00000000
            0x00000000
            0x00402c15
            0x00402c19
            0x00000000
            0x00000000
            0x00402c1b
            0x00402c1e
            0x00402c59
            0x00000000
            0x00402c59
            0x00402c28
            0x00402c2e
            0x00402c34
            0x00402c37
            0x00402c39
            0x00402c69
            0x00402c69
            0x00402c6c
            0x00402c85
            0x00402c85
            0x00402c87
            0x00402c88
            0x00000000
            0x00402c88
            0x00402c6e
            0x00402c72
            0x00402c7a
            0x00402c7a
            0x00000000
            0x00402c7a
            0x00402c74
            0x00402c78
            0x00000000
            0x00000000
            0x00000000
            0x00402c78
            0x00402c3b
            0x00402c3d
            0x00000000
            0x00000000
            0x00402c3f
            0x00402c43
            0x00402c47
            0x00402c4a
            0x00402c4b
            0x00402c4d
            0x00402c50
            0x00000000
            0x00000000
            0x00402c52
            0x00402c55
            0x00000000
            0x00000000
            0x00000000
            0x00402c57
            0x00000000
            0x00402bf9
            0x00000000
            0x00402ca3
            0x00402ca6
            0x00402cbb
            0x00402cbd
            0x00402cbe
            0x00402cc4
            0x00402ca8
            0x00402ca8
            0x00402caa
            0x00402cab
            0x00402cb0
            0x00402cb6
            0x00402cb8
            0x00402cb8
            0x00402cc9
            0x00402ccc
            0x00000000
            0x00402cd2
            0x00402cd3
            0x00402cd7
            0x00402ce0
            0x00402ce6
            0x004019f5
            0x004019f5
            0x00000000
            0x004019f5
            0x00000000
            0x00402cf1
            0x00402cf3
            0x00402cf4
            0x00402cf6
            0x00402cfb
            0x00402cfe
            0x00402d01
            0x00000000
            0x00000000
            0x00402d07
            0x00402d0c
            0x00402d0e
            0x00402d10
            0x00402d10
            0x00402d13
            0x00402d16
            0x00402c95
            0x00402c95
            0x00000000
            0x00402d1c
            0x00402d1d
            0x00402d20
            0x00402d25
            0x00402d28
            0x00402d2b
            0x00000000
            0x00000000
            0x00402d31
            0x00402d34
            0x00402d3b
            0x00402d42
            0x00402d48
            0x00402d4a
            0x00000000
            0x00000000
            0x00402d50
            0x00402d54
            0x00000000
            0x00000000
            0x00402d5a
            0x00402d5d
            0x00402d8f
            0x00402c5d
            0x00402c5f
            0x00000000
            0x00402c5f
            0x00402d5f
            0x00402d64
            0x00402d98
            0x00402d98
            0x00402d9c
            0x00402da0
            0x00402db6
            0x00402db6
            0x00402db8
            0x00402db9
            0x00402c8a
            0x00402c8d
            0x00000000
            0x00402c8d
            0x00402da2
            0x00402da6
            0x00402c7e
            0x00402c7e
            0x00402c82
            0x00000000
            0x00402c82
            0x00402dac
            0x00402db0
            0x00000000
            0x00000000
            0x00000000
            0x00402db0
            0x00402d66
            0x00402d6b
            0x00000000
            0x00000000
            0x00402d6d
            0x00402d71
            0x00402d74
            0x00402d78
            0x00402d79
            0x00402d7c
            0x00402d7f
            0x00000000
            0x00000000
            0x00402d85
            0x00402d88
            0x00000000
            0x00000000
            0x00000000
            0x00402d8a
            0x00402c98
            0x00402c98
            0x00402c9c
            0x004019f7
            0x004019f7
            0x00000000
            0x00000000
            0x00000000
            0x004019f7
            0x00000000
            0x00402dc0
            0x00402dc2
            0x00402dc3
            0x00000000
            0x00402dc9
            0x00402dc9
            0x00402dcc
            0x00402dcd
            0x00402dcf
            0x00402dd0
            0x00402dd7
            0x00402ddd
            0x00402de3
            0x00402de6
            0x00000000
            0x00000000
            0x00000000
            0x00402de6
            0x00000000
            0x00402df5
            0x00402df7
            0x00402df8
            0x00402e05
            0x00402e05
            0x00000000
            0x00000000
            0x00402e10
            0x00402e13
            0x00402e16
            0x004019d7
            0x004019d7
            0x004019de
            0x00000000
            0x004019de
            0x00402e1c
            0x00402e26
            0x00402e2c
            0x00402e32
            0x00402e34
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00402e3c
            0x00402e3e
            0x00402e3f
            0x00402e44
            0x00402e4c
            0x00402e52
            0x00402e55
            0x00402e66
            0x00402e6b
            0x00402e6b
            0x00402e71
            0x00402e72
            0x00000000
            0x00402e72
            0x00402e57
            0x00402e5a
            0x00402b30
            0x00402b30
            0x00000000
            0x00000000
            0x00402e7d
            0x00402e7f
            0x00402e80
            0x00402e87
            0x00402e8c
            0x00402e8f
            0x00402e92
            0x00402e97
            0x00402e99
            0x00402e9b
            0x00402e9d
            0x00402e9e
            0x00402e9e
            0x00402ea4
            0x00402eb1
            0x00402eb6
            0x00402eb9
            0x00402ebc
            0x00402f5f
            0x00402f5f
            0x00402f6a
            0x00402f72
            0x00402f75
            0x00402f77
            0x00402f78
            0x00402f7a
            0x00402f7c
            0x00402f80
            0x00402f86
            0x00402f86
            0x00402f8d
            0x0040187b
            0x0040187b
            0x00000000
            0x00402ec2
            0x00402ec2
            0x00402ec7
            0x00402ed0
            0x00402ed5
            0x00402ed7
            0x00402ed9
            0x00402f56
            0x00402f59
            0x00000000
            0x00402f59
            0x00402ee5
            0x00402ef1
            0x00402ef3
            0x00402ef5
            0x00402ef8
            0x00402f2e
            0x00402f3a
            0x00402f41
            0x00402f53
            0x00000000
            0x00402f53
            0x00402f02
            0x00402f21
            0x00402f21
            0x00402f23
            0x00000000
            0x00000000
            0x00402f09
            0x00402f0b
            0x00402f0f
            0x00402f13
            0x00402f16
            0x00402f19
            0x00402f1e
            0x00402f1e
            0x00402f1e
            0x00402f28
            0x00000000
            0x00402f28
            0x00000000
            0x00402f93
            0x00402f95
            0x00402fd3
            0x00402fd5
            0x00402fdb
            0x00402fdc
            0x0040193f
            0x0040193f
            0x00401944
            0x004017a3
            0x004017a3
            0x00000000
            0x004017a3
            0x00402fa2
            0x00402fab
            0x00402fb0
            0x00402fb8
            0x00402fbb
            0x00402fc9
            0x00402fbd
            0x00402fbd
            0x00402fbd
            0x00000000
            0x00000000
            0x00402fe6
            0x00402fed
            0x00402fef
            0x00402ff5
            0x00000000
            0x00000000
            0x00402ffb
            0x00403000
            0x00403006
            0x0040300c
            0x0040300e
            0x0040302a
            0x0040302a
            0x0040302c
            0x0040302f
            0x0040303e
            0x00403041
            0x00403044
            0x00403045
            0x0040304a
            0x0040304a
            0x0040304a
            0x00403031
            0x00403031
            0x00403033
            0x00403039
            0x00403039
            0x00403051
            0x00403054
            0x00403057
            0x0040305a
            0x0040305d
            0x00403064
            0x00403064
            0x00000000
            0x0040305d
            0x00403010
            0x00403013
            0x00403021
            0x00000000
            0x00403021
            0x00403018
            0x00403019
            0x00402e73
            0x00402e73
            0x00000000
            0x00000000
            0x0040306e
            0x00403070
            0x00403075
            0x00403078
            0x004019fd
            0x004019fd
            0x00000000
            0x004019fd
            0x0040307e
            0x00403081
            0x004030a2
            0x004030a5
            0x004030b9
            0x004030bf
            0x004030c6
            0x004030c9
            0x004030a7
            0x004030a7
            0x004030aa
            0x004030b0
            0x004030b0
            0x00000000
            0x004030a5
            0x00403083
            0x00403086
            0x00403098
            0x00402dec
            0x00402dec
            0x00402ded
            0x00402ded
            0x00000000
            0x00402ded
            0x00403090
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x004030d6
            0x004030de
            0x004030e4
            0x004030e7
            0x004030ee
            0x004030ee
            0x00000000
            0x00000000
            0x004030f6
            0x004030f8
            0x004030f8
            0x004030f9
            0x004030ff
            0x00403104
            0x00403104
            0x00403105
            0x00403105
            0x00403106
            0x00403106
            0x00000000
            0x00000000

            APIs
            • PostQuitMessage.USER32(00000000), ref: 0040163F
            • Sleep.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004016AA
            • SetForegroundWindow.USER32(?), ref: 004016C3
            • ShowWindow.USER32(?), ref: 0040174A
            • ShowWindow.USER32(?,00000001), ref: 0040175E
            • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00401784
            • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?), ref: 004017E7
            • GetLastError.KERNEL32(?,00000000,0000005C,?), ref: 004017F1
            • GetLastError.KERNEL32(?,00000000,0000005C,?), ref: 004017FE
            • SetCurrentDirectoryW.KERNELBASE(?,004CC0B0,?,000000E6,?), ref: 0040186E
            • MoveFileW.KERNEL32(00000000,?), ref: 004018FA
            • GetFullPathNameW.KERNEL32(00000000,00002004,?,?,000000E3,?,?,00000000), ref: 00401961
            • GetShortPathNameW.KERNEL32 ref: 004019A9
            • SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,?,?,?,?,00000000), ref: 004019C9
            Strings
            • Aborting: "%s", xrefs: 00401614
            • SetFileAttributes failed., xrefs: 00401799
            • Jump: %d, xrefs: 004015F8
            • Sleep(%d), xrefs: 00401695
            • CreateDirectory: can't create "%s" - a file already exists, xrefs: 0040182A
            • Call: %d, xrefs: 00401651
            • detailprint: %s, xrefs: 00401671
            • IfFileExists: file "%s" exists, jumping %d, xrefs: 0040189C
            • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018B5
            • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401808
            • SetFileAttributes: "%s":%08X, xrefs: 00401773
            • Rename on reboot: %s, xrefs: 0040192B
            • Rename failed: %s, xrefs: 00401933
            • BringToFront, xrefs: 004016B5
            • Rename: %s, xrefs: 004018EA
            • CreateDirectory: "%s" created, xrefs: 0040183C
            • CreateDirectory: "%s" (%d), xrefs: 004017B8
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: PathWindow$DirectoryErrorFileLastNameShow$AttributesCreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
            • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
            • API String ID: 1049312888-3619442763
            • Opcode ID: 20bdbae160b11382f84a241b0e4edca93f4e9296c6f9661a0aea3a0d4ce48c62
            • Instruction ID: 368680f16642449a81697ef35649a038684aa5c8df867521ea818226172d99c4
            • Opcode Fuzzy Hash: 20bdbae160b11382f84a241b0e4edca93f4e9296c6f9661a0aea3a0d4ce48c62
            • Instruction Fuzzy Hash: 75B1E472904114ABDB107FA1DC459EE7B78EF48364B20803FF906B61E2D7788E41DAAD
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 271 405957-40596f call 406320 274 405971-405981 call 405f74 271->274 275 405983-4059ba call 405efa 271->275 284 4059dd-405a06 call 403edd call 406798 274->284 280 4059d2-4059d8 lstrcatW 275->280 281 4059bc-4059cd call 405efa 275->281 280->284 281->280 289 405a98-405aa0 call 406798 284->289 290 405a0c-405a11 284->290 296 405aa2-405aa9 call 406820 289->296 297 405aae-405ab5 289->297 290->289 292 405a17-405a3f call 405efa 290->292 292->289 298 405a41-405a45 292->298 296->297 300 405ab7-405abd 297->300 301 405ace-405af3 LoadImageW 297->301 302 405a57-405a63 lstrlenW 298->302 303 405a47-405a54 call 405d2c 298->303 300->301 304 405abf-405ac4 call 403ebc 300->304 305 405af9-405b3b RegisterClassW 301->305 306 405b8e-405b96 call 401414 301->306 308 405a65-405a73 lstrcmpiW 302->308 309 405a8b-405a93 call 40673d call 40602d 302->309 303->302 304->301 311 405b41-405b89 SystemParametersInfoW CreateWindowExW 305->311 312 405c5d 305->312 320 405ba0-405bab call 403edd 306->320 321 405b98-405b9b 306->321 308->309 316 405a75-405a7f GetFileAttributesW 308->316 309->289 311->306 315 405c5f-405c66 312->315 322 405a81-405a83 316->322 323 405a85-405a86 call 40676c 316->323 329 405bb1-405bce ShowWindow LoadLibraryW 320->329 330 405c34-405c3c call 405078 320->330 321->315 322->309 322->323 323->309 331 405bd0-405bd5 LoadLibraryW 329->331 332 405bd7-405be9 GetClassInfoW 329->332 337 405c56-405c58 call 401414 330->337 338 405c3e-405c44 330->338 331->332 334 405c01-405c32 DialogBoxParamW call 401414 call 403cb0 332->334 335 405beb-405bfb GetClassInfoW RegisterClassW 332->335 334->315 335->334 337->312 338->321 340 405c4a-405c51 call 401414 338->340 340->321
            C-Code - Quality: 94%
            			E00405957(signed int __ecx) {
            				intOrPtr _v4;
            				intOrPtr _v8;
            				int _v12;
            				void _v16;
            				intOrPtr _v20;
            				short _v24;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				intOrPtr* _t28;
            				void* _t36;
            				void* _t38;
            				int _t39;
            				void* _t42;
            				struct HINSTANCE__* _t45;
            				int _t46;
            				int _t50;
            				short _t72;
            				WCHAR* _t74;
            				signed char _t78;
            				short _t87;
            				intOrPtr _t88;
            				WCHAR* _t91;
            				intOrPtr _t93;
            				WCHAR* _t98;
            
            				_t86 = __ecx;
            				_t93 =  *0x473ddc;
            				_t28 = E00406320(6);
            				_t100 = _t28;
            				if(_t28 == 0) {
            					_t91 = 0x448240;
            					 *0x4d40c0 = 0x30;
            					 *0x4d40c2 = 0x78;
            					 *0x4d40c4 = 0;
            					E00405EFA(0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x448240, 0);
            					__eflags =  *0x448240;
            					if(__eflags == 0) {
            						E00405EFA(0x80000003, L".DEFAULT\\Control Panel\\International", L"Locale", 0x448240, 0);
            					}
            					lstrcatW(0x4d40c0, _t91);
            				} else {
            					E00405F74(0x4d40c0,  *_t28() & 0x0000ffff);
            				}
            				E00403EDD(_t86, _t100);
            				 *0x473e80 =  *0x473e28 & 0x00000020;
            				 *0x473e9c = 0x10000;
            				if(E00406798(_t100, 0x4c80a8) != 0) {
            					L16:
            					if(E00406798(_t108, 0x4c80a8) == 0) {
            						_push( *((intOrPtr*)(_t93 + 0x118)));
            						_push(0x4c80a8);
            						E00406820(0, _t91, _t93);
            					}
            					if(( *0x473e28 & 0x00000010) != 0 &&  *0x473e24 == 0) {
            						E00403EBC();
            						 *0x462528 = 1;
            					}
            					_t36 = LoadImageW( *0x473dd8, 0x67, 1, 0, 0, 0x8040); // executed
            					 *0x46bd90 = _t36;
            					if( *((intOrPtr*)(_t93 + 0x50)) == 0xffffffff) {
            						L24:
            						if(E00401414(0) == 0) {
            							_t38 = E00403EDD(_t86, __eflags);
            							__eflags =  *0x473ea0;
            							if( *0x473ea0 != 0) {
            								_t39 = E00405078(_t38, 0);
            								__eflags = _t39;
            								if(_t39 == 0) {
            									E00401414(1);
            									goto L36;
            								}
            								__eflags =  *0x46bd94;
            								if( *0x46bd94 == 0) {
            									E00401414(2);
            								}
            								goto L25;
            							}
            							ShowWindow( *0x438218, 5);
            							_t45 = LoadLibraryW(L"RichEd20");
            							__eflags = _t45;
            							if(_t45 == 0) {
            								LoadLibraryW(L"RichEd32");
            							}
            							_t98 = L"RichEdit20A";
            							_t46 = GetClassInfoW(0, _t98, 0x46bd60);
            							__eflags = _t46;
            							if(_t46 == 0) {
            								GetClassInfoW(0, L"RichEdit", 0x46bd60);
            								 *0x46bd84 = _t98;
            								RegisterClassW(0x46bd60);
            							}
            							_t50 = DialogBoxParamW( *0x473dd8,  *0x46bd9c + 0x00000069 & 0x0000ffff, 0, E004054A4, 0);
            							E00403CB0(E00401414(5), 1);
            							return _t50;
            						}
            						L25:
            						_t42 = 2;
            						return _t42;
            					} else {
            						_t87 =  *L"_Nb"; // 0x4e005f
            						_v24 = _t87;
            						_t88 =  *0x40a46c; // 0x62
            						_v20 = _t88;
            						_t86 =  *0x473dd8;
            						 *0x46bd74 = _t36;
            						 *0x46bd64 = E00401000;
            						 *0x46bd70 =  *0x473dd8;
            						 *0x46bd84 =  &_v24;
            						if(RegisterClassW(0x46bd60) == 0) {
            							L36:
            							__eflags = 0;
            							return 0;
            						}
            						SystemParametersInfoW(0x30, 0,  &_v16, 0);
            						 *0x438218 = CreateWindowExW(0x80,  &_v24, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x473dd8, 0);
            						goto L24;
            					}
            				} else {
            					_t86 =  *(_t93 + 0x48);
            					if( *(_t93 + 0x48) == 0) {
            						goto L16;
            					}
            					_t91 = 0x463540;
            					E00405EFA( *((intOrPtr*)(_t93 + 0x44)),  *0x473df8 + _t86 * 2,  *0x473df8 +  *(_t93 + 0x4c) * 2, 0x463540, 0);
            					_t72 =  *0x463540;
            					if(_t72 == 0) {
            						goto L16;
            					}
            					if(_t72 == 0x22) {
            						_t91 = 0x463542;
            						 *((short*)(E00405D2C(0x463542, 0x22))) = 0;
            					}
            					_t9 = lstrlenW(_t91) * 2; // 0x46353a
            					_t74 = _t91 + _t9 - 8;
            					if(_t74 <= _t91 || lstrcmpiW(_t74, L".exe") != 0) {
            						L15:
            						E0040602D(0x4c80a8, E0040673D(_t91));
            						goto L16;
            					} else {
            						_t78 = GetFileAttributesW(_t91);
            						if(_t78 == 0xffffffff) {
            							L14:
            							E0040676C(_t91);
            							goto L15;
            						}
            						_t108 = _t78 & 0x00000010;
            						if((_t78 & 0x00000010) != 0) {
            							goto L15;
            						}
            						goto L14;
            					}
            				}
            			}

            APIs
              • Part of subcall function 00406320: GetModuleHandleA.KERNEL32(?,?,00000020,004038F5,00000008), ref: 00406330
              • Part of subcall function 00406320: LoadLibraryA.KERNELBASE(?,?,00000020,004038F5,00000008), ref: 0040633B
              • Part of subcall function 00406320: GetProcAddress.KERNEL32(00000000,?), ref: 0040634C
            • lstrcatW.KERNEL32(004D40C0,00448240), ref: 004059D8
            • lstrlenW.KERNEL32(00463540,?,?,?,00463540,00000000,004C80A8,004D40C0,00448240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00448240,00000000,00000006,004C40A0), ref: 00405A58
            • lstrcmpiW.KERNEL32(00463538,.exe,00463540,?,?,?,00463540,00000000,004C80A8,004D40C0,00448240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00448240,00000000), ref: 00405A6B
            • GetFileAttributesW.KERNEL32(00463540), ref: 00405A76
            • LoadImageW.USER32 ref: 00405ADF
              • Part of subcall function 00405F74: wsprintfW.USER32 ref: 00405F81
            • RegisterClassW.USER32 ref: 00405B32
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4A
            • CreateWindowExW.USER32 ref: 00405B83
              • Part of subcall function 00403EDD: SetWindowTextW.USER32(00000000,0046BDC0), ref: 00403F75
            • ShowWindow.USER32(00000005,00000000), ref: 00405BB9
            • LoadLibraryW.KERNEL32(RichEd20), ref: 00405BCA
            • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD5
            • GetClassInfoW.USER32 ref: 00405BE5
            • GetClassInfoW.USER32 ref: 00405BF2
            • RegisterClassW.USER32 ref: 00405BFB
            • DialogBoxParamW.USER32 ref: 00405C1A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
            • String ID: .DEFAULT\Control Panel\International$.exe$@5F$B5F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
            • API String ID: 608394941-475086218
            • Opcode ID: 41dcee178c973a5c25af44f3082aa04b740b2544ca7d99ed556d510f0ab974e8
            • Instruction ID: e02dce170f68a929b8632967fdf11a9ee2a84ab002059e579f050a2bc5c2e774
            • Opcode Fuzzy Hash: 41dcee178c973a5c25af44f3082aa04b740b2544ca7d99ed556d510f0ab974e8
            • Instruction Fuzzy Hash: B771AF70200705BED720AFA19D85E2B36ACEB84709F00053FF945B62E2D7B89C418F6E
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 50%
            			E00401A09(FILETIME* __ebx) {
            				signed int _t31;
            				void* _t35;
            				void* _t43;
            				void* _t45;
            				void* _t51;
            				void* _t67;
            				void* _t74;
            				FILETIME* _t83;
            				signed int _t94;
            				void* _t97;
            				void* _t99;
            				WCHAR* _t100;
            				void* _t103;
            
            				_t83 = __ebx;
            				_t99 = 0x31;
            				_t100 = E00401453(_t99);
            				_t31 =  *(_t103 - 0x2c);
            				_push(_t100);
            				_push(_t31 >> 0x00000003 & 0x00000002);
            				 *(_t103 - 0xc) = _t100;
            				 *(_t103 + 8) = _t31 & 0x00000007;
            				E004062C7(L"File: overwriteflag=%d, allowskipfilesflag=%d, name=\"%s\"", _t31 & 0x00000007);
            				_t35 = E00405D4B(_t100);
            				_push(_t100);
            				if(_t35 == 0) {
            					lstrcatW(E0040673D(E0040602D(0x40c0c8, 0x4cc0b0)), ??);
            				} else {
            					_push(0x40c0c8);
            					E0040602D();
            				}
            				E0040605C(0x40c0c8);
            				L6:
            				L6:
            				if( *(_t103 + 8) >= 3) {
            					_t74 = E004062F9(0x40c0c8);
            					_t94 = 0;
            					if(_t74 != _t83) {
            						_t94 = CompareFileTime(_t74 + 0x14, _t103 - 0x20);
            					}
            					asm("sbb eax, eax");
            					 *(_t103 + 8) =  ~(( *(_t103 + 8) + 0xfffffffd | 0x80000000) & _t94) + 1;
            				}
            				if( *(_t103 + 8) == _t83) {
            					E00405E57(0x40c0c8);
            				}
            				_t43 = E00405E77(0x40c0c8, 0x40000000, (0 |  *(_t103 + 8) != 0x00000001) + 1);
            				 *(_t103 - 0x10) = _t43;
            				if(_t43 != 0xffffffff) {
            					goto L24;
            				}
            				if( *(_t103 + 8) != _t83) {
            					E00404FA5(0xffffffe2,  *(_t103 - 0xc));
            					if( *(_t103 + 8) == 2) {
            						 *((intOrPtr*)(_t103 - 4)) = 1;
            					}
            					_push( *(_t103 + 8));
            					_push(0x40c0c8);
            					_push(L"File: skipped: \"%s\" (overwriteflag=%d)");
            					E004062C7();
            					L33:
            					 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t103 - 4));
            					goto L34;
            				} else {
            					E004062C7(L"File: error creating \"%s\"", 0x40c0c8);
            					E0040602D(0x4140d8, 0x474000);
            					E0040602D(0x474000, 0x40c0c8);
            					E00406820(_t83, 0x4140d8, 0x40c0c8, 0x4100d0,  *((intOrPtr*)(_t103 - 0x18)));
            					E0040602D(0x474000, 0x4140d8);
            					_t67 = E00405CC8(0x4100d0,  *(_t103 - 0x2c) >> 3) - 4;
            					if(_t67 != 0) {
            						if(_t67 == 1) {
            							_push(L"File: error, user cancel");
            							E004062C7();
            							 *0x473e88 =  *0x473e88 + 1;
            							L34:
            							_t51 = 0;
            						} else {
            							_push(L"File: error, user abort");
            							E004062C7();
            							_push(0x40c0c8);
            							_push(0xfffffffa);
            							E00404FA5();
            							L2:
            							_t51 = 0x7fffffff;
            						}
            					} else {
            						_push(L"File: error, user retry");
            						E004062C7();
            						goto L6;
            					}
            				}
            				L35:
            				return _t51;
            				L24:
            				E00404FA5(0xffffffea,  *(_t103 - 0xc));
            				 *0x473eb4 =  *0x473eb4 + 1;
            				_t45 = E004033A6( *((intOrPtr*)(_t103 - 0x24)),  *(_t103 - 0x10), _t83, _t83); // executed
            				 *0x473eb4 =  *0x473eb4 - 1;
            				_t97 = _t45;
            				_push(0x40c0c8);
            				E004062C7(L"File: wrote %d to \"%s\"", _t97);
            				if( *(_t103 - 0x20) != 0xffffffff ||  *((intOrPtr*)(_t103 - 0x1c)) != 0xffffffff) {
            					SetFileTime( *(_t103 - 0x10), _t103 - 0x20, _t83, _t103 - 0x20); // executed
            				}
            				FindCloseChangeNotification( *(_t103 - 0x10)); // executed
            				if(_t97 >= _t83) {
            					goto L33;
            				} else {
            					if(_t97 != 0xfffffffe) {
            						E00406820(_t83, _t97, 0x40c0c8, 0x40c0c8, 0xffffffee);
            					} else {
            						E00406820(_t83, _t97, 0x40c0c8, 0x40c0c8, 0xffffffe9);
            						lstrcatW(0x40c0c8,  *(_t103 - 0xc));
            					}
            					E004062C7(L"%s", 0x40c0c8);
            					_push(0x200010);
            					_push(0x40c0c8);
            					E00405CC8();
            					goto L2;
            				}
            				goto L35;
            			}

            APIs
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
            • lstrcatW.KERNEL32(00000000,00000000), ref: 00401A61
            • CompareFileTime.KERNEL32(-00000014,?,end,end,00000000,00000000,end,004CC0B0,00000000,00000000), ref: 00401A8B
              • Part of subcall function 0040602D: lstrcpynW.KERNEL32(?,?,00002004,00403920,0046BDC0,NSIS Error), ref: 0040603A
              • Part of subcall function 00404FA5: lstrlenW.KERNEL32(0043C228,00424150,00000000,00000000,?,?,?,?,?,?,?,?,?,004034E2,00000000,?), ref: 00404FDD
              • Part of subcall function 00404FA5: lstrlenW.KERNEL32(004034E2,0043C228,00424150,00000000,00000000,?,?,?,?,?,?,?,?,?,004034E2,00000000), ref: 00404FED
              • Part of subcall function 00404FA5: lstrcatW.KERNEL32(0043C228,004034E2), ref: 00405000
              • Part of subcall function 00404FA5: SetWindowTextW.USER32(0043C228,0043C228), ref: 00405012
              • Part of subcall function 00404FA5: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405038
              • Part of subcall function 00404FA5: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405052
              • Part of subcall function 00404FA5: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405060
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
            • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$end
            • API String ID: 4286501637-530198618
            • Opcode ID: a6521db49beb4271b50d961df7b79eb5b17f0e604a7217166d3b51e0775f4275
            • Instruction ID: d6aa9f2168d9edd2a741874fe5688c28ffe057de9a2e20828714130b8fe89a60
            • Opcode Fuzzy Hash: a6521db49beb4271b50d961df7b79eb5b17f0e604a7217166d3b51e0775f4275
            • Instruction Fuzzy Hash: 47510771900115BADB10BBA59C42EEF3A78EF05339B20423FF426B10E2D77C5A518A6D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 99%
            			E004035AE(void* __eflags, signed int _a4) {
            				DWORD* _v8;
            				DWORD* _v12;
            				void* _v16;
            				intOrPtr _v20;
            				long _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				signed int _t50;
            				void* _t53;
            				void* _t57;
            				intOrPtr* _t59;
            				long _t60;
            				signed int _t65;
            				signed int _t70;
            				signed int _t71;
            				signed int _t77;
            				intOrPtr _t80;
            				long _t82;
            				void* _t85;
            				signed int _t87;
            				void* _t89;
            				signed int _t90;
            				signed int _t93;
            				void* _t94;
            
            				_t82 = 0;
            				_v12 = 0;
            				_v8 = 0;
            				 *0x473e20 = GetTickCount() + 0x3e8;
            				GetModuleFileNameW(0, 0x4e00d8, 0x2004);
            				_t89 = E00405E77(0x4e00d8, 0x80000000, 3);
            				_v16 = _t89;
            				 *0x40c010 = _t89;
            				if(_t89 == 0xffffffff) {
            					return L"Error launching installer";
            				}
            				E0040602D(0x4d00b8, 0x4e00d8);
            				E0040602D(0x4e40e0, E0040676C(0x4d00b8));
            				_t50 = GetFileSize(_t89, 0);
            				__eflags = _t50;
            				 *0x4341e0 = _t50;
            				_t93 = _t50;
            				if(_t50 <= 0) {
            					L24:
            					E004032F9(1);
            					__eflags =  *0x473e2c - _t82;
            					if( *0x473e2c == _t82) {
            						goto L36;
            					}
            					__eflags = _v8 - _t82;
            					if(_v8 == _t82) {
            						L28:
            						_t53 = GlobalAlloc(0x40, _v24); // executed
            						_t94 = _t53;
            						E0040338F( *0x473e2c + 0x1c);
            						_t57 = E004033A6(0xffffffff, _t82, _t94, _v24);
            						__eflags = _t57 - _v24;
            						if(_t57 != _v24) {
            							goto L36;
            						}
            						__eflags = _v44 & 0x00000001;
            						 *0x473ddc = _t94;
            						 *0x473e28 =  *_t94;
            						if((_v44 & 0x00000001) != 0) {
            							 *0x473e24 =  *0x473e24 + 1;
            							__eflags =  *0x473e24;
            						}
            						_t85 = 8;
            						_t40 = _t94 + 0x44; // 0x44
            						_t59 = _t40;
            						do {
            							_t59 = _t59 - 8;
            							 *_t59 =  *_t59 + _t94;
            							_t85 = _t85 - 1;
            							__eflags = _t85 - _t82;
            						} while (_t85 != _t82);
            						_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
            						 *(_t94 + 0x3c) = _t60;
            						E00405E33(0x473de0, _t94 + 4, 0x40);
            						__eflags = 0;
            						return 0;
            					}
            					E0040338F( *0x42c154);
            					_t65 = E0040335D( &_a4, 4); // executed
            					__eflags = _t65;
            					if(_t65 == 0) {
            						goto L36;
            					}
            					__eflags = _v12 - _a4;
            					if(_v12 != _a4) {
            						goto L36;
            					}
            					goto L28;
            				} else {
            					do {
            						asm("sbb eax, eax");
            						_t70 = ( ~( *0x473e2c) & 0x00007e00) + 0x200;
            						__eflags = _t93 - _t70;
            						_t90 = _t93;
            						if(_t93 >= _t70) {
            							_t90 = _t70;
            						}
            						_t71 = E0040335D(0x42c158, _t90); // executed
            						__eflags = _t71;
            						if(_t71 == 0) {
            							E004032F9(1);
            							L36:
            							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
            						}
            						__eflags =  *0x473e2c;
            						if( *0x473e2c != 0) {
            							__eflags = _a4 & 0x00000002;
            							if((_a4 & 0x00000002) == 0) {
            								E004032F9(0);
            							}
            							goto L20;
            						}
            						E00405E33( &_v44, 0x42c158, 0x1c);
            						_t77 = _v44;
            						__eflags = _t77 & 0xfffffff0;
            						if((_t77 & 0xfffffff0) != 0) {
            							goto L20;
            						}
            						__eflags = _v40 - 0xdeadbeef;
            						if(_v40 != 0xdeadbeef) {
            							goto L20;
            						}
            						__eflags = _v28 - 0x74736e49;
            						if(_v28 != 0x74736e49) {
            							goto L20;
            						}
            						__eflags = _v32 - 0x74666f73;
            						if(_v32 != 0x74666f73) {
            							goto L20;
            						}
            						__eflags = _v36 - 0x6c6c754e;
            						if(_v36 != 0x6c6c754e) {
            							goto L20;
            						}
            						_a4 = _a4 | _t77;
            						_t87 =  *0x42c154; // 0x607048
            						 *0x473ea0 =  *0x473ea0 | _a4 & 0x00000002;
            						_t80 = _v20;
            						__eflags = _t80 - _t93;
            						 *0x473e2c = _t87;
            						if(_t80 > _t93) {
            							goto L36;
            						}
            						__eflags = _a4 & 0x00000008;
            						if((_a4 & 0x00000008) != 0) {
            							L16:
            							_v8 = _v8 + 1;
            							_t24 = _t80 - 4; // 0x40a2cc
            							_t93 = _t24;
            							__eflags = _t90 - _t93;
            							if(_t90 > _t93) {
            								_t90 = _t93;
            							}
            							goto L20;
            						}
            						__eflags = _a4 & 0x00000004;
            						if((_a4 & 0x00000004) != 0) {
            							break;
            						}
            						goto L16;
            						L20:
            						__eflags = _t93 -  *0x4341e0; // 0x60b618
            						if(__eflags < 0) {
            							_v12 = E00407C40(_v12, 0x42c158, _t90);
            						}
            						 *0x42c154 =  *0x42c154 + _t90;
            						_t93 = _t93 - _t90;
            						__eflags = _t93;
            					} while (_t93 > 0);
            					_t82 = 0;
            					__eflags = 0;
            					goto L24;
            				}
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 004035BF
            • GetModuleFileNameW.KERNEL32(00000000,004E00D8,00002004,?,?,?,004D80C8,00403A74,?), ref: 004035DB
              • Part of subcall function 00405E77: GetFileAttributesW.KERNELBASE(00000003,004035EE,004E00D8,80000000,00000003,?,?,?,004D80C8,00403A74,?), ref: 00405E7B
              • Part of subcall function 00405E77: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,004D80C8,00403A74,?), ref: 00405E9D
            • GetFileSize.KERNEL32(00000000,00000000,004E40E0,00000000,004D00B8,004D00B8,004E00D8,004E00D8,80000000,00000003,?,?,?,004D80C8,00403A74,?), ref: 00403627
            Strings
            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037EC
            • Hp`, xrefs: 004036B4, 00403711
            • Error launching installer, xrefs: 004035FE
            • Null, xrefs: 004036A5
            • soft, xrefs: 0040369C
            • Inst, xrefs: 00403693
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: File$AttributesCountCreateModuleNameSizeTick
            • String ID: Error launching installer$Hp`$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
            • API String ID: 4283519449-2160241151
            • Opcode ID: b2777c497fd742253326582cdde9f350166b5347dccb5b648595a1883aca66ba
            • Instruction ID: 12a90bec3481402c843752d2a6eb0356d6b7bfe2adab86a5a1dd358d005589d7
            • Opcode Fuzzy Hash: b2777c497fd742253326582cdde9f350166b5347dccb5b648595a1883aca66ba
            • Instruction Fuzzy Hash: DD51A4B1900218AFDB21AF65DD86B9E7EACAB04356F10443BF904B72D1C7798F809B5D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 94%
            			E004033A6(int _a4, void* _a8, long _a12, int _a16) {
            				signed int _v8;
            				long _v12;
            				long _v16;
            				intOrPtr _v20;
            				long _v24;
            				short _v152;
            				void* _t62;
            				void* _t64;
            				intOrPtr _t74;
            				long _t75;
            				int _t78;
            				void* _t88;
            				void* _t93;
            				long _t96;
            				signed int _t97;
            				long _t98;
            				int _t99;
            				void* _t100;
            				long _t101;
            				void* _t102;
            
            				_t97 = _a16;
            				_t93 = _a12;
            				_v12 = _t97;
            				if(_t93 == 0) {
            					_v12 = 0x8000;
            				}
            				_v8 = _v8 & 0x00000000;
            				_t88 = _t93;
            				if(_t93 == 0) {
            					_t88 = 0x424150;
            				}
            				_t60 = _a4;
            				if(_a4 >= 0) {
            					E0040338F( *0x473e18 + _t60);
            				}
            				_t62 = E0040335D( &_a16, 4); // executed
            				if(_t62 != 0) {
            					if((_a16 & 0x80000000) == 0) {
            						if(_t93 == 0) {
            							while(_a16 > 0) {
            								_t98 = _v12;
            								if(_a16 < _t98) {
            									_t98 = _a16;
            								}
            								if(E0040335D(0x420150, _t98) == 0) {
            									goto L7;
            								}
            								if(WriteFile(_a8, 0x420150, _t98,  &_a12, 0) == 0 || _t98 != _a12) {
            									L31:
            									_push(0xfffffffe);
            									goto L8;
            								} else {
            									_v8 = _v8 + _t98;
            									_a16 = _a16 - _t98;
            									continue;
            								}
            							}
            							L37:
            							return _v8;
            						}
            						if(_a16 < _t97) {
            							_t97 = _a16;
            						}
            						if(E0040335D(_t93, _t97) == 0) {
            							goto L7;
            						} else {
            							_v8 = _t97;
            							goto L37;
            						}
            					}
            					_v16 = GetTickCount();
            					E00407CAE(0x434158);
            					_t13 =  &_a16;
            					 *_t13 = _a16 & 0x7fffffff;
            					_a4 = _a16;
            					if( *_t13 <= 0) {
            						goto L37;
            					} else {
            						goto L11;
            					}
            					while(1) {
            						L11:
            						_t99 = 0x4000;
            						if(_a16 < 0x4000) {
            							_t99 = _a16;
            						}
            						if(E0040335D(0x420150, _t99) == 0) {
            							goto L7;
            						}
            						_a16 = _a16 - _t99;
            						 *0x434170 = 0x420150;
            						 *0x434174 = _t99;
            						while(1) {
            							 *0x434178 = _t88;
            							 *0x43417c = _v12;
            							_t74 = E00407CCE(0x434158);
            							_v20 = _t74;
            							if(_t74 < 0) {
            								break;
            							}
            							_t100 =  *0x434178; // 0x424150
            							_t101 = _t100 - _t88;
            							_t75 = GetTickCount();
            							_t96 = _t75;
            							if(( *0x473eb4 & 0x00000001) != 0 && (_t75 - _v16 > 0xc8 || _a16 == 0)) {
            								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
            								_t102 = _t102 + 0xc;
            								E00404FA5(0,  &_v152);
            								_v16 = _t96;
            							}
            							if(_t101 == 0) {
            								if(_a16 > 0) {
            									goto L11;
            								}
            								goto L37;
            							} else {
            								if(_a12 != 0) {
            									_v8 = _v8 + _t101;
            									_v12 = _v12 - _t101;
            									_t88 =  *0x434178; // 0x424150
            									L26:
            									if(_v20 != 1) {
            										continue;
            									}
            									goto L37;
            								}
            								_t78 = WriteFile(_a8, _t88, _t101,  &_v24, 0); // executed
            								if(_t78 == 0 || _v24 != _t101) {
            									goto L31;
            								} else {
            									_v8 = _v8 + _t101;
            									goto L26;
            								}
            							}
            						}
            						_push(0xfffffffc);
            						goto L8;
            					}
            					goto L7;
            				} else {
            					L7:
            					_push(0xfffffffd);
            					L8:
            					_pop(_t64);
            					return _t64;
            				}
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 0040340E
            • GetTickCount.KERNEL32 ref: 0040348B
            • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034B8
            • wsprintfW.USER32 ref: 004034CB
            • WriteFile.KERNELBASE(00000000,00000000,00424150,7FFFFFFF,00000000), ref: 004034FA
            • WriteFile.KERNEL32(00000000,00420150,?,00000000,00000000,00420150,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403591
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: CountFileTickWrite$wsprintf
            • String ID: ... %d%%$PAB$PAB$XAC$XAC
            • API String ID: 651206458-2265661104
            • Opcode ID: c94d8f568c119f5365b2d6355bb3f3eb95433dc49ad508e424f705cfada44580
            • Instruction ID: 37378dc1ff60f0818f6b7317979d3cf955f46204bb962838d9db5ba8ff125591
            • Opcode Fuzzy Hash: c94d8f568c119f5365b2d6355bb3f3eb95433dc49ad508e424f705cfada44580
            • Instruction Fuzzy Hash: 0C518B71900219ABDF10DF65E944AAE7BBCAB00356F54013BF914B72D0D778DE508BA9
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 50%
            			E0040223D(void* __ebx) {
            				intOrPtr _t18;
            				void* _t30;
            				void* _t32;
            
            				_t30 = E00401453(0);
            				E004062C7(L"Exec: command=\"%s\"", _t30);
            				E00404FA5(0xffffffeb, _t30);
            				_t18 = E00405C67(_t30); // executed
            				 *((intOrPtr*)(_t32 - 0x10)) = _t18;
            				_push(_t30);
            				if(_t18 == __ebx) {
            					_push(L"Exec: failed createprocess (\"%s\")");
            					 *((intOrPtr*)(_t32 - 4)) = 1;
            					E004062C7();
            				} else {
            					_push(L"Exec: success (\"%s\")");
            					__eax = E004062C7();
            					if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
            						__esi = WaitForSingleObject;
            						__eax = WaitForSingleObject( *(__ebp - 0x10), 0x64);
            						__edi = 0x102;
            						while(__eax == __edi) {
            							__eax = E00406357(0xf);
            							__eax = WaitForSingleObject( *(__ebp - 0x10), 0x64);
            						}
            						__ebp - 8 = GetExitCodeProcess( *(__ebp - 0x10), __ebp - 8);
            						if( *((intOrPtr*)(__ebp - 0x28)) < __ebx) {
            							if( *(__ebp - 8) != __ebx) {
            								 *((intOrPtr*)(__ebp - 4)) = 1;
            							}
            						} else {
            							__eax = E00405F74( *((intOrPtr*)(__ebp + 8)),  *(__ebp - 8));
            						}
            					}
            					_push( *(__ebp - 0x10));
            					__eax = FindCloseChangeNotification(); // executed
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t32 - 4));
            				return 0;
            			}

            APIs
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
              • Part of subcall function 00404FA5: lstrlenW.KERNEL32(0043C228,00424150,00000000,00000000,?,?,?,?,?,?,?,?,?,004034E2,00000000,?), ref: 00404FDD
              • Part of subcall function 00404FA5: lstrlenW.KERNEL32(004034E2,0043C228,00424150,00000000,00000000,?,?,?,?,?,?,?,?,?,004034E2,00000000), ref: 00404FED
              • Part of subcall function 00404FA5: lstrcatW.KERNEL32(0043C228,004034E2), ref: 00405000
              • Part of subcall function 00404FA5: SetWindowTextW.USER32(0043C228,0043C228), ref: 00405012
              • Part of subcall function 00404FA5: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405038
              • Part of subcall function 00404FA5: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405052
              • Part of subcall function 00404FA5: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405060
              • Part of subcall function 00405C67: CreateProcessW.KERNELBASE ref: 00405C8C
              • Part of subcall function 00405C67: CloseHandle.KERNEL32(?), ref: 00405C99
            • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402285
            • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040229A
            • GetExitCodeProcess.KERNEL32 ref: 004022A7
            • FindCloseChangeNotification.KERNELBASE(?,00000000,000000EB,00000000), ref: 00402B08
            Strings
            • Exec: failed createprocess ("%s"), xrefs: 004022D3
            • Exec: command="%s", xrefs: 00402247
            • Exec: success ("%s"), xrefs: 00402269
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: MessageSendlstrlen$CloseObjectProcessSingleWait$ChangeCodeCreateExitFindHandleNotificationTextWindowlstrcatwvsprintf
            • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
            • API String ID: 3418568132-3433828417
            • Opcode ID: 945a63aee2c36685c064fc95429f6b6396d58999f8d6eb8bdead2a8f94417153
            • Instruction ID: cde965d28185fd41ea3f6db6f06d38139095f74e4f3b74f2fe40dafcdc349377
            • Opcode Fuzzy Hash: 945a63aee2c36685c064fc95429f6b6396d58999f8d6eb8bdead2a8f94417153
            • Instruction Fuzzy Hash: 9A119D32914225AADF11AFD1DD4AAAEBB71EF00314F24007FF101B11E1C7B94E519A9E
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 88%
            			E00402B38(int __ebx, intOrPtr* __edi) {
            				void* _t10;
            				long _t13;
            				int _t18;
            				struct _OVERLAPPED* _t19;
            				intOrPtr* _t22;
            				void* _t25;
            				void* _t27;
            
            				_t22 = __edi;
            				_t19 = __ebx;
            				_t10 = GlobalAlloc(0x40, 0x2004); // executed
            				 *(_t27 + 8) = _t10;
            				if( *((intOrPtr*)(_t27 - 0x24)) == __ebx) {
            					_t25 = 0x11;
            					E00401453(_t25);
            					WideCharToMultiByte(__ebx, __ebx, 0x4100d0, 0xffffffff,  *(_t27 + 8), 0x2004, __ebx, __ebx);
            					_t13 = lstrlenA( *(_t27 + 8));
            				} else {
            					__ecx = 0;
            					__ecx = 1;
            					E0040143D(1);
            					 *__esi = __al;
            				}
            				if( *_t22 == _t19) {
            					L6:
            					 *((intOrPtr*)(_t27 - 4)) = 1;
            				} else {
            					_t18 = WriteFile(E00405F8D(_t27 - 0x34, _t22),  *(_t27 + 8), _t13, _t27 - 0x34, _t19); // executed
            					if(_t18 == 0) {
            						goto L6;
            					}
            				}
            				_push( *(_t27 + 8));
            				GlobalFree();
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t27 - 4));
            				return 0;
            			}

            APIs
            • GlobalAlloc.KERNELBASE(00000040,00002004), ref: 00402B3F
            • WideCharToMultiByte.KERNEL32(?,?,004100D0,000000FF,?,00002004), ref: 00402B79
            • lstrlenA.KERNEL32(?,?,?,004100D0,000000FF,?,00002004), ref: 00402B82
            • WriteFile.KERNELBASE(00000000,?,?,00000000,?,?,?,?,004100D0,000000FF,?,00002004), ref: 00402B9D
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
            • String ID:
            • API String ID: 2568930968-0
            • Opcode ID: f821762b6820e2d78db9a715fa0f7ab14e55995059cb70a8262f89232d8ed77c
            • Instruction ID: 45a8ef2e3faf13c045303dd6b43be52a9a7cc3d91abf537349f68419345bfa63
            • Opcode Fuzzy Hash: f821762b6820e2d78db9a715fa0f7ab14e55995059cb70a8262f89232d8ed77c
            • Instruction Fuzzy Hash: 3201A270600206BFEB106F60CD4DEAE7B38EB04344F10413AF606B90E1C7B84E819758
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E00405EA6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
            				intOrPtr _v8;
            				short _v12;
            				short _t12;
            				intOrPtr _t13;
            				signed int _t14;
            				WCHAR* _t17;
            				signed int _t19;
            				signed short _t23;
            				WCHAR* _t26;
            
            				_t26 = _a4;
            				_t23 = 0x64;
            				while(1) {
            					_t12 =  *L"nsa"; // 0x73006e
            					_v12 = _t12;
            					_t13 =  *0x40a6c8; // 0x61
            					_t23 = _t23 - 1;
            					_v8 = _t13;
            					_t14 = GetTickCount();
            					_t19 = 0x1a;
            					_v8 = _v8 + _t14 % _t19;
            					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
            					if(_t17 != 0) {
            						break;
            					}
            					if(_t23 != 0) {
            						continue;
            					} else {
            						 *_t26 =  *_t26 & _t23;
            					}
            					L4:
            					return _t17;
            				}
            				_t17 = _t26;
            				goto L4;
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 00405EC4
            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,004D80C8,00403825,004D40C0,004D80C8), ref: 00405EDF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: CountFileNameTempTick
            • String ID: nsa
            • API String ID: 1716503409-2209301699
            • Opcode ID: 510ecf5ae11856ec27cf599935a5a9c918153b4e86d00206fc8e481ca45afa6f
            • Instruction ID: 12bf332e709075c93158bd921f75450f68ba778224ed89dd174a33483fa312a6
            • Opcode Fuzzy Hash: 510ecf5ae11856ec27cf599935a5a9c918153b4e86d00206fc8e481ca45afa6f
            • Instruction Fuzzy Hash: 89F06D76611204ABDB10CF59DD09A9BBBB9EBA4710F00803AEA44A7190E6B09A508BA4
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E00405C67(WCHAR* _a4) {
            				struct _PROCESS_INFORMATION _v20;
            				int _t7;
            
            				0x458278->cb = 0x44;
            				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0, 0, 0, 0x458278,  &_v20); // executed
            				if(_t7 != 0) {
            					CloseHandle(_v20.hThread);
            					return _v20.hProcess;
            				}
            				return _t7;
            			}

            APIs
            Strings
            • Error launching installer, xrefs: 00405C70
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: CloseCreateHandleProcess
            • String ID: Error launching installer
            • API String ID: 3712363035-66219284
            • Opcode ID: c5bcf02de7e71647a2038a5875e28be6a67d0c2d6e9d4ae8c5a8972886647d8e
            • Instruction ID: e025228535b6f414593eabf8752f6f447c0f89d9c21b54f32d4678c68b8ebd1c
            • Opcode Fuzzy Hash: c5bcf02de7e71647a2038a5875e28be6a67d0c2d6e9d4ae8c5a8972886647d8e
            • Instruction Fuzzy Hash: 93E0ECB4500219AFEF009B65DD49D7B7BBCEB00305F548565BD14F21A1DB78D9148A68
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 763 408281-408287 764 408289-40828b 763->764 765 40828c-4082a7 763->765 764->765 766 4084a7-4084bc 765->766 767 40856b-408578 765->767 769 4084d6-4084e9 766->769 770 4084be-4084d4 766->770 768 4085a5-4085a9 767->768 771 408609-40861c 768->771 772 4085ab-4085cb 768->772 773 4084f0-4084f7 769->773 770->773 774 408624-408627 771->774 775 4085e4-4085f8 772->775 776 4085cd-4085e2 772->776 777 4084f9-4084fd 773->777 778 40851e-408521 773->778 786 4086ab 774->786 787 407d0c 774->787 779 4085fb-408602 775->779 776->779 780 408503-40851b 777->780 781 40868c-408693 777->781 778->774 783 408604 779->783 784 40859f-4085a2 779->784 780->778 785 40869c-4086a9 781->785 783->774 788 40857a-40857e 783->788 784->768 789 4086ae-4086b5 785->789 786->789 790 407d13-407d17 787->790 791 407e54-407e6f 787->791 792 407e26-407e2a 787->792 793 407db8-407dbc 787->793 796 408584-40859c 788->796 797 408695 788->797 790->785 801 407d1d-407d2a 790->801 791->766 794 407e30-407e44 792->794 795 408635-40863c 792->795 798 407dc2-407dd9 793->798 799 40862c-408633 793->799 802 407e47-407e4f 794->802 795->785 796->784 797->785 803 407ddc-407de0 798->803 799->785 801->786 804 407d30-407d76 801->804 802->792 807 407e51 802->807 803->793 808 407de2-407de8 803->808 805 407d78-407d7c 804->805 806 407d9e-407da0 804->806 809 407d87-407d95 GlobalAlloc 805->809 810 407d7e-407d81 GlobalFree 805->810 811 407da2-407dac 806->811 812 407dae-407db6 806->812 807->791 813 407e12-407e24 808->813 814 407dea-407df1 808->814 809->786 815 407d9b 809->815 810->809 811->811 811->812 812->803 813->802 816 407df3-407df6 GlobalFree 814->816 817 407dfc-407e0c GlobalAlloc 814->817 815->806 816->817 817->786 817->813
            C-Code - Quality: 98%
            			E00408281(void* __edx) {
            				signed int _t513;
            				void _t520;
            				signed int _t521;
            				signed int _t522;
            				unsigned short _t549;
            				signed int _t558;
            				signed int _t586;
            				void* _t595;
            				void* _t608;
            				signed int _t609;
            				signed int _t619;
            				signed short* _t627;
            				intOrPtr* _t628;
            
            				L0:
            				while(1) {
            					L0:
            					_t595 = __edx;
            					_t513 =  *(_t628 + 0x48);
            					if(_t513 >= 4) {
            					}
            					 *((intOrPtr*)(_t628 + 0x20)) = (_t513 << 7) + _t595 + 0x360;
            					 *(_t628 + 0x38) = 6;
            					 *(_t628 - 4) = 0x19;
            					while(1) {
            						L147:
            						 *(_t628 + 0x28) = 1;
            						 *(_t628 + 0x30) =  *(_t628 + 0x38);
            						while(1) {
            							L151:
            							if( *(_t628 + 0x30) <= 0) {
            								goto L157;
            							}
            							L152:
            							_t608 =  *(_t628 + 0x28) +  *(_t628 + 0x28);
            							_t627 = _t608 +  *((intOrPtr*)(_t628 + 0x20));
            							_t549 =  *_t627 & 0x0000ffff;
            							_t619 = _t549 & 0x0000ffff;
            							_t586 = ( *(_t628 + 0x68) >> 0xb) * _t619;
            							 *(_t628 + 0x24) = _t627;
            							if( *(_t628 + 0x6c) >= _t586) {
            								 *(_t628 + 0x68) =  *(_t628 + 0x68) - _t586;
            								 *(_t628 + 0x6c) =  *(_t628 + 0x6c) - _t586;
            								_t609 = _t608 + 1;
            								 *_t627 = _t549 - (_t549 >> 5);
            								 *(_t628 + 0x28) = _t609;
            							} else {
            								 *(_t628 + 0x68) = _t586;
            								 *(_t628 + 0x28) =  *(_t628 + 0x28) << 1;
            								 *_t627 = (0x800 - _t619 >> 5) + _t549;
            							}
            							if( *(_t628 + 0x68) >= 0x1000000) {
            								L150:
            								_t469 = _t628 + 0x30;
            								 *_t469 =  *(_t628 + 0x30) - 1;
            								L151:
            								if( *(_t628 + 0x30) <= 0) {
            									goto L157;
            								}
            							} else {
            								L156:
            								L148:
            								if( *(_t628 + 0xc) == 0) {
            									L172:
            									 *(_t628 - 0x10) = 0x18;
            									L173:
            									_t558 = 0x22;
            									memcpy( *(_t628 - 0x18), _t628 - 0x10, _t558 << 2);
            									_t522 = 0;
            								} else {
            									L149:
            									 *(_t628 + 0x68) =  *(_t628 + 0x68) << 8;
            									 *(_t628 + 0xc) =  *(_t628 + 0xc) - 1;
            									_t466 = _t628 + 8;
            									 *_t466 =  &(( *(_t628 + 8))[1]);
            									 *(_t628 + 0x6c) =  *(_t628 + 0x6c) << 0x00000008 |  *( *(_t628 + 8)) & 0x000000ff;
            									goto L150;
            								}
            							}
            							L175:
            							return _t522;
            							L177:
            							L157:
            							_t520 =  *(_t628 - 4);
            							 *((intOrPtr*)(_t628 + 0x34)) =  *(_t628 + 0x28) - (1 <<  *(_t628 + 0x38));
            							while(1) {
            								L159:
            								 *(_t628 - 0x10) = _t520;
            								while(1) {
            									L2:
            									_t521 =  *(_t628 - 0x10);
            									if(_t521 > 0x1c) {
            										break;
            									}
            									L3:
            									switch( *((intOrPtr*)(_t521 * 4 +  &M004086B6))) {
            										case 0:
            											L4:
            											if( *(_t628 + 0xc) == 0) {
            												goto L173;
            											} else {
            												L5:
            												 *(_t628 + 0xc) =  *(_t628 + 0xc) - 1;
            												_t521 =  *( *(_t628 + 8));
            												 *(_t628 + 8) =  &(( *(_t628 + 8))[1]);
            												if(_t521 > 0xe1) {
            													goto L174;
            												} else {
            													L6:
            													_t525 = _t521 & 0x000000ff;
            													asm("cdq");
            													_push(0x2d);
            													_pop(_t560);
            													_push(9);
            													_pop(_t561);
            													_t622 = _t525 / _t560;
            													_t527 = _t525 % _t560 & 0x000000ff;
            													asm("cdq");
            													_t616 = _t527 % _t561 & 0x000000ff;
            													 *(_t628 + 0x3c) = _t616;
            													 *(_t628 + 0x5c) = (1 << _t622) - 1;
            													 *((intOrPtr*)(_t628 + 0x60)) = (1 << _t527 / _t561) - 1;
            													_t625 = (0x300 << _t616 + _t622) + 0x736;
            													if(0x600 ==  *_t628) {
            														L11:
            														if(_t625 != 0) {
            															do {
            																L12:
            																_t625 = _t625 - 1;
            																 *((short*)( *(_t628 + 0x74) + _t625 * 2)) = 0x400;
            															} while (_t625 != 0);
            														}
            														L13:
            														 *(_t628 + 0x30) =  *(_t628 + 0x30) & 0x00000000;
            														 *(_t628 + 0x38) =  *(_t628 + 0x38) & 0x00000000;
            														goto L16;
            													} else {
            														L7:
            														if( *(_t628 + 0x74) != 0) {
            															GlobalFree( *(_t628 + 0x74)); // executed
            														}
            														_t521 = GlobalAlloc(0x40, 0x600); // executed
            														 *(_t628 + 0x74) = _t521;
            														if(_t521 == 0) {
            															goto L174;
            														} else {
            															L10:
            															 *_t628 = 0x600;
            															goto L11;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 1:
            											L14:
            											__eflags =  *(_t628 + 0xc);
            											if( *(_t628 + 0xc) == 0) {
            												L160:
            												 *(_t628 - 0x10) = 1;
            												goto L173;
            											} else {
            												L15:
            												 *(_t628 + 0xc) =  *(_t628 + 0xc) - 1;
            												 *(_t628 + 0x38) =  *(_t628 + 0x38) | ( *( *(_t628 + 8)) & 0x000000ff) <<  *(_t628 + 0x30) << 0x00000003;
            												 *(_t628 + 8) =  &(( *(_t628 + 8))[1]);
            												_t44 = _t628 + 0x30;
            												 *_t44 =  *(_t628 + 0x30) + 1;
            												__eflags =  *_t44;
            												L16:
            												if( *(_t628 + 0x30) < 4) {
            													goto L14;
            												} else {
            													L17:
            													_t532 =  *(_t628 + 0x38);
            													if(_t532 ==  *(_t628 + 4)) {
            														L21:
            														 *((char*)( *(_t628 + 0x70) +  *(_t628 + 4) - 1)) = 0;
            														 *(_t628 + 0x30) = 5;
            														goto L24;
            													} else {
            														L18:
            														 *(_t628 + 4) = _t532;
            														if( *(_t628 + 0x70) != 0) {
            															GlobalFree( *(_t628 + 0x70)); // executed
            														}
            														_t521 = GlobalAlloc(0x40,  *(_t628 + 0x38)); // executed
            														 *(_t628 + 0x70) = _t521;
            														if(_t521 == 0) {
            															goto L174;
            														} else {
            															goto L21;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 2:
            											L26:
            											_t539 =  *(_t628 + 0x18) &  *(_t628 + 0x5c);
            											 *(_t628 + 0x2c) = _t539;
            											_t626 = _t606 + (( *(_t628 + 0x40) << 4) + _t539) * 2;
            											 *(_t628 - 0xc) = 6;
            											goto L134;
            										case 3:
            											L22:
            											__eflags =  *(_t628 + 0xc);
            											if( *(_t628 + 0xc) == 0) {
            												L161:
            												 *(_t628 - 0x10) = 3;
            												goto L173;
            											} else {
            												L23:
            												 *(_t628 + 0xc) =  *(_t628 + 0xc) - 1;
            												_t64 = _t628 + 8;
            												 *_t64 =  &(( *(_t628 + 8))[1]);
            												__eflags =  *_t64;
            												 *(_t628 + 0x6c) =  *(_t628 + 0x6c) << 0x00000008 |  *( *(_t628 + 8)) & 0x000000ff;
            												L24:
            												 *(_t628 + 0x30) =  *(_t628 + 0x30) - 1;
            												if( *(_t628 + 0x30) != 0) {
            													goto L22;
            												} else {
            													L25:
            													_t606 =  *(_t628 + 0x74);
            													goto L26;
            												}
            											}
            											goto L175;
            										case 4:
            											L135:
            											_t540 =  *_t626 & 0x0000ffff;
            											_t618 = _t540 & 0x0000ffff;
            											_t575 = ( *(_t628 + 0x68) >> 0xb) * _t618;
            											if( *(_t628 + 0x6c) >= _t575) {
            												 *(_t628 + 0x68) =  *(_t628 + 0x68) - _t575;
            												 *(_t628 + 0x6c) =  *(_t628 + 0x6c) - _t575;
            												_t541 = _t540 - (_t540 >> 5);
            												__eflags = _t541;
            												 *_t626 = _t541;
            												 *(_t628 + 0x38) = 1;
            											} else {
            												 *(_t628 + 0x68) = _t575;
            												 *(_t628 + 0x38) =  *(_t628 + 0x38) & 0x00000000;
            												 *_t626 = (0x800 - _t618 >> 5) + _t540;
            											}
            											if( *(_t628 + 0x68) >= 0x1000000) {
            												goto L141;
            											} else {
            												goto L139;
            											}
            											goto L175;
            										case 5:
            											L139:
            											if( *(_t628 + 0xc) == 0) {
            												L171:
            												 *(_t628 - 0x10) = 5;
            												goto L173;
            											} else {
            												L140:
            												 *(_t628 + 0x68) =  *(_t628 + 0x68) << 8;
            												 *(_t628 + 0xc) =  *(_t628 + 0xc) - 1;
            												 *(_t628 + 8) =  &(( *(_t628 + 8))[1]);
            												 *(_t628 + 0x6c) =  *(_t628 + 0x6c) << 0x00000008 |  *( *(_t628 + 8)) & 0x000000ff;
            												L141:
            												_t520 =  *(_t628 - 0xc);
            												L159:
            												 *(_t628 - 0x10) = _t520;
            												goto L2;
            											}
            											goto L175;
            										case 6:
            											L27:
            											__eax = 0;
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												L38:
            												__eax =  *(__ebp + 0x40);
            												 *(__ebp + 0x44) = 1;
            												__esi = __edx + 0x180 +  *(__ebp + 0x40) * 2;
            												 *(__ebp - 0xc) = 7;
            												goto L134;
            											} else {
            												L28:
            												__esi =  *(__ebp + 0x1c) & 0x000000ff;
            												 *(__ebp + 0x18) =  *(__ebp + 0x18) &  *(__ebp + 0x60);
            												_push(8);
            												_pop(__ecx);
            												__cl = __cl -  *(__ebp + 0x3c);
            												__esi = ( *(__ebp + 0x1c) & 0x000000ff) >> __cl;
            												__ecx =  *(__ebp + 0x3c);
            												__edi = ( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl;
            												__esi = (( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl);
            												__esi = ((( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl)) * 0x600;
            												__eflags =  *(__ebp + 0x40) - 4;
            												__ecx = __esi + __edx + 0xe6c;
            												 *(__ebp + 0x20) = __esi + __edx + 0xe6c;
            												if( *(__ebp + 0x40) >= 4) {
            													__eflags =  *(__ebp + 0x40) - 0xa;
            													if( *(__ebp + 0x40) >= 0xa) {
            														_t92 = __ebp + 0x40;
            														 *_t92 =  *(__ebp + 0x40) - 6;
            														__eflags =  *_t92;
            													} else {
            														 *(__ebp + 0x40) =  *(__ebp + 0x40) - 3;
            													}
            												} else {
            													 *(__ebp + 0x40) = 0;
            												}
            												__eflags =  *(__ebp + 0x44) - __eax;
            												if( *(__ebp + 0x44) == __eax) {
            													L37:
            													__ebx = 0;
            													__ebx = 1;
            													goto L63;
            												} else {
            													L34:
            													__eax =  *(__ebp + 0x64);
            													__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            													__eflags = __eax -  *(__ebp + 4);
            													if(__eax >=  *(__ebp + 4)) {
            														__eax = __eax +  *(__ebp + 4);
            														__eflags = __eax;
            													}
            													__ecx =  *(__ebp + 0x70);
            													__al =  *((intOrPtr*)(__eax + __ecx));
            													__ebx = 0;
            													 *(__ebp + 0x1d) =  *((intOrPtr*)(__eax + __ecx));
            													__ebx = 1;
            													goto L43;
            												}
            											}
            											goto L175;
            										case 7:
            											L68:
            											__eflags =  *(__ebp + 0x38) - 1;
            											if( *(__ebp + 0x38) != 1) {
            												L70:
            												__eax =  *(__ebp + 0x54);
            												 *(__ebp + 0x58) =  *(__ebp + 0x54);
            												__eax =  *(__ebp + 0x50);
            												 *(__ebp + 0x54) =  *(__ebp + 0x50);
            												__eax =  *(__ebp + 0x4c);
            												 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            												__eax = 0;
            												__eflags =  *(__ebp + 0x40) - 7;
            												 *(__ebp - 8) = 0x16;
            												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            												__eax = (__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd;
            												__eax = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xa;
            												__eflags = __eax;
            												 *(__ebp + 0x40) = __eax;
            												__eax = __edx + 0x664;
            												 *(__ebp + 0x20) = __edx + 0x664;
            												goto L71;
            											} else {
            												L69:
            												__eax =  *(__ebp + 0x40);
            												__esi = __edx + 0x198 +  *(__ebp + 0x40) * 2;
            												 *(__ebp - 0xc) = 8;
            											}
            											goto L134;
            										case 8:
            											L72:
            											__eflags =  *(__ebp + 0x38);
            											__eax =  *(__ebp + 0x40);
            											if( *(__ebp + 0x38) != 0) {
            												__esi = __edx + 0x1b0 + __eax * 2;
            												 *(__ebp - 0xc) = 0xa;
            											} else {
            												__eax = __eax + 0xf;
            												__eax = __eax << 4;
            												__eax = __eax +  *(__ebp + 0x2c);
            												 *(__ebp - 0xc) = 9;
            												__esi = __edx + __eax * 2;
            											}
            											goto L134;
            										case 9:
            											L75:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												goto L92;
            											} else {
            												L76:
            												__eflags =  *(__ebp + 0x18);
            												if( *(__ebp + 0x18) == 0) {
            													goto L174;
            												} else {
            													L77:
            													__eax = 0;
            													__eflags =  *(__ebp + 0x40) - 7;
            													_t248 =  *(__ebp + 0x40) - 7 >= 0;
            													__eflags = _t248;
            													__eax = 0 | _t248;
            													__eax = _t248 + _t248 + 9;
            													 *(__ebp + 0x40) = _t248 + _t248 + 9;
            													goto L78;
            												}
            											}
            											goto L175;
            										case 0xa:
            											L84:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												L86:
            												__eax =  *(__ebp + 0x40);
            												__esi = __edx + 0x1c8 +  *(__ebp + 0x40) * 2;
            												 *(__ebp - 0xc) = 0xb;
            											} else {
            												L85:
            												__eax =  *(__ebp + 0x50);
            												goto L91;
            											}
            											goto L134;
            										case 0xb:
            											L87:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												__ecx =  *(__ebp + 0x54);
            												__eax =  *(__ebp + 0x58);
            												 *(__ebp + 0x58) =  *(__ebp + 0x54);
            											} else {
            												__eax =  *(__ebp + 0x54);
            											}
            											__ecx =  *(__ebp + 0x50);
            											 *(__ebp + 0x54) =  *(__ebp + 0x50);
            											L91:
            											__ecx =  *(__ebp + 0x4c);
            											 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            											 *(__ebp + 0x4c) = __eax;
            											L92:
            											__eax = __edx + 0xa68;
            											 *(__ebp + 0x20) = __edx + 0xa68;
            											 *(__ebp - 8) = 0x15;
            											goto L71;
            										case 0xc:
            											L101:
            											__eax =  *(__ebp + 0x4c);
            											goto L102;
            										case 0xd:
            											L39:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												L162:
            												 *(__ebp - 0x10) = 0xd;
            												goto L173;
            											} else {
            												L40:
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t115 = __ebp + 8;
            												 *_t115 =  *(__ebp + 8) + 1;
            												__eflags =  *_t115;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												L41:
            												__eax =  *(__ebp + 0x38);
            												__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            												if( *(__ebp + 0x30) !=  *(__ebp + 0x38)) {
            													goto L50;
            												} else {
            													L42:
            													__eflags = __ebx - 0x100;
            													if(__ebx >= 0x100) {
            														goto L56;
            													} else {
            														L43:
            														__eax =  *(__ebp + 0x1d) & 0x000000ff;
            														 *(__ebp + 0x1d) =  *(__ebp + 0x1d) << 1;
            														__ecx =  *(__ebp + 0x20);
            														__eax = ( *(__ebp + 0x1d) & 0x000000ff) >> 7;
            														 *(__ebp + 0x30) = __eax;
            														__eax = __eax + 1;
            														__eax = __eax << 8;
            														__esi =  *(__ebp + 0x20) + __eax * 2;
            														__eax =  *__esi & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68);
            														__edx = __ax & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68) >> 0xb;
            														__ecx = ( *(__ebp + 0x68) >> 0xb) * __edx;
            														__eflags =  *(__ebp + 0x6c) - __ecx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __ecx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__eflags = __ax;
            															 *(__ebp + 0x38) = 1;
            															 *__esi = __ax;
            															__ebx = __ebx + __ebx + 1;
            														} else {
            															 *(__ebp + 0x38) =  *(__ebp + 0x38) & 0x00000000;
            															 *(__ebp + 0x68) = __ecx;
            															0x800 = 0x800 - __edx;
            															0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
            															 *__esi = __cx;
            															__ebx = __ebx + __ebx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														 *(__ebp + 0x34) = __ebx;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															goto L41;
            														} else {
            															L47:
            															goto L39;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 0xe:
            											L48:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												L163:
            												 *(__ebp - 0x10) = 0xe;
            												goto L173;
            											} else {
            												L49:
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t149 = __ebp + 8;
            												 *_t149 =  *(__ebp + 8) + 1;
            												__eflags =  *_t149;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												while(1) {
            													L50:
            													__eflags = __ebx - 0x100;
            													if(__ebx >= 0x100) {
            														break;
            													}
            													L51:
            													__eax =  *(__ebp + 0x20);
            													__ecx =  *(__ebp + 0x68);
            													__edx = __ebx + __ebx;
            													__esi = __edx +  *(__ebp + 0x20);
            													__eax =  *__esi & 0x0000ffff;
            													__edi = __ax & 0x0000ffff;
            													__ecx =  *(__ebp + 0x68) >> 0xb;
            													__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            													__eflags =  *(__ebp + 0x6c) - __ecx;
            													 *(__ebp + 0x24) = __esi;
            													if( *(__ebp + 0x6c) >= __ecx) {
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            														 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            														__cx = __ax;
            														__cx = __ax >> 5;
            														__ax = __ax - __cx;
            														__eflags = __ax;
            														 *__esi = __ax;
            														__ebx = __edx + 1;
            													} else {
            														 *(__ebp + 0x68) = __ecx;
            														0x800 = 0x800 - __edi;
            														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            														 *__esi = __cx;
            														__ebx = __ebx + __ebx;
            													}
            													__eflags =  *(__ebp + 0x68) - 0x1000000;
            													 *(__ebp + 0x34) = __ebx;
            													if( *(__ebp + 0x68) >= 0x1000000) {
            														continue;
            													} else {
            														L55:
            														goto L48;
            													}
            													goto L175;
            												}
            												L56:
            												_t166 = __ebp + 0x44;
            												 *_t166 =  *(__ebp + 0x44) & 0x00000000;
            												__eflags =  *_t166;
            												goto L57;
            											}
            											goto L175;
            										case 0xf:
            											L60:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												L164:
            												 *(__ebp - 0x10) = 0xf;
            												goto L173;
            											} else {
            												L61:
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t196 = __ebp + 8;
            												 *_t196 =  *(__ebp + 8) + 1;
            												__eflags =  *_t196;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												L62:
            												__eflags = __ebx - 0x100;
            												if(__ebx >= 0x100) {
            													L57:
            													__al =  *(__ebp + 0x34);
            													 *(__ebp + 0x1c) =  *(__ebp + 0x34);
            													goto L58;
            												} else {
            													L63:
            													__eax =  *(__ebp + 0x20);
            													__ecx =  *(__ebp + 0x68);
            													__edx = __ebx + __ebx;
            													__esi = __edx +  *(__ebp + 0x20);
            													__eax =  *__esi & 0x0000ffff;
            													__edi = __ax & 0x0000ffff;
            													__ecx =  *(__ebp + 0x68) >> 0xb;
            													__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            													__eflags =  *(__ebp + 0x6c) - __ecx;
            													 *(__ebp + 0x24) = __esi;
            													if( *(__ebp + 0x6c) >= __ecx) {
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            														 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            														__cx = __ax;
            														__cx = __ax >> 5;
            														__ax = __ax - __cx;
            														__eflags = __ax;
            														 *__esi = __ax;
            														__ebx = __edx + 1;
            													} else {
            														 *(__ebp + 0x68) = __ecx;
            														0x800 = 0x800 - __edi;
            														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            														 *__esi = __cx;
            														__ebx = __ebx + __ebx;
            													}
            													__eflags =  *(__ebp + 0x68) - 0x1000000;
            													 *(__ebp + 0x34) = __ebx;
            													if( *(__ebp + 0x68) >= 0x1000000) {
            														goto L62;
            													} else {
            														L67:
            														goto L60;
            													}
            												}
            											}
            											goto L175;
            										case 0x10:
            											L112:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												L168:
            												 *(__ebp - 0x10) = 0x10;
            												goto L173;
            											} else {
            												L113:
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t350 = __ebp + 8;
            												 *_t350 =  *(__ebp + 8) + 1;
            												__eflags =  *_t350;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												goto L114;
            											}
            											goto L175;
            										case 0x11:
            											L71:
            											__esi =  *(__ebp + 0x20);
            											 *(__ebp - 0xc) = 0x12;
            											goto L134;
            										case 0x12:
            											L131:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												L133:
            												 *(__ebp + 0x20) =  *(__ebp + 0x20) + 2;
            												__eflags =  *(__ebp + 0x20) + 2;
            												 *(__ebp - 0xc) = 0x13;
            												L134:
            												 *(_t628 + 0x24) = _t626;
            												goto L135;
            											} else {
            												L132:
            												__eax =  *(__ebp + 0x2c);
            												 *(__ebp + 0x48) =  *(__ebp + 0x48) & 0x00000000;
            												__ecx =  *(__ebp + 0x20);
            												__eax =  *(__ebp + 0x2c) << 4;
            												__eax =  *(__ebp + 0x20) + ( *(__ebp + 0x2c) << 4) + 4;
            												goto L144;
            											}
            											goto L175;
            										case 0x13:
            											L142:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												L145:
            												_t451 = __ebp + 0x20;
            												 *_t451 =  *(__ebp + 0x20) + 0x204;
            												__eflags =  *_t451;
            												 *(__ebp + 0x48) = 0x10;
            												 *(__ebp + 0x38) = 8;
            											} else {
            												L143:
            												__eax =  *(__ebp + 0x2c);
            												__ecx =  *(__ebp + 0x20);
            												__eax =  *(__ebp + 0x2c) << 4;
            												__eflags = __eax;
            												 *(__ebp + 0x48) = 8;
            												__eax =  *(__ebp + 0x20) + __eax + 0x104;
            												L144:
            												 *(__ebp + 0x20) = __eax;
            												 *(__ebp + 0x38) = 3;
            											}
            											L146:
            											 *((intOrPtr*)(__ebp - 4)) = 0x14;
            											L147:
            											 *(_t628 + 0x28) = 1;
            											 *(_t628 + 0x30) =  *(_t628 + 0x38);
            											goto L151;
            										case 0x14:
            											L158:
            											_t492 = __ebp + 0x48;
            											 *_t492 =  *(__ebp + 0x48) + __ebx;
            											__eflags =  *_t492;
            											__eax =  *(__ebp - 8);
            											while(1) {
            												L159:
            												 *(_t628 - 0x10) = _t520;
            												goto L2;
            											}
            										case 0x15:
            											L93:
            											__eax = 0;
            											__eflags =  *(__ebp + 0x40) - 7;
            											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            											(__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            											 *(__ebp + 0x40) = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            											goto L123;
            										case 0x16:
            											goto L0;
            										case 0x17:
            											while(1) {
            												L147:
            												 *(_t628 + 0x28) = 1;
            												 *(_t628 + 0x30) =  *(_t628 + 0x38);
            												goto L151;
            											}
            										case 0x18:
            											goto L148;
            										case 0x19:
            											L96:
            											__eflags = __ebx - 4;
            											if(__ebx < 4) {
            												L100:
            												 *(__ebp + 0x4c) = __ebx;
            												goto L122;
            											} else {
            												L97:
            												__ecx = __ebx;
            												__ebx = __ebx & 0x00000001;
            												__ecx = __ebx >> 1;
            												__ecx = (__ebx >> 1) - 1;
            												__eax = __ebx & 0x00000001 | 0x00000002;
            												__eax = (__ebx & 0x00000001 | 0x00000002) << __cl;
            												__eflags = __ebx - 0xe;
            												 *(__ebp + 0x4c) = __eax;
            												if(__ebx >= 0xe) {
            													L99:
            													__ebx = 0;
            													 *(__ebp + 0x30) = __ecx;
            													L105:
            													__eflags =  *(__ebp + 0x30);
            													if( *(__ebp + 0x30) <= 0) {
            														L110:
            														__eax = __eax + __ebx;
            														__edx = __edx + 0x644;
            														__eflags = __edx;
            														 *(__ebp + 0x4c) = __eax;
            														 *(__ebp + 0x20) = __edx;
            														 *(__ebp + 0x38) = 4;
            														goto L111;
            													} else {
            														L106:
            														__ecx =  *(__ebp + 0x6c);
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) >> 1;
            														__ebx = __ebx + __ebx;
            														__eflags = __ecx -  *(__ebp + 0x68);
            														 *(__ebp + 0x34) = __ebx;
            														if(__ecx >=  *(__ebp + 0x68)) {
            															__ecx = __ecx -  *(__ebp + 0x68);
            															__ebx = __ebx | 0x00000001;
            															__eflags = __ebx;
            															 *(__ebp + 0x6c) = __ecx;
            															 *(__ebp + 0x34) = __ebx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															L104:
            															_t325 = __ebp + 0x30;
            															 *_t325 =  *(__ebp + 0x30) - 1;
            															__eflags =  *_t325;
            															goto L105;
            														} else {
            															L109:
            															L102:
            															__eflags =  *(__ebp + 0xc);
            															if( *(__ebp + 0xc) == 0) {
            																L167:
            																 *(__ebp - 0x10) = 0xc;
            																goto L173;
            															} else {
            																L103:
            																__edi =  *(__ebp + 8);
            																__ecx =  *(__ebp + 0x6c);
            																__edi =  *( *(__ebp + 8)) & 0x000000ff;
            																 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            																 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            																 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																_t322 = __ebp + 8;
            																 *_t322 =  *(__ebp + 8) + 1;
            																__eflags =  *_t322;
            																 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																goto L104;
            															}
            														}
            													}
            												} else {
            													L98:
            													__eax = __eax - __ebx;
            													 *(__ebp + 0x20) = __eax;
            													 *(__ebp + 0x38) = __ecx;
            													L111:
            													__ebx = 0;
            													 *(__ebp + 0x28) = 1;
            													 *(__ebp + 0x34) = 0;
            													 *(__ebp + 0x30) = 0;
            													L115:
            													__eax =  *(__ebp + 0x38);
            													__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            													if( *(__ebp + 0x30) >=  *(__ebp + 0x38)) {
            														L121:
            														_t375 = __ebp + 0x4c;
            														 *_t375 =  *(__ebp + 0x4c) + __ebx;
            														__eflags =  *_t375;
            														L122:
            														_t377 = __ebp + 0x4c;
            														 *_t377 =  *(__ebp + 0x4c) + 1;
            														__eflags =  *_t377;
            														L123:
            														__eax =  *(__ebp + 0x4c);
            														__eflags = __eax;
            														if(__eax == 0) {
            															L169:
            															 *(__ebp + 0x48) =  *(__ebp + 0x48) | 0xffffffff;
            															goto L173;
            														} else {
            															L124:
            															__eflags = __eax -  *(__ebp + 0x18);
            															if(__eax >  *(__ebp + 0x18)) {
            																goto L174;
            															} else {
            																L125:
            																 *(__ebp + 0x48) =  *(__ebp + 0x48) + 2;
            																__eax =  *(__ebp + 0x48);
            																_t384 = __ebp + 0x18;
            																 *_t384 =  *(__ebp + 0x18) +  *(__ebp + 0x48);
            																__eflags =  *_t384;
            																goto L126;
            															}
            														}
            													} else {
            														L116:
            														__edi =  *(__ebp + 0x28);
            														__eax =  *(__ebp + 0x20);
            														__edx =  *(__ebp + 0x68);
            														__edi =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            														__esi = __edi +  *(__ebp + 0x20);
            														__eax =  *__esi & 0x0000ffff;
            														__ecx = __ax & 0x0000ffff;
            														__edx =  *(__ebp + 0x68) >> 0xb;
            														__edx = ( *(__ebp + 0x68) >> 0xb) * __ecx;
            														__eflags =  *(__ebp + 0x6c) - __edx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __edx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __edx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __edx;
            															0 = 1;
            															__ebx = 1;
            															__ecx =  *(__ebp + 0x30);
            															__ebx = 1 << __cl;
            															__ecx = 1 << __cl;
            															__ebx =  *(__ebp + 0x34);
            															__ebx =  *(__ebp + 0x34) | 1 << __cl;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__edi = __edi + 1;
            															__eflags = __edi;
            															 *(__ebp + 0x34) = __ebx;
            															 *__esi = __ax;
            															 *(__ebp + 0x28) = __edi;
            														} else {
            															 *(__ebp + 0x68) = __edx;
            															0x800 = 0x800 - __ecx;
            															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
            															 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            															 *__esi = __dx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															L114:
            															_t353 = __ebp + 0x30;
            															 *_t353 =  *(__ebp + 0x30) + 1;
            															__eflags =  *_t353;
            															goto L115;
            														} else {
            															L120:
            															goto L112;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 0x1a:
            											L58:
            											__eflags =  *(__ebp + 0x14);
            											if( *(__ebp + 0x14) == 0) {
            												L165:
            												 *(__ebp - 0x10) = 0x1a;
            												goto L173;
            											} else {
            												L59:
            												__al =  *(__ebp + 0x1c);
            												__ecx =  *(__ebp + 0x10);
            												__edx =  *(__ebp + 0x70);
            												 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            												 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            												 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            												 *( *(__ebp + 0x10)) = __al;
            												__ecx =  *(__ebp + 0x64);
            												 *((char*)(__ecx +  *(__ebp + 0x70))) = __al;
            												__eax = __ecx + 1;
            												__edx = 0;
            												_t185 = __eax %  *(__ebp + 4);
            												__eax = __eax /  *(__ebp + 4);
            												__edx = _t185;
            												goto L82;
            											}
            											goto L175;
            										case 0x1b:
            											L78:
            											__eflags =  *(__ebp + 0x14);
            											if( *(__ebp + 0x14) == 0) {
            												L166:
            												 *(__ebp - 0x10) = 0x1b;
            												goto L173;
            											} else {
            												L79:
            												__eax =  *(__ebp + 0x64);
            												__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            												__eflags = __eax -  *(__ebp + 4);
            												if(__eax >=  *(__ebp + 4)) {
            													__eax = __eax +  *(__ebp + 4);
            													__eflags = __eax;
            												}
            												__edx =  *(__ebp + 0x70);
            												__cl =  *(__eax + __edx);
            												__eax =  *(__ebp + 0x64);
            												 *(__eax + __edx) = __cl;
            												__eax = __eax + 1;
            												__edx = 0;
            												_t263 = __eax %  *(__ebp + 4);
            												__eax = __eax /  *(__ebp + 4);
            												__edx = _t263;
            												 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            												__eax =  *(__ebp + 0x10);
            												 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            												_t272 = __ebp + 0x14;
            												 *_t272 =  *(__ebp + 0x14) - 1;
            												__eflags =  *_t272;
            												 *(__ebp + 0x1c) = __cl;
            												 *( *(__ebp + 0x10)) = __cl;
            												L82:
            												 *(__ebp + 0x64) = __edx;
            												goto L83;
            											}
            											goto L175;
            										case 0x1c:
            											while(1) {
            												L126:
            												__eflags =  *(__ebp + 0x14);
            												if( *(__ebp + 0x14) == 0) {
            													break;
            												}
            												L127:
            												__eax =  *(__ebp + 0x64);
            												__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            												__eflags = __eax -  *(__ebp + 4);
            												if(__eax >=  *(__ebp + 4)) {
            													__eax = __eax +  *(__ebp + 4);
            													__eflags = __eax;
            												}
            												__edx =  *(__ebp + 0x70);
            												__cl =  *(__eax + __edx);
            												__eax =  *(__ebp + 0x64);
            												 *(__eax + __edx) = __cl;
            												__eax = __eax + 1;
            												__edx = 0;
            												_t397 = __eax %  *(__ebp + 4);
            												__eax = __eax /  *(__ebp + 4);
            												__edx = _t397;
            												__eax =  *(__ebp + 0x10);
            												 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            												 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            												 *(__ebp + 0x48) =  *(__ebp + 0x48) - 1;
            												__eflags =  *(__ebp + 0x48);
            												 *(__ebp + 0x1c) = __cl;
            												 *( *(__ebp + 0x10)) = __cl;
            												 *(__ebp + 0x64) = __edx;
            												if( *(__ebp + 0x48) > 0) {
            													continue;
            												} else {
            													L130:
            													L83:
            													 *(__ebp - 0x10) = 2;
            													goto L2;
            												}
            												goto L175;
            											}
            											L170:
            											 *(__ebp - 0x10) = 0x1c;
            											goto L173;
            									}
            								}
            								L174:
            								_t522 = _t521 | 0xffffffff;
            								goto L175;
            							}
            						}
            					}
            				}
            			}
















            0x0040815f
            0x00408162
            0x00000000
            0x00000000
            0x0040847e
            0x0040847e
            0x00408482
            0x0040849a
            0x0040849d
            0x0040849d
            0x004084a0
            0x004084a7
            0x004084a7
            0x00000000
            0x00408484
            0x00408484
            0x00408484
            0x00408487
            0x0040848b
            0x0040848e
            0x00408491
            0x00000000
            0x00408491
            0x00000000
            0x00000000
            0x00408526
            0x00408526
            0x0040852a
            0x0040854f
            0x0040854f
            0x0040854f
            0x0040854f
            0x00408556
            0x0040855d
            0x0040852c
            0x0040852c
            0x0040852c
            0x0040852f
            0x00408532
            0x00408532
            0x00408535
            0x0040853c
            0x00408543
            0x00408543
            0x00408546
            0x00408546
            0x00408564
            0x00408564
            0x0040856b
            0x0040856e
            0x00408575
            0x00000000
            0x00000000
            0x0040861e
            0x0040861e
            0x0040861e
            0x0040861e
            0x00408621
            0x00408624
            0x00408624
            0x00408624
            0x00000000
            0x00408627
            0x00000000
            0x00408269
            0x00408269
            0x0040826b
            0x00408272
            0x00408276
            0x00408279
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x0040856b
            0x0040856b
            0x0040856e
            0x00408575
            0x00000000
            0x00408578
            0x00000000
            0x00000000
            0x00000000
            0x004082ac
            0x004082ac
            0x004082af
            0x004082e6
            0x004082e6
            0x00000000
            0x004082b1
            0x004082b1
            0x004082b1
            0x004082b5
            0x004082b8
            0x004082ba
            0x004082bb
            0x004082be
            0x004082c0
            0x004082c3
            0x004082c6
            0x004082dc
            0x004082dc
            0x004082e1
            0x00408319
            0x00408319
            0x0040831d
            0x00408346
            0x00408349
            0x0040834b
            0x0040834b
            0x00408351
            0x00408354
            0x00408357
            0x00000000
            0x0040831f
            0x0040831f
            0x0040831f
            0x00408322
            0x00408325
            0x00408327
            0x0040832a
            0x0040832d
            0x0040832f
            0x00408332
            0x00408332
            0x00408335
            0x00408338
            0x00408338
            0x0040833b
            0x00408342
            0x00408316
            0x00408316
            0x00408316
            0x00408316
            0x00000000
            0x00408344
            0x00408344
            0x004082f1
            0x004082f1
            0x004082f5
            0x0040866b
            0x0040866b
            0x00000000
            0x004082fb
            0x004082fb
            0x004082fb
            0x004082fe
            0x00408301
            0x00408304
            0x00408308
            0x0040830e
            0x00408310
            0x00408310
            0x00408310
            0x00408313
            0x00000000
            0x00408313
            0x004082f5
            0x00408342
            0x004082c8
            0x004082c8
            0x004082c8
            0x004082d1
            0x004082d4
            0x0040835e
            0x0040835e
            0x00408360
            0x00408367
            0x0040836a
            0x00408397
            0x00408397
            0x0040839a
            0x0040839d
            0x00408411
            0x00408411
            0x00408411
            0x00408411
            0x00408414
            0x00408414
            0x00408414
            0x00408414
            0x00408417
            0x00408417
            0x0040841a
            0x0040841c
            0x0040867d
            0x0040867d
            0x00000000
            0x00408422
            0x00408422
            0x00408422
            0x00408425
            0x00000000
            0x0040842b
            0x0040842b
            0x0040842b
            0x0040842f
            0x00408432
            0x00408432
            0x00408432
            0x00000000
            0x00408432
            0x00408425
            0x0040839f
            0x0040839f
            0x0040839f
            0x004083a2
            0x004083a5
            0x004083a8
            0x004083aa
            0x004083ad
            0x004083b0
            0x004083b3
            0x004083b6
            0x004083b9
            0x004083bc
            0x004083bf
            0x004083d8
            0x004083db
            0x004083e0
            0x004083e1
            0x004083e3
            0x004083e6
            0x004083e8
            0x004083ea
            0x004083ed
            0x004083ef
            0x004083f2
            0x004083f6
            0x004083f9
            0x004083f9
            0x004083fa
            0x004083fd
            0x00408400
            0x004083c1
            0x004083c1
            0x004083c9
            0x004083ce
            0x004083d0
            0x004083d3
            0x004083d3
            0x00408403
            0x0040840a
            0x00408394
            0x00408394
            0x00408394
            0x00408394
            0x00000000
            0x0040840c
            0x0040840c
            0x00000000
            0x0040840c
            0x0040840a
            0x0040839d
            0x004082c6
            0x00000000
            0x00000000
            0x00408053
            0x00408053
            0x00408057
            0x00408659
            0x00408659
            0x00000000
            0x0040805d
            0x0040805d
            0x0040805d
            0x00408060
            0x00408063
            0x00408066
            0x00408069
            0x0040806c
            0x0040806f
            0x00408071
            0x00408074
            0x00408077
            0x0040807a
            0x0040807c
            0x0040807c
            0x0040807c
            0x00000000
            0x0040807c
            0x00000000
            0x00000000
            0x004081c6
            0x004081c6
            0x004081ca
            0x00408662
            0x00408662
            0x00000000
            0x004081d0
            0x004081d0
            0x004081d0
            0x004081d3
            0x004081d6
            0x004081d9
            0x004081db
            0x004081db
            0x004081db
            0x004081de
            0x004081e1
            0x004081e4
            0x004081e7
            0x004081ea
            0x004081eb
            0x004081ed
            0x004081ed
            0x004081ed
            0x004081f0
            0x004081f3
            0x004081f6
            0x004081f9
            0x004081f9
            0x004081f9
            0x004081fc
            0x004081ff
            0x00408201
            0x00408201
            0x00000000
            0x00408201
            0x00000000
            0x00000000
            0x00408435
            0x00408435
            0x00408435
            0x00408439
            0x00000000
            0x00000000
            0x0040843f
            0x0040843f
            0x00408442
            0x00408445
            0x00408448
            0x0040844a
            0x0040844a
            0x0040844a
            0x0040844d
            0x00408450
            0x00408453
            0x00408456
            0x00408459
            0x0040845a
            0x0040845c
            0x0040845c
            0x0040845c
            0x0040845f
            0x00408462
            0x00408465
            0x00408468
            0x0040846b
            0x0040846f
            0x00408472
            0x00408474
            0x00408477
            0x00000000
            0x00408479
            0x00408479
            0x00408204
            0x00408204
            0x00000000
            0x00407cfd
            0x00000000
            0x00408477
            0x00408683
            0x00408683
            0x00000000
            0x00000000
            0x00407d0c
            0x004086ab
            0x004086ab
            0x00000000
            0x004086ab
            0x00408624
            0x004085a5
            0x0040856b

            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8c67f1036d2ace6c08b3c38fbe9bbcec839e4347650dcd72a5e692091e3b81e1
            • Instruction ID: 32b75961713920f9f50a7af97bbeb0d9dc448baae5addf4051199357b4e6ff87
            • Opcode Fuzzy Hash: 8c67f1036d2ace6c08b3c38fbe9bbcec839e4347650dcd72a5e692091e3b81e1
            • Instruction Fuzzy Hash: B6A14671900248EBDF58CF18C9846A93BB1FF44355F11812AFC9AAB291D738D985DF88
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 818 40847e-408482 819 408484-408578 818->819 820 40849a-4084a0 818->820 828 4085a5-4085a9 819->828 821 4084a7-4084bc 820->821 824 4084d6-4084e9 821->824 825 4084be-4084d4 821->825 827 4084f0-4084f7 824->827 825->827 829 4084f9-4084fd 827->829 830 40851e-408521 827->830 831 408609-40861c 828->831 832 4085ab-4085cb 828->832 833 408503-40851b 829->833 834 40868c-408693 829->834 835 408624-408627 830->835 831->835 836 4085e4-4085f8 832->836 837 4085cd-4085e2 832->837 833->830 838 40869c-4086a9 834->838 842 4086ab 835->842 843 407d0c 835->843 840 4085fb-408602 836->840 837->840 841 4086ae-4086b5 838->841 844 408604 840->844 845 40859f-4085a2 840->845 842->841 846 407d13-407d17 843->846 847 407e54-407e6f 843->847 848 407e26-407e2a 843->848 849 407db8-407dbc 843->849 844->835 855 40857a-40857e 844->855 845->828 846->838 856 407d1d-407d2a 846->856 847->821 851 407e30-407e44 848->851 852 408635-40863c 848->852 853 407dc2-407dd9 849->853 854 40862c-408633 849->854 857 407e47-407e4f 851->857 852->838 860 407ddc-407de0 853->860 854->838 858 408584-40859c 855->858 859 408695 855->859 856->842 861 407d30-407d76 856->861 857->848 864 407e51 857->864 858->845 859->838 860->849 865 407de2-407de8 860->865 862 407d78-407d7c 861->862 863 407d9e-407da0 861->863 866 407d87-407d95 GlobalAlloc 862->866 867 407d7e-407d81 GlobalFree 862->867 868 407da2-407dac 863->868 869 407dae-407db6 863->869 864->847 870 407e12-407e24 865->870 871 407dea-407df1 865->871 866->842 872 407d9b 866->872 867->866 868->868 868->869 869->860 870->857 873 407df3-407df6 GlobalFree 871->873 874 407dfc-407e0c GlobalAlloc 871->874 872->863 873->874 874->842 874->870
            C-Code - Quality: 98%
            			E0040847E() {
            				void _t515;
            				signed int _t516;
            				signed int _t517;
            				signed int _t547;
            				signed int _t588;
            				intOrPtr* _t595;
            
            				L0:
            				while(1) {
            					L0:
            					if( *(_t595 + 0x38) != 0) {
            						_t588 =  *((intOrPtr*)(_t595 + 0x20)) + 2;
            						 *(_t595 - 0xc) = 0x13;
            						goto L134;
            					} else {
            						__eax =  *(__ebp + 0x2c);
            						 *(__ebp + 0x48) =  *(__ebp + 0x48) & 0x00000000;
            						__ecx =  *(__ebp + 0x20);
            						__eax =  *(__ebp + 0x2c) << 4;
            						__eax =  *(__ebp + 0x20) + ( *(__ebp + 0x2c) << 4) + 4;
            						L144:
            						 *(__ebp + 0x20) = __eax;
            						 *(__ebp + 0x38) = 3;
            						L146:
            						 *(__ebp - 4) = 0x14;
            						L147:
            						__eax =  *(__ebp + 0x38);
            						 *(__ebp + 0x28) = 1;
            						 *(__ebp + 0x30) =  *(__ebp + 0x38);
            						L151:
            						if( *(__ebp + 0x30) <= 0) {
            							__ecx =  *(__ebp + 0x38);
            							__ebx =  *(__ebp + 0x28);
            							0 = 1;
            							__eax = 1 << __cl;
            							__ebx =  *(__ebp + 0x28) - (1 << __cl);
            							__eax =  *(__ebp - 4);
            							 *(__ebp + 0x34) = __ebx;
            							while(1) {
            								L159:
            								 *(_t595 - 0x10) = _t515;
            								while(1) {
            									L2:
            									_t516 =  *(_t595 - 0x10);
            									if(_t516 > 0x1c) {
            										break;
            									}
            									switch( *((intOrPtr*)(_t516 * 4 +  &M004086B6))) {
            										case 0:
            											if( *(_t595 + 0xc) == 0) {
            												goto L173;
            											} else {
            												 *(_t595 + 0xc) =  *(_t595 + 0xc) - 1;
            												_t516 =  *( *(_t595 + 8));
            												 *(_t595 + 8) =  &(( *(_t595 + 8))[1]);
            												if(_t516 > 0xe1) {
            													goto L174;
            												} else {
            													_t520 = _t516 & 0x000000ff;
            													asm("cdq");
            													_push(0x2d);
            													_pop(_t549);
            													_push(9);
            													_pop(_t550);
            													_t591 = _t520 / _t549;
            													_t522 = _t520 % _t549 & 0x000000ff;
            													asm("cdq");
            													_t585 = _t522 % _t550 & 0x000000ff;
            													 *(_t595 + 0x3c) = _t585;
            													 *(_t595 + 0x5c) = (1 << _t591) - 1;
            													 *((intOrPtr*)(_t595 + 0x60)) = (1 << _t522 / _t550) - 1;
            													_t594 = (0x300 << _t585 + _t591) + 0x736;
            													if(0x600 ==  *_t595) {
            														L11:
            														if(_t594 != 0) {
            															do {
            																_t594 = _t594 - 1;
            																 *((short*)( *(_t595 + 0x74) + _t594 * 2)) = 0x400;
            															} while (_t594 != 0);
            														}
            														 *(_t595 + 0x30) =  *(_t595 + 0x30) & 0x00000000;
            														 *(_t595 + 0x38) =  *(_t595 + 0x38) & 0x00000000;
            														goto L16;
            													} else {
            														if( *(_t595 + 0x74) != 0) {
            															GlobalFree( *(_t595 + 0x74)); // executed
            														}
            														_t516 = GlobalAlloc(0x40, 0x600); // executed
            														 *(_t595 + 0x74) = _t516;
            														if(_t516 == 0) {
            															goto L174;
            														} else {
            															 *_t595 = 0x600;
            															goto L11;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 1:
            											L14:
            											__eflags =  *(_t595 + 0xc);
            											if( *(_t595 + 0xc) == 0) {
            												 *(_t595 - 0x10) = 1;
            												goto L173;
            											} else {
            												 *(_t595 + 0xc) =  *(_t595 + 0xc) - 1;
            												 *(_t595 + 0x38) =  *(_t595 + 0x38) | ( *( *(_t595 + 8)) & 0x000000ff) <<  *(_t595 + 0x30) << 0x00000003;
            												 *(_t595 + 8) =  &(( *(_t595 + 8))[1]);
            												_t44 = _t595 + 0x30;
            												 *_t44 =  *(_t595 + 0x30) + 1;
            												__eflags =  *_t44;
            												L16:
            												if( *(_t595 + 0x30) < 4) {
            													goto L14;
            												} else {
            													_t527 =  *(_t595 + 0x38);
            													if(_t527 ==  *(_t595 + 4)) {
            														L21:
            														 *((char*)( *(_t595 + 0x70) +  *(_t595 + 4) - 1)) = 0;
            														 *(_t595 + 0x30) = 5;
            														goto L24;
            													} else {
            														 *(_t595 + 4) = _t527;
            														if( *(_t595 + 0x70) != 0) {
            															GlobalFree( *(_t595 + 0x70)); // executed
            														}
            														_t516 = GlobalAlloc(0x40,  *(_t595 + 0x38)); // executed
            														 *(_t595 + 0x70) = _t516;
            														if(_t516 == 0) {
            															goto L174;
            														} else {
            															goto L21;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 2:
            											L26:
            											_t534 =  *(_t595 + 0x18) &  *(_t595 + 0x5c);
            											 *(_t595 + 0x2c) = _t534;
            											_t588 = _t578 + (( *(_t595 + 0x40) << 4) + _t534) * 2;
            											 *(_t595 - 0xc) = 6;
            											goto L134;
            										case 3:
            											L22:
            											__eflags =  *(_t595 + 0xc);
            											if( *(_t595 + 0xc) == 0) {
            												 *(_t595 - 0x10) = 3;
            												goto L173;
            											} else {
            												 *(_t595 + 0xc) =  *(_t595 + 0xc) - 1;
            												_t64 = _t595 + 8;
            												 *_t64 =  &(( *(_t595 + 8))[1]);
            												__eflags =  *_t64;
            												 *(_t595 + 0x6c) =  *(_t595 + 0x6c) << 0x00000008 |  *( *(_t595 + 8)) & 0x000000ff;
            												L24:
            												 *(_t595 + 0x30) =  *(_t595 + 0x30) - 1;
            												if( *(_t595 + 0x30) != 0) {
            													goto L22;
            												} else {
            													_t578 =  *(_t595 + 0x74);
            													goto L26;
            												}
            											}
            											goto L175;
            										case 4:
            											L135:
            											_t513 =  *_t588 & 0x0000ffff;
            											_t580 = _t513 & 0x0000ffff;
            											_t544 = ( *(_t595 + 0x68) >> 0xb) * _t580;
            											if( *(_t595 + 0x6c) >= _t544) {
            												 *(_t595 + 0x68) =  *(_t595 + 0x68) - _t544;
            												 *(_t595 + 0x6c) =  *(_t595 + 0x6c) - _t544;
            												_t514 = _t513 - (_t513 >> 5);
            												__eflags = _t514;
            												 *_t588 = _t514;
            												 *(_t595 + 0x38) = 1;
            											} else {
            												 *(_t595 + 0x68) = _t544;
            												 *(_t595 + 0x38) =  *(_t595 + 0x38) & 0x00000000;
            												 *_t588 = (0x800 - _t580 >> 5) + _t513;
            											}
            											if( *(_t595 + 0x68) >= 0x1000000) {
            												goto L141;
            											} else {
            												goto L139;
            											}
            											goto L175;
            										case 5:
            											L139:
            											if( *(_t595 + 0xc) == 0) {
            												 *(_t595 - 0x10) = 5;
            												goto L173;
            											} else {
            												 *(_t595 + 0x68) =  *(_t595 + 0x68) << 8;
            												 *(_t595 + 0xc) =  *(_t595 + 0xc) - 1;
            												 *(_t595 + 8) =  &(( *(_t595 + 8))[1]);
            												 *(_t595 + 0x6c) =  *(_t595 + 0x6c) << 0x00000008 |  *( *(_t595 + 8)) & 0x000000ff;
            												L141:
            												_t515 =  *(_t595 - 0xc);
            												goto L159;
            											}
            											goto L175;
            										case 6:
            											__eax = 0;
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												__eax =  *(__ebp + 0x40);
            												 *(__ebp + 0x44) = 1;
            												__esi = __edx + 0x180 +  *(__ebp + 0x40) * 2;
            												 *(__ebp - 0xc) = 7;
            												goto L134;
            											} else {
            												__esi =  *(__ebp + 0x1c) & 0x000000ff;
            												 *(__ebp + 0x18) =  *(__ebp + 0x18) &  *(__ebp + 0x60);
            												_push(8);
            												_pop(__ecx);
            												__cl = __cl -  *(__ebp + 0x3c);
            												__esi = ( *(__ebp + 0x1c) & 0x000000ff) >> __cl;
            												__ecx =  *(__ebp + 0x3c);
            												__edi = ( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl;
            												__esi = (( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl);
            												__esi = ((( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl)) * 0x600;
            												__eflags =  *(__ebp + 0x40) - 4;
            												__ecx = __esi + __edx + 0xe6c;
            												 *(__ebp + 0x20) = __esi + __edx + 0xe6c;
            												if( *(__ebp + 0x40) >= 4) {
            													__eflags =  *(__ebp + 0x40) - 0xa;
            													if( *(__ebp + 0x40) >= 0xa) {
            														_t92 = __ebp + 0x40;
            														 *_t92 =  *(__ebp + 0x40) - 6;
            														__eflags =  *_t92;
            													} else {
            														 *(__ebp + 0x40) =  *(__ebp + 0x40) - 3;
            													}
            												} else {
            													 *(__ebp + 0x40) = 0;
            												}
            												__eflags =  *(__ebp + 0x44) - __eax;
            												if( *(__ebp + 0x44) == __eax) {
            													__ebx = 0;
            													__ebx = 1;
            													goto L63;
            												} else {
            													__eax =  *(__ebp + 0x64);
            													__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            													__eflags = __eax -  *(__ebp + 4);
            													if(__eax >=  *(__ebp + 4)) {
            														__eax = __eax +  *(__ebp + 4);
            														__eflags = __eax;
            													}
            													__ecx =  *(__ebp + 0x70);
            													__al =  *((intOrPtr*)(__eax + __ecx));
            													__ebx = 0;
            													 *(__ebp + 0x1d) =  *((intOrPtr*)(__eax + __ecx));
            													__ebx = 1;
            													goto L43;
            												}
            											}
            											goto L175;
            										case 7:
            											__eflags =  *(__ebp + 0x38) - 1;
            											if( *(__ebp + 0x38) != 1) {
            												__eax =  *(__ebp + 0x54);
            												 *(__ebp + 0x58) =  *(__ebp + 0x54);
            												__eax =  *(__ebp + 0x50);
            												 *(__ebp + 0x54) =  *(__ebp + 0x50);
            												__eax =  *(__ebp + 0x4c);
            												 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            												__eax = 0;
            												__eflags =  *(__ebp + 0x40) - 7;
            												 *(__ebp - 8) = 0x16;
            												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            												__eax = (__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd;
            												__eax = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xa;
            												__eflags = __eax;
            												 *(__ebp + 0x40) = __eax;
            												__eax = __edx + 0x664;
            												 *(__ebp + 0x20) = __edx + 0x664;
            												goto L71;
            											} else {
            												__eax =  *(__ebp + 0x40);
            												__esi = __edx + 0x198 +  *(__ebp + 0x40) * 2;
            												 *(__ebp - 0xc) = 8;
            											}
            											goto L134;
            										case 8:
            											__eflags =  *(__ebp + 0x38);
            											__eax =  *(__ebp + 0x40);
            											if( *(__ebp + 0x38) != 0) {
            												__esi = __edx + 0x1b0 + __eax * 2;
            												 *(__ebp - 0xc) = 0xa;
            											} else {
            												__eax = __eax + 0xf;
            												__eax = __eax << 4;
            												__eax = __eax +  *(__ebp + 0x2c);
            												 *(__ebp - 0xc) = 9;
            												__esi = __edx + __eax * 2;
            											}
            											goto L134;
            										case 9:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												goto L92;
            											} else {
            												__eflags =  *(__ebp + 0x18);
            												if( *(__ebp + 0x18) == 0) {
            													goto L174;
            												} else {
            													__eax = 0;
            													__eflags =  *(__ebp + 0x40) - 7;
            													_t248 =  *(__ebp + 0x40) - 7 >= 0;
            													__eflags = _t248;
            													__eax = 0 | _t248;
            													__eax = _t248 + _t248 + 9;
            													 *(__ebp + 0x40) = _t248 + _t248 + 9;
            													goto L78;
            												}
            											}
            											goto L175;
            										case 0xa:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												__eax =  *(__ebp + 0x40);
            												__esi = __edx + 0x1c8 +  *(__ebp + 0x40) * 2;
            												 *(__ebp - 0xc) = 0xb;
            											} else {
            												__eax =  *(__ebp + 0x50);
            												goto L91;
            											}
            											goto L134;
            										case 0xb:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												__ecx =  *(__ebp + 0x54);
            												__eax =  *(__ebp + 0x58);
            												 *(__ebp + 0x58) =  *(__ebp + 0x54);
            											} else {
            												__eax =  *(__ebp + 0x54);
            											}
            											__ecx =  *(__ebp + 0x50);
            											 *(__ebp + 0x54) =  *(__ebp + 0x50);
            											L91:
            											__ecx =  *(__ebp + 0x4c);
            											 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            											 *(__ebp + 0x4c) = __eax;
            											L92:
            											__eax = __edx + 0xa68;
            											 *(__ebp + 0x20) = __edx + 0xa68;
            											 *(__ebp - 8) = 0x15;
            											goto L71;
            										case 0xc:
            											__eax =  *(__ebp + 0x4c);
            											goto L103;
            										case 0xd:
            											L39:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												 *(__ebp - 0x10) = 0xd;
            												goto L173;
            											} else {
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t115 = __ebp + 8;
            												 *_t115 =  *(__ebp + 8) + 1;
            												__eflags =  *_t115;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												L41:
            												__eax =  *(__ebp + 0x38);
            												__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            												if( *(__ebp + 0x30) !=  *(__ebp + 0x38)) {
            													goto L50;
            												} else {
            													__eflags = __ebx - 0x100;
            													if(__ebx >= 0x100) {
            														goto L56;
            													} else {
            														L43:
            														__eax =  *(__ebp + 0x1d) & 0x000000ff;
            														 *(__ebp + 0x1d) =  *(__ebp + 0x1d) << 1;
            														__ecx =  *(__ebp + 0x20);
            														__eax = ( *(__ebp + 0x1d) & 0x000000ff) >> 7;
            														 *(__ebp + 0x30) = __eax;
            														__eax = __eax + 1;
            														__eax = __eax << 8;
            														__esi =  *(__ebp + 0x20) + __eax * 2;
            														__eax =  *__esi & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68);
            														__edx = __ax & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68) >> 0xb;
            														__ecx = ( *(__ebp + 0x68) >> 0xb) * __edx;
            														__eflags =  *(__ebp + 0x6c) - __ecx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __ecx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__eflags = __ax;
            															 *(__ebp + 0x38) = 1;
            															 *__esi = __ax;
            															__ebx = __ebx + __ebx + 1;
            														} else {
            															 *(__ebp + 0x38) =  *(__ebp + 0x38) & 0x00000000;
            															 *(__ebp + 0x68) = __ecx;
            															0x800 = 0x800 - __edx;
            															0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
            															 *__esi = __cx;
            															__ebx = __ebx + __ebx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														 *(__ebp + 0x34) = __ebx;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															goto L41;
            														} else {
            															goto L39;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 0xe:
            											L48:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												 *(__ebp - 0x10) = 0xe;
            												goto L173;
            											} else {
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t149 = __ebp + 8;
            												 *_t149 =  *(__ebp + 8) + 1;
            												__eflags =  *_t149;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												while(1) {
            													L50:
            													__eflags = __ebx - 0x100;
            													if(__ebx >= 0x100) {
            														break;
            													}
            													__eax =  *(__ebp + 0x20);
            													__ecx =  *(__ebp + 0x68);
            													__edx = __ebx + __ebx;
            													__esi = __edx +  *(__ebp + 0x20);
            													__eax =  *__esi & 0x0000ffff;
            													__edi = __ax & 0x0000ffff;
            													__ecx =  *(__ebp + 0x68) >> 0xb;
            													__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            													__eflags =  *(__ebp + 0x6c) - __ecx;
            													 *(__ebp + 0x24) = __esi;
            													if( *(__ebp + 0x6c) >= __ecx) {
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            														 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            														__cx = __ax;
            														__cx = __ax >> 5;
            														__ax = __ax - __cx;
            														__eflags = __ax;
            														 *__esi = __ax;
            														__ebx = __edx + 1;
            													} else {
            														 *(__ebp + 0x68) = __ecx;
            														0x800 = 0x800 - __edi;
            														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            														 *__esi = __cx;
            														__ebx = __ebx + __ebx;
            													}
            													__eflags =  *(__ebp + 0x68) - 0x1000000;
            													 *(__ebp + 0x34) = __ebx;
            													if( *(__ebp + 0x68) >= 0x1000000) {
            														continue;
            													} else {
            														goto L48;
            													}
            													goto L175;
            												}
            												L56:
            												_t166 = __ebp + 0x44;
            												 *_t166 =  *(__ebp + 0x44) & 0x00000000;
            												__eflags =  *_t166;
            												goto L57;
            											}
            											goto L175;
            										case 0xf:
            											L60:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												 *(__ebp - 0x10) = 0xf;
            												goto L173;
            											} else {
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t196 = __ebp + 8;
            												 *_t196 =  *(__ebp + 8) + 1;
            												__eflags =  *_t196;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												L62:
            												__eflags = __ebx - 0x100;
            												if(__ebx >= 0x100) {
            													L57:
            													__al =  *(__ebp + 0x34);
            													 *(__ebp + 0x1c) =  *(__ebp + 0x34);
            													goto L58;
            												} else {
            													L63:
            													__eax =  *(__ebp + 0x20);
            													__ecx =  *(__ebp + 0x68);
            													__edx = __ebx + __ebx;
            													__esi = __edx +  *(__ebp + 0x20);
            													__eax =  *__esi & 0x0000ffff;
            													__edi = __ax & 0x0000ffff;
            													__ecx =  *(__ebp + 0x68) >> 0xb;
            													__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            													__eflags =  *(__ebp + 0x6c) - __ecx;
            													 *(__ebp + 0x24) = __esi;
            													if( *(__ebp + 0x6c) >= __ecx) {
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            														 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            														__cx = __ax;
            														__cx = __ax >> 5;
            														__ax = __ax - __cx;
            														__eflags = __ax;
            														 *__esi = __ax;
            														__ebx = __edx + 1;
            													} else {
            														 *(__ebp + 0x68) = __ecx;
            														0x800 = 0x800 - __edi;
            														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            														 *__esi = __cx;
            														__ebx = __ebx + __ebx;
            													}
            													__eflags =  *(__ebp + 0x68) - 0x1000000;
            													 *(__ebp + 0x34) = __ebx;
            													if( *(__ebp + 0x68) >= 0x1000000) {
            														goto L62;
            													} else {
            														goto L60;
            													}
            												}
            											}
            											goto L175;
            										case 0x10:
            											L113:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												 *(__ebp - 0x10) = 0x10;
            												goto L173;
            											} else {
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t351 = __ebp + 8;
            												 *_t351 =  *(__ebp + 8) + 1;
            												__eflags =  *_t351;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												goto L115;
            											}
            											goto L175;
            										case 0x11:
            											L71:
            											__esi =  *(__ebp + 0x20);
            											 *(__ebp - 0xc) = 0x12;
            											L134:
            											 *(_t595 + 0x24) = _t588;
            											goto L135;
            										case 0x12:
            											goto L0;
            										case 0x13:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												_t451 = __ebp + 0x20;
            												 *_t451 =  *(__ebp + 0x20) + 0x204;
            												__eflags =  *_t451;
            												 *(__ebp + 0x48) = 0x10;
            												 *(__ebp + 0x38) = 8;
            											} else {
            												__eax =  *(__ebp + 0x2c);
            												__ecx =  *(__ebp + 0x20);
            												__eax =  *(__ebp + 0x2c) << 4;
            												__eflags = __eax;
            												 *(__ebp + 0x48) = 8;
            												__eax =  *(__ebp + 0x20) + __eax + 0x104;
            												goto L144;
            											}
            											goto L146;
            										case 0x14:
            											_t492 = __ebp + 0x48;
            											 *_t492 =  *(__ebp + 0x48) + __ebx;
            											__eflags =  *_t492;
            											__eax =  *(__ebp - 8);
            											L159:
            											 *(_t595 - 0x10) = _t515;
            											goto L2;
            										case 0x15:
            											__eax = 0;
            											__eflags =  *(__ebp + 0x40) - 7;
            											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            											(__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            											 *(__ebp + 0x40) = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            											goto L124;
            										case 0x16:
            											__eax =  *(__ebp + 0x48);
            											__eflags = __eax - 4;
            											if(__eax >= 4) {
            												_push(3);
            												_pop(__eax);
            											}
            											__eax = __eax << 7;
            											 *(__ebp + 0x20) = __eax;
            											 *(__ebp + 0x38) = 6;
            											 *(__ebp - 4) = 0x19;
            											goto L147;
            										case 0x17:
            											goto L147;
            										case 0x18:
            											goto L148;
            										case 0x19:
            											__eflags = __ebx - 4;
            											if(__ebx < 4) {
            												 *(__ebp + 0x4c) = __ebx;
            												goto L123;
            											} else {
            												__ecx = __ebx;
            												__ebx = __ebx & 0x00000001;
            												__ecx = __ebx >> 1;
            												__ecx = (__ebx >> 1) - 1;
            												__eax = __ebx & 0x00000001 | 0x00000002;
            												__eax = (__ebx & 0x00000001 | 0x00000002) << __cl;
            												__eflags = __ebx - 0xe;
            												 *(__ebp + 0x4c) = __eax;
            												if(__ebx >= 0xe) {
            													__ebx = 0;
            													 *(__ebp + 0x30) = __ecx;
            													L106:
            													__eflags =  *(__ebp + 0x30);
            													if( *(__ebp + 0x30) <= 0) {
            														__eax = __eax + __ebx;
            														__edx = __edx + 0x644;
            														__eflags = __edx;
            														 *(__ebp + 0x4c) = __eax;
            														 *(__ebp + 0x20) = __edx;
            														 *(__ebp + 0x38) = 4;
            														goto L112;
            													} else {
            														__ecx =  *(__ebp + 0x6c);
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) >> 1;
            														__ebx = __ebx + __ebx;
            														__eflags = __ecx -  *(__ebp + 0x68);
            														 *(__ebp + 0x34) = __ebx;
            														if(__ecx >=  *(__ebp + 0x68)) {
            															__ecx = __ecx -  *(__ebp + 0x68);
            															__ebx = __ebx | 0x00000001;
            															__eflags = __ebx;
            															 *(__ebp + 0x6c) = __ecx;
            															 *(__ebp + 0x34) = __ebx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															L105:
            															_t326 = __ebp + 0x30;
            															 *_t326 =  *(__ebp + 0x30) - 1;
            															__eflags =  *_t326;
            															goto L106;
            														} else {
            															L103:
            															__eflags =  *(__ebp + 0xc);
            															if( *(__ebp + 0xc) == 0) {
            																 *(__ebp - 0x10) = 0xc;
            																goto L173;
            															} else {
            																__edi =  *(__ebp + 8);
            																__ecx =  *(__ebp + 0x6c);
            																__edi =  *( *(__ebp + 8)) & 0x000000ff;
            																 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            																 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            																 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																_t323 = __ebp + 8;
            																 *_t323 =  *(__ebp + 8) + 1;
            																__eflags =  *_t323;
            																 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																goto L105;
            															}
            														}
            													}
            												} else {
            													__eax = __eax - __ebx;
            													 *(__ebp + 0x20) = __eax;
            													 *(__ebp + 0x38) = __ecx;
            													L112:
            													__ebx = 0;
            													 *(__ebp + 0x28) = 1;
            													 *(__ebp + 0x34) = 0;
            													 *(__ebp + 0x30) = 0;
            													L116:
            													__eax =  *(__ebp + 0x38);
            													__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            													if( *(__ebp + 0x30) >=  *(__ebp + 0x38)) {
            														_t376 = __ebp + 0x4c;
            														 *_t376 =  *(__ebp + 0x4c) + __ebx;
            														__eflags =  *_t376;
            														L123:
            														_t378 = __ebp + 0x4c;
            														 *_t378 =  *(__ebp + 0x4c) + 1;
            														__eflags =  *_t378;
            														L124:
            														__eax =  *(__ebp + 0x4c);
            														__eflags = __eax;
            														if(__eax == 0) {
            															 *(__ebp + 0x48) =  *(__ebp + 0x48) | 0xffffffff;
            															goto L173;
            														} else {
            															__eflags = __eax -  *(__ebp + 0x18);
            															if(__eax >  *(__ebp + 0x18)) {
            																goto L174;
            															} else {
            																 *(__ebp + 0x48) =  *(__ebp + 0x48) + 2;
            																__eax =  *(__ebp + 0x48);
            																_t385 = __ebp + 0x18;
            																 *_t385 =  *(__ebp + 0x18) +  *(__ebp + 0x48);
            																__eflags =  *_t385;
            																goto L127;
            															}
            														}
            													} else {
            														__edi =  *(__ebp + 0x28);
            														__eax =  *(__ebp + 0x20);
            														__edx =  *(__ebp + 0x68);
            														__edi =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            														__esi = __edi +  *(__ebp + 0x20);
            														__eax =  *__esi & 0x0000ffff;
            														__ecx = __ax & 0x0000ffff;
            														__edx =  *(__ebp + 0x68) >> 0xb;
            														__edx = ( *(__ebp + 0x68) >> 0xb) * __ecx;
            														__eflags =  *(__ebp + 0x6c) - __edx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __edx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __edx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __edx;
            															0 = 1;
            															__ebx = 1;
            															__ecx =  *(__ebp + 0x30);
            															__ebx = 1 << __cl;
            															__ecx = 1 << __cl;
            															__ebx =  *(__ebp + 0x34);
            															__ebx =  *(__ebp + 0x34) | 1 << __cl;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__edi = __edi + 1;
            															__eflags = __edi;
            															 *(__ebp + 0x34) = __ebx;
            															 *__esi = __ax;
            															 *(__ebp + 0x28) = __edi;
            														} else {
            															 *(__ebp + 0x68) = __edx;
            															0x800 = 0x800 - __ecx;
            															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
            															 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            															 *__esi = __dx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															L115:
            															_t354 = __ebp + 0x30;
            															 *_t354 =  *(__ebp + 0x30) + 1;
            															__eflags =  *_t354;
            															goto L116;
            														} else {
            															goto L113;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 0x1a:
            											L58:
            											__eflags =  *(__ebp + 0x14);
            											if( *(__ebp + 0x14) == 0) {
            												 *(__ebp - 0x10) = 0x1a;
            												goto L173;
            											} else {
            												__al =  *(__ebp + 0x1c);
            												__ecx =  *(__ebp + 0x10);
            												__edx =  *(__ebp + 0x70);
            												 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            												 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            												 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            												 *( *(__ebp + 0x10)) = __al;
            												__ecx =  *(__ebp + 0x64);
            												 *((char*)(__ecx +  *(__ebp + 0x70))) = __al;
            												__eax = __ecx + 1;
            												__edx = 0;
            												_t185 = __eax %  *(__ebp + 4);
            												__eax = __eax /  *(__ebp + 4);
            												__edx = _t185;
            												goto L82;
            											}
            											goto L175;
            										case 0x1b:
            											L78:
            											__eflags =  *(__ebp + 0x14);
            											if( *(__ebp + 0x14) == 0) {
            												 *(__ebp - 0x10) = 0x1b;
            												goto L173;
            											} else {
            												__eax =  *(__ebp + 0x64);
            												__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            												__eflags = __eax -  *(__ebp + 4);
            												if(__eax >=  *(__ebp + 4)) {
            													__eax = __eax +  *(__ebp + 4);
            													__eflags = __eax;
            												}
            												__edx =  *(__ebp + 0x70);
            												__cl =  *(__eax + __edx);
            												__eax =  *(__ebp + 0x64);
            												 *(__eax + __edx) = __cl;
            												__eax = __eax + 1;
            												__edx = 0;
            												_t263 = __eax %  *(__ebp + 4);
            												__eax = __eax /  *(__ebp + 4);
            												__edx = _t263;
            												 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            												__eax =  *(__ebp + 0x10);
            												 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            												_t272 = __ebp + 0x14;
            												 *_t272 =  *(__ebp + 0x14) - 1;
            												__eflags =  *_t272;
            												 *(__ebp + 0x1c) = __cl;
            												 *( *(__ebp + 0x10)) = __cl;
            												L82:
            												 *(__ebp + 0x64) = __edx;
            												goto L83;
            											}
            											goto L175;
            										case 0x1c:
            											while(1) {
            												L127:
            												__eflags =  *(__ebp + 0x14);
            												if( *(__ebp + 0x14) == 0) {
            													break;
            												}
            												__eax =  *(__ebp + 0x64);
            												__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            												__eflags = __eax -  *(__ebp + 4);
            												if(__eax >=  *(__ebp + 4)) {
            													__eax = __eax +  *(__ebp + 4);
            													__eflags = __eax;
            												}
            												__edx =  *(__ebp + 0x70);
            												__cl =  *(__eax + __edx);
            												__eax =  *(__ebp + 0x64);
            												 *(__eax + __edx) = __cl;
            												__eax = __eax + 1;
            												__edx = 0;
            												_t398 = __eax %  *(__ebp + 4);
            												__eax = __eax /  *(__ebp + 4);
            												__edx = _t398;
            												__eax =  *(__ebp + 0x10);
            												 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            												 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            												 *(__ebp + 0x48) =  *(__ebp + 0x48) - 1;
            												__eflags =  *(__ebp + 0x48);
            												 *(__ebp + 0x1c) = __cl;
            												 *( *(__ebp + 0x10)) = __cl;
            												 *(__ebp + 0x64) = __edx;
            												if( *(__ebp + 0x48) > 0) {
            													continue;
            												} else {
            													L83:
            													 *(__ebp - 0x10) = 2;
            													goto L2;
            												}
            												goto L175;
            											}
            											 *(__ebp - 0x10) = 0x1c;
            											goto L173;
            									}
            								}
            								L174:
            								_t517 = _t516 | 0xffffffff;
            								goto L175;
            							}
            						} else {
            							__edx =  *(__ebp + 0x28);
            							__eax =  *(__ebp + 0x20);
            							__ecx =  *(__ebp + 0x68);
            							__edx =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            							__esi = __edx +  *(__ebp + 0x20);
            							__eax =  *__esi & 0x0000ffff;
            							__edi = __ax & 0x0000ffff;
            							__ecx =  *(__ebp + 0x68) >> 0xb;
            							__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            							 *(__ebp + 0x24) = __esi;
            							if( *(__ebp + 0x6c) >= __ecx) {
            								 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            								 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            								__cx = __ax;
            								__cx = __ax >> 5;
            								__ax = __ax - __cx;
            								__edx = __edx + 1;
            								 *__esi = __ax;
            								 *(__ebp + 0x28) = __edx;
            							} else {
            								 *(__ebp + 0x68) = __ecx;
            								0x800 = 0x800 - __edi;
            								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            								 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            								 *__esi = __cx;
            							}
            							if( *(__ebp + 0x68) >= 0x1000000) {
            								L150:
            								_t469 = __ebp + 0x30;
            								 *_t469 =  *(__ebp + 0x30) - 1;
            								__edx =  *(__ebp + 0x74);
            								goto L151;
            							} else {
            								L148:
            								if( *(__ebp + 0xc) == 0) {
            									 *(__ebp - 0x10) = 0x18;
            									L173:
            									_t547 = 0x22;
            									memcpy( *(_t595 - 0x18), _t595 - 0x10, _t547 << 2);
            									_t517 = 0;
            								} else {
            									__ecx =  *(__ebp + 8);
            									__eax =  *(__ebp + 0x6c);
            									__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            									 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            									 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            									 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									_t466 = __ebp + 8;
            									 *_t466 =  *(__ebp + 8) + 1;
            									 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									goto L150;
            								}
            							}
            						}
            					}
            					L175:
            					return _t517;
            				}
            			}









            0x004081bf
            0x004081c3
            0x00000000
            0x004081c3
            0x004081b0
            0x00000000
            0x00000000
            0x00408210
            0x00408214
            0x0040821b
            0x0040821e
            0x00408225
            0x00408216
            0x00408216
            0x00000000
            0x00408216
            0x00000000
            0x00000000
            0x00408231
            0x00408235
            0x0040823c
            0x0040823f
            0x00408242
            0x00408237
            0x00408237
            0x00408237
            0x00408245
            0x00408248
            0x0040824b
            0x0040824b
            0x0040824e
            0x00408251
            0x00408254
            0x00408254
            0x0040825a
            0x0040825d
            0x00000000
            0x00000000
            0x004082ee
            0x00000000
            0x00000000
            0x00407f05
            0x00407f05
            0x00407f09
            0x0040863e
            0x00000000
            0x00407f0f
            0x00407f0f
            0x00407f12
            0x00407f15
            0x00407f18
            0x00407f1c
            0x00407f22
            0x00407f24
            0x00407f24
            0x00407f24
            0x00407f27
            0x00407f2a
            0x00407f2a
            0x00407f2d
            0x00407f30
            0x00000000
            0x00407f36
            0x00407f36
            0x00407f3c
            0x00000000
            0x00407f42
            0x00407f42
            0x00407f42
            0x00407f46
            0x00407f49
            0x00407f4c
            0x00407f4f
            0x00407f52
            0x00407f53
            0x00407f58
            0x00407f5b
            0x00407f5e
            0x00407f61
            0x00407f64
            0x00407f67
            0x00407f6a
            0x00407f6d
            0x00407f70
            0x00407f8c
            0x00407f8f
            0x00407f92
            0x00407f95
            0x00407f99
            0x00407f99
            0x00407f9c
            0x00407fa3
            0x00407fa6
            0x00407f72
            0x00407f72
            0x00407f76
            0x00407f7e
            0x00407f83
            0x00407f85
            0x00407f88
            0x00407f88
            0x00407faa
            0x00407fb1
            0x00407fb4
            0x00000000
            0x00407fba
            0x00000000
            0x00407fba
            0x00407fb4
            0x00407f3c
            0x00407f30
            0x00000000
            0x00000000
            0x00407fbf
            0x00407fbf
            0x00407fc3
            0x00408647
            0x00000000
            0x00407fc9
            0x00407fc9
            0x00407fcc
            0x00407fcf
            0x00407fd2
            0x00407fd6
            0x00407fdc
            0x00407fde
            0x00407fde
            0x00407fde
            0x00407fe1
            0x00407fe4
            0x00407fe4
            0x00407fe4
            0x00407fea
            0x00000000
            0x00000000
            0x00407fec
            0x00407fef
            0x00407ff2
            0x00407ff5
            0x00407ff8
            0x00407ffb
            0x00407ffe
            0x00408001
            0x00408004
            0x00408007
            0x0040800a
            0x00408022
            0x00408025
            0x00408028
            0x0040802b
            0x0040802f
            0x0040802f
            0x00408032
            0x00408035
            0x0040800c
            0x0040800c
            0x00408014
            0x00408019
            0x0040801b
            0x0040801e
            0x0040801e
            0x00408038
            0x0040803f
            0x00408042
            0x00000000
            0x00408044
            0x00000000
            0x00408044
            0x00000000
            0x00408042
            0x00408049
            0x00408049
            0x00408049
            0x00408049
            0x00000000
            0x00408049
            0x00000000
            0x00000000
            0x00408084
            0x00408084
            0x00408088
            0x00408650
            0x00000000
            0x0040808e
            0x0040808e
            0x00408091
            0x00408094
            0x00408097
            0x0040809b
            0x004080a1
            0x004080a3
            0x004080a3
            0x004080a3
            0x004080a6
            0x004080a9
            0x004080a9
            0x004080af
            0x0040804d
            0x0040804d
            0x00408050
            0x00000000
            0x004080b1
            0x004080b1
            0x004080b1
            0x004080b4
            0x004080b7
            0x004080ba
            0x004080bd
            0x004080c0
            0x004080c3
            0x004080c6
            0x004080c9
            0x004080cc
            0x004080cf
            0x004080e7
            0x004080ea
            0x004080ed
            0x004080f0
            0x004080f4
            0x004080f4
            0x004080f7
            0x004080fa
            0x004080d1
            0x004080d1
            0x004080d9
            0x004080de
            0x004080e0
            0x004080e3
            0x004080e3
            0x004080fd
            0x00408104
            0x00408107
            0x00000000
            0x00408109
            0x00000000
            0x00408109
            0x00408107
            0x004080af
            0x00000000
            0x00000000
            0x0040836f
            0x0040836f
            0x00408373
            0x00408674
            0x00000000
            0x00408379
            0x00408379
            0x0040837c
            0x0040837f
            0x00408382
            0x00408386
            0x0040838c
            0x0040838e
            0x0040838e
            0x0040838e
            0x00408391
            0x00000000
            0x00408391
            0x00000000
            0x00000000
            0x0040815f
            0x0040815f
            0x00408162
            0x004084a7
            0x004084a7
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00408526
            0x0040852a
            0x0040854f
            0x0040854f
            0x0040854f
            0x00408556
            0x0040855d
            0x0040852c
            0x0040852c
            0x0040852f
            0x00408532
            0x00408532
            0x00408535
            0x0040853c
            0x00000000
            0x0040853c
            0x00000000
            0x00000000
            0x0040861e
            0x0040861e
            0x0040861e
            0x00408621
            0x00408624
            0x00408624
            0x00000000
            0x00000000
            0x00408269
            0x0040826b
            0x00408272
            0x00408276
            0x00408279
            0x00000000
            0x00000000
            0x00408281
            0x00408284
            0x00408287
            0x00408289
            0x0040828b
            0x0040828b
            0x0040828c
            0x00408296
            0x00408299
            0x004082a0
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x004082ac
            0x004082af
            0x004082e6
            0x00000000
            0x004082b1
            0x004082b1
            0x004082b5
            0x004082b8
            0x004082ba
            0x004082bb
            0x004082be
            0x004082c0
            0x004082c3
            0x004082c6
            0x004082dc
            0x004082e1
            0x00408319
            0x00408319
            0x0040831d
            0x00408349
            0x0040834b
            0x0040834b
            0x00408351
            0x00408354
            0x00408357
            0x00000000
            0x0040831f
            0x0040831f
            0x00408322
            0x00408325
            0x00408327
            0x0040832a
            0x0040832d
            0x0040832f
            0x00408332
            0x00408332
            0x00408335
            0x00408338
            0x00408338
            0x0040833b
            0x00408342
            0x00408316
            0x00408316
            0x00408316
            0x00408316
            0x00000000
            0x00408344
            0x004082f1
            0x004082f1
            0x004082f5
            0x0040866b
            0x00000000
            0x004082fb
            0x004082fb
            0x004082fe
            0x00408301
            0x00408304
            0x00408308
            0x0040830e
            0x00408310
            0x00408310
            0x00408310
            0x00408313
            0x00000000
            0x00408313
            0x004082f5
            0x00408342
            0x004082c8
            0x004082c8
            0x004082d1
            0x004082d4
            0x0040835e
            0x0040835e
            0x00408360
            0x00408367
            0x0040836a
            0x00408397
            0x00408397
            0x0040839a
            0x0040839d
            0x00408411
            0x00408411
            0x00408411
            0x00408414
            0x00408414
            0x00408414
            0x00408414
            0x00408417
            0x00408417
            0x0040841a
            0x0040841c
            0x0040867d
            0x00000000
            0x00408422
            0x00408422
            0x00408425
            0x00000000
            0x0040842b
            0x0040842b
            0x0040842f
            0x00408432
            0x00408432
            0x00408432
            0x00000000
            0x00408432
            0x00408425
            0x0040839f
            0x0040839f
            0x004083a2
            0x004083a5
            0x004083a8
            0x004083aa
            0x004083ad
            0x004083b0
            0x004083b3
            0x004083b6
            0x004083b9
            0x004083bc
            0x004083bf
            0x004083d8
            0x004083db
            0x004083e0
            0x004083e1
            0x004083e3
            0x004083e6
            0x004083e8
            0x004083ea
            0x004083ed
            0x004083ef
            0x004083f2
            0x004083f6
            0x004083f9
            0x004083f9
            0x004083fa
            0x004083fd
            0x00408400
            0x004083c1
            0x004083c1
            0x004083c9
            0x004083ce
            0x004083d0
            0x004083d3
            0x004083d3
            0x00408403
            0x0040840a
            0x00408394
            0x00408394
            0x00408394
            0x00408394
            0x00000000
            0x0040840c
            0x00000000
            0x0040840c
            0x0040840a
            0x0040839d
            0x004082c6
            0x00000000
            0x00000000
            0x00408053
            0x00408053
            0x00408057
            0x00408659
            0x00000000
            0x0040805d
            0x0040805d
            0x00408060
            0x00408063
            0x00408066
            0x00408069
            0x0040806c
            0x0040806f
            0x00408071
            0x00408074
            0x00408077
            0x0040807a
            0x0040807c
            0x0040807c
            0x0040807c
            0x00000000
            0x0040807c
            0x00000000
            0x00000000
            0x004081c6
            0x004081c6
            0x004081ca
            0x00408662
            0x00000000
            0x004081d0
            0x004081d0
            0x004081d3
            0x004081d6
            0x004081d9
            0x004081db
            0x004081db
            0x004081db
            0x004081de
            0x004081e1
            0x004081e4
            0x004081e7
            0x004081ea
            0x004081eb
            0x004081ed
            0x004081ed
            0x004081ed
            0x004081f0
            0x004081f3
            0x004081f6
            0x004081f9
            0x004081f9
            0x004081f9
            0x004081fc
            0x004081ff
            0x00408201
            0x00408201
            0x00000000
            0x00408201
            0x00000000
            0x00000000
            0x00408435
            0x00408435
            0x00408435
            0x00408439
            0x00000000
            0x00000000
            0x0040843f
            0x00408442
            0x00408445
            0x00408448
            0x0040844a
            0x0040844a
            0x0040844a
            0x0040844d
            0x00408450
            0x00408453
            0x00408456
            0x00408459
            0x0040845a
            0x0040845c
            0x0040845c
            0x0040845c
            0x0040845f
            0x00408462
            0x00408465
            0x00408468
            0x0040846b
            0x0040846f
            0x00408472
            0x00408474
            0x00408477
            0x00000000
            0x00408479
            0x00408204
            0x00408204
            0x00000000
            0x00407cfd
            0x00000000
            0x00408477
            0x00408683
            0x00000000
            0x00000000
            0x00407d0c
            0x004086ab
            0x004086ab
            0x00000000
            0x004086ab
            0x004085ab
            0x004085ab
            0x004085ae
            0x004085b1
            0x004085b4
            0x004085b6
            0x004085b9
            0x004085bc
            0x004085bf
            0x004085c2
            0x004085c8
            0x004085cb
            0x004085e4
            0x004085e7
            0x004085ea
            0x004085ed
            0x004085f1
            0x004085f4
            0x004085f5
            0x004085f8
            0x004085cd
            0x004085cd
            0x004085d5
            0x004085da
            0x004085dc
            0x004085df
            0x004085df
            0x00408602
            0x0040859f
            0x0040859f
            0x0040859f
            0x004085a2
            0x00000000
            0x00408604
            0x0040857a
            0x0040857e
            0x00408695
            0x0040869c
            0x004086a1
            0x004086a5
            0x004086a7
            0x00408584
            0x00408584
            0x00408587
            0x0040858a
            0x0040858d
            0x00408591
            0x00408597
            0x00408599
            0x00408599
            0x0040859c
            0x00000000
            0x0040859c
            0x0040857e
            0x00408602
            0x004085a9
            0x004086ae
            0x004086b5
            0x004086b5

            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 616a88b33cc040cb8dd72b128a85d6dedfe5819c7e3a341ec58e0b0670933a2e
            • Instruction ID: 889be910bb3604c17133948d78b3a0935b66e9d60f3ea8e608209814c6385e27
            • Opcode Fuzzy Hash: 616a88b33cc040cb8dd72b128a85d6dedfe5819c7e3a341ec58e0b0670933a2e
            • Instruction Fuzzy Hash: D3913471900248EBDF58CF18C9847A93BB1FF44359F11812AFC9AAB291C739D985DF88
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            [Figure: control-flow graph for the function at 0x407cce; legend: Executed, Not Executed]
            C-Code - Quality: 98%
            			E00407CCE(void* __ecx) {
            				signed int _t521;
            				signed int _t522;
            				signed int _t554;
            				intOrPtr* _t615;
            				void* _t617;
            
            				_t615 = _t617 - 0x78;
            				_t554 = 0x22;
            				 *(_t615 - 0x18) = __ecx;
            				memcpy(_t615 - 0x10, __ecx, _t554 << 2);
            				if( *((intOrPtr*)(_t615 + 0x48)) != 0xffffffff) {
            					while(1) {
            						L3:
            						while(1) {
            							L4:
            							_t521 =  *(_t615 - 0x10);
            							if(_t521 > 0x1c) {
            								break;
            							}
            							switch( *((intOrPtr*)(_t521 * 4 +  &M004086B6))) {
            								case 0:
            									__eflags =  *(_t615 + 0xc);
            									if( *(_t615 + 0xc) == 0) {
            										goto L176;
            									}
            									 *(_t615 + 0xc) =  *(_t615 + 0xc) - 1;
            									_t521 =  *( *(_t615 + 8));
            									 *(_t615 + 8) =  &(( *(_t615 + 8))[1]);
            									__eflags = _t521 - 0xe1;
            									if(_t521 > 0xe1) {
            										goto L177;
            									}
            									_t525 = _t521 & 0x000000ff;
            									asm("cdq");
            									_push(0x2d);
            									_pop(_t558);
            									_push(9);
            									_pop(_t559);
            									_t610 = _t525 / _t558;
            									_t527 = _t525 % _t558 & 0x000000ff;
            									asm("cdq");
            									_t602 = _t527 % _t559 & 0x000000ff;
            									 *(_t615 + 0x3c) = _t602;
            									 *(_t615 + 0x5c) = (1 << _t610) - 1;
            									 *((intOrPtr*)(_t615 + 0x60)) = (1 << _t527 / _t559) - 1;
            									_t613 = (0x300 << _t602 + _t610) + 0x736;
            									__eflags = 0x600 -  *_t615;
            									if(0x600 ==  *_t615) {
            										L13:
            										__eflags = _t613;
            										if(_t613 == 0) {
            											L15:
            											 *(_t615 + 0x30) =  *(_t615 + 0x30) & 0x00000000;
            											 *(_t615 + 0x38) =  *(_t615 + 0x38) & 0x00000000;
            											goto L18;
            										} else {
            											goto L14;
            										}
            										do {
            											L14:
            											_t613 = _t613 - 1;
            											__eflags = _t613;
            											 *((short*)( *(_t615 + 0x74) + _t613 * 2)) = 0x400;
            										} while (_t613 != 0);
            										goto L15;
            									}
            									__eflags =  *(_t615 + 0x74);
            									if( *(_t615 + 0x74) != 0) {
            										GlobalFree( *(_t615 + 0x74)); // executed
            									}
            									_t521 = GlobalAlloc(0x40, 0x600); // executed
            									__eflags = _t521;
            									 *(_t615 + 0x74) = _t521;
            									if(_t521 == 0) {
            										goto L177;
            									} else {
            										 *_t615 = 0x600;
            										goto L13;
            									}
            								case 1:
            									L16:
            									__eflags =  *(_t615 + 0xc);
            									if( *(_t615 + 0xc) == 0) {
            										 *(_t615 - 0x10) = 1;
            										goto L176;
            									}
            									 *(_t615 + 0xc) =  *(_t615 + 0xc) - 1;
            									 *(_t615 + 0x38) =  *(_t615 + 0x38) | ( *( *(_t615 + 8)) & 0x000000ff) <<  *(_t615 + 0x30) << 0x00000003;
            									 *(_t615 + 8) =  &(( *(_t615 + 8))[1]);
            									_t50 = _t615 + 0x30;
            									 *_t50 =  *(_t615 + 0x30) + 1;
            									__eflags =  *_t50;
            									L18:
            									__eflags =  *(_t615 + 0x30) - 4;
            									if( *(_t615 + 0x30) < 4) {
            										goto L16;
            									}
            									_t532 =  *(_t615 + 0x38);
            									__eflags = _t532 -  *(_t615 + 4);
            									if(_t532 ==  *(_t615 + 4)) {
            										L23:
            										 *((char*)( *(_t615 + 0x70) +  *(_t615 + 4) - 1)) = 0;
            										 *(_t615 + 0x30) = 5;
            										goto L26;
            									}
            									__eflags =  *(_t615 + 0x70);
            									 *(_t615 + 4) = _t532;
            									if( *(_t615 + 0x70) != 0) {
            										GlobalFree( *(_t615 + 0x70)); // executed
            									}
            									_t521 = GlobalAlloc(0x40,  *(_t615 + 0x38)); // executed
            									__eflags = _t521;
            									 *(_t615 + 0x70) = _t521;
            									if(_t521 == 0) {
            										goto L177;
            									} else {
            										goto L23;
            									}
            								case 2:
            									L28:
            									_t539 =  *(_t615 + 0x18) &  *(_t615 + 0x5c);
            									 *(_t615 + 0x2c) = _t539;
            									_t614 = _t593 + (( *(_t615 + 0x40) << 4) + _t539) * 2;
            									 *(_t615 - 0xc) = 6;
            									goto L137;
            								case 3:
            									L24:
            									__eflags =  *(_t615 + 0xc);
            									if( *(_t615 + 0xc) == 0) {
            										 *(_t615 - 0x10) = 3;
            										goto L176;
            									}
            									 *(_t615 + 0xc) =  *(_t615 + 0xc) - 1;
            									_t70 = _t615 + 8;
            									 *_t70 =  &(( *(_t615 + 8))[1]);
            									__eflags =  *_t70;
            									 *(_t615 + 0x6c) =  *(_t615 + 0x6c) << 0x00000008 |  *( *(_t615 + 8)) & 0x000000ff;
            									L26:
            									 *(_t615 + 0x30) =  *(_t615 + 0x30) - 1;
            									__eflags =  *(_t615 + 0x30);
            									if( *(_t615 + 0x30) != 0) {
            										goto L24;
            									}
            									_t593 =  *(_t615 + 0x74);
            									goto L28;
            								case 4:
            									L138:
            									_t540 =  *_t614 & 0x0000ffff;
            									_t604 = _t540 & 0x0000ffff;
            									_t573 = ( *(_t615 + 0x68) >> 0xb) * _t604;
            									__eflags =  *(_t615 + 0x6c) - _t573;
            									if( *(_t615 + 0x6c) >= _t573) {
            										 *(_t615 + 0x68) =  *(_t615 + 0x68) - _t573;
            										 *(_t615 + 0x6c) =  *(_t615 + 0x6c) - _t573;
            										_t541 = _t540 - (_t540 >> 5);
            										__eflags = _t541;
            										 *_t614 = _t541;
            										 *(_t615 + 0x38) = 1;
            									} else {
            										 *(_t615 + 0x68) = _t573;
            										 *(_t615 + 0x38) =  *(_t615 + 0x38) & 0x00000000;
            										 *_t614 = (0x800 - _t604 >> 5) + _t540;
            									}
            									__eflags =  *(_t615 + 0x68) - 0x1000000;
            									if( *(_t615 + 0x68) >= 0x1000000) {
            										goto L144;
            									} else {
            										goto L142;
            									}
            								case 5:
            									L142:
            									__eflags =  *(_t615 + 0xc);
            									if( *(_t615 + 0xc) == 0) {
            										 *(_t615 - 0x10) = 5;
            										goto L176;
            									}
            									 *(_t615 + 0x68) =  *(_t615 + 0x68) << 8;
            									 *(_t615 + 0xc) =  *(_t615 + 0xc) - 1;
            									_t446 = _t615 + 8;
            									 *_t446 =  &(( *(_t615 + 8))[1]);
            									__eflags =  *_t446;
            									 *(_t615 + 0x6c) =  *(_t615 + 0x6c) << 0x00000008 |  *( *(_t615 + 8)) & 0x000000ff;
            									L144:
            									_t542 =  *(_t615 - 0xc);
            									goto L162;
            								case 6:
            									__eax = 0;
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										__eax =  *(__ebp + 0x40);
            										 *(__ebp + 0x44) = 1;
            										__esi = __edx + 0x180 +  *(__ebp + 0x40) * 2;
            										 *(__ebp - 0xc) = 7;
            										goto L137;
            									}
            									__esi =  *(__ebp + 0x1c) & 0x000000ff;
            									 *(__ebp + 0x18) =  *(__ebp + 0x18) &  *(__ebp + 0x60);
            									_push(8);
            									_pop(__ecx);
            									__cl = __cl -  *(__ebp + 0x3c);
            									__esi = ( *(__ebp + 0x1c) & 0x000000ff) >> __cl;
            									__ecx =  *(__ebp + 0x3c);
            									__edi = ( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl;
            									__esi = (( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl);
            									__esi = ((( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl)) * 0x600;
            									__eflags =  *(__ebp + 0x40) - 4;
            									__ecx = __esi + __edx + 0xe6c;
            									 *(__ebp + 0x20) = __esi + __edx + 0xe6c;
            									if( *(__ebp + 0x40) >= 4) {
            										__eflags =  *(__ebp + 0x40) - 0xa;
            										if( *(__ebp + 0x40) >= 0xa) {
            											_t98 = __ebp + 0x40;
            											 *_t98 =  *(__ebp + 0x40) - 6;
            											__eflags =  *_t98;
            										} else {
            											 *(__ebp + 0x40) =  *(__ebp + 0x40) - 3;
            										}
            									} else {
            										 *(__ebp + 0x40) = 0;
            									}
            									__eflags =  *(__ebp + 0x44) - __eax;
            									if( *(__ebp + 0x44) == __eax) {
            										__ebx = 0;
            										__ebx = 1;
            										goto L65;
            									} else {
            										__eax =  *(__ebp + 0x64);
            										__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            										__eflags = __eax -  *(__ebp + 4);
            										if(__eax >=  *(__ebp + 4)) {
            											__eax = __eax +  *(__ebp + 4);
            											__eflags = __eax;
            										}
            										__ecx =  *(__ebp + 0x70);
            										__al =  *((intOrPtr*)(__eax + __ecx));
            										__ebx = 0;
            										 *(__ebp + 0x1d) =  *((intOrPtr*)(__eax + __ecx));
            										__ebx = 1;
            										goto L45;
            									}
            								case 7:
            									__eflags =  *(__ebp + 0x38) - 1;
            									if( *(__ebp + 0x38) != 1) {
            										__eax =  *(__ebp + 0x54);
            										 *(__ebp + 0x58) =  *(__ebp + 0x54);
            										__eax =  *(__ebp + 0x50);
            										 *(__ebp + 0x54) =  *(__ebp + 0x50);
            										__eax =  *(__ebp + 0x4c);
            										 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            										__eax = 0;
            										__eflags =  *(__ebp + 0x40) - 7;
            										 *(__ebp - 8) = 0x16;
            										0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            										__eax = (__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd;
            										__eax = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xa;
            										__eflags = __eax;
            										 *(__ebp + 0x40) = __eax;
            										__eax = __edx + 0x664;
            										 *(__ebp + 0x20) = __edx + 0x664;
            										goto L73;
            									}
            									__eax =  *(__ebp + 0x40);
            									__esi = __edx + 0x198 +  *(__ebp + 0x40) * 2;
            									 *(__ebp - 0xc) = 8;
            									goto L137;
            								case 8:
            									__eflags =  *(__ebp + 0x38);
            									__eax =  *(__ebp + 0x40);
            									if( *(__ebp + 0x38) != 0) {
            										__esi = __edx + 0x1b0 + __eax * 2;
            										 *(__ebp - 0xc) = 0xa;
            									} else {
            										__eax = __eax + 0xf;
            										__eax = __eax << 4;
            										__eax = __eax +  *(__ebp + 0x2c);
            										 *(__ebp - 0xc) = 9;
            										__esi = __edx + __eax * 2;
            									}
            									goto L137;
            								case 9:
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										goto L94;
            									}
            									__eflags =  *(__ebp + 0x18);
            									if( *(__ebp + 0x18) == 0) {
            										goto L177;
            									}
            									__eax = 0;
            									__eflags =  *(__ebp + 0x40) - 7;
            									_t254 =  *(__ebp + 0x40) - 7 >= 0;
            									__eflags = _t254;
            									__eax = 0 | _t254;
            									__eax = _t254 + _t254 + 9;
            									 *(__ebp + 0x40) = _t254 + _t254 + 9;
            									goto L80;
            								case 0xa:
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										__eax =  *(__ebp + 0x40);
            										__esi = __edx + 0x1c8 +  *(__ebp + 0x40) * 2;
            										 *(__ebp - 0xc) = 0xb;
            										goto L137;
            									}
            									__eax =  *(__ebp + 0x50);
            									goto L93;
            								case 0xb:
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										__ecx =  *(__ebp + 0x54);
            										__eax =  *(__ebp + 0x58);
            										 *(__ebp + 0x58) =  *(__ebp + 0x54);
            									} else {
            										__eax =  *(__ebp + 0x54);
            									}
            									__ecx =  *(__ebp + 0x50);
            									 *(__ebp + 0x54) =  *(__ebp + 0x50);
            									L93:
            									__ecx =  *(__ebp + 0x4c);
            									 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            									 *(__ebp + 0x4c) = __eax;
            									L94:
            									__eax = __edx + 0xa68;
            									 *(__ebp + 0x20) = __edx + 0xa68;
            									 *(__ebp - 8) = 0x15;
            									goto L73;
            								case 0xc:
            									__eax =  *(__ebp + 0x4c);
            									goto L105;
            								case 0xd:
            									L41:
            									__eflags =  *(__ebp + 0xc);
            									if( *(__ebp + 0xc) == 0) {
            										 *(__ebp - 0x10) = 0xd;
            										goto L176;
            									}
            									__ecx =  *(__ebp + 8);
            									__eax =  *(__ebp + 0x6c);
            									__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            									 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            									 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            									 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									_t121 = __ebp + 8;
            									 *_t121 =  *(__ebp + 8) + 1;
            									__eflags =  *_t121;
            									 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									L43:
            									__eax =  *(__ebp + 0x38);
            									__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            									if( *(__ebp + 0x30) !=  *(__ebp + 0x38)) {
            										goto L52;
            									}
            									__eflags = __ebx - 0x100;
            									if(__ebx >= 0x100) {
            										goto L58;
            									}
            									L45:
            									__eax =  *(__ebp + 0x1d) & 0x000000ff;
            									 *(__ebp + 0x1d) =  *(__ebp + 0x1d) << 1;
            									__ecx =  *(__ebp + 0x20);
            									__eax = ( *(__ebp + 0x1d) & 0x000000ff) >> 7;
            									 *(__ebp + 0x30) = __eax;
            									__eax = __eax + 1;
            									__eax = __eax << 8;
            									__esi =  *(__ebp + 0x20) + __eax * 2;
            									__eax =  *__esi & 0x0000ffff;
            									__ecx =  *(__ebp + 0x68);
            									__edx = __ax & 0x0000ffff;
            									__ecx =  *(__ebp + 0x68) >> 0xb;
            									__ecx = ( *(__ebp + 0x68) >> 0xb) * __edx;
            									__eflags =  *(__ebp + 0x6c) - __ecx;
            									 *(__ebp + 0x24) = __esi;
            									if( *(__ebp + 0x6c) >= __ecx) {
            										 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            										 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            										__cx = __ax;
            										__cx = __ax >> 5;
            										__ax = __ax - __cx;
            										__eflags = __ax;
            										 *(__ebp + 0x38) = 1;
            										 *__esi = __ax;
            										__ebx = __ebx + __ebx + 1;
            									} else {
            										 *(__ebp + 0x38) =  *(__ebp + 0x38) & 0x00000000;
            										 *(__ebp + 0x68) = __ecx;
            										0x800 = 0x800 - __edx;
            										0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
            										 *__esi = __cx;
            										__ebx = __ebx + __ebx;
            									}
            									__eflags =  *(__ebp + 0x68) - 0x1000000;
            									 *(__ebp + 0x34) = __ebx;
            									if( *(__ebp + 0x68) >= 0x1000000) {
            										goto L43;
            									} else {
            										goto L41;
            									}
            								case 0xe:
            									L50:
            									__eflags =  *(__ebp + 0xc);
            									if( *(__ebp + 0xc) == 0) {
            										 *(__ebp - 0x10) = 0xe;
            										goto L176;
            									}
            									__ecx =  *(__ebp + 8);
            									__eax =  *(__ebp + 0x6c);
            									__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            									 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            									 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            									 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									_t155 = __ebp + 8;
            									 *_t155 =  *(__ebp + 8) + 1;
            									__eflags =  *_t155;
            									 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									while(1) {
            										L52:
            										__eflags = __ebx - 0x100;
            										if(__ebx >= 0x100) {
            											break;
            										}
            										__eax =  *(__ebp + 0x20);
            										__ecx =  *(__ebp + 0x68);
            										__edx = __ebx + __ebx;
            										__esi = __edx +  *(__ebp + 0x20);
            										__eax =  *__esi & 0x0000ffff;
            										__edi = __ax & 0x0000ffff;
            										__ecx =  *(__ebp + 0x68) >> 0xb;
            										__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            										__eflags =  *(__ebp + 0x6c) - __ecx;
            										 *(__ebp + 0x24) = __esi;
            										if( *(__ebp + 0x6c) >= __ecx) {
            											 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            											 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            											__cx = __ax;
            											__cx = __ax >> 5;
            											__ax = __ax - __cx;
            											__eflags = __ax;
            											 *__esi = __ax;
            											__ebx = __edx + 1;
            										} else {
            											 *(__ebp + 0x68) = __ecx;
            											0x800 = 0x800 - __edi;
            											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            											 *__esi = __cx;
            											__ebx = __ebx + __ebx;
            										}
            										__eflags =  *(__ebp + 0x68) - 0x1000000;
            										 *(__ebp + 0x34) = __ebx;
            										if( *(__ebp + 0x68) >= 0x1000000) {
            											continue;
            										} else {
            											goto L50;
            										}
            									}
            									L58:
            									_t172 = __ebp + 0x44;
            									 *_t172 =  *(__ebp + 0x44) & 0x00000000;
            									__eflags =  *_t172;
            									goto L59;
            								case 0xf:
            									L62:
            									__eflags =  *(__ebp + 0xc);
            									if( *(__ebp + 0xc) == 0) {
            										 *(__ebp - 0x10) = 0xf;
            										goto L176;
            									}
            									__ecx =  *(__ebp + 8);
            									__eax =  *(__ebp + 0x6c);
            									__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            									 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            									 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            									 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									_t202 = __ebp + 8;
            									 *_t202 =  *(__ebp + 8) + 1;
            									__eflags =  *_t202;
            									 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									L64:
            									__eflags = __ebx - 0x100;
            									if(__ebx >= 0x100) {
            										L59:
            										__al =  *(__ebp + 0x34);
            										 *(__ebp + 0x1c) =  *(__ebp + 0x34);
            										goto L60;
            									}
            									L65:
            									__eax =  *(__ebp + 0x20);
            									__ecx =  *(__ebp + 0x68);
            									__edx = __ebx + __ebx;
            									__esi = __edx +  *(__ebp + 0x20);
            									__eax =  *__esi & 0x0000ffff;
            									__edi = __ax & 0x0000ffff;
            									__ecx =  *(__ebp + 0x68) >> 0xb;
            									__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            									__eflags =  *(__ebp + 0x6c) - __ecx;
            									 *(__ebp + 0x24) = __esi;
            									if( *(__ebp + 0x6c) >= __ecx) {
            										 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            										 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            										__cx = __ax;
            										__cx = __ax >> 5;
            										__ax = __ax - __cx;
            										__eflags = __ax;
            										 *__esi = __ax;
            										__ebx = __edx + 1;
            									} else {
            										 *(__ebp + 0x68) = __ecx;
            										0x800 = 0x800 - __edi;
            										0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            										 *__esi = __cx;
            										__ebx = __ebx + __ebx;
            									}
            									__eflags =  *(__ebp + 0x68) - 0x1000000;
            									 *(__ebp + 0x34) = __ebx;
            									if( *(__ebp + 0x68) >= 0x1000000) {
            										goto L64;
            									} else {
            										goto L62;
            									}
            								case 0x10:
            									L115:
            									__eflags =  *(__ebp + 0xc);
            									if( *(__ebp + 0xc) == 0) {
            										 *(__ebp - 0x10) = 0x10;
            										goto L176;
            									}
            									__ecx =  *(__ebp + 8);
            									__eax =  *(__ebp + 0x6c);
            									__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            									 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            									 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            									 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									_t357 = __ebp + 8;
            									 *_t357 =  *(__ebp + 8) + 1;
            									__eflags =  *_t357;
            									 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									goto L117;
            								case 0x11:
            									L73:
            									__esi =  *(__ebp + 0x20);
            									 *(__ebp - 0xc) = 0x12;
            									goto L137;
            								case 0x12:
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										 *(__ebp + 0x20) =  *(__ebp + 0x20) + 2;
            										__eflags =  *(__ebp + 0x20) + 2;
            										 *(__ebp - 0xc) = 0x13;
            										L137:
            										 *(_t615 + 0x24) = _t614;
            										goto L138;
            									}
            									__eax =  *(__ebp + 0x2c);
            									 *(__ebp + 0x48) =  *(__ebp + 0x48) & 0x00000000;
            									__ecx =  *(__ebp + 0x20);
            									__eax =  *(__ebp + 0x2c) << 4;
            									__eax =  *(__ebp + 0x20) + ( *(__ebp + 0x2c) << 4) + 4;
            									goto L147;
            								case 0x13:
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										_t458 = __ebp + 0x20;
            										 *_t458 =  *(__ebp + 0x20) + 0x204;
            										__eflags =  *_t458;
            										 *(__ebp + 0x48) = 0x10;
            										 *(__ebp + 0x38) = 8;
            										L149:
            										 *(__ebp - 4) = 0x14;
            										goto L150;
            									}
            									__eax =  *(__ebp + 0x2c);
            									__ecx =  *(__ebp + 0x20);
            									__eax =  *(__ebp + 0x2c) << 4;
            									__eflags = __eax;
            									 *(__ebp + 0x48) = 8;
            									__eax =  *(__ebp + 0x20) + __eax + 0x104;
            									L147:
            									 *(__ebp + 0x20) = __eax;
            									 *(__ebp + 0x38) = 3;
            									goto L149;
            								case 0x14:
            									_t499 = __ebp + 0x48;
            									 *_t499 =  *(__ebp + 0x48) + __ebx;
            									__eflags =  *_t499;
            									__eax =  *(__ebp - 8);
            									goto L162;
            								case 0x15:
            									__eax = 0;
            									__eflags =  *(__ebp + 0x40) - 7;
            									0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            									(__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            									 *(__ebp + 0x40) = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            									goto L126;
            								case 0x16:
            									__eax =  *(__ebp + 0x48);
            									__eflags = __eax - 4;
            									if(__eax >= 4) {
            										_push(3);
            										_pop(__eax);
            									}
            									__eax = __eax << 7;
            									 *(__ebp + 0x20) = __eax;
            									 *(__ebp + 0x38) = 6;
            									 *(__ebp - 4) = 0x19;
            									goto L150;
            								case 0x17:
            									L150:
            									__eax =  *(__ebp + 0x38);
            									 *(__ebp + 0x28) = 1;
            									 *(__ebp + 0x30) =  *(__ebp + 0x38);
            									goto L154;
            								case 0x18:
            									L151:
            									__eflags =  *(__ebp + 0xc);
            									if( *(__ebp + 0xc) == 0) {
            										 *(__ebp - 0x10) = 0x18;
            										goto L176;
            									}
            									__ecx =  *(__ebp + 8);
            									__eax =  *(__ebp + 0x6c);
            									__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            									 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            									 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            									 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									_t473 = __ebp + 8;
            									 *_t473 =  *(__ebp + 8) + 1;
            									__eflags =  *_t473;
            									 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            									L153:
            									_t476 = __ebp + 0x30;
            									 *_t476 =  *(__ebp + 0x30) - 1;
            									__eflags =  *_t476;
            									__edx =  *(__ebp + 0x74);
            									L154:
            									__eflags =  *(__ebp + 0x30);
            									if( *(__ebp + 0x30) <= 0) {
            										__ecx =  *(__ebp + 0x38);
            										__ebx =  *(__ebp + 0x28);
            										0 = 1;
            										__eax = 1 << __cl;
            										__ebx =  *(__ebp + 0x28) - (1 << __cl);
            										__eax =  *(__ebp - 4);
            										 *(__ebp + 0x34) = __ebx;
            										L162:
            										 *(_t615 - 0x10) = _t542;
            										goto L4;
            									}
            									__edx =  *(__ebp + 0x28);
            									__eax =  *(__ebp + 0x20);
            									__ecx =  *(__ebp + 0x68);
            									__edx =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            									__esi = __edx +  *(__ebp + 0x20);
            									__eax =  *__esi & 0x0000ffff;
            									__edi = __ax & 0x0000ffff;
            									__ecx =  *(__ebp + 0x68) >> 0xb;
            									__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            									__eflags =  *(__ebp + 0x6c) - __ecx;
            									 *(__ebp + 0x24) = __esi;
            									if( *(__ebp + 0x6c) >= __ecx) {
            										 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            										 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            										__cx = __ax;
            										__cx = __ax >> 5;
            										__ax = __ax - __cx;
            										__edx = __edx + 1;
            										__eflags = __edx;
            										 *__esi = __ax;
            										 *(__ebp + 0x28) = __edx;
            									} else {
            										 *(__ebp + 0x68) = __ecx;
            										0x800 = 0x800 - __edi;
            										0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            										 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            										 *__esi = __cx;
            									}
            									__eflags =  *(__ebp + 0x68) - 0x1000000;
            									if( *(__ebp + 0x68) >= 0x1000000) {
            										goto L153;
            									} else {
            										goto L151;
            									}
            								case 0x19:
            									__eflags = __ebx - 4;
            									if(__ebx < 4) {
            										 *(__ebp + 0x4c) = __ebx;
            										L125:
            										_t384 = __ebp + 0x4c;
            										 *_t384 =  *(__ebp + 0x4c) + 1;
            										__eflags =  *_t384;
            										L126:
            										__eax =  *(__ebp + 0x4c);
            										__eflags = __eax;
            										if(__eax == 0) {
            											 *(__ebp + 0x48) =  *(__ebp + 0x48) | 0xffffffff;
            											goto L176;
            										}
            										__eflags = __eax -  *(__ebp + 0x18);
            										if(__eax >  *(__ebp + 0x18)) {
            											goto L177;
            										}
            										 *(__ebp + 0x48) =  *(__ebp + 0x48) + 2;
            										__eax =  *(__ebp + 0x48);
            										_t391 = __ebp + 0x18;
            										 *_t391 =  *(__ebp + 0x18) +  *(__ebp + 0x48);
            										__eflags =  *_t391;
            										goto L129;
            									}
            									__ecx = __ebx;
            									__ebx = __ebx & 0x00000001;
            									__ecx = __ebx >> 1;
            									__ecx = (__ebx >> 1) - 1;
            									__eax = __ebx & 0x00000001 | 0x00000002;
            									__eax = (__ebx & 0x00000001 | 0x00000002) << __cl;
            									__eflags = __ebx - 0xe;
            									 *(__ebp + 0x4c) = __eax;
            									if(__ebx >= 0xe) {
            										__ebx = 0;
            										 *(__ebp + 0x30) = __ecx;
            										L108:
            										__eflags =  *(__ebp + 0x30);
            										if( *(__ebp + 0x30) <= 0) {
            											__eax = __eax + __ebx;
            											__edx = __edx + 0x644;
            											__eflags = __edx;
            											 *(__ebp + 0x4c) = __eax;
            											 *(__ebp + 0x20) = __edx;
            											 *(__ebp + 0x38) = 4;
            											L114:
            											__ebx = 0;
            											 *(__ebp + 0x28) = 1;
            											 *(__ebp + 0x34) = 0;
            											 *(__ebp + 0x30) = 0;
            											L118:
            											__eax =  *(__ebp + 0x38);
            											__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            											if( *(__ebp + 0x30) >=  *(__ebp + 0x38)) {
            												_t382 = __ebp + 0x4c;
            												 *_t382 =  *(__ebp + 0x4c) + __ebx;
            												__eflags =  *_t382;
            												goto L125;
            											}
            											__edi =  *(__ebp + 0x28);
            											__eax =  *(__ebp + 0x20);
            											__edx =  *(__ebp + 0x68);
            											__edi =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            											__esi = __edi +  *(__ebp + 0x20);
            											__eax =  *__esi & 0x0000ffff;
            											__ecx = __ax & 0x0000ffff;
            											__edx =  *(__ebp + 0x68) >> 0xb;
            											__edx = ( *(__ebp + 0x68) >> 0xb) * __ecx;
            											__eflags =  *(__ebp + 0x6c) - __edx;
            											 *(__ebp + 0x24) = __esi;
            											if( *(__ebp + 0x6c) >= __edx) {
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) - __edx;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __edx;
            												0 = 1;
            												__ebx = 1;
            												__ecx =  *(__ebp + 0x30);
            												__ebx = 1 << __cl;
            												__ecx = 1 << __cl;
            												__ebx =  *(__ebp + 0x34);
            												__ebx =  *(__ebp + 0x34) | 1 << __cl;
            												__cx = __ax;
            												__cx = __ax >> 5;
            												__ax = __ax - __cx;
            												__edi = __edi + 1;
            												__eflags = __edi;
            												 *(__ebp + 0x34) = __ebx;
            												 *__esi = __ax;
            												 *(__ebp + 0x28) = __edi;
            											} else {
            												 *(__ebp + 0x68) = __edx;
            												0x800 = 0x800 - __ecx;
            												0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
            												 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            												 *__esi = __dx;
            											}
            											__eflags =  *(__ebp + 0x68) - 0x1000000;
            											if( *(__ebp + 0x68) >= 0x1000000) {
            												L117:
            												_t360 = __ebp + 0x30;
            												 *_t360 =  *(__ebp + 0x30) + 1;
            												__eflags =  *_t360;
            												goto L118;
            											} else {
            												goto L115;
            											}
            										}
            										__ecx =  *(__ebp + 0x6c);
            										 *(__ebp + 0x68) =  *(__ebp + 0x68) >> 1;
            										__ebx = __ebx + __ebx;
            										__eflags = __ecx -  *(__ebp + 0x68);
            										 *(__ebp + 0x34) = __ebx;
            										if(__ecx >=  *(__ebp + 0x68)) {
            											__ecx = __ecx -  *(__ebp + 0x68);
            											__ebx = __ebx | 0x00000001;
            											__eflags = __ebx;
            											 *(__ebp + 0x6c) = __ecx;
            											 *(__ebp + 0x34) = __ebx;
            										}
            										__eflags =  *(__ebp + 0x68) - 0x1000000;
            										if( *(__ebp + 0x68) >= 0x1000000) {
            											L107:
            											_t332 = __ebp + 0x30;
            											 *_t332 =  *(__ebp + 0x30) - 1;
            											__eflags =  *_t332;
            											goto L108;
            										} else {
            											L105:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												 *(__ebp - 0x10) = 0xc;
            												goto L176;
            											}
            											__edi =  *(__ebp + 8);
            											__ecx =  *(__ebp + 0x6c);
            											__edi =  *( *(__ebp + 8)) & 0x000000ff;
            											 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            											 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            											 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            											_t329 = __ebp + 8;
            											 *_t329 =  *(__ebp + 8) + 1;
            											__eflags =  *_t329;
            											 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            											goto L107;
            										}
            									}
            									__eax = __eax - __ebx;
            									 *(__ebp + 0x20) = __eax;
            									 *(__ebp + 0x38) = __ecx;
            									goto L114;
            								case 0x1a:
            									L60:
            									__eflags =  *(__ebp + 0x14);
            									if( *(__ebp + 0x14) == 0) {
            										 *(__ebp - 0x10) = 0x1a;
            										goto L176;
            									}
            									__al =  *(__ebp + 0x1c);
            									__ecx =  *(__ebp + 0x10);
            									__edx =  *(__ebp + 0x70);
            									 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            									 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            									 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            									 *( *(__ebp + 0x10)) = __al;
            									__ecx =  *(__ebp + 0x64);
            									 *((char*)(__ecx +  *(__ebp + 0x70))) = __al;
            									__eax = __ecx + 1;
            									__edx = 0;
            									_t191 = __eax %  *(__ebp + 4);
            									__eax = __eax /  *(__ebp + 4);
            									__edx = _t191;
            									goto L84;
            								case 0x1b:
            									L80:
            									__eflags =  *(__ebp + 0x14);
            									if( *(__ebp + 0x14) == 0) {
            										 *(__ebp - 0x10) = 0x1b;
            										goto L176;
            									}
            									__eax =  *(__ebp + 0x64);
            									__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            									__eflags = __eax -  *(__ebp + 4);
            									if(__eax >=  *(__ebp + 4)) {
            										__eax = __eax +  *(__ebp + 4);
            										__eflags = __eax;
            									}
            									__edx =  *(__ebp + 0x70);
            									__cl =  *(__eax + __edx);
            									__eax =  *(__ebp + 0x64);
            									 *(__eax + __edx) = __cl;
            									__eax = __eax + 1;
            									__edx = 0;
            									_t269 = __eax %  *(__ebp + 4);
            									__eax = __eax /  *(__ebp + 4);
            									__edx = _t269;
            									 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            									__eax =  *(__ebp + 0x10);
            									 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            									_t278 = __ebp + 0x14;
            									 *_t278 =  *(__ebp + 0x14) - 1;
            									__eflags =  *_t278;
            									 *(__ebp + 0x1c) = __cl;
            									 *( *(__ebp + 0x10)) = __cl;
            									L84:
            									 *(__ebp + 0x64) = __edx;
            									goto L85;
            								case 0x1c:
            									while(1) {
            										L129:
            										__eflags =  *(__ebp + 0x14);
            										if( *(__ebp + 0x14) == 0) {
            											break;
            										}
            										__eax =  *(__ebp + 0x64);
            										__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            										__eflags = __eax -  *(__ebp + 4);
            										if(__eax >=  *(__ebp + 4)) {
            											__eax = __eax +  *(__ebp + 4);
            											__eflags = __eax;
            										}
            										__edx =  *(__ebp + 0x70);
            										__cl =  *(__eax + __edx);
            										__eax =  *(__ebp + 0x64);
            										 *(__eax + __edx) = __cl;
            										__eax = __eax + 1;
            										__edx = 0;
            										_t404 = __eax %  *(__ebp + 4);
            										__eax = __eax /  *(__ebp + 4);
            										__edx = _t404;
            										__eax =  *(__ebp + 0x10);
            										 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            										 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            										 *(__ebp + 0x48) =  *(__ebp + 0x48) - 1;
            										__eflags =  *(__ebp + 0x48);
            										 *(__ebp + 0x1c) = __cl;
            										 *( *(__ebp + 0x10)) = __cl;
            										 *(__ebp + 0x64) = __edx;
            										if( *(__ebp + 0x48) > 0) {
            											continue;
            										} else {
            											L85:
            											 *(__ebp - 0x10) = 2;
            											goto L3;
            										}
            									}
            									 *(__ebp - 0x10) = 0x1c;
            									L176:
            									_push(0x22);
            									_pop(_t556);
            									memcpy( *(_t615 - 0x18), _t615 - 0x10, _t556 << 2);
            									_t522 = 0;
            									L178:
            									goto L179;
            							}
            						}
            						L177:
            						_t522 = _t521 | 0xffffffff;
            						goto L178;
            					}
            				} else {
            					_t522 = 1;
            					L179:
            					return _t522;
            				}
            			}









            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 84ba9b7b1e46ffbbe36361df63a48f904126fb2c17521b9367449b78c74fd88a
            • Instruction ID: b8f392790c2be9c4190af1bc8fca9bd828317e5a3f73b92229c3cd16b4bb5d9c
            • Opcode Fuzzy Hash: 84ba9b7b1e46ffbbe36361df63a48f904126fb2c17521b9367449b78c74fd88a
            • Instruction Fuzzy Hash: F9816471904208EBDF14CF28C944AAE3BB1FF44355F11852AFC9AAB2D1C778A985CF85
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E0040810E(void* __edx) {
            				signed int _t520;
            				unsigned short _t522;
            				signed int _t523;
            				void _t524;
            				signed int _t525;
            				signed int _t526;
            				signed int _t553;
            				signed int _t556;
            				signed int _t590;
            				signed short* _t597;
            				intOrPtr* _t604;
            
            				L0:
            				while(1) {
            					L0:
            					if( *(_t604 + 0x38) != 1) {
            						 *((intOrPtr*)(_t604 + 0x58)) =  *((intOrPtr*)(_t604 + 0x54));
            						 *((intOrPtr*)(_t604 + 0x54)) =  *((intOrPtr*)(_t604 + 0x50));
            						 *((intOrPtr*)(_t604 + 0x50)) =  *((intOrPtr*)(_t604 + 0x4c));
            						 *((intOrPtr*)(_t604 - 8)) = 0x16;
            						_t520 = ((0 |  *(_t604 + 0x40) - 0x00000007 >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xa;
            						 *(_t604 + 0x40) = _t520;
            						 *(_t604 + 0x20) = __edx + 0x664;
            						goto L70;
            					} else {
            						 *(__ebp - 0xc) = 8;
            						while(1) {
            							L134:
            							 *(_t604 + 0x24) = _t597;
            							while(1) {
            								L135:
            								_t522 =  *_t597 & 0x0000ffff;
            								_t590 = _t522 & 0x0000ffff;
            								_t553 = ( *(_t604 + 0x68) >> 0xb) * _t590;
            								if( *(_t604 + 0x6c) >= _t553) {
            									 *(_t604 + 0x68) =  *(_t604 + 0x68) - _t553;
            									 *(_t604 + 0x6c) =  *(_t604 + 0x6c) - _t553;
            									_t523 = _t522 - (_t522 >> 5);
            									 *_t597 = _t523;
            									 *(_t604 + 0x38) = 1;
            								} else {
            									 *(_t604 + 0x68) = _t553;
            									 *(_t604 + 0x38) =  *(_t604 + 0x38) & 0x00000000;
            									 *_t597 = (0x800 - _t590 >> 5) + _t522;
            								}
            								if( *(_t604 + 0x68) >= 0x1000000) {
            									goto L141;
            								}
            								L139:
            								if( *(_t604 + 0xc) == 0) {
            									 *(_t604 - 0x10) = 5;
            									L173:
            									_t556 = 0x22;
            									memcpy( *(_t604 - 0x18), _t604 - 0x10, _t556 << 2);
            									_t526 = 0;
            								} else {
            									 *(_t604 + 0x68) =  *(_t604 + 0x68) << 8;
            									 *(_t604 + 0xc) =  *(_t604 + 0xc) - 1;
            									 *(_t604 + 8) =  &(( *(_t604 + 8))[1]);
            									 *(_t604 + 0x6c) =  *(_t604 + 0x6c) << 0x00000008 |  *( *(_t604 + 8)) & 0x000000ff;
            									goto L141;
            								}
            								L175:
            								return _t526;
            								L141:
            								_t524 =  *(_t604 - 0xc);
            								while(1) {
            									 *(_t604 - 0x10) = _t524;
            									while(1) {
            										L2:
            										_t525 =  *(_t604 - 0x10);
            										if(_t525 > 0x1c) {
            											break;
            										}
            										switch( *((intOrPtr*)(_t525 * 4 +  &M004086B6))) {
            											case 0:
            												if( *(_t604 + 0xc) == 0) {
            													goto L173;
            												} else {
            													 *(_t604 + 0xc) =  *(_t604 + 0xc) - 1;
            													_t525 =  *( *(_t604 + 8));
            													 *(_t604 + 8) =  &(( *(_t604 + 8))[1]);
            													if(_t525 > 0xe1) {
            														goto L174;
            													} else {
            														_t529 = _t525 & 0x000000ff;
            														asm("cdq");
            														_push(0x2d);
            														_pop(_t558);
            														_push(9);
            														_pop(_t559);
            														_t600 = _t529 / _t558;
            														_t531 = _t529 % _t558 & 0x000000ff;
            														asm("cdq");
            														_t595 = _t531 % _t559 & 0x000000ff;
            														 *(_t604 + 0x3c) = _t595;
            														 *(_t604 + 0x5c) = (1 << _t600) - 1;
            														 *((intOrPtr*)(_t604 + 0x60)) = (1 << _t531 / _t559) - 1;
            														_t603 = (0x300 << _t595 + _t600) + 0x736;
            														if(0x600 ==  *_t604) {
            															L11:
            															if(_t603 != 0) {
            																do {
            																	_t603 = _t603 - 1;
            																	 *((short*)( *(_t604 + 0x74) + _t603 * 2)) = 0x400;
            																} while (_t603 != 0);
            															}
            															 *(_t604 + 0x30) =  *(_t604 + 0x30) & 0x00000000;
            															 *(_t604 + 0x38) =  *(_t604 + 0x38) & 0x00000000;
            															goto L16;
            														} else {
            															if( *(_t604 + 0x74) != 0) {
            																GlobalFree( *(_t604 + 0x74)); // executed
            															}
            															_t525 = GlobalAlloc(0x40, 0x600); // executed
            															 *(_t604 + 0x74) = _t525;
            															if(_t525 == 0) {
            																goto L174;
            															} else {
            																 *_t604 = 0x600;
            																goto L11;
            															}
            														}
            													}
            												}
            												goto L175;
            											case 1:
            												L14:
            												__eflags =  *(_t604 + 0xc);
            												if( *(_t604 + 0xc) == 0) {
            													 *(_t604 - 0x10) = 1;
            													goto L173;
            												} else {
            													 *(_t604 + 0xc) =  *(_t604 + 0xc) - 1;
            													 *(_t604 + 0x38) =  *(_t604 + 0x38) | ( *( *(_t604 + 8)) & 0x000000ff) <<  *(_t604 + 0x30) << 0x00000003;
            													 *(_t604 + 8) =  &(( *(_t604 + 8))[1]);
            													_t44 = _t604 + 0x30;
            													 *_t44 =  *(_t604 + 0x30) + 1;
            													__eflags =  *_t44;
            													L16:
            													if( *(_t604 + 0x30) < 4) {
            														goto L14;
            													} else {
            														_t536 =  *(_t604 + 0x38);
            														if(_t536 ==  *(_t604 + 4)) {
            															L21:
            															 *((char*)( *(_t604 + 0x70) +  *(_t604 + 4) - 1)) = 0;
            															 *(_t604 + 0x30) = 5;
            															goto L24;
            														} else {
            															 *(_t604 + 4) = _t536;
            															if( *(_t604 + 0x70) != 0) {
            																GlobalFree( *(_t604 + 0x70)); // executed
            															}
            															_t525 = GlobalAlloc(0x40,  *(_t604 + 0x38)); // executed
            															 *(_t604 + 0x70) = _t525;
            															if(_t525 == 0) {
            																goto L174;
            															} else {
            																goto L21;
            															}
            														}
            													}
            												}
            												goto L175;
            											case 2:
            												L26:
            												_t543 =  *(_t604 + 0x18) &  *(_t604 + 0x5c);
            												 *(_t604 + 0x2c) = _t543;
            												_t597 = _t588 + (( *(_t604 + 0x40) << 4) + _t543) * 2;
            												 *(_t604 - 0xc) = 6;
            												goto L134;
            											case 3:
            												L22:
            												__eflags =  *(_t604 + 0xc);
            												if( *(_t604 + 0xc) == 0) {
            													 *(_t604 - 0x10) = 3;
            													goto L173;
            												} else {
            													 *(_t604 + 0xc) =  *(_t604 + 0xc) - 1;
            													_t64 = _t604 + 8;
            													 *_t64 =  &(( *(_t604 + 8))[1]);
            													__eflags =  *_t64;
            													 *(_t604 + 0x6c) =  *(_t604 + 0x6c) << 0x00000008 |  *( *(_t604 + 8)) & 0x000000ff;
            													L24:
            													 *(_t604 + 0x30) =  *(_t604 + 0x30) - 1;
            													if( *(_t604 + 0x30) != 0) {
            														goto L22;
            													} else {
            														_t588 =  *(_t604 + 0x74);
            														goto L26;
            													}
            												}
            												goto L175;
            											case 4:
            												L135:
            												_t522 =  *_t597 & 0x0000ffff;
            												_t590 = _t522 & 0x0000ffff;
            												_t553 = ( *(_t604 + 0x68) >> 0xb) * _t590;
            												if( *(_t604 + 0x6c) >= _t553) {
            													 *(_t604 + 0x68) =  *(_t604 + 0x68) - _t553;
            													 *(_t604 + 0x6c) =  *(_t604 + 0x6c) - _t553;
            													_t523 = _t522 - (_t522 >> 5);
            													 *_t597 = _t523;
            													 *(_t604 + 0x38) = 1;
            												} else {
            													 *(_t604 + 0x68) = _t553;
            													 *(_t604 + 0x38) =  *(_t604 + 0x38) & 0x00000000;
            													 *_t597 = (0x800 - _t590 >> 5) + _t522;
            												}
            												if( *(_t604 + 0x68) >= 0x1000000) {
            													goto L141;
            												}
            												goto L175;
            											case 5:
            												goto L139;
            											case 6:
            												__eax = 0;
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													__eax =  *(__ebp + 0x40);
            													 *(__ebp + 0x44) = 1;
            													__esi = __edx + 0x180 +  *(__ebp + 0x40) * 2;
            													 *(__ebp - 0xc) = 7;
            													goto L134;
            												} else {
            													__esi =  *(__ebp + 0x1c) & 0x000000ff;
            													 *(__ebp + 0x18) =  *(__ebp + 0x18) &  *(__ebp + 0x60);
            													_push(8);
            													_pop(__ecx);
            													__cl = __cl -  *(__ebp + 0x3c);
            													__esi = ( *(__ebp + 0x1c) & 0x000000ff) >> __cl;
            													__ecx =  *(__ebp + 0x3c);
            													__edi = ( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl;
            													__esi = (( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl);
            													__esi = ((( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl)) * 0x600;
            													__eflags =  *(__ebp + 0x40) - 4;
            													__ecx = __esi + __edx + 0xe6c;
            													 *(__ebp + 0x20) = __esi + __edx + 0xe6c;
            													if( *(__ebp + 0x40) >= 4) {
            														__eflags =  *(__ebp + 0x40) - 0xa;
            														if( *(__ebp + 0x40) >= 0xa) {
            															_t92 = __ebp + 0x40;
            															 *_t92 =  *(__ebp + 0x40) - 6;
            															__eflags =  *_t92;
            														} else {
            															 *(__ebp + 0x40) =  *(__ebp + 0x40) - 3;
            														}
            													} else {
            														 *(__ebp + 0x40) = 0;
            													}
            													__eflags =  *(__ebp + 0x44) - __eax;
            													if( *(__ebp + 0x44) == __eax) {
            														__ebx = 0;
            														__ebx = 1;
            														goto L63;
            													} else {
            														__eax =  *(__ebp + 0x64);
            														__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            														__eflags = __eax -  *(__ebp + 4);
            														if(__eax >=  *(__ebp + 4)) {
            															__eax = __eax +  *(__ebp + 4);
            															__eflags = __eax;
            														}
            														__ecx =  *(__ebp + 0x70);
            														__al =  *((intOrPtr*)(__eax + __ecx));
            														__ebx = 0;
            														 *(__ebp + 0x1d) =  *((intOrPtr*)(__eax + __ecx));
            														__ebx = 1;
            														goto L43;
            													}
            												}
            												goto L175;
            											case 7:
            												goto L0;
            											case 8:
            												__eflags =  *(__ebp + 0x38);
            												__eax =  *(__ebp + 0x40);
            												if( *(__ebp + 0x38) != 0) {
            													__esi = __edx + 0x1b0 + __eax * 2;
            													 *(__ebp - 0xc) = 0xa;
            												} else {
            													__eax = __eax + 0xf;
            													__eax = __eax << 4;
            													__eax = __eax +  *(__ebp + 0x2c);
            													 *(__ebp - 0xc) = 9;
            													__esi = __edx + __eax * 2;
            												}
            												goto L134;
            											case 9:
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													goto L91;
            												} else {
            													__eflags =  *(__ebp + 0x18);
            													if( *(__ebp + 0x18) == 0) {
            														goto L174;
            													} else {
            														__eax = 0;
            														__eflags =  *(__ebp + 0x40) - 7;
            														_t247 =  *(__ebp + 0x40) - 7 >= 0;
            														__eflags = _t247;
            														__eax = 0 | _t247;
            														__eax = _t247 + _t247 + 9;
            														 *(__ebp + 0x40) = _t247 + _t247 + 9;
            														goto L77;
            													}
            												}
            												goto L175;
            											case 0xa:
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													__eax =  *(__ebp + 0x40);
            													__esi = __edx + 0x1c8 +  *(__ebp + 0x40) * 2;
            													 *(__ebp - 0xc) = 0xb;
            													while(1) {
            														L134:
            														 *(_t604 + 0x24) = _t597;
            														goto L135;
            													}
            												} else {
            													__eax =  *(__ebp + 0x50);
            													goto L90;
            												}
            												while(1) {
            													L134:
            													 *(_t604 + 0x24) = _t597;
            													goto L135;
            												}
            											case 0xb:
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													__ecx =  *(__ebp + 0x54);
            													__eax =  *(__ebp + 0x58);
            													 *(__ebp + 0x58) =  *(__ebp + 0x54);
            												} else {
            													__eax =  *(__ebp + 0x54);
            												}
            												__ecx =  *(__ebp + 0x50);
            												 *(__ebp + 0x54) =  *(__ebp + 0x50);
            												L90:
            												__ecx =  *(__ebp + 0x4c);
            												 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            												 *(__ebp + 0x4c) = __eax;
            												L91:
            												__eax = __edx + 0xa68;
            												 *(__ebp + 0x20) = __edx + 0xa68;
            												 *(__ebp - 8) = 0x15;
            												goto L70;
            											case 0xc:
            												__eax =  *(__ebp + 0x4c);
            												goto L102;
            											case 0xd:
            												L39:
            												__eflags =  *(__ebp + 0xc);
            												if( *(__ebp + 0xc) == 0) {
            													 *(__ebp - 0x10) = 0xd;
            													goto L173;
            												} else {
            													__ecx =  *(__ebp + 8);
            													__eax =  *(__ebp + 0x6c);
            													__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            													 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            													 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													_t115 = __ebp + 8;
            													 *_t115 =  *(__ebp + 8) + 1;
            													__eflags =  *_t115;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													L41:
            													__eax =  *(__ebp + 0x38);
            													__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            													if( *(__ebp + 0x30) !=  *(__ebp + 0x38)) {
            														goto L50;
            													} else {
            														__eflags = __ebx - 0x100;
            														if(__ebx >= 0x100) {
            															goto L56;
            														} else {
            															L43:
            															__eax =  *(__ebp + 0x1d) & 0x000000ff;
            															 *(__ebp + 0x1d) =  *(__ebp + 0x1d) << 1;
            															__ecx =  *(__ebp + 0x20);
            															__eax = ( *(__ebp + 0x1d) & 0x000000ff) >> 7;
            															 *(__ebp + 0x30) = __eax;
            															__eax = __eax + 1;
            															__eax = __eax << 8;
            															__esi =  *(__ebp + 0x20) + __eax * 2;
            															__eax =  *__esi & 0x0000ffff;
            															__ecx =  *(__ebp + 0x68);
            															__edx = __ax & 0x0000ffff;
            															__ecx =  *(__ebp + 0x68) >> 0xb;
            															__ecx = ( *(__ebp + 0x68) >> 0xb) * __edx;
            															__eflags =  *(__ebp + 0x6c) - __ecx;
            															 *(__ebp + 0x24) = __esi;
            															if( *(__ebp + 0x6c) >= __ecx) {
            																 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            																 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            																__cx = __ax;
            																__cx = __ax >> 5;
            																__ax = __ax - __cx;
            																__eflags = __ax;
            																 *(__ebp + 0x38) = 1;
            																 *__esi = __ax;
            																__ebx = __ebx + __ebx + 1;
            															} else {
            																 *(__ebp + 0x38) =  *(__ebp + 0x38) & 0x00000000;
            																 *(__ebp + 0x68) = __ecx;
            																0x800 = 0x800 - __edx;
            																0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
            																 *__esi = __cx;
            																__ebx = __ebx + __ebx;
            															}
            															__eflags =  *(__ebp + 0x68) - 0x1000000;
            															 *(__ebp + 0x34) = __ebx;
            															if( *(__ebp + 0x68) >= 0x1000000) {
            																goto L41;
            															} else {
            																goto L39;
            															}
            														}
            													}
            												}
            												goto L175;
            											case 0xe:
            												L48:
            												__eflags =  *(__ebp + 0xc);
            												if( *(__ebp + 0xc) == 0) {
            													 *(__ebp - 0x10) = 0xe;
            													goto L173;
            												} else {
            													__ecx =  *(__ebp + 8);
            													__eax =  *(__ebp + 0x6c);
            													__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            													 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            													 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													_t149 = __ebp + 8;
            													 *_t149 =  *(__ebp + 8) + 1;
            													__eflags =  *_t149;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													while(1) {
            														L50:
            														__eflags = __ebx - 0x100;
            														if(__ebx >= 0x100) {
            															break;
            														}
            														__eax =  *(__ebp + 0x20);
            														__ecx =  *(__ebp + 0x68);
            														__edx = __ebx + __ebx;
            														__esi = __edx +  *(__ebp + 0x20);
            														__eax =  *__esi & 0x0000ffff;
            														__edi = __ax & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68) >> 0xb;
            														__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            														__eflags =  *(__ebp + 0x6c) - __ecx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __ecx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__eflags = __ax;
            															 *__esi = __ax;
            															__ebx = __edx + 1;
            														} else {
            															 *(__ebp + 0x68) = __ecx;
            															0x800 = 0x800 - __edi;
            															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            															 *__esi = __cx;
            															__ebx = __ebx + __ebx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														 *(__ebp + 0x34) = __ebx;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															continue;
            														} else {
            															goto L48;
            														}
            														goto L175;
            													}
            													L56:
            													_t166 = __ebp + 0x44;
            													 *_t166 =  *(__ebp + 0x44) & 0x00000000;
            													__eflags =  *_t166;
            													goto L57;
            												}
            												goto L175;
            											case 0xf:
            												L60:
            												__eflags =  *(__ebp + 0xc);
            												if( *(__ebp + 0xc) == 0) {
            													 *(__ebp - 0x10) = 0xf;
            													goto L173;
            												} else {
            													__ecx =  *(__ebp + 8);
            													__eax =  *(__ebp + 0x6c);
            													__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            													 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            													 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													_t196 = __ebp + 8;
            													 *_t196 =  *(__ebp + 8) + 1;
            													__eflags =  *_t196;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													L62:
            													__eflags = __ebx - 0x100;
            													if(__ebx >= 0x100) {
            														L57:
            														__al =  *(__ebp + 0x34);
            														 *(__ebp + 0x1c) =  *(__ebp + 0x34);
            														goto L58;
            													} else {
            														L63:
            														__eax =  *(__ebp + 0x20);
            														__ecx =  *(__ebp + 0x68);
            														__edx = __ebx + __ebx;
            														__esi = __edx +  *(__ebp + 0x20);
            														__eax =  *__esi & 0x0000ffff;
            														__edi = __ax & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68) >> 0xb;
            														__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            														__eflags =  *(__ebp + 0x6c) - __ecx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __ecx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__eflags = __ax;
            															 *__esi = __ax;
            															__ebx = __edx + 1;
            														} else {
            															 *(__ebp + 0x68) = __ecx;
            															0x800 = 0x800 - __edi;
            															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            															 *__esi = __cx;
            															__ebx = __ebx + __ebx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														 *(__ebp + 0x34) = __ebx;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															goto L62;
            														} else {
            															goto L60;
            														}
            													}
            												}
            												goto L175;
            											case 0x10:
            												L112:
            												__eflags =  *(__ebp + 0xc);
            												if( *(__ebp + 0xc) == 0) {
            													 *(__ebp - 0x10) = 0x10;
            													goto L173;
            												} else {
            													__ecx =  *(__ebp + 8);
            													__eax =  *(__ebp + 0x6c);
            													__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            													 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            													 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													_t350 = __ebp + 8;
            													 *_t350 =  *(__ebp + 8) + 1;
            													__eflags =  *_t350;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													goto L114;
            												}
            												goto L175;
            											case 0x11:
            												L70:
            												_t597 =  *(_t604 + 0x20);
            												 *(_t604 - 0xc) = 0x12;
            												while(1) {
            													L134:
            													 *(_t604 + 0x24) = _t597;
            													goto L135;
            												}
            											case 0x12:
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													 *(__ebp + 0x20) =  *(__ebp + 0x20) + 2;
            													__eflags =  *(__ebp + 0x20) + 2;
            													 *(__ebp - 0xc) = 0x13;
            													while(1) {
            														L134:
            														 *(_t604 + 0x24) = _t597;
            														goto L135;
            													}
            												} else {
            													__eax =  *(__ebp + 0x2c);
            													 *(__ebp + 0x48) =  *(__ebp + 0x48) & 0x00000000;
            													__ecx =  *(__ebp + 0x20);
            													__eax =  *(__ebp + 0x2c) << 4;
            													__eax =  *(__ebp + 0x20) + ( *(__ebp + 0x2c) << 4) + 4;
            													goto L144;
            												}
            												goto L175;
            											case 0x13:
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													_t451 = __ebp + 0x20;
            													 *_t451 =  *(__ebp + 0x20) + 0x204;
            													__eflags =  *_t451;
            													 *(__ebp + 0x48) = 0x10;
            													 *(__ebp + 0x38) = 8;
            												} else {
            													__eax =  *(__ebp + 0x2c);
            													__ecx =  *(__ebp + 0x20);
            													__eax =  *(__ebp + 0x2c) << 4;
            													__eflags = __eax;
            													 *(__ebp + 0x48) = 8;
            													__eax =  *(__ebp + 0x20) + __eax + 0x104;
            													L144:
            													 *(__ebp + 0x20) = __eax;
            													 *(__ebp + 0x38) = 3;
            												}
            												 *(__ebp - 4) = 0x14;
            												goto L147;
            											case 0x14:
            												_t492 = __ebp + 0x48;
            												 *_t492 =  *(__ebp + 0x48) + __ebx;
            												__eflags =  *_t492;
            												__eax =  *(__ebp - 8);
            												 *(_t604 - 0x10) = _t524;
            												goto L2;
            											case 0x15:
            												__eax = 0;
            												__eflags =  *(__ebp + 0x40) - 7;
            												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            												(__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            												 *(__ebp + 0x40) = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            												goto L123;
            											case 0x16:
            												__eax =  *(__ebp + 0x48);
            												__eflags = __eax - 4;
            												if(__eax >= 4) {
            													_push(3);
            													_pop(__eax);
            												}
            												__eax = __eax << 7;
            												 *(__ebp + 0x20) = __eax;
            												 *(__ebp + 0x38) = 6;
            												 *(__ebp - 4) = 0x19;
            												goto L147;
            											case 0x17:
            												L147:
            												__eax =  *(__ebp + 0x38);
            												 *(__ebp + 0x28) = 1;
            												 *(__ebp + 0x30) =  *(__ebp + 0x38);
            												goto L151;
            											case 0x18:
            												L148:
            												__eflags =  *(__ebp + 0xc);
            												if( *(__ebp + 0xc) == 0) {
            													 *(__ebp - 0x10) = 0x18;
            													goto L173;
            												} else {
            													__ecx =  *(__ebp + 8);
            													__eax =  *(__ebp + 0x6c);
            													__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            													 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            													 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													_t466 = __ebp + 8;
            													 *_t466 =  *(__ebp + 8) + 1;
            													__eflags =  *_t466;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													L150:
            													_t469 = __ebp + 0x30;
            													 *_t469 =  *(__ebp + 0x30) - 1;
            													__eflags =  *_t469;
            													__edx =  *(__ebp + 0x74);
            													L151:
            													__eflags =  *(__ebp + 0x30);
            													if( *(__ebp + 0x30) <= 0) {
            														__ecx =  *(__ebp + 0x38);
            														__ebx =  *(__ebp + 0x28);
            														0 = 1;
            														__eax = 1 << __cl;
            														__ebx =  *(__ebp + 0x28) - (1 << __cl);
            														__eax =  *(__ebp - 4);
            														 *(__ebp + 0x34) = __ebx;
            														while(1) {
            															 *(_t604 - 0x10) = _t524;
            															goto L2;
            														}
            													} else {
            														__edx =  *(__ebp + 0x28);
            														__eax =  *(__ebp + 0x20);
            														__ecx =  *(__ebp + 0x68);
            														__edx =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            														__esi = __edx +  *(__ebp + 0x20);
            														__eax =  *__esi & 0x0000ffff;
            														__edi = __ax & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68) >> 0xb;
            														__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            														__eflags =  *(__ebp + 0x6c) - __ecx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __ecx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__edx = __edx + 1;
            															__eflags = __edx;
            															 *__esi = __ax;
            															 *(__ebp + 0x28) = __edx;
            														} else {
            															 *(__ebp + 0x68) = __ecx;
            															0x800 = 0x800 - __edi;
            															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            															 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            															 *__esi = __cx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															goto L150;
            														} else {
            															goto L148;
            														}
            													}
            												}
            												goto L175;
            											case 0x19:
            												__eflags = __ebx - 4;
            												if(__ebx < 4) {
            													 *(__ebp + 0x4c) = __ebx;
            													goto L122;
            												} else {
            													__ecx = __ebx;
            													__ebx = __ebx & 0x00000001;
            													__ecx = __ebx >> 1;
            													__ecx = (__ebx >> 1) - 1;
            													__eax = __ebx & 0x00000001 | 0x00000002;
            													__eax = (__ebx & 0x00000001 | 0x00000002) << __cl;
            													__eflags = __ebx - 0xe;
            													 *(__ebp + 0x4c) = __eax;
            													if(__ebx >= 0xe) {
            														__ebx = 0;
            														 *(__ebp + 0x30) = __ecx;
            														L105:
            														__eflags =  *(__ebp + 0x30);
            														if( *(__ebp + 0x30) <= 0) {
            															__eax = __eax + __ebx;
            															__edx = __edx + 0x644;
            															__eflags = __edx;
            															 *(__ebp + 0x4c) = __eax;
            															 *(__ebp + 0x20) = __edx;
            															 *(__ebp + 0x38) = 4;
            															goto L111;
            														} else {
            															__ecx =  *(__ebp + 0x6c);
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) >> 1;
            															__ebx = __ebx + __ebx;
            															__eflags = __ecx -  *(__ebp + 0x68);
            															 *(__ebp + 0x34) = __ebx;
            															if(__ecx >=  *(__ebp + 0x68)) {
            																__ecx = __ecx -  *(__ebp + 0x68);
            																__ebx = __ebx | 0x00000001;
            																__eflags = __ebx;
            																 *(__ebp + 0x6c) = __ecx;
            																 *(__ebp + 0x34) = __ebx;
            															}
            															__eflags =  *(__ebp + 0x68) - 0x1000000;
            															if( *(__ebp + 0x68) >= 0x1000000) {
            																L104:
            																_t325 = __ebp + 0x30;
            																 *_t325 =  *(__ebp + 0x30) - 1;
            																__eflags =  *_t325;
            																goto L105;
            															} else {
            																L102:
            																__eflags =  *(__ebp + 0xc);
            																if( *(__ebp + 0xc) == 0) {
            																	 *(__ebp - 0x10) = 0xc;
            																	goto L173;
            																} else {
            																	__edi =  *(__ebp + 8);
            																	__ecx =  *(__ebp + 0x6c);
            																	__edi =  *( *(__ebp + 8)) & 0x000000ff;
            																	 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            																	 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            																	 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																	_t322 = __ebp + 8;
            																	 *_t322 =  *(__ebp + 8) + 1;
            																	__eflags =  *_t322;
            																	 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																	goto L104;
            																}
            															}
            														}
            													} else {
            														__eax = __eax - __ebx;
            														 *(__ebp + 0x20) = __eax;
            														 *(__ebp + 0x38) = __ecx;
            														L111:
            														__ebx = 0;
            														 *(__ebp + 0x28) = 1;
            														 *(__ebp + 0x34) = 0;
            														 *(__ebp + 0x30) = 0;
            														L115:
            														__eax =  *(__ebp + 0x38);
            														__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            														if( *(__ebp + 0x30) >=  *(__ebp + 0x38)) {
            															_t375 = __ebp + 0x4c;
            															 *_t375 =  *(__ebp + 0x4c) + __ebx;
            															__eflags =  *_t375;
            															L122:
            															_t377 = __ebp + 0x4c;
            															 *_t377 =  *(__ebp + 0x4c) + 1;
            															__eflags =  *_t377;
            															L123:
            															__eax =  *(__ebp + 0x4c);
            															__eflags = __eax;
            															if(__eax == 0) {
            																 *(__ebp + 0x48) =  *(__ebp + 0x48) | 0xffffffff;
            																goto L173;
            															} else {
            																__eflags = __eax -  *(__ebp + 0x18);
            																if(__eax >  *(__ebp + 0x18)) {
            																	goto L174;
            																} else {
            																	 *(__ebp + 0x48) =  *(__ebp + 0x48) + 2;
            																	__eax =  *(__ebp + 0x48);
            																	_t384 = __ebp + 0x18;
            																	 *_t384 =  *(__ebp + 0x18) +  *(__ebp + 0x48);
            																	__eflags =  *_t384;
            																	goto L126;
            																}
            															}
            														} else {
            															__edi =  *(__ebp + 0x28);
            															__eax =  *(__ebp + 0x20);
            															__edx =  *(__ebp + 0x68);
            															__edi =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            															__esi = __edi +  *(__ebp + 0x20);
            															__eax =  *__esi & 0x0000ffff;
            															__ecx = __ax & 0x0000ffff;
            															__edx =  *(__ebp + 0x68) >> 0xb;
            															__edx = ( *(__ebp + 0x68) >> 0xb) * __ecx;
            															__eflags =  *(__ebp + 0x6c) - __edx;
            															 *(__ebp + 0x24) = __esi;
            															if( *(__ebp + 0x6c) >= __edx) {
            																 *(__ebp + 0x68) =  *(__ebp + 0x68) - __edx;
            																 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __edx;
            																0 = 1;
            																__ebx = 1;
            																__ecx =  *(__ebp + 0x30);
            																__ebx = 1 << __cl;
            																__ecx = 1 << __cl;
            																__ebx =  *(__ebp + 0x34);
            																__ebx =  *(__ebp + 0x34) | 1 << __cl;
            																__cx = __ax;
            																__cx = __ax >> 5;
            																__ax = __ax - __cx;
            																__edi = __edi + 1;
            																__eflags = __edi;
            																 *(__ebp + 0x34) = __ebx;
            																 *__esi = __ax;
            																 *(__ebp + 0x28) = __edi;
            															} else {
            																 *(__ebp + 0x68) = __edx;
            																0x800 = 0x800 - __ecx;
            																0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
            																 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            																 *__esi = __dx;
            															}
            															__eflags =  *(__ebp + 0x68) - 0x1000000;
            															if( *(__ebp + 0x68) >= 0x1000000) {
            																L114:
            																_t353 = __ebp + 0x30;
            																 *_t353 =  *(__ebp + 0x30) + 1;
            																__eflags =  *_t353;
            																goto L115;
            															} else {
            																goto L112;
            															}
            														}
            													}
            												}
            												goto L175;
            											case 0x1a:
            												L58:
            												__eflags =  *(__ebp + 0x14);
            												if( *(__ebp + 0x14) == 0) {
            													 *(__ebp - 0x10) = 0x1a;
            													goto L173;
            												} else {
            													__al =  *(__ebp + 0x1c);
            													__ecx =  *(__ebp + 0x10);
            													__edx =  *(__ebp + 0x70);
            													 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            													 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            													 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            													 *( *(__ebp + 0x10)) = __al;
            													__ecx =  *(__ebp + 0x64);
            													 *((char*)(__ecx +  *(__ebp + 0x70))) = __al;
            													__eax = __ecx + 1;
            													__edx = 0;
            													_t185 = __eax %  *(__ebp + 4);
            													__eax = __eax /  *(__ebp + 4);
            													__edx = _t185;
            													goto L81;
            												}
            												goto L175;
            											case 0x1b:
            												L77:
            												__eflags =  *(__ebp + 0x14);
            												if( *(__ebp + 0x14) == 0) {
            													 *(__ebp - 0x10) = 0x1b;
            													goto L173;
            												} else {
            													__eax =  *(__ebp + 0x64);
            													__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            													__eflags = __eax -  *(__ebp + 4);
            													if(__eax >=  *(__ebp + 4)) {
            														__eax = __eax +  *(__ebp + 4);
            														__eflags = __eax;
            													}
            													__edx =  *(__ebp + 0x70);
            													__cl =  *(__eax + __edx);
            													__eax =  *(__ebp + 0x64);
            													 *(__eax + __edx) = __cl;
            													__eax = __eax + 1;
            													__edx = 0;
            													_t262 = __eax %  *(__ebp + 4);
            													__eax = __eax /  *(__ebp + 4);
            													__edx = _t262;
            													 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            													__eax =  *(__ebp + 0x10);
            													 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            													_t271 = __ebp + 0x14;
            													 *_t271 =  *(__ebp + 0x14) - 1;
            													__eflags =  *_t271;
            													 *(__ebp + 0x1c) = __cl;
            													 *( *(__ebp + 0x10)) = __cl;
            													L81:
            													 *(__ebp + 0x64) = __edx;
            													goto L82;
            												}
            												goto L175;
            											case 0x1c:
            												while(1) {
            													L126:
            													__eflags =  *(__ebp + 0x14);
            													if( *(__ebp + 0x14) == 0) {
            														break;
            													}
            													__eax =  *(__ebp + 0x64);
            													__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            													__eflags = __eax -  *(__ebp + 4);
            													if(__eax >=  *(__ebp + 4)) {
            														__eax = __eax +  *(__ebp + 4);
            														__eflags = __eax;
            													}
            													__edx =  *(__ebp + 0x70);
            													__cl =  *(__eax + __edx);
            													__eax =  *(__ebp + 0x64);
            													 *(__eax + __edx) = __cl;
            													__eax = __eax + 1;
            													__edx = 0;
            													_t397 = __eax %  *(__ebp + 4);
            													__eax = __eax /  *(__ebp + 4);
            													__edx = _t397;
            													__eax =  *(__ebp + 0x10);
            													 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            													 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            													 *(__ebp + 0x48) =  *(__ebp + 0x48) - 1;
            													__eflags =  *(__ebp + 0x48);
            													 *(__ebp + 0x1c) = __cl;
            													 *( *(__ebp + 0x10)) = __cl;
            													 *(__ebp + 0x64) = __edx;
            													if( *(__ebp + 0x48) > 0) {
            														continue;
            													} else {
            														L82:
            														 *(__ebp - 0x10) = 2;
            														goto L2;
            													}
            													goto L175;
            												}
            												 *(__ebp - 0x10) = 0x1c;
            												goto L173;
            										}
            									}
            									L174:
            									_t526 = _t525 | 0xffffffff;
            									goto L175;
            								}
            							}
            						}
            					}
            					L134:
            					 *(_t604 + 0x24) = _t597;
            					goto L135;
            				}
            			}















            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5bf2a511323eb50c5f0278ad7ab59a5b807665e9481e1cb36a1f72689daa30a7
            • Instruction ID: 55e60ca873c7d9b45e9b3c436aa8e76e75e868305f4124d0c351d95a5ff3d83c
            • Opcode Fuzzy Hash: 5bf2a511323eb50c5f0278ad7ab59a5b807665e9481e1cb36a1f72689daa30a7
            • Instruction Fuzzy Hash: 60712171910248EBDF58CF18C984AA93BF1FF44355F11812AFC9AAB291D739E985CF84
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E00408210(void* __edx) {
            				unsigned short _t514;
            				signed int _t515;
            				void _t516;
            				signed int _t517;
            				signed int _t518;
            				signed int _t545;
            				signed int _t548;
            				signed int _t582;
            				signed short* _t589;
            				intOrPtr* _t596;
            
            				L0:
            				while(1) {
            					L0:
            					if( *(_t596 + 0x38) != 0) {
            						_t589 = __edx + 0x1c8 +  *(_t596 + 0x40) * 2;
            						 *(_t596 - 0xc) = 0xb;
            					} else {
            						__eax =  *(__ebp + 0x50);
            						L90:
            						 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            						 *(__ebp + 0x4c) = __eax;
            						L91:
            						__eax = __edx + 0xa68;
            						 *(__ebp + 0x20) = __edx + 0xa68;
            						 *(__ebp - 8) = 0x15;
            						L71:
            						 *(__ebp - 0xc) = 0x12;
            						while(1) {
            							L134:
            							 *(_t596 + 0x24) = _t589;
            							while(1) {
            								L135:
            								_t514 =  *_t589 & 0x0000ffff;
            								_t582 = _t514 & 0x0000ffff;
            								_t545 = ( *(_t596 + 0x68) >> 0xb) * _t582;
            								if( *(_t596 + 0x6c) >= _t545) {
            									 *(_t596 + 0x68) =  *(_t596 + 0x68) - _t545;
            									 *(_t596 + 0x6c) =  *(_t596 + 0x6c) - _t545;
            									_t515 = _t514 - (_t514 >> 5);
            									 *_t589 = _t515;
            									 *(_t596 + 0x38) = 1;
            								} else {
            									 *(_t596 + 0x68) = _t545;
            									 *(_t596 + 0x38) =  *(_t596 + 0x38) & 0x00000000;
            									 *_t589 = (0x800 - _t582 >> 5) + _t514;
            								}
            								if( *(_t596 + 0x68) >= 0x1000000) {
            									goto L141;
            								}
            								L139:
            								if( *(_t596 + 0xc) == 0) {
            									 *(_t596 - 0x10) = 5;
            									L173:
            									_t548 = 0x22;
            									memcpy( *(_t596 - 0x18), _t596 - 0x10, _t548 << 2);
            									_t518 = 0;
            								} else {
            									 *(_t596 + 0x68) =  *(_t596 + 0x68) << 8;
            									 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            									 *(_t596 + 8) =  &(( *(_t596 + 8))[1]);
            									 *(_t596 + 0x6c) =  *(_t596 + 0x6c) << 0x00000008 |  *( *(_t596 + 8)) & 0x000000ff;
            									goto L141;
            								}
            								L175:
            								return _t518;
            								L141:
            								_t516 =  *(_t596 - 0xc);
            								while(1) {
            									 *(_t596 - 0x10) = _t516;
            									while(1) {
            										L2:
            										_t517 =  *(_t596 - 0x10);
            										if(_t517 > 0x1c) {
            											break;
            										}
            										switch( *((intOrPtr*)(_t517 * 4 +  &M004086B6))) {
            											case 0:
            												if( *(_t596 + 0xc) == 0) {
            													goto L173;
            												} else {
            													 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            													_t517 =  *( *(_t596 + 8));
            													 *(_t596 + 8) =  &(( *(_t596 + 8))[1]);
            													if(_t517 > 0xe1) {
            														goto L174;
            													} else {
            														_t521 = _t517 & 0x000000ff;
            														asm("cdq");
            														_push(0x2d);
            														_pop(_t550);
            														_push(9);
            														_pop(_t551);
            														_t592 = _t521 / _t550;
            														_t523 = _t521 % _t550 & 0x000000ff;
            														asm("cdq");
            														_t587 = _t523 % _t551 & 0x000000ff;
            														 *(_t596 + 0x3c) = _t587;
            														 *(_t596 + 0x5c) = (1 << _t592) - 1;
            														 *((intOrPtr*)(_t596 + 0x60)) = (1 << _t523 / _t551) - 1;
            														_t595 = (0x300 << _t587 + _t592) + 0x736;
            														if(0x600 ==  *_t596) {
            															L11:
            															if(_t595 != 0) {
            																do {
            																	_t595 = _t595 - 1;
            																	 *((short*)( *(_t596 + 0x74) + _t595 * 2)) = 0x400;
            																} while (_t595 != 0);
            															}
            															 *(_t596 + 0x30) =  *(_t596 + 0x30) & 0x00000000;
            															 *(_t596 + 0x38) =  *(_t596 + 0x38) & 0x00000000;
            															goto L16;
            														} else {
            															if( *(_t596 + 0x74) != 0) {
            																GlobalFree( *(_t596 + 0x74)); // executed
            															}
            															_t517 = GlobalAlloc(0x40, 0x600); // executed
            															 *(_t596 + 0x74) = _t517;
            															if(_t517 == 0) {
            																goto L174;
            															} else {
            																 *_t596 = 0x600;
            																goto L11;
            															}
            														}
            													}
            												}
            												goto L175;
            											case 1:
            												L14:
            												__eflags =  *(_t596 + 0xc);
            												if( *(_t596 + 0xc) == 0) {
            													 *(_t596 - 0x10) = 1;
            													goto L173;
            												} else {
            													 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            													 *(_t596 + 0x38) =  *(_t596 + 0x38) | ( *( *(_t596 + 8)) & 0x000000ff) <<  *(_t596 + 0x30) << 0x00000003;
            													 *(_t596 + 8) =  &(( *(_t596 + 8))[1]);
            													_t44 = _t596 + 0x30;
            													 *_t44 =  *(_t596 + 0x30) + 1;
            													__eflags =  *_t44;
            													L16:
            													if( *(_t596 + 0x30) < 4) {
            														goto L14;
            													} else {
            														_t528 =  *(_t596 + 0x38);
            														if(_t528 ==  *(_t596 + 4)) {
            															L21:
            															 *((char*)( *(_t596 + 0x70) +  *(_t596 + 4) - 1)) = 0;
            															 *(_t596 + 0x30) = 5;
            															goto L24;
            														} else {
            															 *(_t596 + 4) = _t528;
            															if( *(_t596 + 0x70) != 0) {
            																GlobalFree( *(_t596 + 0x70)); // executed
            															}
            															_t517 = GlobalAlloc(0x40,  *(_t596 + 0x38)); // executed
            															 *(_t596 + 0x70) = _t517;
            															if(_t517 == 0) {
            																goto L174;
            															} else {
            																goto L21;
            															}
            														}
            													}
            												}
            												goto L175;
            											case 2:
            												L26:
            												_t535 =  *(_t596 + 0x18) &  *(_t596 + 0x5c);
            												 *(_t596 + 0x2c) = _t535;
            												_t589 = _t580 + (( *(_t596 + 0x40) << 4) + _t535) * 2;
            												 *(_t596 - 0xc) = 6;
            												goto L134;
            											case 3:
            												L22:
            												__eflags =  *(_t596 + 0xc);
            												if( *(_t596 + 0xc) == 0) {
            													 *(_t596 - 0x10) = 3;
            													goto L173;
            												} else {
            													 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            													_t64 = _t596 + 8;
            													 *_t64 =  &(( *(_t596 + 8))[1]);
            													__eflags =  *_t64;
            													 *(_t596 + 0x6c) =  *(_t596 + 0x6c) << 0x00000008 |  *( *(_t596 + 8)) & 0x000000ff;
            													L24:
            													 *(_t596 + 0x30) =  *(_t596 + 0x30) - 1;
            													if( *(_t596 + 0x30) != 0) {
            														goto L22;
            													} else {
            														_t580 =  *(_t596 + 0x74);
            														goto L26;
            													}
            												}
            												goto L175;
            											case 4:
            												L135:
            												_t514 =  *_t589 & 0x0000ffff;
            												_t582 = _t514 & 0x0000ffff;
            												_t545 = ( *(_t596 + 0x68) >> 0xb) * _t582;
            												if( *(_t596 + 0x6c) >= _t545) {
            													 *(_t596 + 0x68) =  *(_t596 + 0x68) - _t545;
            													 *(_t596 + 0x6c) =  *(_t596 + 0x6c) - _t545;
            													_t515 = _t514 - (_t514 >> 5);
            													 *_t589 = _t515;
            													 *(_t596 + 0x38) = 1;
            												} else {
            													 *(_t596 + 0x68) = _t545;
            													 *(_t596 + 0x38) =  *(_t596 + 0x38) & 0x00000000;
            													 *_t589 = (0x800 - _t582 >> 5) + _t514;
            												}
            												if( *(_t596 + 0x68) >= 0x1000000) {
            													goto L141;
            												}
            												goto L175;
            											case 5:
            												goto L139;
            											case 6:
            												__eax = 0;
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													__eax =  *(__ebp + 0x40);
            													 *(__ebp + 0x44) = 1;
            													__esi = __edx + 0x180 +  *(__ebp + 0x40) * 2;
            													 *(__ebp - 0xc) = 7;
            													goto L134;
            												} else {
            													__esi =  *(__ebp + 0x1c) & 0x000000ff;
            													 *(__ebp + 0x18) =  *(__ebp + 0x18) &  *(__ebp + 0x60);
            													_push(8);
            													_pop(__ecx);
            													__cl = __cl -  *(__ebp + 0x3c);
            													__esi = ( *(__ebp + 0x1c) & 0x000000ff) >> __cl;
            													__ecx =  *(__ebp + 0x3c);
            													__edi = ( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl;
            													__esi = (( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl);
            													__esi = ((( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl)) * 0x600;
            													__eflags =  *(__ebp + 0x40) - 4;
            													__ecx = __esi + __edx + 0xe6c;
            													 *(__ebp + 0x20) = __esi + __edx + 0xe6c;
            													if( *(__ebp + 0x40) >= 4) {
            														__eflags =  *(__ebp + 0x40) - 0xa;
            														if( *(__ebp + 0x40) >= 0xa) {
            															_t92 = __ebp + 0x40;
            															 *_t92 =  *(__ebp + 0x40) - 6;
            															__eflags =  *_t92;
            														} else {
            															 *(__ebp + 0x40) =  *(__ebp + 0x40) - 3;
            														}
            													} else {
            														 *(__ebp + 0x40) = 0;
            													}
            													__eflags =  *(__ebp + 0x44) - __eax;
            													if( *(__ebp + 0x44) == __eax) {
            														__ebx = 0;
            														__ebx = 1;
            														goto L63;
            													} else {
            														__eax =  *(__ebp + 0x64);
            														__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            														__eflags = __eax -  *(__ebp + 4);
            														if(__eax >=  *(__ebp + 4)) {
            															__eax = __eax +  *(__ebp + 4);
            															__eflags = __eax;
            														}
            														__ecx =  *(__ebp + 0x70);
            														__al =  *((intOrPtr*)(__eax + __ecx));
            														__ebx = 0;
            														 *(__ebp + 0x1d) =  *((intOrPtr*)(__eax + __ecx));
            														__ebx = 1;
            														goto L43;
            													}
            												}
            												goto L175;
            											case 7:
            												__eflags =  *(__ebp + 0x38) - 1;
            												if( *(__ebp + 0x38) != 1) {
            													__eax =  *(__ebp + 0x54);
            													 *(__ebp + 0x58) =  *(__ebp + 0x54);
            													__eax =  *(__ebp + 0x50);
            													 *(__ebp + 0x54) =  *(__ebp + 0x50);
            													__eax =  *(__ebp + 0x4c);
            													 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            													__eax = 0;
            													__eflags =  *(__ebp + 0x40) - 7;
            													 *(__ebp - 8) = 0x16;
            													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            													__eax = (__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd;
            													__eax = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xa;
            													__eflags = __eax;
            													 *(__ebp + 0x40) = __eax;
            													__eax = __edx + 0x664;
            													 *(__ebp + 0x20) = __edx + 0x664;
            													goto L71;
            												} else {
            													__eax =  *(__ebp + 0x40);
            													__esi = __edx + 0x198 +  *(__ebp + 0x40) * 2;
            													 *(__ebp - 0xc) = 8;
            													while(1) {
            														L134:
            														 *(_t596 + 0x24) = _t589;
            														goto L135;
            													}
            												}
            												while(1) {
            													L134:
            													 *(_t596 + 0x24) = _t589;
            													goto L135;
            												}
            											case 8:
            												__eflags =  *(__ebp + 0x38);
            												__eax =  *(__ebp + 0x40);
            												if( *(__ebp + 0x38) != 0) {
            													__esi = __edx + 0x1b0 + __eax * 2;
            													 *(__ebp - 0xc) = 0xa;
            												} else {
            													__eax = __eax + 0xf;
            													__eax = __eax << 4;
            													__eax = __eax +  *(__ebp + 0x2c);
            													 *(__ebp - 0xc) = 9;
            													__esi = __edx + __eax * 2;
            												}
            												while(1) {
            													L134:
            													 *(_t596 + 0x24) = _t589;
            													goto L135;
            												}
            											case 9:
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													goto L91;
            												} else {
            													__eflags =  *(__ebp + 0x18);
            													if( *(__ebp + 0x18) == 0) {
            														goto L174;
            													} else {
            														__eax = 0;
            														__eflags =  *(__ebp + 0x40) - 7;
            														_t248 =  *(__ebp + 0x40) - 7 >= 0;
            														__eflags = _t248;
            														__eax = 0 | _t248;
            														__eax = _t248 + _t248 + 9;
            														 *(__ebp + 0x40) = _t248 + _t248 + 9;
            														goto L78;
            													}
            												}
            												goto L175;
            											case 0xa:
            												goto L0;
            											case 0xb:
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													__ecx =  *(__ebp + 0x54);
            													__eax =  *(__ebp + 0x58);
            													 *(__ebp + 0x58) =  *(__ebp + 0x54);
            												} else {
            													__eax =  *(__ebp + 0x54);
            												}
            												__ecx =  *(__ebp + 0x50);
            												 *(__ebp + 0x54) =  *(__ebp + 0x50);
            												goto L90;
            											case 0xc:
            												__eax =  *(__ebp + 0x4c);
            												goto L102;
            											case 0xd:
            												L39:
            												__eflags =  *(__ebp + 0xc);
            												if( *(__ebp + 0xc) == 0) {
            													 *(__ebp - 0x10) = 0xd;
            													goto L173;
            												} else {
            													__ecx =  *(__ebp + 8);
            													__eax =  *(__ebp + 0x6c);
            													__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            													 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            													 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													_t115 = __ebp + 8;
            													 *_t115 =  *(__ebp + 8) + 1;
            													__eflags =  *_t115;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													L41:
            													__eax =  *(__ebp + 0x38);
            													__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            													if( *(__ebp + 0x30) !=  *(__ebp + 0x38)) {
            														goto L50;
            													} else {
            														__eflags = __ebx - 0x100;
            														if(__ebx >= 0x100) {
            															goto L56;
            														} else {
            															L43:
            															__eax =  *(__ebp + 0x1d) & 0x000000ff;
            															 *(__ebp + 0x1d) =  *(__ebp + 0x1d) << 1;
            															__ecx =  *(__ebp + 0x20);
            															__eax = ( *(__ebp + 0x1d) & 0x000000ff) >> 7;
            															 *(__ebp + 0x30) = __eax;
            															__eax = __eax + 1;
            															__eax = __eax << 8;
            															__esi =  *(__ebp + 0x20) + __eax * 2;
            															__eax =  *__esi & 0x0000ffff;
            															__ecx =  *(__ebp + 0x68);
            															__edx = __ax & 0x0000ffff;
            															__ecx =  *(__ebp + 0x68) >> 0xb;
            															__ecx = ( *(__ebp + 0x68) >> 0xb) * __edx;
            															__eflags =  *(__ebp + 0x6c) - __ecx;
            															 *(__ebp + 0x24) = __esi;
            															if( *(__ebp + 0x6c) >= __ecx) {
            																 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            																 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            																__cx = __ax;
            																__cx = __ax >> 5;
            																__ax = __ax - __cx;
            																__eflags = __ax;
            																 *(__ebp + 0x38) = 1;
            																 *__esi = __ax;
            																__ebx = __ebx + __ebx + 1;
            															} else {
            																 *(__ebp + 0x38) =  *(__ebp + 0x38) & 0x00000000;
            																 *(__ebp + 0x68) = __ecx;
            																0x800 = 0x800 - __edx;
            																0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
            																 *__esi = __cx;
            																__ebx = __ebx + __ebx;
            															}
            															__eflags =  *(__ebp + 0x68) - 0x1000000;
            															 *(__ebp + 0x34) = __ebx;
            															if( *(__ebp + 0x68) >= 0x1000000) {
            																goto L41;
            															} else {
            																goto L39;
            															}
            														}
            													}
            												}
            												goto L175;
            											case 0xe:
            												L48:
            												__eflags =  *(__ebp + 0xc);
            												if( *(__ebp + 0xc) == 0) {
            													 *(__ebp - 0x10) = 0xe;
            													goto L173;
            												} else {
            													__ecx =  *(__ebp + 8);
            													__eax =  *(__ebp + 0x6c);
            													__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            													 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            													 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													_t149 = __ebp + 8;
            													 *_t149 =  *(__ebp + 8) + 1;
            													__eflags =  *_t149;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													while(1) {
            														L50:
            														__eflags = __ebx - 0x100;
            														if(__ebx >= 0x100) {
            															break;
            														}
            														__eax =  *(__ebp + 0x20);
            														__ecx =  *(__ebp + 0x68);
            														__edx = __ebx + __ebx;
            														__esi = __edx +  *(__ebp + 0x20);
            														__eax =  *__esi & 0x0000ffff;
            														__edi = __ax & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68) >> 0xb;
            														__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            														__eflags =  *(__ebp + 0x6c) - __ecx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __ecx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__eflags = __ax;
            															 *__esi = __ax;
            															__ebx = __edx + 1;
            														} else {
            															 *(__ebp + 0x68) = __ecx;
            															0x800 = 0x800 - __edi;
            															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            															 *__esi = __cx;
            															__ebx = __ebx + __ebx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														 *(__ebp + 0x34) = __ebx;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															continue;
            														} else {
            															goto L48;
            														}
            														goto L175;
            													}
            													L56:
            													_t166 = __ebp + 0x44;
            													 *_t166 =  *(__ebp + 0x44) & 0x00000000;
            													__eflags =  *_t166;
            													goto L57;
            												}
            												goto L175;
            											case 0xf:
            												L60:
            												__eflags =  *(__ebp + 0xc);
            												if( *(__ebp + 0xc) == 0) {
            													 *(__ebp - 0x10) = 0xf;
            													goto L173;
            												} else {
            													__ecx =  *(__ebp + 8);
            													__eax =  *(__ebp + 0x6c);
            													__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            													 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            													 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													_t196 = __ebp + 8;
            													 *_t196 =  *(__ebp + 8) + 1;
            													__eflags =  *_t196;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													L62:
            													__eflags = __ebx - 0x100;
            													if(__ebx >= 0x100) {
            														L57:
            														__al =  *(__ebp + 0x34);
            														 *(__ebp + 0x1c) =  *(__ebp + 0x34);
            														goto L58;
            													} else {
            														L63:
            														__eax =  *(__ebp + 0x20);
            														__ecx =  *(__ebp + 0x68);
            														__edx = __ebx + __ebx;
            														__esi = __edx +  *(__ebp + 0x20);
            														__eax =  *__esi & 0x0000ffff;
            														__edi = __ax & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68) >> 0xb;
            														__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            														__eflags =  *(__ebp + 0x6c) - __ecx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __ecx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__eflags = __ax;
            															 *__esi = __ax;
            															__ebx = __edx + 1;
            														} else {
            															 *(__ebp + 0x68) = __ecx;
            															0x800 = 0x800 - __edi;
            															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            															 *__esi = __cx;
            															__ebx = __ebx + __ebx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														 *(__ebp + 0x34) = __ebx;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															goto L62;
            														} else {
            															goto L60;
            														}
            													}
            												}
            												goto L175;
            											case 0x10:
            												L112:
            												__eflags =  *(__ebp + 0xc);
            												if( *(__ebp + 0xc) == 0) {
            													 *(__ebp - 0x10) = 0x10;
            													goto L173;
            												} else {
            													__ecx =  *(__ebp + 8);
            													__eax =  *(__ebp + 0x6c);
            													__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            													 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            													 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													_t350 = __ebp + 8;
            													 *_t350 =  *(__ebp + 8) + 1;
            													__eflags =  *_t350;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													goto L114;
            												}
            												goto L175;
            											case 0x11:
            												goto L71;
            											case 0x12:
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													 *(__ebp + 0x20) =  *(__ebp + 0x20) + 2;
            													__eflags =  *(__ebp + 0x20) + 2;
            													 *(__ebp - 0xc) = 0x13;
            													while(1) {
            														L134:
            														 *(_t596 + 0x24) = _t589;
            														goto L135;
            													}
            												} else {
            													__eax =  *(__ebp + 0x2c);
            													 *(__ebp + 0x48) =  *(__ebp + 0x48) & 0x00000000;
            													__ecx =  *(__ebp + 0x20);
            													__eax =  *(__ebp + 0x2c) << 4;
            													__eax =  *(__ebp + 0x20) + ( *(__ebp + 0x2c) << 4) + 4;
            													goto L144;
            												}
            												goto L175;
            											case 0x13:
            												__eflags =  *(__ebp + 0x38);
            												if( *(__ebp + 0x38) != 0) {
            													_t451 = __ebp + 0x20;
            													 *_t451 =  *(__ebp + 0x20) + 0x204;
            													__eflags =  *_t451;
            													 *(__ebp + 0x48) = 0x10;
            													 *(__ebp + 0x38) = 8;
            												} else {
            													__eax =  *(__ebp + 0x2c);
            													__ecx =  *(__ebp + 0x20);
            													__eax =  *(__ebp + 0x2c) << 4;
            													__eflags = __eax;
            													 *(__ebp + 0x48) = 8;
            													__eax =  *(__ebp + 0x20) + __eax + 0x104;
            													L144:
            													 *(__ebp + 0x20) = __eax;
            													 *(__ebp + 0x38) = 3;
            												}
            												 *(__ebp - 4) = 0x14;
            												goto L147;
            											case 0x14:
            												_t492 = __ebp + 0x48;
            												 *_t492 =  *(__ebp + 0x48) + __ebx;
            												__eflags =  *_t492;
            												__eax =  *(__ebp - 8);
            												 *(_t596 - 0x10) = _t516;
            												goto L2;
            											case 0x15:
            												__eax = 0;
            												__eflags =  *(__ebp + 0x40) - 7;
            												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            												(__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            												 *(__ebp + 0x40) = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            												goto L123;
            											case 0x16:
            												__eax =  *(__ebp + 0x48);
            												__eflags = __eax - 4;
            												if(__eax >= 4) {
            													_push(3);
            													_pop(__eax);
            												}
            												__eax = __eax << 7;
            												 *(__ebp + 0x20) = __eax;
            												 *(__ebp + 0x38) = 6;
            												 *(__ebp - 4) = 0x19;
            												goto L147;
            											case 0x17:
            												L147:
            												__eax =  *(__ebp + 0x38);
            												 *(__ebp + 0x28) = 1;
            												 *(__ebp + 0x30) =  *(__ebp + 0x38);
            												goto L151;
            											case 0x18:
            												L148:
            												__eflags =  *(__ebp + 0xc);
            												if( *(__ebp + 0xc) == 0) {
            													 *(__ebp - 0x10) = 0x18;
            													goto L173;
            												} else {
            													__ecx =  *(__ebp + 8);
            													__eax =  *(__ebp + 0x6c);
            													__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            													 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            													 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													_t466 = __ebp + 8;
            													 *_t466 =  *(__ebp + 8) + 1;
            													__eflags =  *_t466;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            													L150:
            													_t469 = __ebp + 0x30;
            													 *_t469 =  *(__ebp + 0x30) - 1;
            													__eflags =  *_t469;
            													__edx =  *(__ebp + 0x74);
            													L151:
            													__eflags =  *(__ebp + 0x30);
            													if( *(__ebp + 0x30) <= 0) {
            														__ecx =  *(__ebp + 0x38);
            														__ebx =  *(__ebp + 0x28);
            														0 = 1;
            														__eax = 1 << __cl;
            														__ebx =  *(__ebp + 0x28) - (1 << __cl);
            														__eax =  *(__ebp - 4);
            														 *(__ebp + 0x34) = __ebx;
            														while(1) {
            															 *(_t596 - 0x10) = _t516;
            															goto L2;
            														}
            													} else {
            														__edx =  *(__ebp + 0x28);
            														__eax =  *(__ebp + 0x20);
            														__ecx =  *(__ebp + 0x68);
            														__edx =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            														__esi = __edx +  *(__ebp + 0x20);
            														__eax =  *__esi & 0x0000ffff;
            														__edi = __ax & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68) >> 0xb;
            														__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            														__eflags =  *(__ebp + 0x6c) - __ecx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __ecx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__edx = __edx + 1;
            															__eflags = __edx;
            															 *__esi = __ax;
            															 *(__ebp + 0x28) = __edx;
            														} else {
            															 *(__ebp + 0x68) = __ecx;
            															0x800 = 0x800 - __edi;
            															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            															 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            															 *__esi = __cx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															goto L150;
            														} else {
            															goto L148;
            														}
            													}
            												}
            												goto L175;
            											case 0x19:
            												__eflags = __ebx - 4;
            												if(__ebx < 4) {
            													 *(__ebp + 0x4c) = __ebx;
            													goto L122;
            												} else {
            													__ecx = __ebx;
            													__ebx = __ebx & 0x00000001;
            													__ecx = __ebx >> 1;
            													__ecx = (__ebx >> 1) - 1;
            													__eax = __ebx & 0x00000001 | 0x00000002;
            													__eax = (__ebx & 0x00000001 | 0x00000002) << __cl;
            													__eflags = __ebx - 0xe;
            													 *(__ebp + 0x4c) = __eax;
            													if(__ebx >= 0xe) {
            														__ebx = 0;
            														 *(__ebp + 0x30) = __ecx;
            														L105:
            														__eflags =  *(__ebp + 0x30);
            														if( *(__ebp + 0x30) <= 0) {
            															__eax = __eax + __ebx;
            															__edx = __edx + 0x644;
            															__eflags = __edx;
            															 *(__ebp + 0x4c) = __eax;
            															 *(__ebp + 0x20) = __edx;
            															 *(__ebp + 0x38) = 4;
            															goto L111;
            														} else {
            															__ecx =  *(__ebp + 0x6c);
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) >> 1;
            															__ebx = __ebx + __ebx;
            															__eflags = __ecx -  *(__ebp + 0x68);
            															 *(__ebp + 0x34) = __ebx;
            															if(__ecx >=  *(__ebp + 0x68)) {
            																__ecx = __ecx -  *(__ebp + 0x68);
            																__ebx = __ebx | 0x00000001;
            																__eflags = __ebx;
            																 *(__ebp + 0x6c) = __ecx;
            																 *(__ebp + 0x34) = __ebx;
            															}
            															__eflags =  *(__ebp + 0x68) - 0x1000000;
            															if( *(__ebp + 0x68) >= 0x1000000) {
            																L104:
            																_t325 = __ebp + 0x30;
            																 *_t325 =  *(__ebp + 0x30) - 1;
            																__eflags =  *_t325;
            																goto L105;
            															} else {
            																L102:
            																__eflags =  *(__ebp + 0xc);
            																if( *(__ebp + 0xc) == 0) {
            																	 *(__ebp - 0x10) = 0xc;
            																	goto L173;
            																} else {
            																	__edi =  *(__ebp + 8);
            																	__ecx =  *(__ebp + 0x6c);
            																	__edi =  *( *(__ebp + 8)) & 0x000000ff;
            																	 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            																	 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            																	 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																	_t322 = __ebp + 8;
            																	 *_t322 =  *(__ebp + 8) + 1;
            																	__eflags =  *_t322;
            																	 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																	goto L104;
            																}
            															}
            														}
            													} else {
            														__eax = __eax - __ebx;
            														 *(__ebp + 0x20) = __eax;
            														 *(__ebp + 0x38) = __ecx;
            														L111:
            														__ebx = 0;
            														 *(__ebp + 0x28) = 1;
            														 *(__ebp + 0x34) = 0;
            														 *(__ebp + 0x30) = 0;
            														L115:
            														__eax =  *(__ebp + 0x38);
            														__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            														if( *(__ebp + 0x30) >=  *(__ebp + 0x38)) {
            															_t375 = __ebp + 0x4c;
            															 *_t375 =  *(__ebp + 0x4c) + __ebx;
            															__eflags =  *_t375;
            															L122:
            															_t377 = __ebp + 0x4c;
            															 *_t377 =  *(__ebp + 0x4c) + 1;
            															__eflags =  *_t377;
            															L123:
            															__eax =  *(__ebp + 0x4c);
            															__eflags = __eax;
            															if(__eax == 0) {
            																 *(__ebp + 0x48) =  *(__ebp + 0x48) | 0xffffffff;
            																goto L173;
            															} else {
            																__eflags = __eax -  *(__ebp + 0x18);
            																if(__eax >  *(__ebp + 0x18)) {
            																	goto L174;
            																} else {
            																	 *(__ebp + 0x48) =  *(__ebp + 0x48) + 2;
            																	__eax =  *(__ebp + 0x48);
            																	_t384 = __ebp + 0x18;
            																	 *_t384 =  *(__ebp + 0x18) +  *(__ebp + 0x48);
            																	__eflags =  *_t384;
            																	goto L126;
            																}
            															}
            														} else {
            															__edi =  *(__ebp + 0x28);
            															__eax =  *(__ebp + 0x20);
            															__edx =  *(__ebp + 0x68);
            															__edi =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            															__esi = __edi +  *(__ebp + 0x20);
            															__eax =  *__esi & 0x0000ffff;
            															__ecx = __ax & 0x0000ffff;
            															__edx =  *(__ebp + 0x68) >> 0xb;
            															__edx = ( *(__ebp + 0x68) >> 0xb) * __ecx;
            															__eflags =  *(__ebp + 0x6c) - __edx;
            															 *(__ebp + 0x24) = __esi;
            															if( *(__ebp + 0x6c) >= __edx) {
            																 *(__ebp + 0x68) =  *(__ebp + 0x68) - __edx;
            																 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __edx;
            																0 = 1;
            																__ebx = 1;
            																__ecx =  *(__ebp + 0x30);
            																__ebx = 1 << __cl;
            																__ecx = 1 << __cl;
            																__ebx =  *(__ebp + 0x34);
            																__ebx =  *(__ebp + 0x34) | 1 << __cl;
            																__cx = __ax;
            																__cx = __ax >> 5;
            																__ax = __ax - __cx;
            																__edi = __edi + 1;
            																__eflags = __edi;
            																 *(__ebp + 0x34) = __ebx;
            																 *__esi = __ax;
            																 *(__ebp + 0x28) = __edi;
            															} else {
            																 *(__ebp + 0x68) = __edx;
            																0x800 = 0x800 - __ecx;
            																0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
            																 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            																 *__esi = __dx;
            															}
            															__eflags =  *(__ebp + 0x68) - 0x1000000;
            															if( *(__ebp + 0x68) >= 0x1000000) {
            																L114:
            																_t353 = __ebp + 0x30;
            																 *_t353 =  *(__ebp + 0x30) + 1;
            																__eflags =  *_t353;
            																goto L115;
            															} else {
            																goto L112;
            															}
            														}
            													}
            												}
            												goto L175;
            											case 0x1a:
            												L58:
            												__eflags =  *(__ebp + 0x14);
            												if( *(__ebp + 0x14) == 0) {
            													 *(__ebp - 0x10) = 0x1a;
            													goto L173;
            												} else {
            													__al =  *(__ebp + 0x1c);
            													__ecx =  *(__ebp + 0x10);
            													__edx =  *(__ebp + 0x70);
            													 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            													 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            													 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            													 *( *(__ebp + 0x10)) = __al;
            													__ecx =  *(__ebp + 0x64);
            													 *((char*)(__ecx +  *(__ebp + 0x70))) = __al;
            													__eax = __ecx + 1;
            													__edx = 0;
            													_t185 = __eax %  *(__ebp + 4);
            													__eax = __eax /  *(__ebp + 4);
            													__edx = _t185;
            													goto L82;
            												}
            												goto L175;
            											case 0x1b:
            												L78:
            												__eflags =  *(__ebp + 0x14);
            												if( *(__ebp + 0x14) == 0) {
            													 *(__ebp - 0x10) = 0x1b;
            													goto L173;
            												} else {
            													__eax =  *(__ebp + 0x64);
            													__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            													__eflags = __eax -  *(__ebp + 4);
            													if(__eax >=  *(__ebp + 4)) {
            														__eax = __eax +  *(__ebp + 4);
            														__eflags = __eax;
            													}
            													__edx =  *(__ebp + 0x70);
            													__cl =  *(__eax + __edx);
            													__eax =  *(__ebp + 0x64);
            													 *(__eax + __edx) = __cl;
            													__eax = __eax + 1;
            													__edx = 0;
            													_t263 = __eax %  *(__ebp + 4);
            													__eax = __eax /  *(__ebp + 4);
            													__edx = _t263;
            													 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            													__eax =  *(__ebp + 0x10);
            													 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            													_t272 = __ebp + 0x14;
            													 *_t272 =  *(__ebp + 0x14) - 1;
            													__eflags =  *_t272;
            													 *(__ebp + 0x1c) = __cl;
            													 *( *(__ebp + 0x10)) = __cl;
            													L82:
            													 *(__ebp + 0x64) = __edx;
            													goto L83;
            												}
            												goto L175;
            											case 0x1c:
            												while(1) {
            													L126:
            													__eflags =  *(__ebp + 0x14);
            													if( *(__ebp + 0x14) == 0) {
            														break;
            													}
            													__eax =  *(__ebp + 0x64);
            													__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            													__eflags = __eax -  *(__ebp + 4);
            													if(__eax >=  *(__ebp + 4)) {
            														__eax = __eax +  *(__ebp + 4);
            														__eflags = __eax;
            													}
            													__edx =  *(__ebp + 0x70);
            													__cl =  *(__eax + __edx);
            													__eax =  *(__ebp + 0x64);
            													 *(__eax + __edx) = __cl;
            													__eax = __eax + 1;
            													__edx = 0;
            													_t397 = __eax %  *(__ebp + 4);
            													__eax = __eax /  *(__ebp + 4);
            													__edx = _t397;
            													__eax =  *(__ebp + 0x10);
            													 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            													 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            													 *(__ebp + 0x48) =  *(__ebp + 0x48) - 1;
            													__eflags =  *(__ebp + 0x48);
            													 *(__ebp + 0x1c) = __cl;
            													 *( *(__ebp + 0x10)) = __cl;
            													 *(__ebp + 0x64) = __edx;
            													if( *(__ebp + 0x48) > 0) {
            														continue;
            													} else {
            														L83:
            														 *(__ebp - 0x10) = 2;
            														goto L2;
            													}
            													goto L175;
            												}
            												 *(__ebp - 0x10) = 0x1c;
            												goto L173;
            										}
            									}
            									L174:
            									_t518 = _t517 | 0xffffffff;
            									goto L175;
            								}
            							}
            						}
            					}
            					L134:
            					 *(_t596 + 0x24) = _t589;
            					goto L135;
            				}
            			}













            0x00408394
            0x00000000
            0x0040840c
            0x00000000
            0x0040840c
            0x0040840a
            0x0040839d
            0x004082c6
            0x00000000
            0x00000000
            0x00408053
            0x00408053
            0x00408057
            0x00408659
            0x00000000
            0x0040805d
            0x0040805d
            0x00408060
            0x00408063
            0x00408066
            0x00408069
            0x0040806c
            0x0040806f
            0x00408071
            0x00408074
            0x00408077
            0x0040807a
            0x0040807c
            0x0040807c
            0x0040807c
            0x00000000
            0x0040807c
            0x00000000
            0x00000000
            0x004081c6
            0x004081c6
            0x004081ca
            0x00408662
            0x00000000
            0x004081d0
            0x004081d0
            0x004081d3
            0x004081d6
            0x004081d9
            0x004081db
            0x004081db
            0x004081db
            0x004081de
            0x004081e1
            0x004081e4
            0x004081e7
            0x004081ea
            0x004081eb
            0x004081ed
            0x004081ed
            0x004081ed
            0x004081f0
            0x004081f3
            0x004081f6
            0x004081f9
            0x004081f9
            0x004081f9
            0x004081fc
            0x004081ff
            0x00408201
            0x00408201
            0x00000000
            0x00408201
            0x00000000
            0x00000000
            0x00408435
            0x00408435
            0x00408435
            0x00408439
            0x00000000
            0x00000000
            0x0040843f
            0x00408442
            0x00408445
            0x00408448
            0x0040844a
            0x0040844a
            0x0040844a
            0x0040844d
            0x00408450
            0x00408453
            0x00408456
            0x00408459
            0x0040845a
            0x0040845c
            0x0040845c
            0x0040845c
            0x0040845f
            0x00408462
            0x00408465
            0x00408468
            0x0040846b
            0x0040846f
            0x00408472
            0x00408474
            0x00408477
            0x00000000
            0x00408479
            0x00408204
            0x00408204
            0x00000000
            0x00407cfd
            0x00000000
            0x00408477
            0x00408683
            0x00000000
            0x00000000
            0x00407d0c
            0x004086ab
            0x004086ab
            0x00000000
            0x004086ab
            0x00408624
            0x004084aa
            0x004084a7
            0x004084a7
            0x004084a7
            0x00000000
            0x004084a7

            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4e8a725bcb4d80290e5bb0df5398a7fcc466291c9274a6e856765fae1766d228
            • Instruction ID: 37c27ae80b8e3d40c50ee427a37dce496d5eef8e92b9570f6c0cf6b021cdd3c5
            • Opcode Fuzzy Hash: 4e8a725bcb4d80290e5bb0df5398a7fcc466291c9274a6e856765fae1766d228
            • Instruction Fuzzy Hash: AB615471900248EBDF58CF18C984BA93BB1FF44355F11812AFC5AAB291CB38E985CF85
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E0040816E(void* __edx) {
            				signed int _t513;
            				unsigned short _t514;
            				signed int _t515;
            				void _t516;
            				signed int _t517;
            				signed int _t518;
            				signed int _t545;
            				signed int _t548;
            				signed int _t582;
            				signed short* _t589;
            				intOrPtr* _t596;
            
            				L0:
            				while(1) {
            					L0:
            					_t513 =  *(_t596 + 0x40);
            					if( *(_t596 + 0x38) != 0) {
            						_t589 = __edx + 0x1b0 + _t513 * 2;
            						 *(_t596 - 0xc) = 0xa;
            					} else {
            						__eax = __eax + 0xf;
            						__eax = __eax << 4;
            						__eax = __eax +  *(__ebp + 0x2c);
            						 *(__ebp - 0xc) = 9;
            					}
            					while(1) {
            						L134:
            						 *(_t596 + 0x24) = _t589;
            						while(1) {
            							L135:
            							_t514 =  *_t589 & 0x0000ffff;
            							_t582 = _t514 & 0x0000ffff;
            							_t545 = ( *(_t596 + 0x68) >> 0xb) * _t582;
            							if( *(_t596 + 0x6c) >= _t545) {
            								 *(_t596 + 0x68) =  *(_t596 + 0x68) - _t545;
            								 *(_t596 + 0x6c) =  *(_t596 + 0x6c) - _t545;
            								_t515 = _t514 - (_t514 >> 5);
            								 *_t589 = _t515;
            								 *(_t596 + 0x38) = 1;
            							} else {
            								 *(_t596 + 0x68) = _t545;
            								 *(_t596 + 0x38) =  *(_t596 + 0x38) & 0x00000000;
            								 *_t589 = (0x800 - _t582 >> 5) + _t514;
            							}
            							if( *(_t596 + 0x68) >= 0x1000000) {
            								goto L141;
            							}
            							L139:
            							if( *(_t596 + 0xc) == 0) {
            								L171:
            								 *(_t596 - 0x10) = 5;
            								L173:
            								_t548 = 0x22;
            								memcpy( *(_t596 - 0x18), _t596 - 0x10, _t548 << 2);
            								_t518 = 0;
            							} else {
            								L140:
            								 *(_t596 + 0x68) =  *(_t596 + 0x68) << 8;
            								 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            								 *(_t596 + 8) =  &(( *(_t596 + 8))[1]);
            								 *(_t596 + 0x6c) =  *(_t596 + 0x6c) << 0x00000008 |  *( *(_t596 + 8)) & 0x000000ff;
            								goto L141;
            							}
            							L175:
            							return _t518;
            							L177:
            							L141:
            							_t516 =  *(_t596 - 0xc);
            							while(1) {
            								L159:
            								 *(_t596 - 0x10) = _t516;
            								while(1) {
            									L2:
            									_t517 =  *(_t596 - 0x10);
            									if(_t517 > 0x1c) {
            										break;
            									}
            									L3:
            									switch( *((intOrPtr*)(_t517 * 4 +  &M004086B6))) {
            										case 0:
            											L4:
            											if( *(_t596 + 0xc) == 0) {
            												goto L173;
            											} else {
            												L5:
            												 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            												_t517 =  *( *(_t596 + 8));
            												 *(_t596 + 8) =  &(( *(_t596 + 8))[1]);
            												if(_t517 > 0xe1) {
            													goto L174;
            												} else {
            													L6:
            													_t521 = _t517 & 0x000000ff;
            													asm("cdq");
            													_push(0x2d);
            													_pop(_t550);
            													_push(9);
            													_pop(_t551);
            													_t592 = _t521 / _t550;
            													_t523 = _t521 % _t550 & 0x000000ff;
            													asm("cdq");
            													_t587 = _t523 % _t551 & 0x000000ff;
            													 *(_t596 + 0x3c) = _t587;
            													 *(_t596 + 0x5c) = (1 << _t592) - 1;
            													 *((intOrPtr*)(_t596 + 0x60)) = (1 << _t523 / _t551) - 1;
            													_t595 = (0x300 << _t587 + _t592) + 0x736;
            													if(0x600 ==  *_t596) {
            														L11:
            														if(_t595 != 0) {
            															do {
            																L12:
            																_t595 = _t595 - 1;
            																 *((short*)( *(_t596 + 0x74) + _t595 * 2)) = 0x400;
            															} while (_t595 != 0);
            														}
            														L13:
            														 *(_t596 + 0x30) =  *(_t596 + 0x30) & 0x00000000;
            														 *(_t596 + 0x38) =  *(_t596 + 0x38) & 0x00000000;
            														goto L16;
            													} else {
            														L7:
            														if( *(_t596 + 0x74) != 0) {
            															GlobalFree( *(_t596 + 0x74)); // executed
            														}
            														_t517 = GlobalAlloc(0x40, 0x600); // executed
            														 *(_t596 + 0x74) = _t517;
            														if(_t517 == 0) {
            															goto L174;
            														} else {
            															L10:
            															 *_t596 = 0x600;
            															goto L11;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 1:
            											L14:
            											__eflags =  *(_t596 + 0xc);
            											if( *(_t596 + 0xc) == 0) {
            												L160:
            												 *(_t596 - 0x10) = 1;
            												goto L173;
            											} else {
            												L15:
            												 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            												 *(_t596 + 0x38) =  *(_t596 + 0x38) | ( *( *(_t596 + 8)) & 0x000000ff) <<  *(_t596 + 0x30) << 0x00000003;
            												 *(_t596 + 8) =  &(( *(_t596 + 8))[1]);
            												_t45 = _t596 + 0x30;
            												 *_t45 =  *(_t596 + 0x30) + 1;
            												__eflags =  *_t45;
            												L16:
            												if( *(_t596 + 0x30) < 4) {
            													goto L14;
            												} else {
            													L17:
            													_t528 =  *(_t596 + 0x38);
            													if(_t528 ==  *(_t596 + 4)) {
            														L21:
            														 *((char*)( *(_t596 + 0x70) +  *(_t596 + 4) - 1)) = 0;
            														 *(_t596 + 0x30) = 5;
            														goto L24;
            													} else {
            														L18:
            														 *(_t596 + 4) = _t528;
            														if( *(_t596 + 0x70) != 0) {
            															GlobalFree( *(_t596 + 0x70)); // executed
            														}
            														_t517 = GlobalAlloc(0x40,  *(_t596 + 0x38)); // executed
            														 *(_t596 + 0x70) = _t517;
            														if(_t517 == 0) {
            															goto L174;
            														} else {
            															goto L21;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 2:
            											L26:
            											_t535 =  *(_t596 + 0x18) &  *(_t596 + 0x5c);
            											 *(_t596 + 0x2c) = _t535;
            											_t589 = _t580 + (( *(_t596 + 0x40) << 4) + _t535) * 2;
            											 *(_t596 - 0xc) = 6;
            											goto L134;
            										case 3:
            											L22:
            											__eflags =  *(_t596 + 0xc);
            											if( *(_t596 + 0xc) == 0) {
            												L161:
            												 *(_t596 - 0x10) = 3;
            												goto L173;
            											} else {
            												L23:
            												 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            												_t65 = _t596 + 8;
            												 *_t65 =  &(( *(_t596 + 8))[1]);
            												__eflags =  *_t65;
            												 *(_t596 + 0x6c) =  *(_t596 + 0x6c) << 0x00000008 |  *( *(_t596 + 8)) & 0x000000ff;
            												L24:
            												 *(_t596 + 0x30) =  *(_t596 + 0x30) - 1;
            												if( *(_t596 + 0x30) != 0) {
            													goto L22;
            												} else {
            													L25:
            													_t580 =  *(_t596 + 0x74);
            													goto L26;
            												}
            											}
            											goto L175;
            										case 4:
            											L135:
            											_t514 =  *_t589 & 0x0000ffff;
            											_t582 = _t514 & 0x0000ffff;
            											_t545 = ( *(_t596 + 0x68) >> 0xb) * _t582;
            											if( *(_t596 + 0x6c) >= _t545) {
            												 *(_t596 + 0x68) =  *(_t596 + 0x68) - _t545;
            												 *(_t596 + 0x6c) =  *(_t596 + 0x6c) - _t545;
            												_t515 = _t514 - (_t514 >> 5);
            												 *_t589 = _t515;
            												 *(_t596 + 0x38) = 1;
            											} else {
            												 *(_t596 + 0x68) = _t545;
            												 *(_t596 + 0x38) =  *(_t596 + 0x38) & 0x00000000;
            												 *_t589 = (0x800 - _t582 >> 5) + _t514;
            											}
            											if( *(_t596 + 0x68) >= 0x1000000) {
            												goto L141;
            											}
            											goto L175;
            										case 5:
            											goto L139;
            										case 6:
            											L27:
            											__eax = 0;
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												L38:
            												__eax =  *(__ebp + 0x40);
            												 *(__ebp + 0x44) = 1;
            												__esi = __edx + 0x180 + __eax * 2;
            												 *(__ebp - 0xc) = 7;
            												goto L134;
            											} else {
            												L28:
            												__esi =  *(__ebp + 0x1c) & 0x000000ff;
            												 *(__ebp + 0x18) =  *(__ebp + 0x18) &  *(__ebp + 0x60);
            												_push(8);
            												_pop(__ecx);
            												__cl = __cl -  *(__ebp + 0x3c);
            												__esi = ( *(__ebp + 0x1c) & 0x000000ff) >> __cl;
            												__ecx =  *(__ebp + 0x3c);
            												__edi = ( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl;
            												__esi = (( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl);
            												__esi = ((( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl)) * 0x600;
            												__eflags =  *(__ebp + 0x40) - 4;
            												__ecx = __esi + __edx + 0xe6c;
            												 *(__ebp + 0x20) = __esi + __edx + 0xe6c;
            												if( *(__ebp + 0x40) >= 4) {
            													__eflags =  *(__ebp + 0x40) - 0xa;
            													if( *(__ebp + 0x40) >= 0xa) {
            														_t93 = __ebp + 0x40;
            														 *_t93 =  *(__ebp + 0x40) - 6;
            														__eflags =  *_t93;
            													} else {
            														 *(__ebp + 0x40) =  *(__ebp + 0x40) - 3;
            													}
            												} else {
            													 *(__ebp + 0x40) = 0;
            												}
            												__eflags =  *(__ebp + 0x44) - __eax;
            												if( *(__ebp + 0x44) == __eax) {
            													L37:
            													__ebx = 0;
            													__ebx = 1;
            													goto L63;
            												} else {
            													L34:
            													__eax =  *(__ebp + 0x64);
            													__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            													__eflags = __eax -  *(__ebp + 4);
            													if(__eax >=  *(__ebp + 4)) {
            														__eax = __eax +  *(__ebp + 4);
            														__eflags = __eax;
            													}
            													__ecx =  *(__ebp + 0x70);
            													__al =  *((intOrPtr*)(__eax + __ecx));
            													__ebx = 0;
            													 *(__ebp + 0x1d) =  *((intOrPtr*)(__eax + __ecx));
            													__ebx = 1;
            													goto L43;
            												}
            											}
            											goto L175;
            										case 7:
            											L68:
            											__eflags =  *(__ebp + 0x38) - 1;
            											if( *(__ebp + 0x38) != 1) {
            												L70:
            												__eax =  *(__ebp + 0x54);
            												 *(__ebp + 0x58) =  *(__ebp + 0x54);
            												__eax =  *(__ebp + 0x50);
            												 *(__ebp + 0x54) =  *(__ebp + 0x50);
            												__eax =  *(__ebp + 0x4c);
            												 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            												__eax = 0;
            												__eflags =  *(__ebp + 0x40) - 7;
            												 *(__ebp - 8) = 0x16;
            												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            												__eax = (__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd;
            												__eax = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xa;
            												__eflags = __eax;
            												 *(__ebp + 0x40) = __eax;
            												__eax = __edx + 0x664;
            												 *(__ebp + 0x20) = __eax;
            												goto L71;
            											} else {
            												L69:
            												__eax =  *(__ebp + 0x40);
            												__esi = __edx + 0x198 + __eax * 2;
            												 *(__ebp - 0xc) = 8;
            												while(1) {
            													L134:
            													 *(_t596 + 0x24) = _t589;
            													goto L135;
            												}
            											}
            											L134:
            											 *(_t596 + 0x24) = _t589;
            											goto L135;
            										case 8:
            											goto L0;
            										case 9:
            											L74:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												goto L91;
            											} else {
            												L75:
            												__eflags =  *(__ebp + 0x18);
            												if( *(__ebp + 0x18) == 0) {
            													goto L174;
            												} else {
            													L76:
            													__eax = 0;
            													__eflags =  *(__ebp + 0x40) - 7;
            													_t247 =  *(__ebp + 0x40) - 7 >= 0;
            													__eflags = _t247;
            													__eax = 0 | _t247;
            													__eax = _t247 + _t247 + 9;
            													 *(__ebp + 0x40) = _t247 + _t247 + 9;
            													goto L77;
            												}
            											}
            											goto L175;
            										case 0xa:
            											L83:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												L85:
            												__eax =  *(__ebp + 0x40);
            												__esi = __edx + 0x1c8 + __eax * 2;
            												 *(__ebp - 0xc) = 0xb;
            												while(1) {
            													L134:
            													 *(_t596 + 0x24) = _t589;
            													goto L135;
            												}
            											} else {
            												L84:
            												__eax =  *(__ebp + 0x50);
            												goto L90;
            											}
            											while(1) {
            												L134:
            												 *(_t596 + 0x24) = _t589;
            												goto L135;
            											}
            										case 0xb:
            											L86:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												__ecx =  *(__ebp + 0x54);
            												__eax =  *(__ebp + 0x58);
            												 *(__ebp + 0x58) =  *(__ebp + 0x54);
            											} else {
            												__eax =  *(__ebp + 0x54);
            											}
            											__ecx =  *(__ebp + 0x50);
            											 *(__ebp + 0x54) =  *(__ebp + 0x50);
            											L90:
            											__ecx =  *(__ebp + 0x4c);
            											 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            											 *(__ebp + 0x4c) = __eax;
            											L91:
            											__eax = __edx + 0xa68;
            											 *(__ebp + 0x20) = __eax;
            											 *(__ebp - 8) = 0x15;
            											goto L71;
            										case 0xc:
            											L101:
            											__eax =  *(__ebp + 0x4c);
            											goto L102;
            										case 0xd:
            											L39:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												L162:
            												 *(__ebp - 0x10) = 0xd;
            												goto L173;
            											} else {
            												L40:
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t116 = __ebp + 8;
            												 *_t116 =  *(__ebp + 8) + 1;
            												__eflags =  *_t116;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												L41:
            												__eax =  *(__ebp + 0x38);
            												__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            												if( *(__ebp + 0x30) !=  *(__ebp + 0x38)) {
            													goto L50;
            												} else {
            													L42:
            													__eflags = __ebx - 0x100;
            													if(__ebx >= 0x100) {
            														goto L56;
            													} else {
            														L43:
            														__eax =  *(__ebp + 0x1d) & 0x000000ff;
            														 *(__ebp + 0x1d) =  *(__ebp + 0x1d) << 1;
            														__ecx =  *(__ebp + 0x20);
            														__eax = ( *(__ebp + 0x1d) & 0x000000ff) >> 7;
            														 *(__ebp + 0x30) = __eax;
            														__eax = __eax + 1;
            														__eax = __eax << 8;
            														__esi =  *(__ebp + 0x20) + __eax * 2;
            														__eax =  *__esi & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68);
            														__edx = __ax & 0x0000ffff;
            														__ecx =  *(__ebp + 0x68) >> 0xb;
            														__ecx = ( *(__ebp + 0x68) >> 0xb) * __edx;
            														__eflags =  *(__ebp + 0x6c) - __ecx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __ecx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__eflags = __ax;
            															 *(__ebp + 0x38) = 1;
            															 *__esi = __ax;
            															__ebx = __ebx + __ebx + 1;
            														} else {
            															 *(__ebp + 0x38) =  *(__ebp + 0x38) & 0x00000000;
            															 *(__ebp + 0x68) = __ecx;
            															0x800 = 0x800 - __edx;
            															0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
            															 *__esi = __cx;
            															__ebx = __ebx + __ebx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														 *(__ebp + 0x34) = __ebx;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															goto L41;
            														} else {
            															L47:
            															goto L39;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 0xe:
            											L48:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												L163:
            												 *(__ebp - 0x10) = 0xe;
            												goto L173;
            											} else {
            												L49:
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t150 = __ebp + 8;
            												 *_t150 =  *(__ebp + 8) + 1;
            												__eflags =  *_t150;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												while(1) {
            													L50:
            													__eflags = __ebx - 0x100;
            													if(__ebx >= 0x100) {
            														break;
            													}
            													L51:
            													__eax =  *(__ebp + 0x20);
            													__ecx =  *(__ebp + 0x68);
            													__edx = __ebx + __ebx;
            													__esi = __edx +  *(__ebp + 0x20);
            													__eax =  *__esi & 0x0000ffff;
            													__edi = __ax & 0x0000ffff;
            													__ecx =  *(__ebp + 0x68) >> 0xb;
            													__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            													__eflags =  *(__ebp + 0x6c) - __ecx;
            													 *(__ebp + 0x24) = __esi;
            													if( *(__ebp + 0x6c) >= __ecx) {
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            														 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            														__cx = __ax;
            														__cx = __ax >> 5;
            														__ax = __ax - __cx;
            														__eflags = __ax;
            														 *__esi = __ax;
            														__ebx = __edx + 1;
            													} else {
            														 *(__ebp + 0x68) = __ecx;
            														0x800 = 0x800 - __edi;
            														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            														 *__esi = __cx;
            														__ebx = __ebx + __ebx;
            													}
            													__eflags =  *(__ebp + 0x68) - 0x1000000;
            													 *(__ebp + 0x34) = __ebx;
            													if( *(__ebp + 0x68) >= 0x1000000) {
            														continue;
            													} else {
            														L55:
            														goto L48;
            													}
            													goto L175;
            												}
            												L56:
            												_t167 = __ebp + 0x44;
            												 *_t167 =  *(__ebp + 0x44) & 0x00000000;
            												__eflags =  *_t167;
            												goto L57;
            											}
            											goto L175;
            										case 0xf:
            											L60:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												L164:
            												 *(__ebp - 0x10) = 0xf;
            												goto L173;
            											} else {
            												L61:
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t197 = __ebp + 8;
            												 *_t197 =  *(__ebp + 8) + 1;
            												__eflags =  *_t197;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												L62:
            												__eflags = __ebx - 0x100;
            												if(__ebx >= 0x100) {
            													L57:
            													__al =  *(__ebp + 0x34);
            													 *(__ebp + 0x1c) =  *(__ebp + 0x34);
            													goto L58;
            												} else {
            													L63:
            													__eax =  *(__ebp + 0x20);
            													__ecx =  *(__ebp + 0x68);
            													__edx = __ebx + __ebx;
            													__esi = __edx +  *(__ebp + 0x20);
            													__eax =  *__esi & 0x0000ffff;
            													__edi = __ax & 0x0000ffff;
            													__ecx =  *(__ebp + 0x68) >> 0xb;
            													__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            													__eflags =  *(__ebp + 0x6c) - __ecx;
            													 *(__ebp + 0x24) = __esi;
            													if( *(__ebp + 0x6c) >= __ecx) {
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            														 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            														__cx = __ax;
            														__cx = __ax >> 5;
            														__ax = __ax - __cx;
            														__eflags = __ax;
            														 *__esi = __ax;
            														__ebx = __edx + 1;
            													} else {
            														 *(__ebp + 0x68) = __ecx;
            														0x800 = 0x800 - __edi;
            														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            														 *__esi = __cx;
            														__ebx = __ebx + __ebx;
            													}
            													__eflags =  *(__ebp + 0x68) - 0x1000000;
            													 *(__ebp + 0x34) = __ebx;
            													if( *(__ebp + 0x68) >= 0x1000000) {
            														goto L62;
            													} else {
            														L67:
            														goto L60;
            													}
            												}
            											}
            											goto L175;
            										case 0x10:
            											L112:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												L168:
            												 *(__ebp - 0x10) = 0x10;
            												goto L173;
            											} else {
            												L113:
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t350 = __ebp + 8;
            												 *_t350 =  *(__ebp + 8) + 1;
            												__eflags =  *_t350;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												goto L114;
            											}
            											goto L175;
            										case 0x11:
            											L71:
            											__esi =  *(__ebp + 0x20);
            											 *(__ebp - 0xc) = 0x12;
            											while(1) {
            												L134:
            												 *(_t596 + 0x24) = _t589;
            												goto L135;
            											}
            										case 0x12:
            											L131:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												L133:
            												 *(__ebp + 0x20) =  *(__ebp + 0x20) + 2;
            												__eflags =  *(__ebp + 0x20) + 2;
            												 *(__ebp - 0xc) = 0x13;
            												while(1) {
            													L134:
            													 *(_t596 + 0x24) = _t589;
            													goto L135;
            												}
            											} else {
            												L132:
            												__eax =  *(__ebp + 0x2c);
            												 *(__ebp + 0x48) =  *(__ebp + 0x48) & 0x00000000;
            												__ecx =  *(__ebp + 0x20);
            												__eax =  *(__ebp + 0x2c) << 4;
            												__eax =  *(__ebp + 0x20) + ( *(__ebp + 0x2c) << 4) + 4;
            												goto L144;
            											}
            											goto L175;
            										case 0x13:
            											L142:
            											__eflags =  *(__ebp + 0x38);
            											if( *(__ebp + 0x38) != 0) {
            												L145:
            												_t451 = __ebp + 0x20;
            												 *_t451 =  *(__ebp + 0x20) + 0x204;
            												__eflags =  *_t451;
            												 *(__ebp + 0x48) = 0x10;
            												 *(__ebp + 0x38) = 8;
            											} else {
            												L143:
            												__eax =  *(__ebp + 0x2c);
            												__ecx =  *(__ebp + 0x20);
            												__eax =  *(__ebp + 0x2c) << 4;
            												__eflags = __eax;
            												 *(__ebp + 0x48) = 8;
            												__eax =  *(__ebp + 0x20) + __eax + 0x104;
            												L144:
            												 *(__ebp + 0x20) = __eax;
            												 *(__ebp + 0x38) = 3;
            											}
            											L146:
            											 *(__ebp - 4) = 0x14;
            											goto L147;
            										case 0x14:
            											L158:
            											_t492 = __ebp + 0x48;
            											 *_t492 =  *(__ebp + 0x48) + __ebx;
            											__eflags =  *_t492;
            											__eax =  *(__ebp - 8);
            											L159:
            											 *(_t596 - 0x10) = _t516;
            											goto L2;
            										case 0x15:
            											L92:
            											__eax = 0;
            											__eflags =  *(__ebp + 0x40) - 7;
            											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            											(__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            											 *(__ebp + 0x40) = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            											goto L123;
            										case 0x16:
            											L93:
            											__eax =  *(__ebp + 0x48);
            											__eflags = __eax - 4;
            											if(__eax >= 4) {
            												_push(3);
            												_pop(__eax);
            											}
            											__eax = __eax << 7;
            											 *(__ebp + 0x20) = __eax;
            											 *(__ebp + 0x38) = 6;
            											 *(__ebp - 4) = 0x19;
            											goto L147;
            										case 0x17:
            											L147:
            											__eax =  *(__ebp + 0x38);
            											 *(__ebp + 0x28) = 1;
            											 *(__ebp + 0x30) =  *(__ebp + 0x38);
            											goto L151;
            										case 0x18:
            											L148:
            											__eflags =  *(__ebp + 0xc);
            											if( *(__ebp + 0xc) == 0) {
            												L172:
            												 *(__ebp - 0x10) = 0x18;
            												goto L173;
            											} else {
            												L149:
            												__ecx =  *(__ebp + 8);
            												__eax =  *(__ebp + 0x6c);
            												__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            												 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            												 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												_t466 = __ebp + 8;
            												 *_t466 =  *(__ebp + 8) + 1;
            												__eflags =  *_t466;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            												L150:
            												_t469 = __ebp + 0x30;
            												 *_t469 =  *(__ebp + 0x30) - 1;
            												__eflags =  *_t469;
            												__edx =  *(__ebp + 0x74);
            												L151:
            												__eflags =  *(__ebp + 0x30);
            												if( *(__ebp + 0x30) <= 0) {
            													L157:
            													__ecx =  *(__ebp + 0x38);
            													__ebx =  *(__ebp + 0x28);
            													0 = 1;
            													__eax = 1 << __cl;
            													__ebx =  *(__ebp + 0x28) - (1 << __cl);
            													__eax =  *(__ebp - 4);
            													 *(__ebp + 0x34) = __ebx;
            													while(1) {
            														L159:
            														 *(_t596 - 0x10) = _t516;
            														goto L2;
            													}
            												} else {
            													L152:
            													__edx =  *(__ebp + 0x28);
            													__eax =  *(__ebp + 0x20);
            													__ecx =  *(__ebp + 0x68);
            													__edx =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            													__esi = __edx +  *(__ebp + 0x20);
            													__eax =  *__esi & 0x0000ffff;
            													__edi = __ax & 0x0000ffff;
            													__ecx =  *(__ebp + 0x68) >> 0xb;
            													__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            													__eflags =  *(__ebp + 0x6c) - __ecx;
            													 *(__ebp + 0x24) = __esi;
            													if( *(__ebp + 0x6c) >= __ecx) {
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            														 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            														__cx = __ax;
            														__cx = __ax >> 5;
            														__ax = __ax - __cx;
            														__edx = __edx + 1;
            														__eflags = __edx;
            														 *__esi = __ax;
            														 *(__ebp + 0x28) = __edx;
            													} else {
            														 *(__ebp + 0x68) = __ecx;
            														0x800 = 0x800 - __edi;
            														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            														 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            														 *__esi = __cx;
            													}
            													__eflags =  *(__ebp + 0x68) - 0x1000000;
            													if( *(__ebp + 0x68) >= 0x1000000) {
            														goto L150;
            													} else {
            														L156:
            														goto L148;
            													}
            												}
            											}
            											goto L175;
            										case 0x19:
            											L96:
            											__eflags = __ebx - 4;
            											if(__ebx < 4) {
            												L100:
            												 *(__ebp + 0x4c) = __ebx;
            												goto L122;
            											} else {
            												L97:
            												__ecx = __ebx;
            												__ebx = __ebx & 0x00000001;
            												__ecx = __ebx >> 1;
            												__ecx = (__ebx >> 1) - 1;
            												__eax = __ebx & 0x00000001 | 0x00000002;
            												__eax = (__ebx & 0x00000001 | 0x00000002) << __cl;
            												__eflags = __ebx - 0xe;
            												 *(__ebp + 0x4c) = __eax;
            												if(__ebx >= 0xe) {
            													L99:
            													__ebx = 0;
            													 *(__ebp + 0x30) = __ecx;
            													L105:
            													__eflags =  *(__ebp + 0x30);
            													if( *(__ebp + 0x30) <= 0) {
            														L110:
            														__eax = __eax + __ebx;
            														__edx = __edx + 0x644;
            														__eflags = __edx;
            														 *(__ebp + 0x4c) = __eax;
            														 *(__ebp + 0x20) = __edx;
            														 *(__ebp + 0x38) = 4;
            														goto L111;
            													} else {
            														L106:
            														__ecx =  *(__ebp + 0x6c);
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) >> 1;
            														__ebx = __ebx + __ebx;
            														__eflags = __ecx -  *(__ebp + 0x68);
            														 *(__ebp + 0x34) = __ebx;
            														if(__ecx >=  *(__ebp + 0x68)) {
            															__ecx = __ecx -  *(__ebp + 0x68);
            															__ebx = __ebx | 0x00000001;
            															__eflags = __ebx;
            															 *(__ebp + 0x6c) = __ecx;
            															 *(__ebp + 0x34) = __ebx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															L104:
            															_t325 = __ebp + 0x30;
            															 *_t325 =  *(__ebp + 0x30) - 1;
            															__eflags =  *_t325;
            															goto L105;
            														} else {
            															L109:
            															L102:
            															__eflags =  *(__ebp + 0xc);
            															if( *(__ebp + 0xc) == 0) {
            																L167:
            																 *(__ebp - 0x10) = 0xc;
            																goto L173;
            															} else {
            																L103:
            																__edi =  *(__ebp + 8);
            																__ecx =  *(__ebp + 0x6c);
            																__edi =  *( *(__ebp + 8)) & 0x000000ff;
            																 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            																 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            																 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																_t322 = __ebp + 8;
            																 *_t322 =  *(__ebp + 8) + 1;
            																__eflags =  *_t322;
            																 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            																goto L104;
            															}
            														}
            													}
            												} else {
            													L98:
            													__eax = __eax - __ebx;
            													 *(__ebp + 0x20) = __eax;
            													 *(__ebp + 0x38) = __ecx;
            													L111:
            													__ebx = 0;
            													 *(__ebp + 0x28) = 1;
            													 *(__ebp + 0x34) = 0;
            													 *(__ebp + 0x30) = 0;
            													L115:
            													__eax =  *(__ebp + 0x38);
            													__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            													if( *(__ebp + 0x30) >=  *(__ebp + 0x38)) {
            														L121:
            														_t375 = __ebp + 0x4c;
            														 *_t375 =  *(__ebp + 0x4c) + __ebx;
            														__eflags =  *_t375;
            														L122:
            														_t377 = __ebp + 0x4c;
            														 *_t377 =  *(__ebp + 0x4c) + 1;
            														__eflags =  *_t377;
            														L123:
            														__eax =  *(__ebp + 0x4c);
            														__eflags = __eax;
            														if(__eax == 0) {
            															L169:
            															 *(__ebp + 0x48) =  *(__ebp + 0x48) | 0xffffffff;
            															goto L173;
            														} else {
            															L124:
            															__eflags = __eax -  *(__ebp + 0x18);
            															if(__eax >  *(__ebp + 0x18)) {
            																goto L174;
            															} else {
            																L125:
            																 *(__ebp + 0x48) =  *(__ebp + 0x48) + 2;
            																__eax =  *(__ebp + 0x48);
            																_t384 = __ebp + 0x18;
            																 *_t384 =  *(__ebp + 0x18) +  *(__ebp + 0x48);
            																__eflags =  *_t384;
            																goto L126;
            															}
            														}
            													} else {
            														L116:
            														__edi =  *(__ebp + 0x28);
            														__eax =  *(__ebp + 0x20);
            														__edx =  *(__ebp + 0x68);
            														__edi =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            														__esi = __edi +  *(__ebp + 0x20);
            														__eax =  *__esi & 0x0000ffff;
            														__ecx = __ax & 0x0000ffff;
            														__edx =  *(__ebp + 0x68) >> 0xb;
            														__edx = ( *(__ebp + 0x68) >> 0xb) * __ecx;
            														__eflags =  *(__ebp + 0x6c) - __edx;
            														 *(__ebp + 0x24) = __esi;
            														if( *(__ebp + 0x6c) >= __edx) {
            															 *(__ebp + 0x68) =  *(__ebp + 0x68) - __edx;
            															 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __edx;
            															0 = 1;
            															__ebx = 1;
            															__ecx =  *(__ebp + 0x30);
            															__ebx = 1 << __cl;
            															__ecx = 1 << __cl;
            															__ebx =  *(__ebp + 0x34);
            															__ebx =  *(__ebp + 0x34) | 1 << __cl;
            															__cx = __ax;
            															__cx = __ax >> 5;
            															__ax = __ax - __cx;
            															__edi = __edi + 1;
            															__eflags = __edi;
            															 *(__ebp + 0x34) = __ebx;
            															 *__esi = __ax;
            															 *(__ebp + 0x28) = __edi;
            														} else {
            															 *(__ebp + 0x68) = __edx;
            															0x800 = 0x800 - __ecx;
            															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
            															 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            															 *__esi = __dx;
            														}
            														__eflags =  *(__ebp + 0x68) - 0x1000000;
            														if( *(__ebp + 0x68) >= 0x1000000) {
            															L114:
            															_t353 = __ebp + 0x30;
            															 *_t353 =  *(__ebp + 0x30) + 1;
            															__eflags =  *_t353;
            															goto L115;
            														} else {
            															L120:
            															goto L112;
            														}
            													}
            												}
            											}
            											goto L175;
            										case 0x1a:
            											L58:
            											__eflags =  *(__ebp + 0x14);
            											if( *(__ebp + 0x14) == 0) {
            												L165:
            												 *(__ebp - 0x10) = 0x1a;
            												goto L173;
            											} else {
            												L59:
            												__al =  *(__ebp + 0x1c);
            												__ecx =  *(__ebp + 0x10);
            												__edx =  *(__ebp + 0x70);
            												 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            												 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            												 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            												 *( *(__ebp + 0x10)) = __al;
            												__ecx =  *(__ebp + 0x64);
            												 *((char*)(__ecx +  *(__ebp + 0x70))) = __al;
            												__eax = __ecx + 1;
            												__edx = 0;
            												_t186 = __eax %  *(__ebp + 4);
            												__eax = __eax /  *(__ebp + 4);
            												__edx = _t186;
            												goto L81;
            											}
            											goto L175;
            										case 0x1b:
            											L77:
            											__eflags =  *(__ebp + 0x14);
            											if( *(__ebp + 0x14) == 0) {
            												L166:
            												 *(__ebp - 0x10) = 0x1b;
            												goto L173;
            											} else {
            												L78:
            												__eax =  *(__ebp + 0x64);
            												__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            												__eflags = __eax -  *(__ebp + 4);
            												if(__eax >=  *(__ebp + 4)) {
            													__eax = __eax +  *(__ebp + 4);
            													__eflags = __eax;
            												}
            												__edx =  *(__ebp + 0x70);
            												__cl =  *(__eax + __edx);
            												__eax =  *(__ebp + 0x64);
            												 *(__eax + __edx) = __cl;
            												__eax = __eax + 1;
            												__edx = 0;
            												_t262 = __eax %  *(__ebp + 4);
            												__eax = __eax /  *(__ebp + 4);
            												__edx = _t262;
            												 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            												__eax =  *(__ebp + 0x10);
            												 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            												_t271 = __ebp + 0x14;
            												 *_t271 =  *(__ebp + 0x14) - 1;
            												__eflags =  *_t271;
            												 *(__ebp + 0x1c) = __cl;
            												 *__eax = __cl;
            												L81:
            												 *(__ebp + 0x64) = __edx;
            												goto L82;
            											}
            											goto L175;
            										case 0x1c:
            											while(1) {
            												L126:
            												__eflags =  *(__ebp + 0x14);
            												if( *(__ebp + 0x14) == 0) {
            													break;
            												}
            												L127:
            												__eax =  *(__ebp + 0x64);
            												__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            												__eflags = __eax -  *(__ebp + 4);
            												if(__eax >=  *(__ebp + 4)) {
            													__eax = __eax +  *(__ebp + 4);
            													__eflags = __eax;
            												}
            												__edx =  *(__ebp + 0x70);
            												__cl =  *(__eax + __edx);
            												__eax =  *(__ebp + 0x64);
            												 *(__eax + __edx) = __cl;
            												__eax = __eax + 1;
            												__edx = 0;
            												_t397 = __eax %  *(__ebp + 4);
            												__eax = __eax /  *(__ebp + 4);
            												__edx = _t397;
            												__eax =  *(__ebp + 0x10);
            												 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            												 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            												 *(__ebp + 0x48) =  *(__ebp + 0x48) - 1;
            												__eflags =  *(__ebp + 0x48);
            												 *(__ebp + 0x1c) = __cl;
            												 *__eax = __cl;
            												 *(__ebp + 0x64) = __edx;
            												if( *(__ebp + 0x48) > 0) {
            													continue;
            												} else {
            													L130:
            													L82:
            													 *(__ebp - 0x10) = 2;
            													goto L2;
            												}
            												goto L175;
            											}
            											L170:
            											 *(__ebp - 0x10) = 0x1c;
            											goto L173;
            									}
            								}
            								L174:
            								_t518 = _t517 | 0xffffffff;
            								goto L175;
            							}
            						}
            					}
            				}
            			}














            0x00407f30
            0x00000000
            0x00407f36
            0x00407f36
            0x00407f36
            0x00407f3c
            0x00000000
            0x00407f42
            0x00407f42
            0x00407f42
            0x00407f46
            0x00407f49
            0x00407f4c
            0x00407f4f
            0x00407f52
            0x00407f53
            0x00407f58
            0x00407f5b
            0x00407f5e
            0x00407f61
            0x00407f64
            0x00407f67
            0x00407f6a
            0x00407f6d
            0x00407f70
            0x00407f8c
            0x00407f8f
            0x00407f92
            0x00407f95
            0x00407f99
            0x00407f99
            0x00407f9c
            0x00407fa3
            0x00407fa6
            0x00407f72
            0x00407f72
            0x00407f76
            0x00407f7e
            0x00407f83
            0x00407f85
            0x00407f88
            0x00407f88
            0x00407faa
            0x00407fb1
            0x00407fb4
            0x00000000
            0x00407fba
            0x00407fba
            0x00000000
            0x00407fba
            0x00407fb4
            0x00407f3c
            0x00407f30
            0x00000000
            0x00000000
            0x00407fbf
            0x00407fbf
            0x00407fc3
            0x00408647
            0x00408647
            0x00000000
            0x00407fc9
            0x00407fc9
            0x00407fc9
            0x00407fcc
            0x00407fcf
            0x00407fd2
            0x00407fd6
            0x00407fdc
            0x00407fde
            0x00407fde
            0x00407fde
            0x00407fe1
            0x00407fe4
            0x00407fe4
            0x00407fe4
            0x00407fea
            0x00000000
            0x00000000
            0x00407fec
            0x00407fec
            0x00407fef
            0x00407ff2
            0x00407ff5
            0x00407ff8
            0x00407ffb
            0x00407ffe
            0x00408001
            0x00408004
            0x00408007
            0x0040800a
            0x00408022
            0x00408025
            0x00408028
            0x0040802b
            0x0040802f
            0x0040802f
            0x00408032
            0x00408035
            0x0040800c
            0x0040800c
            0x00408014
            0x00408019
            0x0040801b
            0x0040801e
            0x0040801e
            0x00408038
            0x0040803f
            0x00408042
            0x00000000
            0x00408044
            0x00408044
            0x00000000
            0x00408044
            0x00000000
            0x00408042
            0x00408049
            0x00408049
            0x00408049
            0x00408049
            0x00000000
            0x00408049
            0x00000000
            0x00000000
            0x00408084
            0x00408084
            0x00408088
            0x00408650
            0x00408650
            0x00000000
            0x0040808e
            0x0040808e
            0x0040808e
            0x00408091
            0x00408094
            0x00408097
            0x0040809b
            0x004080a1
            0x004080a3
            0x004080a3
            0x004080a3
            0x004080a6
            0x004080a9
            0x004080a9
            0x004080af
            0x0040804d
            0x0040804d
            0x00408050
            0x00000000
            0x004080b1
            0x004080b1
            0x004080b1
            0x004080b4
            0x004080b7
            0x004080ba
            0x004080bd
            0x004080c0
            0x004080c3
            0x004080c6
            0x004080c9
            0x004080cc
            0x004080cf
            0x004080e7
            0x004080ea
            0x004080ed
            0x004080f0
            0x004080f4
            0x004080f4
            0x004080f7
            0x004080fa
            0x004080d1
            0x004080d1
            0x004080d9
            0x004080de
            0x004080e0
            0x004080e3
            0x004080e3
            0x004080fd
            0x00408104
            0x00408107
            0x00000000
            0x00408109
            0x00408109
            0x00000000
            0x00408109
            0x00408107
            0x004080af
            0x00000000
            0x00000000
            0x0040836f
            0x0040836f
            0x00408373
            0x00408674
            0x00408674
            0x00000000
            0x00408379
            0x00408379
            0x00408379
            0x0040837c
            0x0040837f
            0x00408382
            0x00408386
            0x0040838c
            0x0040838e
            0x0040838e
            0x0040838e
            0x00408391
            0x00000000
            0x00408391
            0x00000000
            0x00000000
            0x0040815f
            0x0040815f
            0x00408162
            0x004084a7
            0x004084a7
            0x004084a7
            0x00000000
            0x004084a7
            0x00000000
            0x0040847e
            0x0040847e
            0x00408482
            0x0040849a
            0x0040849d
            0x0040849d
            0x004084a0
            0x004084a7
            0x004084a7
            0x004084a7
            0x00000000
            0x004084a7
            0x00408484
            0x00408484
            0x00408484
            0x00408487
            0x0040848b
            0x0040848e
            0x00408491
            0x00000000
            0x00408491
            0x00000000
            0x00000000
            0x00408526
            0x00408526
            0x0040852a
            0x0040854f
            0x0040854f
            0x0040854f
            0x0040854f
            0x00408556
            0x0040855d
            0x0040852c
            0x0040852c
            0x0040852c
            0x0040852f
            0x00408532
            0x00408532
            0x00408535
            0x0040853c
            0x00408543
            0x00408543
            0x00408546
            0x00408546
            0x00408564
            0x00408564
            0x00000000
            0x00000000
            0x0040861e
            0x0040861e
            0x0040861e
            0x0040861e
            0x00408621
            0x00408624
            0x00408624
            0x00000000
            0x00000000
            0x00408269
            0x00408269
            0x0040826b
            0x00408272
            0x00408276
            0x00408279
            0x00000000
            0x00000000
            0x00408281
            0x00408281
            0x00408284
            0x00408287
            0x00408289
            0x0040828b
            0x0040828b
            0x0040828c
            0x00408296
            0x00408299
            0x004082a0
            0x00000000
            0x00000000
            0x0040856b
            0x0040856b
            0x0040856e
            0x00408575
            0x00000000
            0x00000000
            0x0040857a
            0x0040857a
            0x0040857e
            0x00408695
            0x00408695
            0x00000000
            0x00408584
            0x00408584
            0x00408584
            0x00408587
            0x0040858a
            0x0040858d
            0x00408591
            0x00408597
            0x00408599
            0x00408599
            0x00408599
            0x0040859c
            0x0040859f
            0x0040859f
            0x0040859f
            0x0040859f
            0x004085a2
            0x004085a5
            0x004085a5
            0x004085a9
            0x00408609
            0x00408609
            0x0040860c
            0x00408611
            0x00408612
            0x00408614
            0x00408616
            0x00408619
            0x00408624
            0x00408624
            0x00408624
            0x00000000
            0x00408627
            0x004085ab
            0x004085ab
            0x004085ab
            0x004085ae
            0x004085b1
            0x004085b4
            0x004085b6
            0x004085b9
            0x004085bc
            0x004085bf
            0x004085c2
            0x004085c5
            0x004085c8
            0x004085cb
            0x004085e4
            0x004085e7
            0x004085ea
            0x004085ed
            0x004085f1
            0x004085f4
            0x004085f4
            0x004085f5
            0x004085f8
            0x004085cd
            0x004085cd
            0x004085d5
            0x004085da
            0x004085dc
            0x004085df
            0x004085df
            0x004085fb
            0x00408602
            0x00000000
            0x00408604
            0x00408604
            0x00000000
            0x00408604
            0x00408602
            0x004085a9
            0x00000000
            0x00000000
            0x004082ac
            0x004082ac
            0x004082af
            0x004082e6
            0x004082e6
            0x00000000
            0x004082b1
            0x004082b1
            0x004082b1
            0x004082b5
            0x004082b8
            0x004082ba
            0x004082bb
            0x004082be
            0x004082c0
            0x004082c3
            0x004082c6
            0x004082dc
            0x004082dc
            0x004082e1
            0x00408319
            0x00408319
            0x0040831d
            0x00408346
            0x00408349
            0x0040834b
            0x0040834b
            0x00408351
            0x00408354
            0x00408357
            0x00000000
            0x0040831f
            0x0040831f
            0x0040831f
            0x00408322
            0x00408325
            0x00408327
            0x0040832a
            0x0040832d
            0x0040832f
            0x00408332
            0x00408332
            0x00408335
            0x00408338
            0x00408338
            0x0040833b
            0x00408342
            0x00408316
            0x00408316
            0x00408316
            0x00408316
            0x00000000
            0x00408344
            0x00408344
            0x004082f1
            0x004082f1
            0x004082f5
            0x0040866b
            0x0040866b
            0x00000000
            0x004082fb
            0x004082fb
            0x004082fb
            0x004082fe
            0x00408301
            0x00408304
            0x00408308
            0x0040830e
            0x00408310
            0x00408310
            0x00408310
            0x00408313
            0x00000000
            0x00408313
            0x004082f5
            0x00408342
            0x004082c8
            0x004082c8
            0x004082c8
            0x004082d1
            0x004082d4
            0x0040835e
            0x0040835e
            0x00408360
            0x00408367
            0x0040836a
            0x00408397
            0x00408397
            0x0040839a
            0x0040839d
            0x00408411
            0x00408411
            0x00408411
            0x00408411
            0x00408414
            0x00408414
            0x00408414
            0x00408414
            0x00408417
            0x00408417
            0x0040841a
            0x0040841c
            0x0040867d
            0x0040867d
            0x00000000
            0x00408422
            0x00408422
            0x00408422
            0x00408425
            0x00000000
            0x0040842b
            0x0040842b
            0x0040842b
            0x0040842f
            0x00408432
            0x00408432
            0x00408432
            0x00000000
            0x00408432
            0x00408425
            0x0040839f
            0x0040839f
            0x0040839f
            0x004083a2
            0x004083a5
            0x004083a8
            0x004083aa
            0x004083ad
            0x004083b0
            0x004083b3
            0x004083b6
            0x004083b9
            0x004083bc
            0x004083bf
            0x004083d8
            0x004083db
            0x004083e0
            0x004083e1
            0x004083e3
            0x004083e6
            0x004083e8
            0x004083ea
            0x004083ed
            0x004083ef
            0x004083f2
            0x004083f6
            0x004083f9
            0x004083f9
            0x004083fa
            0x004083fd
            0x00408400
            0x004083c1
            0x004083c1
            0x004083c9
            0x004083ce
            0x004083d0
            0x004083d3
            0x004083d3
            0x00408403
            0x0040840a
            0x00408394
            0x00408394
            0x00408394
            0x00408394
            0x00000000
            0x0040840c
            0x0040840c
            0x00000000
            0x0040840c
            0x0040840a
            0x0040839d
            0x004082c6
            0x00000000
            0x00000000
            0x00408053
            0x00408053
            0x00408057
            0x00408659
            0x00408659
            0x00000000
            0x0040805d
            0x0040805d
            0x0040805d
            0x00408060
            0x00408063
            0x00408066
            0x00408069
            0x0040806c
            0x0040806f
            0x00408071
            0x00408074
            0x00408077
            0x0040807a
            0x0040807c
            0x0040807c
            0x0040807c
            0x00000000
            0x0040807c
            0x00000000
            0x00000000
            0x004081c6
            0x004081c6
            0x004081ca
            0x00408662
            0x00408662
            0x00000000
            0x004081d0
            0x004081d0
            0x004081d0
            0x004081d3
            0x004081d6
            0x004081d9
            0x004081db
            0x004081db
            0x004081db
            0x004081de
            0x004081e1
            0x004081e4
            0x004081e7
            0x004081ea
            0x004081eb
            0x004081ed
            0x004081ed
            0x004081ed
            0x004081f0
            0x004081f3
            0x004081f6
            0x004081f9
            0x004081f9
            0x004081f9
            0x004081fc
            0x004081ff
            0x00408201
            0x00408201
            0x00000000
            0x00408201
            0x00000000
            0x00000000
            0x00408435
            0x00408435
            0x00408435
            0x00408439
            0x00000000
            0x00000000
            0x0040843f
            0x0040843f
            0x00408442
            0x00408445
            0x00408448
            0x0040844a
            0x0040844a
            0x0040844a
            0x0040844d
            0x00408450
            0x00408453
            0x00408456
            0x00408459
            0x0040845a
            0x0040845c
            0x0040845c
            0x0040845c
            0x0040845f
            0x00408462
            0x00408465
            0x00408468
            0x0040846b
            0x0040846f
            0x00408472
            0x00408474
            0x00408477
            0x00000000
            0x00408479
            0x00408479
            0x00408204
            0x00408204
            0x00000000
            0x00407cfd
            0x00000000
            0x00408477
            0x00408683
            0x00408683
            0x00000000
            0x00000000
            0x00407d0c
            0x004086ab
            0x004086ab
            0x00000000
            0x004086ab
            0x00408624
            0x004084aa
            0x004084a7

            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6f761476e996ed2004dfd77cb59c15c700db9ab59434e6bfb83475370b55dd52
            • Instruction ID: a67f793f66027c493f0f2a4c4e8886926154f44bf382d16c8d5edc609152bc7f
            • Opcode Fuzzy Hash: 6f761476e996ed2004dfd77cb59c15c700db9ab59434e6bfb83475370b55dd52
            • Instruction Fuzzy Hash: 6D616571900248EBEF68CF19C944BAD3BB1FF44355F11812AFC5AAA291C738E985CF85
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E0040861E(void* __ebx) {
            				signed int _t514;
            				signed int _t515;
            				void _t535;
            				intOrPtr* _t596;
            
            				L0:
            				while(1) {
            					L0:
            					 *((intOrPtr*)(_t596 + 0x48)) =  *((intOrPtr*)(_t596 + 0x48)) + __ebx;
            					while(1) {
            						L159:
            						 *(_t596 - 0x10) = _t535;
            						while(1) {
            							L2:
            							_t514 =  *(_t596 - 0x10);
            							if(_t514 > 0x1c) {
            								break;
            							}
            							L3:
            							switch( *((intOrPtr*)(_t514 * 4 +  &M004086B6))) {
            								case 0:
            									L4:
            									if( *(_t596 + 0xc) == 0) {
            										goto L173;
            									} else {
            										L5:
            										 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            										_t514 =  *( *(_t596 + 8));
            										 *(_t596 + 8) =  &(( *(_t596 + 8))[1]);
            										if(_t514 > 0xe1) {
            											goto L174;
            										} else {
            											L6:
            											_t518 = _t514 & 0x000000ff;
            											asm("cdq");
            											_push(0x2d);
            											_pop(_t546);
            											_push(9);
            											_pop(_t547);
            											_t591 = _t518 / _t546;
            											_t520 = _t518 % _t546 & 0x000000ff;
            											asm("cdq");
            											_t586 = _t520 % _t547 & 0x000000ff;
            											 *(_t596 + 0x3c) = _t586;
            											 *(_t596 + 0x5c) = (1 << _t591) - 1;
            											 *((intOrPtr*)(_t596 + 0x60)) = (1 << _t520 / _t547) - 1;
            											_t594 = (0x300 << _t586 + _t591) + 0x736;
            											if(0x600 ==  *_t596) {
            												L11:
            												if(_t594 != 0) {
            													do {
            														L12:
            														_t594 = _t594 - 1;
            														 *((short*)( *(_t596 + 0x74) + _t594 * 2)) = 0x400;
            													} while (_t594 != 0);
            												}
            												L13:
            												 *(_t596 + 0x30) =  *(_t596 + 0x30) & 0x00000000;
            												 *(_t596 + 0x38) =  *(_t596 + 0x38) & 0x00000000;
            												goto L16;
            											} else {
            												L7:
            												if( *(_t596 + 0x74) != 0) {
            													GlobalFree( *(_t596 + 0x74)); // executed
            												}
            												_t514 = GlobalAlloc(0x40, 0x600); // executed
            												 *(_t596 + 0x74) = _t514;
            												if(_t514 == 0) {
            													goto L174;
            												} else {
            													L10:
            													 *_t596 = 0x600;
            													goto L11;
            												}
            											}
            										}
            									}
            									goto L175;
            								case 1:
            									L14:
            									__eflags =  *(_t596 + 0xc);
            									if( *(_t596 + 0xc) == 0) {
            										L160:
            										 *(_t596 - 0x10) = 1;
            										goto L173;
            									} else {
            										L15:
            										 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            										 *(_t596 + 0x38) =  *(_t596 + 0x38) | ( *( *(_t596 + 8)) & 0x000000ff) <<  *(_t596 + 0x30) << 0x00000003;
            										 *(_t596 + 8) =  &(( *(_t596 + 8))[1]);
            										_t46 = _t596 + 0x30;
            										 *_t46 =  *(_t596 + 0x30) + 1;
            										__eflags =  *_t46;
            										L16:
            										if( *(_t596 + 0x30) < 4) {
            											goto L14;
            										} else {
            											L17:
            											_t525 =  *(_t596 + 0x38);
            											if(_t525 ==  *(_t596 + 4)) {
            												L21:
            												 *((char*)( *(_t596 + 0x70) +  *(_t596 + 4) - 1)) = 0;
            												 *(_t596 + 0x30) = 5;
            												goto L24;
            											} else {
            												L18:
            												 *(_t596 + 4) = _t525;
            												if( *(_t596 + 0x70) != 0) {
            													GlobalFree( *(_t596 + 0x70)); // executed
            												}
            												_t514 = GlobalAlloc(0x40,  *(_t596 + 0x38)); // executed
            												 *(_t596 + 0x70) = _t514;
            												if(_t514 == 0) {
            													goto L174;
            												} else {
            													goto L21;
            												}
            											}
            										}
            									}
            									goto L175;
            								case 2:
            									L26:
            									_t532 =  *(_t596 + 0x18) &  *(_t596 + 0x5c);
            									 *(_t596 + 0x2c) = _t532;
            									_t595 = _t581 + (( *(_t596 + 0x40) << 4) + _t532) * 2;
            									 *(_t596 - 0xc) = 6;
            									goto L135;
            								case 3:
            									L22:
            									__eflags =  *(_t596 + 0xc);
            									if( *(_t596 + 0xc) == 0) {
            										L161:
            										 *(_t596 - 0x10) = 3;
            										goto L173;
            									} else {
            										L23:
            										 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            										_t66 = _t596 + 8;
            										 *_t66 =  &(( *(_t596 + 8))[1]);
            										__eflags =  *_t66;
            										 *(_t596 + 0x6c) =  *(_t596 + 0x6c) << 0x00000008 |  *( *(_t596 + 8)) & 0x000000ff;
            										L24:
            										 *(_t596 + 0x30) =  *(_t596 + 0x30) - 1;
            										if( *(_t596 + 0x30) != 0) {
            											goto L22;
            										} else {
            											L25:
            											_t581 =  *(_t596 + 0x74);
            											goto L26;
            										}
            									}
            									goto L175;
            								case 4:
            									L136:
            									_t533 =  *_t595 & 0x0000ffff;
            									_t588 = _t533 & 0x0000ffff;
            									_t561 = ( *(_t596 + 0x68) >> 0xb) * _t588;
            									if( *(_t596 + 0x6c) >= _t561) {
            										 *(_t596 + 0x68) =  *(_t596 + 0x68) - _t561;
            										 *(_t596 + 0x6c) =  *(_t596 + 0x6c) - _t561;
            										_t534 = _t533 - (_t533 >> 5);
            										__eflags = _t534;
            										 *_t595 = _t534;
            										 *(_t596 + 0x38) = 1;
            									} else {
            										 *(_t596 + 0x68) = _t561;
            										 *(_t596 + 0x38) =  *(_t596 + 0x38) & 0x00000000;
            										 *_t595 = (0x800 - _t588 >> 5) + _t533;
            									}
            									if( *(_t596 + 0x68) >= 0x1000000) {
            										goto L142;
            									} else {
            										goto L140;
            									}
            									goto L175;
            								case 5:
            									L140:
            									if( *(_t596 + 0xc) == 0) {
            										L171:
            										 *(_t596 - 0x10) = 5;
            										goto L173;
            									} else {
            										L141:
            										 *(_t596 + 0x68) =  *(_t596 + 0x68) << 8;
            										 *(_t596 + 0xc) =  *(_t596 + 0xc) - 1;
            										 *(_t596 + 8) =  &(( *(_t596 + 8))[1]);
            										 *(_t596 + 0x6c) =  *(_t596 + 0x6c) << 0x00000008 |  *( *(_t596 + 8)) & 0x000000ff;
            										L142:
            										_t535 =  *(_t596 - 0xc);
            										L159:
            										 *(_t596 - 0x10) = _t535;
            										goto L2;
            									}
            									goto L175;
            								case 6:
            									L27:
            									__eax = 0;
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										L38:
            										__eax =  *(__ebp + 0x40);
            										 *(__ebp + 0x44) = 1;
            										__esi = __edx + 0x180 +  *(__ebp + 0x40) * 2;
            										 *(__ebp - 0xc) = 7;
            										goto L135;
            									} else {
            										L28:
            										__esi =  *(__ebp + 0x1c) & 0x000000ff;
            										 *(__ebp + 0x18) =  *(__ebp + 0x18) &  *(__ebp + 0x60);
            										_push(8);
            										_pop(__ecx);
            										__cl = __cl -  *(__ebp + 0x3c);
            										__esi = ( *(__ebp + 0x1c) & 0x000000ff) >> __cl;
            										__ecx =  *(__ebp + 0x3c);
            										__edi = ( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl;
            										__esi = (( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl);
            										__esi = ((( *(__ebp + 0x1c) & 0x000000ff) >> __cl) + (( *(__ebp + 0x18) &  *(__ebp + 0x60)) << __cl)) * 0x600;
            										__eflags =  *(__ebp + 0x40) - 4;
            										__ecx = __esi + __edx + 0xe6c;
            										 *(__ebp + 0x20) = __esi + __edx + 0xe6c;
            										if( *(__ebp + 0x40) >= 4) {
            											__eflags =  *(__ebp + 0x40) - 0xa;
            											if( *(__ebp + 0x40) >= 0xa) {
            												_t94 = __ebp + 0x40;
            												 *_t94 =  *(__ebp + 0x40) - 6;
            												__eflags =  *_t94;
            											} else {
            												 *(__ebp + 0x40) =  *(__ebp + 0x40) - 3;
            											}
            										} else {
            											 *(__ebp + 0x40) = 0;
            										}
            										__eflags =  *(__ebp + 0x44) - __eax;
            										if( *(__ebp + 0x44) == __eax) {
            											L37:
            											__ebx = 0;
            											__ebx = 1;
            											goto L63;
            										} else {
            											L34:
            											__eax =  *(__ebp + 0x64);
            											__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            											__eflags = __eax -  *(__ebp + 4);
            											if(__eax >=  *(__ebp + 4)) {
            												__eax = __eax +  *(__ebp + 4);
            												__eflags = __eax;
            											}
            											__ecx =  *(__ebp + 0x70);
            											__al =  *((intOrPtr*)(__eax + __ecx));
            											__ebx = 0;
            											 *(__ebp + 0x1d) =  *((intOrPtr*)(__eax + __ecx));
            											__ebx = 1;
            											goto L43;
            										}
            									}
            									goto L175;
            								case 7:
            									L68:
            									__eflags =  *(__ebp + 0x38) - 1;
            									if( *(__ebp + 0x38) != 1) {
            										L70:
            										__eax =  *(__ebp + 0x54);
            										 *(__ebp + 0x58) =  *(__ebp + 0x54);
            										__eax =  *(__ebp + 0x50);
            										 *(__ebp + 0x54) =  *(__ebp + 0x50);
            										__eax =  *(__ebp + 0x4c);
            										 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            										__eax = 0;
            										__eflags =  *(__ebp + 0x40) - 7;
            										 *((intOrPtr*)(__ebp - 8)) = 0x16;
            										0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            										__eax = (__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd;
            										__eax = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xa;
            										__eflags = __eax;
            										 *(__ebp + 0x40) = __eax;
            										__eax = __edx + 0x664;
            										 *(__ebp + 0x20) = __edx + 0x664;
            										goto L71;
            									} else {
            										L69:
            										__eax =  *(__ebp + 0x40);
            										__esi = __edx + 0x198 +  *(__ebp + 0x40) * 2;
            										 *(__ebp - 0xc) = 8;
            									}
            									goto L135;
            								case 8:
            									L72:
            									__eflags =  *(__ebp + 0x38);
            									__eax =  *(__ebp + 0x40);
            									if( *(__ebp + 0x38) != 0) {
            										__esi = __edx + 0x1b0 + __eax * 2;
            										 *(__ebp - 0xc) = 0xa;
            									} else {
            										__eax = __eax + 0xf;
            										__eax = __eax << 4;
            										__eax = __eax +  *(__ebp + 0x2c);
            										 *(__ebp - 0xc) = 9;
            										__esi = __edx + __eax * 2;
            									}
            									goto L135;
            								case 9:
            									L75:
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										goto L92;
            									} else {
            										L76:
            										__eflags =  *(__ebp + 0x18);
            										if( *(__ebp + 0x18) == 0) {
            											goto L174;
            										} else {
            											L77:
            											__eax = 0;
            											__eflags =  *(__ebp + 0x40) - 7;
            											_t250 =  *(__ebp + 0x40) - 7 >= 0;
            											__eflags = _t250;
            											__eax = 0 | _t250;
            											__eax = _t250 + _t250 + 9;
            											 *(__ebp + 0x40) = _t250 + _t250 + 9;
            											goto L78;
            										}
            									}
            									goto L175;
            								case 0xa:
            									L84:
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										L86:
            										__eax =  *(__ebp + 0x40);
            										__esi = __edx + 0x1c8 +  *(__ebp + 0x40) * 2;
            										 *(__ebp - 0xc) = 0xb;
            									} else {
            										L85:
            										__eax =  *(__ebp + 0x50);
            										goto L91;
            									}
            									goto L135;
            								case 0xb:
            									L87:
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										__ecx =  *(__ebp + 0x54);
            										__eax =  *(__ebp + 0x58);
            										 *(__ebp + 0x58) =  *(__ebp + 0x54);
            									} else {
            										__eax =  *(__ebp + 0x54);
            									}
            									__ecx =  *(__ebp + 0x50);
            									 *(__ebp + 0x54) =  *(__ebp + 0x50);
            									L91:
            									__ecx =  *(__ebp + 0x4c);
            									 *(__ebp + 0x50) =  *(__ebp + 0x4c);
            									 *(__ebp + 0x4c) = __eax;
            									L92:
            									__eax = __edx + 0xa68;
            									 *(__ebp + 0x20) = __edx + 0xa68;
            									 *((intOrPtr*)(__ebp - 8)) = 0x15;
            									goto L71;
            								case 0xc:
            									L102:
            									__eax =  *(__ebp + 0x4c);
            									goto L103;
            								case 0xd:
            									L39:
            									__eflags =  *(__ebp + 0xc);
            									if( *(__ebp + 0xc) == 0) {
            										L162:
            										 *(__ebp - 0x10) = 0xd;
            										goto L173;
            									} else {
            										L40:
            										__ecx =  *(__ebp + 8);
            										__eax =  *(__ebp + 0x6c);
            										__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            										 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            										 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            										 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            										_t117 = __ebp + 8;
            										 *_t117 =  *(__ebp + 8) + 1;
            										__eflags =  *_t117;
            										 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            										L41:
            										__eax =  *(__ebp + 0x38);
            										__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            										if( *(__ebp + 0x30) !=  *(__ebp + 0x38)) {
            											goto L50;
            										} else {
            											L42:
            											__eflags = __ebx - 0x100;
            											if(__ebx >= 0x100) {
            												goto L56;
            											} else {
            												L43:
            												__eax =  *(__ebp + 0x1d) & 0x000000ff;
            												 *(__ebp + 0x1d) =  *(__ebp + 0x1d) << 1;
            												__ecx =  *(__ebp + 0x20);
            												__eax = ( *(__ebp + 0x1d) & 0x000000ff) >> 7;
            												 *(__ebp + 0x30) = __eax;
            												__eax = __eax + 1;
            												__eax = __eax << 8;
            												__esi =  *(__ebp + 0x20) + __eax * 2;
            												__eax =  *__esi & 0x0000ffff;
            												__ecx =  *(__ebp + 0x68);
            												__edx = __ax & 0x0000ffff;
            												__ecx =  *(__ebp + 0x68) >> 0xb;
            												__ecx = ( *(__ebp + 0x68) >> 0xb) * __edx;
            												__eflags =  *(__ebp + 0x6c) - __ecx;
            												 *(__ebp + 0x24) = __esi;
            												if( *(__ebp + 0x6c) >= __ecx) {
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            													__cx = __ax;
            													__cx = __ax >> 5;
            													__ax = __ax - __cx;
            													__eflags = __ax;
            													 *(__ebp + 0x38) = 1;
            													 *__esi = __ax;
            													__ebx = __ebx + __ebx + 1;
            												} else {
            													 *(__ebp + 0x38) =  *(__ebp + 0x38) & 0x00000000;
            													 *(__ebp + 0x68) = __ecx;
            													0x800 = 0x800 - __edx;
            													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
            													 *__esi = __cx;
            													__ebx = __ebx + __ebx;
            												}
            												__eflags =  *(__ebp + 0x68) - 0x1000000;
            												 *(__ebp + 0x34) = __ebx;
            												if( *(__ebp + 0x68) >= 0x1000000) {
            													goto L41;
            												} else {
            													L47:
            													goto L39;
            												}
            											}
            										}
            									}
            									goto L175;
            								case 0xe:
            									L48:
            									__eflags =  *(__ebp + 0xc);
            									if( *(__ebp + 0xc) == 0) {
            										L163:
            										 *(__ebp - 0x10) = 0xe;
            										goto L173;
            									} else {
            										L49:
            										__ecx =  *(__ebp + 8);
            										__eax =  *(__ebp + 0x6c);
            										__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            										 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            										 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            										 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            										_t151 = __ebp + 8;
            										 *_t151 =  *(__ebp + 8) + 1;
            										__eflags =  *_t151;
            										 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            										while(1) {
            											L50:
            											__eflags = __ebx - 0x100;
            											if(__ebx >= 0x100) {
            												break;
            											}
            											L51:
            											__eax =  *(__ebp + 0x20);
            											__ecx =  *(__ebp + 0x68);
            											__edx = __ebx + __ebx;
            											__esi = __edx +  *(__ebp + 0x20);
            											__eax =  *__esi & 0x0000ffff;
            											__edi = __ax & 0x0000ffff;
            											__ecx =  *(__ebp + 0x68) >> 0xb;
            											__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            											__eflags =  *(__ebp + 0x6c) - __ecx;
            											 *(__ebp + 0x24) = __esi;
            											if( *(__ebp + 0x6c) >= __ecx) {
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            												__cx = __ax;
            												__cx = __ax >> 5;
            												__ax = __ax - __cx;
            												__eflags = __ax;
            												 *__esi = __ax;
            												__ebx = __edx + 1;
            											} else {
            												 *(__ebp + 0x68) = __ecx;
            												0x800 = 0x800 - __edi;
            												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            												 *__esi = __cx;
            												__ebx = __ebx + __ebx;
            											}
            											__eflags =  *(__ebp + 0x68) - 0x1000000;
            											 *(__ebp + 0x34) = __ebx;
            											if( *(__ebp + 0x68) >= 0x1000000) {
            												continue;
            											} else {
            												L55:
            												goto L48;
            											}
            											goto L175;
            										}
            										L56:
            										_t168 = __ebp + 0x44;
            										 *_t168 =  *(__ebp + 0x44) & 0x00000000;
            										__eflags =  *_t168;
            										goto L57;
            									}
            									goto L175;
            								case 0xf:
            									L60:
            									__eflags =  *(__ebp + 0xc);
            									if( *(__ebp + 0xc) == 0) {
            										L164:
            										 *(__ebp - 0x10) = 0xf;
            										goto L173;
            									} else {
            										L61:
            										__ecx =  *(__ebp + 8);
            										__eax =  *(__ebp + 0x6c);
            										__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            										 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            										 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            										 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            										_t198 = __ebp + 8;
            										 *_t198 =  *(__ebp + 8) + 1;
            										__eflags =  *_t198;
            										 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            										L62:
            										__eflags = __ebx - 0x100;
            										if(__ebx >= 0x100) {
            											L57:
            											__al =  *(__ebp + 0x34);
            											 *(__ebp + 0x1c) =  *(__ebp + 0x34);
            											goto L58;
            										} else {
            											L63:
            											__eax =  *(__ebp + 0x20);
            											__ecx =  *(__ebp + 0x68);
            											__edx = __ebx + __ebx;
            											__esi = __edx +  *(__ebp + 0x20);
            											__eax =  *__esi & 0x0000ffff;
            											__edi = __ax & 0x0000ffff;
            											__ecx =  *(__ebp + 0x68) >> 0xb;
            											__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            											__eflags =  *(__ebp + 0x6c) - __ecx;
            											 *(__ebp + 0x24) = __esi;
            											if( *(__ebp + 0x6c) >= __ecx) {
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            												__cx = __ax;
            												__cx = __ax >> 5;
            												__ax = __ax - __cx;
            												__eflags = __ax;
            												 *__esi = __ax;
            												__ebx = __edx + 1;
            											} else {
            												 *(__ebp + 0x68) = __ecx;
            												0x800 = 0x800 - __edi;
            												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            												 *__esi = __cx;
            												__ebx = __ebx + __ebx;
            											}
            											__eflags =  *(__ebp + 0x68) - 0x1000000;
            											 *(__ebp + 0x34) = __ebx;
            											if( *(__ebp + 0x68) >= 0x1000000) {
            												goto L62;
            											} else {
            												L67:
            												goto L60;
            											}
            										}
            									}
            									goto L175;
            								case 0x10:
            									L113:
            									__eflags =  *(__ebp + 0xc);
            									if( *(__ebp + 0xc) == 0) {
            										L168:
            										 *(__ebp - 0x10) = 0x10;
            										goto L173;
            									} else {
            										L114:
            										__ecx =  *(__ebp + 8);
            										__eax =  *(__ebp + 0x6c);
            										__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            										 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            										 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            										 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            										_t353 = __ebp + 8;
            										 *_t353 =  *(__ebp + 8) + 1;
            										__eflags =  *_t353;
            										 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            										goto L115;
            									}
            									goto L175;
            								case 0x11:
            									L71:
            									__esi =  *(__ebp + 0x20);
            									 *(__ebp - 0xc) = 0x12;
            									goto L135;
            								case 0x12:
            									L132:
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										L134:
            										 *(__ebp + 0x20) =  *(__ebp + 0x20) + 2;
            										__eflags =  *(__ebp + 0x20) + 2;
            										 *(__ebp - 0xc) = 0x13;
            										L135:
            										 *(_t596 + 0x24) = _t595;
            										goto L136;
            									} else {
            										L133:
            										__eax =  *(__ebp + 0x2c);
            										 *(__ebp + 0x48) =  *(__ebp + 0x48) & 0x00000000;
            										__ecx =  *(__ebp + 0x20);
            										__eax =  *(__ebp + 0x2c) << 4;
            										__eax =  *(__ebp + 0x20) + ( *(__ebp + 0x2c) << 4) + 4;
            										goto L145;
            									}
            									goto L175;
            								case 0x13:
            									L143:
            									__eflags =  *(__ebp + 0x38);
            									if( *(__ebp + 0x38) != 0) {
            										L146:
            										_t454 = __ebp + 0x20;
            										 *_t454 =  *(__ebp + 0x20) + 0x204;
            										__eflags =  *_t454;
            										 *(__ebp + 0x48) = 0x10;
            										 *(__ebp + 0x38) = 8;
            									} else {
            										L144:
            										__eax =  *(__ebp + 0x2c);
            										__ecx =  *(__ebp + 0x20);
            										__eax =  *(__ebp + 0x2c) << 4;
            										__eflags = __eax;
            										 *(__ebp + 0x48) = 8;
            										__eax =  *(__ebp + 0x20) + __eax + 0x104;
            										L145:
            										 *(__ebp + 0x20) = __eax;
            										 *(__ebp + 0x38) = 3;
            									}
            									L147:
            									 *(__ebp - 4) = 0x14;
            									goto L148;
            								case 0x14:
            									goto L0;
            								case 0x15:
            									L93:
            									__eax = 0;
            									__eflags =  *(__ebp + 0x40) - 7;
            									0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
            									(__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            									 *(__ebp + 0x40) = ((__eflags >= 0x00000000) - 0x00000001 & 0xfffffffd) + 0xb;
            									goto L124;
            								case 0x16:
            									L94:
            									__eax =  *(__ebp + 0x48);
            									__eflags = __eax - 4;
            									if(__eax >= 4) {
            										_push(3);
            										_pop(__eax);
            									}
            									__eax = __eax << 7;
            									 *(__ebp + 0x20) = __eax;
            									 *(__ebp + 0x38) = 6;
            									 *(__ebp - 4) = 0x19;
            									goto L148;
            								case 0x17:
            									L148:
            									__eax =  *(__ebp + 0x38);
            									 *(__ebp + 0x28) = 1;
            									 *(__ebp + 0x30) =  *(__ebp + 0x38);
            									goto L152;
            								case 0x18:
            									L149:
            									__eflags =  *(__ebp + 0xc);
            									if( *(__ebp + 0xc) == 0) {
            										L172:
            										 *(__ebp - 0x10) = 0x18;
            										goto L173;
            									} else {
            										L150:
            										__ecx =  *(__ebp + 8);
            										__eax =  *(__ebp + 0x6c);
            										__ecx =  *( *(__ebp + 8)) & 0x000000ff;
            										 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            										 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            										 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            										_t469 = __ebp + 8;
            										 *_t469 =  *(__ebp + 8) + 1;
            										__eflags =  *_t469;
            										 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            										L151:
            										_t472 = __ebp + 0x30;
            										 *_t472 =  *(__ebp + 0x30) - 1;
            										__eflags =  *_t472;
            										__edx =  *(__ebp + 0x74);
            										L152:
            										__eflags =  *(__ebp + 0x30);
            										if( *(__ebp + 0x30) <= 0) {
            											L158:
            											__ecx =  *(__ebp + 0x38);
            											__ebx =  *(__ebp + 0x28);
            											0 = 1;
            											__eax = 1 << __cl;
            											__ebx =  *(__ebp + 0x28) - (1 << __cl);
            											__eax =  *(__ebp - 4);
            											 *(__ebp + 0x34) = __ebx;
            											while(1) {
            												L159:
            												 *(_t596 - 0x10) = _t535;
            												goto L2;
            											}
            										} else {
            											L153:
            											__edx =  *(__ebp + 0x28);
            											__eax =  *(__ebp + 0x20);
            											__ecx =  *(__ebp + 0x68);
            											__edx =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            											__esi = __edx +  *(__ebp + 0x20);
            											__eax =  *__esi & 0x0000ffff;
            											__edi = __ax & 0x0000ffff;
            											__ecx =  *(__ebp + 0x68) >> 0xb;
            											__ecx = ( *(__ebp + 0x68) >> 0xb) * __edi;
            											__eflags =  *(__ebp + 0x6c) - __ecx;
            											 *(__ebp + 0x24) = __esi;
            											if( *(__ebp + 0x6c) >= __ecx) {
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) - __ecx;
            												 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __ecx;
            												__cx = __ax;
            												__cx = __ax >> 5;
            												__ax = __ax - __cx;
            												__edx = __edx + 1;
            												__eflags = __edx;
            												 *__esi = __ax;
            												 *(__ebp + 0x28) = __edx;
            											} else {
            												 *(__ebp + 0x68) = __ecx;
            												0x800 = 0x800 - __edi;
            												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
            												 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            												 *__esi = __cx;
            											}
            											__eflags =  *(__ebp + 0x68) - 0x1000000;
            											if( *(__ebp + 0x68) >= 0x1000000) {
            												goto L151;
            											} else {
            												L157:
            												goto L149;
            											}
            										}
            									}
            									goto L175;
            								case 0x19:
            									L97:
            									__eflags = __ebx - 4;
            									if(__ebx < 4) {
            										L101:
            										 *(__ebp + 0x4c) = __ebx;
            										goto L123;
            									} else {
            										L98:
            										__ecx = __ebx;
            										__ebx = __ebx & 0x00000001;
            										__ecx = __ebx >> 1;
            										__ecx = (__ebx >> 1) - 1;
            										__eax = __ebx & 0x00000001 | 0x00000002;
            										__eax = (__ebx & 0x00000001 | 0x00000002) << __cl;
            										__eflags = __ebx - 0xe;
            										 *(__ebp + 0x4c) = __eax;
            										if(__ebx >= 0xe) {
            											L100:
            											__ebx = 0;
            											 *(__ebp + 0x30) = __ecx;
            											L106:
            											__eflags =  *(__ebp + 0x30);
            											if( *(__ebp + 0x30) <= 0) {
            												L111:
            												__eax = __eax + __ebx;
            												__edx = __edx + 0x644;
            												__eflags = __edx;
            												 *(__ebp + 0x4c) = __eax;
            												 *(__ebp + 0x20) = __edx;
            												 *(__ebp + 0x38) = 4;
            												goto L112;
            											} else {
            												L107:
            												__ecx =  *(__ebp + 0x6c);
            												 *(__ebp + 0x68) =  *(__ebp + 0x68) >> 1;
            												__ebx = __ebx + __ebx;
            												__eflags = __ecx -  *(__ebp + 0x68);
            												 *(__ebp + 0x34) = __ebx;
            												if(__ecx >=  *(__ebp + 0x68)) {
            													__ecx = __ecx -  *(__ebp + 0x68);
            													__ebx = __ebx | 0x00000001;
            													__eflags = __ebx;
            													 *(__ebp + 0x6c) = __ecx;
            													 *(__ebp + 0x34) = __ebx;
            												}
            												__eflags =  *(__ebp + 0x68) - 0x1000000;
            												if( *(__ebp + 0x68) >= 0x1000000) {
            													L105:
            													_t328 = __ebp + 0x30;
            													 *_t328 =  *(__ebp + 0x30) - 1;
            													__eflags =  *_t328;
            													goto L106;
            												} else {
            													L110:
            													L103:
            													__eflags =  *(__ebp + 0xc);
            													if( *(__ebp + 0xc) == 0) {
            														L167:
            														 *(__ebp - 0x10) = 0xc;
            														goto L173;
            													} else {
            														L104:
            														__edi =  *(__ebp + 8);
            														__ecx =  *(__ebp + 0x6c);
            														__edi =  *( *(__ebp + 8)) & 0x000000ff;
            														 *(__ebp + 0x68) =  *(__ebp + 0x68) << 8;
            														 *(__ebp + 0xc) =  *(__ebp + 0xc) - 1;
            														 *(__ebp + 0x6c) << 8 =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            														_t325 = __ebp + 8;
            														 *_t325 =  *(__ebp + 8) + 1;
            														__eflags =  *_t325;
            														 *(__ebp + 0x6c) =  *(__ebp + 0x6c) << 0x00000008 |  *( *(__ebp + 8)) & 0x000000ff;
            														goto L105;
            													}
            												}
            											}
            										} else {
            											L99:
            											__eax = __eax - __ebx;
            											 *(__ebp + 0x20) = __eax;
            											 *(__ebp + 0x38) = __ecx;
            											L112:
            											__ebx = 0;
            											 *(__ebp + 0x28) = 1;
            											 *(__ebp + 0x34) = 0;
            											 *(__ebp + 0x30) = 0;
            											L116:
            											__eax =  *(__ebp + 0x38);
            											__eflags =  *(__ebp + 0x30) -  *(__ebp + 0x38);
            											if( *(__ebp + 0x30) >=  *(__ebp + 0x38)) {
            												L122:
            												_t378 = __ebp + 0x4c;
            												 *_t378 =  *(__ebp + 0x4c) + __ebx;
            												__eflags =  *_t378;
            												L123:
            												_t380 = __ebp + 0x4c;
            												 *_t380 =  *(__ebp + 0x4c) + 1;
            												__eflags =  *_t380;
            												L124:
            												__eax =  *(__ebp + 0x4c);
            												__eflags = __eax;
            												if(__eax == 0) {
            													L169:
            													 *(__ebp + 0x48) =  *(__ebp + 0x48) | 0xffffffff;
            													goto L173;
            												} else {
            													L125:
            													__eflags = __eax -  *(__ebp + 0x18);
            													if(__eax >  *(__ebp + 0x18)) {
            														goto L174;
            													} else {
            														L126:
            														 *(__ebp + 0x48) =  *(__ebp + 0x48) + 2;
            														__eax =  *(__ebp + 0x48);
            														_t387 = __ebp + 0x18;
            														 *_t387 =  *(__ebp + 0x18) +  *(__ebp + 0x48);
            														__eflags =  *_t387;
            														goto L127;
            													}
            												}
            											} else {
            												L117:
            												__edi =  *(__ebp + 0x28);
            												__eax =  *(__ebp + 0x20);
            												__edx =  *(__ebp + 0x68);
            												__edi =  *(__ebp + 0x28) +  *(__ebp + 0x28);
            												__esi = __edi +  *(__ebp + 0x20);
            												__eax =  *__esi & 0x0000ffff;
            												__ecx = __ax & 0x0000ffff;
            												__edx =  *(__ebp + 0x68) >> 0xb;
            												__edx = ( *(__ebp + 0x68) >> 0xb) * __ecx;
            												__eflags =  *(__ebp + 0x6c) - __edx;
            												 *(__ebp + 0x24) = __esi;
            												if( *(__ebp + 0x6c) >= __edx) {
            													 *(__ebp + 0x68) =  *(__ebp + 0x68) - __edx;
            													 *(__ebp + 0x6c) =  *(__ebp + 0x6c) - __edx;
            													0 = 1;
            													__ebx = 1;
            													__ecx =  *(__ebp + 0x30);
            													__ebx = 1 << __cl;
            													__ecx = 1 << __cl;
            													__ebx =  *(__ebp + 0x34);
            													__ebx =  *(__ebp + 0x34) | 1 << __cl;
            													__cx = __ax;
            													__cx = __ax >> 5;
            													__ax = __ax - __cx;
            													__edi = __edi + 1;
            													__eflags = __edi;
            													 *(__ebp + 0x34) = __ebx;
            													 *__esi = __ax;
            													 *(__ebp + 0x28) = __edi;
            												} else {
            													 *(__ebp + 0x68) = __edx;
            													0x800 = 0x800 - __ecx;
            													0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
            													 *(__ebp + 0x28) =  *(__ebp + 0x28) << 1;
            													 *__esi = __dx;
            												}
            												__eflags =  *(__ebp + 0x68) - 0x1000000;
            												if( *(__ebp + 0x68) >= 0x1000000) {
            													L115:
            													_t356 = __ebp + 0x30;
            													 *_t356 =  *(__ebp + 0x30) + 1;
            													__eflags =  *_t356;
            													goto L116;
            												} else {
            													L121:
            													goto L113;
            												}
            											}
            										}
            									}
            									goto L175;
            								case 0x1a:
            									L58:
            									__eflags =  *(__ebp + 0x14);
            									if( *(__ebp + 0x14) == 0) {
            										L165:
            										 *(__ebp - 0x10) = 0x1a;
            										goto L173;
            									} else {
            										L59:
            										__al =  *(__ebp + 0x1c);
            										__ecx =  *(__ebp + 0x10);
            										__edx =  *(__ebp + 0x70);
            										 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            										 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            										 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            										 *( *(__ebp + 0x10)) = __al;
            										__ecx =  *(__ebp + 0x64);
            										 *((char*)(__ecx +  *(__ebp + 0x70))) = __al;
            										__eax = __ecx + 1;
            										__edx = 0;
            										_t187 = __eax %  *(__ebp + 4);
            										__eax = __eax /  *(__ebp + 4);
            										__edx = _t187;
            										goto L82;
            									}
            									goto L175;
            								case 0x1b:
            									L78:
            									__eflags =  *(__ebp + 0x14);
            									if( *(__ebp + 0x14) == 0) {
            										L166:
            										 *(__ebp - 0x10) = 0x1b;
            										goto L173;
            									} else {
            										L79:
            										__eax =  *(__ebp + 0x64);
            										__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            										__eflags = __eax -  *(__ebp + 4);
            										if(__eax >=  *(__ebp + 4)) {
            											__eax = __eax +  *(__ebp + 4);
            											__eflags = __eax;
            										}
            										__edx =  *(__ebp + 0x70);
            										__cl =  *(__eax + __edx);
            										__eax =  *(__ebp + 0x64);
            										 *(__eax + __edx) = __cl;
            										__eax = __eax + 1;
            										__edx = 0;
            										_t265 = __eax %  *(__ebp + 4);
            										__eax = __eax /  *(__ebp + 4);
            										__edx = _t265;
            										 *(__ebp + 0x18) =  *(__ebp + 0x18) + 1;
            										__eax =  *(__ebp + 0x10);
            										 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            										_t274 = __ebp + 0x14;
            										 *_t274 =  *(__ebp + 0x14) - 1;
            										__eflags =  *_t274;
            										 *(__ebp + 0x1c) = __cl;
            										 *( *(__ebp + 0x10)) = __cl;
            										L82:
            										 *(__ebp + 0x64) = __edx;
            										goto L83;
            									}
            									goto L175;
            								case 0x1c:
            									while(1) {
            										L127:
            										__eflags =  *(__ebp + 0x14);
            										if( *(__ebp + 0x14) == 0) {
            											break;
            										}
            										L128:
            										__eax =  *(__ebp + 0x64);
            										__eax =  *(__ebp + 0x64) -  *(__ebp + 0x4c);
            										__eflags = __eax -  *(__ebp + 4);
            										if(__eax >=  *(__ebp + 4)) {
            											__eax = __eax +  *(__ebp + 4);
            											__eflags = __eax;
            										}
            										__edx =  *(__ebp + 0x70);
            										__cl =  *(__eax + __edx);
            										__eax =  *(__ebp + 0x64);
            										 *(__eax + __edx) = __cl;
            										__eax = __eax + 1;
            										__edx = 0;
            										_t400 = __eax %  *(__ebp + 4);
            										__eax = __eax /  *(__ebp + 4);
            										__edx = _t400;
            										__eax =  *(__ebp + 0x10);
            										 *(__ebp + 0x10) =  *(__ebp + 0x10) + 1;
            										 *(__ebp + 0x14) =  *(__ebp + 0x14) - 1;
            										 *(__ebp + 0x48) =  *(__ebp + 0x48) - 1;
            										__eflags =  *(__ebp + 0x48);
            										 *(__ebp + 0x1c) = __cl;
            										 *( *(__ebp + 0x10)) = __cl;
            										 *(__ebp + 0x64) = __edx;
            										if( *(__ebp + 0x48) > 0) {
            											continue;
            										} else {
            											L131:
            											L83:
            											 *(__ebp - 0x10) = 2;
            											goto L2;
            										}
            										L175:
            										__eflags = _t596 + 0x78;
            										return _t515;
            										L177:
            									}
            									L170:
            									 *(__ebp - 0x10) = 0x1c;
            									L173:
            									_push(0x22);
            									_pop(_t544);
            									memcpy( *(_t596 - 0x18), _t596 - 0x10, _t544 << 2);
            									_t515 = 0;
            									goto L175;
            							}
            						}
            						L174:
            						_t515 = _t514 | 0xffffffff;
            						goto L175;
            					}
            				}
            			}








            APIs
            • GlobalFree.KERNEL32 ref: 00407D81
            • GlobalAlloc.KERNELBASE(00000040,?,00000000,00420150,00004000), ref: 00407D8A
            • GlobalFree.KERNEL32 ref: 00407DF6
            • GlobalAlloc.KERNELBASE(00000040,?,00000000,00420150,00004000), ref: 00407E01
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Global$AllocFree
            • String ID:
            • API String ID: 3394109436-0
            • Opcode ID: 727bfd094498c27da261b1b0a80c84f7c7aa89ff736c7626a545fe60cf32de6b
            • Instruction ID: e88af5cfac7a6df1224d104c0644a9f80ea25778771eac455195e847f503c6a5
            • Opcode Fuzzy Hash: 727bfd094498c27da261b1b0a80c84f7c7aa89ff736c7626a545fe60cf32de6b
            • Instruction Fuzzy Hash: 52514571910248EBDF58CF19C984BAD3BB1FF44355F11812AFC5AAA291C738E985CF84
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E00401392(signed int _a4) {
            				void* _t8;
            				void* _t10;
            				signed int _t11;
            				void* _t12;
            				signed int _t16;
            				signed int _t17;
            				void* _t18;
            
            				_t17 = _a4;
            				while(_t17 >= 0) {
            					_t6 = _t17 * 0x1c +  *0x473df0;
            					if( *((intOrPtr*)(_t17 * 0x1c +  *0x473df0)) == 1) {
            						break;
            					}
            					_t8 = E00401593(_t6); // executed
            					if(_t8 == 0x7fffffff) {
            						return 0x7fffffff;
            					}
            					_t10 = E00401373(_t8);
            					if(_t10 != 0) {
            						_t11 = _t10 - 1;
            						_t16 = _t17;
            						_t17 = _t11;
            						_t12 = _t11 - _t16;
            					} else {
            						_t12 = _t10 + 1;
            						_t17 = _t17 + 1;
            					}
            					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
            						 *0x46bdac =  *0x46bdac + _t12;
            						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x46bdac, 0x7530,  *0x46bda4), 0);
            					}
            				}
            				return 0;
            			}











            APIs
            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013ED
            • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013FD
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 0727eb72d530338327fd2f07efb37a59c2089f1ab857e5200dd742504dfa4478
            • Instruction ID: af0e1cbff66fdebca0db7d4f586941347445bebd6606a7d697289bcd4aaec1d5
            • Opcode Fuzzy Hash: 0727eb72d530338327fd2f07efb37a59c2089f1ab857e5200dd742504dfa4478
            • Instruction Fuzzy Hash: 350144316202109FD7554B35EC04B2A3A98E741325F10413BF815FA2F2E778CC828B8E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E00405E77(WCHAR* _a4, long _a8, long _a12) {
            				signed int _t5;
            				void* _t6;
            
            				_t5 = GetFileAttributesW(_a4); // executed
            				asm("sbb ecx, ecx");
            				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
            				return _t6;
            			}






            APIs
            • GetFileAttributesW.KERNELBASE(00000003,004035EE,004E00D8,80000000,00000003,?,?,?,004D80C8,00403A74,?), ref: 00405E7B
            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,004D80C8,00403A74,?), ref: 00405E9D
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: File$AttributesCreate
            • String ID:
            • API String ID: 415043291-0
            • Opcode ID: 29922bd4308ea13be46c82946cf0db2c231ed7108659491920434244cdff7faa
            • Instruction ID: ab29df9fdfb8a907330e0d25dbdf7b6ecbed57ee1bca34f1585a717c1e770363
            • Opcode Fuzzy Hash: 29922bd4308ea13be46c82946cf0db2c231ed7108659491920434244cdff7faa
            • Instruction Fuzzy Hash: 3DD09E71654201EFEF099F20DD1AF6EBBA2EB84B01F10852CB693941E1D6B15C15DB15
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402DDD
              • Part of subcall function 00405F74: wsprintfW.USER32 ref: 00405F81
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: FilePointerwsprintf
            • String ID:
            • API String ID: 327478801-0
            • Opcode ID: 11b263626265d99cc21f35e4b8d01862e64811d521f3abe37454febf15a7c5e3
            • Instruction ID: 22ec30b4620eb3cdabae04caf3bb1cb7bcb132a3b53a19968671d57f7263cc6c
            • Opcode Fuzzy Hash: 11b263626265d99cc21f35e4b8d01862e64811d521f3abe37454febf15a7c5e3
            • Instruction Fuzzy Hash: 8DE01A72A04114ABDB11EFA5A845CAE7A78EB4835AB14443BF501F8091C67D8A50AA28
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040335D(void* _a4, long _a8) {
            				int _t6;
            				long _t10;
            
            				_t10 = _a8;
            				_t6 = ReadFile( *0x40c010, _a4, _t10,  &_a8, 0); // executed
            				if(_t6 == 0 || _a8 != _t10) {
            					return 0;
            				} else {
            					return 1;
            				}
            			}






            APIs
            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033F5,000000FF,00000004,00000000,00000000,00000000), ref: 00403374
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: a0ffaee30a8c8f60a883f43b81636d07f0967c7cf138ba0a994fd08ea3763c6a
            • Instruction ID: c118c1695ae71753ee653abfb91a4cced9948a4000a5aa6fcb53befee0282704
            • Opcode Fuzzy Hash: a0ffaee30a8c8f60a883f43b81636d07f0967c7cf138ba0a994fd08ea3763c6a
            • Instruction Fuzzy Hash: 74E08C32210319FBDB109FA29C84EE77B6CEB043A2F408437FD15E9090DA30DA00DBA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004037F3(void* __ecx, void* __eflags) {
            				void* _t2;
            				void* _t5;
            				void* _t6;
            
            				_t6 = __ecx;
            				E0040605C(0x4d80c8);
            				_t2 = E00405D4B(0x4d80c8);
            				if(_t2 != 0) {
            					E0040673D(0x4d80c8);
            					CreateDirectoryW(0x4d80c8, 0); // executed
            					_t5 = E00405EA6(_t6, 0x4d40c0, 0x4d80c8); // executed
            					return _t5;
            				} else {
            					return _t2;
            				}
            			}







            APIs
              • Part of subcall function 0040605C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,004C40A0,004D80C8,004D80C8,004037FF,004D80C8,00000002,00403A38), ref: 004060BF
              • Part of subcall function 0040605C: CharNextW.USER32(?,?,?,00000000), ref: 004060CE
              • Part of subcall function 0040605C: CharNextW.USER32(?,00000000,004C40A0,004D80C8,004D80C8,004037FF,004D80C8,00000002,00403A38), ref: 004060D3
              • Part of subcall function 0040605C: CharPrevW.USER32(?,?,004C40A0,004D80C8,004D80C8,004037FF,004D80C8,00000002,00403A38), ref: 004060E6
            • CreateDirectoryW.KERNELBASE(004D80C8,00000000,004D80C8,004D80C8,004D80C8,00000002,00403A38), ref: 00403814
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Char$Next$CreateDirectoryPrev
            • String ID:
            • API String ID: 4115351271-0
            • Opcode ID: f6669e30b962dee64775ea2d1f56a0bf45d9014998f80b9df8cbd09de0c3784e
            • Instruction ID: d2ba79d2d0616876763753581ef3da438734523d250276b00b78a1eaf9ab3cf6
            • Opcode Fuzzy Hash: f6669e30b962dee64775ea2d1f56a0bf45d9014998f80b9df8cbd09de0c3784e
            • Instruction Fuzzy Hash: 30D0C922543D3062DA63376A3D16FCF194C4FA3719B12807BF601BA2D28B7C4A4649FE
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 16%
            			E00402AFA(void* __eflags) {
            				void* _t7;
            				void* _t8;
            				void* _t11;
            
            				_pop(ds);
            				if(__eflags != 0) {
            					_push(E00405F8D(_t7, _t8)); // executed
            					FindCloseChangeNotification(); // executed
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t11 - 4));
            				return 0;
            			}







            APIs
            • FindCloseChangeNotification.KERNELBASE(?,00000000,000000EB,00000000), ref: 00402B08
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: f47a4699138c2b2e57cb1798c8c98dc6101ad4c6d00b524798173963568361a2
            • Instruction ID: 3b207c59ab600bc47d1d6d2ccfae15f4585b145761cfe0e4c7bd675e2421020e
            • Opcode Fuzzy Hash: f47a4699138c2b2e57cb1798c8c98dc6101ad4c6d00b524798173963568361a2
            • Instruction Fuzzy Hash: 9BC012737181109BC701DFA8BC848AE7B68DB443163108837E102F6081D37CCA41AA2D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040338F(long _a4) {
            				long _t2;
            
            				_t2 = SetFilePointer( *0x40c010, _a4, 0, 0); // executed
            				return _t2;
            			}




            0x0040339d
            0x004033a3

            APIs
            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403781,?,?,?,?,004D80C8,00403A74,?), ref: 0040339D
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: 482fb72625fd76082891501abc64efa02dd80cc662032f2b0e6ae75ba374442e
            • Instruction ID: a083ef67dddd087183a562ee38312f1eff516b497eb3089e4d7ceb6467aad99c
            • Opcode Fuzzy Hash: 482fb72625fd76082891501abc64efa02dd80cc662032f2b0e6ae75ba374442e
            • Instruction Fuzzy Hash: 11B01231240200FFEA214F40DE09F06BB21B7D4700F208430F751380F082711420FB0C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 90%
            			E004050FE(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
            				struct HWND__* _v8;
            				long _v12;
            				struct tagRECT _v28;
            				void* _v36;
            				signed int _v40;
            				int _v44;
            				int _v48;
            				signed int _v52;
            				int _v56;
            				void* _v60;
            				void* _v68;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				long _t91;
            				struct HMENU__* _t93;
            				unsigned int _t96;
            				int _t98;
            				int _t99;
            				void* _t106;
            				intOrPtr _t128;
            				struct HWND__* _t132;
            				intOrPtr _t134;
            				int _t156;
            				int _t157;
            				struct HMENU__* _t162;
            				struct HWND__* _t166;
            				struct HWND__* _t167;
            				void* _t169;
            				void* _t170;
            				short* _t171;
            				short* _t173;
            
            				_t167 =  *0x46bd8c;
            				_t156 = 0;
            				_v8 = _t167;
            				if(_a8 != 0x110) {
            					if(_a8 == 0x405) {
            						CloseHandle(CreateThread(0, 0, E00405078, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
            					}
            					if(_a8 != 0x111) {
            						L18:
            						if(_a8 != 0x404) {
            							L26:
            							if(_a8 != 0x7b || _a12 != _t167) {
            								goto L21;
            							} else {
            								_t91 = SendMessageW(_t167, 0x1004, _t156, _t156);
            								_a8 = _t91;
            								if(_t91 <= _t156) {
            									L12:
            									return 0;
            								}
            								_t93 = CreatePopupMenu();
            								_push(0xffffffe1);
            								_push(_t156);
            								_t162 = _t93;
            								AppendMenuW(_t162, _t156, 1, E00406820(_t156, _t162, _t167));
            								_t96 = _a16;
            								if(_t96 != 0xffffffff) {
            									_t157 = _t96;
            									_t98 = _t96 >> 0x10;
            								} else {
            									GetWindowRect(_t167,  &_v28);
            									_t157 = _v28.left;
            									_t98 = _v28.top;
            								}
            								_t99 = TrackPopupMenu(_t162, 0x180, _t157, _t98, _t156, _a4, _t156);
            								_t169 = 1;
            								if(_t99 == 1) {
            									_v60 = _t156;
            									_v48 = 0x448240;
            									_v44 = 0x1001f;
            									_a4 = _a8;
            									do {
            										_a4 = _a4 - 1;
            										_t169 = _t169 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
            									} while (_a4 != _t156);
            									OpenClipboard(_t156);
            									EmptyClipboard();
            									_t106 = GlobalAlloc(0x42, _t169 + _t169);
            									_a4 = _t106;
            									_t170 = GlobalLock(_t106);
            									do {
            										_v48 = _t170;
            										_t171 = _t170 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
            										 *_t171 = 0xd;
            										_t173 = _t171 + 2;
            										 *_t173 = 0xa;
            										_t170 = _t173 + 2;
            										_t156 = _t156 + 1;
            									} while (_t156 < _a8);
            									GlobalUnlock(_a4);
            									SetClipboardData(0xd, _a4);
            									CloseClipboard();
            								}
            								goto L12;
            							}
            						}
            						if( *0x46bd94 == _t156) {
            							ShowWindow( *0x473dd4, 8);
            							if( *0x473e8c == _t156) {
            								E00404FA5( *((intOrPtr*)( *0x458260 + 0x34)), _t156);
            							}
            							E00403D60(1);
            							goto L26;
            						}
            						 *0x458268 = 2;
            						E00403D60(0x78);
            						goto L21;
            					} else {
            						if(_a12 != 0x403) {
            							L21:
            							return E00403E12(_a8, _a12, _a16);
            						}
            						ShowWindow( *0x46bda0, _t156);
            						ShowWindow(_t167, 8);
            						E00403DE0(_t167);
            						goto L18;
            					}
            				}
            				_v52 = _v52 | 0xffffffff;
            				_v40 = _v40 | 0xffffffff;
            				_v60 = 2;
            				_v56 = 0;
            				_v48 = 0;
            				_v44 = 0;
            				asm("stosd");
            				asm("stosd");
            				_t128 =  *0x473ddc;
            				_a8 =  *((intOrPtr*)(_t128 + 0x5c));
            				_a12 =  *((intOrPtr*)(_t128 + 0x60));
            				 *0x46bda0 = GetDlgItem(_a4, 0x403);
            				 *0x46bd98 = GetDlgItem(_a4, 0x3ee);
            				_t132 = GetDlgItem(_a4, 0x3f8);
            				 *0x46bd8c = _t132;
            				_v8 = _t132;
            				E00403DE0( *0x46bda0);
            				_t134 = E004044BA(4);
            				_push(0x4c80a8);
            				_push(0xfffffffd);
            				_push(0);
            				 *0x46bda4 = _t134;
            				 *0x46bdac = 0;
            				E004062C7(L"New install of \"%s\" to \"%s\"", E00406820(0, GetDlgItem, _t167));
            				GetClientRect(_v8,  &_v28);
            				_v52 = _v28.right - GetSystemMetrics(0x15);
            				SendMessageW(_v8, 0x1061, 0,  &_v60);
            				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
            				if(_a8 >= 0) {
            					SendMessageW(_v8, 0x1001, 0, _a8);
            					SendMessageW(_v8, 0x1026, 0, _a8);
            				}
            				if(_a12 >= _t156) {
            					SendMessageW(_v8, 0x1024, _t156, _a12);
            				}
            				_push( *((intOrPtr*)(_a16 + 0x30)));
            				_push(0x1b);
            				E00403D87(_a4);
            				if(( *0x473e28 & 0x00000003) != 0) {
            					ShowWindow( *0x46bda0, _t156);
            					if(( *0x473e28 & 0x00000002) != 0) {
            						 *0x46bda0 = _t156;
            					} else {
            						ShowWindow(_v8, 8);
            					}
            					E00403DE0( *0x46bd98);
            				}
            				_t166 = GetDlgItem(_a4, 0x3ec);
            				SendMessageW(_t166, 0x401, _t156, 0x75300000);
            				if(( *0x473e28 & 0x00000004) != 0) {
            					SendMessageW(_t166, 0x409, _t156, _a12);
            					SendMessageW(_t166, 0x2001, _t156, _a8);
            				}
            				goto L12;
            			}





































            APIs
            • GetDlgItem.USER32 ref: 0040515D
            • GetDlgItem.USER32 ref: 0040516C
            • GetClientRect.USER32 ref: 004051C4
            • GetSystemMetrics.USER32 ref: 004051CC
            • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051ED
            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FE
            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405211
            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521F
            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405232
            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405254
            • ShowWindow.USER32(?,00000008), ref: 00405268
            • GetDlgItem.USER32 ref: 00405289
            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405299
            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AE
            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052BA
            • GetDlgItem.USER32 ref: 0040517B
              • Part of subcall function 00403DE0: SendMessageW.USER32(00000028,?,00000001,004057DF), ref: 00403DEE
              • Part of subcall function 00406820: GetVersion.KERNEL32(00000000,?,0043C228,?,0043C228,00000000,00424150,00000000,00000000), ref: 004068F0
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
            • GetDlgItem.USER32 ref: 004052D9
            • CreateThread.KERNEL32 ref: 004052E7
            • CloseHandle.KERNEL32(00000000), ref: 004052EE
            • ShowWindow.USER32(00000000), ref: 00405312
            • ShowWindow.USER32(?,00000008), ref: 00405317
            • ShowWindow.USER32(00000008), ref: 0040535E
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405390
            • CreatePopupMenu.USER32 ref: 004053A1
            • AppendMenuW.USER32 ref: 004053B6
            • GetWindowRect.USER32 ref: 004053C9
            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053ED
            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405428
            • OpenClipboard.USER32(00000000), ref: 00405438
            • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 0040543E
            • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040544A
            • GlobalLock.KERNEL32 ref: 00405454
            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405468
            • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405488
            • SetClipboardData.USER32 ref: 00405493
            • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 00405499
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
            • String ID: New install of "%s" to "%s"${
            • API String ID: 2110491804-1641061399
            • Opcode ID: f0c821864b8a79b17d2d4097c0847ce5bd361073b1f402f82d1640e8dde98e18
            • Instruction ID: e08dfd4d09cb12445b7de09e4ebb649403bebcf170dfaaae3e2bb8cf35cee1b0
            • Opcode Fuzzy Hash: f0c821864b8a79b17d2d4097c0847ce5bd361073b1f402f82d1640e8dde98e18
            • Instruction Fuzzy Hash: F4B15A70900209BFEB11AF61DD89AAE7B78FF04355F00402AFA05BA1A1C7B49E91DF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 96%
            			E004049B5(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
            				struct HWND__* _v8;
            				struct HWND__* _v12;
            				long _v16;
            				void* _v20;
            				signed int _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				long _v36;
            				signed int _v44;
            				int _v48;
            				signed int* _v60;
            				signed char* _v64;
            				int _v68;
            				long _v72;
            				void* _v76;
            				intOrPtr _v80;
            				intOrPtr _v84;
            				void* _v88;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				struct HWND__* _t177;
            				intOrPtr _t193;
            				long _t199;
            				signed int _t203;
            				signed int _t214;
            				void* _t217;
            				void* _t218;
            				int _t224;
            				signed int* _t231;
            				signed int _t233;
            				struct HBITMAP__* _t243;
            				void* _t245;
            				intOrPtr _t251;
            				signed char* _t264;
            				signed char _t265;
            				long _t268;
            				int _t275;
            				signed int _t279;
            				signed int _t286;
            				signed int _t288;
            				int* _t296;
            				signed char* _t297;
            				int _t300;
            				int _t301;
            				int _t302;
            				signed int* _t303;
            				int _t304;
            				long _t305;
            				long _t306;
            				int _t307;
            				signed int _t308;
            				void* _t310;
            
            				_v12 = GetDlgItem(_a4, 0x3f9);
            				_t177 = GetDlgItem(_a4, 0x408);
            				_t310 = SendMessageW;
            				_v8 = _t177;
            				_v28 =  *0x473de8;
            				_t275 = 0;
            				_v32 =  *0x473ddc + 0x94;
            				_t300 = 0x10;
            				if(_a8 != 0x110) {
            					L24:
            					if(_a8 == 0x405) {
            						_a12 = _t275;
            						_a16 = 1;
            						_a8 = 0x40f;
            					}
            					if(_a8 == 0x4e || _a8 == 0x413) {
            						_t301 = _a16;
            						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
            							if(( *0x473e28 & 0x00000200) != 0) {
            								L41:
            								if(_t301 != _t275) {
            									if( *((intOrPtr*)(_t301 + 8)) == 0xfffffe3d) {
            										SendMessageW(_v8, 0x419, _t275,  *(_t301 + 0x5c));
            									}
            									if( *((intOrPtr*)(_t301 + 8)) == 0xfffffe39) {
            										_t277 = _v28;
            										_t231 =  *(_t301 + 0x5c) * 0x4020 + _v28 + 8;
            										if( *((intOrPtr*)(_t301 + 0xc)) != 2) {
            											 *_t231 =  *_t231 & 0xffffffdf;
            										} else {
            											 *_t231 =  *_t231 | 0x00000020;
            										}
            									}
            								}
            								goto L48;
            							}
            							if(_a8 == 0x413) {
            								L33:
            								_t277 = 0 | _a8 != 0x00000413;
            								_t233 = E00404885(_v8, _a8 != 0x413);
            								if(_t233 >= _t275) {
            									_t95 = _v28 + 8; // 0x8
            									_t296 = _t233 * 0x4020 + _t95;
            									_t277 =  *_t296;
            									if((_t277 & 0x00000010) == 0) {
            										if((_t277 & 0x00000040) == 0) {
            											_t286 = _t277 ^ 0x00000001;
            										} else {
            											_t288 = _t277 ^ 0x00000080;
            											if(_t288 >= 0) {
            												_t286 = _t288 & 0xfffffffe;
            											} else {
            												_t286 = _t288 | 0x00000001;
            											}
            										}
            										 *_t296 = _t286;
            										E0040117D(_t233);
            										_t277 = 1;
            										_a12 = 1;
            										_a16 =  !( *0x473e28 >> 8) & 1;
            										_a8 = 0x40f;
            									}
            								}
            								goto L41;
            							}
            							_t277 = _a16;
            							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
            								goto L41;
            							}
            							goto L33;
            						} else {
            							goto L48;
            						}
            					} else {
            						L48:
            						if(_a8 != 0x111) {
            							L56:
            							if(_a8 == 0x200) {
            								SendMessageW(_v8, 0x200, _t275, _t275);
            							}
            							if(_a8 == 0x40b) {
            								_t217 =  *0x438210;
            								if(_t217 != _t275) {
            									ImageList_Destroy(_t217);
            								}
            								_t218 =  *0x438214;
            								if(_t218 != _t275) {
            									GlobalFree(_t218);
            								}
            								 *0x438210 = _t275;
            								 *0x438214 = _t275;
            								 *0x473e30 = _t275;
            							}
            							if(_a8 != 0x40f) {
            								L86:
            								if(_a8 == 0x420 && ( *0x473e28 & 0x00000100) != 0) {
            									_t302 = (0 | _a16 == 0x00000020) << 3;
            									ShowWindow(_v8, _t302);
            									ShowWindow(GetDlgItem(_a4, 0x3fe), _t302);
            								}
            								goto L89;
            							} else {
            								E004011EF(_t277, _t275, _t275);
            								if(_a12 != _t275) {
            									E00401414(8);
            								}
            								if(_a16 == _t275) {
            									L73:
            									E004011EF(_t277, _t275, _t275);
            									_v36 =  *0x438214;
            									_t193 =  *0x473de8;
            									_v64 = 0xf030;
            									_v28 = _t275;
            									if( *0x473dec <= _t275) {
            										L84:
            										InvalidateRect(_v8, _t275, 1);
            										if( *((intOrPtr*)( *0x46bda8 + 0x10)) != _t275) {
            											E004043F1(E004044BA(5), 0x3ff, 0xfffffffb);
            										}
            										goto L86;
            									}
            									_t303 = _t193 + 8;
            									do {
            										_t199 =  *((intOrPtr*)(_v36 + _v28 * 4));
            										if(_t199 != _t275) {
            											_t279 =  *_t303;
            											_v72 = _t199;
            											_v76 = 8;
            											if((_t279 & 0x00000100) != 0) {
            												_v76 = 9;
            												_v60 =  &(_t303[4]);
            												 *_t303 =  *_t303 & 0xfffffeff;
            											}
            											if((_t279 & 0x00000040) == 0) {
            												_t203 = (_t279 & 0x00000001) + 1;
            												if((_t279 & 0x00000010) != 0) {
            													_t203 = _t203 + 3;
            												}
            											} else {
            												_t203 = 3;
            											}
            											_v68 = (_t203 << 0x0000000b | _t279 & 0x00000008) + (_t203 << 0x0000000b | _t279 & 0x00000008) | _t279 & 0x00000020;
            											SendMessageW(_v8, 0x1102, (_t279 >> 0x00000005 & 0x00000001) + 1, _v72);
            											SendMessageW(_v8, 0x113f, _t275,  &_v76);
            										}
            										_v28 = _v28 + 1;
            										_t303 =  &(_t303[0x1008]);
            									} while (_v28 <  *0x473dec);
            									goto L84;
            								} else {
            									_t304 = E004012E8( *0x438214);
            									E0040129D(_t304);
            									_t214 = 0;
            									_t277 = 0;
            									if(_t304 <= _t275) {
            										L72:
            										SendMessageW(_v12, 0x14e, _t277, _t275);
            										_a16 = _t304;
            										_a8 = 0x420;
            										goto L73;
            									} else {
            										goto L69;
            									}
            									do {
            										L69:
            										if( *((intOrPtr*)(_v32 + _t214 * 4)) != _t275) {
            											_t277 = _t277 + 1;
            										}
            										_t214 = _t214 + 1;
            									} while (_t214 < _t304);
            									goto L72;
            								}
            							}
            						}
            						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
            							goto L89;
            						} else {
            							_t224 = SendMessageW(_v12, 0x147, _t275, _t275);
            							if(_t224 == 0xffffffff) {
            								goto L89;
            							}
            							_t305 = SendMessageW(_v12, 0x150, _t224, _t275);
            							if(_t305 == 0xffffffff ||  *((intOrPtr*)(_v32 + _t305 * 4)) == _t275) {
            								_t305 = 0x20;
            							}
            							E0040129D(_t305);
            							SendMessageW(_a4, 0x420, _t275, _t305);
            							_a12 = 1;
            							_a16 = _t275;
            							_a8 = 0x40f;
            							goto L56;
            						}
            					}
            				} else {
            					 *0x473e30 = _a4;
            					_v36 = 0;
            					_v24 = 2;
            					 *0x438214 = GlobalAlloc(0x40,  *0x473dec << 2);
            					_t243 = LoadBitmapW( *0x473dd8, 0x6e);
            					 *0x458270 =  *0x458270 | 0xffffffff;
            					_v20 = _t243;
            					 *0x438200 = SetWindowLongW(_v8, 0xfffffffc, E00404905);
            					_t245 = ImageList_Create(_t300, _t300, 0x21, 6, 0);
            					 *0x438210 = _t245;
            					ImageList_AddMasked(_t245, _v20, 0xff00ff);
            					SendMessageW(_v8, 0x1109, 2,  *0x438210);
            					if(SendMessageW(_v8, 0x111c, 0, 0) < _t300) {
            						SendMessageW(_v8, 0x111b, _t300, 0);
            					}
            					DeleteObject(_v20);
            					_t306 = 0;
            					do {
            						_t251 =  *((intOrPtr*)(_v32 + _t306 * 4));
            						if(_t251 != _t275) {
            							if(_t306 != 0x20) {
            								_v24 = _t275;
            							}
            							_push(_t251);
            							_push(_t275);
            							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t275, E00406820(_t275, _t306, _t310)), _t306);
            						}
            						_t306 = _t306 + 1;
            					} while (_t306 < 0x21);
            					_t307 = _a16;
            					_push( *((intOrPtr*)(_t307 + 0x30 + _v24 * 4)));
            					_push(0x15);
            					E00403D87(_a4);
            					_push( *((intOrPtr*)(_t307 + 0x34 + _v24 * 4)));
            					_push(0x16);
            					E00403D87(_a4);
            					_t308 = 0;
            					_v16 = _t275;
            					if( *0x473dec <= _t275) {
            						L20:
            						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0xfffffffb);
            						goto L21;
            					} else {
            						_v20 = _v28 + 8;
            						do {
            							_t297 = _v20;
            							_t264 =  &(_t297[0x10]);
            							if( *_t264 == 0) {
            								goto L18;
            							}
            							_v64 = _t264;
            							_t265 =  *_t297;
            							_v88 = _v16;
            							_t277 = 0x20;
            							_v84 = 0xffff0002;
            							_v80 = 0xd;
            							_v68 = _t277;
            							_v44 = _t308;
            							_v72 = _t265 & _t277;
            							if((_t265 & 0x00000002) == 0) {
            								if(( *_v20 & 0x00000004) == 0) {
            									_t268 = SendMessageW(_v8, 0x1132, 0,  &_v88);
            									goto L17;
            								}
            								_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
            							} else {
            								_v80 = 0x4d;
            								_v48 = 1;
            								_t268 = SendMessageW(_v8, 0x1132, 0,  &_v88);
            								_v16 = _t268;
            								_v36 = 1;
            								L17:
            								_t277 =  *0x438214;
            								 *( *0x438214 + _t308 * 4) = _t268;
            							}
            							L18:
            							_v20 = _v20 + 0x4020;
            							_t308 = _t308 + 1;
            						} while (_t308 <  *0x473dec);
            						if(_v36 != 0) {
            							L21:
            							if(_v24 != 0) {
            								E00403DE0(_v8);
            								_t275 = 0;
            								goto L24;
            							}
            							ShowWindow(_v12, 5);
            							E00403DE0(_v12);
            							L89:
            							return E00403E12(_a8, _a12, _a16);
            						}
            						goto L20;
            					}
            				}
            			}

            APIs
            • GetDlgItem.USER32 ref: 004049CC
            • GetDlgItem.USER32 ref: 004049D9
            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A28
            • LoadBitmapW.USER32(0000006E), ref: 00404A3B
            • SetWindowLongW.USER32 ref: 00404A55
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A67
            • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A7B
            • SendMessageW.USER32(?,00001109,00000002), ref: 00404A91
            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A9D
            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AAD
            • DeleteObject.GDI32(?), ref: 00404AB2
            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404ADD
            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AE9
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B8A
            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BAD
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BBE
            • GetWindowLongW.USER32(?,000000F0), ref: 00404BE8
            • SetWindowLongW.USER32 ref: 00404BF7
            • ShowWindow.USER32(?,00000005), ref: 00404C08
            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404D05
            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D5D
            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D72
            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D96
            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DBC
            • ImageList_Destroy.COMCTL32(?), ref: 00404DD1
            • GlobalFree.KERNEL32 ref: 00404DE1
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E51
            • SendMessageW.USER32(?,00001102,?,?), ref: 00404EFE
            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F0D
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F2D
            • ShowWindow.USER32(?,00000000), ref: 00404F7C
            • GetDlgItem.USER32 ref: 00404F87
            • ShowWindow.USER32(00000000), ref: 00404F8E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
            • String ID: $ @$M$N
            • API String ID: 1638840714-3479655940
            • Opcode ID: 6411370767ad88956dce949ccc73fe93a5d455d1ad0c16ed7a10e8747db3868c
            • Instruction ID: 238f419044e60574a8517aab33a2a3d6d075401044bcc0c33d74977834277f4d
            • Opcode Fuzzy Hash: 6411370767ad88956dce949ccc73fe93a5d455d1ad0c16ed7a10e8747db3868c
            • Instruction Fuzzy Hash: 3F027BB0900209AFEF109F94DD85AAE7BB9FB84315F10413AF614B62E1C7799E81DF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E004044E9(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
            				signed int _v8;
            				struct HWND__* _v12;
            				long _v16;
            				long _v20;
            				char _v24;
            				long _v28;
            				char _v32;
            				intOrPtr _v36;
            				long _v40;
            				signed int _v44;
            				WCHAR* _v52;
            				intOrPtr _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				WCHAR* _v68;
            				void _v72;
            				char _v76;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				intOrPtr _t84;
            				long _t89;
            				signed int** _t91;
            				void* _t97;
            				signed int _t98;
            				signed short _t118;
            				signed int _t122;
            				char* _t127;
            				intOrPtr _t130;
            				intOrPtr* _t142;
            				struct HWND__* _t146;
            				signed int* _t156;
            				signed int* _t157;
            				struct HWND__* _t159;
            				signed int _t161;
            				signed int _t167;
            				intOrPtr _t173;
            				WCHAR* _t177;
            				int _t178;
            
            				_t84 =  *0x458260;
            				_v36 = _t84;
            				_t177 = 0x474000 +  *(_t84 + 0x3c) * 0x4008;
            				_v8 =  *((intOrPtr*)(_t84 + 0x38));
            				if(_a8 != 0x40b) {
            					L3:
            					if(_a8 != 0x110) {
            						L12:
            						if(_a8 != 0x111) {
            							L24:
            							if(_a8 == 0x40f) {
            								L26:
            								_v8 = _v8 & 0x00000000;
            								_v12 = _v12 & 0x00000000;
            								E00405CAC(0x3fb, _t177);
            								if(E00406798(_t197, _t177) == 0) {
            									_v8 = 1;
            								}
            								E0040602D(0x444238, _t177);
            								_t156 = 0;
            								_t89 = E00406320(0);
            								_v16 = _t89;
            								if(_t89 == 0) {
            									L35:
            									E0040602D(0x444238, _t177);
            									_t91 = E00405D80(0x444238);
            									if(_t91 != _t156) {
            										 *_t91 = _t156;
            									}
            									if(GetDiskFreeSpaceW(0x444238,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
            										_t167 = _a4;
            										goto L41;
            									} else {
            										_t178 = 0x400;
            										_t167 = MulDiv(_v20 * _v28, _v16, 0x400);
            										_v12 = 1;
            										goto L42;
            									}
            								} else {
            									if(0 == 0x444238) {
            										L34:
            										_t156 = 0;
            										goto L35;
            									} else {
            										goto L30;
            									}
            									while(1) {
            										L30:
            										_t118 = _v16(0x444238,  &_v44,  &_v24,  &_v32);
            										if(_t118 != 0) {
            											break;
            										}
            										if(_t156 != 0) {
            											 *_t156 =  *_t156 & _t118;
            										}
            										_t157 = E0040676C(0x444238);
            										 *_t157 =  *_t157 & 0x00000000;
            										_t156 = _t157;
            										 *_t156 = 0x5c;
            										if(_t156 != 0x444238) {
            											continue;
            										} else {
            											goto L34;
            										}
            									}
            									_t167 = (_v40 << 0x00000020 | _v44) >> 0xa;
            									_v12 = 1;
            									_t156 = 0;
            									L41:
            									_t178 = 0x400;
            									L42:
            									_t97 = E004044BA(5);
            									if(_v12 != _t156 && _t167 < _t97) {
            										_v8 = 2;
            									}
            									if( *((intOrPtr*)( *0x46bda8 + 0x10)) != _t156) {
            										E004043F1(_t97, 0x3ff, 0xfffffffb);
            										if(_v12 == _t156) {
            											SetDlgItemTextW(_a4, _t178, 0x40a2cc);
            										} else {
            											E004043F1(_t167, _t178, 0xfffffffc);
            										}
            									}
            									_t98 = _v8;
            									 *0x473ea4 = _t98;
            									if(_t98 == _t156) {
            										_v8 = E00401414(7);
            									}
            									if(( *(_v36 + 0x14) & _t178) != 0) {
            										_v8 = _t156;
            									}
            									E00403DCD(0 | _v8 == _t156);
            									if(_v8 == _t156 &&  *0x438204 == _t156) {
            										E00403DA9();
            									}
            									 *0x438204 = _t156;
            									goto L57;
            								}
            							}
            							_t197 = _a8 - 0x405;
            							if(_a8 != 0x405) {
            								goto L57;
            							}
            							goto L26;
            						}
            						_t122 = _a12 & 0x0000ffff;
            						if(_t122 != 0x3fb) {
            							L16:
            							if(_t122 == 0x3e9) {
            								_t161 = 7;
            								memset( &_v72, 0, _t161 << 2);
            								_v76 = _a4;
            								_v68 = 0x448240;
            								_v56 = E00403FA9;
            								_v52 = _t177;
            								_v64 = E00406820(0x3fb, 0x448240, _t177);
            								_t127 =  &_v76;
            								_v60 = 0x41;
            								__imp__SHBrowseForFolderW(_t127, 0x438220, _v8);
            								if(_t127 == 0) {
            									_a8 = 0x40f;
            								} else {
            									__imp__CoTaskMemFree(_t127);
            									E0040673D(_t177);
            									_t130 =  *((intOrPtr*)( *0x473ddc + 0x11c));
            									if(_t130 != 0 && _t177 == 0x4c80a8) {
            										_push(_t130);
            										_push(0);
            										E00406820(0x3fb, 0x448240, _t177);
            										if(lstrcmpiW(0x463540, 0x448240) != 0) {
            											lstrcatW(_t177, 0x463540);
            										}
            									}
            									 *0x438204 =  &(( *0x438204)[0]);
            									SetDlgItemTextW(_a4, 0x3fb, _t177);
            								}
            							}
            							goto L24;
            						}
            						if(_a12 >> 0x10 != 0x300) {
            							goto L57;
            						}
            						_a8 = 0x40f;
            						goto L16;
            					} else {
            						_v12 = GetDlgItem(_a4, 0x3fb);
            						if(GetAsyncKeyState(0x10) >= 0) {
            							_t159 = _a4;
            						} else {
            							_t159 = _a4;
            							_t146 = GetDlgItem(_t159, 0x3f0);
            							_push(0xffffffe0);
            							_push(8);
            							E00403D87(_t159);
            							ShowWindow(_t146, 8);
            						}
            						if(E00405D4B(_t177) != 0 && E00405D80(_t177) == 0) {
            							E0040673D(_t177);
            						}
            						 *0x46bd88 = _t159;
            						SetWindowTextW(_v12, _t177);
            						_t173 = _a16;
            						_push( *((intOrPtr*)(_t173 + 0x34)));
            						_push(1);
            						E00403D87(_t159);
            						_push( *((intOrPtr*)(_t173 + 0x30)));
            						_push(0x14);
            						E00403D87(_t159);
            						E00403DE0(_v12);
            						_t142 = E00406320(7);
            						if(_t142 == 0) {
            							L57:
            							return E00403E12(_a8, _a12, _a16);
            						}
            						 *_t142(_v12, 1);
            						goto L12;
            					}
            				}
            				E00405CAC(0x3fb, _t177);
            				E0040605C(_t177);
            				E00403EBC();
            				if(GetDlgItem(_a4, 0x3f0) == 0) {
            					goto L57;
            				} else {
            					 *0x462528 = IsDlgButtonChecked(_a4, 0x3f0);
            					goto L3;
            				}
            			}

            APIs
            • GetDlgItem.USER32 ref: 0040453D
            • IsDlgButtonChecked.USER32(?,000003F0), ref: 0040454B
              • Part of subcall function 00406820: GetVersion.KERNEL32(00000000,?,0043C228,?,0043C228,00000000,00424150,00000000,00000000), ref: 004068F0
            • GetDlgItem.USER32 ref: 0040456B
            • GetAsyncKeyState.USER32(00000010), ref: 00404572
            • GetDlgItem.USER32 ref: 00404582
            • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404593
            • SetWindowTextW.USER32(?,?), ref: 004045C2
            • SHBrowseForFolderW.SHELL32(?), ref: 00404679
            • lstrcmpiW.KERNEL32(00463540,00448240,00000000,?,?), ref: 004046B6
            • lstrcatW.KERNEL32(?,00463540), ref: 004046C2
            • SetDlgItemTextW.USER32 ref: 004046D2
            • CoTaskMemFree.OLE32(00000000), ref: 00404684
              • Part of subcall function 00405CAC: GetDlgItemTextW.USER32 ref: 00405CBF
              • Part of subcall function 0040605C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,004C40A0,004D80C8,004D80C8,004037FF,004D80C8,00000002,00403A38), ref: 004060BF
              • Part of subcall function 0040605C: CharNextW.USER32(?,?,?,00000000), ref: 004060CE
              • Part of subcall function 0040605C: CharNextW.USER32(?,00000000,004C40A0,004D80C8,004D80C8,004037FF,004D80C8,00000002,00403A38), ref: 004060D3
              • Part of subcall function 0040605C: CharPrevW.USER32(?,?,004C40A0,004D80C8,004D80C8,004037FF,004D80C8,00000002,00403A38), ref: 004060E6
              • Part of subcall function 00403EBC: lstrcatW.KERNEL32(00000000,00000000), ref: 00403ED7
            • GetDiskFreeSpaceW.KERNEL32(00444238,?,?,0000040F,?,00444238,00444238,?,00000000,00444238,?,?,000003FB,?), ref: 00404790
            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047AB
            • SetDlgItemTextW.USER32 ref: 00404824
              • Part of subcall function 004043F1: lstrlenW.KERNEL32(00448240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00448240,?), ref: 0040448E
              • Part of subcall function 004043F1: wsprintfW.USER32 ref: 0040449B
              • Part of subcall function 004043F1: SetDlgItemTextW.USER32 ref: 004044AE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Item$Text$Char$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpilstrlenwsprintf
            • String ID: 8BD$@5F$A
            • API String ID: 3101929685-788763830
            • Opcode ID: 399c5e16325478b6e93c27abd0ffd8ae63e6ae384ed1c197a37184b083dee42f
            • Instruction ID: 031565c9d91755f774610b87268ac3e661acc549343c84fe1b33d87a70148bf4
            • Opcode Fuzzy Hash: 399c5e16325478b6e93c27abd0ffd8ae63e6ae384ed1c197a37184b083dee42f
            • Instruction Fuzzy Hash: 29A194B1900209ABDF11AFA1CD85AAF7AB8EF85314F10843BF605B72D1D77C9A418B59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E00406EE6(WCHAR* _a4, intOrPtr _a8, WCHAR* _a12, int _a16) {
            				void* _v8;
            				long _v12;
            				struct _OVERLAPPED* _v16;
            				char _v20;
            				char _v24;
            				void* _v27;
            				signed short _v28;
            				void* _v29;
            				signed short _v30;
            				void _v32;
            				void* _v33;
            				signed short _v34;
            				void* _v35;
            				signed int _v36;
            				void* _v37;
            				signed short _v38;
            				void* _v39;
            				short _v40;
            				void* _v43;
            				void _v44;
            				void* _v51;
            				signed short _v52;
            				void* _v53;
            				short _v54;
            				void* _v55;
            				void _v56;
            				void* _v59;
            				unsigned int _v60;
            				void* _v63;
            				unsigned int _v64;
            				char _v72;
            				void* _t91;
            				short _t98;
            				void* _t145;
            				void* _t150;
            				void* _t181;
            				void* _t183;
            				signed int _t185;
            				signed int _t187;
            				void* _t188;
            
            				_v16 = 0;
            				_v12 = 0;
            				_t91 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
            				_v8 = _t91;
            				if(_t91 != 0xffffffff) {
            					ReadFile(_t91,  &_v56, 0xc,  &_v12, 0);
            					_t98 = _v54;
            					_v54 = _t98;
            					if(_v56 != 1 || _t98 != 0) {
            						return 0;
            					} else {
            						_t181 = 0;
            						if(_v52 <= 0) {
            							L17:
            							CloseHandle(_v8);
            							L18:
            							return _v16;
            						} else {
            							goto L5;
            						}
            						while(1) {
            							L5:
            							ReadFile(_v8,  &_v72, 0x10,  &_v12, 0);
            							lstrcpynA( &_v24,  &_v72, 5);
            							_v20 = 0;
            							if(lstrcmpA("name",  &_v24) == 0) {
            								break;
            							}
            							_t181 = _t181 + 1;
            							if(_t181 < (_v52 & 0x0000ffff)) {
            								continue;
            							}
            							goto L17;
            						}
            						_v60 = 0 << 0x00000010 | _v60 >> 0x00000010 & 0x0000ffff | _v60 >> 0x00000010 & 0x000000ff;
            						_v64 = 0 << 0x00000010 | _v64 >> 0x00000010 & 0x0000ffff | _v64 >> 0x00000010 & 0x000000ff;
            						SetFilePointer(_v8, 0 << 0x10, 0, 0);
            						ReadFile(_v8,  &_v32, 6,  &_v12, 0);
            						_t183 = 0;
            						if(_v30 <= 0) {
            							goto L17;
            						} else {
            							goto L9;
            						}
            						while(1) {
            							L9:
            							ReadFile(_v8,  &_v44, 0xc,  &_v12, 0);
            							if((_v38 & 0x0000ffff) == _a8 && _v44 == 3 && _v40 == 0x409) {
            								break;
            							}
            							_t183 = _t183 + 1;
            							if(_t183 < (_v30 & 0x0000ffff)) {
            								continue;
            							}
            							goto L17;
            						}
            						_t185 = (_v36 & 0x0000ffff) >> 1;
            						SetFilePointer(_v8, (_v28 & 0x0000ffff) + (_v34 & 0x0000ffff) + _v64, 0, 0);
            						_t145 = GlobalAlloc(0x40, (_v36 & 0x0000ffff) + 2);
            						_v16 = _t145;
            						ReadFile(_v8, _t145, _v36 & 0x0000ffff,  &_v12, 0);
            						_t187 = 0;
            						if(_t185 <= 0) {
            							L16:
            							_t188 = _v16;
            							 *((short*)(_t188 + _t185 * 2)) = 0;
            							lstrcpynW(_a12, _t188, _a16);
            							_v16 = 1;
            							GlobalFree(_t188);
            							goto L17;
            						} else {
            							goto L15;
            						}
            						do {
            							L15:
            							_t150 = _v16 + _t187 * 2;
            							_t187 = _t187 + 1;
            						} while (_t187 < _t185);
            						goto L16;
            					}
            				}
            				_push(_a4);
            				E004062C7(L"%s: failed opening file \"%s\"\n", L"GetTTFNameString");
            				goto L18;
            			}

            APIs
            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F09
            • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F43
            • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406F98
            • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FA4
            • lstrcmpA.KERNEL32(name,?), ref: 00406FB6
            • CloseHandle.KERNEL32(?), ref: 00407142
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
            • String ID: %s: failed opening file "%s"$GetTTFNameString$name
            • API String ID: 1916479912-1189179171
            • Opcode ID: 9cc0d16e2932091bdae8be0cb54403e40eb384be280a93e43a5b29013ec958ef
            • Instruction ID: d91d081492fa117605058a0ab4896e6cf723b7de1b2b1d41e94e573e8865a864
            • Opcode Fuzzy Hash: 9cc0d16e2932091bdae8be0cb54403e40eb384be280a93e43a5b29013ec958ef
            • Instruction Fuzzy Hash: EE81B779D0419DAADF019FE4CC54AFEBBB9EF08300F00006AF991B7291E6785A41DB79
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			E00406CAF(void* __eflags, void* _a4, signed int _a8) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				struct _WIN32_FIND_DATAW _v608;
            				signed int _t41;
            				signed int _t51;
            				signed int* _t55;
            				signed int _t59;
            				signed int _t62;
            				signed int _t70;
            				signed int _t72;
            				void* _t74;
            				signed int _t77;
            				signed int _t79;
            				WCHAR* _t93;
            				short* _t98;
            
            				_t93 = _a4;
            				_t41 = E00406798(__eflags, _t93);
            				_v16 = _t41;
            				if((_a8 & 0x00000008) != 0) {
            					_t72 = DeleteFileW(_t93);
            					asm("sbb eax, eax");
            					_t74 =  ~_t72 + 1;
            					 *0x473e88 =  *0x473e88 + _t74;
            					return _t74;
            				}
            				_t77 = _a8 & 0x00000001;
            				__eflags = _t77;
            				_v8 = _t77;
            				if(_t77 == 0) {
            					L5:
            					E0040602D(0x45d918, _t93);
            					__eflags = _t77;
            					if(_t77 == 0) {
            						E0040676C(_t93);
            					} else {
            						lstrcatW(0x45d918, L"\\*.*");
            					}
            					__eflags =  *_t93;
            					if( *_t93 != 0) {
            						L10:
            						lstrcatW(_t93, "\\");
            						L11:
            						_v12 =  &(_t93[lstrlenW(_t93)]);
            						_t41 = FindFirstFileW(0x45d918,  &_v608);
            						__eflags = _t41 - 0xffffffff;
            						_a4 = _t41;
            						if(_t41 == 0xffffffff) {
            							_t79 = 0;
            							__eflags = 0;
            							L30:
            							__eflags = _v8 - _t79;
            							if(_v8 != _t79) {
            								_t41 = _v12;
            								_t35 = _t41 - 2;
            								 *_t35 =  *(_t41 - 2) & 0x00000000;
            								__eflags =  *_t35;
            							}
            							goto L32;
            						} else {
            							goto L12;
            						}
            						do {
            							L12:
            							_t98 =  &(_v608.cFileName);
            							_t55 = E00405D2C(_t98, 0x3f);
            							_t79 = 0;
            							__eflags =  *_t55;
            							if( *_t55 != 0) {
            								__eflags = _v608.cAlternateFileName;
            								if(_v608.cAlternateFileName != 0) {
            									_t98 =  &(_v608.cAlternateFileName);
            								}
            							}
            							__eflags =  *_t98 - 0x2e;
            							if( *_t98 != 0x2e) {
            								L19:
            								E0040602D(_v12, _t98);
            								__eflags = _v608.dwFileAttributes & 0x00000010;
            								if((_v608.dwFileAttributes & 0x00000010) == 0) {
            									E004062C7(L"Delete: DeleteFile(\"%s\")", _t93);
            									E00405E57(_t93);
            									_t59 = DeleteFileW(_t93);
            									__eflags = _t59;
            									_push(_t93);
            									if(_t59 != 0) {
            										_push(0xfffffff2);
            										E00404FA5();
            									} else {
            										__eflags = _a8 & 0x00000004;
            										if((_a8 & 0x00000004) == 0) {
            											_push(L"Delete: DeleteFile failed(\"%s\")");
            											E004062C7();
            											 *0x473e88 =  *0x473e88 + 1;
            										} else {
            											_push(L"Delete: DeleteFile on Reboot(\"%s\")");
            											E004062C7();
            											E00404FA5(0xfffffff1, _t93);
            											E00406C7C(_t93, _t79);
            										}
            									}
            								} else {
            									__eflags = (_a8 & 0x00000003) - 3;
            									if(__eflags == 0) {
            										E00406CAF(__eflags, _t93, _a8);
            									}
            								}
            								goto L27;
            							}
            							_t70 =  *(_t98 + 2) & 0x0000ffff;
            							__eflags = _t70 - _t79;
            							if(_t70 == _t79) {
            								goto L27;
            							}
            							__eflags = _t70 - 0x2e;
            							if(_t70 != 0x2e) {
            								goto L19;
            							}
            							__eflags =  *((intOrPtr*)(_t98 + 4)) - _t79;
            							if( *((intOrPtr*)(_t98 + 4)) == _t79) {
            								goto L27;
            							}
            							goto L19;
            							L27:
            							_t62 = FindNextFileW(_a4,  &_v608);
            							__eflags = _t62;
            						} while (_t62 != 0);
            						_t41 = FindClose(_a4);
            						goto L30;
            					}
            					__eflags =  *0x45d918 - 0x5c;
            					if( *0x45d918 != 0x5c) {
            						goto L11;
            					}
            					goto L10;
            				} else {
            					__eflags = _t41;
            					if(_t41 == 0) {
            						L32:
            						__eflags = _v8;
            						if(_v8 == 0) {
            							L42:
            							return _t41;
            						}
            						__eflags = _v16;
            						_push(_t93);
            						if(_v16 != 0) {
            							_t41 = E004062F9();
            							__eflags = _t41;
            							if(_t41 == 0) {
            								goto L42;
            							}
            							E0040673D(_t93);
            							E004062C7(L"RMDir: RemoveDirectory(\"%s\")", _t93);
            							E00405E57(_t93);
            							_t51 = RemoveDirectoryW(_t93);
            							__eflags = _t51;
            							_push(_t93);
            							if(_t51 != 0) {
            								_push(0xffffffe5);
            								_t41 = E00404FA5();
            								goto L42;
            							}
            							__eflags = _a8 & 0x00000004;
            							if((_a8 & 0x00000004) == 0) {
            								_push(L"RMDir: RemoveDirectory failed(\"%s\")");
            								L40:
            								_t41 = E004062C7();
            								 *0x473e88 =  *0x473e88 + 1;
            								goto L42;
            							}
            							_push(L"RMDir: RemoveDirectory on Reboot(\"%s\")");
            							E004062C7();
            							E00404FA5(0xfffffff1, _t93);
            							_t41 = E00406C7C(_t93, 0);
            							goto L42;
            						}
            						_push(L"RMDir: RemoveDirectory invalid input(\"%s\")");
            						goto L40;
            					}
            					__eflags = _a8 & 0x00000002;
            					if((_a8 & 0x00000002) == 0) {
            						goto L32;
            					}
            					goto L5;
            				}
            			}

            APIs
            • DeleteFileW.KERNEL32(?,?,004C40A0), ref: 00406CCC
            • lstrcatW.KERNEL32(0045D918,\*.*), ref: 00406D1D
            • lstrcatW.KERNEL32(?,004098A0), ref: 00406D3D
            • lstrlenW.KERNEL32(?), ref: 00406D40
            • FindFirstFileW.KERNEL32(0045D918,?), ref: 00406D54
            • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E37
            • FindClose.KERNEL32(?), ref: 00406E48
            Strings
            • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DF5
            • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EC4
            • \*.*, xrefs: 00406D17
            • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EA7
            • Delete: DeleteFile("%s"), xrefs: 00406DD1
            • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E6C
            • RMDir: RemoveDirectory("%s"), xrefs: 00406E83
            • Delete: DeleteFile failed("%s"), xrefs: 00406E12
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
            • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
            • API String ID: 2035342205-3294556389
            • Opcode ID: 95659ebd8a87fc8578b2f0f1bea34855ed5963742f4e2fa4fa39d860cf3a255d
            • Instruction ID: f770438ee6303c3f700bac50618578f3cbf6d592144e289a54b1863ae81a66b7
            • Opcode Fuzzy Hash: 95659ebd8a87fc8578b2f0f1bea34855ed5963742f4e2fa4fa39d860cf3a255d
            • Instruction Fuzzy Hash: C151D475504305AADB117B65CC45ABF3B74DF41724F22803FF902760C2D77C49A19AAE
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00407277(void* __ecx, void* __eflags) {
            				void* _t53;
            				void* _t56;
            				intOrPtr _t78;
            				intOrPtr* _t91;
            				intOrPtr* _t96;
            				void* _t102;
            				void* _t104;
            
            				_t102 = _t104 - 0x58;
            				 *(_t102 + 0x4c) = 0;
            				 *(_t102 + 0x44) = 1;
            				 *(_t102 + 0x54) = 0;
            				 *(_t102 - 0x3c) = 0;
            				E0040872A(_t102 - 0x3b, 0, 0x7f);
            				_t53 = InternetConnectA(E004071DC(),  *(_t102 + 0x60),  *(_t102 + 0x78), 0x40ac15, 0x40ac15, 3, 0, 0);
            				_t96 =  *((intOrPtr*)(_t102 + 0x74));
            				 *(_t102 + 0x48) = _t53;
            				if(_t53 == 0) {
            					L18:
            					 *((intOrPtr*)( *((intOrPtr*)(_t102 + 0x70)))) = 0;
            					 *_t96 = 0;
            				} else {
            					_t56 = HttpOpenRequestA(_t53, "POST",  *(_t102 + 0x64), 0, 0, 0, 0x84080100, 0);
            					 *(_t102 + 0x50) = _t56;
            					if(_t56 != 0) {
            						InternetSetOptionA(_t56, 2, _t102 + 0x7c, 4);
            						InternetSetOptionA( *(_t102 + 0x50), 6, _t102 + 0x7c, 4);
            						InternetSetOptionA( *(_t102 + 0x50), 5, _t102 + 0x7c, 4);
            						InternetSetOptionA( *(_t102 + 0x50), 3, _t102 + 0x44, 4);
            						if(HttpSendRequestA( *(_t102 + 0x50), 0, 0,  *(_t102 + 0x68),  *(_t102 + 0x6c)) != 0) {
            							 *(_t102 + 0x54) = 0x80;
            							 *(_t102 + 0x7c) = 0;
            							if(HttpQueryInfoA( *(_t102 + 0x50), 0x13, _t102 - 0x3c, _t102 + 0x54, _t102 + 0x7c) != 0 &&  *(_t102 - 0x3c) == 0x32 &&  *((char*)(_t102 - 0x3b)) == 0x30 &&  *((char*)(_t102 - 0x3a)) == 0x30) {
            								 *((intOrPtr*)( *((intOrPtr*)(_t102 + 0x70)))) = 0;
            								 *_t96 = 0;
            								 *(_t102 + 0x54) = 0x80;
            								while(InternetReadFile( *(_t102 + 0x50), _t102 - 0x3c, 0x80, _t102 + 0x54) != 0) {
            									_t88 =  *(_t102 + 0x54);
            									if( *(_t102 + 0x54) <= 0) {
            										break;
            									} else {
            										_t75 =  *_t96;
            										if( *_t96 != 0) {
            											_t78 = E0040723D( *((intOrPtr*)( *((intOrPtr*)(_t102 + 0x70)))), _t75 + _t88);
            										} else {
            											_t78 = E004071FC(_t88);
            										}
            										_t91 =  *((intOrPtr*)(_t102 + 0x70));
            										 *_t91 = _t78;
            										_t80 =  *_t91;
            										if( *_t91 != 0) {
            											E00405E33( *_t96 + _t80, _t102 - 0x3c,  *(_t102 + 0x54));
            											 *_t96 =  *_t96 +  *(_t102 + 0x54);
            											continue;
            										}
            									}
            									goto L16;
            								}
            								 *(_t102 + 0x4c) = 1;
            							}
            						}
            						L16:
            						InternetCloseHandle( *(_t102 + 0x50));
            					}
            					InternetCloseHandle( *(_t102 + 0x48));
            					if( *(_t102 + 0x4c) == 0) {
            						goto L18;
            					}
            				}
            				return  *(_t102 + 0x4c);
            			}

            APIs
              • Part of subcall function 004071DC: InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; www.eliang.com),00000000,00000000,00000000,00000000), ref: 004071F0
            • InternetConnectA.WININET(00000000,?,?,0040AC15,0040AC15,00000003,00000000,00000000), ref: 004072BC
            • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,84080100,00000000), ref: 004072E2
            • InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 00407303
            • InternetSetOptionA.WININET(?,00000006,?,00000004), ref: 00407310
            • InternetSetOptionA.WININET(?,00000005,?,00000004), ref: 0040731D
            • InternetSetOptionA.WININET(?,00000003,?,00000004), ref: 0040732A
            • HttpSendRequestA.WININET(?,00000000,00000000,?,?), ref: 00407337
            • HttpQueryInfoA.WININET(?,00000013,?,?,?), ref: 00407361
            • InternetReadFile.WININET(?,?,00000080,?), ref: 004073E0
            • InternetCloseHandle.WININET(?), ref: 004073F4
            • InternetCloseHandle.WININET(?), ref: 004073FE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Internet$Option$Http$CloseHandleOpenRequest$ConnectFileInfoQueryReadSend
            • String ID: POST
            • API String ID: 3584683635-1814004025
            • Opcode ID: fcf7c6f7eb7fa12a266b0c3aa8b4391cb82b50ba1d985123f6bbb75b1204df8c
            • Instruction ID: cfdd3c33369983fcdbfd34786cc6817472fb1a6c70621991d6357d557c5bdcad
            • Opcode Fuzzy Hash: fcf7c6f7eb7fa12a266b0c3aa8b4391cb82b50ba1d985123f6bbb75b1204df8c
            • Instruction Fuzzy Hash: 0E5119B190424CAFEF259FA5DC84AAE3BA9FB08344F10403AFE14E22A1D775AC14DF55
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 96%
            			E004077D3(void* __eflags, int _a4) {
            				char _v8;
            				void* _v12;
            				signed int _v16;
            				intOrPtr _v20;
            				union _LARGE_INTEGER _v28;
            				struct _SYSTEM_INFO _v64;
            				signed int _v116;
            				signed int _v120;
            				char _v124;
            				char _v128;
            				intOrPtr _t47;
            				struct _MEMORYSTATUSEX* _t49;
            				char _t61;
            				signed int _t67;
            				CHAR* _t75;
            
            				_t67 = 8;
            				_v64.dwOemId = 0;
            				memset( &(_v64.dwPageSize), 0, _t67 << 2);
            				_v8 = 0;
            				_v128 = 0;
            				E0040872A( &_v124, 0, 0x3c);
            				_t75 = _a4;
            				_v12 = 0;
            				 *_t75 = 0;
            				GetSystemInfo( &_v64);
            				_t47 = _v64.dwNumberOfProcessors;
            				_v20 = _t47;
            				if(_t47 > 0) {
            					_t49 =  &_v128;
            					_v128 = 0x40;
            					GlobalMemoryStatusEx(_t49);
            					if(_t49 != 0) {
            						_v16 = (_v116 << 0x00000020 | _v120) >> 0x14;
            						if(RegOpenKeyExW(0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, 0x20019,  &_v12) == 0) {
            							_a4 = 4;
            							RegQueryValueExW(_v12, L"~MHz", 0, 0,  &_v8,  &_a4);
            							RegCloseKey(_v12);
            						}
            						if(_v8 > 0) {
            							L7:
            							_a4 = GetSystemMetrics(1);
            							_a4 = _a4 << 0x10;
            							wsprintfA(_t75, "%d,%d,%d,%u", _v20, _v8, _v16, GetSystemMetrics(0) | _a4);
            						} else {
            							if(QueryPerformanceFrequency( &_v28) != 0) {
            								asm("cdq");
            								_t61 = _v28.LowPart / 0xf4240;
            								_v8 = _t61;
            								if(_t61 > 0) {
            									goto L7;
            								}
            							}
            						}
            					}
            				}
            				return _t75;
            			}



















            APIs
            • GetSystemInfo.KERNEL32(?,?,74CF81D0,00000000), ref: 0040780B
            • GlobalMemoryStatusEx.KERNEL32(?,?,74CF81D0,00000000), ref: 0040782A
            • RegOpenKeyExW.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,00407BA8,?,74CF81D0,00000000), ref: 0040785C
            • RegQueryValueExW.ADVAPI32(00407BA8,~MHz,00000000,00000000,?,00407BA8,?,74CF81D0,00000000), ref: 0040787F
            • RegCloseKey.ADVAPI32(00000004,?,74CF81D0,00000000), ref: 00407888
            • QueryPerformanceFrequency.KERNEL32(?,?,74CF81D0,00000000), ref: 00407897
            • GetSystemMetrics.USER32 ref: 004078BC
            • GetSystemMetrics.USER32 ref: 004078C6
            • wsprintfA.USER32 ref: 004078DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: System$MetricsQuery$CloseFrequencyGlobalInfoMemoryOpenPerformanceStatusValuewsprintf
            • String ID: %d,%d,%d,%u$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
            • API String ID: 706806705-919379891
            • Opcode ID: be668654b86ec6fc0adbfafc6e8b21c766fdcc22c3b203f8fb14157018861919
            • Instruction ID: a11e5eece8d7d8676704bcee07a191f7a6bb161e8170cf46822f5423c20b6114
            • Opcode Fuzzy Hash: be668654b86ec6fc0adbfafc6e8b21c766fdcc22c3b203f8fb14157018861919
            • Instruction Fuzzy Hash: 0E313C72D00209EFEB00DFA5DD89ADEBBB8EB08344F10807AF605F6291D7749A54DB55
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 88%
            			E004076C5() {
            				char _v8;
            				char _v12;
            				char _v16;
            				char* _t18;
            				intOrPtr* _t34;
            				intOrPtr* _t35;
            
            				_v8 = 0;
            				_v16 = 0;
            				_v12 = 0;
            				_t35 = E004071FC(0x288);
            				if(_t35 == 0) {
            					L12:
            					return _v16;
            				}
            				E0040872A(_t35, 0, _v8);
            				_t18 =  &_v8;
            				_push(_t18);
            				_push(_t35);
            				_v8 = 0x288;
            				L00408782();
            				if(_t18 != 0x6f) {
            					L4:
            					_t34 = _t35;
            					if(_t18 != 0) {
            						L10:
            						if(_t34 != 0) {
            							E0040721C(_t34);
            						}
            						goto L12;
            					} else {
            						goto L5;
            					}
            					do {
            						L5:
            						if( *((intOrPtr*)(_t35 + 0x1a0)) != 6) {
            							goto L7;
            						}
            						_t11 = _t35 + 0x10c; // 0x10c
            						if(StrStrIA(_t11, "vmware") == 0) {
            							E00405E33( &_v16, _t35 + 0x194, 8);
            							goto L10;
            						}
            						L7:
            						_t35 =  *_t35;
            					} while (_t35 != 0);
            					goto L10;
            				}
            				E0040721C(_t35);
            				_t35 = E004071FC(_v8);
            				if(_t35 == 0) {
            					goto L12;
            				}
            				E0040872A(_t35, 0, _v8);
            				_t18 =  &_v8;
            				_push(_t18);
            				_push(_t35);
            				L00408782();
            				goto L4;
            			}










            APIs
              • Part of subcall function 004071FC: GlobalAlloc.KERNEL32(00000002,00000000,00407BD6,00407917,00000000,00407BD6,?,00000000,74CF81D0), ref: 00407205
              • Part of subcall function 004071FC: GlobalLock.KERNEL32 ref: 00407210
            • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00407704
            • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00407736
            • StrStrIA.SHLWAPI(0000010C,vmware,74CF81D0,7491C740,00000000,?,00407C04,?), ref: 00407756
              • Part of subcall function 0040721C: GlobalHandle.KERNEL32(00000000), ref: 00407221
              • Part of subcall function 0040721C: GlobalUnlock.KERNEL32(00000000), ref: 0040722E
              • Part of subcall function 0040721C: GlobalFree.KERNEL32 ref: 00407235
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Global$AdaptersInfo$AllocFreeHandleLockUnlock
            • String ID: vmware
            • API String ID: 489309316-2453097234
            • Opcode ID: 09df0f87751ac4fde58175558e4809d7eb63fdf4c897862f8acd13fa73580ebe
            • Instruction ID: 1271a70d417f539259fbb9142c069e97f5a9f71276bf3e959977fc82537db362
            • Opcode Fuzzy Hash: 09df0f87751ac4fde58175558e4809d7eb63fdf4c897862f8acd13fa73580ebe
            • Instruction Fuzzy Hash: 6821A476D05118BADB10ABA59CC1D9FB3ACAF55354F24057FF840B3281EA3C7E0096DA
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			E0040250B() {
            				intOrPtr _t46;
            				void* _t47;
            				intOrPtr _t48;
            				intOrPtr _t49;
            				signed int _t52;
            				void* _t55;
            				intOrPtr* _t59;
            				intOrPtr _t60;
            				intOrPtr* _t61;
            				intOrPtr* _t63;
            				intOrPtr* _t65;
            				signed int _t69;
            				intOrPtr* _t70;
            				intOrPtr* _t72;
            				intOrPtr* _t73;
            				intOrPtr* _t75;
            				intOrPtr* _t77;
            				intOrPtr* _t79;
            				void* _t83;
            				signed int _t92;
            				intOrPtr* _t98;
            				intOrPtr* _t99;
            				void* _t104;
            				void* _t108;
            				void* _t109;
            				void* _t110;
            				void* _t111;
            				void* _t112;
            				void* _t115;
            
            				_t108 = 0xfffffff0;
            				_t46 = E00401453(_t108);
            				_t109 = 0xffffffdf;
            				 *((intOrPtr*)(_t115 - 0x3c)) = _t46;
            				_t47 = E00401453(_t109);
            				_t110 = 2;
            				_t104 = _t47;
            				_t48 = E00401453(_t110);
            				_t111 = 0xffffffcd;
            				 *((intOrPtr*)(_t115 - 0xc)) = _t48;
            				_t49 = E00401453(_t111);
            				_t112 = 0x45;
            				 *((intOrPtr*)(_t115 - 8)) = _t49;
            				 *((intOrPtr*)(_t115 - 0x34)) = E00401453(_t112);
            				if(E00405D4B(_t104) == 0) {
            					__esi = 0x21;
            					E00401453(__esi);
            				}
            				_t52 =  *(_t115 - 0x1c);
            				E004062C7(L"CreateShortCut: out: \"%s\", in: \"%s %s\", icon: %s,%d, sw=%d, hk=%d",  *((intOrPtr*)(_t115 - 0x3c)));
            				_t55 = _t115 + 8;
            				__imp__CoCreateInstance(0x40ad84, _t83, 1, 0x40ad74, _t55, _t104,  *((intOrPtr*)(_t115 - 0xc)),  *((intOrPtr*)(_t115 - 8)), _t52 & 0x000000ff, _t52 & 0x000000ff, _t52 >> 0x10);
            				if(_t55 < _t83) {
            					L13:
            					 *((intOrPtr*)(_t115 - 4)) = 1;
            					_push(0xfffffff0);
            				} else {
            					_t59 =  *((intOrPtr*)(_t115 + 8));
            					_t60 =  *((intOrPtr*)( *_t59))(_t59, 0x40ad94, _t115 - 0x44);
            					 *((intOrPtr*)(_t115 - 0x10)) = _t60;
            					if(_t60 >= _t83) {
            						_t63 =  *((intOrPtr*)(_t115 + 8));
            						 *((intOrPtr*)(_t115 - 0x10)) =  *((intOrPtr*)( *_t63 + 0x50))(_t63, _t104);
            						_t65 =  *((intOrPtr*)(_t115 + 8));
            						 *((intOrPtr*)( *_t65 + 0x24))(_t65, 0x4cc0b0);
            						_t92 =  *(_t115 - 0x1c);
            						_t69 = _t92 >> 0x00000008 & 0x000000ff;
            						if(_t69 != 0) {
            							_t99 =  *((intOrPtr*)(_t115 + 8));
            							 *((intOrPtr*)( *_t99 + 0x3c))(_t99, _t69);
            							_t92 =  *(_t115 - 0x1c);
            						}
            						_t70 =  *((intOrPtr*)(_t115 + 8));
            						 *((intOrPtr*)( *_t70 + 0x34))(_t70, _t92 >> 0x10);
            						_t72 =  *((intOrPtr*)(_t115 - 8));
            						if( *_t72 != _t83) {
            							_t98 =  *((intOrPtr*)(_t115 + 8));
            							 *((intOrPtr*)( *_t98 + 0x44))(_t98, _t72,  *(_t115 - 0x1c) & 0x000000ff);
            						}
            						_t73 =  *((intOrPtr*)(_t115 + 8));
            						 *((intOrPtr*)( *_t73 + 0x2c))(_t73,  *((intOrPtr*)(_t115 - 0xc)));
            						_t75 =  *((intOrPtr*)(_t115 + 8));
            						 *((intOrPtr*)( *_t75 + 0x1c))(_t75,  *((intOrPtr*)(_t115 - 0x34)));
            						if( *((intOrPtr*)(_t115 - 0x10)) >= _t83) {
            							_t79 =  *((intOrPtr*)(_t115 - 0x44));
            							 *((intOrPtr*)(_t115 - 0x10)) =  *((intOrPtr*)( *_t79 + 0x18))(_t79,  *((intOrPtr*)(_t115 - 0x3c)), 1);
            						}
            						_t77 =  *((intOrPtr*)(_t115 - 0x44));
            						 *((intOrPtr*)( *_t77 + 8))(_t77);
            					}
            					_t61 =  *((intOrPtr*)(_t115 + 8));
            					 *((intOrPtr*)( *_t61 + 8))(_t61);
            					if( *((intOrPtr*)(_t115 - 0x10)) >= _t83) {
            						_push(0xfffffff4);
            					} else {
            						goto L13;
            					}
            				}
            				E0040142C();
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t115 - 4));
            				return 0;
            			}

































            APIs
            • CoCreateInstance.OLE32(0040AD84,?,00000001,0040AD74,?), ref: 00402590
            Strings
            • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402572
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: CreateInstance
            • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
            • API String ID: 542301482-1377821865
            • Opcode ID: 87cd2033820800d5b8c540ee5632a71d0f401701dbeaa92e01e58174be4278c8
            • Instruction ID: 7a9cd48b32f7798e9cb36282e70a59a87989dda987dc0365ff1300497b509536
            • Opcode Fuzzy Hash: 87cd2033820800d5b8c540ee5632a71d0f401701dbeaa92e01e58174be4278c8
            • Instruction Fuzzy Hash: E0415F75A00205AFCB04EFA4CC88DAE7BB9FF48314B10856AF915EB2E1C779DA41CB54
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 41%
            			E00402E3C(void* __ebx, void* __edi) {
            				void* _t19;
            				void* _t21;
            
            				_t19 = 2;
            				if(FindFirstFileW(E00401453(_t19), _t21 - 0x3ac) != 0xffffffff) {
            					E00405F74( *((intOrPtr*)(_t21 + 8)), _t8);
            					_push(_t21 - 0x380);
            					_push(__edi);
            					E0040602D();
            				} else {
            					 *((short*)( *((intOrPtr*)(__ebp + 8)))) = __bx;
            					 *__edi = __bx;
            					 *((intOrPtr*)(_t21 - 4)) = 1;
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t21 - 4));
            				return 0;
            			}






            APIs
            • FindFirstFileW.KERNEL32(00000000,?), ref: 00402E4C
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: FileFindFirst
            • String ID:
            • API String ID: 1974802433-0
            • Opcode ID: b47689a93a65e468af44f217487e9431f4159c9d260b939f086134cfc0164cb2
            • Instruction ID: 55ad9af99828f63f91e6e2d1edf6ba894b2851bfd542305d393cef409bf85575
            • Opcode Fuzzy Hash: b47689a93a65e468af44f217487e9431f4159c9d260b939f086134cfc0164cb2
            • Instruction Fuzzy Hash: 00E03072600114ABDB01EF64DC49DAE77A8EF11364F108176F501EA0D1D7789F41AB59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E004063D1(_Unknown_base(*)()* _a4) {
            				void* _v8;
            				_Unknown_base(*)()* _v12;
            				_Unknown_base(*)()* _v16;
            				struct HINSTANCE__* _v20;
            				unsigned int _v24;
            				_Unknown_base(*)()* _v28;
            				char _v32;
            				_Unknown_base(*)()* _v36;
            				struct _OSVERSIONINFOW _v312;
            				short _v832;
            				intOrPtr _v1380;
            				char _v1388;
            				short _v1908;
            				short _v2940;
            				char _v2972;
            				void* _t79;
            				_Unknown_base(*)()* _t88;
            				unsigned int _t94;
            				_Unknown_base(*)()* _t103;
            				void* _t104;
            				void* _t105;
            				void* _t111;
            				WCHAR* _t141;
            				struct HINSTANCE__* _t142;
            				signed int _t143;
            				void* _t146;
            				signed int _t150;
            				intOrPtr* _t151;
            				struct HINSTANCE__* _t152;
            				void* _t153;
            				signed int _t154;
            				void* _t156;
            				void* _t157;
            				void* _t160;
            
            				_t79 = GlobalAlloc(0x40, 0xfa0);
            				_t141 = _a4;
            				_v8 = _t79;
            				_t154 = lstrlenW(_t141);
            				_t3 = _t154 - 1; // -1
            				if(_t3 > 0x103) {
            					return 0x278;
            				}
            				_t150 = 0;
            				if(_t154 <= 0) {
            					L4:
            					 *(_t160 + _t154 * 2 - 0x33c) =  *(_t160 + _t154 * 2 - 0x33c) & 0x00000000;
            					_v312.dwOSVersionInfoSize = 0x114;
            					if(GetVersionExW( &_v312) != 0) {
            						if(_v312.dwPlatformId == 2) {
            							_t142 = LoadLibraryA("PSAPI.DLL");
            							_v20 = _t142;
            							if(_t142 != 0) {
            								_t151 = GetProcAddress(_t142, "EnumProcesses");
            								_a4 = GetProcAddress(_t142, "EnumProcessModules");
            								_t88 = GetProcAddress(_t142, "GetModuleBaseNameW");
            								_v12 = _t88;
            								if(_t151 == 0 || _a4 == 0 || _t88 == 0) {
            									FreeLibrary(_t142);
            									goto L35;
            								} else {
            									_push( &_v24);
            									_push(0x3e8);
            									_push(_v8);
            									if( *_t151() != 0) {
            										_t94 = _v24 >> 2;
            										_v16 = _t94;
            										_t143 = 0;
            										if(_t94 == 0) {
            											L24:
            											GlobalFree(_v8);
            											if(_v312.dwPlatformId != 1) {
            												L44:
            												FreeLibrary(_v20);
            												return 0;
            											}
            											_t152 = LoadLibraryA("Kernel32.DLL");
            											_v20 = _t152;
            											if(_t152 == 0) {
            												goto L10;
            											}
            											_a4 = GetProcAddress(_t152, "CreateToolhelp32Snapshot");
            											_v28 = GetProcAddress(_t152, "Process32FirstW");
            											_v12 = GetProcAddress(_t152, "Process32NextW");
            											_v16 = GetProcAddress(_t152, "Module32FirstW");
            											_t103 = GetProcAddress(_t152, "Module32NextW");
            											_v36 = _t103;
            											if(_v12 == 0 || _v28 == 0 || _t103 == 0 || _v16 == 0 || _a4 == 0) {
            												L48:
            												FreeLibrary(_t152);
            												L35:
            												goto L10;
            											} else {
            												_t104 = _a4(2, 0);
            												_v8 = _t104;
            												if(_t104 == 0xffffffff) {
            													goto L48;
            												}
            												_v1388 = 0x22c;
            												_t105 = _v28(_t104,  &_v1388);
            												while(_t105 != 0) {
            													_t156 = _a4(8, _v1380);
            													if(_t156 == 0xffffffff) {
            														_t157 = 0x25d;
            														L46:
            														CloseHandle(_v8);
            														FreeLibrary(_t152);
            														L17:
            														return _t157;
            													}
            													_v2972 = 0x428;
            													_t111 = _v16(_t156,  &_v2972);
            													while(_t111 != 0) {
            														if(lstrcmpW( &_v2940,  &_v832) == 0) {
            															CloseHandle(_t156);
            															_t157 = 1;
            															goto L46;
            														}
            														_v2972 = 0x428;
            														_t111 = _v36(_t156,  &_v2972);
            													}
            													CloseHandle(_t156);
            													_v1388 = 0x22c;
            													_t105 = _v12(_v8,  &_v1388);
            												}
            												CloseHandle(_v8);
            												goto L44;
            											}
            										} else {
            											goto L19;
            										}
            										while(1) {
            											L19:
            											lstrcpyW( &_v1908, L"Unknown");
            											_t153 = OpenProcess(0x410, 0,  *(_v8 + _t143 * 4));
            											if(_t153 != 0) {
            												_push( &_v24);
            												_push(4);
            												_push( &_v32);
            												_push(_t153);
            												if(_a4() != 0) {
            													_v12(_t153, _v32,  &_v1908, 0x104);
            												}
            											}
            											CloseHandle(_t153);
            											if(lstrcmpW(CharUpperW( &_v1908),  &_v832) == 0) {
            												break;
            											}
            											_t143 = _t143 + 1;
            											if(_t143 < _v16) {
            												continue;
            											}
            											goto L24;
            										}
            										_t142 = _v20;
            										_t157 = 1;
            										L16:
            										FreeLibrary(_t142);
            										GlobalFree(_v8);
            										goto L17;
            									}
            									_t157 = 0x25d;
            									goto L16;
            								}
            							}
            							L10:
            							return 0x25d;
            						}
            						if(_v312.dwPlatformId == 1) {
            							goto L24;
            						}
            						return 0x25f;
            					}
            					return 0x25e;
            				}
            				_t146 = _t141 -  &_v832;
            				do {
            					 *((short*)(_t160 + _t150 * 2 - 0x33c)) = E0040604F( *(_t160 + _t146 + _t150 * 2 - 0x33c) & 0x0000ffff);
            					_t150 = _t150 + 1;
            				} while (_t150 < _t154);
            				goto L4;
            			}


            APIs
            • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063E4
            • lstrlenW.KERNEL32(?), ref: 004063F1
            • GetVersionExW.KERNEL32(?), ref: 0040644E
              • Part of subcall function 0040604F: CharUpperW.USER32(?,00406426,?), ref: 00406055
            • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 0040648D
            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064AC
            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064B6
            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C1
            • FreeLibrary.KERNEL32(00000000), ref: 004064F8
            • GlobalFree.KERNEL32 ref: 00406501
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
            • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
            • API String ID: 20674999-2124804629
            • Opcode ID: 7b0b24a9f0192154ef008dda34af5ef8f695ac5a7bdcb8258ece82c63921a56f
            • Instruction ID: d7c3a7ab887c1f7f115b448b8907c69b3f967e7839189082eb3b5f14475a261f
            • Opcode Fuzzy Hash: 7b0b24a9f0192154ef008dda34af5ef8f695ac5a7bdcb8258ece82c63921a56f
            • Instruction Fuzzy Hash: B5917F71D00219EBDF209FA4CD88AAEBBB8AF04745F114476E506F62D0DB788E51CF69
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 96%
            			E00407A0F(void* __ecx, void* __eflags, intOrPtr _a4, signed int _a8) {
            				char _v263;
            				char _v264;
            				char _v523;
            				char _v524;
            				char _v2571;
            				char _v2572;
            				signed int _t58;
            
            				_v2572 = 0;
            				E0040872A( &_v2571, 0, 0x7ff);
            				_v264 = 0;
            				E0040872A( &_v263, 0, 0x103);
            				_v524 = 0;
            				E0040872A( &_v523, 0, 0x103);
            				_t58 =  *0x473ddc;
            				if( *((intOrPtr*)(_t58 + 0x120)) != 0) {
            					wsprintfA( &_v2572, "v=%d", 3);
            					wsprintfA( &_v264, "\nid=%s",  *0x473ddc + 0x120);
            					lstrcatA( &_v2572,  &_v264);
            					wsprintfA( &_v264, "\nret=%d", _a4);
            					lstrcatA( &_v2572,  &_v264);
            					_t73 = _a8;
            					wsprintfA( &_v264, "\nut=%d", _a8 / 0x3e8);
            					lstrcatA( &_v2572,  &_v264);
            					__eflags =  *0x473e24;
            					wsprintfA( &_v264, "\nun=%d", 0 |  *0x473e24 != 0x00000000);
            					lstrcatA( &_v2572,  &_v264);
            					__eflags =  *0x473ea0;
            					wsprintfA( &_v264, "\nslt=%d", 0 | __eflags != 0x00000000);
            					lstrcatA( &_v2572,  &_v264);
            					_push( &_v524);
            					wsprintfA( &_v264, "\nos=%s", E004075FF(0x3e8, __eflags));
            					lstrcatA( &_v2572,  &_v264);
            					wsprintfA( &_v264, "\nhw=%s", E004077D3(__eflags,  &_v524));
            					lstrcatA( &_v2572,  &_v264);
            					wsprintfA( &_v264, "\nii=%s", E00407976(0x3e8,  &_v524));
            					lstrcatA( &_v2572,  &_v264);
            					E00407790(0x3e8, _t73 % 0x3e8,  &_v524);
            					wsprintfA( &_v264, "\ncid=%s",  &_v524);
            					lstrcatA( &_v2572,  &_v264);
            					E00407550(_t73 % 0x3e8, __eflags,  &_v2572);
            					__eflags = 0;
            					return 0;
            				}
            				return _t58 | 0xffffffff;
            			}


            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: wsprintf$lstrcat
            • String ID: cid=%s$hw=%s$id=%s$ii=%s$os=%s$ret=%d$slt=%d$un=%d$ut=%d$v=%d
            • API String ID: 2661776893-1482094183
            • Opcode ID: dfba30720681c2c083e7d0a6ee07cafdaa28bb4a5eed3a6119af4bf4dbbd9804
            • Instruction ID: 77dbce5f544b4df3ea99fc7fac16f1237b093c7cd46cf4f084a09725f4ca4ff7
            • Opcode Fuzzy Hash: dfba30720681c2c083e7d0a6ee07cafdaa28bb4a5eed3a6119af4bf4dbbd9804
            • Instruction Fuzzy Hash: EC51B1B6D0026C6BDB11E6A4DD85ECB77BC9F14304F0005F7A689E3441EA78ABD48FA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E004054A4(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
            				struct HWND__* _v20;
            				struct HWND__* _v32;
            				struct tagPOINT _v76;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				signed int _t37;
            				signed int _t39;
            				signed int _t41;
            				struct HWND__* _t51;
            				signed int _t69;
            				struct HWND__* _t75;
            				signed int _t88;
            				struct HWND__* _t93;
            				signed int _t102;
            				int _t106;
            				signed int _t118;
            				signed int _t119;
            				int _t120;
            				signed int _t125;
            				struct HWND__* _t128;
            				struct HWND__* _t129;
            				int _t130;
            				long _t133;
            				int _t135;
            				int _t136;
            
            				_t118 = _a8;
            				if(_t118 == 0x110 || _t118 == 0x408) {
            					__eflags = _t118 - 0x110;
            					_t37 = _a12;
            					_t128 = _a4;
            					 *0x4381fc = _t37;
            					if(_t118 == 0x110) {
            						 *0x473dd4 = _t128;
            						 *0x43821c = GetDlgItem(_t128, 1);
            						_t93 = GetDlgItem(_t128, 2);
            						_push(0xffffffff);
            						_push(0x1c);
            						 *0x43820c = _t93;
            						E00403D87(_t128);
            						SetClassLongW(_t128, 0xfffffff2,  *0x46bd90);
            						 *0x46bd94 = E00401414(4);
            						_t37 = 1;
            						__eflags = 1;
            						 *0x4381fc = 1;
            					}
            					_t125 =  *0x40c014; // 0xffffffff
            					_t133 = (_t125 << 6) +  *0x473de0;
            					_t136 = 0;
            					__eflags = _t125;
            					if(_t125 < 0) {
            						L34:
            						E00403DF7(0x40b);
            						while(1) {
            							_t39 =  *0x4381fc;
            							 *0x40c014 =  *0x40c014 + _t39;
            							_t133 = _t133 + (_t39 << 6);
            							_t41 =  *0x40c014; // 0xffffffff
            							__eflags = _t41 -  *0x473de4;
            							if(_t41 ==  *0x473de4) {
            								E00401414(1);
            							}
            							__eflags =  *0x46bd94 - _t136;
            							if( *0x46bd94 != _t136) {
            								break;
            							}
            							__eflags =  *0x40c014 -  *0x473de4; // 0xffffffff
            							if(__eflags >= 0) {
            								break;
            							}
            							_push( *((intOrPtr*)(_t133 + 0x24)));
            							_t119 =  *(_t133 + 0x14);
            							_push(0x4ec0f0);
            							E00406820(_t119, _t128, _t133);
            							_push( *((intOrPtr*)(_t133 + 0x20)));
            							_push(0xfffffc19);
            							E00403D87(_t128);
            							_push( *((intOrPtr*)(_t133 + 0x1c)));
            							_push(0xfffffc1b);
            							E00403D87(_t128);
            							_push( *((intOrPtr*)(_t133 + 0x28)));
            							_push(0xfffffc1a);
            							E00403D87(_t128);
            							_t51 = GetDlgItem(_t128, 3);
            							__eflags =  *0x473e8c - _t136;
            							_v32 = _t51;
            							if( *0x473e8c != _t136) {
            								_t119 = _t119 & 0xfffffefd | 0x00000004;
            								__eflags = _t119;
            							}
            							ShowWindow(_t51, _t119 & 0x00000008);
            							EnableWindow(_v20, _t119 & 0x00000100);
            							E00403DCD(_t119 & 0x00000002);
            							_t120 = _t119 & 0x00000004;
            							EnableWindow( *0x43820c, _t120);
            							__eflags = _t120 - _t136;
            							if(_t120 == _t136) {
            								_push(1);
            							} else {
            								_push(_t136);
            							}
            							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
            							SendMessageW(_v20, 0xf4, _t136, 1);
            							__eflags =  *0x473e8c - _t136;
            							if( *0x473e8c == _t136) {
            								_push( *0x43821c);
            							} else {
            								SendMessageW(_t128, 0x401, 2, _t136);
            								_push( *0x43820c);
            							}
            							E00403DE0();
            							_push(0x448240);
            							E0040602D();
            							_push( *((intOrPtr*)(_t133 + 0x18)));
            							_push( &(0x448240[lstrlenW(0x448240)]));
            							E00406820(0x448240, _t128, _t133);
            							SetWindowTextW(_t128, 0x448240);
            							_push(_t136);
            							_t69 = E00401392( *((intOrPtr*)(_t133 + 8)));
            							__eflags = _t69;
            							if(_t69 != 0) {
            								continue;
            							} else {
            								__eflags =  *_t133 - _t136;
            								if( *_t133 == _t136) {
            									continue;
            								}
            								__eflags =  *(_t133 + 4) - 5;
            								if( *(_t133 + 4) != 5) {
            									DestroyWindow( *0x46bd88);
            									__eflags =  *_t133 - _t136;
            									 *0x458260 = _t133;
            									if( *_t133 <= _t136) {
            										goto L58;
            									}
            									_t75 = CreateDialogParamW( *0x473dd8,  *_t133 +  *0x46bd9c & 0x0000ffff, _t128,  *(0x40c018 +  *(_t133 + 4) * 4), _t133);
            									__eflags = _t75 - _t136;
            									 *0x46bd88 = _t75;
            									if(_t75 == _t136) {
            										goto L58;
            									}
            									_push( *((intOrPtr*)(_t133 + 0x2c)));
            									_push(6);
            									E00403D87(_t75);
            									GetWindowRect(GetDlgItem(_t128, 0x3fa),  &_v76);
            									ScreenToClient(_t128,  &_v76);
            									SetWindowPos( *0x46bd88, _t136, _v76, _v76.y, _t136, _t136, 0x15);
            									_push(_t136);
            									E00401392( *((intOrPtr*)(_t133 + 0xc)));
            									__eflags =  *0x46bd94 - _t136;
            									if( *0x46bd94 != _t136) {
            										goto L61;
            									}
            									ShowWindow( *0x46bd88, 8);
            									E00403DF7(0x405);
            									goto L58;
            								}
            								__eflags =  *0x473e8c - _t136;
            								if( *0x473e8c != _t136) {
            									goto L61;
            								}
            								__eflags =  *0x473e80 - _t136;
            								if( *0x473e80 != _t136) {
            									continue;
            								}
            								goto L61;
            							}
            						}
            						DestroyWindow( *0x46bd88);
            						 *0x473dd4 = _t136;
            						EndDialog(_t128,  *0x458268);
            						goto L58;
            					} else {
            						__eflags = _t37 - 1;
            						if(_t37 != 1) {
            							L33:
            							__eflags =  *_t133 - _t136;
            							if( *_t133 == _t136) {
            								goto L61;
            							}
            							goto L34;
            						}
            						_push(0);
            						_t88 = E00401392( *((intOrPtr*)(_t133 + 0x10)));
            						__eflags = _t88;
            						if(_t88 == 0) {
            							goto L33;
            						}
            						SendMessageW( *0x46bd88, 0x40f, 0, 1);
            						__eflags =  *0x46bd94;
            						return 0 |  *0x46bd94 == 0x00000000;
            					}
            				} else {
            					_t128 = _a4;
            					_t136 = 0;
            					if(_t118 == 0x47) {
            						SetWindowPos( *0x438218, _t128, 0, 0, 0, 0, 0x13);
            					}
            					if(_t118 == 5) {
            						asm("sbb eax, eax");
            						ShowWindow( *0x438218,  ~(_a12 - 1) & _t118);
            					}
            					if(_t118 != 0x40d) {
            						__eflags = _t118 - 0x11;
            						if(_t118 != 0x11) {
            							__eflags = _t118 - 0x111;
            							if(_t118 != 0x111) {
            								L26:
            								return E00403E12(_t118, _a12, _a16);
            							}
            							_t135 = _a12 & 0x0000ffff;
            							_t129 = GetDlgItem(_t128, _t135);
            							__eflags = _t129 - _t136;
            							if(_t129 == _t136) {
            								L13:
            								__eflags = _t135 - 1;
            								if(_t135 != 1) {
            									__eflags = _t135 - 3;
            									if(_t135 != 3) {
            										_t130 = 2;
            										__eflags = _t135 - _t130;
            										if(_t135 != _t130) {
            											L25:
            											SendMessageW( *0x46bd88, 0x111, _a12, _a16);
            											goto L26;
            										}
            										__eflags =  *0x473e8c - _t136;
            										if( *0x473e8c == _t136) {
            											_t102 = E00401414(3);
            											__eflags = _t102;
            											if(_t102 != 0) {
            												goto L26;
            											}
            											 *0x458268 = 1;
            											L21:
            											_push(0x78);
            											L22:
            											E00403D60();
            											goto L26;
            										}
            										E00401414(_t130);
            										 *0x458268 = _t130;
            										goto L21;
            									}
            									__eflags =  *0x40c014 - _t136; // 0xffffffff
            									if(__eflags <= 0) {
            										goto L25;
            									}
            									_push(0xffffffff);
            									goto L22;
            								}
            								_push(_t135);
            								goto L22;
            							}
            							SendMessageW(_t129, 0xf3, _t136, _t136);
            							_t106 = IsWindowEnabled(_t129);
            							__eflags = _t106;
            							if(_t106 == 0) {
            								goto L61;
            							}
            							goto L13;
            						}
            						SetWindowLongW(_t128, _t136, _t136);
            						return 1;
            					} else {
            						DestroyWindow( *0x46bd88);
            						 *0x46bd88 = _a12;
            						L58:
            						if( *0x458274 == _t136 &&  *0x46bd88 != _t136) {
            							ShowWindow(_t128, 0xa);
            							 *0x458274 = 1;
            						}
            						L61:
            						return 0;
            					}
            				}
            			}


            APIs
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E0
            • ShowWindow.USER32(?), ref: 004054FD
            • DestroyWindow.USER32 ref: 00405511
            • SetWindowLongW.USER32 ref: 0040552D
            • GetDlgItem.USER32 ref: 0040554E
            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405562
            • IsWindowEnabled.USER32(00000000), ref: 00405569
            • GetDlgItem.USER32 ref: 00405618
            • GetDlgItem.USER32 ref: 00405622
            • SetClassLongW.USER32(?,000000F2,?), ref: 0040563C
            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568D
            • GetDlgItem.USER32 ref: 00405733
            • ShowWindow.USER32(00000000,?), ref: 00405755
            • EnableWindow.USER32(?,?), ref: 00405767
            • EnableWindow.USER32(?,?), ref: 00405782
            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405798
            • EnableMenuItem.USER32 ref: 0040579F
            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B7
            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CA
            • lstrlenW.KERNEL32(00448240,?,00448240,0046BDC0), ref: 004057F3
            • SetWindowTextW.USER32(?,00448240), ref: 00405807
            • ShowWindow.USER32(?,0000000A), ref: 0040593B
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
            • String ID:
            • API String ID: 184305955-0
            • Opcode ID: 14635cfc4c9ad5d473345402a5a9a4cfbd5a4044f6f5b4ae9ca187e9f98eef2e
            • Instruction ID: 81f438938877f566b56eaf8a416bcc46fc8cf5da08425915ae839819f7bf310c
            • Opcode Fuzzy Hash: 14635cfc4c9ad5d473345402a5a9a4cfbd5a4044f6f5b4ae9ca187e9f98eef2e
            • Instruction Fuzzy Hash: CBC1C971500604FBDB206F61ED85E2B7AA9EB44716F00093EF551B11F2CB7A9880EF2E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E004040FD(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
            				intOrPtr _v8;
            				int _v12;
            				void* _v16;
            				short* _v20;
            				intOrPtr _v24;
            				void* _v28;
            				struct HWND__* _t58;
            				signed int _t76;
            				signed short* _t77;
            				signed short* _t79;
            				long _t92;
            				intOrPtr _t103;
            				signed char _t110;
            				intOrPtr _t114;
            				WCHAR* _t115;
            				signed int* _t118;
            				WCHAR* _t119;
            				struct HWND__* _t120;
            
            				_v12 = 0;
            				if(_a8 != 0x110) {
            					if(_a8 != 0x111) {
            						L14:
            						if(_a8 != 0x4e) {
            							if(_a8 == 0x40b) {
            								 *0x45826c =  *0x45826c + 1;
            							}
            							L28:
            							_t115 = _a16;
            							L29:
            							return E00403E12(_a8, _a12, _t115);
            						}
            						_t58 = GetDlgItem(_a4, 0x3e8);
            						_t115 = _a16;
            						if( *((intOrPtr*)(_t115 + 8)) == 0x70b &&  *((intOrPtr*)(_t115 + 0xc)) == 0x201) {
            							_t103 =  *((intOrPtr*)(_t115 + 0x1c));
            							_t114 =  *((intOrPtr*)(_t115 + 0x18));
            							_v24 = _t103;
            							_v28 = _t114;
            							_v20 = 0x463540;
            							if(_t103 - _t114 < 0x8010) {
            								SendMessageW(_t58, 0x44b, 0,  &_v28);
            								SetCursor(LoadCursorW(0, 0x7f02));
            								ShellExecuteW(_a4, L"open", _v20, 0, 0, 1);
            								SetCursor(LoadCursorW(0, 0x7f00));
            								_t115 = _a16;
            							}
            						}
            						if( *((intOrPtr*)(_t115 + 8)) != 0x700 ||  *((intOrPtr*)(_t115 + 0xc)) != 0x100) {
            							goto L29;
            						} else {
            							if( *((intOrPtr*)(_t115 + 0x10)) == 0xd) {
            								SendMessageW( *0x473dd4, 0x111, 1, 0);
            							}
            							if( *((intOrPtr*)(_t115 + 0x10)) == 0x1b) {
            								SendMessageW( *0x473dd4, 0x10, 0, 0);
            							}
            							return 1;
            						}
            					}
            					if(_a12 >> 0x10 != 0 ||  *0x45826c != 0) {
            						goto L28;
            					} else {
            						_t118 =  *0x458260 + 0x14;
            						if(( *_t118 & 0x00000020) == 0) {
            							goto L28;
            						}
            						 *_t118 =  *_t118 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
            						E00403DCD(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
            						E00403DA9();
            						goto L14;
            					}
            				}
            				_t119 = _a16;
            				_t76 =  *(_t119 + 0x30);
            				if(_t76 < 0) {
            					_t76 =  *( *0x46bda8 - 4 + _t76 * 4);
            				}
            				_t77 =  *0x473df8 + _t76 * 2;
            				_t110 =  *_t77 & 0x0000ffff;
            				_t79 =  &(_t77[1]);
            				_a8 = _t110;
            				 *0x458264 = 0;
            				_a16 = _t79;
            				if((_t110 & 0x00000010) == 0) {
            					_v8 = E00404052;
            					_t79 = E0040400F(_t79);
            					 *0x438208 = 1;
            				} else {
            					_v8 = E004040BC;
            				}
            				_push( *((intOrPtr*)(_t119 + 0x34)));
            				_v16 = _t79;
            				_push(0x22);
            				E00403D87(_a4);
            				_push( *((intOrPtr*)(_t119 + 0x38)));
            				_push(0x23);
            				E00403D87(_a4);
            				CheckDlgButton(_a4, (0 | (( !( *(_t119 + 0x14) >> 5) |  *(_t119 + 0x14)) & 0x00000001) == 0x00000000) + 0x40a, 1);
            				E00403DCD(( !( *(_t119 + 0x14) >> 5) |  *(_t119 + 0x14)) & 0x00000001);
            				_t120 = GetDlgItem(_a4, 0x3e8);
            				E00403DE0(_t120);
            				SendMessageW(_t120, 0x45b, 1, 0);
            				_t92 =  *( *0x473ddc + 0x68);
            				if(_t92 < 0) {
            					_t92 = GetSysColor( ~_t92);
            				}
            				SendMessageW(_t120, 0x443, 0, _t92);
            				SendMessageW(_t120, 0x445, 0, 0x4010000);
            				 *0x4381f8 = 0;
            				SendMessageW(_t120, 0x435, 0, lstrlenW(_a16));
            				SendMessageW(_t120, 0x449, _a8,  &_v16);
            				 *0x45826c = 0;
            				return 0;
            			}

            APIs
            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004041B1
            • GetDlgItem.USER32 ref: 004041C5
            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041E2
            • GetSysColor.USER32(?), ref: 004041F3
            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404201
            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040420F
            • lstrlenW.KERNEL32(?), ref: 0040421A
            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404227
            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404236
              • Part of subcall function 0040400F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404168,?), ref: 00404026
              • Part of subcall function 0040400F: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404168,?), ref: 00404035
              • Part of subcall function 0040400F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404168,?), ref: 00404049
            • GetDlgItem.USER32 ref: 00404290
            • SendMessageW.USER32(00000000), ref: 00404297
            • GetDlgItem.USER32 ref: 004042C2
            • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00404305
            • LoadCursorW.USER32(00000000,00007F02), ref: 00404313
            • SetCursor.USER32(00000000), ref: 00404316
            • ShellExecuteW.SHELL32(0000070B,open,00463540,00000000,00000000,00000001), ref: 0040432B
            • LoadCursorW.USER32(00000000,00007F00), ref: 00404337
            • SetCursor.USER32(00000000), ref: 0040433A
            • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404369
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040437B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
            • String ID: @5F$N$open
            • API String ID: 3928313111-1236370126
            • Opcode ID: 41aeb5665a5c8657be407e5f4a8e36f3f80e18e4c0f2955538879c70d013f91b
            • Instruction ID: 4b62a6b82deaee318ca33e401d5f4da869724d327aa8a9bdf2ef8485f4962cb4
            • Opcode Fuzzy Hash: 41aeb5665a5c8657be407e5f4a8e36f3f80e18e4c0f2955538879c70d013f91b
            • Instruction Fuzzy Hash: D271A3B1A00209BFDB10AF65DD85A6A7B69FF44305F00843AFA05B62D1C778AD51DF98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E00406AB1() {
            				void* __ebx;
            				void* __ecx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				void* _t18;
            				int _t19;
            				long _t31;
            				char* _t38;
            				int _t45;
            				void* _t46;
            				intOrPtr* _t47;
            				WCHAR* _t49;
            				long _t51;
            				void* _t55;
            				struct _OVERLAPPED* _t56;
            				void* _t57;
            				void* _t60;
            				void* _t61;
            
            				lstrcpyW(0x45c2c8, L"NUL");
            				_t49 =  *(_t60 + 0x1c);
            				_t56 = 0;
            				if(_t49 == 0) {
            					L3:
            					_t18 = GetShortPathNameW( *(_t60 + 0x20), 0x461920, 0x400);
            					if(_t18 != _t56 && _t18 <= 0x400) {
            						_t18 = WideCharToMultiByte(_t56, _t56, 0x45c2c8, 0xffffffff, 0x45cac8, 0x400, _t56, _t56);
            						if(_t18 != 0) {
            							_t18 = WideCharToMultiByte(_t56, _t56, 0x461920, 0xffffffff, 0x45d118, 0x400, _t56, _t56);
            							if(_t18 != 0) {
            								_t19 = wsprintfA(0x45d518, "%s=%s\r\n", 0x45cac8, 0x45d118);
            								_t61 = _t60 + 0x10;
            								_t45 = _t19;
            								_push( *((intOrPtr*)( *0x473ddc + 0x13c)));
            								_push(0x461920);
            								E00406820(_t45, 0x461920, 0x45d118);
            								_t18 = E00405E77(0x461920, 0xc0000000, 4);
            								 *(_t61 + 0x1c) = _t18;
            								if(_t18 != 0xffffffff) {
            									_t51 = GetFileSize(_t18, _t56);
            									_t6 = _t45 + 0xa; // 0xa
            									_t55 = GlobalAlloc(0x40, _t51 + _t6);
            									if(_t55 == _t56 || ReadFile( *(_t61 + 0x2c), _t55, _t51, _t61 + 0x14, _t56) == 0 || _t51 !=  *((intOrPtr*)(_t61 + 0x10))) {
            										L21:
            										return CloseHandle( *(_t61 + 0x1c));
            									} else {
            										if(E00405DDD(_t46, _t55, "[Rename]\r\n") != _t56) {
            											_t57 = E00405DDD(_t46, _t28 + 0xa, "\n[");
            											if(_t57 == 0) {
            												_t56 = 0;
            												L19:
            												_t31 = _t51;
            												L20:
            												E00405E33(_t55 + _t31, 0x45d518, _t45);
            												SetFilePointer( *(_t61 + 0x28), _t56, _t56, _t56);
            												WriteFile( *(_t61 + 0x2c), _t55, _t51 + _t45, _t61 + 0x14, _t56);
            												GlobalFree(_t55);
            												goto L21;
            											}
            											_t47 = _t55 + _t51;
            											_t38 = _t47 + _t45;
            											while(_t47 > _t57) {
            												 *_t38 =  *_t47;
            												_t38 = _t38 - 1;
            												_t47 = _t47 - 1;
            											}
            											_t31 = _t57 - _t55 + 1;
            											_t56 = 0;
            											goto L20;
            										}
            										lstrcpyA(_t55 + _t51, "[Rename]\r\n");
            										_t51 = _t51 + 0xa;
            										goto L19;
            									}
            								}
            							}
            						}
            					}
            				} else {
            					CloseHandle(E00405E77(_t49, 0, 1));
            					_t18 = GetShortPathNameW(_t49, 0x45c2c8, 0x400);
            					if(_t18 != 0 && _t18 <= 0x400) {
            						goto L3;
            					}
            				}
            				return _t18;
            			}

            APIs
            • lstrcpyW.KERNEL32 ref: 00406AC1
            • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CA4,000000F1,000000F1,00000001,00406EC2,?,00000000,000000F1,?), ref: 00406AE0
            • GetShortPathNameW.KERNEL32 ref: 00406AE9
              • Part of subcall function 00405DDD: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BEB,00000000,[Rename]), ref: 00405DED
              • Part of subcall function 00405DDD: lstrlenA.KERNEL32(?,?,00000000,00406BEB,00000000,[Rename]), ref: 00405E1F
            • GetShortPathNameW.KERNEL32 ref: 00406B0A
            • WideCharToMultiByte.KERNEL32(00000000,00000000,0045C2C8,000000FF,0045CAC8,00000400,00000000,00000000,?,00000000,?,00406CA4,000000F1,000000F1,00000001,00406EC2), ref: 00406B33
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00461920,000000FF,0045D118,00000400,00000000,00000000,?,00000000,?,00406CA4,000000F1,000000F1,00000001,00406EC2), ref: 00406B4B
            • wsprintfA.USER32 ref: 00406B65
            • GetFileSize.KERNEL32(00000000,00000000,00461920,C0000000,00000004,00461920,?,?,00000000,000000F1,?), ref: 00406B9D
            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BAC
            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BC8
            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BF8
            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045D518,00000000,-0000000A,0040A8E4,00000000,[Rename]), ref: 00406C4B
              • Part of subcall function 00405E77: GetFileAttributesW.KERNELBASE(00000003,004035EE,004E00D8,80000000,00000003,?,?,?,004D80C8,00403A74,?), ref: 00405E7B
              • Part of subcall function 00405E77: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,004D80C8,00403A74,?), ref: 00405E9D
            • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C5F
            • GlobalFree.KERNEL32 ref: 00406C66
            • CloseHandle.KERNEL32(?), ref: 00406C70
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
            • String ID: %s=%s$NUL$[Rename]
            • API String ID: 565278875-4148678300
            • Opcode ID: 2828cfa20ebc1eaddc3ea088fefc640786ba8739be36647fa54fee2cb95b1a62
            • Instruction ID: 67de9b0460d35590819a48ec9a1f866f7088498493a4b2071bad3e04cfd3f915
            • Opcode Fuzzy Hash: 2828cfa20ebc1eaddc3ea088fefc640786ba8739be36647fa54fee2cb95b1a62
            • Instruction Fuzzy Hash: C5416B72204319BBE6206F62DD8CE2B3E6CDF46754B16443BF182F21D2DA399C10867D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 90%
            			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
            				struct tagLOGBRUSH _v16;
            				struct tagRECT _v32;
            				struct tagPAINTSTRUCT _v96;
            				struct HDC__* _t70;
            				struct HBRUSH__* _t87;
            				struct HFONT__* _t94;
            				long _t102;
            				signed int _t126;
            				struct HDC__* _t128;
            				intOrPtr _t130;
            
            				if(_a8 == 0xf) {
            					_t130 =  *0x473ddc;
            					_t70 = BeginPaint(_a4,  &_v96);
            					_v16.lbStyle = _v16.lbStyle & 0x00000000;
            					_a8 = _t70;
            					GetClientRect(_a4,  &_v32);
            					_t126 = _v32.bottom;
            					_v32.bottom = _v32.bottom & 0x00000000;
            					while(_v32.top < _t126) {
            						asm("cdq");
            						_a12 = _t126 - _v32.top;
            						asm("cdq");
            						asm("cdq");
            						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
            						_t87 = CreateBrushIndirect( &_v16);
            						_v32.bottom = _v32.bottom + 4;
            						_a16 = _t87;
            						FillRect(_a8,  &_v32, _t87);
            						DeleteObject(_a16);
            						_v32.top = _v32.top + 4;
            					}
            					if( *(_t130 + 0x58) != 0xffffffff) {
            						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
            						_a16 = _t94;
            						if(_t94 != 0) {
            							_t128 = _a8;
            							_v32.left = 0x10;
            							_v32.top = 8;
            							SetBkMode(_t128, 1);
            							SetTextColor(_t128,  *(_t130 + 0x58));
            							_a8 = SelectObject(_t128, _a16);
            							DrawTextW(_t128, 0x46bdc0, 0xffffffff,  &_v32, 0x820);
            							SelectObject(_t128, _a8);
            							DeleteObject(_a16);
            						}
            					}
            					EndPaint(_a4,  &_v96);
            					return 0;
            				}
            				_t102 = _a16;
            				if(_a8 == 0x46) {
            					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
            					 *((intOrPtr*)(_t102 + 4)) =  *0x473dd4;
            				}
            				return DefWindowProcW(_a4, _a8, _a12, _t102);
            			}

            APIs
            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
            • BeginPaint.USER32(?,?), ref: 00401047
            • GetClientRect.USER32 ref: 0040105B
            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
            • FillRect.USER32 ref: 004010E4
            • DeleteObject.GDI32(?), ref: 004010ED
            • CreateFontIndirectW.GDI32(?), ref: 00401105
            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
            • SelectObject.GDI32(00000000,?), ref: 00401140
            • DrawTextW.USER32(00000000,0046BDC0,000000FF,00000010,00000820), ref: 00401156
            • SelectObject.GDI32(00000000,00000000), ref: 00401160
            • DeleteObject.GDI32(?), ref: 00401165
            • EndPaint.USER32(?,?), ref: 0040116E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
            • String ID: F
            • API String ID: 941294808-1304234792
            • Opcode ID: 23b7ed7a5e999f5a6d7f25f3ddf1acfd9cd537c7a638f32731670a6aee812307
            • Instruction ID: ee67d5492c68d40e6801df12f1d956db5a632411433d24a6eebf657d0ffcc291
            • Opcode Fuzzy Hash: 23b7ed7a5e999f5a6d7f25f3ddf1acfd9cd537c7a638f32731670a6aee812307
            • Instruction Fuzzy Hash: D5417972800219AFCF058F95DD459AFBFB9FF44315F00842AF956AA1A1C738EA50DFA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 43%
            			E00402898(int __ebx, void* __esi) {
            				short* _t42;
            				intOrPtr _t44;
            				char _t60;
            				int _t63;
            				int _t66;
            				void* _t68;
            				void* _t70;
            				void* _t74;
            				void* _t75;
            				int _t77;
            				void* _t78;
            				void* _t79;
            				void* _t81;
            
            				_t66 = __ebx;
            				if(__esi == __ebx) {
            					_t70 =  *0x473e84 + 0x80000001;
            				}
            				 *((intOrPtr*)(_t79 - 8)) =  *((intOrPtr*)(_t79 - 0x1c));
            				_t74 = 2;
            				 *(_t79 - 0x44) =  *(_t79 - 0x18);
            				_t42 = E00401453(_t74);
            				_t75 = 0x11;
            				 *(_t79 - 0xc) = _t42;
            				 *(_t79 + 8) = E00401453(_t75);
            				_t44 = E004061E4(_t70);
            				_pop(_t68);
            				 *((intOrPtr*)(_t79 - 0x10)) = _t44;
            				 *(_t79 - 4) = 1;
            				if(RegCreateKeyExW(_t70,  *(_t79 + 8), _t66, _t66, _t66,  *0x473eb0 | 0x00000002, _t66, _t79 - 0x3c, _t66) != 0) {
            					_push( *(_t79 + 8));
            					_push( *((intOrPtr*)(_t79 - 0x10)));
            					_push(L"WriteReg: error creating key \"%s\\%s\"");
            					E004062C7();
            				} else {
            					_t77 = 0;
            					if( *((intOrPtr*)(_t79 - 8)) != 1) {
            						L10:
            						if( *((intOrPtr*)(_t79 - 8)) == 4) {
            							_t68 = 3;
            							_t60 = E0040143D(_t68);
            							_t77 = 4;
            							_push(_t60);
            							_push( *(_t79 - 0xc));
            							 *0x4140d8 = _t60;
            							_push( *(_t79 + 8));
            							E004062C7(L"WriteRegDWORD: \"%s\\%s\" \"%s\"=\"0x%08x\"",  *((intOrPtr*)(_t79 - 0x10)));
            							_t81 = _t81 + 0x14;
            						}
            						if( *((intOrPtr*)(_t79 - 8)) == 3) {
            							_t77 = E004033A6( *((intOrPtr*)(_t79 - 0x20)), _t66, 0x4140d8, 0xc018);
            							E00406248(_t68, _t79 - 0x15c, 0x100, 0x4140d8, _t77);
            							_push(_t79 - 0x15c);
            							_push( *(_t79 - 0xc));
            							_push( *(_t79 + 8));
            							E004062C7(L"WriteRegBin: \"%s\\%s\" \"%s\"=\"%s\"",  *((intOrPtr*)(_t79 - 0x10)));
            							_t81 = _t81 + 0x24;
            						}
            					} else {
            						_t78 = 0x23;
            						E00401453(_t78);
            						_t63 = lstrlenW(0x4140d8);
            						_push(0x4140d8);
            						_push( *(_t79 - 0xc));
            						_t15 = _t63 + 2; // 0x2
            						_t77 = _t63 + _t15;
            						_push( *(_t79 + 8));
            						_push( *((intOrPtr*)(_t79 - 0x10)));
            						if( *(_t79 - 0x44) != 1) {
            							_push(L"WriteRegExpandStr: \"%s\\%s\" \"%s\"=\"%s\"");
            							E004062C7();
            							_t81 = _t81 + 0x14;
            							goto L10;
            						} else {
            							_push(L"WriteRegStr: \"%s\\%s\" \"%s\"=\"%s\"");
            							E004062C7();
            							_t81 = _t81 + 0x14;
            						}
            					}
            					if(RegSetValueExW( *(_t79 - 0x3c),  *(_t79 - 0xc), _t66,  *(_t79 - 0x44), 0x4140d8, _t77) != 0) {
            						_push( *(_t79 - 0xc));
            						_push( *(_t79 + 8));
            						E004062C7(L"WriteReg: error writing into \"%s\\%s\" \"%s\"",  *((intOrPtr*)(_t79 - 0x10)));
            					} else {
            						 *(_t79 - 4) = _t66;
            					}
            					_push( *(_t79 - 0x3c));
            					RegCloseKey();
            				}
            				 *0x473e88 =  *0x473e88 +  *(_t79 - 4);
            				return 0;
            			}

            APIs
            • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?), ref: 004028F5
            • lstrlenW.KERNEL32(004140D8,?,?,?,?,?,?), ref: 00402919
            • RegSetValueExW.ADVAPI32(?,?,?,?,004140D8,00000000,?,?,?,?,?,?), ref: 004029D1
            • RegCloseKey.ADVAPI32(?), ref: 004029F9
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
            Strings
            • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402971
            • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402932
            • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029B8
            • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 00402944
            • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029E9
            • WriteReg: error creating key "%s\%s", xrefs: 00402A0A
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: lstrlen$CloseCreateValuewvsprintf
            • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
            • API String ID: 1641139501-220328614
            • Opcode ID: 5cec06ba89d1c516ebd8a90d18ad9aa5566520b90a8112d5b084fc555fe08d12
            • Instruction ID: ecd025c5a9376f9ba447804f06a94dcde93cdd4d1846322b2952ade1eb051e2f
            • Opcode Fuzzy Hash: 5cec06ba89d1c516ebd8a90d18ad9aa5566520b90a8112d5b084fc555fe08d12
            • Instruction Fuzzy Hash: 3441AFB2D00108BBDF11AF95CC45DEEBB79EF48358F11807AF604761E1D67A8A50DB68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 90%
            			E00402E7D(struct _OVERLAPPED* __ebx) {
            				void* _t29;
            				long _t35;
            				struct _OVERLAPPED* _t50;
            				void* _t55;
            				void* _t56;
            				void* _t57;
            				void* _t60;
            				void* _t61;
            				void* _t62;
            
            				_t50 = __ebx;
            				_t56 = 0xfffffff0;
            				 *(_t62 - 8) = 0xfffffd66;
            				_t53 = E00401453(_t56);
            				 *(_t62 - 0x3c) = _t26;
            				if(E00405D4B(_t53) == 0) {
            					__esi = 0xffffffed;
            					E00401453(__esi);
            				}
            				E00405E57(_t53);
            				_t29 = E00405E77(_t53, 0x40000000, 2);
            				 *(_t62 + 8) = _t29;
            				if(_t29 != 0xffffffff) {
            					_t35 =  *0x473e2c;
            					 *(_t62 - 0x44) = _t35;
            					_t55 = GlobalAlloc(0x40, _t35);
            					if(_t55 != _t50) {
            						E0040338F(_t50);
            						E0040335D(_t55,  *(_t62 - 0x44));
            						_t60 = GlobalAlloc(0x40,  *(_t62 - 0x24));
            						 *(_t62 - 0x34) = _t60;
            						if(_t60 != _t50) {
            							E004033A6( *((intOrPtr*)(_t62 - 0x28)), _t50, _t60,  *(_t62 - 0x24));
            							while( *_t60 != _t50) {
            								_t52 =  *_t60;
            								_t61 = _t60 + 8;
            								 *(_t62 - 0x14) =  *_t60;
            								E00405E33( *((intOrPtr*)(_t60 + 4)) + _t55, _t61, _t52);
            								_t60 = _t61 +  *(_t62 - 0x14);
            							}
            							GlobalFree( *(_t62 - 0x34));
            						}
            						WriteFile( *(_t62 + 8), _t55,  *(_t62 - 0x44), _t62 - 8, _t50);
            						GlobalFree(_t55);
            						 *(_t62 - 8) = E004033A6(0xffffffff,  *(_t62 + 8), _t50, _t50);
            					}
            					CloseHandle( *(_t62 + 8));
            				}
            				_push( *(_t62 - 0x3c));
            				E004062C7(L"created uninstaller: %d, \"%s\"",  *(_t62 - 8));
            				_t57 = 0xfffffff3;
            				if( *(_t62 - 8) < _t50) {
            					_t57 = 0xffffffef;
            					DeleteFileW( *(_t62 - 0x3c));
            					 *((intOrPtr*)(_t62 - 4)) = 1;
            				}
            				_push(_t57);
            				E0040142C();
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t62 - 4));
            				return 0;
            			}













            APIs
            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402ED3
            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402EEF
            • GlobalFree.KERNEL32 ref: 00402F28
            • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66), ref: 00402F3A
            • GlobalFree.KERNEL32 ref: 00402F41
            • CloseHandle.KERNEL32(FFFFFD66), ref: 00402F59
            • DeleteFileW.KERNEL32(?), ref: 00402F80
            Strings
            • created uninstaller: %d, "%s", xrefs: 00402F65
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
            • String ID: created uninstaller: %d, "%s"
            • API String ID: 3294113728-3145124454
            • Opcode ID: 15e3207768f27923baa622d22ecbf95401a9da3c42a3f33aa78a08533e7a0c27
            • Instruction ID: 1ad6f68a22db03c80c128f26dd25fea365ff9bee734c20d7e3667a87b171cf9b
            • Opcode Fuzzy Hash: 15e3207768f27923baa622d22ecbf95401a9da3c42a3f33aa78a08533e7a0c27
            • Instruction Fuzzy Hash: 5831A072800115BBDF11BFA4DD89DAE7B79EF09364F20022AF914761E1C7794E409F58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040610B(void* __ecx, void _a4) {
            				long _v8;
            				void* _t8;
            				long _t11;
            
            				if(_a4 == 0) {
            					__eflags =  *0x462528; // 0x0
            					if(__eflags != 0) {
            						__eflags =  *0x46b560;
            						if( *0x46b560 == 0) {
            							L11:
            							__eflags =  *0x40c058 - 0xffffffff;
            							if( *0x40c058 != 0xffffffff) {
            								goto L12;
            							}
            						} else {
            							__eflags =  *0x40c058 - 0xffffffff;
            							if( *0x40c058 != 0xffffffff) {
            								L12:
            								lstrcatW(0x462540, L"\r\n");
            								_t11 = lstrlenW(0x462540) + _t10;
            								__eflags = _t11;
            								_t8 = WriteFile( *0x40c058, 0x462540, _t11,  &_a4, 0);
            							} else {
            								_a4 = GetFileAttributesW(0x46b560);
            								_t8 = E00405E77(0x46b560, 0x40000000, 4);
            								__eflags = _t8 - 0xffffffff;
            								 *0x40c058 = _t8;
            								if(_t8 != 0xffffffff) {
            									__eflags = _a4 - 0xffffffff;
            									if(_a4 == 0xffffffff) {
            										_a4 = 0xfeff;
            										WriteFile(_t8,  &_a4, 2,  &_v8, 0);
            										_t8 =  *0x40c058; // 0xffffffff
            									}
            									_t8 = SetFilePointer(_t8, 0, 0, 2);
            									goto L11;
            								}
            							}
            						}
            					}
            				} else {
            					_t8 =  *0x40c058; // 0xffffffff
            					if(_t8 != 0xffffffff) {
            						_t8 = CloseHandle(_t8);
            					}
            					 *0x40c058 =  *0x40c058 | 0xffffffff;
            				}
            				return _t8;
            			}







            APIs
            • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062F8,00000000), ref: 00406122
            • GetFileAttributesW.KERNEL32(0046B560,?,00000000,00000000,?,?,004062F8,00000000), ref: 00406160
            • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046B560,40000000,00000004), ref: 00406199
            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046B560,40000000,00000004), ref: 004061A5
            • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A6E0), ref: 004061BF
            • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062F8,00000000), ref: 004061C6
            • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062F8,00000000,?,?,004062F8,00000000), ref: 004061DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
            • String ID: RMDir: RemoveDirectory invalid input("")
            • API String ID: 3734993849-2769509956
            • Opcode ID: 5fc63b83fe8ccfd32fb3a0e86a4b71af5a31ba85f6dbdd844f06c1f5d51dc541
            • Instruction ID: 3adf6e75e3424647fcccc84f18d11227d1b68b72d2033f1b2193c86b971c6a43
            • Opcode Fuzzy Hash: 5fc63b83fe8ccfd32fb3a0e86a4b71af5a31ba85f6dbdd844f06c1f5d51dc541
            • Instruction Fuzzy Hash: F221F271500254FBDB209FA4EC88DA73768EB01374B208336F926B51E1E3785D85CBAD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E004075FF(void* __ecx, void* __eflags) {
            				_Unknown_base(*)()* _t31;
            				CHAR* _t38;
            				void* _t40;
            				void* _t42;
            
            				_t40 = _t42 - 0x74;
            				 *(_t40 - 0xac) = 0x11c;
            				E0040872A(_t40 - 0xa8, 0, 0x118);
            				_t38 =  *(_t40 + 0x7c);
            				 *(_t40 + 0x70) =  *(_t40 + 0x70) & 0x00000000;
            				 *_t38 = 0;
            				if(GetVersionExW(_t40 - 0xac) != 0) {
            					 *(_t40 + 0x70) =  *(_t40 + 0x6e) & 0x000000ff;
            					if( *((intOrPtr*)(_t40 - 0xa8)) >= 6) {
            						_t31 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetProductInfo");
            						if(_t31 != 0) {
            							 *_t31( *((intOrPtr*)(_t40 - 0xa8)),  *((intOrPtr*)(_t40 - 0xa4)),  *(_t40 + 0x68) & 0x0000ffff,  *(_t40 + 0x6a) & 0x0000ffff, _t40 + 0x70);
            						}
            					}
            					wsprintfA(_t38, "%d,%d,%d,%d,%d,%d",  *((intOrPtr*)(_t40 - 0xa8)),  *((intOrPtr*)(_t40 - 0xa4)),  *(_t40 + 0x68) & 0x0000ffff,  *((intOrPtr*)(_t40 - 0xa0)),  *(_t40 + 0x70), GetSystemDefaultLCID());
            				}
            				return _t38;
            			}








            APIs
            • GetVersionExW.KERNEL32(0000011C,?,?,7491C740), ref: 0040763C
            • GetModuleHandleW.KERNEL32(kernel32.dll,GetProductInfo,?,?,7491C740), ref: 00407660
            • GetProcAddress.KERNEL32(00000000), ref: 00407667
            • GetSystemDefaultLCID.KERNEL32(?,?,7491C740), ref: 0040768D
            • wsprintfA.USER32 ref: 004076B4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: AddressDefaultHandleModuleProcSystemVersionwsprintf
            • String ID: %d,%d,%d,%d,%d,%d$GetProductInfo$kernel32.dll
            • API String ID: 3720319752-3999576995
            • Opcode ID: b5ed91ae735c1c0ef00ca9aca9aad992baa3d11987b654a3dbb39577fdb6bf96
            • Instruction ID: 97a53d7f4f2d13e33573a8625d102415d39b81beaf5caaee3ae544fab2da674f
            • Opcode Fuzzy Hash: b5ed91ae735c1c0ef00ca9aca9aad992baa3d11987b654a3dbb39577fdb6bf96
            • Instruction Fuzzy Hash: 10119671A04318AFDF205FA4DD09BEE7BB8BF09301F1001A5F989A1191D7798A94CF66
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			E00403163(void* __eax, signed int __ebx, intOrPtr* __ecx, intOrPtr* __edx, intOrPtr* __edi, signed int __esi, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a28, intOrPtr _a38, intOrPtr _a46) {
            				intOrPtr _v16;
            				intOrPtr _v117;
            				short _v132;
            				intOrPtr _v1392492514;
            				signed int _t95;
            				void* _t98;
            				void* _t100;
            				void* _t101;
            				signed int _t103;
            				void* _t104;
            				void* _t106;
            				intOrPtr* _t107;
            				intOrPtr* _t115;
            				signed int _t120;
            				signed int _t122;
            				void* _t124;
            				void* _t125;
            				void* _t128;
            				void* _t129;
            				int _t134;
            				signed int _t149;
            				signed int _t150;
            				intOrPtr* _t151;
            				signed int* _t152;
            				int _t153;
            				intOrPtr* _t154;
            				signed int _t155;
            				intOrPtr* _t156;
            				signed int _t157;
            				signed int _t158;
            				void* _t159;
            
            				_t157 = __esi;
            				_t156 = __edi;
            				_t154 = __edx;
            				_t151 = __ecx;
            				_t150 = __ebx;
            				asm("out 0x19, al");
            				_t95 = __eax + 1;
            				 *__ecx =  *__ecx + __ecx;
            				asm("sbb al, [eax]");
            				 *(_t95 + _t95 * 2) =  *(_t95 + _t95 * 2) ^ __ebx;
            				_a28 = _a28 + __edx;
            				 *((intOrPtr*)(__edi - 0x4effbfe4)) =  *((intOrPtr*)(__edi - 0x4effbfe4)) + __ebx;
            				asm("sbb al, 0x40");
            				asm("sbb al, 0x40");
            				 *((intOrPtr*)(__esi + 0x1d)) =  *((intOrPtr*)(__esi + 0x1d)) + __ecx;
            				_t98 = _t95 + 1 + _t95 + 1 + 1;
            				 *((intOrPtr*)(__edx - 0x3bffbfe3)) =  *((intOrPtr*)(__edx - 0x3bffbfe3)) + _t98;
            				asm("sbb eax, 0x1e000040");
            				_v1392492514 = _v1392492514 + __ecx;
            				_push(ds);
            				_t100 = _t98 + 2;
            				 *((intOrPtr*)(__edi + __ebx + 0x40)) =  *((intOrPtr*)(__edi + __ebx + 0x40)) + __edx;
            				 *((intOrPtr*)(__edi + __ebx + 0x40)) =  *((intOrPtr*)(__edi + __ebx + 0x40)) + __edx;
            				 *((intOrPtr*)(__esi + 0x20)) =  *((intOrPtr*)(__esi + 0x20)) + _t100;
            				_t101 = _t100 + 1;
            				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(__ecx + 0x20)) + _t101;
            				 *((intOrPtr*)(__esi + 0x20)) =  *((intOrPtr*)(__esi + 0x20)) + __ebx;
            				_t103 = _t101 + 2;
            				 *((intOrPtr*)(__ebx - 0x9ffbfe0)) =  *((intOrPtr*)(__ebx - 0x9ffbfe0)) + __ebx;
            				 *_t103 =  *_t103 & _t103;
            				if( *_t103 >= 0) {
            					 *((intOrPtr*)(__edx + 0x3d004021)) =  *((intOrPtr*)(__edx + 0x3d004021)) + __edx;
            					asm("frstor [edx]");
            					 *__edx =  *__edx + __edx;
            					_t149 = ((_t103 + 0x00000001 &  *(_t103 + 1)) + 0x00000001 &  *((_t103 + 0x00000001 &  *(_t103 + 1)) + 1)) + 0x00000001 + __ebx &  *(((_t103 + 0x00000001 &  *(_t103 + 1)) + 0x00000001 &  *((_t103 + 0x00000001 &  *(_t103 + 1)) + 1)) + 1 + __ebx);
            					 *(_t149 + _t149 * 2) =  *(_t149 + _t149 * 2) | _t149;
            					 *__ebx =  *__ebx + __ecx;
            					_t103 = _t149 & 0x266d0040;
            				}
            				_a38 = _a38 + _t151;
            				_t104 = _t103 + 1;
            				 *_t156 =  *_t156 + _t104;
            				asm("daa");
            				 *_t157 =  *_t157 + _t150;
            				asm("daa");
            				_t106 = _t104 + 2;
            				 *((intOrPtr*)(_t156 + 0x27f90040)) =  *((intOrPtr*)(_t156 + 0x27f90040)) + _t106;
            				_t107 = _t106 + 1;
            				 *((intOrPtr*)(_t107 + 0x14004028)) =  *((intOrPtr*)(_t107 + 0x14004028)) + _t150;
            				0x402a();
            				 *_t150 =  *_t150 + _t154;
            				 *((intOrPtr*)(_t157 - 0x5cffbfd5)) =  *((intOrPtr*)(_t157 - 0x5cffbfd5)) + _t154;
            				_t152 = _t151 + _t154;
            				_t115 = _t107 -  *_t107 -  *((intOrPtr*)(_t107 -  *_t107)) + 1 + _t107 -  *_t107 -  *((intOrPtr*)(_t107 -  *_t107)) + 1 - 0x2df50040 + 1;
            				 *_t115 =  *_t115 + _t154;
            				 *((intOrPtr*)(_t157 + _t159)) =  *((intOrPtr*)(_t157 + _t159)) + _t150;
            				_a46 = _a46 + _t150;
            				 *((intOrPtr*)(_t150 - 0x19ffbfd1)) =  *((intOrPtr*)(_t150 - 0x19ffbfd1)) + _t154;
            				asm("das");
            				 *((intOrPtr*)(_t157 + 0x30)) =  *((intOrPtr*)(_t157 + 0x30)) + _t152;
            				_t120 = _t115 + 5;
            				 *_t150 =  *_t150 + _t152;
            				 *_t120 =  *_t120 ^ _t120;
            				_t158 = _t157 |  *_t152;
            				_t122 = _t120 + 1 + _t154;
            				 *_t122 =  *_t122 ^ _t122;
            				_t155 = _t122 %  *_t122;
            				_t124 = _t122 /  *_t122 + 1;
            				 *_t150 =  *_t150 + _t124;
            				_push(ds);
            				_t125 = _t124 + 1;
            				 *_t156 =  *_t156 + _t125;
            				_push(ds);
            				 *_t150 =  *_t150 + _t152;
            				_push(ds);
            				 *_t155 =  *_t155 + _t155;
            				_push(ds);
            				_t128 = _t125 + 3;
            				 *((intOrPtr*)(_t128 + 0x1e)) =  *((intOrPtr*)(_t128 + 0x1e)) + _t152;
            				_t129 = _t128 + 1;
            				 *((intOrPtr*)(_t158 + _t150 + 0x40)) =  *((intOrPtr*)(_t158 + _t150 + 0x40)) + _t152;
            				 *((intOrPtr*)(_t129 + 0x1e)) =  *((intOrPtr*)(_t129 + 0x1e)) + _t155;
            				 *((intOrPtr*)(_t158 + _t150 + 0x40)) =  *((intOrPtr*)(_t158 + _t150 + 0x40)) + _t155;
            				 *((intOrPtr*)(_t156 + 0x1e)) =  *((intOrPtr*)(_t156 + 0x1e)) + _t150;
            				 *((intOrPtr*)(_t158 + _t150 + 0x40)) =  *((intOrPtr*)(_t158 + _t150 + 0x40)) + _t152;
            				 *((intOrPtr*)(_t158 + _t150 + 0x40)) =  *((intOrPtr*)(_t158 + _t150 + 0x40)) + _t155;
            				 *((intOrPtr*)(_t152 - 0x7affbfe2)) =  *((intOrPtr*)(_t152 - 0x7affbfe2)) + _t129 + 2;
            				_push(ds);
            				_v117 = _v117 + _t155;
            				_push(_t159);
            				if(_v16 == 0x110) {
            					SetTimer(_a4, 1, 0xfa, 0);
            					_a8 = 0x113;
            				}
            				if(_a8 == 0x113) {
            					_t153 =  *0x42c154; // 0x607048
            					_t134 =  *0x4341e0; // 0x60b618
            					if(_t153 >= _t134) {
            						_t153 = _t134;
            					}
            					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t153, 0x64, _t134));
            					SetWindowTextW(_a4,  &_v132);
            					SetDlgItemTextW(_a4, 0x406,  &_v132);
            				}
            				return 0;
            			}



































            APIs
            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403291
            • MulDiv.KERNEL32(00607048,00000064,0060B618), ref: 004032BC
            • wsprintfW.USER32 ref: 004032CC
            • SetWindowTextW.USER32(?,?), ref: 004032DC
            • SetDlgItemTextW.USER32 ref: 004032EE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Text$ItemTimerWindowwsprintf
            • String ID: Hp`$verifying installer: %d%%
            • API String ID: 1451636040-3313956115
            • Opcode ID: 4bbf174520246298368fe2439afde038c414757128a30bda65852b2037d293eb
            • Instruction ID: 7ef398043e98099b76090aeef59ee5076079f849038621651d071e0b575b2081
            • Opcode Fuzzy Hash: 4bbf174520246298368fe2439afde038c414757128a30bda65852b2037d293eb
            • Instruction Fuzzy Hash: B851C32158D3C25FDB138BB08C6A9E57FE0EF02214B1845DED4D69A0D3D7AC919BCB06
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00403273(struct HWND__* _a4, intOrPtr _a8) {
            				short _v132;
            				int _t11;
            				int _t20;
            
            				if(_a8 == 0x110) {
            					SetTimer(_a4, 1, 0xfa, 0);
            					_a8 = 0x113;
            				}
            				if(_a8 == 0x113) {
            					_t20 =  *0x42c154; // 0x607048
            					_t11 =  *0x4341e0; // 0x60b618
            					if(_t20 >= _t11) {
            						_t20 = _t11;
            					}
            					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
            					SetWindowTextW(_a4,  &_v132);
            					SetDlgItemTextW(_a4, 0x406,  &_v132);
            				}
            				return 0;
            			}







            APIs
            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403291
            • MulDiv.KERNEL32(00607048,00000064,0060B618), ref: 004032BC
            • wsprintfW.USER32 ref: 004032CC
            • SetWindowTextW.USER32(?,?), ref: 004032DC
            • SetDlgItemTextW.USER32 ref: 004032EE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Text$ItemTimerWindowwsprintf
            • String ID: Hp`$verifying installer: %d%%
            • API String ID: 1451636040-3313956115
            • Opcode ID: 178baeb0dd0c4c867469be33f3fcfc9fe1a5e181a8244e425655c85122fd903e
            • Instruction ID: e99399dea0981d6d100b8ca35cb9bb95f1c16180f538ec96745a452e7f583efd
            • Opcode Fuzzy Hash: 178baeb0dd0c4c867469be33f3fcfc9fe1a5e181a8244e425655c85122fd903e
            • Instruction Fuzzy Hash: 4F014470600209BBEF249F60DD4AFEE3B69BB00345F004039FA06B51D1DBB89A558F58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00403E12(void* __eax, struct HDC__* _a4, struct HWND__* _a8) {
            				struct tagLOGBRUSH _v16;
            				void* _t32;
            				long _t34;
            				long _t36;
            				void* _t38;
            				long* _t49;
            
            				if(__eax + 0xfffffecd > 5) {
            					L15:
            					_t32 = 0;
            				} else {
            					_t49 = GetWindowLongW(_a8, 0xffffffeb);
            					if(_t49 == 0) {
            						goto L15;
            					} else {
            						_t34 =  *_t49;
            						if((_t49[5] & 0x00000002) != 0) {
            							_t34 = GetSysColor(_t34);
            						}
            						if((_t49[5] & 0x00000001) != 0) {
            							SetTextColor(_a4, _t34);
            						}
            						SetBkMode(_a4, _t49[4]);
            						_t36 = _t49[1];
            						_v16.lbColor = _t36;
            						if((_t49[5] & 0x00000008) != 0) {
            							_t36 = GetSysColor(_t36);
            							_v16.lbColor = _t36;
            						}
            						if((_t49[5] & 0x00000004) != 0) {
            							SetBkColor(_a4, _t36);
            						}
            						if((_t49[5] & 0x00000010) != 0) {
            							_v16.lbStyle = _t49[2];
            							_t38 = _t49[3];
            							if(_t38 != 0) {
            								DeleteObject(_t38);
            							}
            							_t49[3] = CreateBrushIndirect( &_v16);
            						}
            						_t32 = _t49[3];
            					}
            				}
            				return _t32;
            			}










            APIs
            • GetWindowLongW.USER32(?,000000EB), ref: 00403E2C
            • GetSysColor.USER32(00000000), ref: 00403E48
            • SetTextColor.GDI32(?,00000000), ref: 00403E54
            • SetBkMode.GDI32(?,?), ref: 00403E60
            • GetSysColor.USER32(?), ref: 00403E73
            • SetBkColor.GDI32(?,?), ref: 00403E83
            • DeleteObject.GDI32(?), ref: 00403E9D
            • CreateBrushIndirect.GDI32(?), ref: 00403EA7
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
            • String ID:
            • API String ID: 2320649405-0
            • Opcode ID: e31bc4f30b646b1708dcce36f214d291f8fc252f0bf23f32389a70becad34644
            • Instruction ID: 81f37f88044c5303dcf4761a14bc6cbbc1c3ce8a99cd1a805bc6e07e88ce3838
            • Opcode Fuzzy Hash: e31bc4f30b646b1708dcce36f214d291f8fc252f0bf23f32389a70becad34644
            • Instruction Fuzzy Hash: 41113371500704ABCB219F74D908B5BBFFCAF01715F048A69EC96F26A1D738EA48CB94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 49%
            			E00402409(void* __ebx, void* __eflags) {
            				void* _t28;
            
            				asm("sbb eax, 0x473eb8");
            				 *(_t28 - 4) = 1;
            				if(__eflags < 0) {
            					E0040142C(0xffffffe7);
            					_push(L"Error registering DLL: Could not initialize OLE");
            					E004062C7();
            					goto L2;
            				} else {
            					__esi = 0xfffffff0;
            					__eax = E00401453(__esi);
            					__esi = 0;
            					__esi = 1;
            					__edi = __eax;
            					__eax = E00401453(1);
            					__eflags =  *((intOrPtr*)(__ebp - 0x1c)) - __ebx;
            					 *(__ebp - 0x10) = __eax;
            					if( *((intOrPtr*)(__ebp - 0x1c)) == __ebx) {
            						L6:
            						__eax = LoadLibraryExW(__edi, __ebx, 8);
            						__eflags = __eax - __ebx;
            						 *(__ebp + 8) = __eax;
            						if(__eax == __ebx) {
            							__eax = E0040142C(0xfffffff6);
            							_push(__edi);
            							_push(L"Error registering DLL: Could not load %s");
            							__eax = E004062C7();
            							L2:
            						} else {
            							goto L7;
            						}
            					} else {
            						__eax = GetModuleHandleW(__edi);
            						__eflags = __eax - __ebx;
            						 *(__ebp + 8) = __eax;
            						if(__eax != __ebx) {
            							L7:
            							__esi = E0040638A( *(__ebp + 8),  *(__ebp - 0x10));
            							__eflags = __esi - __ebx;
            							if(__esi == __ebx) {
            								__eax = E00404FA5(0xfffffff7,  *(__ebp - 0x10));
            								_push(__edi);
            								__eax = E004062C7(L"Error registering DLL: %s not found in %s",  *(__ebp - 0x10));
            							} else {
            								__eflags =  *((intOrPtr*)(__ebp - 0x24)) - __ebx;
            								 *(__ebp - 4) = __ebx;
            								if( *((intOrPtr*)(__ebp - 0x24)) == __ebx) {
            									__eax =  *__esi( *((intOrPtr*)(__ebp - 0xc)), 0x2004, 0x474000, 0x40c0c0, 0x40c000);
            									__esp = __esp + 0x14;
            								} else {
            									__eax = E0040142C( *((intOrPtr*)(__ebp - 0x24)));
            									__eax =  *__esi();
            									__eflags = __eax;
            									if(__eax != 0) {
            										 *(__ebp - 4) = 1;
            									}
            								}
            							}
            							__eflags =  *((intOrPtr*)(__ebp - 0x20)) - __ebx;
            							if( *((intOrPtr*)(__ebp - 0x20)) == __ebx) {
            								__eax = E00403D00( *(__ebp + 8));
            								__eflags = __eax;
            								if(__eax != 0) {
            									__eax = FreeLibrary( *(__ebp + 8));
            								}
            							}
            						} else {
            							goto L6;
            						}
            					}
            				}
            				 *0x473e88 =  *0x473e88 +  *(_t28 - 4);
            				return 0;
            			}





            APIs
            • GetModuleHandleW.KERNEL32(00000000), ref: 00402436
              • Part of subcall function 00404FA5: lstrlenW.KERNEL32(0043C228,00424150,00000000,00000000,?,?,?,?,?,?,?,?,?,004034E2,00000000,?), ref: 00404FDD
              • Part of subcall function 00404FA5: lstrlenW.KERNEL32(004034E2,0043C228,00424150,00000000,00000000,?,?,?,?,?,?,?,?,?,004034E2,00000000), ref: 00404FED
              • Part of subcall function 00404FA5: lstrcatW.KERNEL32(0043C228,004034E2), ref: 00405000
              • Part of subcall function 00404FA5: SetWindowTextW.USER32(0043C228,0043C228), ref: 00405012
              • Part of subcall function 00404FA5: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405038
              • Part of subcall function 00404FA5: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405052
              • Part of subcall function 00404FA5: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405060
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
            • LoadLibraryExW.KERNEL32(00000000,?,00000008), ref: 00402447
            • FreeLibrary.KERNEL32(?,?), ref: 004024DD
            Strings
            • Error registering DLL: Could not initialize OLE, xrefs: 00402501
            • Error registering DLL: Could not load %s, xrefs: 004024F0
            • Error registering DLL: %s not found in %s, xrefs: 004024B4
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
            • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
            • API String ID: 1033533793-945480824
            • Opcode ID: 0cdf26429234b435ca80a0a7df8db24665399ee339d69cf961afb3319290b223
            • Instruction ID: a581e234e4cc04d896a6c00ce440bdba709984e0369237aab15acb10fb3c16b2
            • Opcode Fuzzy Hash: 0cdf26429234b435ca80a0a7df8db24665399ee339d69cf961afb3319290b223
            • Instruction Fuzzy Hash: B121E532900215F6CF10BFA5CD89AAE7E70AB04355B30823BF515B21E1D7BD8E41DA6D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00404FA5(WCHAR* _a4, WCHAR* _a8) {
            				struct HWND__* _v8;
            				signed int _v12;
            				WCHAR* _v32;
            				long _v44;
            				int _v48;
            				void* _v52;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				struct HWND__* _t27;
            				WCHAR* _t28;
            				signed int _t38;
            				signed int _t39;
            
            				_t27 =  *0x46bd8c;
            				_v8 = _t27;
            				if(_t27 == 0) {
            					return _t27;
            				}
            				_t38 =  *0x473eb4;
            				_v12 = _t38;
            				_t39 = _t38 & 0x00000001;
            				if(_t39 == 0) {
            					E00406820(_t39, 0, 0x43c228, 0x43c228, _a4);
            				}
            				_t28 = lstrlenW(0x43c228);
            				_a4 = _t28;
            				if(_a8 == 0) {
            					L6:
            					if((_v12 & 0x00000004) == 0) {
            						_t28 = SetWindowTextW( *0x46bd98, 0x43c228);
            					}
            					if((_v12 & 0x00000002) == 0) {
            						_v32 = 0x43c228;
            						_v52 = 1;
            						_v48 = SendMessageW(_v8, 0x1004, 0, 0) - _t39;
            						_v44 = 0;
            						SendMessageW(_v8, 0x104d - _t39, 0,  &_v52);
            						_t28 = SendMessageW(_v8, 0x1013, _v48, 0);
            					}
            					if(_t39 != 0) {
            						_t28 = _a4;
            						0x43c228[_t28] = 0;
            					}
            					goto L12;
            				} else {
            					_t28 = _a4 + lstrlenW(_a8);
            					if(_t28 >= 0x8010) {
            						L12:
            						return _t28;
            					}
            					_t28 = lstrcatW(0x43c228, _a8);
            					goto L6;
            				}
            			}


















            APIs
            • lstrlenW.KERNEL32(0043C228,00424150,00000000,00000000,?,?,?,?,?,?,?,?,?,004034E2,00000000,?), ref: 00404FDD
            • lstrlenW.KERNEL32(004034E2,0043C228,00424150,00000000,00000000,?,?,?,?,?,?,?,?,?,004034E2,00000000), ref: 00404FED
            • lstrcatW.KERNEL32(0043C228,004034E2), ref: 00405000
            • SetWindowTextW.USER32(0043C228,0043C228), ref: 00405012
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405038
            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405052
            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405060
              • Part of subcall function 00406820: GetVersion.KERNEL32(00000000,?,0043C228,?,0043C228,00000000,00424150,00000000,00000000), ref: 004068F0
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
            • String ID:
            • API String ID: 2740478559-0
            • Opcode ID: febda246b17a523c9ca0551b2e674f840b21212937f53f318ceff2cb3944be7d
            • Instruction ID: eb6c296811ac51471a94928f52579b6b5ea09c6d4eb2eb8d31c56b0272b9a052
            • Opcode Fuzzy Hash: febda246b17a523c9ca0551b2e674f840b21212937f53f318ceff2cb3944be7d
            • Instruction Fuzzy Hash: 46215C75900118BACF219FA5DC849DFBFB9EF44314F10807AF904B22A1C3798A909FA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00404885(struct HWND__* _a4, intOrPtr _a8) {
            				long _v8;
            				signed char _v12;
            				unsigned int _v16;
            				void* _v20;
            				intOrPtr _v24;
            				long _v56;
            				void* _v60;
            				long _t15;
            				unsigned int _t19;
            				signed int _t25;
            				struct HWND__* _t28;
            
            				_t28 = _a4;
            				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
            				if(_a8 == 0) {
            					L4:
            					_v56 = _t15;
            					_v60 = 4;
            					SendMessageW(_t28, 0x113e, 0,  &_v60);
            					return _v24;
            				}
            				_t19 = GetMessagePos();
            				_v16 = _t19 >> 0x10;
            				_v20 = _t19;
            				ScreenToClient(_t28,  &_v20);
            				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
            				if((_v12 & 0x00000066) != 0) {
            					_t15 = _v8;
            					goto L4;
            				}
            				return _t25 | 0xffffffff;
            			}















            APIs
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004048A0
            • GetMessagePos.USER32 ref: 004048A8
            • ScreenToClient.USER32 ref: 004048C2
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048D4
            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048FA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Message$Send$ClientScreen
            • String ID: f
            • API String ID: 41195575-1993550816
            • Opcode ID: cc5b9826420a0e0fc41d3fc3061095059366be7824a4c9b1446e86db4278a39c
            • Instruction ID: 23280c8cc980a53c829418c2babc0ecdd6f9ad84b03f1f12f08343cc696fad3e
            • Opcode Fuzzy Hash: cc5b9826420a0e0fc41d3fc3061095059366be7824a4c9b1446e86db4278a39c
            • Instruction Fuzzy Hash: 03019275900219BADB00DB95CC85BFEBBBCAF54710F10452BBB10B61C0C3B45A018BA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 62%
            			E00407550(void* __edx, void* __eflags, CHAR* _a4) {
            				signed int _v8;
            				int _v12;
            				void* __ecx;
            				int _t18;
            				CHAR* _t20;
            				void* _t38;
            				void* _t42;
            				CHAR* _t43;
            				int _t47;
            				int _t48;
            				void* _t49;
            				void* _t54;
            
            				_t54 = __eflags;
            				_push(_t37);
            				_t18 = lstrlenA(_a4);
            				_v8 = _v8 & 0x00000000;
            				_t35 = _t18;
            				_t5 = _t35 + 0x24; // 0x24
            				_v12 = _t18;
            				_t20 = E004071FC(_t35 + _t5);
            				_t38 = _t42;
            				_t43 = _t20;
            				wsprintfA(_t43, "#%u\n", E00407C40(0, _a4, _t35));
            				E0040741A(_a4, _t35);
            				_t47 = lstrlenA(_t43);
            				E00407445(_a4, _t35,  &(_t43[_t47]),  &_v12);
            				_t48 = _t47 + _v12;
            				_push(0x7d0);
            				_push(0x50);
            				_push( &_v12);
            				_push( &_v8);
            				_push(_t48);
            				_push(_t43);
            				_push("/cstat.php");
            				_push("stat.eliang.com");
            				_v12 = _t48;
            				_t49 = E00407277(_t38, _t54);
            				if(_v8 != 0) {
            					E0040721C(_v8);
            				}
            				if(_t43 != 0) {
            					E0040721C(_t43);
            				}
            				return _t49;
            			}
















            APIs
            • lstrlenA.KERNEL32(00407C38,74CF81D0,7491C740,00000000,?,?,?,00407C38,?), ref: 00407561
              • Part of subcall function 004071FC: GlobalAlloc.KERNEL32(00000002,00000000,00407BD6,00407917,00000000,00407BD6,?,00000000,74CF81D0), ref: 00407205
              • Part of subcall function 004071FC: GlobalLock.KERNEL32 ref: 00407210
            • wsprintfA.USER32 ref: 0040758B
            • lstrlenA.KERNEL32(00000000,?,?,?,00407C38), ref: 0040759E
              • Part of subcall function 00407277: InternetConnectA.WININET(00000000,?,?,0040AC15,0040AC15,00000003,00000000,00000000), ref: 004072BC
              • Part of subcall function 00407277: HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,84080100,00000000), ref: 004072E2
              • Part of subcall function 00407277: InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 00407303
              • Part of subcall function 00407277: InternetSetOptionA.WININET(?,00000006,?,00000004), ref: 00407310
              • Part of subcall function 00407277: InternetSetOptionA.WININET(?,00000005,?,00000004), ref: 0040731D
              • Part of subcall function 00407277: InternetSetOptionA.WININET(?,00000003,?,00000004), ref: 0040732A
              • Part of subcall function 00407277: HttpSendRequestA.WININET(?,00000000,00000000,?,?), ref: 00407337
              • Part of subcall function 00407277: HttpQueryInfoA.WININET(?,00000013,?,?,?), ref: 00407361
              • Part of subcall function 0040721C: GlobalHandle.KERNEL32(00000000), ref: 00407221
              • Part of subcall function 0040721C: GlobalUnlock.KERNEL32(00000000), ref: 0040722E
              • Part of subcall function 0040721C: GlobalFree.KERNEL32 ref: 00407235
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: GlobalInternet$Option$Http$Requestlstrlen$AllocConnectFreeHandleInfoLockOpenQuerySendUnlockwsprintf
            • String ID: #%u$/cstat.php$stat.eliang.com
            • API String ID: 728356174-2141822171
            • Opcode ID: 7027587384789f6a1bd194f12c1ccb2c1f16aca8fd6394660640adf97a831f78
            • Instruction ID: 3c23ed2f0b3fd8f875c347f91a48a9a713c82f2ea655c29de02b712b412ddf97
            • Opcode Fuzzy Hash: 7027587384789f6a1bd194f12c1ccb2c1f16aca8fd6394660640adf97a831f78
            • Instruction Fuzzy Hash: 89118172D44208BBEB019B95CC42EEF7B7CEB44754F10007BF900B6191EA79AE409BA6
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 91%
            			E0040605C(WCHAR* _a4) {
            				signed int _t5;
            				signed int _t7;
            				WCHAR* _t19;
            				WCHAR* _t20;
            				WCHAR* _t21;
            
            				_t20 = _a4;
            				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
            					_t20 =  &(_t20[4]);
            				}
            				if( *_t20 != 0 && E00405D4B(_t20) != 0) {
            					_t20 =  &(_t20[2]);
            				}
            				_t5 =  *_t20 & 0x0000ffff;
            				_t21 = _t20;
            				_t19 = _t20;
            				if(_t5 != 0) {
            					do {
            						if(_t5 > 0x1f &&  *((short*)(E00405D2C(L"*?|<>/\":", _t5))) == 0) {
            							E00405E33(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
            							_t19 = CharNextW(_t19);
            						}
            						_t20 = CharNextW(_t20);
            						_t5 =  *_t20 & 0x0000ffff;
            					} while (_t5 != 0);
            				}
            				 *_t19 =  *_t19 & 0x00000000;
            				while(1) {
            					_push(_t19);
            					_push(_t21);
            					_t19 = CharPrevW();
            					_t7 =  *_t19 & 0x0000ffff;
            					if(_t7 != 0x20 && _t7 != 0x5c) {
            						break;
            					}
            					 *_t19 =  *_t19 & 0x00000000;
            					if(_t21 < _t19) {
            						continue;
            					}
            					break;
            				}
            				return _t7;
            			}









            APIs
            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,004C40A0,004D80C8,004D80C8,004037FF,004D80C8,00000002,00403A38), ref: 004060BF
            • CharNextW.USER32(?,?,?,00000000), ref: 004060CE
            • CharNextW.USER32(?,00000000,004C40A0,004D80C8,004D80C8,004037FF,004D80C8,00000002,00403A38), ref: 004060D3
            • CharPrevW.USER32(?,?,004C40A0,004D80C8,004D80C8,004037FF,004D80C8,00000002,00403A38), ref: 004060E6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Char$Next$Prev
            • String ID: *?|<>/":
            • API String ID: 589700163-165019052
            • Opcode ID: d4276728c57472b976bc86ebbf3d1c7f7172e4169f7911c1df155973aa1c50ca
            • Instruction ID: 3dcae7bb3ee9773f04c908203bfbf99bdcc0aab8163f16f85618b777322692fb
            • Opcode Fuzzy Hash: d4276728c57472b976bc86ebbf3d1c7f7172e4169f7911c1df155973aa1c50ca
            • Instruction Fuzzy Hash: 5111862184062159DB30AB559844A77B2E8AF54750F56843FEDCAB22C1E77C9CE281AD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 46%
            			E00401EAD(void* __ebx, void* __edx) {
            				intOrPtr _t13;
            				void* _t15;
            				void* _t25;
            				intOrPtr* _t27;
            				intOrPtr* _t28;
            				void* _t30;
            
            				_t27 =  *0x40c0c0; // 0x0
            				if( *((intOrPtr*)(_t30 - 0x24)) == __ebx) {
            					if(__edx == __ebx) {
            						_t28 = GlobalAlloc(0x40, 0x400c);
            						_t7 = _t28 + 4; // 0x4
            						E00406820(__ebx, _t25, _t28, _t7,  *((intOrPtr*)(_t30 - 0x2c)));
            						_t13 =  *0x40c0c0; // 0x0
            						 *_t28 = _t13;
            						 *0x40c0c0 = _t28;
            					} else {
            						if(_t27 != __ebx) {
            							_t5 = _t27 + 4; // 0x4
            							E0040602D(_t25, _t5);
            							 *0x40c0c0 =  *_t27;
            							_push(_t27);
            							GlobalFree();
            						} else {
            							_push(L"Pop: stack empty");
            							E004062C7();
            							 *((intOrPtr*)(_t30 - 4)) = 1;
            						}
            					}
            					goto L17;
            				} else {
            					while(1) {
            						__eax = __eax - 1;
            						if(__esi == __ebx) {
            							break;
            						}
            						__esi =  *__esi;
            						if(__eax != __ebx) {
            							continue;
            						} else {
            							if(__esi != __ebx) {
            								__edi = __esi + 4;
            								__esi = 0x40c0c8;
            								__eax = E0040602D(0x40c0c8, __edi);
            								__eax =  *0x40c0c0; // 0x0
            								__eax = E0040602D(__edi, __eax);
            								__eax =  *0x40c0c0; // 0x0
            								_push(0x40c0c8);
            								_push(__eax);
            								__eax = E0040602D();
            								L17:
            								 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t30 - 4));
            								_t15 = 0;
            							} else {
            								break;
            							}
            						}
            						goto L19;
            					}
            					__eax = E004062C7(L"Exch: stack < %d elements",  *((intOrPtr*)(__ebp - 0x24)));
            					_push(0x200010);
            					_push(E00406820(__ebx, __edi, __esi, __ebx, 0xffffffe8));
            					__eax = E00405CC8();
            					_t15 = 0x7fffffff;
            				}
            				L19:
            				return _t15;
            			}










            APIs
              • Part of subcall function 0040602D: lstrcpynW.KERNEL32(?,?,00002004,00403920,0046BDC0,NSIS Error), ref: 0040603A
            • GlobalFree.KERNEL32 ref: 0040239D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: FreeGloballstrcpyn
            • String ID: Exch: stack < %d elements$Pop: stack empty$end
            • API String ID: 1459762280-2778750477
            • Opcode ID: 178d8af8e26f3fe3a293d2a766ffdaee0c31cc13eeaf444a109390416acd03cb
            • Instruction ID: e0ef30aa06b409099dd9eeb17dd55fc59169940b351c7b2763c506a0d97f0d24
            • Opcode Fuzzy Hash: 178d8af8e26f3fe3a293d2a766ffdaee0c31cc13eeaf444a109390416acd03cb
            • Instruction Fuzzy Hash: 1D218E73614211EBD720EF989DC19AE77A8AA08318721463BF542B32D1C778AC11DAAD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E0040148E(void* _a4, short* _a8, intOrPtr _a12) {
            				void* _v8;
            				short _v532;
            				long _t18;
            				intOrPtr* _t27;
            				long _t28;
            
            				_t18 = RegOpenKeyExW(_a4, _a8, 0,  *0x473eb0 | 0x00000008,  &_v8);
            				if(_t18 == 0) {
            					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
            						if(_a12 != 0) {
            							RegCloseKey(_v8);
            							L8:
            							return 1;
            						}
            						if(E0040148E(_v8,  &_v532, 0) != 0) {
            							break;
            						}
            					}
            					RegCloseKey(_v8);
            					_t27 = E00406320(2);
            					if(_t27 == 0) {
            						if( *0x473eb0 != 0) {
            							goto L8;
            						}
            						_t28 = RegDeleteKeyW(_a4, _a8);
            						if(_t28 != 0) {
            							goto L8;
            						}
            						return _t28;
            					}
            					return  *_t27(_a4, _a8,  *0x473eb0, 0);
            				}
            				return _t18;
            			}









            APIs
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014B0
            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014EC
            • RegCloseKey.ADVAPI32(?), ref: 004014F5
            • RegCloseKey.ADVAPI32(?), ref: 0040151A
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401538
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Close$DeleteEnumOpen
            • String ID:
            • API String ID: 1912718029-0
            • Opcode ID: 7d8adeb3e60b43d138d9736f0ee582de93b6cf2ca0bbfca245df823ae51dcdd1
            • Instruction ID: 933b76dbaf7ec81e5fb9f56e6c7c1f637ad1be58491c1c6257d6701127502b37
            • Opcode Fuzzy Hash: 7d8adeb3e60b43d138d9736f0ee582de93b6cf2ca0bbfca245df823ae51dcdd1
            • Instruction Fuzzy Hash: 84117C72500008FBDF219F90DD84EAE3B79FB84385F004436F906B51B0D3759E54AA69
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E00402312(int __ebx, short* __edi) {
            				short* _t18;
            				void* _t23;
            				void* _t38;
            				int _t39;
            				void* _t41;
            
            				_t38 = 0xffffffee;
            				_t18 = E00401453(_t38);
            				 *(_t41 - 0x44) = _t18;
            				_t39 = GetFileVersionInfoSizeW(_t18, _t41 - 0x34);
            				 *__edi = __ebx;
            				 *((short*)( *((intOrPtr*)(_t41 + 8)))) = __ebx;
            				 *((intOrPtr*)(_t41 - 4)) = 1;
            				if(_t39 != __ebx) {
            					_t23 = GlobalAlloc(0x40, _t39);
            					 *(_t41 - 0x10) = _t23;
            					if(_t23 != __ebx) {
            						if(GetFileVersionInfoW( *(_t41 - 0x44), __ebx, _t39, _t23) != 0 && VerQueryValueW( *(_t41 - 0x10), "\\", _t41 - 8, _t41 - 0x44) != 0) {
            							E00405F74(__edi,  *((intOrPtr*)( *(_t41 - 8) + 8)));
            							E00405F74( *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)( *(_t41 - 8) + 0xc)));
            							 *((intOrPtr*)(_t41 - 4)) = __ebx;
            						}
            						_push( *(_t41 - 0x10));
            						GlobalFree();
            					}
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t41 - 4));
            				return 0;
            			}









            APIs
            • GetFileVersionInfoSizeW.VERSION(00000000,?), ref: 00402322
            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?), ref: 00402344
            • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 0040235B
            • VerQueryValueW.VERSION(?,004098A0,?,?,?,?,00000000,00000000), ref: 00402374
              • Part of subcall function 00405F74: wsprintfW.USER32 ref: 00405F81
            • GlobalFree.KERNEL32 ref: 0040239D
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
            • String ID:
            • API String ID: 3376005127-0
            • Opcode ID: 94efb8b4bdff596bba9121c5ff9a8542e65e4612298cc629a554f451ec30bc33
            • Instruction ID: ac368786480e16614dfcd0c1e0e664a4103b7e0844105eeb438d4cb88bbf274d
            • Opcode Fuzzy Hash: 94efb8b4bdff596bba9121c5ff9a8542e65e4612298cc629a554f451ec30bc33
            • Instruction Fuzzy Hash: E1112872900119AEDB01EFA5CE499DEBBB8EF09354B10453AF505FB2A1D7789E40DB18
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040209B(int __edx) {
            				void* _t17;
            				struct HINSTANCE__* _t21;
            				struct HWND__* _t24;
            				void* _t28;
            
            				_t24 = GetDlgItem( *(_t28 - 0xc), __edx);
            				GetClientRect(_t24, _t28 - 0x50);
            				_t17 = SendMessageW(_t24, 0x172, _t21, LoadImageW(_t21, E00401453(0), _t21,  *(_t28 - 0x48) *  *(_t28 - 0x24),  *(_t28 - 0x44) *  *(_t28 - 0x24), 0x10));
            				if(_t17 != _t21) {
            					DeleteObject(_t17);
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t28 - 4));
            				return 0;
            			}








            APIs
            • GetDlgItem.USER32 ref: 0040209F
            • GetClientRect.USER32 ref: 004020AC
            • LoadImageW.USER32 ref: 004020CE
            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DC
            • DeleteObject.GDI32(00000000), ref: 004020EB
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
            • String ID:
            • API String ID: 1849352358-0
            • Opcode ID: 032d279765b53f6bb1104de201f37c1b9a79d729d693549f7a42e1a1f5edeee5
            • Instruction ID: 027f90bf1ae669a3a88e02f4ab2f63d37d40b55c2d361e9495e8440de7db6366
            • Opcode Fuzzy Hash: 032d279765b53f6bb1104de201f37c1b9a79d729d693549f7a42e1a1f5edeee5
            • Instruction Fuzzy Hash: E6F0ECB2500014BFD701EBA4EE84DAEBBBCEB58301B104465F501F61A2C7759E419A28
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 51%
            			E00401F74() {
            				int _t27;
            				signed int _t29;
            				signed int _t30;
            				long _t32;
            				struct HWND__* _t36;
            				int _t37;
            				signed int _t38;
            				int _t43;
            				void* _t45;
            				void* _t46;
            				void* _t55;
            				int _t57;
            				void* _t63;
            				struct HWND__* _t65;
            				void* _t66;
            				void* _t67;
            				void* _t68;
            
            				_t45 = 3;
            				_t27 = E0040143D(_t45);
            				_t46 = 4;
            				 *(_t68 - 0x10) = _t27;
            				 *(_t68 + 8) = E0040143D(_t46);
            				if(( *(_t68 - 0x18) & 0x00000001) != 0) {
            					_t67 = 0x33;
            					 *(_t68 - 0x10) = E00401453(_t67);
            				}
            				if(( *(_t68 - 0x18) & 0x00000002) != 0) {
            					_t66 = 0x44;
            					 *(_t68 + 8) = E00401453(_t66);
            				}
            				if( *((intOrPtr*)(_t68 - 0x30)) != 0x21) {
            					_t29 = E00401453(1);
            					_t63 = 0x12;
            					 *(_t68 - 0x44) = _t29;
            					_t30 = E00401453(_t63);
            					asm("sbb ecx, ecx");
            					asm("sbb ecx, ecx");
            					_t32 = FindWindowExW( *(_t68 - 0x10),  *(_t68 + 8),  ~( *( *(_t68 - 0x44))) &  *(_t68 - 0x44),  ~( *_t30) & _t30);
            					goto L9;
            				} else {
            					_t36 = E0040143D(1);
            					_t55 = 2;
            					_t65 = _t36;
            					_t37 = E0040143D(_t55);
            					_t57 =  *(_t68 - 0x18) >> 2;
            					if(1 == 0) {
            						_t32 = SendMessageW(_t65, _t37,  *(_t68 - 0x10),  *(_t68 + 8));
            						L9:
            						 *(_t68 - 0xc) = _t32;
            					} else {
            						_t38 = SendMessageTimeoutW(_t65, _t37,  *(_t68 - 0x10),  *(_t68 + 8), _t43, _t57, _t68 - 0xc);
            						asm("sbb eax, eax");
            						 *((intOrPtr*)(_t68 - 4)) =  ~_t38 + 1;
            					}
            				}
            				if( *((intOrPtr*)(_t68 - 0x2c)) >= _t43) {
            					_push( *(_t68 - 0xc));
            					E00405F74();
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t68 - 4));
            				return 0;
            			}





















            APIs
            • SendMessageTimeoutW.USER32 ref: 00401FDA
            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FF2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: MessageSend$Timeout
            • String ID: !
            • API String ID: 1777923405-2657877971
            • Opcode ID: 307093b868c6ced1e0b6b0a65866a8e305fb31b326e9e96c3087e29f4801f310
            • Instruction ID: 0fab4af6200b7ced2f675a087fd1c46b163c566a1190ba542ca0429189719143
            • Opcode Fuzzy Hash: 307093b868c6ced1e0b6b0a65866a8e305fb31b326e9e96c3087e29f4801f310
            • Instruction Fuzzy Hash: 98218271D04219AADF15AFB4E846AFE7BB4EF04344F14853EF606BA1E1D7784A40DB88
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 48%
            			E004043F1(unsigned int __eax, int _a4, intOrPtr _a8) {
            				intOrPtr _v8;
            				char _v72;
            				char _v136;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				signed int _t40;
            				signed int _t43;
            				unsigned int _t47;
            
            				_t47 = __eax;
            				_push(0x14);
            				_pop(0);
            				_v8 = 0xffffffdc;
            				if(__eax < 0x100000) {
            					_push(0xa);
            					_pop(0);
            					_v8 = 0xffffffdd;
            				}
            				if(_t47 < 0x400) {
            					_v8 = 0xffffffde;
            				}
            				if(_t47 < 0xffff3333) {
            					_t43 = 0x14;
            					asm("cdq");
            					_t47 = _t47 + 1 / _t43;
            				}
            				E00406820(0, _t47, 0x448240, 0x448240, _a8);
            				_push(E00406820(0, _t47, 0x448240,  &_v72, 0xffffffdf));
            				_push(E00406820(0, _t47, 0x448240,  &_v136, _v8));
            				_t40 = 0xa;
            				_push(((_t47 & 0x00ffffff) * 0xa >> 0) % _t40);
            				_push(_t47 >> 0);
            				wsprintfW( &(0x448240[lstrlenW(0x448240)]), L"%u.%u%s%s");
            				return SetDlgItemTextW( *0x46bd88, _a4, 0x448240);
            			}














            APIs
            • lstrlenW.KERNEL32(00448240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00448240,?), ref: 0040448E
            • wsprintfW.USER32 ref: 0040449B
            • SetDlgItemTextW.USER32 ref: 004044AE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: ItemTextlstrlenwsprintf
            • String ID: %u.%u%s%s
            • API String ID: 3540041739-3551169577
            • Opcode ID: ba5e8dc630582c1fb8a7ffd816ecda46f6997df385f31292ff57687ecd99090f
            • Instruction ID: dbf6a6ea80d48f9a5c36e6b279e5b75b5ffc630c2a3e9d8c31259d51dd3bfb4e
            • Opcode Fuzzy Hash: ba5e8dc630582c1fb8a7ffd816ecda46f6997df385f31292ff57687ecd99090f
            • Instruction Fuzzy Hash: EB117B7270020477CB10AA7A9D41F9E765AEBC5334F10413AF615F31D1D6789A114299
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E004027F9(void* __ebx, intOrPtr __edx) {
            				short* _t13;
            				void* _t20;
            				void* _t27;
            				void* _t30;
            
            				_t20 = __ebx;
            				 *((intOrPtr*)(_t30 + 8)) = E004061E4(__edx);
            				if( *(_t30 - 0x1c) != __ebx) {
            					_t27 = 0x22;
            					_t13 = E00401453(_t27);
            					_t28 = _t13;
            					_push(_t13);
            					E004062C7(L"DeleteRegKey: \"%s\\%s\"",  *((intOrPtr*)(_t30 + 8)));
            					_t15 =  *((intOrPtr*)(_t30 - 0x28));
            					if( *((intOrPtr*)(_t30 - 0x28)) == __ebx) {
            						_t15 =  *0x473e84 + 0x80000001;
            					}
            					 *((intOrPtr*)(_t30 - 0x44)) = E0040148E(_t15, _t28,  *(_t30 - 0x1c) & 0x00000002);
            					goto L7;
            				} else {
            					__edi = E00401544(2);
            					if(__edi == __ebx) {
            						L1:
            						 *((intOrPtr*)(_t30 - 4)) = 1;
            					} else {
            						__esi = 0x33;
            						__esi = E00401453(__esi);
            						__eax = RegDeleteValueW(__edi, __esi);
            						_push(__esi);
            						_push(0x4140d8);
            						 *(__ebp - 0x44) = __eax;
            						E004062C7(L"DeleteRegValue: \"%s\\%s\" \"%s\"",  *((intOrPtr*)(__ebp + 8))) = RegCloseKey(__edi);
            						L7:
            						if( *((intOrPtr*)(_t30 - 0x44)) != _t20) {
            							goto L1;
            						}
            					}
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t30 - 4));
            				return 0;
            			}








            APIs
              • Part of subcall function 00401544: RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0040157E
            • RegCloseKey.ADVAPI32(00000000), ref: 00402845
            • RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 00402825
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
            Strings
            • DeleteRegKey: "%s\%s", xrefs: 0040285B
            • DeleteRegValue: "%s\%s" "%s", xrefs: 00402837
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: CloseDeleteOpenValuelstrlenwvsprintf
            • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
            • API String ID: 1697273262-1764544995
            • Opcode ID: f0473a3880686fcb4649a4f1751f5c08576cb0973a330e9269df6b01d3bb1fe7
            • Instruction ID: 72889cc0f6395430d8d13bb6b2796bffa0cc8d42c82087029d80121eb90163e1
            • Opcode Fuzzy Hash: f0473a3880686fcb4649a4f1751f5c08576cb0973a330e9269df6b01d3bb1fe7
            • Instruction Fuzzy Hash: 0B118F72900110ABCB20AFA5DD46AEE7AA4EB40358F10403FF509BA1E2D6B88E51DA5D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E0040266D() {
            				WCHAR* _t22;
            				WCHAR* _t23;
            				intOrPtr _t24;
            				WCHAR* _t37;
            				WCHAR* _t40;
            				void* _t43;
            				void* _t44;
            				WCHAR* _t45;
            				void* _t47;
            
            				_t22 = E00401453(0);
            				_t43 = 0x11;
            				_t40 = _t22;
            				_t23 = E00401453(_t43);
            				_t44 = 0x23;
            				 *(_t47 + 8) = _t23;
            				_t24 = E00401453(_t44);
            				_t45 =  *(_t47 + 8);
            				_push(_t45);
            				 *((intOrPtr*)(_t47 - 0x34)) = _t24;
            				E004062C7(L"CopyFiles \"%s\"->\"%s\"", _t40);
            				if(E004062F9(_t40) != 0) {
            					 *(_t47 - 0x5c) =  *(_t47 - 0xc);
            					 *((intOrPtr*)(_t47 - 0x58)) = 2;
            					 *((short*)(_t40 + 2 + lstrlenW(_t40) * 2)) = _t37;
            					 *((short*)(_t45 + 2 + lstrlenW(_t45) * 2)) = _t37;
            					_t30 =  *((intOrPtr*)(_t47 - 0x34));
            					 *(_t47 - 0x54) = _t40;
            					 *(_t47 - 0x50) = _t45;
            					 *((intOrPtr*)(_t47 - 0x42)) =  *((intOrPtr*)(_t47 - 0x34));
            					 *((short*)(_t47 - 0x4c)) =  *((intOrPtr*)(_t47 - 0x24));
            					E00404FA5(_t37, _t30);
            					if(SHFileOperationW(_t47 - 0x5c) != 0) {
            						goto L2;
            					}
            				} else {
            					L2:
            					E00404FA5(0xfffffff9, _t37);
            					 *((intOrPtr*)(_t47 - 4)) = 1;
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t47 - 4));
            				return 0;
            			}













            APIs
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
              • Part of subcall function 004062F9: FindFirstFileW.KERNELBASE(004582C0,0045CEC8,004582C0,004067E9,004582C0), ref: 00406304
              • Part of subcall function 004062F9: FindClose.KERNEL32(00000000), ref: 00406310
            • lstrlenW.KERNEL32 ref: 004026C3
            • lstrlenW.KERNEL32(?), ref: 004026CE
            • SHFileOperationW.SHELL32(?,?,?,?), ref: 004026F7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
            • String ID: CopyFiles "%s"->"%s"
            • API String ID: 2577523808-3778932970
            • Opcode ID: f424bb9e69c5623f11b07d959900444b67400ad8589523bca711dcdf2b09f1e7
            • Instruction ID: 08000ea9312af1e10131280f9ce75be090390845ad8c24bb817a97088ba4db6e
            • Opcode Fuzzy Hash: f424bb9e69c5623f11b07d959900444b67400ad8589523bca711dcdf2b09f1e7
            • Instruction Fuzzy Hash: 93118FB1D00214AACB10FFEAD8469DEB7B8AF04354F10803FF505F7291E6BC8A518B59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E00406248(void* __ecx, WCHAR* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
            				WCHAR* _v8;
            				intOrPtr _v12;
            				int _t22;
            				void* _t31;
            				signed int _t34;
            				int _t38;
            				intOrPtr _t39;
            				intOrPtr _t42;
            				void* _t44;
            
            				_v8 = _a4;
            				_t34 = 3;
            				_t22 = _a8 / _t34;
            				_t42 = 0;
            				_v12 = 0;
            				_t38 = _t22;
            				if(_a16 <= _t38) {
            					_t39 = _a16;
            				} else {
            					_t39 = _t38 - 1;
            					_v12 = 1;
            				}
            				if(_t39 > _t42) {
            					_t31 = _t39 - 1;
            					do {
            						asm("sbb eax, eax");
            						_t22 = wsprintfW(_v8, L"%02x%c",  *(_t42 + _a12) & 0x000000ff,  ~(_t42 - _t31) & 0x00000020);
            						_v8 =  &(_v8[3]);
            						_t44 = _t44 + 0x10;
            						_t42 = _t42 + 1;
            					} while (_t42 < _t39);
            				}
            				if(_v12 != 0) {
            					return lstrcatW(_a4, L"...");
            				}
            				return _t22;
            			}













            APIs
            Strings
            Similarity
            • API ID: lstrcatwsprintf
            • String ID: %02x%c$...
            • API String ID: 3065427908-1057055748
            • Opcode ID: 5c68c889d565eaf190f3ac0b6839d76c96adb98a724596c50df6c805443fbd9f
            • Instruction ID: 9d5e9ce4911a0047d4e4d2f1560cdf4e60f35c93c038e969eb338f3aebf88232
            • Opcode Fuzzy Hash: 5c68c889d565eaf190f3ac0b6839d76c96adb98a724596c50df6c805443fbd9f
            • Instruction Fuzzy Hash: 6301D672500215AFCB00EF58DD45A9EBBB9EB44710F20817AF405F2280D2789E6587A4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00407976(void* __ecx, CHAR* _a4) {
            				struct HINSTANCE__* _v6;
            				struct HINSTANCE__* _v8;
            				struct HINSTANCE__* _v10;
            				struct HINSTANCE__* _v12;
            				char _v271;
            				char _v272;
            				CHAR* _t35;
            
            				_v272 = 0;
            				E0040872A( &_v271, 0, 0x103);
            				_t35 = _a4;
            				_v12 = 0;
            				_v10 = 0;
            				_v8 = 0;
            				_v6 = 0;
            				 *_t35 = 0;
            				GetModuleFileNameA(0,  &_v272, 0x104);
            				E004078EB( &_v272,  &_v12);
            				wsprintfA(_t35, "%u,%u,%u,%u,%s", _v12 & 0x0000ffff, _v10 & 0x0000ffff, _v8 & 0x0000ffff, _v6 & 0x0000ffff, PathFindFileNameA( &_v272));
            				return _t35;
            			}











            APIs
            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,7491C740,00000000), ref: 004079C0
              • Part of subcall function 004078EB: GetFileVersionInfoSizeA.VERSION(?,00000000,74CF81D0,004079D6,?), ref: 004078FD
              • Part of subcall function 004078EB: GetFileVersionInfoA.VERSION(00000000,00000000,00000000,00000000,00407BD6,?,00000000,74CF81D0), ref: 00407926
              • Part of subcall function 004078EB: VerQueryValueA.VERSION(00000000,0040AD10,00000000,00000000,00000000,00000000,00000000,00000000,00407BD6,?,00000000,74CF81D0), ref: 0040793D
            • PathFindFileNameA.SHLWAPI(?,?,7491C740,00000000), ref: 004079DF
            • wsprintfA.USER32 ref: 00407A00
            Strings
            Similarity
            • API ID: File$InfoNameVersion$FindModulePathQuerySizeValuewsprintf
            • String ID: %u,%u,%u,%u,%s
            • API String ID: 4282680381-2603795374
            • Opcode ID: 583fd072486c6c0131bbd4370e82dbb48ad7de711442a760237fda95c596c899
            • Instruction ID: 9d11099dcca14597c80956326a877e84531247d782b343d11e0297d63deff287
            • Opcode Fuzzy Hash: 583fd072486c6c0131bbd4370e82dbb48ad7de711442a760237fda95c596c899
            • Instruction Fuzzy Hash: B711617690011CBADB10DBE89C459EEB7BCEF18304F0040A6F684F3191E2789F848BA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 85%
            			E0040271E(WCHAR* __ebx) {
            				int _t13;
            				WCHAR* _t20;
            				void* _t25;
            				WCHAR* _t26;
            				void* _t28;
            				void* _t29;
            				void* _t30;
            				int _t36;
            
            				_t20 = __ebx;
            				 *(_t30 - 0x44) = __ebx;
            				 *(_t30 + 8) = __ebx;
            				E0040602D(0x4100d0, L"<RM>");
            				_t13 = E0040602D(0x4140d8, 0x4100d0);
            				if( *((intOrPtr*)(_t30 - 0x2c)) != __ebx) {
            					__esi = 0;
            					 *((intOrPtr*)(__ebp - 0x44)) = E00401453(0);
            				}
            				if( *((intOrPtr*)(_t30 - 0x28)) != _t20) {
            					_t29 = 0x11;
            					 *(_t30 + 8) = E00401453(_t29);
            				}
            				if( *((intOrPtr*)(_t30 - 0x1c)) != _t20) {
            					_t28 = 0x22;
            					_t20 = E00401453(_t28);
            				}
            				_t25 = 0xffffffcd;
            				_t26 = E00401453(_t25);
            				_push(_t26);
            				_push(0x4140d8);
            				_push(0x4100d0);
            				E004062C7(L"WriteINIStr: wrote [%s] %s=%s in %s", "end");
            				_t13 = WritePrivateProfileStringW( *(_t30 - 0x44),  *(_t30 + 8), _t20, _t26);
            				_t36 = _t13;
            				if(_t36 == 0) {
            					 *((intOrPtr*)(_t30 - 4)) = 1;
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t30 - 4));
            				return 0;
            			}












            APIs
              • Part of subcall function 0040602D: lstrcpynW.KERNEL32(?,?,00002004,00403920,0046BDC0,NSIS Error), ref: 0040603A
            • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 00402799
            Strings
            Similarity
            • API ID: PrivateProfileStringWritelstrcpyn
            • String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$end
            • API String ID: 247603264-1461967235
            • Opcode ID: 9e5a1b42026d0510df3b51812f236b104904613b27c47224b552257d5e4230a4
            • Instruction ID: d94e17f4987cf0e71fedb6b31b995469f3247732c308c3f72b19ecb9237c73fc
            • Opcode Fuzzy Hash: 9e5a1b42026d0510df3b51812f236b104904613b27c47224b552257d5e4230a4
            • Instruction Fuzzy Hash: 85016271D41224AACB207FA55D86ADE7D64AF05754F11803FF519361E2C2BC0E819BDD
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • OleInitialize.OLE32(00000000), ref: 00405088
              • Part of subcall function 00403DF7: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403E09
            • OleUninitialize.OLE32(00000404,00000000), ref: 004050D6
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
            Strings
            Similarity
            • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
            • String ID: Section: "%s"$Skipping section: "%s"
            • API String ID: 2266616436-4211696005
            • Opcode ID: 80e20fd828e8bc89dda798c50c3813fcc819a22f9eac499261a51b2aef2e54d7
            • Instruction ID: 98367e855004c0ee79bdca31c1e6a3a2e3962c76f5b77a72ca4e617090c69141
            • Opcode Fuzzy Hash: 80e20fd828e8bc89dda798c50c3813fcc819a22f9eac499261a51b2aef2e54d7
            • Instruction Fuzzy Hash: 3FF0F937454700ABE3146B50AC02B9E77A4EF85725F14403FFE48731D297B95C819A5D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00407790(void* __ecx, void* __edx, CHAR* _a4) {
            				long _v8;
            				void* _t5;
            				void* _t12;
            
            				_t12 = __edx;
            				_t5 = E004076C5();
            				GetVolumeInformationA("c:\\", 0, 0,  &_v8, 0, 0, 0, 0);
            				wsprintfA(_a4, "%u,%u,%u", _t12, _t5, _v8);
            				return _a4;
            			}







            APIs
              • Part of subcall function 004076C5: GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00407704
              • Part of subcall function 004076C5: GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00407736
              • Part of subcall function 004076C5: StrStrIA.SHLWAPI(0000010C,vmware,74CF81D0,7491C740,00000000,?,00407C04,?), ref: 00407756
            • GetVolumeInformationA.KERNEL32(c:\,00000000,00000000,?,00000000,00000000,00000000,00000000,74CF81D0,7491C740,?,?,00407C04,?), ref: 004077B0
            • wsprintfA.USER32 ref: 004077C3
            Strings
            Similarity
            • API ID: AdaptersInfo$InformationVolumewsprintf
            • String ID: %u,%u,%u$c:\
            • API String ID: 2832006997-1098778900
            • Opcode ID: 1378d263664e72a0fb9e98e9ba013b5515d9d2c6303b54a3e5097fc6c07dfc01
            • Instruction ID: 639f785529ae473f436b5ba291e678d43a97233c65e8f014b44abe7366cfb547
            • Opcode Fuzzy Hash: 1378d263664e72a0fb9e98e9ba013b5515d9d2c6303b54a3e5097fc6c07dfc01
            • Instruction Fuzzy Hash: 3BE0DFB2200104BFFB04AB69CE0ACBB3F6CDA802647110475FD06E6191EA74AE20D6B5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00407154(void* __eflags, WCHAR* _a4, WCHAR* _a8, int _a12) {
            				signed short _v8;
            				short _v24;
            				char _v264;
            				char _v280;
            				void* _t20;
            				WCHAR* _t22;
            
            				_t20 = E00406EE6(_a4, 5,  &_v280, 0x80);
            				if(_t20 == 1) {
            					_t22 =  &_v280;
            					lstrcpynW( &_v24, _t22, 9);
            					_v8 = _v8 & 0x00000000;
            					if(lstrcmpW( &_v24, L"Version ") == 0) {
            						_t22 =  &_v264;
            					}
            					lstrcpynW(_a8, _t22, _a12);
            				}
            				return _t20;
            			}










            APIs
              • Part of subcall function 00406EE6: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F09
            • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407195
            • lstrcmpW.KERNEL32(?,Version ), ref: 004071A5
            • lstrcpynW.KERNEL32(?,?,?), ref: 004071BC
            Strings
            Similarity
            • API ID: lstrcpyn$CreateFilelstrcmp
            • String ID: Version
            • API String ID: 512980652-315105994
            • Opcode ID: 96b9ae64f41fd6eb80df6c037b44edd357485fb33881521d473a95340edff873
            • Instruction ID: 38589afbcfc4115d6ab1431b0da6e5ddb2d5aed87f305ed3dd4a971a4c02f3ca
            • Opcode Fuzzy Hash: 96b9ae64f41fd6eb80df6c037b44edd357485fb33881521d473a95340edff873
            • Instruction Fuzzy Hash: D1F04F72A0021CABDF109BE5DD46FDA777DEB48714F100476FB00B7181E2B5AE148BA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004032F9(intOrPtr _a4) {
            				long _t2;
            				struct HWND__* _t3;
            				struct HWND__* _t6;
            
            				if(_a4 == 0) {
            					__eflags =  *0x42c150; // 0x0
            					if(__eflags == 0) {
            						_t2 = GetTickCount();
            						__eflags = _t2 -  *0x473e20;
            						if(_t2 >  *0x473e20) {
            							_t3 = CreateDialogParamW( *0x473dd8, 0x6f, 0, E00403273, 0);
            							 *0x42c150 = _t3;
            							return ShowWindow(_t3, 5);
            						}
            						return _t2;
            					} else {
            						return E00406357(0);
            					}
            				} else {
            					_t6 =  *0x42c150; // 0x0
            					if(_t6 != 0) {
            						_t6 = DestroyWindow(_t6);
            					}
            					 *0x42c150 = 0;
            					return _t6;
            				}
            			}







            APIs
            • DestroyWindow.USER32(00000000,00000000,0040372A,00000001,?,?,?,004D80C8,00403A74,?), ref: 0040330C
            • GetTickCount.KERNEL32 ref: 0040332A
            • CreateDialogParamW.USER32 ref: 00403347
            • ShowWindow.USER32(00000000,00000005,?,?,?,004D80C8,00403A74,?), ref: 00403355
            Similarity
            • API ID: Window$CountCreateDestroyDialogParamShowTick
            • String ID:
            • API String ID: 2102729457-0
            • Opcode ID: cbc2a64098dd7588ba4187a5b41697e4e57ee9dcc8b874b40b8e8f0099b36f3e
            • Instruction ID: 0fbad9865eb508c962008b13c1ec7d445a754bfb6238712b8738b1fc233469b4
            • Opcode Fuzzy Hash: cbc2a64098dd7588ba4187a5b41697e4e57ee9dcc8b874b40b8e8f0099b36f3e
            • Instruction Fuzzy Hash: 5BF03031501220ABC621AF60BC8DA9E7B69B744782740087AF505B12A5C7344D918ADC
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040638A(struct HINSTANCE__* _a4, short* _a8) {
            				void* _t3;
            				void* _t8;
            				_Unknown_base(*)()* _t9;
            
            				_t3 = GlobalAlloc(0x40, 0x2004);
            				_t9 = 0;
            				_t8 = _t3;
            				if(WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t8, 0x2004, 0, 0) != 0) {
            					_t9 = GetProcAddress(_a4, _t8);
            				}
            				GlobalFree(_t8);
            				return _t9;
            			}







            APIs
            • GlobalAlloc.KERNEL32(00000040,00002004,00000000,00000001,?,00402463,?,?,?,00000008), ref: 00406395
            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,00402463,?,?,?,00000008), ref: 004063AB
            • GetProcAddress.KERNEL32(?,00000000), ref: 004063BA
            • GlobalFree.KERNEL32 ref: 004063C3
            Similarity
            • API ID: Global$AddressAllocByteCharFreeMultiProcWide
            • String ID:
            • API String ID: 2883127279-0
            • Opcode ID: b7e2402a09f56174f1d3fac8e6afdf1de52397fce869acdc40e0422f4b52e11d
            • Instruction ID: a0439ab564bf774e5612c8b382c89393acfe2e2e42b67b9c7da9a17307b4db43
            • Opcode Fuzzy Hash: b7e2402a09f56174f1d3fac8e6afdf1de52397fce869acdc40e0422f4b52e11d
            • Instruction Fuzzy Hash: 9BE092713001117BF6101B269D4CD677EACDBCA7B2B014136F645E12A1C6348C14C674
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040723D(void* _a4, long _a8) {
            				void* _t6;
            				void* _t8;
            				void* _t9;
            
            				_t9 = GlobalHandle(_a4);
            				_t8 = 0;
            				if(_t9 != 0) {
            					GlobalUnlock(_t9);
            					_t6 = GlobalReAlloc(_t9, _a8, 2);
            					if(_t6 != 0) {
            						_t8 = GlobalLock(_t6);
            					}
            				}
            				return _t8;
            			}







            APIs
            • GlobalHandle.KERNEL32(004073AF), ref: 00407243
            • GlobalUnlock.KERNEL32(00000000,?,00000000,00000000), ref: 00407252
            • GlobalReAlloc.KERNEL32 ref: 0040725F
            • GlobalLock.KERNEL32 ref: 0040726A
            Similarity
            • API ID: Global$AllocHandleLockUnlock
            • String ID:
            • API String ID: 2167344118-0
            • Opcode ID: 84ca56021a0c02c143d121dc0e7e50d9dfa760b0061935ee982f0558aabaf0d3
            • Instruction ID: 70ff2d3bfc18e0c29a2fa24cba67b2c3bafe637130087af695bd4879023f0d3a
            • Opcode Fuzzy Hash: 84ca56021a0c02c143d121dc0e7e50d9dfa760b0061935ee982f0558aabaf0d3
            • Instruction Fuzzy Hash: B6E08632705121ABDB115B35BE0CD8B3AA5AFC5751B058074F504F6265C7348C02C6B9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00404905(struct HWND__* _a4, int _a8, int _a12, long _a16) {
            				long _t22;
            
            				if(_a8 != 0x102) {
            					if(_a8 != 0x200) {
            						_t22 = _a16;
            						L7:
            						if(_a8 == 0x419 &&  *0x458270 != _t22) {
            							 *0x458270 = _t22;
            							E0040602D(0x448240, 0x474000);
            							E00405F74(0x474000, _t22);
            							E00401414(6);
            							E0040602D(0x474000, 0x448240);
            						}
            						L11:
            						return CallWindowProcW( *0x438200, _a4, _a8, _a12, _t22);
            					}
            					if(IsWindowVisible(_a4) == 0) {
            						L10:
            						_t22 = _a16;
            						goto L11;
            					}
            					_t22 = E00404885(_a4, 1);
            					_a8 = 0x419;
            					goto L7;
            				}
            				if(_a12 != 0x20) {
            					goto L10;
            				}
            				E00403DF7(0x413);
            				return 0;
            			}





            APIs
            • IsWindowVisible.USER32(?), ref: 0040493B
            • CallWindowProcW.USER32(?,00000200,?,?), ref: 004049A9
              • Part of subcall function 00403DF7: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403E09
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Window$CallMessageProcSendVisible
            • String ID:
            • API String ID: 3748168415-3916222277
            • Opcode ID: 16c4d6aa58dd157e00a85c0e0de8fbda1ddcf0c199d4cb38ca568e4e339684ed
            • Instruction ID: 32c081245e767719dc1540eec71a06b383f4f84ebdd2bd37b4e9d70ed0a1c685
            • Opcode Fuzzy Hash: 16c4d6aa58dd157e00a85c0e0de8fbda1ddcf0c199d4cb38ca568e4e339684ed
            • Instruction Fuzzy Hash: 8F1182F1500209EBDF219F659C41A9B3B69AF44395F00803BF71879192C7788D508BA9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			E004021B2() {
            				signed int _t9;
            				short* _t10;
            				signed int _t11;
            				signed int _t24;
            				void* _t29;
            				void* _t30;
            				void* _t31;
            				void* _t33;
            
            				_t9 = E00401453(0);
            				_t29 = 0x31;
            				_t26 = _t9;
            				_t10 = E00401453(_t29);
            				_t30 = 0x22;
            				 *(_t33 + 8) = _t10;
            				_t11 = E00401453(_t30);
            				_t31 = 0x15;
            				_t24 = _t11;
            				E00401453(_t31);
            				E0040142C(0xffffffec);
            				asm("sbb eax, eax");
            				asm("sbb eax, eax");
            				if(ShellExecuteW( *(_t33 - 0xc),  ~( *_t9) & _t26,  *(_t33 + 8),  ~( *_t24) & _t24, 0x4cc0b0,  *(_t33 - 0x20)) >= 0x21) {
            					_push(_t24);
            					_push( *(_t33 + 8));
            					E004062C7(L"ExecShell: success (\"%s\": file:\"%s\" params:\"%s\")", _t26);
            				} else {
            					_push( *((intOrPtr*)(__ebp + 8)));
            					__eax = E004062C7(L"ExecShell: warning: error (\"%s\": file:\"%s\" params:\"%s\")=%d", __edi);
            					 *((intOrPtr*)(_t33 - 4)) = 1;
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t33 - 4));
            				return 0;
            			}












            APIs
            • ShellExecuteW.SHELL32(?,00000000,?,00000000,004CC0B0,?), ref: 00402203
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
            Strings
            • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402214
            • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 0040222B
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: ExecuteShelllstrlenwvsprintf
            • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
            • API String ID: 2380004146-2180253247
            • Opcode ID: 707b09345c39b15e70188f7127911ff4f00a04c22a7ab9105e122700d0772aaf
            • Instruction ID: 7bfefa792a6f7c16d4d8349b169ca20c7831fbe2e1afbd2366841c4ee347190e
            • Opcode Fuzzy Hash: 707b09345c39b15e70188f7127911ff4f00a04c22a7ab9105e122700d0772aaf
            • Instruction Fuzzy Hash: 6601F5776001047ADB007FF9EC46EED37A8EB44798B20803BF501F90E2E27D8A91D669
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ShowWindow.USER32(00000000,00000000), ref: 0040219C
              • Part of subcall function 004062C7: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
              • Part of subcall function 004062C7: wvsprintfW.USER32(00000000,?,?), ref: 004062EB
            • EnableWindow.USER32(00000000,00000000), ref: 004021A7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: Window$EnableShowlstrlenwvsprintf
            • String ID: HideWindow
            • API String ID: 1249568736-780306582
            • Opcode ID: 2d9916d6a0671317b442a61514f16f2f97d29cb7630ecc6534158e58294e8335
            • Instruction ID: b3941c556e2b0eecf458d0b98135f7b6416b54b9747c20c1221e0ffa1970e5be
            • Opcode Fuzzy Hash: 2d9916d6a0671317b442a61514f16f2f97d29cb7630ecc6534158e58294e8335
            • Instruction Fuzzy Hash: B6E09232A04120EBCB18ABF5694949E77A0AB44366360047FE103F50D2DB7CCD01C92D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004027A4(short __ebx) {
            				short _t11;
            				intOrPtr _t12;
            				WCHAR* _t13;
            				WCHAR* _t14;
            				int _t19;
            				WCHAR* _t24;
            				void* _t28;
            				void* _t29;
            				void* _t31;
            
            				_t11 =  *L"!N~"; // 0x4e0021
            				 *(_t31 - 0x48) = _t11;
            				_t12 =  *0x4095f8; // 0x7e
            				 *((intOrPtr*)(_t31 - 0x44)) = _t12;
            				_t13 = E00401453(1);
            				_t28 = 0x12;
            				 *(_t31 - 0x34) = _t13;
            				_t14 = E00401453(_t28);
            				_t29 = 0xffffffdd;
            				 *(_t31 + 8) = _t14;
            				GetPrivateProfileStringW( *(_t31 - 0x34),  *(_t31 + 8), _t31 - 0x48, _t24, 0x2003, E00401453(_t29));
            				_t19 = lstrcmpW(_t24, _t31 - 0x48);
            				if(_t19 == 0) {
            					 *((intOrPtr*)(_t31 - 4)) = 1;
            					 *_t24 = __ebx;
            				}
            				 *0x473e88 =  *0x473e88 +  *((intOrPtr*)(_t31 - 4));
            				return 0;
            			}













            APIs
            • GetPrivateProfileStringW.KERNEL32 ref: 004027E3
            • lstrcmpW.KERNEL32(?,?,?,00002003,00000000), ref: 004027EE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: PrivateProfileStringlstrcmp
            • String ID: !N~
            • API String ID: 623250636-529124213
            • Opcode ID: cbd1d5a885b902bba5f9af7500443c0f13042f88ca4a4668346f998cc7b7f80d
            • Instruction ID: c60e5488172c990f07e6a85f6143e507e6ba8ec73c4164372d1e30aa5befefc4
            • Opcode Fuzzy Hash: cbd1d5a885b902bba5f9af7500443c0f13042f88ca4a4668346f998cc7b7f80d
            • Instruction Fuzzy Hash: 32F0F8B1900219AFDB11AFA9ED899ED7BB9AF08314F108026F601F61B2D2344A41DB44
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004062C7(WCHAR* _a4, char _a8) {
            
            				 *0x462540 =  *0x462540 & 0x00000000;
            				wvsprintfW( &(0x462540[lstrlenW(L"RMDir: RemoveDirectory invalid input(\"\")")]), _a4,  &_a8);
            				return E0040610B( &_a8, 0);
            			}



            0x004062c7
            0x004062eb
            0x004062f8

            APIs
            • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E8D,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062D4
            • wvsprintfW.USER32(00000000,?,?), ref: 004062EB
              • Part of subcall function 0040610B: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062F8,00000000), ref: 00406122
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: CloseHandlelstrlenwvsprintf
            • String ID: RMDir: RemoveDirectory invalid input("")
            • API String ID: 3509786178-2769509956
            • Opcode ID: 06cdb0636f31de3caccb2fd5e9dfc28eabedd12d1375c7ebae3e2a73f97f7772
            • Instruction ID: 37822e3d81ef2f12cd31ff7378191fe851d5065eb970489e9c67b27003f734d2
            • Opcode Fuzzy Hash: 06cdb0636f31de3caccb2fd5e9dfc28eabedd12d1375c7ebae3e2a73f97f7772
            • Instruction Fuzzy Hash: 3FD0A730004B26FBDB145B90DE19F197764F750304F50042EF102500B1F7F55004C71B
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405DDD(void* __ecx, CHAR* _a4, CHAR* _a8) {
            				int _v8;
            				int _t11;
            				int _t13;
            				int _t14;
            				CHAR* _t16;
            				CHAR* _t26;
            
            				_t11 = lstrlenA(_a8);
            				_t26 = _a4;
            				_v8 = _t11;
            				while(lstrlenA(_t26) >= _v8) {
            					_t13 = _v8;
            					 *((char*)(_t13 + _t26)) = 0;
            					_t14 = lstrcmpiA(_t26, _a8);
            					_t26[_v8] =  *((intOrPtr*)(_t13 + _t26));
            					if(_t14 == 0) {
            						_t16 = _t26;
            					} else {
            						_t26 = CharNextA(_t26);
            						continue;
            					}
            					L5:
            					return _t16;
            				}
            				_t16 = 0;
            				goto L5;
            			}










            APIs
            • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BEB,00000000,[Rename]), ref: 00405DED
            • lstrcmpiA.KERNEL32(?,?,?,00000000,00406BEB,00000000,[Rename]), ref: 00405E05
            • CharNextA.USER32(?,?,00000000,00406BEB,00000000,[Rename]), ref: 00405E16
            • lstrlenA.KERNEL32(?,?,00000000,00406BEB,00000000,[Rename]), ref: 00405E1F
            Memory Dump Source
            • Source File: 00000000.00000002.358866908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.358855017.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.358882071.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.358893585.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.358893585.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.358893585.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.358932212.00000000004F9000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_IdeaShare Key.jbxd
            Similarity
            • API ID: lstrlen$CharNextlstrcmpi
            • String ID:
            • API String ID: 190613189-0
            • Opcode ID: 8938d4122ff8cd55b7ba55f287eccf5cabd342054282af70d4c94b6b6d2e7980
            • Instruction ID: 78520c33c0a771cc30cd74bfe9c147213bd01ab99c85fb8ef123402db4e462ad
            • Opcode Fuzzy Hash: 8938d4122ff8cd55b7ba55f287eccf5cabd342054282af70d4c94b6b6d2e7980
            • Instruction Fuzzy Hash: 98F0CD31205558FFCB019BA9DC04C9FBFA8EF4A350B2540AAE841EB311D230DE019BA9
            Uniqueness

            Uniqueness Score: -1.00%

            Execution Graph

            Execution Coverage:7.2%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:1.3%
            Total number of Nodes:631
            Total number of Limit Nodes:24
?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@ ??1Connection@QMetaObject@@QAE 2097->2099 2100 11c82d1 2097->2100 2098->2097 2099->2099 2099->2100 2101 11c82f7 ?dispose@QListData@@SAXPAUData@1@ 2100->2101 2102 11c8303 ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@ ??1Connection@QMetaObject@@QAE 2100->2102 2101->2102 2103 11c8333 2102->2103 2104 11c833a ?showNormal@QWidget@ ?activateWindow@QWidget@ 2103->2104 2899 11cb2b7 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2105 11c88b0 ?setWindowTitle@QWidget@@QAEXABVQString@@ ?setWindowFlags@QWidget@@QAEXV?$QFlags@W4WindowType@Qt@@@@ ?setAttribute@QWidget@@QAEXW4WidgetAttribute@Qt@@_N 2106 11c890a 2105->2106 2107 11c891d ??0QGraphicsDropShadowEffect@@QAE@PAVQObject@@ 2106->2107 2108 11c892e 2106->2108 2109 11c8930 ?setOffset@QGraphicsDropShadowEffect@@QAEXABVQPointF@@ ??0QColor@@QAE@W4GlobalColor@Qt@@ ?setColor@QGraphicsDropShadowEffect@@QAEXABVQColor@@ ?setBlurRadius@QGraphicsDropShadowEffect@@QAEXN ?setGraphicsEffect@QWidget@@QAEXPAVQGraphicsEffect@@ 2107->2109 2108->2109 2110 11c898a 2109->2110 2111 11c899d ??0QTimer@@QAE@PAVQObject@@ 2110->2111 2112 11c89ae 2110->2112 2113 11c89b0 20 API calls 2111->2113 2112->2113 2114 11c1037 2113->2114 2115 11c8b22 ??1QString@@QAE ??0QFileInfo@@QAE@ABVQString@@ ?isFile@QFileInfo@ 2114->2115 2116 11c8b5c ??1QString@@QAE 2115->2116 2117 11c8b91 ??1QString@@QAE 2115->2117 2120 11c8bc4 ?hide@QWidget@ ??1QFileInfo@@QAE ??1QString@@QAE ??1QString@@QAE 2116->2120 2117->2120 2121 11c8c00 2120->2121 2521 11ca0b0 10 API calls 2901 11c7ab0 8 API calls 2902 11c1037 2901->2902 2903 11c7b64 ??1QString@@QAE ??0QFileInfo@@QAE@ABVQString@@ ?isFile@QFileInfo@ 2902->2903 2904 11c7c29 2903->2904 2905 11c7b96 11 API calls 2903->2905 2906 11c7c2b ??1QFileInfo@@QAE ??1QString@@QAE ??1QString@@QAE 2904->2906 2905->2906 2908 11c76b0 ??0QMessageLogger@@QAE@PBDH0 ?debug@QMessageLogger@@QBE?AVQDebug@ 
??6QDebug@@QAEAAV0@PBD ??6QDebug@@QAEAAV0@H ??1QDebug@@QAE 2909 11c7732 2908->2909 2910 11c8eb0 2911 11c8ecf 2910->2911 2912 11c8ebf 2910->2912 2913 11c8ec0 ??1QString@@QAE 2912->2913 2913->2911 2913->2913 2917 11ceaa9 ??1QPixmap@@UAE 2919 11cb2a6 2920 11c1357 ___security_init_cookie 5 API calls 2919->2920 2921 11cb2ab 2920->2921 2921->2921 2529 11cbcde 2530 11cbd13 2529->2530 2532 11cbcee 2529->2532 2531 11cbd19 terminate 2532->2530 2532->2531 2924 11cbad4 IsProcessorFeaturePresent 2925 11cbae9 2924->2925 2926 11cbaf5 memset memset IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 2925->2926 2927 11cbbdf 2926->2927 2082 11caed7 2083 11caefb _register_onexit_function 2082->2083 2084 11caef4 _crt_atexit 2082->2084 2085 11caf06 2083->2085 2084->2085 2122 11c7cd0 ??0QtSingleApplication@@QAE@AAHPAPAD_N ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH ?sendMessage@QtSingleApplication@@QAE_NABVQString@@H ??1QString@@QAE 2123 11c7d57 ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH ??0QFile@@QAE@ABVQString@@ ??1QString@@QAE ?open@QFile@@UAE_NV?$QFlags@W4OpenModeFlag@QIODevice@@@@ 2122->2123 2124 11c7d50 2122->2124 2126 11c7d9e ?readAll@QIODevice@@QAE?AVQByteArray@ ?constData@QByteArray@ 2123->2126 2127 11c7e2b ??0QLocale@@QAE ??0QTranslator@@QAE@PAVQObject@@ 2123->2127 2125 11c7fa3 ??1QApplication@@UAE 2124->2125 2128 11c7dde 6 API calls 2126->2128 2130 11c7dc6 2126->2130 2129 11c7e4c 2127->2129 2128->2127 2131 11c7e51 2129->2131 2132 11c7eb3 2129->2132 2130->2128 2133 11c7e5a 7 API calls 2131->2133 2134 11c7f27 ?installTranslator@QCoreApplication@@SA_NPAVQTranslator@@ 2131->2134 2132->2134 2136 11c7ebd 7 API calls 2132->2136 2135 11c7f14 ??1QString@@QAE ??1QString@@QAE 2133->2135 2137 11c7f41 2134->2137 2135->2134 2136->2135 2138 11c7f58 ?show@QWidget@ ?setActivationWindow@QtSingleApplication@@QAEXPAVQWidget@@_N ?exec@QApplication@ 2137->2138 2139 11c7f54 2137->2139 2138->2139 2140 11c7f88 ??1QTranslator@@UAE ??1QLocale@@QAE 
??1QFile@@UAE 2139->2140 2140->2125 2536 11c10d2 2537 11cbee9 __std_type_info_destroy_list 2536->2537 2931 11ce2cb ??1QFont@@QAE 2936 11c3ec0 6 API calls 2937 11c3f5c 2936->2937 2938 11c3f6e ?begin@QListData@ 2936->2938 2937->2938 2939 11c3f95 ?end@QListData@ 2938->2939 2940 11c3f83 2938->2940 2941 11c3fa4 ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@ ??1Connection@QMetaObject@@QAE 2939->2941 2942 11c3fd3 2939->2942 2940->2939 2941->2941 2941->2942 2943 11c3ffc ?dispose@QListData@@SAXPAUData@1@ 2942->2943 2944 11c4008 ?event@QWidget@@MAE_NPAVQEvent@@ 2942->2944 2943->2944 2949 11c36c0 ?begin@QListData@ ?detach@QListData@@QAEPAUData@1@H ?end@QListData@ ?begin@QListData@ 2951 11c3729 2949->2951 2950 11c374c ?dispose@QListData@@SAXPAUData@1@ 2952 11c3756 2950->2952 2951->2950 2951->2952 2551 11c78c0 6 API calls 2552 11c7a07 GetSystemDefaultLangID 2551->2552 2553 11c79a1 ?uiLanguages@QLocale@@QBE?AVQStringList@ ?at@QListData@@QBEPAPAXH ??0QString@@QAE@ABV0@ ??8QString@@QBE_NPBD ??1QString@@QAE 2551->2553 2554 11c7a05 2552->2554 2555 11c7a21 ??1QLocale@@QAE 2552->2555 2553->2554 2554->2555 2556 11c7a45 2555->2556 2605 11c84c0 ??1QLabel@@UAE 2606 11c84d2 2605->2606 2557 11c90c0 ?objectName@QObject@@QBE?AVQString@ ??1QString@@QAE 2558 11c9147 2557->2558 2559 11c9112 ?fromUtf8@QString@@SA?AV1@PBDH ?setObjectName@QObject@@QAEXABVQString@@ ??1QString@@QAE 2557->2559 2560 11c914a ?resize@QWidget@@QAEXHH ??0QSize@@QAE@HH ?setMinimumSize@QWidget@@QAEXABVQSize@@ ??0QSize@@QAE@HH ?setMaximumSize@QWidget@@QAEXABVQSize@@ 2558->2560 2559->2560 2561 11c919b 2560->2561 2562 11c91ae ??0QWidget@@QAE@PAV0@V?$QFlags@W4WindowType@Qt@@@@ 2561->2562 2563 11c91ca 2561->2563 2564 11c91cc 8 API calls 2562->2564 2563->2564 2565 11c9262 2564->2565 2566 11c9291 2565->2566 2567 11c9273 ??0QWidget@@QAE@PAV0@V?$QFlags@W4WindowType@Qt@@@@ 2565->2567 2568 11c9293 ?fromUtf8@QString@@SA?AV1@PBDH ?setObjectName@QObject@@QAEXABVQString@@ ??1QString@@QAE ??0QRect@@QAE@HHHH 
?setGeometry@QWidget@@QAEXABVQRect@@ 2566->2568 2567->2568 2569 11c92f2 2568->2569 2570 11c9322 2569->2570 2571 11c9303 ??0QLabel@@QAE@PAVQWidget@@V?$QFlags@W4WindowType@Qt@@@@ 2569->2571 2572 11c9324 6 API calls 2570->2572 2571->2572 2573 11c9392 2572->2573 2574 11c93c2 2573->2574 2575 11c93a3 ??0QWidget@@QAE@PAV0@V?$QFlags@W4WindowType@Qt@@@@ 2573->2575 2576 11c93c4 ?fromUtf8@QString@@SA?AV1@PBDH ?setObjectName@QObject@@QAEXABVQString@@ ??1QString@@QAE ??0QRect@@QAE@HHHH ?setGeometry@QWidget@@QAEXABVQRect@@ 2574->2576 2575->2576 2577 11c9420 2576->2577 2578 11c9450 2577->2578 2579 11c9431 ??0QLabel@@QAE@PAVQWidget@@V?$QFlags@W4WindowType@Qt@@@@ 2577->2579 2580 11c9452 9 API calls 2578->2580 2579->2580 2581 11c94f5 2580->2581 2582 11c9525 2581->2582 2583 11c9506 ??0QLabel@@QAE@PAVQWidget@@V?$QFlags@W4WindowType@Qt@@@@ 2581->2583 2584 11c9527 7 API calls 2582->2584 2583->2584 2585 11c9593 2584->2585 2586 11c95a6 ??0QLabel@@QAE@PAVQWidget@@V?$QFlags@W4WindowType@Qt@@@@ 2585->2586 2587 11c95c2 2585->2587 2588 11c95c4 6 API calls 2586->2588 2587->2588 2589 11c963b 2588->2589 2590 11c964c ??0QWidget@@QAE@PAV0@V?$QFlags@W4WindowType@Qt@@@@ 2589->2590 2591 11c966a 2589->2591 2592 11c966c ?fromUtf8@QString@@SA?AV1@PBDH ?setObjectName@QObject@@QAEXABVQString@@ ??1QString@@QAE ??0QRect@@QAE@HHHH ?setGeometry@QWidget@@QAEXABVQRect@@ 2590->2592 2591->2592 2593 11c96c8 2592->2593 2594 11c96d9 ??0QPushButton@@QAE@PAVQWidget@@ 2593->2594 2595 11c96f6 2593->2595 2596 11c96f8 ?fromUtf8@QString@@SA?AV1@PBDH ?setObjectName@QObject@@QAEXABVQString@@ ??1QString@@QAE ??0QRect@@QAE@HHHH ?setGeometry@QWidget@@QAEXABVQRect@@ 2594->2596 2595->2596 2597 11c9754 2596->2597 2598 11c9784 2597->2598 2599 11c9765 ??0QLabel@@QAE@PAVQWidget@@V?$QFlags@W4WindowType@Qt@@@@ 2597->2599 2600 11c9786 ?fromUtf8@QString@@SA?AV1@PBDH ?setObjectName@QObject@@QAEXABVQString@@ ??1QString@@QAE ??0QRect@@QAE@HHHH ?setGeometry@QWidget@@QAEXABVQRect@@ 2598->2600 2599->2600 2601 11c97e2 2600->2601 2602 11c9810 
2601->2602 2603 11c97f3 ??0QPushButton@@QAE@PAVQWidget@@ 2601->2603 2604 11c9812 33 API calls 2602->2604 2603->2604 2953 11c86c0 ?begin@QListData@ ?detach_grow@QListData@@QAEPAUData@1@PAHH ?begin@QListData@ ?begin@QListData@ 2954 11c12ee 2953->2954 2955 11c8733 ?end@QListData@ ?begin@QListData@ 2954->2955 2957 11c8763 2955->2957 2956 11c87bc ?begin@QListData@ 2957->2956 2958 11c87af ?dispose@QListData@@SAXPAUData@1@ 2957->2958 2959 11c87a0 ??1QString@@QAE 2957->2959 2958->2956 2959->2958 2959->2959 2611 11cacfa 2612 11cad09 2611->2612 2613 11cad0d 2611->2613 2614 11cad27 _initialize_onexit_table 2613->2614 2616 11cad45 ___scrt_is_nonwritable_in_current_image 2613->2616 2615 11cad36 _initialize_onexit_table 2614->2615 2614->2616 2615->2616 2617 11c84f0 ??1QProcess@@UAE 2618 11c8502 2617->2618 2620 11ce4f3 ??1QByteArray@@QAE 2967 11cb2e9 IsProcessorFeaturePresent 2968 11cb2fd 2967->2968 2621 11ce4ea ??1QFile@@UAE 2623 11c18e0 2626 11c1113 2623->2626 2625 11c18e5 2626->2625 2627 11ca1c0 ?qRegisterResourceData@@YA_NHPBE00 2626->2627 2627->2625 2628 11c8ce0 8 API calls 2629 11c8d8f 2628->2629 2970 11c32e0 2971 11c3320 ?dispose@QListData@@SAXPAUData@1@ 2970->2971 2973 11c330a 2970->2973 2972 11c332b 2971->2972 2973->2971 2973->2972 2974 11c8ee0 ??1QString@@QAE

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 288 11c1415-11cbcd7 SetUnhandledExceptionFilter
            C-Code - Quality: 100%
            			E011C1415() {
            				_Unknown_base(*)()* _t1;
            
            				_t1 = SetUnhandledExceptionFilter(0x11c11c7); // executed
            				return _t1;
            			}





            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_000011C7), ref: 011CBCD1
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: c52ab3ee09597bb39b8874617b53e4ead3ddc99295da62b93926be56ddf40b41
            • Instruction ID: 0dd35402592a6ef24e9752a567096adc2bbca57ea3410bc6c1c85037115f0910
            • Opcode Fuzzy Hash: c52ab3ee09597bb39b8874617b53e4ead3ddc99295da62b93926be56ddf40b41
            • Instruction Fuzzy Hash: BB900274784641B68E5C76F6971E5562D9059B1F56301045DE116D41064BE40441865E
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            APIs
            • ??0QVariant@@QAE@_N@Z.QT5CORE(00000001,4CDB14D0), ref: 011C4A65
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(RootDialog,?), ref: 011C4A83
            • ??1QVariant@@QAE@XZ.QT5CORE(?,00000000,6BEEFDE0), ref: 011C4A95
            • ??0QString@@QAE@XZ.QT5CORE(?,?,00000000,6BEEFDE0), ref: 011C4AA2
            • ??1QString@@QAE@XZ.QT5CORE(?,00000000), ref: 011C4ACB
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000003), ref: 011C4AF0
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000003), ref: 011C4B17
            • ?setFocusPolicy@QWidget@@QAEXW4FocusPolicy@Qt@@@Z.QT5WIDGETS(00000000,00000000), ref: 011C4B3D
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C4B59
            • ??1QString@@QAE@XZ.QT5CORE(?,00000000), ref: 011C4B80
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000006), ref: 011C4BA5
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000006), ref: 011C4BCC
            • ?icon@QAbstractButton@@QBE?AVQIcon@@XZ.QT5WIDGETS(?), ref: 011C4BE6
            • ?isNull@QIcon@@QBE_NXZ.QT5GUI ref: 011C4BF2
            • ??1QIcon@@QAE@XZ.QT5GUI ref: 011C4C01
            • ?iconSize@QAbstractButton@@QBE?AVQSize@@XZ.QT5WIDGETS(?), ref: 011C4C11
            • ??0QVariant@@QAE@ABVQSize@@@Z.QT5CORE(?), ref: 011C4C1E
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(ICONSIZE,?), ref: 011C4C33
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C4C42
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C4C57
            • ??1QString@@QAE@XZ.QT5CORE(?,00000000), ref: 011C4C7E
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(0000000B), ref: 011C4CA3
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(0000000B), ref: 011C4CCA
            • ?objectName@QObject@@QBE?AVQString@@XZ.QT5CORE(?), ref: 011C4CDD
            • ?view@QComboBox@@QBEPAVQAbstractItemView@@XZ.QT5WIDGETS ref: 011C4CE9
            • ?childrenRect@QWidget@@QBE?AVQRect@@XZ.QT5WIDGETS(?), ref: 011C4CF8
            • ?height@QRect@@QBEHXZ.QT5CORE ref: 011C4D00
            • ??0QVariant@@QAE@H@Z.QT5CORE(00000000), ref: 011C4D0D
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(ITEMHEIGHT,?), ref: 011C4D25
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C4D2D
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C4D36
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C4D47
            • ??1QString@@QAE@XZ.QT5CORE(?,00000000), ref: 011C4D6E
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000010), ref: 011C4D93
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000010), ref: 011C4DBA
            • ?contentsRect@QWidget@@QBE?AVQRect@@XZ.QT5WIDGETS(?), ref: 011C4DD0
            • ?height@QRect@@QBEHXZ.QT5CORE ref: 011C4DDC
            • ??0QVariant@@QAE@N@Z.QT5CORE ref: 011C4E00
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(INDICATORC,?), ref: 011C4E18
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C4E24
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C4E31
            • ??1QString@@QAE@XZ.QT5CORE(?,00000000), ref: 011C4E58
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000014), ref: 011C4E7D
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000014), ref: 011C4EA4
            • ?contentsRect@QWidget@@QBE?AVQRect@@XZ.QT5WIDGETS(?), ref: 011C4EBA
            • ?height@QRect@@QBEHXZ.QT5CORE ref: 011C4EC6
            • ??0QVariant@@QAE@N@Z.QT5CORE ref: 011C4EEA
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(INDICATORL,?), ref: 011C4F02
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C4F0E
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C4F1B
            • ??1QString@@QAE@XZ.QT5CORE(?,00000000), ref: 011C4F42
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000018), ref: 011C4F67
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000018), ref: 011C4F8E
            • ?contentsRect@QWidget@@QBE?AVQRect@@XZ.QT5WIDGETS(?), ref: 011C4FA9
            • ?frameSize@QWidget@@QBE?AVQSize@@XZ.QT5WIDGETS(?), ref: 011C4FB8
            • ?y@QRect@@QBEHXZ.QT5CORE ref: 011C4FC0
            • ??0QVariant@@QAE@H@Z.QT5CORE(00000000), ref: 011C4FCD
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(INDICKATOR,?), ref: 011C4FE5
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C4FF1
            • ??0QVariant@@QAE@N@Z.QT5CORE ref: 011C5011
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(LASTRATE,?), ref: 011C5029
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C5035
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C5073
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C50A0
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C50CD
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C50FA
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C5127
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C5155
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$String@@Variant@@$?setObject@@Rect@@$Property@Variant@@@$?begin@?dispose@?end@Data@1@@Widget@@$Rect@$?contents?height@AbstractIcon@@$Button@@FocusPolicy@Size@Size@@$?children?frame?icon?icon@?object?view@Box@@ComboItemName@Null@Qt@@@Size@@@View@@
            • String ID: $ICONSIZE$INDICATORC$INDICATORL$INDICKATOR$ITEMHEIGHT$LASTRATE$RootDialog
            • API String ID: 2975295530-271165771
            • Opcode ID: bcb0f907aa2be033bce9c0cebecb6db7f5aa6363f22982a2668a3eac2ba0d758
            • Instruction ID: 60a1718aa241cda5978625f36815f6befd143986916bb49f9791e1c26df021dc
            • Opcode Fuzzy Hash: bcb0f907aa2be033bce9c0cebecb6db7f5aa6363f22982a2668a3eac2ba0d758
            • Instruction Fuzzy Hash: CE327075A0010ADFDF28DBE8D994AEDBBF5BF28704F144168E516E7290DB30AE45CB60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 112 11c88b0-11c891b ?setWindowTitle@QWidget@@QAEXABVQString@@@Z ?setWindowFlags@QWidget@@QAEXV?$QFlags@W4WindowType@Qt@@@@@Z ?setAttribute@QWidget@@QAEXW4WidgetAttribute@Qt@@_N@Z call 11c1366 115 11c891d-11c892c ??0QGraphicsDropShadowEffect@@QAE@PAVQObject@@@Z 112->115 116 11c892e 112->116 117 11c8930-11c899b ?setOffset@QGraphicsDropShadowEffect@@QAEXABVQPointF@@@Z ??0QColor@@QAE@W4GlobalColor@Qt@@@Z ?setColor@QGraphicsDropShadowEffect@@QAEXABVQColor@@@Z ?setBlurRadius@QGraphicsDropShadowEffect@@QAEXN@Z ?setGraphicsEffect@QWidget@@QAEXPAVQGraphicsEffect@@@Z call 11c1366 115->117 116->117 120 11c899d-11c89ac ??0QTimer@@QAE@PAVQObject@@@Z 117->120 121 11c89ae 117->121 122 11c89b0-11c8b1d ?setInterval@QTimer@@QAEXH@Z ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z ??1Connection@QMetaObject@@QAE@XZ ?tr@QMetaObject@@QBE?AVQString@@PBD0H@Z ?setText@QLabel@@QAEXABVQString@@@Z ??1QString@@QAE@XZ ?tr@QMetaObject@@QBE?AVQString@@PBD0H@Z ?setText@QLabel@@QAEXABVQString@@@Z ??1QString@@QAE@XZ ?tr@QMetaObject@@QBE?AVQString@@PBD0H@Z ?setText@QLabel@@QAEXABVQString@@@Z ??1QString@@QAE@XZ ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z ??0QString@@QAE@XZ GetEnvironmentStringsW ?value@QProcessEnvironment@@QBE?AVQString@@ABV2@0@Z ??1QProcessEnvironment@@QAE@XZ ??1QString@@QAE@XZ * 2 ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z call 11c1037 120->122 121->122 124 11c8b22-11c8b5a ??1QString@@QAE@XZ ??0QFileInfo@@QAE@ABVQString@@@Z ?isFile@QFileInfo@@QBE_NXZ 122->124 125 11c8b5c-11c8b8f ??1QString@@QAE@XZ 124->125 126 11c8b91-11c8bbd ??1QString@@QAE@XZ 124->126 131 11c8bc4-11c8c03 ?hide@QWidget@@QAEXXZ ??1QFileInfo@@QAE@XZ ??1QString@@QAE@XZ * 2 call 11c124e 125->131 126->131
            APIs
            • ?setWindowTitle@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(?,4CDB14D0), ref: 011C88E4
            • ?setWindowFlags@QWidget@@QAEXV?$QFlags@W4WindowType@Qt@@@@@Z.QT5WIDGETS(0004080B), ref: 011C88F1
            • ?setAttribute@QWidget@@QAEXW4WidgetAttribute@Qt@@_N@Z.QT5WIDGETS(00000078,00000001), ref: 011C88FD
            • ??0QGraphicsDropShadowEffect@@QAE@PAVQObject@@@Z.QT5WIDGETS ref: 011C8920
            • ?setOffset@QGraphicsDropShadowEffect@@QAEXABVQPointF@@@Z.QT5WIDGETS(?), ref: 011C8944
            • ??0QColor@@QAE@W4GlobalColor@Qt@@@Z.QT5GUI(00000005), ref: 011C894F
            • ?setColor@QGraphicsDropShadowEffect@@QAEXABVQColor@@@Z.QT5WIDGETS(?), ref: 011C895B
            • ?setBlurRadius@QGraphicsDropShadowEffect@@QAEXN@Z.QT5WIDGETS ref: 011C8973
            • ?setGraphicsEffect@QWidget@@QAEXPAVQGraphicsEffect@@@Z.QT5WIDGETS(00000000), ref: 011C897D
            • ??0QTimer@@QAE@PAVQObject@@@Z.QT5CORE ref: 011C89A0
            • ?setInterval@QTimer@@QAEXH@Z.QT5CORE(000000C8), ref: 011C89C1
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,?,2timeout(),?,1updateWait(),00000000), ref: 011C89DB
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C89E7
            • ?tr@QMetaObject@@QBE?AVQString@@PBD0H@Z.QT5CORE(?,IdeaShare Key,00000000,000000FF), ref: 011C8A05
            • ?setText@QLabel@@QAEXABVQString@@@Z.QT5WIDGETS(?), ref: 011C8A1B
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8A27
            • ?tr@QMetaObject@@QBE?AVQString@@PBD0H@Z.QT5CORE(?,Success,00000000,000000FF), ref: 011C8A3F
            • ?setText@QLabel@@QAEXABVQString@@@Z.QT5WIDGETS(?), ref: 011C8A4F
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8A5B
            • ?tr@QMetaObject@@QBE?AVQString@@PBD0H@Z.QT5CORE(?,Do not remove the IdeaShare Key.,00000000,000000FF), ref: 011C8A73
            • ?setText@QLabel@@QAEXABVQString@@@Z.QT5WIDGETS(?), ref: 011C8A83
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8A8F
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(localappdata,0000000C), ref: 011C8AA2
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C8AB4
            • GetEnvironmentStringsW.KERNEL32(?), ref: 011C8AC4
            • ?value@QProcessEnvironment@@QBE?AVQString@@ABV2@0@Z.QT5CORE(?,?,00000000), ref: 011C8ADC
            • ??1QProcessEnvironment@@QAE@XZ.QT5CORE ref: 011C8AE5
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8AEE
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8AFB
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(\IdeaShareKey\IdeaShareService.exe,00000022), ref: 011C8B08
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8B2C
            • ??0QFileInfo@@QAE@ABVQString@@@Z.QT5CORE(?), ref: 011C8B39
            • ?isFile@QFileInfo@@QBE_NXZ.QT5CORE ref: 011C8B46
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8B82
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8BB7
            • ?hide@QWidget@@QAEXXZ.QT5WIDGETS ref: 011C8BC7
            • ??1QFileInfo@@QAE@XZ.QT5CORE ref: 011C8BD0
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8BD9
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8BE2
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$?set$GraphicsObject@@$MetaString@@@Widget@@$DropEffect@@Shadow$?tr@FileInfo@@Label@@Text@Window$?fromArrayAscii_helper@Attribute@Color@Connection@Data@Environment@@Flags@Object@@@ProcessQt@@@Timer@@Type@Typed$?connect@?hide@?value@BlurColor@@Color@@@ConnectionEffect@Effect@@@EnvironmentF@@@File@GlobalInterval@Offset@PointQt@@@@@Qt@@_Radius@StringsTitle@V2@0@Widget
            • String ID: 1updateWait()$2timeout()$Do not remove the IdeaShare Key.$IdeaShare Key$Installing...$Success$Upgrading...$\IdeaShareKey\IdeaShareService.exe$localappdata
            • API String ID: 1008449272-3175431068
            • Opcode ID: 2cd8602a999f981b8dd86edbf528280bfd8cf36630610380e85a511a5c327285
            • Instruction ID: 6761917dafbdd95a8f1d8ec3724c696e49b4cef8b81018ef5acf8e1b1c95b9f5
            • Opcode Fuzzy Hash: 2cd8602a999f981b8dd86edbf528280bfd8cf36630610380e85a511a5c327285
            • Instruction Fuzzy Hash: 74A16EB1900209EFCB18DFE4D948BDDBBF8BF09714F144269E926B7285DB705A84CB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 134 11c7cd0-11c7d4e ??0QtSingleApplication@@QAE@AAHPAPAD_N@Z ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z ?sendMessage@QtSingleApplication@@QAE_NABVQString@@H@Z ??1QString@@QAE@XZ 135 11c7d57-11c7d98 ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z ??0QFile@@QAE@ABVQString@@@Z ??1QString@@QAE@XZ ?open@QFile@@UAE_NV?$QFlags@W4OpenModeFlag@QIODevice@@@@@Z 134->135 136 11c7d50-11c7d52 134->136 138 11c7d9e-11c7dc4 ?readAll@QIODevice@@QAE?AVQByteArray@@XZ ?constData@QByteArray@@QBEPBDXZ 135->138 139 11c7e2b-11c7e4f ??0QLocale@@QAE@XZ ??0QTranslator@@QAE@PAVQObject@@@Z call 11c113b 135->139 137 11c7fa3-11c7fbf ??1QApplication@@UAE@XZ 136->137 141 11c7dde-11c7e25 ?constData@QByteArray@@QBEPBDXZ ??0QString@@QAE@VQLatin1String@@@Z ??1QByteArray@@QAE@XZ ?setStyleSheet@QApplication@@QAEXABVQString@@@Z ?close@QFileDevice@@UAEXXZ ??1QString@@QAE@XZ 138->141 142 11c7dc6-11c7dc8 138->142 145 11c7e51-11c7e54 139->145 146 11c7eb3-11c7ebb call 11c10c3 139->146 141->139 142->141 144 11c7dca 142->144 147 11c7dd0-11c7dd7 144->147 148 11c7e5a-11c7eb1 ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z ??0QString@@QAE@XZ * 3 ?load@QTranslator@@QAE_NABVQString@@000@Z ??1QString@@QAE@XZ * 2 145->148 149 11c7f27-11c7f3c ?installTranslator@QCoreApplication@@SA_NPAVQTranslator@@@Z call 11c119a 145->149 146->149 155 11c7ebd-11c7f11 ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z ??0QString@@QAE@XZ * 3 ?load@QTranslator@@QAE_NABVQString@@000@Z ??1QString@@QAE@XZ * 2 146->155 147->141 151 11c7dd9-11c7ddc 147->151 152 11c7f14-11c7f21 ??1QString@@QAE@XZ * 2 148->152 156 11c7f41-11c7f52 call 11c11ae 149->156 151->141 151->147 152->149 155->152 159 11c7f58-11c7f7b ?show@QWidget@@QAEXXZ ?setActivationWindow@QtSingleApplication@@QAEXPAVQWidget@@_N@Z ?exec@QApplication@@SAHXZ 156->159 160 11c7f54-11c7f56 156->160 161 11c7f7d-11c7f9d call 11c1244 ??1QTranslator@@UAE@XZ ??1QLocale@@QAE@XZ ??1QFile@@UAE@XZ 159->161 160->161 
161->137
            APIs
            • ??0QtSingleApplication@@QAE@AAHPAPAD_N@Z.QTSINGLEAPP(?,?,00000001,4CDB14D0), ref: 011C7D07
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(QAQ!,00000004,?,?,00000001,4CDB14D0), ref: 011C7D20
            • ?sendMessage@QtSingleApplication@@QAE_NABVQString@@H@Z.QTSINGLEAPP(?,00001388), ref: 011C7D38
            • ??1QString@@QAE@XZ.QT5CORE(?,00001388), ref: 011C7D46
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(:/main.qss,0000000A), ref: 011C7D5E
            • ??0QFile@@QAE@ABVQString@@@Z.QT5CORE(?), ref: 011C7D71
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7D7E
            • ?open@QFile@@UAE_NV?$QFlags@W4OpenModeFlag@QIODevice@@@@@Z.QT5CORE ref: 011C7D90
            • ?readAll@QIODevice@@QAE?AVQByteArray@@XZ.QT5CORE(?), ref: 011C7DA5
            • ?constData@QByteArray@@QBEPBDXZ.QT5CORE ref: 011C7DB8
            • ?constData@QByteArray@@QBEPBDXZ.QT5CORE ref: 011C7DE0
            • ??0QString@@QAE@VQLatin1String@@@Z.QT5CORE(00000000,00000000), ref: 011C7DEF
            • ??1QByteArray@@QAE@XZ.QT5CORE ref: 011C7DFC
            • ?setStyleSheet@QApplication@@QAEXABVQString@@@Z.QT5WIDGETS(?), ref: 011C7E09
            • ?close@QFileDevice@@UAEXXZ.QT5CORE ref: 011C7E12
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7E1F
            • ??0QLocale@@QAE@XZ.QT5CORE ref: 011C7E2E
            • ??0QTranslator@@QAE@PAVQObject@@@Z.QT5CORE(00000000), ref: 011C7E3D
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(:/IdeaShareKey_zh.qm,00000014), ref: 011C7E61
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C7E6C
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C7E77
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C7E82
            • ?load@QTranslator@@QAE_NABVQString@@000@Z.QT5CORE(?,00000000,00000000,00000000), ref: 011C7E96
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7E9F
            • ??1QApplication@@UAE@XZ.QT5WIDGETS ref: 011C7FA6
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$Data@$Application@@Array@@Byte$?fromArrayAscii_helper@String@@@Typed$?constDevice@@File@@SingleTranslator@@$?close@?load@?open@?read?send?setAll@Device@@@@@FileFlag@Flags@Latin1Locale@@Message@ModeObject@@@OpenSheet@String@@000@Style
            • String ID: :/IdeaShareKey_zh.qm$:/main.qss$QAQ!
            • API String ID: 1779654089-2425052429
            • Opcode ID: 799dd60feddad273fb03d1949965f2140def132eed9481cf59c94e02ed602c42
            • Instruction ID: e6b7a6a511ef26f468b5ecdd2056e930f62e3e84c8cce4d5d6a22c7e92014401
            • Opcode Fuzzy Hash: 799dd60feddad273fb03d1949965f2140def132eed9481cf59c94e02ed602c42
            • Instruction Fuzzy Hash: EC919F7180015AEFCB18DBE4DC58BEEBBB4FF25704F144169E523A7280EB705A89CB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 164 11c8080-11c817d call 11c1361 ??0QString@@QAE@XZ ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z call 11c1122 call 11c105f call 11c142e call 11c1366 175 11c817f-11c818e ??0QTimer@@QAE@PAVQObject@@@Z 164->175 176 11c8190 164->176 177 11c8192-11c81df ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z ??1Connection@QMetaObject@@QAE@XZ ?start@QTimer@@QAEXH@Z call 11c105a 175->177 176->177 180 11c81e9 177->180 181 11c81e1-11c81e7 177->181 182 11c81ef-11c825a ?singleShot@QTimer@@SAXHPBVQObject@@PBD@Z ?desktop@QApplication@@SAPAVQDesktopWidget@@XZ ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z ??1Connection@QMetaObject@@QAE@XZ ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z ??1Connection@QMetaObject@@QAE@XZ ?screens@QGuiApplication@@SA?AV?$QList@PAVQScreen@@@@XZ 180->182 181->182 183 11c825c-11c825e 182->183 184 11c826e-11c8281 ?begin@QListData@@QBEPAPAXXZ 182->184 183->184 185 11c8260-11c8269 call 11c1078 183->185 186 11c8295-11c82a3 ?end@QListData@@QBEPAPAXXZ 184->186 187 11c8283-11c8285 184->187 185->184 190 11c82a5-11c82cf ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z ??1Connection@QMetaObject@@QAE@XZ 186->190 191 11c82d1-11c82dc 186->191 187->186 189 11c8287-11c8290 call 11c1078 187->189 189->186 190->190 190->191 193 11c82de-11c82e1 191->193 194 11c82f7-11c8300 ?dispose@QListData@@SAXPAUData@1@@Z 191->194 195 11c8303-11c8335 ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z ??1Connection@QMetaObject@@QAE@XZ call 11c118b call 11c143d 193->195 196 11c82e3-11c82f5 193->196 194->195 200 11c833a-11c835d ?showNormal@QWidget@@QAEXXZ ?activateWindow@QWidget@@QAEXXZ 195->200 196->194 196->195
            APIs
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C80F2
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(?,?,PromptWindow,0000000C), ref: 011C8120
            • ??0QTimer@@QAE@PAVQObject@@@Z.QT5CORE ref: 011C8182
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,00000000,2timeout(),?,1keyStatusDetect(),00000000), ref: 011C81B1
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C81BF
            • ?start@QTimer@@QAEXH@Z.QT5CORE(?), ref: 011C81CA
            • ?singleShot@QTimer@@SAXHPBVQObject@@PBD@Z.QT5CORE(?,?,1winExit()), ref: 011C81EF
            • ?desktop@QApplication@@SAPAVQDesktopWidget@@XZ.QT5WIDGETS ref: 011C81F8
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,00000000,2resized(int),?,1windowReturn(),00000080), ref: 011C8216
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C821E
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,?,2screenCountChanged(int),?,1windowReturn(),00000080), ref: 011C8237
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C823F
            • ?screens@QGuiApplication@@SA?AV?$QList@PAVQScreen@@@@XZ.QT5GUI(011D3044), ref: 011C8245
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(011CA300), ref: 011C8271
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(011CA300), ref: 011C8298
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,00000000,2logicalDotsPerInchChanged(qreal),?,1windowReturn(),00000080), ref: 011C82BB
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C82C3
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(011D3044), ref: 011C82FA
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,?,2primaryScreenChanged(QScreen *),?,1windowReturn(),00000080), ref: 011C831E
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C8326
            • ?showNormal@QWidget@@QAEXXZ.QT5WIDGETS ref: 011C833C
            • ?activateWindow@QWidget@@QAEXXZ.QT5WIDGETS ref: 011C8344
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Object@@$Connection@Meta$?connect@ConnectionQt@@@Type@$Data@@ListTimer@@Widget@@$Application@@String@@$?activate?begin@?desktop@?dispose@?end@?from?screens@?show?single?start@ArrayAscii_helper@Data@Data@1@@DesktopList@Normal@Object@@@Screen@@@@Shot@TypedWindow@
            • String ID: 1keyStatusDetect()$1winExit()$1windowReturn()$2logicalDotsPerInchChanged(qreal)$2primaryScreenChanged(QScreen *)$2resized(int)$2screenCountChanged(int)$2timeout()$PromptWindow
            • API String ID: 1966278780-3200450471
            • Opcode ID: 10facc1fcb14a25df03d62a8f350503519f29a9dd77e62ebfa21f6425ffa113d
            • Instruction ID: c6bdb2fe29a868e1ef707a5a3a074559916514728c58019c48c55262704351ca
            • Opcode Fuzzy Hash: 10facc1fcb14a25df03d62a8f350503519f29a9dd77e62ebfa21f6425ffa113d
            • Instruction Fuzzy Hash: 5281CF70A00206FBDB18DFA8CC89B9DBBF5FF14B04F044118E925AB281DB75AA55CB91
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
              • Part of subcall function 011C1357: ___get_entropy.LIBCMT ref: 011CBE85
            • _initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(011D1418,011D1724,011DF928,00000014), ref: 011CB0C9
            • _initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(011D1000,011D1314,011DF928,00000014), ref: 011CB0EF
            • _register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,011DF928,00000014), ref: 011CB150
            • _get_narrow_winmain_command_line.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,011DF928,00000014), ref: 011CB15F
            • _cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0(011DF928,00000014), ref: 011CB17F
            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000007,011DF928,00000014), ref: 011CB1E6
            • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,011DF928,00000014), ref: 011CB1EE
            • _get_narrow_winmain_command_line.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000007,011DF928,00000014), ref: 011CB25C
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: _get_narrow_winmain_command_line$___get_entropy_cexit_exit_initterm_initterm_e_register_thread_local_exe_atexit_callbackexit
            • String ID:
            • API String ID: 1215483903-0
            • Opcode ID: 1275fda19cb6ef2e075eba5501499fd12d015ec745be4ab5663bd5e8b0794ed9
            • Instruction ID: d55eb2f216e0df6a1f4e734b1e16792e202f4b1e8bac628c79ada028d23ddcda
            • Opcode Fuzzy Hash: 1275fda19cb6ef2e075eba5501499fd12d015ec745be4ab5663bd5e8b0794ed9
            • Instruction Fuzzy Hash: 4231FD36688353F5DA3C7BB4A8027AD67A15FB2E69F24001DE540E71C2CF554941C799
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 92%
            			E011C1064(void* __fp0) {
            				void* __ebp;
            				signed int _t33;
            				signed int _t35;
            				intOrPtr _t37;
            				void* _t39;
            				signed int _t42;
            				char* _t44;
            				int _t47;
            				void* _t49;
            				short* _t50;
            				signed int _t55;
            				signed int _t56;
            				signed int _t58;
            				void* _t60;
            				char* _t62;
            				signed int _t64;
            				int _t66;
            				intOrPtr _t68;
            				void* _t70;
            				void* _t71;
            				void* _t72;
            				void* _t76;
            
            				_t76 = __fp0;
            				 *(_t70 + 4) = 0;
            				_t33 = CommandLineToArgvW(GetCommandLineW(), _t70 + 4);
            				_t49 = _t33;
            				 *(_t70 + 0x18) = _t49;
            				if(_t49 != 0) {
            					_t35 =  *(_t70 + 4) + 1;
            					_t58 = _t35 * 4 >> 0x20;
            					_push( ~(0 | __eflags > 0x00000000) | _t35 * 0x00000004);
            					_t37 = L011C10EB();
            					_t55 =  *(_t70 + 0x14);
            					_t71 = _t70 + 4;
            					 *(_t71 + 0x14) = 0;
            					_t68 = _t37;
            					 *((intOrPtr*)(_t71 + 0x20)) = _t68;
            					__eflags = _t55;
            					if(_t55 != 0) {
            						_t42 = _t49 - _t68;
            						__eflags = _t42;
            						 *(_t71 + 0x1c) = _t42;
            						do {
            							_t50 =  *(_t42 + _t68);
            							_t66 = WideCharToMultiByte(0, 0, _t50, 0xffffffff, 0, 0, 0, 0);
            							_push(_t66);
            							_t44 = L011C10EB();
            							_t71 = _t71 + 4;
            							_t62 = _t44;
            							WideCharToMultiByte(0, 0, _t50, 0xffffffff, _t62, _t66, 0, 0);
            							_t68 = _t68 + 4;
            							_t47 =  *(_t71 + 0x14) + 1;
            							 *(_t68 - 4) = _t62;
            							_t55 =  *(_t71 + 0x10);
            							__eflags = _t47 - _t55;
            							 *(_t71 + 0x14) = _t47;
            							_t42 =  *(_t71 + 0x1c);
            						} while (_t47 != _t55);
            						_t68 =  *((intOrPtr*)(_t71 + 0x20));
            						_t49 =  *(_t71 + 0x24);
            					}
            					 *(_t68 + _t55 * 4) = 0;
            					LocalFree(_t49);
            					_t39 = L011C132F(_t58, _t76,  *(_t71 + 0x14), _t68); // executed
            					_t64 = 0;
            					_t72 = _t71 + 8;
            					_t60 = _t39;
            					__eflags =  *(_t72 + 0x10);
            					if( *(_t72 + 0x10) != 0) {
            						while(1) {
            							_t56 =  *(_t68 + _t64 * 4);
            							__eflags = _t56;
            							if(_t56 == 0) {
            								goto L10;
            							}
            							_push(_t56);
            							L011C127B();
            							_t64 = _t64 + 1;
            							_t72 = _t72 + 4;
            							__eflags = _t64 -  *(_t72 + 0x10);
            							if(_t64 !=  *(_t72 + 0x10)) {
            								continue;
            							}
            							goto L10;
            						}
            					}
            					L10:
            					_push(_t68);
            					L011C127B();
            					return _t60;
            				} else {
            					return _t33 | 0xffffffff;
            				}
            			}


























            APIs
            • GetCommandLineW.KERNEL32(?), ref: 011CC0D1
            • CommandLineToArgvW.SHELL32(00000000), ref: 011CC0D8
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 011CC143
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 011CC163
            • LocalFree.KERNEL32(00000000), ref: 011CC195
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: ByteCharCommandLineMultiWide$ArgvFreeLocal
            • String ID:
            • API String ID: 4060259846-0
            • Opcode ID: f0adfb92fdbd9c7679f5a46de9a07571084cd1cdf491e875b85a809c26803b4e
            • Instruction ID: 07c5c2e4bfdc7770ececc6d078ada2411b225f8b6b9075c88846f8cd8aeae6a7
            • Opcode Fuzzy Hash: f0adfb92fdbd9c7679f5a46de9a07571084cd1cdf491e875b85a809c26803b4e
            • Instruction Fuzzy Hash: 1931D471644305ABD728EF689C41B1B7BE4EF94B14F10492DF95ADB2C1D730AD088BA2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 276 11cb1ad 277 11cb1b0 call 11c1235 276->277 278 11cb1b5-11cb1b7 277->278 279 11cb1b9-11cb1bd 278->279 280 11cb1eb-11cb26e _exit call 11c1285 _get_narrow_winmain_command_line call 11c1064 278->280 281 11cb1bf _c_exit 279->281 282 11cb1c4-11cb1cb 279->282 281->282 285 11cb1ce-11cb1dd 282->285
            APIs
              • Part of subcall function 011C1235: GetModuleHandleW.KERNEL32(00000000), ref: 011CBC7B
            • _c_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 011CB1BF
            • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,011DF928,00000014), ref: 011CB1EE
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: HandleModule_c_exit_exit
            • String ID:
            • API String ID: 750871209-0
            • Opcode ID: 9d3c94f230045c0c348ad0db6325abb81e632fbd6dea1542ef29a16c4d2b985a
            • Instruction ID: 4d7c2e17aec8823836f33e6e2b0dbdfd3e57a75b7e1ea580bc36708a6423d9e2
            • Opcode Fuzzy Hash: 9d3c94f230045c0c348ad0db6325abb81e632fbd6dea1542ef29a16c4d2b985a
            • Instruction Fuzzy Hash: 87E0E5B9E04357EEDF1CBBE898017BD7762AF71D1CF20049DE950A31C1C72448108694
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 399 11c5520-11c5596 ??0QString@@QAE@XZ call 11c1299 ??1QString@@QAE@XZ 402 11c5598-11c559a 399->402 403 11c55aa-11c55bd ?begin@QListData@@QBEPAPAXXZ 399->403 402->403 404 11c559c-11c55a5 call 11c10b9 402->404 405 11c55bf-11c55c1 403->405 406 11c55d1-11c55eb ?end@QListData@@QBEPAPAXXZ 403->406 404->403 405->406 408 11c55c3-11c55cc call 11c10b9 405->408 409 11c5848-11c5880 ??0QString@@QAE@XZ call 11c1311 ??1QString@@QAE@XZ 406->409 410 11c55f1-11c55f5 406->410 408->406 418 11c5894-11c58a7 ?begin@QListData@@QBEPAPAXXZ 409->418 419 11c5882-11c5884 409->419 411 11c583c-11c5842 410->411 412 11c55fb-11c56ad call 11c13a7 ?objectName@QObject@@QBE?AVQString@@XZ ?property@QObject@@QBE?AVQVariant@@PBD@Z ?toInt@QVariant@@QBEHPA_N@Z ??1QVariant@@QAE@XZ ?property@QObject@@QBE?AVQVariant@@PBD@Z ??1QVariant@@QAE@XZ ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z 410->412 411->409 411->410 431 11c57a9-11c581a ??0QChar@@QAE@UQLatin1Char@@@Z ?arg@QString@@QBE?AV1@HHHVQChar@@@Z ??0QChar@@QAE@UQLatin1Char@@@Z ?arg@QString@@QBE?AV1@HHHVQChar@@@Z ?setStyleSheet@QWidget@@QAEXABVQString@@@Z ??1QString@@QAE@XZ * 2 412->431 432 11c56b3-11c57a7 ??0QChar@@QAE@UQLatin1Char@@@Z ?arg@QString@@QBE?AV1@HHHVQChar@@@Z ??0QChar@@QAE@UQLatin1Char@@@Z ?arg@QString@@QBE?AV1@HHHVQChar@@@Z ??0QChar@@QAE@UQLatin1Char@@@Z ?arg@QString@@QBE?AV1@HHHVQChar@@@Z ??0QString@@QAE@ABV0@@Z ?append@QString@@QAEAAV1@ABV1@@Z ?setStyleSheet@QWidget@@QAEXABVQString@@@Z ??1QString@@QAE@XZ * 5 412->432 420 11c58a9-11c58ab 418->420 421 11c58bb-11c58c9 ?end@QListData@@QBEPAPAXXZ 418->421 419->418 422 11c5886-11c588f call 11c1316 419->422 420->421 424 11c58ad-11c58b6 call 11c1316 420->424 426 11c58cf-11c58d2 421->426 427 11c5b56-11c5b6a 421->427 422->418 424->421 433 11c58d5-11c58d9 426->433 429 11c5b6c-11c5b6e 427->429 430 11c5b83-11c5b88 ?dispose@QListData@@SAXPAUData@1@@Z 427->430 434 11c5b8b-11c5b99 429->434 435 11c5b70-11c5b81 429->435 430->434 438 11c581d-11c5836 
??1QString@@QAE@XZ * 2 431->438 432->438 436 11c5b3f-11c5b50 433->436 437 11c58df-11c599f call 11c13a7 ?objectName@QObject@@QBE?AVQString@@XZ ??8QString@@QBE_NPBD@Z ?property@QObject@@QBE?AVQVariant@@PBD@Z ?toInt@QVariant@@QBEHPA_N@Z ??1QVariant@@QAE@XZ ?property@QObject@@QBE?AVQVariant@@PBD@Z ??1QVariant@@QAE@XZ ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z 433->437 440 11c5b9b-11c5b9e 434->440 441 11c5bb1-11c5bb6 ?dispose@QListData@@SAXPAUData@1@@Z 434->441 435->430 435->434 436->427 436->433 447 11c5aaf-11c5b26 ??0QChar@@QAE@UQLatin1Char@@@Z ?arg@QString@@QBE?AV1@HHHVQChar@@@Z ??0QChar@@QAE@UQLatin1Char@@@Z ?arg@QString@@QBE?AV1@HHHVQChar@@@Z ?setStyleSheet@QWidget@@QAEXABVQString@@@Z ??1QString@@QAE@XZ * 2 437->447 448 11c59a5-11c5aad ??0QChar@@QAE@UQLatin1Char@@@Z ?arg@QString@@QBE?AV1@HHHVQChar@@@Z ??0QChar@@QAE@UQLatin1Char@@@Z ?arg@QString@@QBE?AV1@HHHVQChar@@@Z ??0QChar@@QAE@UQLatin1Char@@@Z ?arg@QString@@QBE?AV1@HHHVQChar@@@Z ??0QString@@QAE@ABV0@@Z ?append@QString@@QAEAAV1@ABV1@@Z ?setStyleSheet@QWidget@@QAEXABVQString@@@Z ??1QString@@QAE@XZ * 5 437->448 438->411 443 11c5bb9-11c5bca 440->443 444 11c5ba0-11c5baf 440->444 441->443 444->441 444->443 449 11c5b29-11c5b3c ??1QString@@QAE@XZ * 2 447->449 448->449 449->436
            APIs
            • ??0QString@@QAE@XZ.QT5CORE(4CDB14D0), ref: 011C555B
            • ??1QString@@QAE@XZ.QT5CORE(?,00000000), ref: 011C5588
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C55AD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C55D4
            • ?objectName@QObject@@QBE?AVQString@@XZ.QT5CORE(?,00000000), ref: 011C5610
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,INDICATORC), ref: 011C5628
            • ?toInt@QVariant@@QBEHPA_N@Z.QT5CORE(00000000), ref: 011C5636
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C5653
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ALLWINFONTH), ref: 011C5667
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C569A
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(QCheckBox::indicator{width: %1px;height: %2px;},0000002F), ref: 011C56A7
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C56C6
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,6BF093C0,00000000,0000000A), ref: 011C56DB
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C56F1
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,6BF093C0,00000000,0000000A), ref: 011C5702
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE( ), ref: 011C572F
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,00000000,00000000,0000000A), ref: 011C5743
            • ??0QString@@QAE@ABV0@@Z.QT5CORE(00000000), ref: 011C5751
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(00000000), ref: 011C5761
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(00000000), ref: 011C576A
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5777
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5780
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5789
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5792
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C579E
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C57BC
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,6BF093C0,00000000,0000000A), ref: 011C57CE
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C57E4
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,6BF093C0,00000000,0000000A), ref: 011C57F5
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(00000000), ref: 011C5802
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C580B
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5814
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C581D
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C582A
            • ??0QString@@QAE@XZ.QT5CORE ref: 011C584B
            • ??1QString@@QAE@XZ.QT5CORE(?,00000000), ref: 011C5872
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C5897
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C58BE
            • ?objectName@QObject@@QBE?AVQString@@XZ.QT5CORE(?,00000000), ref: 011C58F4
            • ??8QString@@QBE_NPBD@Z.QT5CORE(011D1F91), ref: 011C5906
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,INDICATORL), ref: 011C591A
            • ?toInt@QVariant@@QBEHPA_N@Z.QT5CORE(00000000), ref: 011C5928
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C5945
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ALLWINFONTH), ref: 011C5959
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C598C
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(QRadioButton::indicator{width: %1px;height: %2px;},00000032), ref: 011C5999
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C59B8
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,6BF093C0,00000000,0000000A), ref: 011C59CD
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C59E3
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,6BF093C0,00000000,0000000A), ref: 011C59F7
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C5A24
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,00000000,00000000,0000000A), ref: 011C5A3B
            • ??0QString@@QAE@ABV0@@Z.QT5CORE(00000000), ref: 011C5A49
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(00000000), ref: 011C5A61
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(00000000), ref: 011C5A6A
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5A77
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5A83
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5A8C
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5A98
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5AA4
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C5AC2
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,6BF093C0,00000000,0000000A), ref: 011C5AD4
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C5AEA
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,6BF093C0,00000000,0000000A), ref: 011C5AFE
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(00000000), ref: 011C5B0B
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5B17
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5B20
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5B29
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5B36
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C5B86
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C5BB4
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$Char@@@$?arg@Char@@Latin1Variant@@$Data@@ListObject@@$?property@?setSheet@String@@@StyleWidget@@$?append@?begin@?dispose@?end@?from?objectArrayAscii_helper@Data@Data@1@@Int@Name@TypedV0@@V1@@
            • String ID: $ $ $ $ $ $ $ $ $ALLWINFONTH$INDICATORC$INDICATORL$QCheckBox::indicator{width: %1px;height: %2px;}$QCheckBox{font-size:%1px;}$QRadioButton::indicator{width: %1px;height: %2px;}$QRadioButton{font-size:%1px;}
            • API String ID: 3337527819-2551277055
            • Opcode ID: cc9d79dada7c9b5b50dca2fd9276fe882d3b75d3e4cbe2dd8b2d26898bc70502
            • Instruction ID: d977b1d83d4337020492c3d3c5a1347ad1276969d6643591ae1a20cec2b4b671
            • Opcode Fuzzy Hash: cc9d79dada7c9b5b50dca2fd9276fe882d3b75d3e4cbe2dd8b2d26898bc70502
            • Instruction Fuzzy Hash: FD227F71A0024AEFDB29CBE4DC58BEDBBF5BF18304F244168E416EB295DB705A85CB11
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ??0QString@@QAE@XZ.QT5CORE(4CDB14D0), ref: 011C6C2A
            • ?qt_qFindChildren_helper@@YAXPBVQObject@@ABVQString@@ABUQMetaObject@@PAV?$QList@PAX@@V?$QFlags@W4FindChildOption@Qt@@@@@Z.QT5CORE(?,00000000,?,00000001), ref: 011C6C5B
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6C6E
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C6C93
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C6CBA
            • ?orientation@QAbstractSlider@@QBE?AW4Orientation@Qt@@XZ.QT5WIDGETS(00000000), ref: 011C6CF2
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,LASTRATE), ref: 011C6D0F
            • ?toDouble@QVariant@@QBENPA_N@Z.QT5CORE(00000000), ref: 011C6D1D
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C6D39
            • ?value@QAbstractSlider@@QBEHXZ.QT5WIDGETS ref: 011C6D3D
            • ??0QVariant@@QAE@N@Z.QT5CORE ref: 011C6D74
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(LASTRATE,?), ref: 011C6D8C
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C6D9C
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ALLRECTWIN), ref: 011C6DAC
            • ?toRect@QVariant@@QBE?AVQRect@@XZ.QT5CORE(?), ref: 011C6DBF
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C6DCF
            • ?height@QRect@@QBEHXZ.QT5CORE ref: 011C6DD7
            • ?x@QRect@@QBEHXZ.QT5CORE ref: 011C6E55
            • ?setX@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C6E7F
            • ?y@QRect@@QBEHXZ.QT5CORE ref: 011C6E8B
            • ?setY@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C6EA9
            • ?width@QRect@@QBEHXZ.QT5CORE ref: 011C6EB5
            • ?setWidth@QRect@@QAEXH@Z.QT5CORE(6BF04640), ref: 011C6EF0
            • ?setRange@QAbstractSlider@@QAEXHH@Z.QT5WIDGETS(00000000,6BF04640), ref: 011C6EFB
            • ?height@QRect@@QBEHXZ.QT5CORE ref: 011C6F07
            • ?setHeight@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C6F31
            • ?setGeometry@QWidget@@QAEXABVQRect@@@Z.QT5WIDGETS(?), ref: 011C6F40
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(QSlider::handle:horizontal{ width: %1px; margin: -%3px -%4px -%5px -%6px; },0000004B), ref: 011C6F4D
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C6F66
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,?,00000000,0000000A), ref: 011C6F7A
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C6F90
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,?,00000000,0000000A), ref: 011C6FA3
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C6FB9
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,?,00000000,0000000A), ref: 011C6FCC
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE( ), ref: 011C6FE2
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,?,00000000,0000000A), ref: 011C6FF5
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C700B
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,?,00000000,0000000A), ref: 011C701E
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(QSlider::groove:horizontal{ height: %1px; left: %2px; right: %3px; },00000044), ref: 011C7032
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C704B
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,?,00000000,0000000A), ref: 011C705F
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C7075
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,?,00000000,0000000A), ref: 011C7088
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C709E
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,?,00000000,0000000A), ref: 011C70B1
            • ??0QString@@QAE@ABV0@@Z.QT5CORE(00000000), ref: 011C70BF
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(?), ref: 011C70D6
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(00000000), ref: 011C70DF
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C70F4
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C70FD
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7106
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C710F
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7118
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7121
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C712A
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7133
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C713C
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7145
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7152
            • ?setValue@QAbstractSlider@@QAEXH@Z.QT5WIDGETS(?), ref: 011C7160
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C71A1
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$Char@@@$Rect@@$?set$?arg@Char@@Latin1Variant@@$Object@@$AbstractSlider@@$Data@@List$?from?height@?property@ArrayAscii_helper@Data@FindTypedWidget@@$?append@?begin@?dispose@?end@?orientation@?qt_q?value@?width@ChildChildren_helper@@Data@1@@Double@Flags@Geometry@Height@List@MetaOption@Orientation@Property@Qt@@Qt@@@@@Range@Rect@Rect@@@Sheet@String@@@StyleV0@@V1@@Value@Variant@@@Width@
            • String ID: $ $ $ $ALLRECTWIN$LASTRATE$QSlider::groove:horizontal{ height: %1px; left: %2px; right: %3px; }$QSlider::handle:horizontal{ width: %1px; margin: -%3px -%4px -%5px -%6px; }
            • API String ID: 1508970534-59638223
            • Opcode ID: 96e99060a9a8f4954c2ffafc26b326a7fb7c8cb0c30747de9b373142cbf0dea8
            • Instruction ID: b1720d6031be8ebe0f87392f2290079ea9d564f173ff53bc9a48686bed12d7d9
            • Opcode Fuzzy Hash: 96e99060a9a8f4954c2ffafc26b326a7fb7c8cb0c30747de9b373142cbf0dea8
            • Instruction Fuzzy Hash: 21028B70D0024AEFDB2ACBF4D858BADBBB5BF59344F104269E416AB295EB305985CF10
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ??0QString@@QAE@XZ.QT5CORE(4CDB14D0), ref: 011C5DB5
            • ?qt_qFindChildren_helper@@YAXPBVQObject@@ABVQString@@ABUQMetaObject@@PAV?$QList@PAX@@V?$QFlags@W4FindChildOption@Qt@@@@@Z.QT5CORE(?,00000000,?,00000001), ref: 011C5DE6
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5DF6
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C5E1B
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C5E42
            • ?objectName@QObject@@QBE?AVQString@@XZ.QT5CORE(?,00000000), ref: 011C5E7F
            • ??8QString@@QBE_NPBD@Z.QT5CORE(011D1F91), ref: 011C5E91
            • ?setEditable@QComboBox@@QAEX_N@Z.QT5WIDGETS(00000001), ref: 011C5E9B
            • ?view@QComboBox@@QBEPAVQAbstractItemView@@XZ.QT5WIDGETS ref: 011C5E9F
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ITEMHEIGHT), ref: 011C5EB0
            • ?toInt@QVariant@@QBEHPA_N@Z.QT5CORE(00000000), ref: 011C5EBE
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C5EE8
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ALLWINFONTH), ref: 011C5EFC
            • ?toInt@QVariant@@QBEHPA_N@Z.QT5CORE(00000000), ref: 011C5F0A
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C5F2E
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,QComboBox{ background-color: #FFFFFF;font-size:%dpx;), ref: 011C5F47
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,border - radius: %dpx; color: #333333; padding: 1px %dpx 1px %dpx;},00000000), ref: 011C5F7E
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(00000000), ref: 011C5F8F
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5F9C
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,QAbstractItemView{font-size:%dpx;border-radius: %fpx; },00000000), ref: 011C5FBB
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(00000000), ref: 011C5FCC
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C5FD9
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(QAbstractItemView::item:selected{color: #0D94FF;background-color: #E6F7FF;},0000004B), ref: 011C5FE6
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(?), ref: 011C5FFD
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C600A
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,QComboBox::down-arrow{padding-right: %fpx;width: %fpx;height:%fpx;}), ref: 011C6042
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(00000000), ref: 011C6053
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6060
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,QAbstractItemView::item{height: %dpx;},?), ref: 011C6072
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(00000000), ref: 011C6083
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6090
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(?), ref: 011C609C
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,QComboBox{background-color: #FFFFFF;border-radius: %fpx;), ref: 011C60B3
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,color: #333333;padding: 1px %dpx 1px %dpx;}), ref: 011C60E7
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(00000000), ref: 011C60F8
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6105
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,QAbstractItemView{border-radius: %fpx;}), ref: 011C6121
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(00000000), ref: 011C6132
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C613F
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(QAbstractItemView::item:selected{color: #0D94FF;background-color: #E6F7FF;},0000004B), ref: 011C614C
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(?), ref: 011C6163
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6170
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,QComboBox::down-arrow{padding-right: %fpx;width: %fpx;height:%fpx;}), ref: 011C61A8
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(00000000), ref: 011C61B9
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C61C6
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,QAbstractItemView::item{height: %dpx;},?), ref: 011C61D8
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(00000000), ref: 011C61E9
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C61F6
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(?), ref: 011C6202
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C620F
            • ?setEditable@QComboBox@@QAEX_N@Z.QT5WIDGETS(00000000), ref: 011C6219
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6222
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C625F
            Strings
            • QComboBox{background-color: #FFFFFF;border-radius: %fpx;, xrefs: 011C60AD
            • ALLWINFONTH, xrefs: 011C5EF6
            • ITEMHEIGHT, xrefs: 011C5EAA
            • border - radius: %dpx; color: #333333; padding: 1px %dpx 1px %dpx;}, xrefs: 011C5F78
            • QComboBox{ background-color: #FFFFFF;font-size:%dpx;, xrefs: 011C5F41
            • QAbstractItemView{border-radius: %fpx;}, xrefs: 011C611B
            • QAbstractItemView::item{height: %dpx;}, xrefs: 011C606C, 011C61D2
            • QComboBox::down-arrow{padding-right: %fpx;width: %fpx;height:%fpx;}, xrefs: 011C603C, 011C61A2
            • color: #333333;padding: 1px %dpx 1px %dpx;}, xrefs: 011C60E1
            • QAbstractItemView::item:selected{color: #0D94FF;background-color: #E6F7FF;}, xrefs: 011C5FE1, 011C6147
            • QAbstractItemView{font-size:%dpx;border-radius: %fpx; }, xrefs: 011C5FB5
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$?append@?asprintf@V1@@$Variant@@$Object@@$?set$Box@@ComboData@@List$?from?property@ArrayAscii_helper@Data@Editable@FindInt@Sheet@String@@@StyleTypedWidget@@$?begin@?dispose@?end@?object?qt_q?view@AbstractChildChildren_helper@@Data@1@@Flags@ItemList@MetaName@Option@Qt@@@@@View@@
            • String ID: ALLWINFONTH$ITEMHEIGHT$QAbstractItemView::item:selected{color: #0D94FF;background-color: #E6F7FF;}$QAbstractItemView::item{height: %dpx;}$QAbstractItemView{border-radius: %fpx;}$QAbstractItemView{font-size:%dpx;border-radius: %fpx; }$QComboBox::down-arrow{padding-right: %fpx;width: %fpx;height:%fpx;}$QComboBox{ background-color: #FFFFFF;font-size:%dpx;$QComboBox{background-color: #FFFFFF;border-radius: %fpx;$border - radius: %dpx; color: #333333; padding: 1px %dpx 1px %dpx;}$color: #333333;padding: 1px %dpx 1px %dpx;}
            • API String ID: 482402492-3389520417
            • Opcode ID: 90c2dfd0170553994fc4f12879e3aaef289c9b8a92dde091f0e35c69f08bc202
            • Instruction ID: a04f5216b5c7dd96bd3c25ede13ce371e742fbc519e67f3e724c61fe36a9e0a0
            • Opcode Fuzzy Hash: 90c2dfd0170553994fc4f12879e3aaef289c9b8a92dde091f0e35c69f08bc202
            • Instruction Fuzzy Hash: 9CF1A171C0024AEFDB19DFE4D858ADDBBB8BF15305F204269E426AB245EB7056C8CB61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ??0QString@@QAE@XZ.QT5CORE(4CDB14D0), ref: 011C668A
            • ?qt_qFindChildren_helper@@YAXPBVQObject@@ABVQString@@ABUQMetaObject@@PAV?$QList@PAX@@V?$QFlags@W4FindChildOption@Qt@@@@@Z.QT5CORE(?,00000000,?,00000001), ref: 011C66BB
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C66CB
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C66F0
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C6717
            • ?objectName@QObject@@QBE?AVQString@@XZ.QT5CORE(?,00000000), ref: 011C674C
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ALLWINFONTH), ref: 011C6764
            • ?toInt@QVariant@@QBEHPA_N@Z.QT5CORE(00000000), ref: 011C6772
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C679C
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ICONSIZE), ref: 011C67AC
            • ?toSize@QVariant@@QBE?AVQSize@@XZ.QT5CORE(?), ref: 011C67BC
            • ??0QSize@@QAE@HH@Z.QT5CORE(00000000), ref: 011C685C
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C686C
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(qproperty-iconSize:%1px %2px;font-size: %3px;border-radius: %4px;,00000041), ref: 011C687D
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C6896
            • ?x@QRect@@QBEHXZ.QT5CORE(00000000,0000000A), ref: 011C68A3
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,00000000), ref: 011C68B1
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C68C7
            • ?y@QRect@@QBEHXZ.QT5CORE(00000000,0000000A), ref: 011C68D4
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,00000000), ref: 011C68E1
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE( ), ref: 011C68F7
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,?,00000000,0000000A), ref: 011C6908
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020,?,?,00000000,0000000A), ref: 011C691E
            • ?arg@QString@@QBE?AV1@NHDHVQChar@@@Z.QT5CORE(?), ref: 011C6945
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(00000000), ref: 011C6952
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C695B
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6964
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C696D
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6976
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(qproperty-iconSize:%1px %2px;border-radius: %3px;,00000031), ref: 011C698B
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C69A4
            • ?x@QRect@@QBEHXZ.QT5CORE(00000000,0000000A), ref: 011C69B1
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,00000000), ref: 011C69BF
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C69D5
            • ?y@QRect@@QBEHXZ.QT5CORE(00000000,0000000A), ref: 011C69E2
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,00000000), ref: 011C69EF
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE( ), ref: 011C6A05
            • ?arg@QString@@QBE?AV1@NHDHVQChar@@@Z.QT5CORE(?), ref: 011C6A2C
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(00000000), ref: 011C6A39
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6A42
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6A4B
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6A54
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6A5D
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6A6A
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C6AB1
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$Char@@@$?arg@Char@@Latin1$Variant@@$Object@@$Rect@@$Data@@List$?from?property@?setArrayAscii_helper@Data@FindSheet@Size@@String@@@StyleTypedWidget@@$?begin@?dispose@?end@?object?qt_qChildChildren_helper@@Data@1@@Flags@Int@List@MetaName@Option@Qt@@@@@Size@
            • String ID: $ $ $ $ $ $ALLWINFONTH$ICONSIZE$qproperty-iconSize:%1px %2px;border-radius: %3px;$qproperty-iconSize:%1px %2px;font-size: %3px;border-radius: %4px;
            • API String ID: 326357220-2301679172
            • Opcode ID: 70651698f0ad91e9a89d54cd275128963d39147d28ced20cdaa6e68257812088
            • Instruction ID: b386b4d20c14b96fe23fa0d49de74936cccc6c2f7a17eb879844ca12cf666a00
            • Opcode Fuzzy Hash: 70651698f0ad91e9a89d54cd275128963d39147d28ced20cdaa6e68257812088
            • Instruction Fuzzy Hash: 89E1B17190024AEFDB2ACBF4DC59BADBBF4BF19344F144229E426EB295DB305985CB10
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ALLRANGEL,?,4CDB14D0), ref: 011C7373
            • ?toRect@QVariant@@QBE?AVQRect@@XZ.QT5CORE(?), ref: 011C738C
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C7398
            • ?y@QRect@@QBEHXZ.QT5CORE ref: 011C73A1
            • ?setMaximumHeight@QWidget@@QAEXH@Z.QT5WIDGETS(00000000), ref: 011C73C8
            • ?bottom@QRect@@QBEHXZ.QT5CORE ref: 011C73D1
            • ?setMinimumHeight@QWidget@@QAEXH@Z.QT5WIDGETS(00000000), ref: 011C73EC
            • ?right@QRect@@QBEHXZ.QT5CORE ref: 011C73F5
            • ?setMaximumWidth@QWidget@@QAEXH@Z.QT5WIDGETS(00000000), ref: 011C741C
            • ?x@QRect@@QBEHXZ.QT5CORE ref: 011C7425
            • ?setMinimumWidth@QWidget@@QAEXH@Z.QT5WIDGETS(00000000), ref: 011C7440
            • ?objectName@QObject@@QBE?AVQString@@XZ.QT5CORE(?), ref: 011C744D
            • ??8QString@@QBE_NPBD@Z.QT5CORE(011D1F91), ref: 011C7462
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ALLRECTWIN), ref: 011C7474
            • ?toRect@QVariant@@QBE?AVQRect@@XZ.QT5CORE(?), ref: 011C7484
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C748D
            • ?x@QRect@@QBEHXZ.QT5CORE(?), ref: 011C74B0
            • ?setX@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C74CB
            • ?y@QRect@@QBEHXZ.QT5CORE ref: 011C74D4
            • ?setY@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C74EF
            • ?width@QRect@@QBEHXZ.QT5CORE(?), ref: 011C74F8
            • ?setWidth@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C751F
            • ?height@QRect@@QBEHXZ.QT5CORE ref: 011C7528
            • ?setHeight@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C754F
            • ?setGeometry@QWidget@@QAEXABVQRect@@@Z.QT5WIDGETS(?), ref: 011C755B
            • ??0QFont@@QAE@ABV0@@Z.QT5GUI(?), ref: 011C756B
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ALLWINFONTH), ref: 011C7580
            • ?toInt@QVariant@@QBEHPA_N@Z.QT5CORE(00000000), ref: 011C758E
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C759D
            • ?setPixelSize@QFont@@QAEXH@Z.QT5GUI(00000000), ref: 011C75BC
            • ?ensurePolished@QWidget@@QBEXXZ.QT5WIDGETS ref: 011C75C4
            • ?setFont@QWidget@@QAEXABVQFont@@@Z.QT5WIDGETS(?), ref: 011C75D0
            • ??1QFont@@QAE@XZ.QT5GUI ref: 011C75D9
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C75E2
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Rect@@$?set$Variant@@$Widget@@$Object@@$?property@Font@@Height@String@@Width@$MaximumMinimumRect@$?bottom@?ensure?height@?object?right@?width@Font@Font@@@Geometry@Int@Name@PixelPolished@Rect@@@Size@V0@@
            • String ID: ALLRANGEL$ALLRECTWIN$ALLWINFONTH
            • API String ID: 2868634952-252804041
            • Opcode ID: cd7db9d94c0b0762c1848a8ec22abc267a3e037b3ab3896051ee65c74a5f78a2
            • Instruction ID: 1b7218085d53b6dff99c20c2409e0131615df5faec24f027d29f74274c78af1c
            • Opcode Fuzzy Hash: cd7db9d94c0b0762c1848a8ec22abc267a3e037b3ab3896051ee65c74a5f78a2
            • Instruction Fuzzy Hash: FA816EB491461AEFCB1ADBF0D8689ADBBB8FF19394F004225E416F7185EB3059C6CB50
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(localappdata,0000000C,4CDB14D0), ref: 011C7AE4
            • ??0QString@@QAE@XZ.QT5CORE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,011CE48C), ref: 011C7AF6
            • ?systemEnvironment@QProcessEnvironment@@SA?AV1@XZ.QT5CORE(?), ref: 011C7B06
            • ?value@QProcessEnvironment@@QBE?AVQString@@ABV2@0@Z.QT5CORE(?,?,00000000), ref: 011C7B1E
            • ??1QProcessEnvironment@@QAE@XZ.QT5CORE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 011C7B27
            • ??1QString@@QAE@XZ.QT5CORE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 011C7B30
            • ??1QString@@QAE@XZ.QT5CORE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 011C7B3D
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(\IdeaShareKey\APConfig.ini,0000001A), ref: 011C7B4A
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7B6E
            • ??0QFileInfo@@QAE@ABVQString@@@Z.QT5CORE(?), ref: 011C7B7B
            • ?isFile@QFileInfo@@QBE_NXZ.QT5CORE ref: 011C7B88
            • ??0QSettings@@QAE@ABVQString@@W4Format@0@PAVQObject@@@Z.QT5CORE(?,00000001,00000000), ref: 011C7BA1
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(SYSTEM/default-language,00000017), ref: 011C7BB2
            • ??0QVariant@@QAE@XZ.QT5CORE ref: 011C7BBD
            • ?value@QSettings@@QBE?AVQVariant@@ABVQString@@ABV2@@Z.QT5CORE(?,?,00000000), ref: 011C7BD3
            • ?toString@QVariant@@QBE?AVQString@@XZ.QT5CORE(?), ref: 011C7BE3
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C7BF2
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C7BF7
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7C00
            • ?toInt@QString@@QBEHPA_NH@Z.QT5CORE(00000000,0000000A), ref: 011C7C0D
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7C18
            • ??1QSettings@@UAE@XZ.QT5CORE ref: 011C7C21
            • ??1QFileInfo@@QAE@XZ.QT5CORE ref: 011C7C2E
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7C37
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C7C40
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$Variant@@$?fromArrayAscii_helper@Data@Environment@@FileInfo@@ProcessSettings@@Typed$?value@$?systemEnvironment@File@Format@0@Int@Object@@@String@String@@@V2@0@V2@@
            • String ID: SYSTEM/default-language$\IdeaShareKey\APConfig.ini$localappdata
            • API String ID: 2528859157-3218294965
            • Opcode ID: d2ae14bd32b2f76d755d693899f20f1e5efb88c61bace4280be2bf4929f7db7d
            • Instruction ID: 0ad546f083f5741def3badcb6a721065c320f1447219299d542be457957e9fad
            • Opcode Fuzzy Hash: d2ae14bd32b2f76d755d693899f20f1e5efb88c61bace4280be2bf4929f7db7d
            • Instruction Fuzzy Hash: 2A514E71D0024AEFCB18DBE4D949BEEBBB8FF15305F104169E412B7294EB745A88CB61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?style@QWidget@@QBEPAVQStyle@@XZ.QT5WIDGETS(4CDB14D0), ref: 011C5372
            • ?style@QWidget@@QBEPAVQStyle@@XZ.QT5WIDGETS ref: 011C537E
            • ?update@QWidget@@QAEXXZ.QT5WIDGETS ref: 011C538A
            • ??0QRect@@QAE@XZ.QT5CORE ref: 011C5393
            • ?minimumWidth@QWidget@@QBEHXZ.QT5WIDGETS ref: 011C539B
            • ?setX@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C53A5
            • ?maximumWidth@QWidget@@QBEHXZ.QT5WIDGETS ref: 011C53AD
            • ?setRight@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C53B7
            • ?minimumHeight@QWidget@@QBEHXZ.QT5WIDGETS ref: 011C53BF
            • ?setBottom@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C53C9
            • ?maximumHeight@QWidget@@QBEHXZ.QT5WIDGETS ref: 011C53D1
            • ?setY@QRect@@QAEXH@Z.QT5CORE(00000000), ref: 011C53DB
            • ??0QVariant@@QAE@ABVQRect@@@Z.QT5CORE(?), ref: 011C53EE
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(ALLRANGEL,?), ref: 011C5402
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C5418
            • ?objectName@QObject@@QBE?AVQString@@XZ.QT5CORE(?), ref: 011C5421
            • ??8QString@@QBE_NPBD@Z.QT5CORE(011D1F91), ref: 011C5436
            • ??0QVariant@@QAE@ABVQRect@@@Z.QT5CORE(?), ref: 011C5451
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(ALLRECTWIN,?), ref: 011C5469
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C5472
            • ?pixelSize@QFont@@QBEHXZ.QT5GUI ref: 011C547D
            • ??0QVariant@@QAE@H@Z.QT5CORE(00000000), ref: 011C5487
            • ?setProperty@QObject@@QAE_NPBDABVQVariant@@@Z.QT5CORE(ALLWINFONTH,?), ref: 011C549D
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C54A2
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C54A7
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: ?setWidget@@$Variant@@$Rect@@$Object@@$Property@String@@Variant@@@$?maximum?minimum?style@Height@Rect@@@Style@@Width@$?object?pixel?update@Bottom@Font@@Name@Right@Size@
            • String ID: ALLRANGEL$ALLRECTWIN$ALLWINFONTH
            • API String ID: 2762037061-252804041
            • Opcode ID: 513d85e68512df33dc4aff052c9d2c0d3329383f327369a9994701f02718aed3
            • Instruction ID: c5e71984f7fdfeff0c4c03b4a5800087993b0ac217a9ab4440668f4aa6a267a6
            • Opcode Fuzzy Hash: 513d85e68512df33dc4aff052c9d2c0d3329383f327369a9994701f02718aed3
            • Instruction Fuzzy Hash: 9C413975900119EFCB18DFE4DC58AEEBBB9FF58310F144129E812E7294DB706A85CB50
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ??0QString@@QAE@XZ.QT5CORE(4CDB14D0), ref: 011C63F7
            • ?qt_qFindChildren_helper@@YAXPBVQObject@@ABVQString@@ABUQMetaObject@@PAV?$QList@PAX@@V?$QFlags@W4FindChildOption@Qt@@@@@Z.QT5CORE(?,00000000,?,00000001), ref: 011C6428
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6438
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000002), ref: 011C645D
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000002), ref: 011C6484
            • ?objectName@QObject@@QBE?AVQString@@XZ.QT5CORE(?,00000000), ref: 011C64B0
            • ??8QString@@QBE_NPBD@Z.QT5CORE(011D1F91), ref: 011C64C2
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,ALLWINFONTH), ref: 011C64D3
            • ?toInt@QVariant@@QBEHPA_N@Z.QT5CORE(00000000), ref: 011C64E1
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C64FF
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(font-size: %3px;,00000010), ref: 011C6510
            • ??0QChar@@QAE@UQLatin1Char@@@Z.QT5CORE(00000020), ref: 011C6529
            • ?arg@QString@@QBE?AV1@HHHVQChar@@@Z.QT5CORE(?,?,00000000,0000000A), ref: 011C653B
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(00000000,?,00000000,0000000A), ref: 011C6548
            • ??1QString@@QAE@XZ.QT5CORE(?,00000000,0000000A), ref: 011C6551
            • ??1QString@@QAE@XZ.QT5CORE(?,00000000,0000000A), ref: 011C655A
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C6567
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C65A7
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$Object@@$Data@@ListVariant@@$Char@@@Find$?arg@?begin@?dispose@?end@?from?object?property@?qt_q?setArrayAscii_helper@Char@@ChildChildren_helper@@Data@Data@1@@Flags@Int@Latin1List@MetaName@Option@Qt@@@@@Sheet@String@@@StyleTypedWidget@@
            • String ID: $ALLWINFONTH$font-size: %3px;
            • API String ID: 4117990259-4294782997
            • Opcode ID: 37d59422d0f6107fe3699646717213c277baa4bb163d1d0aeb2198e8b5b0a31a
            • Instruction ID: 8940ce118f1b63336a2c1af595e03f977e1c9bcd0d7ca54b22f3750d4da28e6d
            • Opcode Fuzzy Hash: 37d59422d0f6107fe3699646717213c277baa4bb163d1d0aeb2198e8b5b0a31a
            • Instruction Fuzzy Hash: AB51827190014AEFDB19CFE8C898BEDBBB4FF14744F140129E926E7295DB719A84CB50
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?stop@QTimer@@QAEXXZ.QT5CORE(4CDB14D0), ref: 011C9F4D
            • ?tr@QMetaObject@@QBE?AVQString@@PBD0H@Z.QT5CORE(?,Installation Failed,00000000,000000FF), ref: 011C9F74
            • ?tr@QMetaObject@@QBE?AVQString@@PBD0H@Z.QT5CORE(?,Upgrade Failed,00000000,000000FF), ref: 011C9F85
            • ?setText@QLabel@@QAEXABVQString@@@Z.QT5WIDGETS(?), ref: 011C9F9B
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C9FA7
            • ??0QPixmap@@QAE@XZ.QT5GUI ref: 011C9FB0
            • ?setPixmap@QLabel@@QAEXABVQPixmap@@@Z.QT5WIDGETS(?), ref: 011C9FC4
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(border-image:url(:/image/images/30.png);,00000028), ref: 011C9FD1
            • ?setStyleSheet@QWidget@@QAEXABVQString@@@Z.QT5WIDGETS(?), ref: 011C9FE8
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C9FF5
            • ?tr@QMetaObject@@QBE?AVQString@@PBD0H@Z.QT5CORE(?,Reinsert the IdeaShare Key and try again,00000000,000000FF), ref: 011CA00D
            • ?setText@QLabel@@QAEXABVQString@@@Z.QT5WIDGETS(?), ref: 011CA01A
            • ??1QString@@QAE@XZ.QT5CORE ref: 011CA023
            • ?singleShot@QTimer@@SAXHPBVQObject@@PBD@Z.QT5CORE(?,?,1on_pushButtonExit_clicked()), ref: 011CA035
            • ??1QPixmap@@UAE@XZ.QT5GUI ref: 011CA041
            Strings
            • Reinsert the IdeaShare Key and try again, xrefs: 011C9FFF
            • Installation Failed, xrefs: 011C9F6E
            • border-image:url(:/image/images/30.png);, xrefs: 011C9FCC
            • 1on_pushButtonExit_clicked(), xrefs: 011CA029
            • Upgrade Failed, xrefs: 011C9F7F
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$?setObject@@$?tr@Label@@MetaString@@@$Pixmap@@Text@Timer@@$?from?single?stop@ArrayAscii_helper@Data@Pixmap@Pixmap@@@Sheet@Shot@StyleTypedWidget@@
            • String ID: 1on_pushButtonExit_clicked()$Installation Failed$Reinsert the IdeaShare Key and try again$Upgrade Failed$border-image:url(:/image/images/30.png);
            • API String ID: 3692475634-47283220
            • Opcode ID: ce0c6ee1d919f45fce40f0ba290643aba45b95703d7a67fafda76b1a4f8e5517
            • Instruction ID: 365642b160448d1b851348f2afb2c1157aab93a109baa00020ea12c7e2fb748d
            • Opcode Fuzzy Hash: ce0c6ee1d919f45fce40f0ba290643aba45b95703d7a67fafda76b1a4f8e5517
            • Instruction Fuzzy Hash: 113150B190420AEFCB18DBE4DD49FDDBBF8FB19314F100669E526A7291DB706A44CB21
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?dispose@QListData@@QAEXXZ.QT5CORE ref: 011C3E6F
            • _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 011C3E7E
            • ?desktop@QApplication@@SAPAVQDesktopWidget@@XZ.QT5WIDGETS(4CDB14D0), ref: 011C3EEA
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,00000000,2resized(int),?,1resizeWindow(),00000080), ref: 011C3F0D
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C3F15
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,00000000,2screenCountChanged(int),?,1screenCountChange(int),00000080), ref: 011C3F30
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C3F38
            • ?screens@QGuiApplication@@SA?AV?$QList@PAVQScreen@@@@XZ.QT5GUI(?), ref: 011C3F42
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3F71
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3F98
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,00000000,2logicalDotsPerInchChanged(qreal),?,1resizeWindow(),00000080), ref: 011C3FBA
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C3FC6
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C3FFF
            • ?event@QWidget@@MAE_NPAVQEvent@@@Z.QT5WIDGETS(?), ref: 011C4014
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Object@@$Connection@Meta$Data@@List$?connect@ConnectionQt@@@Type@$?dispose@Application@@Widget@@$?begin@?desktop@?end@?event@?screens@Data@1@@DesktopEvent@@@ExceptionList@Screen@@@@Throw
            • String ID: 1resizeWindow()$1screenCountChange(int)$2logicalDotsPerInchChanged(qreal)$2resized(int)$2screenCountChanged(int)
            • API String ID: 3213268598-493747443
            • Opcode ID: 7df0e3dd741aafb374aeebd02462384d05088d346d5af8baf1b6c25e2f726198
            • Instruction ID: b6d0ee5e2b0793ad351fbef0964d8acb68efc2916852e6fb942a9dca37f78b7c
            • Opcode Fuzzy Hash: 7df0e3dd741aafb374aeebd02462384d05088d346d5af8baf1b6c25e2f726198
            • Instruction Fuzzy Hash: D241A171A0020AAFDB28DFE8CC49BAEBBB4FF14614F144928F935E7280D731A944CB51
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ??0QString@@QAE@XZ.QT5CORE(4CDB14D0), ref: 011C8F65
            • ?asprintf@QString@@SA?AV1@PBDZZ.QT5CORE(?,%c:/IdeaShareKeyInstaller.exe), ref: 011C8F8D
            • ??4QString@@QAEAAV0@$$QAV0@@Z.QT5CORE(00000000), ref: 011C8F96
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8F9F
            • ??0QFileInfo@@QAE@ABVQString@@@Z.QT5CORE(?), ref: 011C8FAC
            • ?isFile@QFileInfo@@QBE_NXZ.QT5CORE ref: 011C8FB8
            • ??1QFileInfo@@QAE@XZ.QT5CORE ref: 011C8FC7
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(011D3130,00000002), ref: 011C8FE1
            • ??0QChar@@QAE@H@Z.QT5CORE ref: 011C8FF4
            • ??0QString@@QAE@VQChar@@@Z.QT5CORE ref: 011C8FFD
            • ??0QString@@QAE@ABV0@@Z.QT5CORE(00000000), ref: 011C900B
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(?), ref: 011C9021
            • ??4QString@@QAEAAV0@ABV0@@Z.QT5CORE(00000000), ref: 011C902E
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C9037
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C9040
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C9049
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C9052
            Strings
            • %c:/IdeaShareKeyInstaller.exe, xrefs: 011C8F87
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$FileInfo@@V0@@$?append@?asprintf@?fromArrayAscii_helper@Char@@Char@@@Data@File@String@@@TypedV0@$$V1@@
            • String ID: %c:/IdeaShareKeyInstaller.exe
            • API String ID: 2672717203-694981952
            • Opcode ID: 69e8ee4f41d3d29227094535bc096209d03bed4c894dc96e0be7b5ed728b4715
            • Instruction ID: afaa6b3da9f2b115382f4a3c56ce28c41970872d90f4a3531ebe9506fd703444
            • Opcode Fuzzy Hash: 69e8ee4f41d3d29227094535bc096209d03bed4c894dc96e0be7b5ed728b4715
            • Instruction Fuzzy Hash: 0E31707190010AEFCB18DFE4D849BEEBBB8FF15705F100129E526A7294DB345A88CB61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?desktop@QApplication@@SAPAVQDesktopWidget@@XZ.QT5WIDGETS(4CDB14D0), ref: 011C3EEA
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,00000000,2resized(int),?,1resizeWindow(),00000080), ref: 011C3F0D
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C3F15
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,00000000,2screenCountChanged(int),?,1screenCountChange(int),00000080), ref: 011C3F30
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C3F38
            • ?screens@QGuiApplication@@SA?AV?$QList@PAVQScreen@@@@XZ.QT5GUI(?), ref: 011C3F42
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3F71
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3F98
            • ?connect@QObject@@SA?AVConnection@QMetaObject@@PBV1@PBD01W4ConnectionType@Qt@@@Z.QT5CORE(?,00000000,2logicalDotsPerInchChanged(qreal),?,1resizeWindow(),00000080), ref: 011C3FBA
            • ??1Connection@QMetaObject@@QAE@XZ.QT5CORE ref: 011C3FC6
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?), ref: 011C3FFF
            • ?event@QWidget@@MAE_NPAVQEvent@@@Z.QT5WIDGETS(?), ref: 011C4014
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Object@@$Connection@Meta$?connect@ConnectionData@@ListQt@@@Type@$Application@@Widget@@$?begin@?desktop@?dispose@?end@?event@?screens@Data@1@@DesktopEvent@@@List@Screen@@@@
            • String ID: 1resizeWindow()$1screenCountChange(int)$2logicalDotsPerInchChanged(qreal)$2resized(int)$2screenCountChanged(int)
            • API String ID: 3790513899-493747443
            • Opcode ID: 388c95a1a2e271814793d47094891c86205f5d66bf7c210cab430dae6b70e63f
            • Instruction ID: 848592afa5670715dfcb4ef84f4b415ce8d13851f1208fdf7fb7ce6c20b2802d
            • Opcode Fuzzy Hash: 388c95a1a2e271814793d47094891c86205f5d66bf7c210cab430dae6b70e63f
            • Instruction Fuzzy Hash: 7A41C771A0020AAFDB28DFE8CC45AAEBBB4FF14714F144929F935E7290D7319954CB51
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?setActiveWindow@QApplication@@SAXPAVQWidget@@@Z.QT5WIDGETS(?,4CDB14D0), ref: 011C44BA
            • ?activeWindow@QApplication@@SAPAVQWidget@@XZ.QT5WIDGETS ref: 011C44C9
            • ?activeWindow@QApplication@@SAPAVQWidget@@XZ.QT5WIDGETS(?), ref: 011C44D3
            • ?objectName@QObject@@QBE?AVQString@@XZ.QT5CORE ref: 011C44D7
            • ??0QMessageLogger@@QAE@PBDH0@Z.QT5CORE(D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\src\HWDialog.cpp,00000036,void __thiscall HWDialog::mousePressEvent(class QMouseEvent *),?), ref: 011C44F9
            • ?debug@QMessageLogger@@QBE?AVQDebug@@XZ.QT5CORE ref: 011C4501
            • ??6QDebug@@QAEAAV0@PBD@Z.QT5CORE(current activationName ,00000000), ref: 011C4513
            • ??6QDebug@@QAEAAV0@ABVQString@@@Z.QT5CORE ref: 011C451B
            • ??1QDebug@@QAE@XZ.QT5CORE ref: 011C4524
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C4534
            • ?globalPos@QMouseEvent@@QBE?AVQPoint@@XZ.QT5GUI(?), ref: 011C454B
            • ?frameGeometry@QWidget@@QBE?AVQRect@@XZ.QT5WIDGETS(?,?), ref: 011C4566
            • ?topLeft@QRect@@QBE?AVQPoint@@XZ.QT5CORE ref: 011C456E
            Strings
            • void __thiscall HWDialog::mousePressEvent(class QMouseEvent *), xrefs: 011C44EA
            • current activationName , xrefs: 011C4508
            • D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\src\HWDialog.cpp, xrefs: 011C44F1
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Debug@@$Application@@Widget@@Window@$?activeLogger@@MessagePoint@@Rect@@String@@$?debug@?frame?global?object?set?topActiveEvent@@Geometry@Left@MouseName@Object@@Pos@String@@@Widget@@@
            • String ID: D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\src\HWDialog.cpp$current activationName $void __thiscall HWDialog::mousePressEvent(class QMouseEvent *)
            • API String ID: 2259911185-1179072835
            • Opcode ID: bd7b587b5849e1eb192b52a3bc7f535a9bc1c28b419ed19a12ebf97fa3d6fda6
            • Instruction ID: eb0f2bbf284959ecf0a490e457508e36767eb956957ad490338f220b68b59f42
            • Opcode Fuzzy Hash: bd7b587b5849e1eb192b52a3bc7f535a9bc1c28b419ed19a12ebf97fa3d6fda6
            • Instruction Fuzzy Hash: 0A314F75A00209EFCB28DFE4D948AADBBF9FB18750F14413AE916D7780DB74A940CB50
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ??0QLocale@@QAE@XZ.QT5CORE(4CDB14D0), ref: 011C78F2
            • memset.VCRUNTIME140(?,00000000,00000100), ref: 011C793F
            • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 011C7968
            • VerSetConditionMask.KERNEL32(00000000), ref: 011C796C
            • VerSetConditionMask.KERNEL32(00000000), ref: 011C7970
            • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 011C7997
            • ?uiLanguages@QLocale@@QBE?AVQStringList@@XZ.QT5CORE(?), ref: 011C79AE
            • ?at@QListData@@QBEPAPAXH@Z.QT5CORE(00000000), ref: 011C79BC
            • ??0QString@@QAE@ABV0@@Z.QT5CORE(00000000), ref: 011C79C9
            • ??8QString@@QBE_NPBD@Z.QT5CORE(zh-CN), ref: 011C79DE
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C79F4
            • GetSystemDefaultLangID.KERNEL32 ref: 011C7A07
            • ??1QLocale@@QAE@XZ.QT5CORE ref: 011C7A27
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: ConditionLocale@@MaskString@@$?at@Data@@DefaultInfoLangLanguages@ListList@@StringSystemV0@@VerifyVersionmemset
            • String ID: zh-CN
            • API String ID: 1711499082-4051137917
            • Opcode ID: a426654753eb231aa2e871d6cd47c4e58f14c1fce0c4a26c7ac045261b2a88f1
            • Instruction ID: fa432372421d3414b4e0b751eff3579319fbf09b61a242482757082a61ba7688
            • Opcode Fuzzy Hash: a426654753eb231aa2e871d6cd47c4e58f14c1fce0c4a26c7ac045261b2a88f1
            • Instruction Fuzzy Hash: 6E413371D40228ABDB28DBA4DC59BEE7BB8EF18704F0041A9E519A72C0DB745B84CF94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ??0QMatrix@@QAE@XZ.QT5GUI(4CDB14D0), ref: 011C9DEC
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(:/image/images/31.png,00000015), ref: 011C9DF9
            • ??0QPixmap@@QAE@ABVQString@@PBDV?$QFlags@W4ImageConversionFlag@Qt@@@@@Z.QT5GUI(?,00000000), ref: 011C9E1D
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C9E2A
            • ?rotate@QMatrix@@QAEAAV1@N@Z.QT5GUI ref: 011C9E4A
            • ?transformed@QPixmap@@QBE?AV1@ABVQMatrix@@W4TransformationMode@Qt@@@Z.QT5GUI(?,?,00000000), ref: 011C9E5D
            • ?size@QWidget@@QBE?AVQSize@@XZ.QT5WIDGETS(?,00000000,00000000), ref: 011C9E74
            • ?scaled@QPixmap@@QBE?AV1@ABVQSize@@W4AspectRatioMode@Qt@@W4TransformationMode@4@@Z.QT5GUI(?,00000000), ref: 011C9E81
            • ?setPixmap@QLabel@@QAEXABVQPixmap@@@Z.QT5WIDGETS(00000000), ref: 011C9E8F
            • ??1QPixmap@@UAE@XZ.QT5GUI ref: 011C9E9E
            • ??1QPixmap@@UAE@XZ.QT5GUI ref: 011C9EA3
            • ??1QPixmap@@UAE@XZ.QT5GUI ref: 011C9EC6
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Pixmap@@$Matrix@@String@@$Mode@Size@@Transformation$?from?rotate@?scaled@?set?size@?transformed@ArrayAscii_helper@AspectConversionData@Flag@Flags@ImageLabel@@Mode@4@@Pixmap@Pixmap@@@Qt@@Qt@@@Qt@@@@@RatioTypedWidget@@
            • String ID: :/image/images/31.png
            • API String ID: 4243932792-4083094219
            • Opcode ID: 13e78883785006388ebdaf0a4251463ed5688e21c6f530eb116ad5cc73e46e97
            • Instruction ID: a22eabd5aa0d861649bc6cda675b289ff014bfd4908478004fa94ff0971fceef
            • Opcode Fuzzy Hash: 13e78883785006388ebdaf0a4251463ed5688e21c6f530eb116ad5cc73e46e97
            • Instruction Fuzzy Hash: 80316E72A04249EFDB18DBE4D849BDEBFB8FF18714F14012AE516E7680EB706584CB91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(IdeaShareKeyInstaller.exe,00000019,4CDB14D0), ref: 011C8D18
            • ??0QString@@QAE@ABV0@@Z.QT5CORE(?), ref: 011C8D35
            • ?append@QString@@QAEAAV1@ABV1@@Z.QT5CORE(?), ref: 011C8D4B
            • ??0QFileInfo@@QAE@ABVQString@@@Z.QT5CORE(00000000), ref: 011C8D55
            • ?isFile@QFileInfo@@QBE_NXZ.QT5CORE ref: 011C8D61
            • ??1QFileInfo@@QAE@XZ.QT5CORE ref: 011C8D6C
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8D75
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C8D85
            Strings
            • IdeaShareKeyInstaller.exe, xrefs: 011C8D0C
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$FileInfo@@$?append@?fromArrayAscii_helper@Data@File@String@@@TypedV0@@V1@@
            • String ID: IdeaShareKeyInstaller.exe
            • API String ID: 3563875994-2404966732
            • Opcode ID: c271320398d426da21c6a9d08ad7828be2565e5f1a883380c94c79bd0cdf7f7c
            • Instruction ID: 21e9bcc286d281458357a10a89de6ef80966b9480533c368bca4e471df2fb4b1
            • Opcode Fuzzy Hash: c271320398d426da21c6a9d08ad7828be2565e5f1a883380c94c79bd0cdf7f7c
            • Instruction Fuzzy Hash: 4E21637190014AEFCB18DFE4D848BEEBBF8FB15715F100229E426E7280DB751A44CB91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?desktop@QApplication@@SAPAVQDesktopWidget@@XZ.QT5WIDGETS ref: 011CA0C1
            • ?bottomRight@QRect@@QBE?AVQPoint@@XZ.QT5CORE(?), ref: 011CA0CD
            • ?pos@QWidget@@QBE?AVQPoint@@XZ.QT5WIDGETS(?), ref: 011CA0D9
            • ?desktop@QApplication@@SAPAVQDesktopWidget@@XZ.QT5WIDGETS ref: 011CA0E1
            • ?screenNumber@QDesktopWidget@@QBEHABVQPoint@@@Z.QT5WIDGETS(00000000), ref: 011CA0E8
            • ?availableGeometry@QDesktopWidget@@QBE?BVQRect@@H@Z.QT5WIDGETS(?,00000000), ref: 011CA0F5
            • ?bottomRight@QRect@@QBE?AVQPoint@@XZ.QT5CORE(?), ref: 011CA102
            • ?rect@QWidget@@QBE?AVQRect@@XZ.QT5WIDGETS(?,?), ref: 011CA11D
            • ?bottomRight@QRect@@QBE?AVQPoint@@XZ.QT5CORE ref: 011CA125
            • ?move@QWidget@@QAEXABVQPoint@@@Z.QT5WIDGETS(?), ref: 011CA142
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Widget@@$Rect@@$DesktopPoint@@$?bottomRight@$?desktop@Application@@Point@@@$?available?move@?pos@?rect@?screenGeometry@Number@
            • String ID:
            • API String ID: 2299878072-0
            • Opcode ID: 8b1b46dfa2cc944174b39d206c0fbc9b38ddf2fc684e3becf3943a5d698ef826
            • Instruction ID: 49ef05466f2413fffa081646f71266bf1040c963f598c4d03c4c072a0162285a
            • Opcode Fuzzy Hash: 8b1b46dfa2cc944174b39d206c0fbc9b38ddf2fc684e3becf3943a5d698ef826
            • Instruction Fuzzy Hash: FA11CC75A00109AFCB18DFE4D8988EEBBF9FF8C211B04457AE916D7354DA309985CF50
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,RootDialog,4CDB14D0), ref: 011C40DB
            • ?isNull@QVariant@@QBE_NXZ.QT5CORE(?,?,?,?,?,?,011CDB44,000000FF,?,011C41D2,?), ref: 011C40F0
            • ?property@QObject@@QBE?AVQVariant@@PBD@Z.QT5CORE(?,RootDialog), ref: 011C4105
            • ?toBool@QVariant@@QBE_NXZ.QT5CORE(?,?,?,?,?,?,011CDB44,000000FF,?,011C41D2,?), ref: 011C411A
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C4137
            • ??1QVariant@@QAE@XZ.QT5CORE ref: 011C4146
            • ?parentWidget@QWidget@@QBEPAV1@XZ.QT5WIDGETS ref: 011C4150
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Variant@@$?property@Object@@$?parentBool@Null@Widget@Widget@@
            • String ID: RootDialog
            • API String ID: 3956965825-1062357678
            • Opcode ID: 31a2b8e94581adba6407c762f28184a6394af61a8c2713c09e68d97713524ccf
            • Instruction ID: 5064fd6822ff34ef04ccf2f37da5dc338a9fd65b66a38e904f2986c64dfcedc7
            • Opcode Fuzzy Hash: 31a2b8e94581adba6407c762f28184a6394af61a8c2713c09e68d97713524ccf
            • Instruction Fuzzy Hash: 3C21D371E00208AFDF29CFE8D85479EBBF4EB58A60F10426DE821E7280D7709A40CB90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ??0QMessageLogger@@QAE@PBDH0@Z.QT5CORE(D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\src\HWDialog.cpp,0000002C,void __thiscall HWDialog::screenCountChange(int),?,4CDB14D0), ref: 011C76EB
            • ?debug@QMessageLogger@@QBE?AVQDebug@@XZ.QT5CORE ref: 011C76F3
            • ??6QDebug@@QAEAAV0@PBD@Z.QT5CORE( screenCountChange ; current Screen count :,?), ref: 011C770A
            • ??6QDebug@@QAEAAV0@H@Z.QT5CORE ref: 011C7712
            • ??1QDebug@@QAE@XZ.QT5CORE ref: 011C7722
            Strings
            • screenCountChange ; current Screen count :, xrefs: 011C7705
            • void __thiscall HWDialog::screenCountChange(int), xrefs: 011C76DC
            • D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\src\HWDialog.cpp, xrefs: 011C76E3
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Debug@@$Logger@@Message$?debug@
            • String ID: screenCountChange ; current Screen count :$D:\code\IdeaShareWindowsApp\2021-9-16\AirPresence\desktop\Windows\IdeaShareKeyForm\IdeaShareKey\src\HWDialog.cpp$void __thiscall HWDialog::screenCountChange(int)
            • API String ID: 2032586913-1992771991
            • Opcode ID: 3d7f6add3bbdbfeacf90605f073eee5c15c339bcf3140e87ad8b251a5c94332e
            • Instruction ID: a66fd4434c656ad872f4250fbb7789b52a6a2f767926730e6c1e9772e0d6bcb0
            • Opcode Fuzzy Hash: 3d7f6add3bbdbfeacf90605f073eee5c15c339bcf3140e87ad8b251a5c94332e
            • Instruction Fuzzy Hash: 86014075A40209EBCB18DFE4DC09F9DBBF4FB08610F10466AF922D7380DB745A408B50
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C86F0
            • ?detach_grow@QListData@@QAEPAUData@1@PAHH@Z.QT5CORE(?,?), ref: 011C8701
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C8716
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(?), ref: 011C8725
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(?,00000000), ref: 011C8743
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C874C
            • ??1QString@@QAE@XZ.QT5CORE(00000000), ref: 011C87A5
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C87B0
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C87BE
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@$?detach_grow@?dispose@?end@Data@1@Data@1@@String@@
            • String ID:
            • API String ID: 291468209-0
            • Opcode ID: 7dec218ae6bd407dba8ec7c232b322f66ae7f1918e89ff1df238ccb57059805a
            • Instruction ID: 5f7a142e068350ca4be99bcb959d245f4116c9369242536075e8e3934af3b1ed
            • Opcode Fuzzy Hash: 7dec218ae6bd407dba8ec7c232b322f66ae7f1918e89ff1df238ccb57059805a
            • Instruction Fuzzy Hash: 83319575600209EFCB18DFD8D884AADBBA9FB48354F15463DE926D7381DB30AA54CB90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?dispose@QListData@@QAEXXZ.QT5CORE ref: 011C396F
            • _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 011C397E
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C39F0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C39FD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3A12
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3A1B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C3A4D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@?dispose@$?detach@?end@Data@1@Data@1@@ExceptionThrow
            • String ID:
            • API String ID: 2768157925-0
            • Opcode ID: 0b504ccc8b778251d0ed10ac24259e05707c0188cb668e6992ff0e7af5600e32
            • Instruction ID: cf70ac746a41ec0c9153fd99b5b83abb4b3cc8519e62d2bfb11aaa92763fd272
            • Opcode Fuzzy Hash: 0b504ccc8b778251d0ed10ac24259e05707c0188cb668e6992ff0e7af5600e32
            • Instruction Fuzzy Hash: 7721F6B1A00205ABCB148FECDC4476DBBE9FB58760F244229F925D73C0C73499408B94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?dispose@QListData@@QAEXXZ.QT5CORE ref: 011C3D6F
            • _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 011C3D7E
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C3DF0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C3DFD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3E12
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3E1B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C3E4D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@?dispose@$?detach@?end@Data@1@Data@1@@ExceptionThrow
            • String ID:
            • API String ID: 2768157925-0
            • Opcode ID: d20e32e130208651022dee93cdabc4f0ca8b25169b4677db880dc6d629012a6d
            • Instruction ID: d037928387cd4f7a73fa7b27b80d27d247bc68e2e5e30c173bd75514e3be93af
            • Opcode Fuzzy Hash: d20e32e130208651022dee93cdabc4f0ca8b25169b4677db880dc6d629012a6d
            • Instruction Fuzzy Hash: 3B21F3B1A00205ABCB288FECDC44B6DBBE9FB58B60F240629F925D73C0DB3459418B94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?dispose@QListData@@QAEXXZ.QT5CORE ref: 011C386F
            • _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 011C387E
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C38F0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C38FD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3912
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C391B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C394D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@?dispose@$?detach@?end@Data@1@Data@1@@ExceptionThrow
            • String ID:
            • API String ID: 2768157925-0
            • Opcode ID: dc13638512d9a1d6d1be36c01f8f23eb25fbd2f6d80d5d8ff9797cd5dda92fb1
            • Instruction ID: 7061b0c2803a7389cf9b61348aebc5421c684217a21c011b686ccd828930bce5
            • Opcode Fuzzy Hash: dc13638512d9a1d6d1be36c01f8f23eb25fbd2f6d80d5d8ff9797cd5dda92fb1
            • Instruction Fuzzy Hash: AC2108B1A00205ABCB148FECDC447ADBBE9FB58760F24022DF925D73C0D73459418B94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?dispose@QListData@@QAEXXZ.QT5CORE ref: 011C3C6F
            • _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 011C3C7E
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C3CF0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C3CFD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3D12
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3D1B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C3D4D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@?dispose@$?detach@?end@Data@1@Data@1@@ExceptionThrow
            • String ID:
            • API String ID: 2768157925-0
            • Opcode ID: 88ffd60d4b4623a205e21e6595631bc0d9b26e153b062b284496653af00bb646
            • Instruction ID: 967edf616fa421096714479ca32679feb79818ad704f9fb257384f7c19ad2cc3
            • Opcode Fuzzy Hash: 88ffd60d4b4623a205e21e6595631bc0d9b26e153b062b284496653af00bb646
            • Instruction Fuzzy Hash: 3821C3B1A04205ABCB289FACDC44B6DBBE9FB58760F244229F925D73C0CB3459418B95
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?dispose@QListData@@QAEXXZ.QT5CORE ref: 011C3B6F
            • _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 011C3B7E
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C3BF0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C3BFD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3C12
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3C1B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C3C4D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@?dispose@$?detach@?end@Data@1@Data@1@@ExceptionThrow
            • String ID:
            • API String ID: 2768157925-0
            • Opcode ID: e01949d94c99134400ef20f0450b16b1d64b11d34c45b4126e318564af96a050
            • Instruction ID: 9b0ac884231e46806a24f557e0713d9b59f6fe097edb5001a426a5f4a8d5e3a4
            • Opcode Fuzzy Hash: e01949d94c99134400ef20f0450b16b1d64b11d34c45b4126e318564af96a050
            • Instruction Fuzzy Hash: 2F2105B1A00205ABCB288FECDC44B6DBBE9FB58760F24422EF925D73C0CB3459408B94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?dispose@QListData@@QAEXXZ.QT5CORE ref: 011C376F
            • _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 011C377E
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C37F0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C37FD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3812
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C381B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C384D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@?dispose@$?detach@?end@Data@1@Data@1@@ExceptionThrow
            • String ID:
            • API String ID: 2768157925-0
            • Opcode ID: f262e32855a2e1632b92c5130be9bed783c7c70aef9cacddbfe7a228d88e0df7
            • Instruction ID: 08644d036c8d13284b6b4edea0b7c0f6e29cfacc0a9146314b607c7508bb6981
            • Opcode Fuzzy Hash: f262e32855a2e1632b92c5130be9bed783c7c70aef9cacddbfe7a228d88e0df7
            • Instruction Fuzzy Hash: 0421D471A00205ABCB188FECDC4476DBBE9FB58760F24422DF925D73C0C73459418B94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?dispose@QListData@@QAEXXZ.QT5CORE ref: 011C3A6F
            • _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 011C3A7E
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C3AF0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C3AFD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3B12
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3B1B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C3B4D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@?dispose@$?detach@?end@Data@1@Data@1@@ExceptionThrow
            • String ID:
            • API String ID: 2768157925-0
            • Opcode ID: b702e9f052e72ac4afd75d0e12409e092aa175104290d30f443d4f9677c8c350
            • Instruction ID: b65ad8d97cd6bb6fd70982432b4cf983587e39d550851eb65cdedbfabdfc6b5c
            • Opcode Fuzzy Hash: b702e9f052e72ac4afd75d0e12409e092aa175104290d30f443d4f9677c8c350
            • Instruction Fuzzy Hash: D421D5B1A00205ABCB289FECDC44B6DBBE9FB58B60F24422DF925D73C0CB3559418B95
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ??0QProcess@@QAE@PAVQObject@@@Z.QT5CORE ref: 011C9CD7
            • ?fromAscii_helper@QString@@CAPAU?$QTypedArrayData@G@@PBDH@Z.QT5CORE(IdeaShareKeyInstaller.exe,00000019), ref: 011C9CF8
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C9D22
            • ?startDetached@QProcess@@SA_NABVQString@@ABVQStringList@@@Z.QT5CORE(?,?,?), ref: 011C9D4C
            • ??1QString@@QAE@XZ.QT5CORE ref: 011C9D67
            Strings
            • IdeaShareKeyInstaller.exe, xrefs: 011C9CE9
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: String@@$Process@@$?from?startArrayAscii_helper@Data@Detached@List@@@Object@@@StringTyped
            • String ID: IdeaShareKeyInstaller.exe
            • API String ID: 4221575723-2404966732
            • Opcode ID: bfcb175732c41e146d474776da88ddde22c70d0fd7d7711c6abfefb81b0db5ea
            • Instruction ID: 7041165ca9ab2cf743f1a8e95064ed096d08396f273a198fa4e939c0812ee7ea
            • Opcode Fuzzy Hash: bfcb175732c41e146d474776da88ddde22c70d0fd7d7711c6abfefb81b0db5ea
            • Instruction Fuzzy Hash: 202141B5D40209EBCB18DFD4C945BDEBBF8FB14B54F10022AE916A7280EB745648CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 33%
            			E011C4830(signed int __ecx, void* __edx, long long __fp0) {
            				char _v8;
            				char _v16;
            				signed int _v20;
            				char _v24;
            				void* _v28;
            				intOrPtr _v32;
            				long long _v36;
            				signed int _t33;
            				signed int _t34;
            				signed int _t36;
            				intOrPtr* _t38;
            				intOrPtr _t40;
            				signed int _t67;
            				intOrPtr _t69;
            				void* _t73;
            				signed int _t75;
            				intOrPtr* _t79;
            				signed int _t80;
            				signed int _t85;
            				long long _t97;
            
            				_t97 = __fp0;
            				_t73 = __edx;
            				_push(0xffffffff);
            				_push(E011CDBE2);
            				_push( *[fs:0x0]);
            				_t33 =  *0x11e0020; // 0x4cdb14d0
            				_t34 = _t33 ^ _t80;
            				_t85 = _t34;
            				_push(_t34);
            				 *[fs:0x0] =  &_v16;
            				_t75 = __ecx;
            				_v24 = 0;
            				_t36 = L011C13A7(__ecx + 0x18, _t85, __ecx);
            				asm("movsd xmm1, [edi+0x20]");
            				asm("movsd xmm0, [0x11d27d0]");
            				_v36 = _t97;
            				asm("movsd xmm2, [ebp-0x20]");
            				asm("subsd xmm1, xmm2");
            				asm("andps xmm1, [0x11d2960]");
            				asm("comisd xmm0, xmm1");
            				if(_t85 > 0) {
            					L15:
            					 *[fs:0x0] = _v16;
            					return _t36;
            				}
            				asm("movsd [edi+0x20], xmm2");
            				__imp__??0QString@@QAE@XZ();
            				_v8 = 0;
            				_v20 = __imp__?shared_null@QListData@@2UData@1@B;
            				_v8 = 1;
            				_v24 = 1;
            				__imp__?qt_qFindChildren_helper@@YAXPBVQObject@@ABVQString@@ABUQMetaObject@@PAV?$QList@PAX@@V?$QFlags@W4FindChildOption@Qt@@@@@Z(_t75, _t36, __imp__?staticMetaObject@QWidget@@2UQMetaObject@@B,  &_v20, 1);
            				_v8 = 2;
            				__imp__??1QString@@QAE@XZ();
            				_t38 =  *_v20;
            				if(_t38 != 1) {
            					_t87 = _t38;
            					if(_t38 != 0) {
            						_t38 = L011C1082( &_v20, _t87,  *((intOrPtr*)(_v20 + 4)));
            					}
            				}
            				__imp__?begin@QListData@@QBEPAPAXXZ();
            				_t79 = _t38;
            				_t40 =  *_v20;
            				if(_t40 != 1) {
            					_t89 = _t40;
            					if(_t40 != 0) {
            						_t40 = L011C1082( &_v20, _t89,  *((intOrPtr*)(_v20 + 4)));
            					}
            				}
            				__imp__?end@QListData@@QBEPAPAXXZ();
            				_v32 = _t40;
            				if(_t79 == _t40) {
            					L11:
            					L011C1136(_t75, _t97, _t75);
            					L011C1172(_t75, _t73, _t97, _t75);
            					L011C13FC(_t75, _t92, _t97, _t75);
            					L011C1352(_t75, _t97, _t75);
            					L011C1069(_t75, _t97, _t75);
            					_t67 = _t75;
            					L011C1109(_t67, _t92, _t97, _t75);
            					_v8 = 3;
            					_t36 =  *_v20;
            					if(_t36 == 0) {
            						L14:
            						__imp__?dispose@QListData@@SAXPAUData@1@@Z(_v20);
            						goto L15;
            					}
            					if(_t36 == 0xffffffff) {
            						goto L15;
            					}
            					asm("lock xadd [eax], ecx");
            					_t36 = _v20 & 0xffffff00 | (_t67 | 0xffffffff) != 0x00000001;
            					if(_t36 != 0) {
            						goto L15;
            					}
            					goto L14;
            				} else {
            					do {
            						_t69 =  *_t79;
            						_t91 = _t69;
            						if(_t69 != 0) {
            							L011C1109(_t75, _t91, _t97, _t69);
            							_t40 = _v32;
            						}
            						_t79 = _t79 + 4;
            						_t92 = _t79 - _t40;
            					} while (_t79 != _t40);
            					goto L11;
            				}
            			}
























            APIs
            • ??0QString@@QAE@XZ.QT5CORE(?,4CDB14D0), ref: 011C489B
            • ?qt_qFindChildren_helper@@YAXPBVQObject@@ABVQString@@ABUQMetaObject@@PAV?$QList@PAX@@V?$QFlags@W4FindChildOption@Qt@@@@@Z.QT5CORE(?,00000000,?,00000001,?,4CDB14D0), ref: 011C48CA
            • ??1QString@@QAE@XZ.QT5CORE(?,?,4CDB14D0), ref: 011C48DA
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(?,?,4CDB14D0), ref: 011C48FF
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(?,?,4CDB14D0), ref: 011C4926
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(?,?,?,?,?,?,?,?,?,4CDB14D0), ref: 011C49A7
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@ListString@@$FindObject@@$?begin@?dispose@?end@?qt_qChildChildren_helper@@Data@1@@Flags@List@MetaOption@Qt@@@@@
            • String ID:
            • API String ID: 2432269031-0
            • Opcode ID: 21f42fa72577fd729c54fc356b6189bb17e247689fd07eaf013543a82a82dff0
            • Instruction ID: dfaaf7f6c7435e7a5a77bcfa971886cc0928df2f0fa74383cc6a4fc274132560
            • Opcode Fuzzy Hash: 21f42fa72577fd729c54fc356b6189bb17e247689fd07eaf013543a82a82dff0
            • Instruction Fuzzy Hash: 7D41C431A04116EBDB2DDFA8C854ABEB7B4FF65B54F04022DE822A7691EB309940CB50
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C3DF0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C3DFD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3E12
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3E1B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C3E4D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@$?detach@?dispose@?end@Data@1@Data@1@@
            • String ID:
            • API String ID: 3079853071-0
            • Opcode ID: 4a0535bedfbc3346115d099f65238288ea0c45038ac73a3bc9d78e7bffdb8adc
            • Instruction ID: 641780b994331bcf476b3022fdf44ba9f1e5b767e4faf2244a17f5eff0fcf55c
            • Opcode Fuzzy Hash: 4a0535bedfbc3346115d099f65238288ea0c45038ac73a3bc9d78e7bffdb8adc
            • Instruction Fuzzy Hash: 8411C4B1A00205ABCB248FECDC4476EBBE9FB58A60F24462EF925D72C0DB3459118B94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C39F0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C39FD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3A12
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3A1B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C3A4D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@$?detach@?dispose@?end@Data@1@Data@1@@
            • String ID:
            • API String ID: 3079853071-0
            • Opcode ID: 6fba207e6c350e04940069962b0828fced5a85775e4837ec2989f120e94d6d8e
            • Instruction ID: 4ceb8b89c84332ed7cc9be4d927fac46f01bf1707b4f66cbf467c82eb949766d
            • Opcode Fuzzy Hash: 6fba207e6c350e04940069962b0828fced5a85775e4837ec2989f120e94d6d8e
            • Instruction Fuzzy Hash: 0C11C4B1A00205ABCB248FECDC4476DBBE9FB58660F24432EF829C72D0DB3499118794
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C38F0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C38FD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3912
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C391B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C394D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@$?detach@?dispose@?end@Data@1@Data@1@@
            • String ID:
            • API String ID: 3079853071-0
            • Opcode ID: b47c5b7f08f9fee551f822a9f88bf8f54f5eb303a62cbe53a8f41141d4fe9dbf
            • Instruction ID: a7bc6ce2fb7cadd9c6da7cd25ae658929cff857812257f3a11aecff7ab0d173b
            • Opcode Fuzzy Hash: b47c5b7f08f9fee551f822a9f88bf8f54f5eb303a62cbe53a8f41141d4fe9dbf
            • Instruction Fuzzy Hash: 9411B2B1A00205ABCB248FAC98447ADBBE9FB58760F24432AF825C72C0DB3459418B94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C3CF0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C3CFD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3D12
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3D1B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C3D4D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@$?detach@?dispose@?end@Data@1@Data@1@@
            • String ID:
            • API String ID: 3079853071-0
            • Opcode ID: 3e42413113ab5a82696ac5474518ff15391dad7a1ed3c0d193a55d2fbf0dfabe
            • Instruction ID: 6a4601593688f2b8daaa5b0e7be395913377c4519d4152f1c61d600ff3d2b603
            • Opcode Fuzzy Hash: 3e42413113ab5a82696ac5474518ff15391dad7a1ed3c0d193a55d2fbf0dfabe
            • Instruction Fuzzy Hash: 4811C4B1A04205ABCB249FADDC4476DBBE9FB58670F24432EF825C72C0DB3459018795
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C3BF0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C3BFD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3C12
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3C1B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C3C4D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@$?detach@?dispose@?end@Data@1@Data@1@@
            • String ID:
            • API String ID: 3079853071-0
            • Opcode ID: 9882e853eb20f2383177b3a009c41c50cbff344e966e1727e65b93d910c6c7c4
            • Instruction ID: e52be8286c3b43bea4a892c64c30519e1c245439de54017bc0a033d34eb275f2
            • Opcode Fuzzy Hash: 9882e853eb20f2383177b3a009c41c50cbff344e966e1727e65b93d910c6c7c4
            • Instruction Fuzzy Hash: F111C4B1A04205ABCB288FADDC44B6DBBE9FB58660F24422EF825C72C0DB3459118B94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C37F0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C37FD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3812
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C381B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C384D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@$?detach@?dispose@?end@Data@1@Data@1@@
            • String ID:
            • API String ID: 3079853071-0
            • Opcode ID: 66294ff3765d0d5a52aec97c4bd1abb62d0229643e89c2823e0580de1293383a
            • Instruction ID: 3fd2328acc8aaee694a2587f7a6f67b91b55c4d9258106ab9740df94c207c9e9
            • Opcode Fuzzy Hash: 66294ff3765d0d5a52aec97c4bd1abb62d0229643e89c2823e0580de1293383a
            • Instruction Fuzzy Hash: C311C4B1A00205ABCB288FECDC4476EBBE9FB58760F24432EF829C72C0DB3459018794
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C3AF0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C3AFD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3B12
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3B1B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C3B4D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@$?detach@?dispose@?end@Data@1@Data@1@@
            • String ID:
            • API String ID: 3079853071-0
            • Opcode ID: 5049cd9ca2257059e6f5064210f351254faa69d5669a3ba379aab386039fd5dd
            • Instruction ID: 7b144dcf428f5857b8accb3d3fd60d905f3d186a0a6737f2050fe1bbdb2c33dd
            • Opcode Fuzzy Hash: 5049cd9ca2257059e6f5064210f351254faa69d5669a3ba379aab386039fd5dd
            • Instruction Fuzzy Hash: D111C4B1A00205ABCB248FEDDC44B6DBBE9FB58670F24432EF825D72C0DB3459118794
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(4CDB14D0), ref: 011C36F0
            • ?detach@QListData@@QAEPAUData@1@H@Z.QT5CORE(?), ref: 011C36FD
            • ?end@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C3712
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C371B
            • ?dispose@QListData@@SAXPAUData@1@@Z.QT5CORE(00000000,00000000), ref: 011C374D
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@$?detach@?dispose@?end@Data@1@Data@1@@
            • String ID:
            • API String ID: 3079853071-0
            • Opcode ID: c77d43ce7a6b9a0bd988866aac9d9aab28729c7a5786f6939f6da4ccd38da699
            • Instruction ID: b379b962335d2cf150737b1d649da43b3f701247b79705fa42c2cd5c7cc8fce1
            • Opcode Fuzzy Hash: c77d43ce7a6b9a0bd988866aac9d9aab28729c7a5786f6939f6da4ccd38da699
            • Instruction Fuzzy Hash: 1F11C4B1A00605ABCB298FECDC4476DBBE9FB58660F24422EF825D72C0DB3459118B94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 38%
            			E011CAA42(int _a4) {
            				char _v20;
            				intOrPtr _t12;
            				char* _t17;
            				void* _t20;
            				void* _t23;
            
            				_t20 = _t23;
            				while(1) {
            					_t9 = malloc(_a4);
            					if(_t9 != 0) {
            						break;
            					}
            					_push(_a4);
            					L011CC015();
            					if(_t9 == 0) {
            						if(_a4 != 0xffffffff) {
            							_push(_t20);
            							_t20 = _t23;
            							_t23 = _t23 - 0xc;
            							L011C13ED(_t9,  &_v20);
            							_push(0x11df948);
            							_t9 =  &_v20;
            							_push( &_v20);
            							L011CBFE5();
            							asm("int3");
            							asm("int3");
            							asm("int3");
            							asm("int3");
            							asm("int3");
            							asm("int3");
            							asm("int3");
            							asm("int3");
            						}
            						_push(_t20);
            						_t17 =  &_v20;
            						L011C1091(_t9, _t17);
            						_push(0x11df9ac);
            						_push( &_v20);
            						L011CBFE5();
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						asm("int3");
            						_t12 =  *((intOrPtr*)(_t17 + 4));
            						if(_t12 == 0) {
            							return "Unknown exception";
            						}
            						return _t12;
            					} else {
            						continue;
            					}
            					L12:
            				}
            				return _t9;
            				goto L12;
            			}









            APIs
            • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 011CAA4A
            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 011CAA57
            • _CxxThrowException.VCRUNTIME140(?,011DF9AC), ref: 011CB8A8
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: ExceptionThrow_callnewhmalloc
            • String ID: Unknown exception
            • API String ID: 4260808042-410509341
            • Opcode ID: 96d066b3201feef099b21ae7c4b49fb976750a494e384464120e325558469a61
            • Instruction ID: bac246ba98b76397246d01338d9dea18259287a4afc1aca0e5337b9297814fc4
            • Opcode Fuzzy Hash: 96d066b3201feef099b21ae7c4b49fb976750a494e384464120e325558469a61
            • Instruction Fuzzy Hash: 3BF0973860420EB68F1CB5ACEC006293B585E30EA4B10402CF808C6090FB30C91785C1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?pos@QWidget@@QBE?AVQPoint@@XZ.QT5WIDGETS(?,?), ref: 011C41DA
            • ?center@QRect@@QBE?AVQPoint@@XZ.QT5CORE(?), ref: 011C41EF
            • ?screenAt@QGuiApplication@@SAPAVQScreen@@ABVQPoint@@@Z.QT5GUI(?), ref: 011C4204
            • ?logicalDotsPerInch@QScreen@@QBENXZ.QT5GUI ref: 011C421E
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Point@@Screen@@$?center@?logical?pos@?screenApplication@@DotsInch@Point@@@Rect@@Widget@@
            • String ID:
            • API String ID: 3923849811-0
            • Opcode ID: 104417c24650831dde03c09f6c07b7f766b78e1c7a9e6e9048ecc73bc38a4fe0
            • Instruction ID: 84ed87c02a73b9bbd1abbb7ae760fa0bbafb2a98c140e329a61ede6c293924c5
            • Opcode Fuzzy Hash: 104417c24650831dde03c09f6c07b7f766b78e1c7a9e6e9048ecc73bc38a4fe0
            • Instruction Fuzzy Hash: 0F413E76D0694CDAC716DEACB4110EEF7F8FF6A691B0083A7E8257A114EB3145D1C780
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE ref: 011C87E8
            • ?begin@QListData@@QBEPAPAXXZ.QT5CORE(00000000), ref: 011C87F7
            • ?dispose@QListData@@QAEXXZ.QT5CORE(00000000), ref: 011C8807
            • _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 011C8816
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID: Data@@List$?begin@$?dispose@ExceptionThrow
            • String ID:
            • API String ID: 1051636472-0
            • Opcode ID: d30d04e883cad81140be0927ed22678d3c8c00d3f4ca1330a3f62dca71618202
            • Instruction ID: 0b4f8ba94f51be5273c9a6baba2bc8fa83107c8176c0dee4c4c041c78cadcba7
            • Opcode Fuzzy Hash: d30d04e883cad81140be0927ed22678d3c8c00d3f4ca1330a3f62dca71618202
            • Instruction Fuzzy Hash: 8CE0B87570011AABCF19AFD4C819B7D37A6AB54B84F14041CE516DB380CB3459418B95
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.360817470.00000000011C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 011C0000, based on PE: true
            • Associated: 00000001.00000002.360808882.00000000011C0000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011D1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360835788.00000000011DD000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360910856.00000000011E0000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E1000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011E8000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011EF000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.00000000011FA000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000001.00000002.360931079.000000000120E000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_11c0000_IdeaShareKeyForm.jbxd
            Similarity
            • API ID:
            • String ID: CommenMethod$HWDialog
            • API String ID: 0-177194159
            • Opcode ID: 727fd29122777f9f9add2998f1934ec8d78ceb1c87620718bae1866bd9c78179
            • Instruction ID: eb6e8f33fec6fbe2d1d3944a6c5cd3cebd0ce37bfe97b8fbd60e27cc448c05fa
            • Opcode Fuzzy Hash: 727fd29122777f9f9add2998f1934ec8d78ceb1c87620718bae1866bd9c78179
            • Instruction Fuzzy Hash: 43118A67304194174B3A596DA8915FAAF6BDEB3CB5348447FDA85CB213D733C449C390
            Uniqueness

            Uniqueness Score: -1.00%