Create Interactive Tour

Windows Analysis Report
I2ECXQvrEh

Overview

General Information

Sample Name:	I2ECXQvrEh (renamed file extension from none to exe)
Analysis ID:	695059
MD5:	d36e2f2a3aae17357bd7dbe542209be1
SHA1:	ac8541f0030d7cdecba68ac5615d325c7d92bb2c
SHA256:	514eef525b97f3e00ff6f4bc60955c0fe0a5ff74d5996b448e80e6eef699c5ed
Infos:

Detection

RedLine

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect virtualization through RDTSC time measurements

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

PE file contains section with special chars

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Allocates memory with a write watch (potentially for evading sandboxes)

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Detected TCP or UDP traffic on non-standard ports

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Entry point lies outside standard sections

Classification

Process Tree

System is w10x64

I2ECXQvrEh.exe (PID: 5436 cmdline: "C:\Users\user\Desktop\I2ECXQvrEh.exe" MD5: D36E2F2A3AAE17357BD7DBE542209BE1)

cleanup

Malware Configuration

Threatname: RedLine

{
  "C2 url": [
    "65.21.195.97:20775"
  ],
  "Bot Id": "",
  "Authorization Header": "e5c6983e0421121d00a30a756e57fc3e"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.519290496.0000000005210000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ec6c:$pat14: , CommandLine: 0x18a7e:$v2_1: ListOfProcesses 0x17f82:$v4_3: base64str 0x17f4f:$v4_4: stringKey 0x17f8c:$v4_5: BytesToStringConverted 0x17f77:$v4_6: FromBase64 0x187d8:$v4_8: procName 0x1563a:$v5_7: RecordHeaderField 0x15576:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
00000000.00000002.518199281.0000000002C10000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1fb54:$pat14: , CommandLine: 0x19966:$v2_1: ListOfProcesses 0x18e6a:$v4_3: base64str 0x18e37:$v4_4: stringKey 0x18e74:$v4_5: BytesToStringConverted 0x18e5f:$v4_6: FromBase64 0x196c0:$v4_8: procName 0x16522:$v5_7: RecordHeaderField 0x1645e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Process Memory Space: I2ECXQvrEh.exe PID: 5436	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.I2ECXQvrEh.exe.3d55530.7.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1dd54:$pat14: , CommandLine: 0x17b66:$v2_1: ListOfProcesses 0x1706a:$v4_3: base64str 0x17037:$v4_4: stringKey 0x17074:$v4_5: BytesToStringConverted 0x1705f:$v4_6: FromBase64 0x178c0:$v4_8: procName 0x14722:$v5_7: RecordHeaderField 0x1465e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.I2ECXQvrEh.exe.b63e88.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ec6c:$pat14: , CommandLine: 0x18a7e:$v2_1: ListOfProcesses 0x17f82:$v4_3: base64str 0x17f4f:$v4_4: stringKey 0x17f8c:$v4_5: BytesToStringConverted 0x17f77:$v4_6: FromBase64 0x187d8:$v4_8: procName 0x1563a:$v5_7: RecordHeaderField 0x15576:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.2c10ee8.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ec6c:$pat14: , CommandLine: 0x18a7e:$v2_1: ListOfProcesses 0x17f82:$v4_3: base64str 0x17f4f:$v4_4: stringKey 0x17f8c:$v4_5: BytesToStringConverted 0x17f77:$v4_6: FromBase64 0x187d8:$v4_8: procName 0x1563a:$v5_7: RecordHeaderField 0x15576:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.2a2f3ee.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1dd54:$pat14: , CommandLine: 0x17b66:$v2_1: ListOfProcesses 0x1706a:$v4_3: base64str 0x17037:$v4_4: stringKey 0x17074:$v4_5: BytesToStringConverted 0x1705f:$v4_6: FromBase64 0x178c0:$v4_8: procName 0x14722:$v5_7: RecordHeaderField 0x1465e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.3d56418.5.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ce6c:$pat14: , CommandLine: 0x16c7e:$v2_1: ListOfProcesses 0x16182:$v4_3: base64str 0x1614f:$v4_4: stringKey 0x1618c:$v4_5: BytesToStringConverted 0x16177:$v4_6: FromBase64 0x169d8:$v4_8: procName 0x1383a:$v5_7: RecordHeaderField 0x13776:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.2a302d6.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ce6c:$pat14: , CommandLine: 0x16c7e:$v2_1: ListOfProcesses 0x16182:$v4_3: base64str 0x1614f:$v4_4: stringKey 0x1618c:$v4_5: BytesToStringConverted 0x16177:$v4_6: FromBase64 0x169d8:$v4_8: procName 0x1383a:$v5_7: RecordHeaderField 0x13776:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.2c10ee8.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ce6c:$pat14: , CommandLine: 0x16c7e:$v2_1: ListOfProcesses 0x16182:$v4_3: base64str 0x1614f:$v4_4: stringKey 0x1618c:$v4_5: BytesToStringConverted 0x16177:$v4_6: FromBase64 0x169d8:$v4_8: procName 0x1383a:$v5_7: RecordHeaderField 0x13776:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.2a2f3ee.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1fb54:$pat14: , CommandLine: 0x19966:$v2_1: ListOfProcesses 0x18e6a:$v4_3: base64str 0x18e37:$v4_4: stringKey 0x18e74:$v4_5: BytesToStringConverted 0x18e5f:$v4_6: FromBase64 0x196c0:$v4_8: procName 0x16522:$v5_7: RecordHeaderField 0x1645e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.3d76550.6.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ce6c:$pat14: , CommandLine: 0x16c7e:$v2_1: ListOfProcesses 0x16182:$v4_3: base64str 0x1614f:$v4_4: stringKey 0x1618c:$v4_5: BytesToStringConverted 0x16177:$v4_6: FromBase64 0x169d8:$v4_8: procName 0x1383a:$v5_7: RecordHeaderField 0x13776:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.I2ECXQvrEh.exe.b63e88.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ce6c:$pat14: , CommandLine: 0x16c7e:$v2_1: ListOfProcesses 0x16182:$v4_3: base64str 0x1614f:$v4_4: stringKey 0x1618c:$v4_5: BytesToStringConverted 0x16177:$v4_6: FromBase64 0x169d8:$v4_8: procName 0x1383a:$v5_7: RecordHeaderField 0x13776:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.2c10000.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1dd54:$pat14: , CommandLine: 0x17b66:$v2_1: ListOfProcesses 0x1706a:$v4_3: base64str 0x17037:$v4_4: stringKey 0x17074:$v4_5: BytesToStringConverted 0x1705f:$v4_6: FromBase64 0x178c0:$v4_8: procName 0x14722:$v5_7: RecordHeaderField 0x1465e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.2a302d6.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ec6c:$pat14: , CommandLine: 0x18a7e:$v2_1: ListOfProcesses 0x17f82:$v4_3: base64str 0x17f4f:$v4_4: stringKey 0x17f8c:$v4_5: BytesToStringConverted 0x17f77:$v4_6: FromBase64 0x187d8:$v4_8: procName 0x1563a:$v5_7: RecordHeaderField 0x15576:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.5210000.8.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ec6c:$pat14: , CommandLine: 0x18a7e:$v2_1: ListOfProcesses 0x17f82:$v4_3: base64str 0x17f4f:$v4_4: stringKey 0x17f8c:$v4_5: BytesToStringConverted 0x17f77:$v4_6: FromBase64 0x187d8:$v4_8: procName 0x1563a:$v5_7: RecordHeaderField 0x15576:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.5210000.8.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ce6c:$pat14: , CommandLine: 0x16c7e:$v2_1: ListOfProcesses 0x16182:$v4_3: base64str 0x1614f:$v4_4: stringKey 0x1618c:$v4_5: BytesToStringConverted 0x16177:$v4_6: FromBase64 0x169d8:$v4_8: procName 0x1383a:$v5_7: RecordHeaderField 0x13776:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.2c10000.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1fb54:$pat14: , CommandLine: 0x19966:$v2_1: ListOfProcesses 0x18e6a:$v4_3: base64str 0x18e37:$v4_4: stringKey 0x18e74:$v4_5: BytesToStringConverted 0x18e5f:$v4_6: FromBase64 0x196c0:$v4_8: procName 0x16522:$v5_7: RecordHeaderField 0x1645e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.3d76550.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ec6c:$pat14: , CommandLine: 0x18a7e:$v2_1: ListOfProcesses 0x17f82:$v4_3: base64str 0x17f4f:$v4_4: stringKey 0x17f8c:$v4_5: BytesToStringConverted 0x17f77:$v4_6: FromBase64 0x187d8:$v4_8: procName 0x1563a:$v5_7: RecordHeaderField 0x15576:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.3d56418.5.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ec6c:$pat14: , CommandLine: 0x3eda4:$pat14: , CommandLine: 0x18a7e:$v2_1: ListOfProcesses 0x38bb6:$v2_1: ListOfProcesses 0x17f82:$v4_3: base64str 0x380ba:$v4_3: base64str 0x17f4f:$v4_4: stringKey 0x38087:$v4_4: stringKey 0x17f8c:$v4_5: BytesToStringConverted 0x380c4:$v4_5: BytesToStringConverted 0x17f77:$v4_6: FromBase64 0x380af:$v4_6: FromBase64 0x187d8:$v4_8: procName 0x38910:$v4_8: procName 0x1563a:$v5_7: RecordHeaderField 0x35772:$v5_7: RecordHeaderField 0x15576:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT 0x356ae:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.I2ECXQvrEh.exe.3d55530.7.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1fb54:$pat14: , CommandLine: 0x3fc8c:$pat14: , CommandLine: 0x19966:$v2_1: ListOfProcesses 0x39a9e:$v2_1: ListOfProcesses 0x18e6a:$v4_3: base64str 0x38fa2:$v4_3: base64str 0x18e37:$v4_4: stringKey 0x38f6f:$v4_4: stringKey 0x18e74:$v4_5: BytesToStringConverted 0x38fac:$v4_5: BytesToStringConverted 0x18e5f:$v4_6: FromBase64 0x38f97:$v4_6: FromBase64 0x196c0:$v4_8: procName 0x397f8:$v4_8: procName 0x16522:$v5_7: RecordHeaderField 0x3665a:$v5_7: RecordHeaderField 0x1645e:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT 0x36596:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 13 entries

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: I2ECXQvrEh.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: I2ECXQvrEh.exe

Virustotal: Detection: 49%

Perma Link

Machine Learning detection for sample

Source: I2ECXQvrEh.exe

Joe Sandbox ML: detected

Source: 0.2.I2ECXQvrEh.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 0.0.I2ECXQvrEh.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Source: 0.3.I2ECXQvrEh.exe.b63e88.0.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["65.21.195.97:20775"], "Bot Id": "", "Authorization Header": "e5c6983e0421121d00a30a756e57fc3e"}

Source: I2ECXQvrEh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: I2ECXQvrEh.exe, 00000000.00000002.517071220.0000000000B82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb=S source: I2ECXQvrEh.exe, 00000000.00000002.516930734.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: I2ECXQvrEh.exe, 00000000.00000003.250167143.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.517895349.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.518872444.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000003.250029631.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.518199281.0000000002C10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32> source: I2ECXQvrEh.exe, 00000000.00000002.516930734.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: I2ECXQvrEh.exe, 00000000.00000002.517071220.0000000000B82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: I2ECXQvrEh.exe, 00000000.00000002.516930734.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb@ source: I2ECXQvrEh.exe, 00000000.00000002.517071220.0000000000B82000.00000004.00000020.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.3:49690 -> 65.21.195.97:20775

Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97
Source: unknown	TCP traffic detected without corresponding DNS query: 65.21.195.97

Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty(
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: I2ECXQvrEh.exe, 00000000.00000002.517895349.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.519290496.0000000005210000.00000004.08000000.00040000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.518872444.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000003.250029631.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.518199281.0000000002C10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.I2ECXQvrEh.exe.3d55530.7.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.I2ECXQvrEh.exe.b63e88.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.2c10ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.2a2f3ee.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.3d56418.5.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.2a302d6.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.2c10ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.2a2f3ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.3d76550.6.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.I2ECXQvrEh.exe.b63e88.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.2c10000.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.2a302d6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.5210000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.5210000.8.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.2c10000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.3d76550.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.3d56418.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.I2ECXQvrEh.exe.3d55530.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.519290496.0000000005210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.518199281.0000000002C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

PE file contains section with special chars

Source: I2ECXQvrEh.exe	Static PE information: section name: ~o
Source: I2ECXQvrEh.exe	Static PE information: section name: ~o

Source: I2ECXQvrEh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.I2ECXQvrEh.exe.3d55530.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.I2ECXQvrEh.exe.b63e88.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.2c10ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.2a2f3ee.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.3d56418.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.2a302d6.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.2c10ee8.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.2a2f3ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.3d76550.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.I2ECXQvrEh.exe.b63e88.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.2c10000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.2a302d6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.5210000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.5210000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.2c10000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.3d76550.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.3d56418.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.I2ECXQvrEh.exe.3d55530.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.519290496.0000000005210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.518199281.0000000002C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: I2ECXQvrEh.exe, 00000000.00000003.250167143.0000000000B83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSturdy.exe4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000003.250167143.0000000000B83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000002.517895349.00000000029EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSturdy.exe4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000002.517895349.00000000029EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000000.248326971.00000000008F3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWDZHLHJ.EXE .ZZU: vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000002.519290496.0000000005210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSturdy.exe4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000002.518872444.0000000003D55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSturdy.exe4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000002.518872444.0000000003D55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000003.250029631.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSturdy.exe4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000003.250029631.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000002.518199281.0000000002C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSturdy.exe4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe, 00000000.00000002.518199281.0000000002C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs I2ECXQvrEh.exe
Source: I2ECXQvrEh.exe	Binary or memory string: OriginalFilenameWDZHLHJ.EXE .ZZU: vs I2ECXQvrEh.exe

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: msvcr120_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: msvcp120_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00418244	0_2_00418244
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_004193C4	0_2_004193C4
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_004073A0	0_2_004073A0
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0041A4BE	0_2_0041A4BE
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00401650	0_2_00401650
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00440740	0_2_00440740
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00418788	0_2_00418788
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_004028B0	0_2_004028B0
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00402B90	0_2_00402B90
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00408C60	0_2_00408C60
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0040DC11	0_2_0040DC11
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00407C3F	0_2_00407C3F
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00418CCC	0_2_00418CCC
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00406CA0	0_2_00406CA0
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00402F20	0_2_00402F20
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00402F89	0_2_00402F89

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: String function: 0043C508 appears 35 times

Source: I2ECXQvrEh.exe

Virustotal: Detection: 49%

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe

Code function: 0_2_00401AD3 CreateToolhelp32Snapshot,

0_2_00401AD3

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe

Command line argument: 08A

0_2_00413780

Source: classification engine

Classification label: mal92.troj.evad.winEXE@1/0@0/1

Source: I2ECXQvrEh.exe

Static file information: File size 5191168 > 1048576

Source: I2ECXQvrEh.exe	Static PE information: Raw size of ~o is bigger than: 0x100000 < 0x2f6c00
Source: I2ECXQvrEh.exe	Static PE information: Raw size of ~o is bigger than: 0x100000 < 0x1d5a00

Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: I2ECXQvrEh.exe, 00000000.00000002.517071220.0000000000B82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb=S source: I2ECXQvrEh.exe, 00000000.00000002.516930734.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: I2ECXQvrEh.exe, 00000000.00000003.250167143.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.517895349.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.518872444.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000003.250029631.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.518199281.0000000002C10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32> source: I2ECXQvrEh.exe, 00000000.00000002.516930734.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: I2ECXQvrEh.exe, 00000000.00000002.517071220.0000000000B82000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: I2ECXQvrEh.exe, 00000000.00000002.516930734.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb@ source: I2ECXQvrEh.exe, 00000000.00000002.517071220.0000000000B82000.00000004.00000020.00020000.00000000.sdmp

Source: I2ECXQvrEh.exe

Static PE information: real checksum: 0x4fd75e should be: 0x4f3a8b

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00430056 push ebp; ret	0_2_00430057
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00428054 push edi; ret	0_2_00428055
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00428070 push ebp; ret	0_2_006F9A50
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_004300DC push edi; ret	0_2_00611DEA
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0043009A push edi; ret	0_2_005ABA76
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042E0A5 push ebp; ret	0_2_005D3670
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042C142 push edi; ret	0_2_0048DA48
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00426141 push edi; ret	0_2_005F35FF
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00427158 push edi; ret	0_2_005BBBE0
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00426191 push ebp; ret	0_2_00710302
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_004261BB push ebp; ret	0_2_004261BC
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00426241 push edi; ret	0_2_0061DE78
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0040E21D push ecx; ret	0_2_0040E230
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042B2D5 push ebp; ret	0_2_00638102
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00428284 push edi; ret	0_2_00428298
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00427360 push edi; ret	0_2_006F831E
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_004266F2 push edi; ret	0_2_0055393C
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042E316 push ebp; ret	0_2_0042E323
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042D337 push edi; ret	0_2_0054A160
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042F33B push ss; ret	0_2_0042F33F
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042D3D9 push edi; ret	0_2_0042D3DA
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_004273DD push edi; ret	0_2_004273DF
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042B3F0 push edi; ret	0_2_005F04FD
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042D3B2 push edi; ret	0_2_006B7769
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042B44F push ebp; ret	0_2_006C1B70
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042746C push edi; ret	0_2_0042746D
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042D4D1 push ebp; ret	0_2_006FAAC9
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042B4F8 push ebp; ret	0_2_006DBF5C
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_004314A5 push ebp; ret	0_2_004314A6
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_00431540 push edi; ret	0_2_00714D59
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Code function: 0_2_0042E549 push edi; ret	0_2_00705E75

Source: I2ECXQvrEh.exe	Static PE information: section name: ~o
Source: I2ECXQvrEh.exe	Static PE information: section name: ~o

Source: initial sample

Static PE information: section where entry point is pointing to: ~o

Source: initial sample

Static PE information: section name: ~o entropy: 7.5426359164944214

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: AE0005 value: E9 FB BF DD 76	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: 778BC000 value: E9 0A 40 22 89	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: AF0008 value: E9 AB E0 E0 76	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: 778FE0B0 value: E9 60 1F 1F 89	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: 26B0005 value: E9 CB 5A 25 72	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: 74905AD0 value: E9 3A A5 DA 8D	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: 26C0005 value: E9 5B B0 26 72	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: 7492B060 value: E9 AA 4F D9 8D	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: 26D0005 value: E9 DB F8 5D 74	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: 76CAF8E0 value: E9 2A 07 A2 8B	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: 26E0005 value: E9 FB 42 5F 74	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory written: PID: 5436 base: 76CD4300 value: E9 0A BD A0 8B	Jump to behavior

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	RDTSC instruction interceptor: First address: 0000000000534F2C second address: 0000000000534F33 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 pop ecx 0x00000004 setns ah 0x00000007 rdtsc
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	RDTSC instruction interceptor: First address: 00000000005A98F8 second address: 00000000005A9909 instructions: 0x00000000 rdtsc 0x00000002 bswap eax 0x00000004 pop ecx 0x00000005 sar ebp, FFFFFFB1h 0x00000008 rol dl, cl 0x0000000a pop ebp 0x0000000b sub dx, bp 0x0000000e bswap edx 0x00000010 popfd 0x00000011 rdtsc

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: I2ECXQvrEh.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe

Code function: 0_2_0042FE12 rdtsc

0_2_0042FE12

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe

Process information queried: ProcessInformation

Jump to behavior

Source: I2ECXQvrEh.exe, 00000000.00000002.516930734.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe

Code function: 0_2_0042FE12 rdtsc

0_2_0042FE12

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\I2ECXQvrEh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\I2ECXQvrEh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: I2ECXQvrEh.exe PID: 5436, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: I2ECXQvrEh.exe PID: 5436, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	1 Credential API Hooking	211 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Obfuscated Files or Information	NTDS	112 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
I2ECXQvrEh.exe	49%	Virustotal		Browse
I2ECXQvrEh.exe	100%	Avira	HEUR/AGEN.1210626
I2ECXQvrEh.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.I2ECXQvrEh.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
0.0.I2ECXQvrEh.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File

URLs

Source	Detection	Scanner	Label
http://tempuri.org/Entity/Id1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id3	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2	0%	URL Reputation	safe
http://tempuri.org/Entity/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id3Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe

Domains and IPs

Download Network PCAP: filtered – full

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/Entity/Id1	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id3	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	I2ECXQvrEh.exe, 00000000.00000002.517895349.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.519290496.0000000005210000.00000004.08000000.00040000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.518872444.0000000003D55000.00000004.00000800.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000003.250029631.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, I2ECXQvrEh.exe, 00000000.00000002.518199281.0000000002C10000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id3Response	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty(	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1Response	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/actor/next	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	I2ECXQvrEh.exe, 00000000.00000002.518369130.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
65.21.195.97	unknown	United States		199592	CP-ASDE	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	695059
Start date and time:	2022-09-01 09:38:35 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	I2ECXQvrEh (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 97.8% (good quality ratio 88.3%) Quality average: 62% Quality standard deviation: 33.7%
HCA Information:	Successful, ratio: 80% Number of executed functions: 22 Number of non-executed functions: 38
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.649939403559833
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	I2ECXQvrEh.exe
File size:	5191168
MD5:	d36e2f2a3aae17357bd7dbe542209be1
SHA1:	ac8541f0030d7cdecba68ac5615d325c7d92bb2c
SHA256:	514eef525b97f3e00ff6f4bc60955c0fe0a5ff74d5996b448e80e6eef699c5ed
SHA512:	c849d941c26a24f681cd43cb289674f247f8443cbe8a4d6d581ee7eda66786e763256a583e4c07c02403efc7b6c1290e38fe1ca1b5648ab69521b17bc1e3de23
SSDEEP:	98304:5nh5SyRWXJHazQVs7/2zAAvnkZgE1eqxzQXZFUGMFoZY9TMD:5hdMJHaUV2/XAsqEgqxzUcxoZYy
TLSH:	A736126322A65160E4E98439C93BFD7472F6162F8B8198FAB5BDFDC019219D1F323643
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t..P..........#..........V......Uu9...........@...........................O.....^.O....................................

File Icon


Icon Hash:	3080888c8c868010

Static PE Info

General

Entrypoint:	0x797555
Entrypoint Section:	~o
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	172750858dcc0719eed08c952858023c

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push 4DDEDBE8h
call 00007F9178FFD842h
dec eax
ror eax, 02h
jmp 00007F9178EB7719h
mov eax, dword ptr [ebp+00h]
test edi, 5A164EFEh
mov cl, byte ptr [ebp+04h]
clc
test bp, cx
lea ebp, dword ptr [ebp-00000002h]
test sp, ax
cmp dh, bh
shr eax, cl
bswap ecx
mov dword ptr [ebp+04h], eax
movzx cx, dh
pushfd
movzx cx, cl
pop dword ptr [ebp+00h]
lea esi, dword ptr [esi-00000004h]
sal cl, cl
rcl ch, cl
mov ecx, 507F0EDEh
mov ecx, dword ptr [esi]
clc
cmc
stc
xor ecx, ebx
stc
cmp bh, 00000072h
neg ecx
cmp dx, 20B2h
add ecx, 47060AA1h
stc
cmc
rol ecx, 1
cmp ebp, 592E7281h
cmc
neg ecx
cmp al, CAh
test bp, cx
xor ebx, ecx
cmc
cmp dh, FFFFFFCFh
clc
add edi, ecx
jmp 00007F9179029B99h
inc edx
stc
not edx
clc
bswap edx
xor edx, 1F977F82h
test edi, ebp
xor ebx, edx
jmp 00007F917902EB8Ah
rol edx, 03h
stc
xor ebx, edx
test esp, 36C55428h
clc
stc
add ebp, edx
jmp 00007F9178F956BFh
sub byte ptr [eax], ch
sbb byte ptr [ecx], al
and edx, 0Dh
in al, dx
add byte ptr [esi-010A5B05h], al
and cl, FFFFFFC6h
push cs

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x41be1c	0xb4	~o
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4f3000	0x4f22	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1d74fcc0	0x24b0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4f2750	0x40	~o
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x46a000	0x70	~o
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19718	0x19800	False	0.5845971200980392	data	6.754440878467088	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x6db4	0x6e00	False	0.6004616477272727	data	6.626708362968839	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x30c0	0x1600	False	0.3126775568181818	data	3.2625868398009703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
~o	0x26000	0x2f6be0	0x2f6c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
~o	0x31d000	0x1d58a0	0x1d5a00	False	0.9123152407173276	data	7.5426359164944214	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4f3000	0x4f22	0x5000	False	0.22099609375	data	5.021905059798596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x4f3130	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	English	United States
RT_GROUP_ICON	0x4f7358	0x14	data	English	United States
RT_VERSION	0x4f736c	0x3cc	data	English	United States
RT_MANIFEST	0x4f7738	0x7ea	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	RaiseException
ole32.dll	OleInitialize
OLEAUT32.dll	SafeArrayCreate
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	VirtualQuery
USER32.dll	GetProcessWindowStation
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2022 09:39:43.493773937 CEST	49690	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:39:46.496673107 CEST	49690	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:39:52.512727976 CEST	49690	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:40:05.214884043 CEST	49691	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:40:08.217214108 CEST	49691	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:40:14.218308926 CEST	49691	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:40:26.240385056 CEST	49693	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:40:29.250174999 CEST	49693	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:40:35.266326904 CEST	49693	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:40:47.271687984 CEST	49694	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:40:50.283426046 CEST	49694	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:40:56.299460888 CEST	49694	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:41:08.302548885 CEST	49695	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:41:11.300679922 CEST	49695	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:41:17.304482937 CEST	49695	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:41:29.305068016 CEST	49696	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:41:32.302428007 CEST	49696	20775	192.168.2.3	65.21.195.97
Sep 1, 2022 09:41:38.302870989 CEST	49696	20775	192.168.2.3	65.21.195.97

Statistics

CPU Usage

• I2ECXQvrEh.exe

Click to jump to process

Memory Usage

• I2ECXQvrEh.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

System Behavior

Analysis Process: I2ECXQvrEh.exePID: 5436, Parent PID: 5464

Function Logs

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Disassembly

Analysis Process: I2ECXQvrEh.exePID: 5436, Parent PID: 5464COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.6%
Total number of Nodes:	252
Total number of Limit Nodes:	42

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00401AD3(void* __eax, char __ebx, intOrPtr* __ecx, intOrPtr* __esi, char _a1, char _a2, char _a3, char _a4, char _a5, char _a6, char _a7, char _a8, char _a9, char _a10, char _a11, char _a12, char _a13, char _a14, char _a15, char _a16, char _a17, char _a18, char _a19, char _a20, char _a21, char _a22, char _a23, char _a24, char _a25, char _a26, char _a27, char _a28, char _a29, char _a30, char _a31, char _a32, char _a33, char _a34, char _a35, char _a36, char _a37, char _a38, char _a39, char _a40, char _a68, char _a76, char _a84, char _a85, char _a86, char _a87, char _a88, char _a89, char _a90, char _a91, char _a92, char _a93, char _a94, char _a95, char _a96, char _a97, char _a98, char _a99, char _a100, char _a101, char _a102, char _a103, char _a104, char _a105, char _a106, char _a107, char _a108, char _a109, char _a110, char _a111, char _a112, char _a113, char _a114, char _a115, char _a116, char _a156, char _a164, char _a188, char _a196, char _a308, char _a608, char _a616, char _a624, char _a640, char _a648) {
				char _v0;
				char _v1;
				char _v2;
				char _v3;
				char _v4;
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				void* _t128;
				void* _t130;
				void* _t131;
				void* _t132;
				intOrPtr _t133;
				void* _t134;
				intOrPtr* _t137;
				intOrPtr _t138;
				intOrPtr* _t140;
				intOrPtr* _t144;
				intOrPtr* _t145;
				char _t147;
				intOrPtr* _t149;
				intOrPtr* _t152;
				intOrPtr* _t153;
				intOrPtr _t155;
				intOrPtr* _t158;
				void* _t162;
				void* _t163;
				intOrPtr _t166;
				intOrPtr* _t167;
				void* _t172;
				void* _t174;

				_t165 = __esi;
				_t149 = __ecx;
				_t147 = __ebx;
				_push(__eax);
				_push(8); // executed
				_t128 = E0040AD88(); // executed
				_t162 = _t128;
				_push( &_a624);
				_push(_t162);
				_a624 = 0x224;
				_a84 = 0xce;
				_a85 = 0x27;
				_a86 = 0x9c;
				_a87 = 0x1a;
				_a88 = 0x95;
				_a89 = 0x2e;
				_a90 = 0x22;
				_a91 = 0x57;
				_a92 = 0x91;
				_a93 = 0x21;
				_a94 = 0x57;
				_a95 = 0x3a;
				_a96 = 0xf8;
				_a97 = 0x98;
				_a98 = 0x5b;
				_a99 = 0xf4;
				_a100 = 0xb5;
				_a101 = 0x87;
				_a102 = 0x7b;
				_a103 = 0xf;
				_a104 = 0xf4;
				_a105 = 0x76;
				_a106 = 0xb9;
				_a107 = 0x34;
				_a108 = 0xbf;
				_a109 = 0x1e;
				_a110 = 0xe7;
				_a111 = 0x78;
				_a112 = 0x98;
				_a113 = 0xe9;
				_a114 = 0x6f;
				_a115 = 0xb4;
				_a116 = __ebx;
				_a8 = 0xc0;
				_a9 = 0x38;
				_a10 = 0x8d;
				_a11 = 0x1f;
				_a12 = 0x8e;
				_a13 = 0x30;
				_a14 = 0x65;
				_a15 = 0x47;
				_a16 = 0xd3;
				_a17 = 0x29;
				_a18 = 0x3b;
				_a19 = 0x56;
				_a20 = 0xf8;
				_a21 = 0x98;
				_a22 = 0x5b;
				_a23 = 0xf4;
				_a24 = 0xb5;
				_a25 = 0x87;
				_a26 = 0x7b;
				_a27 = 0xf;
				_a28 = 0xf4;
				_a29 = 0x76;
				_a30 = 0xb9;
				_a31 = 0x34;
				_a32 = 0xbf;
				_a33 = 0x1e;
				_a34 = 0xe7;
				_a35 = 0x78;
				_a36 = 0x98;
				_a37 = 0xe9;
				_a38 = 0x6f;
				_a39 = 0xb4;
				_a40 = __ebx;
				if(E0040AD82(__ebx, __ecx, __esi) == 0) {
					L37:
					_push(_t162);
					_t130 = E0070FB9F(_t129);
					_push(_t147);
					_push(_t149);
					_t131 = E006E65FD(_t130, _t165);
					_push(0xa);
					_t163 = _t131;
					_v16 = 0xfc;
					_v15 = 0xb;
					_v14 = 0xff;
					_v13 = 0x75;
					_v12 = 0xe7;
					_v11 = 0x44;
					_v10 = 0x4b;
					_v9 = 0x23;
					_v8 = 0xbf;
					_v7 = 0x45;
					_v6 = 0x3b;
					_v5 = 0x56;
					_v4 = 0xf8;
					_v3 = 0x98;
					_v2 = 0x5b;
					_v1 = 0xf4;
					_v0 = 0xb5;
					_a1 = 0x87;
					_a2 = 0x7b;
					_a3 = 0xf;
					_a4 = 0xf4;
					_a5 = 0x76;
					_a6 = 0xb9;
					_a7 = 0x34;
					_a8 = 0xbf;
					_a9 = 0x1e;
					_a10 = 0xe7;
					_a11 = 0x78;
					_a12 = 0x98;
					_a13 = 0xe9;
					_a14 = 0x6f;
					_a15 = 0xb4;
					_a16 = _t147;
					_t132 = E00401650( &_v16,  &_a308);
					_push(_t132);
					_push(_t163);
					_push(_t132); // executed
					_t133 = E005E9093(); // executed
					_t166 = _t133;
					_push(_t166);
					_push(_t163);
					_a24 = _t166;
					_push(_t163); // executed
					_t134 = E005D8C8A(_t133,  &_a308); // executed
					_push(_t134);
					return E00675708(_t134, _t147, _t163);
				}
				_t137 = E00401650( &_a76,  &_a196);
				_t174 = _t172 + 8;
				_t167 = _t137;
				_t158 =  &_a648;
				while(1) {
					_t138 =  *_t158;
					if(_t138 !=  *_t167) {
						break;
					}
					if(_t138 == _t147) {
						L6:
						_t138 = 0;
					} else {
						_t155 =  *((intOrPtr*)(_t158 + 1));
						if(_t155 !=  *((intOrPtr*)(_t167 + 1))) {
							break;
						} else {
							_t158 = _t158 + 2;
							_t167 = _t167 + 2;
							if(_t155 != _t147) {
								continue;
							} else {
								goto L6;
							}
						}
					}
					L8:
					if(_t138 != _t147) {
						_t140 = E00401650( &_v0,  &_a164);
						_t172 = _t174 + 8;
						_t165 = _t140;
						_t152 =  &_a648;
						while(1) {
							_t138 =  *_t152;
							if(_t138 !=  *_t165) {
								break;
							}
							if(_t138 == _t147) {
								L15:
								_t138 = 0;
							} else {
								_t138 =  *((intOrPtr*)(_t152 + 1));
								if(_t138 !=  *((intOrPtr*)(_t165 + 1))) {
									break;
								} else {
									_t152 = _t152 + 2;
									_t165 = _t165 + 2;
									if(_t138 != _t147) {
										continue;
									} else {
										goto L15;
									}
								}
							}
							L17:
							if(_t138 != _t147) {
								_t149 =  &_a616;
								_push(_t149);
								_push(_t162);
								if(E0040AD7C(_t147, _t149, _t165) == 0) {
									goto L37;
								}
								do {
									_t144 = E00401650( &_a68,  &_a188);
									_t172 = _t172 + 8;
									_t165 = _t144;
									_t153 =  &_a640;
									while(1) {
										_t138 =  *_t153;
										if(_t138 !=  *_t165) {
											break;
										}
										if(_t138 == _t147) {
											L25:
											_t138 = 0;
										} else {
											_t138 =  *((intOrPtr*)(_t153 + 1));
											if(_t138 !=  *((intOrPtr*)(_t165 + 1))) {
												break;
											} else {
												_t153 = _t153 + 2;
												_t165 = _t165 + 2;
												if(_t138 != _t147) {
													continue;
												} else {
													goto L25;
												}
											}
										}
										L27:
										if(_t138 != _t147) {
											_t145 = E00401650( &_v8,  &_a156);
											_t172 = _t172 + 8;
											_t165 = _t145;
											_t149 =  &_a640;
											while(1) {
												_t138 =  *_t149;
												if(_t138 !=  *_t165) {
													break;
												}
												if(_t138 == _t147) {
													L33:
													_t138 = 0;
												} else {
													_t138 =  *((intOrPtr*)(_t149 + 1));
													if(_t138 !=  *((intOrPtr*)(_t165 + 1))) {
														break;
													} else {
														_t149 = _t149 + 2;
														_t165 = _t165 + 2;
														if(_t138 != _t147) {
															continue;
														} else {
															goto L33;
														}
													}
												}
												L35:
												if(_t138 != _t147) {
													goto L36;
												}
												goto L9;
											}
											asm("sbb eax, eax");
											asm("sbb eax, 0xffffffff");
											goto L35;
										}
										goto L9;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									goto L27;
									L36:
									_push( &_a608);
									_push(_t162);
								} while (E0040AD7C(_t147, _t149, _t165) != 0);
								goto L37;
							}
							goto L9;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L17;
					}
					L9:
					_push(_t162);
					_push(_t138);
					E006F4FDA(_t165);
					return 0;
				}
				asm("sbb eax, eax");
				asm("sbb eax, 0xffffffff");
				goto L8;
			}

0x00401ad3
0x00401ad3
0x00401ad3
0x00401ad3
0x00401ad4
0x00401ad6
0x00401ae2
0x00401ae4
0x00401ae5
0x00401ae6
0x00401af1
0x00401af6
0x00401afb
0x00401b00
0x00401b05
0x00401b0a
0x00401b0f
0x00401b14
0x00401b19
0x00401b1e
0x00401b23
0x00401b28
0x00401b2d
0x00401b32
0x00401b37
0x00401b3c
0x00401b41
0x00401b46
0x00401b4b
0x00401b50
0x00401b55
0x00401b5a
0x00401b5f
0x00401b64
0x00401b69
0x00401b6e
0x00401b73
0x00401b78
0x00401b7d
0x00401b85
0x00401b8d
0x00401b95
0x00401b9d
0x00401ba4
0x00401ba9
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbd
0x00401bc2
0x00401bc7
0x00401bcc
0x00401bd1
0x00401bd6
0x00401bdb
0x00401be0
0x00401be5
0x00401bea
0x00401bef
0x00401bf4
0x00401bf9
0x00401bfe
0x00401c03
0x00401c08
0x00401c0d
0x00401c12
0x00401c17
0x00401c1c
0x00401c21
0x00401c26
0x00401c2b
0x00401c30
0x00401c35
0x00401c3a
0x00401c3f
0x00401c44
0x00401c4f
0x00401dc3
0x00401dc3
0x00401dc5
0x00401dca
0x00401dcb
0x00401dcc
0x00401dd1
0x00401de0
0x00401de2
0x00401de7
0x00401dec
0x00401df1
0x00401df6
0x00401dfb
0x00401e00
0x00401e05
0x00401e0a
0x00401e0f
0x00401e14
0x00401e19
0x00401e1e
0x00401e23
0x00401e28
0x00401e2d
0x00401e32
0x00401e37
0x00401e3c
0x00401e41
0x00401e46
0x00401e4b
0x00401e50
0x00401e55
0x00401e5a
0x00401e5f
0x00401e64
0x00401e69
0x00401e6e
0x00401e73
0x00401e78
0x00401e7d
0x00401e82
0x00401e86
0x00401e8e
0x00401e8f
0x00401e90
0x00401e91
0x00401e96
0x00401e98
0x00401e99
0x00401e9a
0x00401e9e
0x00401e9f
0x00401ea6
0x00000000
0x00401ea7
0x00401c62
0x00401c67
0x00401c6a
0x00401c6c
0x00401c73
0x00401c73
0x00401c77
0x00000000
0x00000000
0x00401c7b
0x00401c8f
0x00401c8f
0x00401c7d
0x00401c7d
0x00401c83
0x00000000
0x00401c85
0x00401c85
0x00401c88
0x00401c8d
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c8d
0x00401c83
0x00401c98
0x00401c9a
0x00401cbd
0x00401cc2
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd0
0x00401cd4
0x00000000
0x00000000
0x00401cd8
0x00401cec
0x00401cec
0x00401cda
0x00401cda
0x00401ce0
0x00000000
0x00401ce2
0x00401ce2
0x00401ce5
0x00401cea
0x00000000
0x00000000
0x00000000
0x00000000
0x00401cea
0x00401ce0
0x00401cf5
0x00401cf7
0x00401cf9
0x00401d00
0x00401d01
0x00401d09
0x00000000
0x00000000
0x00401d10
0x00401d1d
0x00401d22
0x00401d25
0x00401d27
0x00401d30
0x00401d30
0x00401d34
0x00000000
0x00000000
0x00401d38
0x00401d4c
0x00401d4c
0x00401d3a
0x00401d3a
0x00401d40
0x00000000
0x00401d42
0x00401d42
0x00401d45
0x00401d4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d4a
0x00401d40
0x00401d55
0x00401d57
0x00401d6a
0x00401d6f
0x00401d72
0x00401d74
0x00401d80
0x00401d80
0x00401d84
0x00000000
0x00000000
0x00401d88
0x00401d9c
0x00401d9c
0x00401d8a
0x00401d8a
0x00401d90
0x00000000
0x00401d92
0x00401d92
0x00401d95
0x00401d9a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d9a
0x00401d90
0x00401da5
0x00401da7
0x00000000
0x00000000
0x00000000
0x00401da7
0x00401da0
0x00401da2
0x00000000
0x00401da2
0x00000000
0x00401d57
0x00401d50
0x00401d52
0x00000000
0x00401dad
0x00401db4
0x00401db5
0x00401dbb
0x00000000
0x00401d10
0x00000000
0x00401cf7
0x00401cf0
0x00401cf2
0x00000000
0x00401cf2
0x00401c9c
0x00401c9c
0x00401c9d
0x00401c9e
0x00401caf
0x00401caf
0x00401c93
0x00401c95
0x00000000

Strings

W, xrefs: 00401B23
!, xrefs: 00401B1E
4, xrefs: 00401E55
{, xrefs: 00401B4B
;, xrefs: 00401E14
v, xrefs: 00401E4B
', xrefs: 00401AF6
e, xrefs: 00401BC2
v, xrefs: 00401B5A
0, xrefs: 00401BBD
o, xrefs: 00401E78
x, xrefs: 00401B78
., xrefs: 00401B0A
D, xrefs: 00401DFB
[, xrefs: 00401E28
v, xrefs: 00401C0D
#, xrefs: 00401E05
:, xrefs: 00401B28
V, xrefs: 00401E19
x, xrefs: 00401E69
4, xrefs: 00401C17
W, xrefs: 00401B14
u, xrefs: 00401DF1
E, xrefs: 00401E0F
", xrefs: 00401B0F
4, xrefs: 00401B64
8, xrefs: 00401BA9
K, xrefs: 00401E00
{, xrefs: 00401E3C
o, xrefs: 00401C3A
o, xrefs: 00401B8D
[, xrefs: 00401B37

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID: !$"$#$'$.$0$4$4$4$8$:$;$D$E$K$V$W$W$[$[$e$o$o$o$u$v$v$v$x$x${${
API String ID: 0-1039355532
Opcode ID: 08648e891e027d5a69d4ec5877c5c89bacb8209ecda3499cc3d6cf7e549d823e
Instruction ID: 2661e3868cae704361d004bfa4a7c07e26b3231e0d03598ff2bd1d44969c2037
Opcode Fuzzy Hash: 08648e891e027d5a69d4ec5877c5c89bacb8209ecda3499cc3d6cf7e549d823e
Instruction Fuzzy Hash: BBC11B1104C7C199D3329A3C884865FBFD10BA3368F880B9DF1E95A3E2D769854AC76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401FAC Relevance: 45.6, APIs: 2, Strings: 24, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00401FAC(char __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags, char _a1, char _a2, char _a3, char _a4, char _a5, char _a6, char _a7, char _a8, char _a9, char _a10, char _a11, char _a12, char _a13, char _a14, char _a15, char _a16, char _a17, char _a18, char _a19, char _a20, char _a21, char _a22, char _a23, char _a24, char _a25, char _a26, char _a27, char _a28, char _a29, char _a30, char _a31, char _a32, char _a33, char _a34, char _a35, char _a36, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, intOrPtr _a72, char _a132, intOrPtr _a144, char _a232, char _a288) {
				char _v0;
				char _v1;
				char _v2;
				char _v3;
				char _v4;
				intOrPtr _t78;
				void* _t79;
				void* _t85;
				char _t88;
				intOrPtr _t90;

				_t88 = __ebx;
				_a144 =  *__esi;
				_t78 = E0040B84D(__ebx, __edx, __edi,  *__esi); // executed
				_push(_a72);
				_push(__edi);
				_a56 = _t78;
				_push(__ebx);
				_t79 = E0053E249(_t78);
				_t97 = _a44;
				E0040AC60(_a44,  &_a132, __esi + 4, _t79);
				_t90 = _a52;
				E0040BA30(_a44, __esi, _t88, _t90);
				_a4 = 0xce;
				_a5 = 0x27;
				_a6 = 0x9c;
				_a7 = 0x1a;
				_a8 = 0x95;
				_a9 = 0x21;
				_a10 = 0x2e;
				_a11 = 0xd;
				_a12 = 0xdb;
				_a13 = 0x29;
				_a14 = 0x57;
				_a15 = 0x56;
				_a16 = 0xf8;
				_a17 = 0x98;
				_a18 = 0x5b;
				_a19 = 0xf4;
				_a20 = 0xb5;
				_a21 = 0x87;
				_a22 = 0x7b;
				_a23 = 0xf;
				_a24 = 0xf4;
				_a25 = 0x76;
				_a26 = 0xb9;
				_a27 = 0x34;
				_a28 = 0xbf;
				_a29 = 0x1e;
				_a30 = 0xe7;
				_a31 = 0x78;
				_a32 = 0x98;
				_a33 = 0xe9;
				_a34 = 0x6f;
				_a35 = 0xb4;
				_a36 = _t88;
				_push(E00401650( &_a4,  &_a232));
				_push(_t90); // executed
				_t85 = E00608AE0(_t84, _t97 + 0xe); // executed
				_v4 = 0xe0;
				_v3 = 0x18;
				_v2 = 0xad;
				_v1 = 0x36;
				_v0 = 0x95;
				_a1 = 0x21;
				_a2 = 0x2a;
				_a3 = 0x57;
				_a4 = 0xda;
				_a5 = 0xc;
				_a6 = 0x55;
				_a7 = 0x25;
				_a8 = 0x8c;
				_a9 = 0xf9;
				_a10 = 0x35;
				_a11 = 0x97;
				_a12 = 0xd0;
				_a13 = 0x87;
				_a14 = 0x7b;
				_a15 = 0xf;
				_a16 = 0xf4;
				_a17 = 0x76;
				_a18 = 0xb9;
				_a19 = 0x34;
				_a20 = 0xbf;
				_a21 = 0x1e;
				_a22 = 0xe7;
				_a23 = 0x78;
				_a24 = 0x98;
				_a25 = 0xe9;
				_a26 = 0x6f;
				_a27 = 0xb4;
				_a28 = _t88;
				_push(E00401650( &_v4,  &_a288));
				_push(_t85);
				return E0045A4DB(_t86);
			}

0x00401fac
0x00401faf
0x00401fb6
0x00401fc2
0x00401fc3
0x00401fc4
0x00401fc8
0x00401fc9
0x00401fce
0x00401fe0
0x00401fe5
0x00401fec
0x00402001
0x00402006
0x0040200b
0x00402010
0x00402015
0x0040201a
0x0040201f
0x00402024
0x00402029
0x0040202e
0x00402033
0x00402038
0x0040203d
0x00402042
0x00402047
0x0040204c
0x00402051
0x00402056
0x0040205b
0x00402060
0x00402065
0x0040206a
0x0040206f
0x00402074
0x00402079
0x0040207e
0x00402083
0x00402088
0x0040208d
0x00402092
0x00402097
0x0040209c
0x004020a1
0x004020ad
0x004020ae
0x004020af
0x004020b6
0x004020bb
0x004020c0
0x004020c5
0x004020ca
0x004020cf
0x004020e1
0x004020e6
0x004020eb
0x004020f0
0x004020f5
0x004020fa
0x004020ff
0x00402104
0x00402109
0x0040210e
0x00402113
0x00402118
0x0040211d
0x00402122
0x00402127
0x0040212c
0x00402131
0x00402136
0x0040213b
0x00402140
0x00402145
0x0040214a
0x0040214f
0x00402154
0x00402159
0x0040215e
0x00402163
0x0040216f
0x00402170
0x00000000

APIs

_malloc.LIBCMT ref: 00401FB6

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4

_memset.LIBCMT ref: 00401FEC

Strings

o, xrefs: 00402159
5, xrefs: 00402109
), xrefs: 0040202E
!, xrefs: 004020CF
o, xrefs: 00402097
v, xrefs: 0040212C
x, xrefs: 0040214A
W, xrefs: 004020E6
{, xrefs: 0040205B
U, xrefs: 004020F5
4, xrefs: 00402136
4, xrefs: 00402074
', xrefs: 00402006
!, xrefs: 0040201A
v, xrefs: 0040206A
[, xrefs: 00402047
*, xrefs: 004020E1
6, xrefs: 004020C5
., xrefs: 0040201F
W, xrefs: 00402033
%, xrefs: 004020FA
{, xrefs: 0040211D
x, xrefs: 00402088
V, xrefs: 00402038

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: AllocateHeap_malloc_memset
String ID: !$!$%$'$)$*$.$4$4$5$6$U$V$W$W$[$o$o$v$v$x$x${${
API String ID: 2365696598-103817319
Opcode ID: bf320bee95a86180922fbadd2ed61ece3823b422c4a836ce4088a384da7d60f0
Instruction ID: 811a3958bac1da19117f04430696ac818f0c658c27a29a968190e6ee35246d3c
Opcode Fuzzy Hash: bf320bee95a86180922fbadd2ed61ece3823b422c4a836ce4088a384da7d60f0
Instruction Fuzzy Hash: B751DB2100C7C2DDD362D67C884864FBFD55BA7228F481B8DF1E51A2E2C3AA8509C777

Uniqueness

Uniqueness Score: -1.00%

Function 004019F0 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004019F0(void* __edx, void* __eflags) {
				char _v912;
				char _v1140;
				char _v1141;
				char _v1142;
				char _v1143;
				char _v1144;
				char _v1145;
				char _v1146;
				char _v1147;
				char _v1148;
				char _v1149;
				char _v1150;
				char _v1151;
				char _v1152;
				char _v1153;
				char _v1154;
				char _v1155;
				char _v1156;
				char _v1157;
				char _v1158;
				char _v1159;
				char _v1160;
				char _v1161;
				char _v1162;
				char _v1163;
				char _v1164;
				char _v1165;
				char _v1166;
				char _v1167;
				char _v1168;
				char _v1169;
				char _v1170;
				char _v1171;
				char _v1172;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t36;
				void* _t48;
				void* _t50;
				void* _t58;

				_t58 = __eflags;
				_t47 = __edx;
				_push(_t50);
				_push(_t48);
				_push(0);
				_push(__edx); // executed
				E006096FD(_t36); // executed
				_v1172 = 0xe0;
				_v1171 = 0x3b;
				_v1170 = 0x8d;
				_v1169 = 0x2a;
				_v1168 = 0xa2;
				_v1167 = 0x2a;
				_v1166 = 0x2a;
				_v1165 = 0x41;
				_v1164 = 0xd3;
				_v1163 = 0x20;
				_v1162 = 0x64;
				_v1161 = 6;
				_v1160 = 0x8a;
				_v1159 = 0xf7;
				_v1158 = 0x3d;
				_v1157 = 0x9d;
				_v1156 = 0xd9;
				_v1155 = 0xee;
				_v1154 = 0x15;
				_v1153 = 0x68;
				_v1152 = 0xf4;
				_v1151 = 0x76;
				_v1150 = 0xb9;
				_v1149 = 0x34;
				_v1148 = 0xbf;
				_v1147 = 0x1e;
				_v1146 = 0xe7;
				_v1145 = 0x78;
				_v1144 = 0x98;
				_v1143 = 0xe9;
				_v1142 = 0x6f;
				_v1141 = 0xb4;
				_v1140 = 0;
				_push(E00401650( &_v1172,  &_v912));
				if(E0040B99E(0, _t47, _t48, _t50, _t58) != 0x41b2a0) {
					return E0064750C(_t40, 0, _t47, _t48);
				}
				__eflags = 0;
				return 0;
			}

0x004019f0
0x004019f0
0x004019f8
0x004019f9
0x004019fc
0x004019fd
0x004019fe
0x00401a10
0x00401a15
0x00401a1a
0x00401a1f
0x00401a24
0x00401a29
0x00401a2e
0x00401a33
0x00401a38
0x00401a3d
0x00401a42
0x00401a47
0x00401a4c
0x00401a51
0x00401a56
0x00401a5b
0x00401a60
0x00401a65
0x00401a6a
0x00401a6f
0x00401a74
0x00401a79
0x00401a7e
0x00401a83
0x00401a88
0x00401a8d
0x00401a92
0x00401a97
0x00401a9c
0x00401aa1
0x00401aa6
0x00401aab
0x00401ab0
0x00401ab9
0x00401ac7
0x00000000
0x00401acd
0x0040248d
0x00402496

APIs

_getenv.LIBCMT ref: 00401ABA

Strings

A, xrefs: 00401A33
*, xrefs: 00401A2E
x, xrefs: 00401A97
d, xrefs: 00401A42
v, xrefs: 00401A79
h, xrefs: 00401A6F
o, xrefs: 00401AA6
, xrefs: 00401A3D
*, xrefs: 00401A29
*, xrefs: 00401A1F
4, xrefs: 00401A83
=, xrefs: 00401A56
;, xrefs: 00401A15

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: _getenv
String ID: $*$*$*$4$;$=$A$d$h$o$v$x
API String ID: 3834326495-747063073
Opcode ID: bd19b626aae868f62a9bcc5ca0cef219ea2b572497218d14ca99077c73717cac
Instruction ID: c0040f5fde89cda5e7939e591bfc59a1191b36c8323c5497634e108528d88881
Opcode Fuzzy Hash: bd19b626aae868f62a9bcc5ca0cef219ea2b572497218d14ca99077c73717cac
Instruction Fuzzy Hash: 9421FC1000C7C299D322D67D588864FAFC54BA726CF485B9DF1E56A2E2D7698209C37B

Uniqueness

Uniqueness Score: -1.00%

Function 0043A697 Relevance: 10.6, APIs: 7, Instructions: 102
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E0043A697(void* __ebx, void* __edx, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t3;
				intOrPtr _t5;
				void* _t12;
				void* _t18;
				intOrPtr _t19;
				void* _t20;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t28;
				intOrPtr _t29;
				void* _t37;
				void* _t38;
				void* _t41;
				void* _t44;
				intOrPtr _t46;

				_t40 = __edx;
				_t30 = __ebx;
				_t3 = _a8;
				_push(_t44);
				_push(_t41);
				if(_t3 != 1) {
					__eflags = _t3;
					if(_t3 != 0) {
						__eflags = _t3 - 2;
						if(_t3 != 2) {
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								E0043BD4A(0, _t44, 0);
							}
							goto L26;
						} else {
							E0043BA30();
							_t46 = E0043E152(__ebx, 1, 0x214);
							__eflags = _t46;
							if(_t46 != 0) {
								_push(_t46);
								_push( *0x44b6a8);
								__eflags =  *((intOrPtr*)(E0043B9B5(__ebx, __edx,  *0x44e4cc)))();
								if(__eflags != 0) {
									_push(0);
									_t12 = E0043BAA1(_t30, __edx, 0, _t46, __eflags);
									_t37 = _t46;
									return E0042C857(_t12, _t37);
								}
								_push(_t46);
								E0043AEA4(_t30, __edx, 0, _t46, __eflags);
							}
							goto L2;
						}
					} else {
						__eflags =  *0x44e470; // 0x1
						if(__eflags <= 0) {
							goto L2;
						} else {
							 *0x44e470 =  *0x44e470 - 1;
							__eflags =  *0x44e51c; // 0x0
							if(__eflags == 0) {
								E0043E4A2();
							}
							__eflags = _a12;
							if(_a12 == 0) {
								E0043E753(_t30);
								E0043BA64(_t30, _t40);
								E0043EC87(_t30, 0, _t44);
							}
							goto L26;
						}
					}
				} else {
					_t18 = E0043EC57(_t3); // executed
					_pop(_t38);
					if(_t18 != 0) {
						_t19 = E0043BDB8(__ebx, _t38, __edx);
						__eflags = _t19;
						if(_t19 != 0) {
							_t20 = E0043EC0B();
							_push(__ebx);
							 *0x450118 = E005B7596(_t20, _t44);
							 *0x44e474 = E0043EAD4(_t30, _t44); // executed
							_t23 = E0043E4FF(_t30, __edx, _t41, _t44, __eflags); // executed
							__eflags = _t23;
							if(_t23 >= 0) {
								_t24 = E0043EA19(_t30, _t38, _t40, _t41, _t44);
								__eflags = _t24;
								if(_t24 < 0) {
									L11:
									E0043E753(_t30);
									goto L6;
								} else {
									_t28 = E0043E7A1(_t30, _t38, _t40);
									__eflags = _t28;
									if(_t28 < 0) {
										goto L11;
									} else {
										_t29 = E0043E2DB(0);
										__eflags = _t29;
										if(_t29 != 0) {
											goto L11;
										} else {
											 *0x44e470 =  *0x44e470 + 1;
											L26:
											_t5 = 1;
											__eflags = 1;
										}
									}
								}
							} else {
								L6:
								E0043BA64(_t30, _t40);
								goto L4;
							}
						} else {
							L4:
							E0043EC87(_t30, _t41, _t44);
							goto L2;
						}
					} else {
						L2:
						_t5 = 0;
					}
				}
				return _t5;
				goto L28;
			}

0x0043a697
0x0043a697
0x0043a69c
0x0043a69f
0x0043a6a0
0x0043a6a4
0x0043a724
0x0043a726
0x0043a759
0x0043a75c
0x0043a7b7
0x0043a7ba
0x0043a7bd
0x0043a7c2
0x00000000
0x0043a75e
0x0043a75e
0x0043a76f
0x0043a773
0x0043a775
0x0043a77b
0x0043a77c
0x0043a790
0x0043a792
0x0043a794
0x0043a796
0x0043a79c
0x00000000
0x0043a79d
0x0043a7ab
0x0043a7ac
0x0043a7b1
0x00000000
0x0043a775
0x0043a728
0x0043a728
0x0043a72e
0x00000000
0x0043a730
0x0043a730
0x0043a736
0x0043a73c
0x0043a73e
0x0043a73e
0x0043a743
0x0043a746
0x0043a748
0x0043a74d
0x0043a752
0x0043a752
0x00000000
0x0043a746
0x0043a72e
0x0043a6a6
0x0043a6a7
0x0043a6ac
0x0043a6af
0x0043a6b8
0x0043a6bd
0x0043a6bf
0x0043a6c8
0x0043a6cd
0x0043a6d3
0x0043a6dd
0x0043a6e2
0x0043a6e7
0x0043a6e9
0x0043a6f2
0x0043a6f7
0x0043a6f9
0x0043a71b
0x0043a71b
0x00000000
0x0043a6fb
0x0043a6fb
0x0043a700
0x0043a702
0x00000000
0x0043a704
0x0043a706
0x0043a70c
0x0043a70e
0x00000000
0x0043a710
0x0043a710
0x0043a7c3
0x0043a7c5
0x0043a7c5
0x0043a7c5
0x0043a70e
0x0043a702
0x0043a6eb
0x0043a6eb
0x0043a6eb
0x00000000
0x0043a6eb
0x0043a6c1
0x0043a6c1
0x0043a6c1
0x00000000
0x0043a6c1
0x0043a6b1
0x0043a6b1
0x0043a6b1
0x0043a6b1
0x0043a6af
0x0043a7c9
0x00000000

APIs

__RTC_Initialize.LIBCMT ref: 0043A6C8
__mtterm.LIBCMT ref: 0043A6EB

Part of subcall function 0043BA64: TlsFree.KERNEL32(00000005,0043A752), ref: 0043BA8F

__setenvp.LIBCMT ref: 0043A6FB
__cinit.LIBCMT ref: 0043A706
__mtterm.LIBCMT ref: 0043A74D
___set_flsgetvalue.LIBCMT ref: 0043A75E

Part of subcall function 0043BA30: TlsGetValue.KERNEL32(?,0043A763), ref: 0043BA39
Part of subcall function 0043BA30: TlsSetValue.KERNEL32(00000000,0043A763), ref: 0043BA5A

Part of subcall function 0043E152: __calloc_impl.LIBCMT ref: 0043E163

__freeptd.LIBCMT ref: 0043A7BD

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: Value__mtterm$FreeInitialize___set_flsgetvalue__calloc_impl__cinit__freeptd__setenvp
String ID:
API String ID: 3546094511-0
Opcode ID: 1d28b42b27b2afebaa4a7563bd8cc235e26b22b2a94a51e8f1c6d6f040a441d5
Instruction ID: 70f5d41bb0e3cc0f1c40b6a48e9dcdc327f14b6879285dab8655bdbc3a13676b
Opcode Fuzzy Hash: 1d28b42b27b2afebaa4a7563bd8cc235e26b22b2a94a51e8f1c6d6f040a441d5
Instruction Fuzzy Hash: 4B21A135186611659A2173B35C83A6F2268EF9D768F20342FF5C5C02D2EF2DC86259AF

Uniqueness

Uniqueness Score: -1.00%

Function 0041046E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E0041046E(intOrPtr _a4) {
				intOrPtr* _t8;
				intOrPtr _t10;
				void* _t11;

				if(TlsGetValue( *0x4227d4) == 0) {
					L4:
					_push(L"KERNEL32.DLL");
					return E006C0D2A(_t5, _t11);
				}
				_t5 =  *0x4227d0; // 0x6
				if(_t5 == 0xffffffff) {
					goto L4;
				}
				_push(_t5);
				_t5 =  *(TlsGetValue( *0x4227d4))();
				if(_t5 == 0) {
					goto L4;
				}
				_t8 =  *((intOrPtr*)(_t5 + 0x1f8));
				if(_t8 != 0) {
					_t10 =  *_t8(_a4); // executed
					_a4 = _t10;
				}
				return _a4;
			}

0x00410484
0x004104a7
0x004104ac
0x00000000
0x004104ad
0x00410486
0x0041048e
0x00000000
0x00000000
0x00410490
0x00410499
0x0041049d
0x00000000
0x00000000
0x0041049f
0x004104d0
0x004104d5
0x004104d7
0x004104d7
0x004104df

APIs

TlsGetValue.KERNEL32(00000000,?,0040D232,0040AFB2,?,?,?,0040D29E,0040AFB2,00421200,0000000C,0040D2CA,0040AFB2,?,0040AFB2), ref: 00410480
TlsGetValue.KERNEL32(00000006,?,0040D232,0040AFB2,?,?,?,0040D29E,0040AFB2,00421200,0000000C,0040D2CA,0040AFB2,?,0040AFB2), ref: 00410497
RtlEncodePointer.NTDLL(0040AFB2,?,0040D232,0040AFB2,?,?,?,0040D29E,0040AFB2,00421200,0000000C,0040D2CA,0040AFB2,?,0040AFB2), ref: 004104D5

Strings

KERNEL32.DLL, xrefs: 004104A7, 004104AC

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: Value$EncodePointer
String ID: KERNEL32.DLL
API String ID: 2264855619-2576044830
Opcode ID: 60fa63c300b081f63e320aefe0ccfc72dad2f05bfbe4cb3573646af5e8e9e49c
Instruction ID: be61d9395a25edaf936315f07218d12f55943552c8e71a79be896a5636255d5b
Opcode Fuzzy Hash: 60fa63c300b081f63e320aefe0ccfc72dad2f05bfbe4cb3573646af5e8e9e49c
Instruction Fuzzy Hash: 15F08230100115EB8B219B69DD40DEA3EA9EF803607844072F91DD7660DB74DDC28B98

Uniqueness

Uniqueness Score: -1.00%

Function 0043B93A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E0043B93A(intOrPtr _a4) {
				intOrPtr* _t8;
				intOrPtr _t10;
				void* _t11;
				void* _t12;

				if(TlsGetValue( *0x44b6ac) == 0) {
					L4:
					_push(L"KERNEL32.DLL");
					return E0054A24F(_t5, _t11, _t12);
				}
				_t5 =  *0x44b6a8; // 0x5
				if(_t5 == 0xffffffff) {
					goto L4;
				}
				_push(_t5);
				_t5 =  *(TlsGetValue( *0x44b6ac))();
				if(_t5 == 0) {
					goto L4;
				}
				_t8 =  *((intOrPtr*)(_t5 + 0x1f8));
				if(_t8 != 0) {
					_t10 =  *_t8(_a4); // executed
					_a4 = _t10;
				}
				return _a4;
			}

0x0043b950
0x0043b973
0x0043b978
0x00000000
0x0043b979
0x0043b952
0x0043b95a
0x00000000
0x00000000
0x0043b95c
0x0043b965
0x0043b969
0x00000000
0x00000000
0x0043b96b
0x0043b99c
0x0043b9a1
0x0043b9a3
0x0043b9a3
0x0043b9ab

APIs

TlsGetValue.KERNEL32(00000000,?,0043C27E,0043950C,?,?,?,0043C2EA,0043950C,00448DC8,0000000C,0043C316,0043950C,?,0043950C), ref: 0043B94C
TlsGetValue.KERNEL32(00000005,?,0043C27E,0043950C,?,?,?,0043C2EA,0043950C,00448DC8,0000000C,0043C316,0043950C,?,0043950C), ref: 0043B963
RtlEncodePointer.NTDLL(0043950C,?,0043C27E,0043950C,?,?,?,0043C2EA,0043950C,00448DC8,0000000C,0043C316,0043950C,?,0043950C), ref: 0043B9A1

Strings

KERNEL32.DLL, xrefs: 0043B973, 0043B978

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: Value$EncodePointer
String ID: KERNEL32.DLL
API String ID: 2264855619-2576044830
Opcode ID: 618e7da5f09acce08f10a8aab5e8d9030f7f3e17ff4f72b7edae13a3da113dae
Instruction ID: 9f0563957f1277bac1b5af2f1a5f818b4092aa89de5b915b9887decc88a3d0d8
Opcode Fuzzy Hash: 618e7da5f09acce08f10a8aab5e8d9030f7f3e17ff4f72b7edae13a3da113dae
Instruction Fuzzy Hash: DCF05E74504115AA8B105B25DC01B9A3F98EF8A3A0B055132EE18D6260DB35DE1286DE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EB9 Relevance: 4.6, APIs: 3, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00401EB9(void* __eax, signed int __ebx, void* __edx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a28, char _a32, intOrPtr _a40, signed int _a44, intOrPtr _a48, signed int _a52, intOrPtr _a68, signed int _a72, signed int _a80, intOrPtr _a124) {
				void* _t27;
				signed int _t28;
				void* _t29;
				signed int _t30;
				signed int _t32;
				void* _t34;
				void* _t37;
				void* _t38;
				intOrPtr _t40;
				signed int _t43;
				signed int _t46;
				signed int _t58;
				intOrPtr _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t69;
				void* _t77;

				_t69 = __eflags;
				_t65 = __ebp;
				_t63 = __edi;
				_t43 = __ebx;
				_t27 = E0040B84D(__ebx, __edx, __edi, __eax); // executed
				_push(0x40022);
				_t64 = _t27; // executed
				_t28 = E0040AF66(__ebx, __edx, __edi, _t69); // executed
				_t67 = _t66 + 8;
				_a52 = _t28;
				_t70 = _t28 - __ebx;
				if(_t28 == __ebx) {
					_a80 = __ebx;
				} else {
					E0040BA30(__edi, _t28, __ebx, 0x40022);
					_t67 = _t67 + 0xc;
					_a80 = _a52;
				}
				_t29 = E00401300(_a80);
				_t58 = _a72;
				_push(_t58);
				_push(_t63);
				_push(_t58);
				_t30 = E0068FA27(_t29, _t58, _t70);
				_a52 = _t30;
				asm("cdq");
				_t32 = _t30 + (_t58 & 0x000003ff) >> 0xa;
				if(_t32 > _t43) {
					_t62 = _a48;
					_a40 = _t62;
					_a124 = _t64 - _t62;
					_a44 = _t32;
					do {
						_t40 = _a40;
						_push(_a124 + _t40);
						_push(0x400);
						_push(_t40);
						E00401560(_t43, _a68);
						_a28 = _a28 + 0x400;
						_t17 =  &_a32;
						 *_t17 = _a32 - 1;
					} while ( *_t17 != 0);
				}
				_t46 = _a52 & 0x800003ff;
				if(_t46 < 0) {
					_t46 = (_t46 - 0x00000001 | 0xfffffc00) + 1;
				}
				if(_t46 > _t43) {
					_t37 = _a52 - _t46;
					_push(_t37 + _t64);
					_push(_t46);
					_t38 = _t37 + _a48;
					_t77 = _t38;
					_push(_t38);
					E00401560(_t43, _a68);
				}
				_t34 = E0040BA30(_t63, _a48, _t43, _a52);
				_push(_t65);
				return E00569127(_t34, _t77);
			}

0x00401eb9
0x00401eb9
0x00401eb9
0x00401eb9
0x00401eba
0x00401ebf
0x00401ec4
0x00401ec6
0x00401ecb
0x00401ece
0x00401ed2
0x00401ed4
0x00401eef
0x00401ed6
0x00401edd
0x00401ee6
0x00401ee9
0x00401ee9
0x00401ef7
0x00401efc
0x00401f00
0x00401f01
0x00401f02
0x00401f03
0x00401f08
0x00401f0c
0x00401f15
0x00401f1a
0x00401f1c
0x00401f24
0x00401f28
0x00401f2f
0x00401f33
0x00401f33
0x00401f40
0x00401f45
0x00401f4a
0x00401f4b
0x00401f50
0x00401f58
0x00401f58
0x00401f58
0x00401f33
0x00401f63
0x00401f69
0x00401f72
0x00401f72
0x00401f75
0x00401f7b
0x00401f80
0x00401f81
0x00401f86
0x00401f86
0x00401f8c
0x00401f8d
0x00401f8d
0x00401f9d
0x00401fa5
0x00401fab

APIs

_malloc.LIBCMT ref: 00401EBA

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

_memset.LIBCMT ref: 00401EDD
_memset.LIBCMT ref: 00401F9D

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: _malloc_memset$AllocateHeap
String ID:
API String ID: 3465003713-0
Opcode ID: 15ea7375467bad3c27e0af30f2fb7b5fb40dbce213f987bd0695f131b9736585
Instruction ID: f2720e61a658d8849ac373bb4309f46f00a6f1504b7a6408ff0d0afee68baf09
Opcode Fuzzy Hash: 15ea7375467bad3c27e0af30f2fb7b5fb40dbce213f987bd0695f131b9736585
Instruction Fuzzy Hash: 48213DB1608341AFC358EB64C89592FB7E9FFC4704F44893DF68697291D678DC008B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF66 Relevance: 4.5, APIs: 3, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E0040AF66(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v4;
				signed int _v16;
				signed int _v40;
				void* _t14;
				signed int _t15;
				signed int _t19;
				signed int _t24;
				void* _t28;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t44;
				void* _t46;
				void* _t50;

				_t39 = __edi;
				_t38 = __edx;
				_t28 = __ebx;
				_t44 = _t50;
				while(1) {
					_t14 = E0040B84D(_t28, _t38, _t39, _a4); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = E0040D2E3(_a4);
					__eflags = _t15;
					if(_t15 == 0) {
						__eflags =  *0x423490 & 0x00000001;
						if(( *0x423490 & 0x00000001) == 0) {
							 *0x423490 =  *0x423490 | 0x00000001;
							__eflags =  *0x423490;
							E0040AEFC(0x423484);
							E0040D2BD( *0x423490, 0x41a704);
						}
						E0040AF49( &_v16, 0x423484);
						E0040CD39(_t38, _t39, 0x423484,  &_v16, 0x420fa4);
						asm("int3");
						_t46 = _t44;
						_push(_t46);
						_push(0xc);
						_push(0x420ff8);
						_t19 = E0040E1D8(_t28, _t39, 0x423484);
						_t41 = _v4;
						__eflags = _t41;
						if(_t41 != 0) {
							__eflags =  *0x4250b0 - 3;
							if( *0x4250b0 != 3) {
								_push(_t41);
								goto L16;
							} else {
								E0040D6E0(_t28, _t38, _t39, _t41, 4);
								_v16 = _v16 & 0x00000000;
								_t24 = E0040D713(_t41);
								_v40 = _t24;
								__eflags = _t24;
								if(_t24 != 0) {
									_push(_t41);
									_push(_t24);
									E0040D743();
								}
								_v16 = 0xfffffffe;
								_t19 = E0040B70B();
								__eflags = _v40;
								if(_v40 == 0) {
									_push(_v4);
									L16:
									_push(0);
									_push( *0x4234b4);
									_push(_t19);
									_t19 = E0066A606(_t19);
									__eflags = _t19;
									if(_t19 == 0) {
										return E005BB7E2(E0040BFC1());
									}
								}
							}
						}
						return E0040E21D(_t19);
					} else {
						continue;
					}
					goto L20;
				}
				return _t14;
				goto L20;
			}

0x0040af66
0x0040af66
0x0040af66
0x0040af69
0x0040af7d
0x0040af80
0x0040af88
0x00000000
0x00000000
0x0040af73
0x0040af79
0x0040af7b
0x0040af8c
0x0040af98
0x0040af9a
0x0040af9a
0x0040afa3
0x0040afad
0x0040afb2
0x0040afb7
0x0040afc5
0x0040afca
0x0040afd0
0x0040aec2
0x0040b6b5
0x0040b6b7
0x0040b6bc
0x0040b6c1
0x0040b6c4
0x0040b6c6
0x0040b6c8
0x0040b6cf
0x0040b714
0x00000000
0x0040b6d1
0x0040b6d3
0x0040b6d9
0x0040b6de
0x0040b6e4
0x0040b6e7
0x0040b6e9
0x0040b6eb
0x0040b6ec
0x0040b6ed
0x0040b6f3
0x0040b6f4
0x0040b6fb
0x0040b700
0x0040b704
0x0040b706
0x0040b715
0x0040b715
0x0040b717
0x0040b71d
0x0040b71e
0x0040b723
0x0040b725
0x00000000
0x0040b72e
0x0040b725
0x0040b704
0x0040b6cf
0x0040b742
0x00000000
0x00000000
0x00000000
0x00000000
0x0040af7b
0x0040af8b
0x00000000

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 832318072-0
Opcode ID: b345fa5dd82e9b4f5c74ef0e5f3feb58fb763bf4bd372753273fca7b37c13978
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: b345fa5dd82e9b4f5c74ef0e5f3feb58fb763bf4bd372753273fca7b37c13978
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Uniqueness

Uniqueness Score: -1.00%

Function 004394C0 Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E004394C0(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char _v20;
				signed short* _v24;
				void* _t9;
				signed int _t10;
				signed short* _t14;
				void* _t19;
				signed int _t23;
				void* _t26;
				intOrPtr _t27;
				void* _t28;

				_t28 = __edi;
				_t26 = __edx;
				_t19 = __ebx;
				while(1) {
					_t9 = E0043C36F(_t19, _t26, _t28, _a4); // executed
					if(_t9 != 0) {
						break;
					}
					_t10 = E0043C448(_a4);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x44e46c & 0x00000001;
						if(( *0x44e46c & 0x00000001) == 0) {
							 *0x44e46c =  *0x44e46c | 0x00000001;
							__eflags =  *0x44e46c;
							E004394A5(0x44e460);
							E0043C309( *0x44e46c, 0x4452a0);
						}
						E00431430( &_v20, 0x44e460);
						E0043A9D8(_t19, _t28, 0x44e460,  &_v20, 0x449230);
						asm("int3");
						_t14 = _v24;
						_t27 = _v20;
						while(1) {
							_t23 =  *_t14 & 0x0000ffff;
							__eflags = _t23;
							if(_t23 == 0) {
								break;
							}
							__eflags = _t23 - _t27;
							if(_t23 != _t27) {
								_t14 =  &(_t14[1]);
								__eflags = _t14;
								continue;
							}
							L12:
							return _t14;
							goto L13;
						}
						__eflags =  *_t14 - _t27;
						if( *_t14 != _t27) {
							__eflags = 0;
							return 0;
						}
						goto L12;
					} else {
						continue;
					}
					L13:
				}
				return _t9;
				goto L13;
			}

0x004394c0
0x004394c0
0x004394c0
0x004394d7
0x004394da
0x004394e2
0x00000000
0x00000000
0x004394cd
0x004394d3
0x004394d5
0x004394e6
0x004394f2
0x004394f4
0x004394f4
0x004394fd
0x00439507
0x0043950c
0x00439511
0x0043951f
0x00439524
0x0043952a
0x0043952d
0x0043953a
0x0043953a
0x0043953d
0x00439540
0x00000000
0x00000000
0x00439533
0x00439536
0x00439539
0x00439539
0x00000000
0x00439539
0x0043954a
0x0043954a
0x00000000
0x0043954a
0x00439542
0x00439545
0x00439547
0x00000000
0x00439547
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004394d5
0x004394e5
0x00000000

APIs

_malloc.LIBCMT ref: 004394DA

Part of subcall function 0043C36F: __FF_MSGBANNER.LIBCMT ref: 0043C392
Part of subcall function 0043C36F: __NMSG_WRITE.LIBCMT ref: 0043C399
Part of subcall function 0043C36F: RtlAllocateHeap.NTDLL(00000000,004394D0), ref: 0043C3E6

std::bad_alloc::bad_alloc.LIBCMT ref: 004394FD

Part of subcall function 004394A5: std::exception::exception.LIBCMT ref: 004394B1

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID:
API String ID: 3447465555-0
Opcode ID: 4ec9e1b6041c9628ce750c799d5c75a5ef0975d32dce22628522b389e8499060
Instruction ID: c616e69cebb12267cb196661a49c342c4a0b0426f86075831298f7d14eb6f9de
Opcode Fuzzy Hash: 4ec9e1b6041c9628ce750c799d5c75a5ef0975d32dce22628522b389e8499060
Instruction Fuzzy Hash: EF014732404208769F147B62E81266A3768AB2D72CF60E06BF84592191EBEC9D81C75D

Uniqueness

Uniqueness Score: -1.00%

Function 0043E152 Relevance: 1.5, APIs: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0043E152(void* __ebx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t4;
				signed int _t7;
				void* _t8;
				void* _t9;
				signed int _t10;
				void* _t12;
				void* _t15;
				void* _t16;

				_t8 = __ebx;
				_t10 = 0;
				while(1) {
					_push(0);
					_push(_a8);
					_push(_a4);
					_t4 = E00442EA9(_t8, _t9, _t10, 0); // executed
					_t9 = _t4;
					_t12 = _t12 + 0xc;
					if(_t9 != 0) {
						break;
					}
					_t15 =  *0x44e4ec - _t4; // 0x0
					if(_t15 > 0) {
						_push(_t10);
						E005AC682(_t4);
						_t3 = _t10 + 0x3e8; // 0x3e8
						_t7 = _t3;
						_t16 = _t7 -  *0x44e4ec; // 0x0
						if(_t16 > 0) {
							_t7 = _t7 | 0xffffffff;
						}
						_t10 = _t7;
						if(_t7 != 0xffffffff) {
							continue;
						}
					}
					break;
				}
				return _t9;
			}

0x0043e152
0x0043e159
0x0043e15b
0x0043e15b
0x0043e15d
0x0043e160
0x0043e163
0x0043e168
0x0043e16a
0x0043e16f
0x00000000
0x00000000
0x0043e171
0x0043e177
0x0043e179
0x0043e17b
0x0043e180
0x0043e180
0x0043e186
0x0043e18c
0x0043e18e
0x0043e18e
0x0043e191
0x0043e196
0x00000000
0x00000000
0x0043e196
0x00000000
0x0043e177
0x0043e19d

APIs

__calloc_impl.LIBCMT ref: 0043E163

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __calloc_impl
String ID:
API String ID: 2175177749-0
Opcode ID: ae9743769b0205c34b5d14a14456ba3459f6215113fa4323b400baa838eb590b
Instruction ID: e2010799ec3a31ef4f133a465bd49fedff27dc61c6903060726823c5a09f4728
Opcode Fuzzy Hash: ae9743769b0205c34b5d14a14456ba3459f6215113fa4323b400baa838eb590b
Instruction Fuzzy Hash: 4FE0E53554111466CB30A67B9C00A8B3F5ADBC13B1F110332FA3CC22D0D67598418698

Uniqueness

Uniqueness Score: -1.00%

Function 00411CE8 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00411CE8(void* __ebx, void* __edi, void* __esi) {
				void* _t4;
				void* _t5;
				void* _t8;
				void* _t9;
				void* _t11;
				void* _t13;
				void* _t17;
				void* _t19;

				_t11 = __esi;
				_t9 = __edi;
				_t8 = __ebx;
				_t4 = __esi + 0x3e8;
				_t17 = _t4 -  *0x423974; // 0x0
				if(_t17 > 0) {
					__eflags = __eax;
				}
				_t11 = _t4;
				__eflags = _t4 - 0xffffffff;
				if(__eflags != 0) {
					_push(0);
					_push( *((intOrPtr*)(_t13 + 0xc)));
					_push( *((intOrPtr*)(_t13 + 8)));
					_t5 = E0040E231(_t8, _t9, _t11, _t17); // executed
					_t9 = _t5;
					if(_t9 != 0) {
						goto L6;
					} else {
						_t19 =  *0x423974 - _t5; // 0x0
						if(_t19 <= 0) {
							goto L6;
						} else {
							_push(_t11);
							return E006B7517(_t5, _t9);
						}
					}
				} else {
					L6:
					return _t9;
				}
			}

0x00411ce8
0x00411ce8
0x00411ce8
0x00411ce8
0x00411cee
0x00411cf4
0x00411cf6
0x00411cf6
0x00411cf9
0x00411cfb
0x00411cfe
0x00411cc3
0x00411cc5
0x00411cc8
0x00411ccb
0x00411cd0
0x00411cd7
0x00000000
0x00411cd9
0x00411cd9
0x00411cdf
0x00000000
0x00411ce1
0x00411ce1
0x00411ce7
0x00411ce7
0x00411cdf
0x00411d00
0x00411d00
0x00411d05
0x00411d05

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c0ddf2585af1a555aee112ae1de6393932176b4cd3f292a7f754f704c39561
Instruction ID: 1aa9006096a3dcdbc94ab9cb7f59bda86ceb688690bd7133914bae25a79d745e
Opcode Fuzzy Hash: 64c0ddf2585af1a555aee112ae1de6393932176b4cd3f292a7f754f704c39561
Instruction Fuzzy Hash: 60E09276A4040056CA316B34FC007DD36959BC13B2F500B76FA38C62F0E6799AD14648

Uniqueness

Uniqueness Score: -1.00%

Function 00411CBA Relevance: 1.5, APIs: 1, Instructions: 24
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00411CBA(void* __ebx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t3;
				void* _t7;
				void* _t8;
				void* _t20;

				_push(_t7);
				_push(0);
				_push(_a8);
				_push(_a4);
				_t3 = E0040E231(__ebx, _t7, 0, 0); // executed
				_t8 = _t3;
				if(_t8 != 0) {
					L4:
					return _t8;
				} else {
					_t20 =  *0x423974 - _t3; // 0x0
					if(_t20 <= 0) {
						goto L4;
					} else {
						_push(0);
						return E006B7517(_t3, _t8);
					}
				}
			}

0x00411cc0
0x00411cc3
0x00411cc5
0x00411cc8
0x00411ccb
0x00411cd0
0x00411cd7
0x00411d00
0x00411d05
0x00411cd9
0x00411cd9
0x00411cdf
0x00000000
0x00411ce1
0x00411ce1
0x00411ce7
0x00411ce7
0x00411cdf

APIs

__calloc_impl.LIBCMT ref: 00411CCB

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __calloc_impl
String ID:
API String ID: 2175177749-0
Opcode ID: 3c318ffa8caa1094effda38d93105623274e4b1b5fe4f066010288d0bbea47e2
Instruction ID: 981ebf3dcb509c58260759eadbc3f901f07da8bca254c717b9c68a75e6baeb97
Opcode Fuzzy Hash: 3c318ffa8caa1094effda38d93105623274e4b1b5fe4f066010288d0bbea47e2
Instruction Fuzzy Hash: 19E0C23664111432CB312AB7BC01BCF3E5ADBC17F2F540036FE0C96221D93999928299

Uniqueness

Uniqueness Score: -1.00%

Function 00411C9C Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00411C9C(void* __ebx, void* __edi, void* __esi) {
				void* _t3;
				void* _t4;
				void* _t7;
				void* _t9;
				void* _t10;
				void* _t12;
				void* _t14;
				void* _t16;
				void* _t18;

				_t12 = __esi;
				_t10 = __edi;
				_t7 = __ebx;
				_t3 = __esi + 0x3e8;
				_t16 = _t3 -  *0x423974; // 0x0
				if(_t16 > 0) {
					__eax = __eax | 0xffffffff;
				}
				_t12 = _t3;
				if(_t3 != 0xffffffff) {
					_t4 = E0040B84D(_t7, _t9, _t10,  *((intOrPtr*)(_t14 + 8))); // executed
					_t10 = _t4;
					if(_t10 == 0) {
						_t18 =  *0x423974 - _t4; // 0x0
						if(_t18 > 0) {
							_push(_t12);
							return E0042EA68(_t4, _t9);
						}
					}
				}
				return _t10;
			}

0x00411c9c
0x00411c9c
0x00411c9c
0x00411c9c
0x00411ca2
0x00411ca8
0x00411caa
0x00411caa
0x00411cad
0x00411cb2
0x00411c81
0x00411c86
0x00411c8b
0x00411c8d
0x00411c93
0x00411c95
0x00000000
0x00411c96
0x00411c93
0x00411c8b
0x00411cb9

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0699dc078100b10eedb25af61671551520f536de0736a778c16b6b5e7c877527
Instruction ID: 2c9167ad002530150bb5670396ae61d7ffb0cd21eceb10d02624bb6eb9dcc63e
Opcode Fuzzy Hash: 0699dc078100b10eedb25af61671551520f536de0736a778c16b6b5e7c877527
Instruction Fuzzy Hash: D6E08676F40410468A317B79E8404ED77659AC33B53500777E278C22F0F7388DC1468C

Uniqueness

Uniqueness Score: -1.00%

Function 00411C75 Relevance: 1.5, APIs: 1, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00411C75(void* __ebx, intOrPtr _a4) {
				void* __edi;
				void* _t2;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t20;

				_push(_t8);
				_t2 = E0040B84D(__ebx, _t7, _t8, _a4); // executed
				_t9 = _t2;
				if(_t9 == 0) {
					_t20 =  *0x423974 - _t2; // 0x0
					if(_t20 > 0) {
						_push(0);
						return E0042EA68(_t2, _t7);
					}
				}
				return _t9;
			}

0x00411c7b
0x00411c81
0x00411c86
0x00411c8b
0x00411c8d
0x00411c93
0x00411c95
0x00000000
0x00411c96
0x00411c93
0x00411cb9

APIs

_malloc.LIBCMT ref: 00411C81

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 0951d8541b762d99fd8121f430cc1a53cb3eecb632865de58c20c2a0d3264bac
Instruction ID: 3b2a4d0d8753ecff403080e9c9e95231590b631f36de0ec728d41e1990ff24e1
Opcode Fuzzy Hash: 0951d8541b762d99fd8121f430cc1a53cb3eecb632865de58c20c2a0d3264bac
Instruction Fuzzy Hash: 2ED05B37745114664B217767A8008DB7E5DD5C36F53550137F51CD22119A384D4181DD

Uniqueness

Uniqueness Score: -1.00%

Function 0274D668 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517444376.000000000274D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0274D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_274d000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0575164ae0ba48688d56262e620c2deb2d532c6a4b45b23fbdc9623ba11f85
Instruction ID: 6871d439bedbbc2048bce8824aded5f22acd279104131e58308c90d994c9fb94
Opcode Fuzzy Hash: 1f0575164ae0ba48688d56262e620c2deb2d532c6a4b45b23fbdc9623ba11f85
Instruction Fuzzy Hash: CB2149B5504244EFDB25CF10D9C4F26BFA5FB88354F24C5ADE9494B246C736D806CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0274D754 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517444376.000000000274D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0274D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_274d000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f801728e9b114a3d90b11e35abc6c8779a93af991327328d28e8f72648c36f7c
Instruction ID: 9ebbe336a3a9572a1e7f68ee342e53fca4be7498649ae151bce4249fd4aad4d1
Opcode Fuzzy Hash: f801728e9b114a3d90b11e35abc6c8779a93af991327328d28e8f72648c36f7c
Instruction Fuzzy Hash: 9B2137B1504244EFDB25CF10D9C0F2ABFA5FB88724F20C579E9455B246C736D816CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0274D663 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517444376.000000000274D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0274D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_274d000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15531061ace5ef6762c26d0370a9fc83298621a86ed2a5015559066ed43e760
Instruction ID: 008023745b353152c6d394a1462f1b523d6a800ecd0741872731a8abbab1f6ba
Opcode Fuzzy Hash: c15531061ace5ef6762c26d0370a9fc83298621a86ed2a5015559066ed43e760
Instruction Fuzzy Hash: C4119076504280DFCB26CF10D9C4F5ABF72FB88324F2486A9D8454B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0274D74F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517444376.000000000274D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0274D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_274d000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15531061ace5ef6762c26d0370a9fc83298621a86ed2a5015559066ed43e760
Instruction ID: a71a3336121dc74df0f33119be78e5f1e723ade8afbe97050b5eba644a347432
Opcode Fuzzy Hash: c15531061ace5ef6762c26d0370a9fc83298621a86ed2a5015559066ed43e760
Instruction Fuzzy Hash: 5511E676904280CFCF22CF10D9C4B26BF71FB84724F24C6A9D8450B656C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0274D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517444376.000000000274D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0274D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_274d000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe3baf7a1e065252fe6ac81c3358379d3500474f7e12139a4a9166c69c67792
Instruction ID: 1deb8a7dccc5a5087cd3c9f859a50097558090aed94c3642f6b8838684e2ef41
Opcode Fuzzy Hash: 2fe3baf7a1e065252fe6ac81c3358379d3500474f7e12139a4a9166c69c67792
Instruction Fuzzy Hash: 3101DB715083449AE7308F25CCC4B67FB98EF41668F08C15AED855F256C779A845C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0274D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517444376.000000000274D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0274D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_274d000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15488e3092ac6bbd13d9dde6ea6f5060c24d8d1df4a2b8b24693fba12559747f
Instruction ID: e755de21c9ae1ff7abe054888b5e9d4602ecbafc2449adc190f14c5a86d3084a
Opcode Fuzzy Hash: 15488e3092ac6bbd13d9dde6ea6f5060c24d8d1df4a2b8b24693fba12559747f
Instruction Fuzzy Hash: 7A010C7140D3C49ED7128B258894B62BFB4EF43624F1981DBE9848F2A7C3699849D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0274D25B Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517444376.000000000274D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0274D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_274d000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5e96b004eb514757a35d9866df0680f1f6fde3227f851df9589634702e2aba
Instruction ID: f900b8db2f51cb113f15ab74062421cf825b838a3f8dab7ca51d36879c1ffb87
Opcode Fuzzy Hash: eb5e96b004eb514757a35d9866df0680f1f6fde3227f851df9589634702e2aba
Instruction Fuzzy Hash: BAF0F976200604AF97208F0AD885C27FBA9EFC5774755C55AE8499B712C771EC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0274D24C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.517444376.000000000274D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0274D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_274d000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b642d5f9c0f266d351f7380ae485ca272996988d6a4415275c50c4002c173d4
Instruction ID: d2321bb9c7d4ca822fe9cbccca043562818db4f43081161434136e888044ecb2
Opcode Fuzzy Hash: 8b642d5f9c0f266d351f7380ae485ca272996988d6a4415275c50c4002c173d4
Instruction Fuzzy Hash: A4F0E775104A80AFD7258F16C994C23BFB9EF866607198589E8899B362C671FC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408C60 Relevance: 4.1, Strings: 3, Instructions: 377
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00408C60(signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16, signed int* _a20, signed short* _a24) {
				short _v30;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				signed int _v100;
				signed short* _v104;
				intOrPtr _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed short _v122;
				signed int _v123;
				char _v124;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				void* _t216;
				signed int _t217;
				signed int _t219;
				intOrPtr _t220;
				signed int _t223;
				signed short _t225;
				signed int _t226;
				signed int _t228;
				signed int _t233;
				signed int _t240;
				signed int _t248;
				signed int _t251;
				void* _t254;
				signed int _t260;
				intOrPtr* _t261;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				short _t270;
				intOrPtr* _t281;
				signed char _t285;
				signed int _t297;
				signed int _t299;
				intOrPtr _t305;
				signed int _t308;
				signed int _t309;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t327;
				signed int _t333;
				signed int _t336;
				char _t337;
				intOrPtr* _t340;
				signed int* _t343;
				signed int _t344;
				signed short* _t345;
				signed int _t348;
				intOrPtr* _t349;
				signed short* _t350;
				intOrPtr _t351;
				intOrPtr _t352;
				signed int _t353;
				void* _t354;

				_t354 =  &_v124;
				_t308 = _a12;
				_t352 = _a8;
				_v64 = 0xbadbad;
				_v60 = 0 << 0x10;
				_v56 = 0 << 0x10;
				_v52 = 0 << 0x10;
				_v48 = 0 << 0x10;
				_v44 = 0 << 0x10;
				_v40 = 0 << 0x10;
				_v36 = 0 << 0x10;
				_t211 = 0;
				if(_t308 > 0) {
					do {
						 *((short*)(_t354 + 0x48 + ( *(_t352 + _t211 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t354 + 0x48 + ( *(_t352 + _t211 * 2) & 0x0000ffff) * 2)) + 1;
						_t211 = _t211 + 1;
					} while (_t211 < _t308);
				}
				_t343 = _a20;
				_t212 =  *_t343;
				_v120 = _t212;
				_t263 = 0xf;
				while( *((short*)(_t354 + 0x48 + _t263 * 2)) == 0) {
					_t263 = _t263 - 1;
					if(_t263 >= 1) {
						continue;
					}
					break;
				}
				_v112 = _t263;
				if(_t212 > _t263) {
					_v120 = _t263;
				}
				if(_t263 != 0) {
					_t344 = 1;
					while(1) {
						__eflags =  *((short*)(_t354 + 0x48 + _t344 * 2));
						if( *((short*)(_t354 + 0x48 + _t344 * 2)) != 0) {
							break;
						}
						__eflags =  *((short*)(_t354 + 0x4a + _t344 * 2));
						if( *((short*)(_t354 + 0x4a + _t344 * 2)) != 0) {
							_t344 = _t344 + 1;
						} else {
							__eflags =  *((short*)(_t354 + 0x4c + _t344 * 2));
							if( *((short*)(_t354 + 0x4c + _t344 * 2)) != 0) {
								_t344 = _t344 + 2;
							} else {
								__eflags =  *((short*)(_t354 + 0x4e + _t344 * 2));
								if( *((short*)(_t354 + 0x4e + _t344 * 2)) != 0) {
									_t344 = _t344 + 3;
								} else {
									__eflags =  *((short*)(_t354 + 0x50 + _t344 * 2));
									if( *((short*)(_t354 + 0x50 + _t344 * 2)) != 0) {
										_t344 = _t344 + 4;
										__eflags = _t344;
									} else {
										_t344 = _t344 + 5;
										__eflags = _t344 - 0xf;
										if(_t344 <= 0xf) {
											continue;
										} else {
										}
									}
								}
							}
						}
						break;
					}
					__eflags = _v120 - _t344;
					if(_v120 < _t344) {
						_v120 = _t344;
					}
					_t309 = 1;
					_t213 = 1;
					while(1) {
						_t309 = _t309 + _t309 - ( *(_t354 + 0x48 + _t213 * 2) & 0x0000ffff);
						__eflags = _t309;
						if(_t309 < 0) {
							break;
						}
						_t213 = _t213 + 1;
						__eflags = _t213 - 0xf;
						if(_t213 <= 0xf) {
							continue;
						} else {
							_t333 = _a4;
							__eflags = _t309;
							if(_t309 <= 0) {
								L32:
								_v30 = 0;
								_t216 = 2;
								do {
									_t270 =  *((intOrPtr*)(_t354 + _t216 + 0x6c)) +  *((intOrPtr*)(_t354 + _t216 + 0x4c));
									_t216 = _t216 + 2;
									 *((short*)(_t354 + _t216 + 0x6c)) = _t270;
									__eflags = _t216 - 0x1e;
								} while (_t216 < 0x1e);
								_t264 = _a12;
								_t217 = 0;
								__eflags = _t264;
								if(_t264 > 0) {
									do {
										__eflags =  *(_t352 + _t217 * 2);
										if( *(_t352 + _t217 * 2) != 0) {
											 *(_a24 + ( *(_t354 + 0x6c + ( *(_t352 + _t217 * 2) & 0x0000ffff) * 2) & 0x0000ffff) * 2) = _t217;
											_t327 =  *(_t352 + _t217 * 2) & 0x0000ffff;
											_t75 = _t354 + 0x6c + _t327 * 2;
											 *_t75 =  *(_t354 + 0x6c + _t327 * 2) + 1;
											__eflags =  *_t75;
										}
										_t217 = _t217 + 1;
										__eflags = _t217 - _t264;
									} while (_t217 < _t264);
								}
								_t219 = _t333;
								__eflags = _t219;
								if(_t219 == 0) {
									_t220 = _a24;
									_v88 = _t220;
									_v96 = 0x13;
									goto L43;
								} else {
									__eflags = _t219 == 1;
									if(_t219 == 1) {
										_v88 = 0x41e28e;
										_t220 = 0x41e2ce;
										_v96 = 0x100;
										L43:
										_v92 = _t220;
									} else {
										_v88 = 0x41e510;
										_v92 = 0x41e550;
										_v96 = 0xffffffff;
									}
								}
								_v108 =  *_a16;
								_t223 = 1 << _v120;
								_v84 = 0xffffffff;
								_t353 = 0;
								_t265 = 0;
								_t97 = _t223 - 1; // 0x0
								_v116 = _t344;
								_v80 = 1;
								_v100 = 1;
								_v76 = _t97;
								__eflags = _t333 - 1;
								if(_t333 != 1) {
									L46:
									_v104 = _a24;
									while(1) {
										L47:
										_t345 = _v104;
										_t225 =  *_t345 & 0x0000ffff;
										_v123 = _v116 - _t265;
										__eflags = (_t225 & 0x0000ffff) - _v96;
										if(__eflags >= 0) {
											if(__eflags <= 0) {
												__eflags = 0;
												_v124 = 0x60;
												_v122 = 0;
											} else {
												_t254 = ( *_t345 & 0x0000ffff) + ( *_t345 & 0x0000ffff);
												_v124 =  *((intOrPtr*)(_t254 + _v92));
												_v122 =  *((intOrPtr*)(_t254 + _v88));
											}
										} else {
											_v124 = 0;
											_v122 = _t225;
										}
										_t226 = _v80;
										_v72 = _t226;
										_t336 = (_t353 >> _t265) + _t226;
										__eflags = _t336;
										_t281 = _v108 + _t336 * 4;
										_t337 = _v124;
										do {
											L53:
											_t226 = _t226 - 1;
											_t281 = _t281 - 4;
											 *_t281 = _t337;
											__eflags = _t226;
										} while (_t226 != 0);
										_t316 = _v116;
										_t228 = 1 << _t316 - 1;
										__eflags = _t353 & 0x00000001;
										if((_t353 & 0x00000001) != 0) {
											do {
												_t228 = _t228 >> 1;
												__eflags = _t353 & _t228;
											} while ((_t353 & _t228) != 0);
										}
										__eflags = _t228;
										if(_t228 == 0) {
											_t353 = 0;
											__eflags = 0;
										} else {
											_t132 = _t228 - 1; // 0x0
											_t353 = (_t132 & _t353) + _t228;
										}
										_v104 =  &(_v104[1]);
										 *(_t354 + 0x4c + _t316 * 2) =  *(_t354 + 0x4c + _t316 * 2) + 0xffff;
										__eflags =  *(_t354 + 0x4c + _t316 * 2) & 0x0000ffff;
										if(( *(_t354 + 0x4c + _t316 * 2) & 0x0000ffff) != 0) {
											L62:
											__eflags = _t316 - _v120;
											if(_t316 <= _v120) {
												L47:
												_t345 = _v104;
												_t225 =  *_t345 & 0x0000ffff;
												_v123 = _v116 - _t265;
												__eflags = (_t225 & 0x0000ffff) - _v96;
												if(__eflags >= 0) {
													if(__eflags <= 0) {
														__eflags = 0;
														_v124 = 0x60;
														_v122 = 0;
													} else {
														_t254 = ( *_t345 & 0x0000ffff) + ( *_t345 & 0x0000ffff);
														_v124 =  *((intOrPtr*)(_t254 + _v92));
														_v122 =  *((intOrPtr*)(_t254 + _v88));
													}
												} else {
													_v124 = 0;
													_v122 = _t225;
												}
												_t226 = _v80;
												_v72 = _t226;
												_t336 = (_t353 >> _t265) + _t226;
												__eflags = _t336;
												_t281 = _v108 + _t336 * 4;
												_t337 = _v124;
												goto L53;
											} else {
												L63:
												_t348 = _v76 & _t353;
												_v68 = _t348;
												__eflags = _t348 - _v84;
												if(_t348 == _v84) {
													continue;
												} else {
													L64:
													__eflags = _t265;
													if(_t265 == 0) {
														_t265 = _v120;
													}
													_v108 = _v108 + _v72 * 4;
													_t285 = _v116 - _t265;
													_t318 = _t265 + _t285;
													_t233 = 1 << _t285;
													__eflags = _t318 - _v112;
													if(_t318 < _v112) {
														_t350 = _t354 + 0x4c + _t318 * 2;
														while(1) {
															_t240 = _t233 - ( *_t350 & 0x0000ffff);
															__eflags = _t240;
															if(_t240 <= 0) {
																break;
															}
															_t318 = _t318 + 1;
															_t285 = _t285 + 1;
															_t350 =  &(_t350[1]);
															_t233 = _t240 + _t240;
															__eflags = _t318 - _v112;
															if(_t318 < _v112) {
																continue;
															}
															break;
														}
														_t348 = _v68;
													}
													_v100 = _v100 + 1;
													__eflags = _a4 - 1;
													_v80 = 1 << _t285;
													if(_a4 != 1) {
														L73:
														_t319 = _t348;
														_t349 = _a16;
														 *( *_t349 + _t319 * 4) = _t285;
														 *((char*)( *_t349 + 1 + _t319 * 4)) = _v120;
														_v84 = _t319;
														 *((short*)( *_t349 + 2 + _t319 * 4)) = _v108 -  *_t349 >> 2;
														continue;
														do {
															do {
																goto L47;
															} while (_t316 <= _v120);
															goto L63;
														} while (_t348 == _v84);
														goto L64;
													} else {
														__eflags = _v100 - 0x5b0;
														if(_v100 >= 0x5b0) {
															goto L84;
														} else {
															goto L73;
														}
													}
												}
											}
										} else {
											__eflags = _t316 - _v112;
											if(_t316 == _v112) {
												_t340 = _a16;
												_v124 = 0x40;
												_v123 = _t316 - _t265;
												_v122 = 0;
												__eflags = _t353;
												if(_t353 != 0) {
													_t351 = _v108;
													do {
														__eflags = _t265;
														if(_t265 != 0) {
															__eflags = (_v76 & _t353) - _v84;
															if((_v76 & _t353) != _v84) {
																_t251 = _v120;
																_t351 =  *_t340;
																_t265 = 0;
																__eflags = 0;
																_v116 = _t251;
																_v123 = _t251;
																_t316 = _t251;
															}
														}
														 *((intOrPtr*)(_t351 + (_t353 >> _t265) * 4)) = _v124;
														_t248 = 1 << _t316 - 1;
														__eflags = _t353 & 0x00000001;
														if((_t353 & 0x00000001) != 0) {
															do {
																_t248 = _t248 >> 1;
																__eflags = _t353 & _t248;
															} while ((_t353 & _t248) != 0);
														}
														__eflags = _t248;
														if(_t248 != 0) {
															goto L82;
														}
														goto L83;
														L82:
														_t203 = _t248 - 1; // 0x0
														_t297 = (_t203 & _t353) + _t248;
														__eflags = _t297;
														_t353 = _t297;
													} while (_t297 != 0);
												}
												L83:
												 *_t340 =  *_t340 + _v100 * 4;
												 *_a20 = _v120;
												__eflags = 0;
												return 0;
											} else {
												_t299 =  *(_a8 + ( *_v104 & 0x0000ffff) * 2) & 0x0000ffff;
												_v116 = _t299;
												_t316 = _t299;
												goto L62;
											}
										}
										goto L85;
									}
								} else {
									__eflags = _t223 - 0x5b0;
									if(_t223 >= 0x5b0) {
										L84:
										return 1;
									} else {
										goto L46;
									}
								}
							} else {
								__eflags = _t333;
								if(_t333 == 0) {
									L30:
									_t260 = _t213 | 0xffffffff;
									__eflags = _t260;
									return _t260;
								} else {
									__eflags = _t263 - 1;
									if(_t263 == 1) {
										goto L32;
									} else {
										goto L30;
									}
								}
							}
						}
						goto L85;
					}
					_t214 = _t213 | 0xffffffff;
					__eflags = _t214;
					return _t214;
				} else {
					_t261 = _a16;
					_v122 = 0;
					_v124 = 0x40;
					_v123 = 1;
					_t305 = _v124;
					 *((intOrPtr*)( *_t261)) = _t305;
					 *_t261 =  *_t261 + 4;
					 *((intOrPtr*)( *_t261)) = _t305;
					 *_t261 =  *_t261 + 4;
					 *_t343 = 1;
					return 0;
				}
				L85:
			}

0x00408c60
0x00408c63
0x00408c78
0x00408c7f
0x00408c83
0x00408c87
0x00408c8b
0x00408c8f
0x00408c93
0x00408c97
0x00408c9b
0x00408c9f
0x00408ca4
0x00408cb0
0x00408cb5
0x00408cbe
0x00408cbf
0x00408cb0
0x00408cc3
0x00408cca
0x00408ccc
0x00408cd0
0x00408cd5
0x00408cdd
0x00408ce1
0x00000000
0x00000000
0x00000000
0x00408ce1
0x00408ce3
0x00408ce9
0x00408ceb
0x00408ceb
0x00408cf1
0x00408d2c
0x00408d31
0x00408d31
0x00408d37
0x00000000
0x00000000
0x00408d39
0x00408d3f
0x00408d63
0x00408d41
0x00408d41
0x00408d47
0x00408d66
0x00408d49
0x00408d49
0x00408d4f
0x00408d6b
0x00408d51
0x00408d51
0x00408d57
0x00408d70
0x00408d70
0x00408d59
0x00408d59
0x00408d5c
0x00408d5f
0x00000000
0x00000000
0x00408d61
0x00408d5f
0x00408d57
0x00408d4f
0x00408d47
0x00000000
0x00408d3f
0x00408d73
0x00408d77
0x00408d79
0x00408d79
0x00408d7d
0x00408d82
0x00408d84
0x00408d8b
0x00408d8b
0x00408d8d
0x00000000
0x00000000
0x00408d8f
0x00408d90
0x00408d93
0x00000000
0x00408d95
0x00408d96
0x00408d9d
0x00408d9f
0x00408dbf
0x00408dc1
0x00408dc6
0x00408dd0
0x00408dd5
0x00408dda
0x00408ddd
0x00408de2
0x00408de2
0x00408de7
0x00408dee
0x00408df0
0x00408df2
0x00408df4
0x00408df4
0x00408dfa
0x00408e0d
0x00408e11
0x00408e16
0x00408e16
0x00408e16
0x00408e1b
0x00408e1f
0x00408e20
0x00408e20
0x00408df4
0x00408e26
0x00408e26
0x00408e2e
0x00408e6d
0x00408e74
0x00408e78
0x00000000
0x00408e30
0x00408e30
0x00408e33
0x00408e55
0x00408e5e
0x00408e63
0x00408e80
0x00408e80
0x00408e35
0x00408e35
0x00408e3d
0x00408e45
0x00408e45
0x00408e33
0x00408e8d
0x00408e9a
0x00408e9c
0x00408ea0
0x00408ea2
0x00408ea4
0x00408ea7
0x00408eab
0x00408eaf
0x00408eb3
0x00408eb7
0x00408eba
0x00408ec7
0x00408ece
0x00408ed2
0x00408ed2
0x00408ed6
0x00408eda
0x00408ee3
0x00408eea
0x00408eec
0x00408efa
0x00408f1b
0x00408f1d
0x00408f22
0x00408efc
0x00408f03
0x00408f10
0x00408f14
0x00408f14
0x00408eee
0x00408eee
0x00408ef3
0x00408ef3
0x00408f2b
0x00408f42
0x00408f4d
0x00408f4d
0x00408f4f
0x00408f52
0x00408f56
0x00408f56
0x00408f56
0x00408f58
0x00408f5a
0x00408f5c
0x00408f5c
0x00408f60
0x00408f6c
0x00408f6e
0x00408f70
0x00408f72
0x00408f72
0x00408f74
0x00408f74
0x00408f72
0x00408f78
0x00408f7a
0x00408f87
0x00408f87
0x00408f7c
0x00408f7c
0x00408f83
0x00408f83
0x00408f89
0x00408f93
0x00408f9d
0x00408fa0
0x00408fc4
0x00408fc4
0x00408fc8
0x00408ed2
0x00408ed6
0x00408eda
0x00408ee3
0x00408eea
0x00408eec
0x00408efa
0x00408f1b
0x00408f1d
0x00408f22
0x00408efc
0x00408f03
0x00408f10
0x00408f14
0x00408f14
0x00408eee
0x00408eee
0x00408ef3
0x00408ef3
0x00408f2b
0x00408f42
0x00408f4d
0x00408f4d
0x00408f4f
0x00408f52
0x00000000
0x00408fce
0x00408fce
0x00408fd2
0x00408fd4
0x00408fd8
0x00408fdc
0x00000000
0x00408fe2
0x00408fe2
0x00408fe2
0x00408fe4
0x00408fe6
0x00408fe6
0x00408ff5
0x00408ffd
0x00409004
0x00409007
0x00409009
0x0040900d
0x0040900f
0x00409013
0x00409016
0x00409018
0x0040901a
0x00000000
0x00000000
0x0040901c
0x0040901d
0x0040901e
0x00409021
0x00409023
0x00409027
0x00000000
0x00000000
0x00000000
0x00409027
0x00409029
0x00409029
0x00409034
0x00409038
0x00409040
0x00409044
0x00409054
0x00409054
0x00409056
0x0040905f
0x00409068
0x00409077
0x0040907b
0x00409080
0x00408ed2
0x00408ed2
0x00000000
0x00000000
0x00000000
0x00408ed2
0x00000000
0x00409046
0x00409046
0x0040904e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040904e
0x00409044
0x00408fdc
0x00408fa2
0x00408fa2
0x00408fa6
0x00409085
0x00409092
0x00409097
0x0040909b
0x004090a0
0x004090a2
0x004090a4
0x004090a8
0x004090a8
0x004090aa
0x004090b2
0x004090b6
0x004090b8
0x004090bc
0x004090be
0x004090be
0x004090c0
0x004090c4
0x004090c8
0x004090c8
0x004090b6
0x004090d4
0x004090df
0x004090e1
0x004090e3
0x004090e5
0x004090e5
0x004090e7
0x004090e7
0x004090e5
0x004090eb
0x004090ed
0x00000000
0x00000000
0x00000000
0x004090ef
0x004090ef
0x004090f4
0x004090f4
0x004090f6
0x004090f6
0x004090a8
0x004090fa
0x0040910c
0x00409115
0x00409117
0x0040911d
0x00408fac
0x00408fba
0x00408fbe
0x00408fc2
0x00000000
0x00408fc2
0x00408fa6
0x00000000
0x00408fa0
0x00408ebc
0x00408ebc
0x00408ec1
0x0040911e
0x0040912a
0x00000000
0x00000000
0x00000000
0x00408ec1
0x00408da1
0x00408da1
0x00408da3
0x00408daa
0x00408dad
0x00408dad
0x00408db4
0x00408da5
0x00408da5
0x00408da8
0x00000000
0x00000000
0x00000000
0x00000000
0x00408da8
0x00408da3
0x00408d9f
0x00000000
0x00408d93
0x00408db7
0x00408db7
0x00408dbe
0x00408cf3
0x00408cf3
0x00408cfc
0x00408d03
0x00408d08
0x00408d0d
0x00408d11
0x00408d13
0x00408d18
0x00408d1a
0x00408d1d
0x00408d2b
0x00408d2b
0x00000000

Strings

@, xrefs: 00408D03
PA, xrefs: 00408E3D
@, xrefs: 00409092

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID: @$@$PA
API String ID: 0-3039612711
Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0042FE12 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

W, xrefs: 0042FE88

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 14c77668fcfb763e543661e4d926c8701f18c4f3653c5753ec6a7548b2edb193
Instruction ID: 201bc2feb11c340e78142b68d2b08f84b2ef22b468dfc660e12002626cb50d3d
Opcode Fuzzy Hash: 14c77668fcfb763e543661e4d926c8701f18c4f3653c5753ec6a7548b2edb193
Instruction Fuzzy Hash: 1D11EF72118762DEC7268F3898541D5FFC1AF51310BA446AFC0DE8B1A2F264854FC380

Uniqueness

Uniqueness Score: -1.00%

Function 00407C3F Relevance: .8, Instructions: 783
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00407C3F(unsigned int __ebx, signed char* __edx, signed int* __edi, signed int __esi) {
				signed int _t623;
				signed int _t626;
				signed char** _t637;
				signed int _t645;
				signed int _t649;
				signed int _t654;
				signed int _t657;
				signed int _t660;
				signed int _t662;
				signed int _t665;
				signed char _t771;
				signed char _t776;
				signed char _t778;
				signed int _t783;
				signed int _t785;
				signed int _t792;
				signed int _t795;
				signed int _t799;
				signed int _t803;
				signed int _t805;
				signed int _t813;
				unsigned int _t814;
				signed int _t815;
				signed int _t816;
				void* _t824;
				unsigned int _t828;
				unsigned int _t829;
				intOrPtr _t961;
				signed char _t962;
				signed char _t968;
				signed char _t974;
				signed char* _t989;
				signed char* _t998;
				signed int* _t1018;
				signed int _t1023;
				signed char** _t1025;
				signed char* _t1029;
				void* _t1032;
				void* _t1036;

				L0:
				while(1) {
					L0:
					_t1023 = __esi;
					_t1018 = __edi;
					_t989 = __edx;
					_t814 = __ebx;
					if(__esi >= 0xe) {
						goto L154;
					}
					L152:
					while(__edx != 0) {
						__eax =  *__ebp & 0x000000ff;
						__eax = ( *__ebp & 0x000000ff) << __cl;
						__edx = __edx - 1;
						__esi = __esi + 8;
						__ebp =  &(__ebp[1]);
						__ebx = __ebx + __eax;
						 *(__esp + 0x10) = __edx;
						if(__esi < 0xe) {
							continue;
						} else {
							goto L154;
						}
						L321:
					}
					L303:
					_t637 =  *(_t1036 + 0x40);
					_t637[3] =  *(_t1036 + 0x24);
					_t637[4] =  *(_t1036 + 0x18);
					 *_t637 = _t1029;
					_t637[1] = _t998;
					_t1018[0xe] = _t814;
					_t1018[0xf] = _t1023;
					if(_t1018[0xa] != 0 ||  *_t1018 < 0x18 &&  *(_t1036 + 0x28) != _t637[4]) {
						L306:
						if(E004072B0( *(_t1036 + 0x28),  *(_t1036 + 0x40)) == 0) {
							goto L309;
						} else {
							L307:
							 *_t1018 = 0x1c;
							L308:
							return 0xfffffffc;
						}
					} else {
						L309:
						_t1025 =  *(_t1036 + 0x40);
						_t1032 =  *((intOrPtr*)(_t1036 + 0x38)) - _t1025[1];
						_t824 =  *(_t1036 + 0x28) - _t1025[4];
						_t1025[2] =  &(_t1025[2][_t1032]);
						_t1025[5] =  &(_t1025[5][_t824]);
						_t1018[7] = _t1018[7] + _t824;
						if(_t1018[2] != 0 && _t824 != 0) {
							_push(_t824);
							if(_t1018[4] == 0) {
								_push(_t1025[3] - _t824);
								_push(_t1018[6]);
								_t649 = E004024A0();
							} else {
								_push(_t1025[3] - _t824);
								_push(_t1018[6]);
								_t649 = E00403080();
							}
							_t1018[6] = _t649;
							_t1036 = _t1036 + 0xc;
							_t1025[0xc] = _t649;
						}
						asm("sbb edx, edx");
						_t1025[0xb] = ( ~(_t1018[1]) & 0x00000040) + ((0 |  *_t1018 != 0x0000000b) - 0x00000001 & 0x00000080) + _t1018[0xf];
						if(_t1032 != 0 || _t824 != 0) {
							L317:
							if( *((intOrPtr*)(_t1036 + 0x44)) != 4) {
								L320:
								return  *(_t1036 + 0x30);
							} else {
								goto L318;
							}
						} else {
							L318:
							_t645 =  *(_t1036 + 0x30);
							if(_t645 != 0) {
								L297:
								return _t645;
							} else {
								L319:
								return 0xfffffffb;
							}
						}
					}
					goto L321;
					L154:
					_t815 = _t814 >> 5;
					_t1018[0x18] = (_t814 & 0x0000001f) + 0x101;
					_t816 = _t815 >> 5;
					_t626 = (_t815 & 0x0000001f) + 1;
					_t814 = _t816 >> 4;
					_t1023 = _t1023 - 0xe;
					_t1018[0x19] = _t626;
					_t1018[0x17] = (_t816 & 0x0000000f) + 4;
					if(_t1018[0x18] > 0x11e || _t626 > 0x1e) {
						L26:
						( *(_t1036 + 0x40))[6] = 0x41d338;
						goto L294;
					} else {
						L156:
						_t1018[0x1a] = 0;
						 *_t1018 = 0x10;
						L157:
						if(_t1018[0x1a] >= _t1018[0x17]) {
							L163:
							while(_t1018[0x1a] < 0x13) {
								L165:
								 *((short*)(_t1018 + 0x70 + ( *(0x41e468 + _t1018[0x1a] * 2) & 0x0000ffff) * 2)) = 0;
								_t1018[0x1a] = _t1018[0x1a] + 1;
							}
							L166:
							_t654 =  &(_t1018[0x14c]);
							_t1018[0x1b] = _t654;
							_t1018[0x13] = _t654;
							_t1018[0x15] = 7;
							_t657 = E00408C60(0,  &(_t1018[0x1c]), 0x13,  &(_t1018[0x1b]),  &(_t1018[0x15]),  &(_t1018[0xbc]));
							_t998 =  *(_t1036 + 0x28);
							_t1036 = _t1036 + 0x18;
							 *(_t1036 + 0x30) = _t657;
							if(_t657 != 0) {
								L293:
								( *(_t1036 + 0x40))[6] = 0x41d338;
								goto L294;
							} else {
								L167:
								_t1018[0x1a] = _t657;
								 *_t1018 = 0x11;
								L168:
								if(_t1018[0x1a] >= _t1018[0x19] + _t1018[0x18]) {
									L201:
									if( *_t1018 == 0x1b) {
										goto L295;
									} else {
										L202:
										_t660 =  &(_t1018[0x14c]);
										_t1018[0x1b] = _t660;
										_t1018[0x13] = _t660;
										_t1018[0x15] = 9;
										_t662 = E00408C60(1,  &(_t1018[0x1c]), _t1018[0x18],  &(_t1018[0x1b]),  &(_t1018[0x15]),  &(_t1018[0xbc]));
										_t1036 = _t1036 + 0x18;
										 *(_t1036 + 0x30) = _t662;
										if(_t662 == 0) {
											L204:
											_t1018[0x14] = _t1018[0x1b];
											_t1018[0x16] = 6;
											_t665 = E00408C60(2, _t1018 + 0x70 + _t1018[0x18] * 2, _t1018[0x19],  &(_t1018[0x1b]),  &(_t1018[0x16]),  &(_t1018[0xbc]));
											_t998 =  *(_t1036 + 0x28);
											_t1036 = _t1036 + 0x18;
											 *(_t1036 + 0x30) = _t665;
											if(_t665 == 0) {
												L206:
												 *_t1018 = 0x12;
												goto L207;
											} else {
												L205:
												( *(_t1036 + 0x40))[6] = 0x41d338;
												goto L294;
											}
										} else {
											L203:
											_t998 =  *(_t1036 + 0x10);
											( *(_t1036 + 0x40))[6] = 0x41d338;
											L294:
											 *_t1018 = 0x1b;
											while(1) {
												L295:
												_t623 =  *_t1018;
												if(_t623 > 0x1c) {
													break;
												}
												L1:
												switch( *((intOrPtr*)(_t623 * 4 +  &M004087C4))) {
													case 0:
														L2:
														if(_t1018[2] != 0) {
															L4:
															if(_t1023 >= 0x10) {
																L8:
																if((_t1018[2] & 0x00000002) == 0 || _t814 != 0x8b1f) {
																	_t628 = _t1018[8];
																	_t1018[4] = 0;
																	if(_t628 != 0) {
																		 *((intOrPtr*)(_t628 + 0x30)) = 0xffffffff;
																	}
																	L13:
																	if((_t1018[2] & 0x00000001) == 0 || (((_t814 & 0x000000ff) << 8) + (_t814 >> 8)) % 0x1f != 0) {
																		( *(_t1036 + 0x40))[6] = 0x41d338;
																		goto L294;
																	} else {
																		L15:
																		if((_t814 & 0x0000000f) == 8) {
																			L17:
																			_t814 = _t814 >> 4;
																			_t848 = (_t814 & 0x0000000f) + 8;
																			_t1023 = _t1023 - 4;
																			if(_t848 <= _t1018[9]) {
																				_push(0);
																				_push(0);
																				_push(0);
																				_t1018[5] = 1 << _t848;
																				_t633 = E004024A0();
																				_t998 =  *(_t1036 + 0x1c);
																				_t1018[6] = _t633;
																				 *( *((intOrPtr*)(_t1036 + 0x4c)) + 0x30) = _t633;
																				 *_t1018 =  !(_t814 >> 8) & 0x00000002 | 0x00000009;
																				_t1036 = _t1036 + 0xc;
																				_t814 = 0;
																				_t1023 = 0;
																			} else {
																				_t998 =  *(_t1036 + 0x10);
																				goto L293;
																			}
																		} else {
																			_t998 =  *(_t1036 + 0x10);
																			( *(_t1036 + 0x40))[6] = 0x41d338;
																			goto L294;
																		}
																	}
																} else {
																	_t1018[6] = E00403080(0, 0, 0);
																	 *(_t1036 + 0x2c) = 0x1f;
																	 *(_t1036 + 0x2d) = 0x8b;
																	_t636 = E00403080(_t1018[6], _t1036 + 0x2c, 2);
																	_t998 =  *(_t1036 + 0x28);
																	_t1036 = _t1036 + 0x18;
																	_t814 = 0;
																	_t1018[6] = _t636;
																	_t1023 = 0;
																	 *_t1018 = 1;
																}
																goto L295;
															} else {
																L6:
																while(_t998 != 0) {
																	_t652 = ( *_t1029 & 0x000000ff) << _t1023;
																	_t998 = _t998 - 1;
																	_t1023 = _t1023 + 8;
																	_t1029 =  &(_t1029[1]);
																	_t814 = _t814 + _t652;
																	 *(_t1036 + 0x10) = _t998;
																	if(_t1023 < 0x10) {
																		continue;
																	} else {
																		goto L8;
																	}
																	goto L321;
																}
																goto L303;
															}
														} else {
															 *_t1018 = 0xc;
															goto L295;
														}
														goto L321;
													case 1:
														L21:
														if(__esi >= 0x10) {
															L24:
															 *(__edi + 0x10) = __ebx;
															if(__bl != 8) {
																goto L293;
															} else {
																L25:
																if((__ebx & 0x0000e000) == 0) {
																	L27:
																	__eax =  *(__edi + 0x20);
																	if(__eax != 0) {
																		__ebx = __ebx >> 8;
																		__ecx = __ebx >> 0x00000008 & 0x00000001;
																		 *__eax = __ebx >> 0x00000008 & 0x00000001;
																	}
																	if(( *(__edi + 0x10) & 0x00000200) != 0) {
																		 *(__esp + 0x1c) = __bl;
																		__ebx = __ebx >> 8;
																		__edx = __esp + 0x20;
																		 *(__esp + 0x21) = __bl;
																		__eax =  *(__edi + 0x18);
																		__eax = E00403080( *(__edi + 0x18), __esp + 0x20, 2);
																		__edx =  *(__esp + 0x1c);
																		 *(__edi + 0x18) = __eax;
																	}
																	__ebx = 0;
																	__esi = 0;
																	 *__edi = 2;
																	goto L34;
																} else {
																	goto L26;
																}
															}
														} else {
															L22:
															while(__edx != 0) {
																__eax =  *__ebp & 0x000000ff;
																__ecx = __esi;
																__eax = ( *__ebp & 0x000000ff) << __cl;
																__edx = __edx - 1;
																__esi = __esi + 8;
																__ebp =  &(__ebp[1]);
																__ebx = __ebx + __eax;
																 *(__esp + 0x10) = __edx;
																if(__esi < 0x10) {
																	continue;
																} else {
																	goto L24;
																}
																goto L321;
															}
															goto L303;
														}
														goto L321;
													case 2:
														L32:
														if(__esi >= 0x20) {
															L36:
															__eax =  *(__edi + 0x20);
															if(__eax != 0) {
																 *(__eax + 4) = __ebx;
															}
															if(( *(__edi + 0x10) & 0x00000200) != 0) {
																 *(__esp + 0x1c) = __bl;
																__ecx = __ebx;
																__edx = __ebx;
																__ecx = __ebx >> 8;
																__edx = __ebx >> 0x10;
																__ebx = __ebx >> 0x18;
																__eax = __esp + 0x20;
																 *(__esp + 0x21) = __cl;
																 *((char*)(__esp + 0x22)) = __dl;
																 *(__esp + 0x23) = __bl;
																__ecx =  *(__edi + 0x18);
																__eax = E00403080( *(__edi + 0x18), __esp + 0x20, 4);
																__edx =  *(__esp + 0x1c);
																 *(__edi + 0x18) = __eax;
															}
															__ebx = 0;
															__esi = 0;
															 *__edi = 3;
															goto L43;
														} else {
															L33:
															L34:
															while(__edx != 0) {
																__eax =  *__ebp & 0x000000ff;
																__ecx = __esi;
																__eax = ( *__ebp & 0x000000ff) << __cl;
																__edx = __edx - 1;
																__esi = __esi + 8;
																__ebp =  &(__ebp[1]);
																__ebx = __ebx + __eax;
																 *(__esp + 0x10) = __edx;
																if(__esi < 0x20) {
																	continue;
																} else {
																	goto L36;
																}
																goto L321;
															}
															goto L303;
														}
														goto L321;
													case 3:
														L41:
														if(__esi >= 0x10) {
															L45:
															__eax =  *(__edi + 0x20);
															if(__eax != 0) {
																__ebx = __ebx & 0x000000ff;
																 *(__eax + 8) = __ebx & 0x000000ff;
																__ecx =  *(__edi + 0x20);
																__eax = __ebx;
																__eax = __ebx >> 8;
																 *( *(__edi + 0x20) + 0xc) = __eax;
															}
															if(( *(__edi + 0x10) & 0x00000200) != 0) {
																 *(__esp + 0x1c) = __bl;
																__ebx = __ebx >> 8;
																__edx = __esp + 0x20;
																 *(__esp + 0x21) = __bl;
																__eax =  *(__edi + 0x18);
																__eax = E00403080( *(__edi + 0x18), __esp + 0x20, 2);
																__edx =  *(__esp + 0x1c);
																 *(__edi + 0x18) = __eax;
															}
															__ebx = 0;
															__esi = 0;
															 *__edi = 4;
															goto L50;
														} else {
															L42:
															L43:
															while(__edx != 0) {
																__eax =  *__ebp & 0x000000ff;
																__ecx = __esi;
																__eax = ( *__ebp & 0x000000ff) << __cl;
																__edx = __edx - 1;
																__esi = __esi + 8;
																__ebp =  &(__ebp[1]);
																__ebx = __ebx + __eax;
																 *(__esp + 0x10) = __edx;
																if(__esi < 0x10) {
																	continue;
																} else {
																	goto L45;
																}
																goto L321;
															}
															goto L303;
														}
														goto L321;
													case 4:
														L50:
														if(( *(__edi + 0x10) & 0x00000400) == 0) {
															L59:
															__eax =  *(__edi + 0x20);
															if(__eax != 0) {
																 *(__eax + 0x10) = 0;
															}
															goto L61;
														} else {
															L51:
															if(__esi >= 0x10) {
																L54:
																__eax =  *(__edi + 0x20);
																 *(__edi + 0x40) = __ebx;
																if(__eax != 0) {
																	 *(__eax + 0x14) = __ebx;
																}
																if(( *(__edi + 0x10) & 0x00000200) != 0) {
																	 *(__esp + 0x1c) = __bl;
																	__ebx = __ebx >> 8;
																	__ecx = __esp + 0x20;
																	 *(__esp + 0x21) = __bl;
																	__edx =  *(__edi + 0x18);
																	__eax = E00403080( *(__edi + 0x18), __esp + 0x20, 2);
																	__edx =  *(__esp + 0x1c);
																	 *(__edi + 0x18) = __eax;
																}
																__ebx = 0;
																__esi = 0;
																L61:
																 *__edi = 5;
																goto L62;
															} else {
																L52:
																while(__edx != 0) {
																	__eax =  *__ebp & 0x000000ff;
																	__ecx = __esi;
																	__eax = ( *__ebp & 0x000000ff) << __cl;
																	__edx = __edx - 1;
																	__esi = __esi + 8;
																	__ebp =  &(__ebp[1]);
																	__ebx = __ebx + __eax;
																	 *(__esp + 0x10) = __edx;
																	if(__esi < 0x10) {
																		continue;
																	} else {
																		goto L54;
																	}
																	goto L321;
																}
																goto L303;
															}
														}
														goto L321;
													case 5:
														L62:
														if(( *(__edi + 0x10) & 0x00000400) == 0) {
															L75:
															 *(__edi + 0x40) = 0;
															 *__edi = 6;
															goto L76;
														} else {
															L63:
															__eax =  *(__edi + 0x40);
															 *(__esp + 0x14) = __eax;
															if(__eax > __edx) {
																__eax = __edx;
																 *(__esp + 0x14) = __edx;
															}
															if(__eax != 0) {
																__ecx =  *(__edi + 0x20);
																if(__ecx != 0) {
																	__ecx =  *(__ecx + 0x10);
																	 *(__esp + 0x34) = __ecx;
																	if(__ecx != 0) {
																		 *(__edi + 0x20) =  *( *(__edi + 0x20) + 0x14);
																		__ecx =  *( *(__edi + 0x20) + 0x14) -  *(__edi + 0x40);
																		__edx =  *(__edi + 0x20);
																		__edx =  *( *(__edi + 0x20) + 0x18);
																		 *(__esp + 0x20) = __ecx;
																		if(__ecx > __edx) {
																			__eax = __edx;
																		}
																		__edx =  *(__esp + 0x34);
																		__eax =  *(__esp + 0x24);
																		__edx =  *(__esp + 0x34) +  *(__esp + 0x24);
																		__eax = E0040B350(__ebx, __edi, __esi,  *(__esp + 0x34) +  *(__esp + 0x24), __ebp,  *(__esp + 0x24));
																		__eax =  *(__esp + 0x20);
																		__edx =  *(__esp + 0x1c);
																	}
																}
																if(( *(__edi + 0x10) & 0x00000200) != 0) {
																	__ecx =  *(__esp + 0x14);
																	__edx =  *(__edi + 0x18);
																	__eax = E00403080( *(__edi + 0x18), __ebp,  *(__esp + 0x14));
																	__edx =  *(__esp + 0x1c);
																	 *(__edi + 0x18) = __eax;
																	__eax =  *(__esp + 0x20);
																}
																__edx = __edx - __eax;
																__ebp =  &(__ebp[__eax]);
																 *(__edi + 0x40) =  *(__edi + 0x40) - __eax;
																 *(__esp + 0x10) = __edx;
															}
															if( *(__edi + 0x40) != 0) {
																goto L303;
															} else {
																goto L75;
															}
														}
														goto L321;
													case 6:
														L76:
														if(( *(__edi + 0x10) & 0x00000800) == 0) {
															L89:
															__eax =  *(__edi + 0x20);
															if(__eax != 0) {
																 *(__eax + 0x1c) = 0;
															}
															goto L91;
														} else {
															L77:
															if(__edx == 0) {
																goto L303;
															} else {
																L78:
																__eax = 0;
																while(1) {
																	L79:
																	__ecx = __ebp[__eax] & 0x000000ff;
																	 *(__esp + 0x14) = __eax;
																	__eax =  *(__edi + 0x20);
																	 *(__esp + 0x20) = __ecx;
																	if(__eax != 0) {
																		__ecx =  *(__eax + 0x1c);
																		 *(__esp + 0x34) = __ecx;
																		if(__ecx != 0) {
																			__ecx =  *(__edi + 0x40);
																			if(__ecx <  *((intOrPtr*)(__eax + 0x20))) {
																				__edx =  *(__esp + 0x34);
																				 *((char*)( *(__esp + 0x34) + __ecx)) =  *(__esp + 0x20);
																				 *(__edi + 0x40) =  *(__edi + 0x40) + 1;
																				__edx =  *(__esp + 0x10);
																			}
																		}
																	}
																	if( *(__esp + 0x20) == 0) {
																		break;
																	}
																	L84:
																	__eax =  *(__esp + 0x14);
																	if(__eax < __edx) {
																		continue;
																	}
																	break;
																}
																L85:
																if(( *(__edi + 0x10) & 0x00000200) != 0) {
																	__ecx =  *(__esp + 0x14);
																	__edx =  *(__edi + 0x18);
																	__eax = E00403080( *(__edi + 0x18), __ebp,  *(__esp + 0x14));
																	__edx =  *(__esp + 0x1c);
																	 *(__edi + 0x18) = __eax;
																}
																__eax =  *(__esp + 0x14);
																__edx = __edx - __eax;
																__ebp =  &(__ebp[__eax]);
																 *(__esp + 0x10) = __edx;
																if( *(__esp + 0x20) != 0) {
																	goto L303;
																} else {
																	L88:
																	L91:
																	 *(__edi + 0x40) = 0;
																	 *__edi = 7;
																	goto L92;
																}
															}
														}
														goto L321;
													case 7:
														L92:
														if(( *(__edi + 0x10) & 0x00001000) == 0) {
															L105:
															__eax =  *(__edi + 0x20);
															if(__eax != 0) {
																 *(__eax + 0x24) = 0;
															}
															goto L107;
														} else {
															L93:
															if(__edx == 0) {
																goto L303;
															} else {
																L94:
																__eax = 0;
																while(1) {
																	L95:
																	__ecx = __ebp[__eax] & 0x000000ff;
																	 *(__esp + 0x14) = __eax;
																	__eax =  *(__edi + 0x20);
																	 *(__esp + 0x20) = __ecx;
																	if(__eax != 0) {
																		__ecx =  *(__eax + 0x24);
																		 *(__esp + 0x34) = __ecx;
																		if(__ecx != 0) {
																			__ecx =  *(__edi + 0x40);
																			if(__ecx <  *((intOrPtr*)(__eax + 0x28))) {
																				__edx =  *(__esp + 0x34);
																				 *((char*)( *(__esp + 0x34) + __ecx)) =  *(__esp + 0x20);
																				 *(__edi + 0x40) =  *(__edi + 0x40) + 1;
																				__edx =  *(__esp + 0x10);
																			}
																		}
																	}
																	if( *(__esp + 0x20) == 0) {
																		break;
																	}
																	L100:
																	__eax =  *(__esp + 0x14);
																	if(__eax < __edx) {
																		continue;
																	}
																	break;
																}
																L101:
																if(( *(__edi + 0x10) & 0x00000200) != 0) {
																	__ecx =  *(__esp + 0x14);
																	__edx =  *(__edi + 0x18);
																	__eax = E00403080( *(__edi + 0x18), __ebp,  *(__esp + 0x14));
																	__edx =  *(__esp + 0x1c);
																	 *(__edi + 0x18) = __eax;
																}
																__eax =  *(__esp + 0x14);
																__edx = __edx - __eax;
																__ebp =  &(__ebp[__eax]);
																 *(__esp + 0x10) = __edx;
																if( *(__esp + 0x20) != 0) {
																	goto L303;
																} else {
																	L104:
																	L107:
																	 *__edi = 8;
																	goto L108;
																}
															}
														}
														goto L321;
													case 8:
														L108:
														if(( *(__edi + 0x10) & 0x00000200) == 0) {
															L115:
															__eax =  *(__edi + 0x20);
															if(__eax != 0) {
																 *(__edi + 0x10) =  *(__edi + 0x10) >> 9;
																__ecx =  *(__edi + 0x10) >> 0x00000009 & 0x00000001;
																 *(__eax + 0x2c) =  *(__edi + 0x10) >> 0x00000009 & 0x00000001;
																__edx =  *(__edi + 0x20);
																 *( *(__edi + 0x20) + 0x30) = 1;
															}
															__eax = E00403080(0, 0, 0);
															__ecx =  *(__esp + 0x4c);
															__edx =  *(__esp + 0x1c);
															 *(__edi + 0x18) = __eax;
															 *( *(__esp + 0x4c) + 0x30) = __eax;
															 *__edi = 0xb;
															goto L295;
														} else {
															L109:
															if(__esi >= 0x10) {
																L112:
																__ecx =  *(__edi + 0x18) & 0x0000ffff;
																if(__ebx == ( *(__edi + 0x18) & 0x0000ffff)) {
																	L114:
																	__ebx = 0;
																	__esi = 0;
																	goto L115;
																} else {
																	L113:
																	__eax =  *(__esp + 0x40);
																	 *(__eax + 0x18) = 0x41d338;
																	goto L294;
																}
																goto L295;
															} else {
																L110:
																while(__edx != 0) {
																	__eax =  *__ebp & 0x000000ff;
																	__ecx = __esi;
																	__eax = ( *__ebp & 0x000000ff) << __cl;
																	__edx = __edx - 1;
																	__esi = __esi + 8;
																	__ebp =  &(__ebp[1]);
																	__ebx = __ebx + __eax;
																	 *(__esp + 0x10) = __edx;
																	if(__esi < 0x10) {
																		continue;
																	} else {
																		goto L112;
																	}
																	goto L321;
																}
																goto L303;
															}
														}
														goto L321;
													case 9:
														L118:
														if(__esi >= 0x20) {
															L122:
															__ebx = __ebx & 0x0000ff00;
															__ebx = __ebx << 0x10;
															__ecx = (__ebx & 0x0000ff00) + (__ebx << 0x10);
															__ebx = __ebx >> 8;
															__ecx = (__ebx & 0x0000ff00) + (__ebx << 0x10) << 8;
															__eax = __ebx >> 0x00000008 & 0x0000ff00;
															__ecx = ((__ebx & 0x0000ff00) + (__ebx << 0x10) << 8) + (__ebx >> 0x00000008 & 0x0000ff00);
															__eax = __ecx + __ebx;
															__ecx =  *(__esp + 0x40);
															 *(__edi + 0x18) = __eax;
															 *( *(__esp + 0x40) + 0x30) = __eax;
															__ebx = 0;
															__esi = 0;
															 *__edi = 0xa;
															goto L123;
														} else {
															L119:
															L120:
															while(__edx != 0) {
																__eax =  *__ebp & 0x000000ff;
																__ecx = __esi;
																__eax = ( *__ebp & 0x000000ff) << __cl;
																__edx = __edx - 1;
																__esi = __esi + 8;
																__ebp =  &(__ebp[1]);
																__ebx = __ebx + __eax;
																 *(__esp + 0x10) = __edx;
																if(__esi < 0x20) {
																	continue;
																} else {
																	goto L122;
																}
																goto L321;
															}
															goto L303;
														}
														goto L321;
													case 0xa:
														L123:
														if( *((intOrPtr*)(__edi + 0xc)) == 0) {
															L298:
															__eax =  *(__esp + 0x40);
															__ecx =  *(__esp + 0x24);
															 *(__eax + 0xc) =  *(__esp + 0x24);
															__ecx =  *(__esp + 0x18);
															 *__eax = __ebp;
															 *(__eax + 0x10) =  *(__esp + 0x18);
															 *(__eax + 4) = __edx;
															 *(__edi + 0x3c) = __esi;
															_pop(__esi);
															_pop(__ebp);
															 *(__edi + 0x38) = __ebx;
															_pop(__ebx);
															__eax = 2;
															_pop(__edi);
															__esp = __esp + 0x2c;
															return 2;
														} else {
															L124:
															_push(0);
															_push(0);
															_push(0);
															__eax = E004024A0();
															__edx =  *(__esp + 0x4c);
															 *(__edi + 0x18) = __eax;
															 *( *(__esp + 0x4c) + 0x30) = __eax;
															__edx =  *(__esp + 0x1c);
															__esp = __esp + 0xc;
															 *__edi = 0xb;
															goto L125;
														}
														goto L321;
													case 0xb:
														L125:
														if( *((intOrPtr*)(__esp + 0x44)) == 5) {
															goto L303;
														} else {
															goto L126;
														}
														goto L321;
													case 0xc:
														L126:
														if( *(__edi + 4) == 0) {
															L128:
															if(__esi >= 3) {
																L132:
																__ecx = __ebx;
																__ebx = __ebx >> 1;
																__eax = __ebx;
																__ecx = __ecx & 0x00000001;
																__eax = __ebx & 0x00000003;
																__esi = __esi - 1;
																 *(__edi + 4) = __ecx;
																if(__eax > 3) {
																	L138:
																	__ebx = __ebx >> 2;
																	__esi = __esi - 2;
																} else {
																	L133:
																	switch( *((intOrPtr*)(__eax * 4 +  &M00408838))) {
																		case 0:
																			L134:
																			__ebx = __ebx >> 2;
																			 *__edi = 0xd;
																			__esi = __esi - 2;
																			goto L295;
																		case 1:
																			L135:
																			__eax = __edi;
																			__eax = E00407290(__edi);
																			__ebx = __ebx >> 2;
																			 *__edi = 0x12;
																			__esi = __esi - 2;
																			goto L295;
																		case 2:
																			L136:
																			__ebx = __ebx >> 2;
																			 *__edi = 0xf;
																			__esi = __esi - 2;
																			goto L295;
																		case 3:
																			L137:
																			__eax =  *(__esp + 0x40);
																			 *(__eax + 0x18) = 0x41d338;
																			 *__edi = 0x1b;
																			goto L138;
																	}
																}
																goto L295;
															} else {
																L129:
																L130:
																while(__edx != 0) {
																	__eax =  *__ebp & 0x000000ff;
																	__ecx = __esi;
																	__eax = ( *__ebp & 0x000000ff) << __cl;
																	__edx = __edx - 1;
																	__esi = __esi + 8;
																	__ebp =  &(__ebp[1]);
																	__ebx = __ebx + __eax;
																	 *(__esp + 0x10) = __edx;
																	if(__esi < 3) {
																		continue;
																	} else {
																		goto L132;
																	}
																	goto L321;
																}
																goto L303;
															}
														} else {
															L127:
															__esi = __esi & 0x00000007;
															__ebx = __ebx >> __cl;
															__esi = __esi - (__esi & 0x00000007);
															 *__edi = 0x18;
															goto L295;
														}
														goto L321;
													case 0xd:
														L139:
														__esi = __esi & 0x00000007;
														__esi = __esi - (__esi & 0x00000007);
														__ebx = __ebx >> __cl;
														if(__esi >= 0x20) {
															L142:
															__ecx = __ebx;
															__eax = __ebx;
															__ecx =  !__ebx;
															__eax = __ebx & 0x0000ffff;
															__ecx =  !__ebx >> 0x10;
															if(__eax ==  !__ebx >> 0x10) {
																L144:
																__ebx = 0;
																 *(__edi + 0x40) = __eax;
																__esi = 0;
																 *__edi = 0xe;
																goto L145;
															} else {
																L143:
																__eax =  *(__esp + 0x40);
																 *(__eax + 0x18) = 0x41d338;
																goto L294;
															}
														} else {
															L140:
															while(__edx != 0) {
																__eax =  *__ebp & 0x000000ff;
																__ecx = __esi;
																__eax = ( *__ebp & 0x000000ff) << __cl;
																__edx = __edx - 1;
																__esi = __esi + 8;
																__ebp =  &(__ebp[1]);
																__ebx = __ebx + __eax;
																 *(__esp + 0x10) = __edx;
																if(__esi < 0x20) {
																	continue;
																} else {
																	goto L142;
																}
																goto L321;
															}
															goto L303;
														}
														goto L321;
													case 0xe:
														L145:
														__eax =  *(__edi + 0x40);
														 *(__esp + 0x14) = __eax;
														if(__eax == 0) {
															goto L224;
														} else {
															L146:
															if(__eax > __edx) {
																__eax = __edx;
																 *(__esp + 0x14) = __edx;
															}
															__ecx =  *(__esp + 0x18);
															if(__eax > __ecx) {
																__eax = __ecx;
																 *(__esp + 0x14) = __eax;
															}
															if(__eax == 0) {
																goto L303;
															} else {
																L151:
																__ecx =  *(__esp + 0x14);
																__edx =  *(__esp + 0x24);
																__eax = E0040B350(__ebx, __edi, __esi,  *(__esp + 0x24), __ebp,  *(__esp + 0x14));
																__eax =  *(__esp + 0x20);
																 *(__esp + 0x1c) =  *(__esp + 0x1c) - __eax;
																 *(__esp + 0x24) =  *(__esp + 0x24) - __eax;
																 *(__esp + 0x30) =  *(__esp + 0x30) + __eax;
																__edx =  *(__esp + 0x1c);
																__ebp =  &(__ebp[__eax]);
																 *(__edi + 0x40) =  *(__edi + 0x40) - __eax;
																goto L295;
															}
														}
														goto L321;
													case 0xf:
														goto L0;
													case 0x10:
														goto L157;
													case 0x11:
														goto L168;
													case 0x12:
														L207:
														if(_t998 < 6 ||  *(_t1036 + 0x18) < 0x102) {
															L210:
															_t671 =  *(_t1018[0x13] + ((0x00000001 << _t1018[0x15]) - 0x00000001 & _t814) * 4);
															 *(_t1036 + 0x14) = _t671;
															if((_t671 >> 0x00000008 & 0x000000ff) <= _t1023) {
																L214:
																if(_t671 == 0 || (_t671 & 0x000000f0) != 0) {
																	L221:
																	_t864 = _t671 >> 0x00000008 & 0x000000ff;
																	_t814 = _t814 >> _t864;
																	_t1023 = _t1023 - _t864;
																	 *(_t1036 + 0x20) = _t864;
																	_t1018[0x10] = _t671 >> 0x10;
																	if(_t671 != 0) {
																		L223:
																		if((_t671 & 0x00000020) == 0) {
																			L225:
																			if((_t671 & 0x00000040) == 0) {
																				L227:
																				_t1018[0x12] = _t671 & 0xf;
																				 *_t1018 = 0x13;
																				goto L228;
																			} else {
																				L226:
																				( *(_t1036 + 0x40))[6] = 0x41d338;
																				goto L294;
																			}
																		} else {
																			L224:
																			 *_t1018 = 0xb;
																			goto L295;
																		}
																	} else {
																		L222:
																		 *_t1018 = 0x17;
																		goto L295;
																	}
																} else {
																	L216:
																	_t928 = _t671 >> 8;
																	 *(_t1036 + 0x34) = _t928;
																	 *(_t1036 + 0x20) = _t928 & 0x000000ff;
																	 *(_t1036 + 0x2c) = _t671;
																	_t738 =  *(_t1018[0x13] + ((((0x00000001 << (_t671 & 0x000000ff) +  *(_t1036 + 0x20)) - 0x00000001 & _t814) >>  *(_t1036 + 0x20)) + ( *(_t1036 + 0x14) >> 0x10)) * 4);
																	 *(_t1036 + 0x14) = _t738;
																	if((_t738 >> 0x00000008 & 0x000000ff) + ( *(_t1036 + 0x34) & 0x000000ff) <= _t1023) {
																		L220:
																		_t937 =  *(_t1036 + 0x2d) & 0x000000ff;
																		_t671 =  *(_t1036 + 0x14);
																		_t814 = _t814 >> _t937;
																		_t1023 = _t1023 - _t937;
																		goto L221;
																	} else {
																		L217:
																		L218:
																		while(_t998 != 0) {
																			_t743 = ( *_t1029 & 0x000000ff) << _t1023;
																			_t939 =  *(_t1036 + 0x2c);
																			_t998 = _t998 - 1;
																			_t1023 = _t1023 + 8;
																			_t814 = _t814 + _t743;
																			_t744 = _t939 & 0x000000ff;
																			 *(_t1036 + 0x20) = _t744;
																			_t1029 =  &(_t1029[1]);
																			 *(_t1036 + 0x10) = _t998;
																			 *(_t1036 + 0x14) = 1;
																			if(( *(_t1018[0x13] + ((((0x00000001 << (_t939 & 0x000000ff) + _t744) - 0x00000001 & _t814) >>  *(_t1036 + 0x20)) + ( *(_t1036 + 0x2e) & 0x0000ffff)) * 4) >> 0x00000008 & 0x000000ff) +  *(_t1036 + 0x20) > _t1023) {
																				continue;
																			} else {
																				goto L220;
																			}
																			goto L321;
																		}
																		goto L303;
																	}
																}
															} else {
																L211:
																L212:
																while(_t998 != 0) {
																	_t756 = ( *_t1029 & 0x000000ff) << _t1023;
																	_t998 = _t998 - 1;
																	_t1023 = _t1023 + 8;
																	_t814 = _t814 + _t756;
																	_t1029 =  &(_t1029[1]);
																	 *(_t1036 + 0x10) = _t998;
																	_t671 =  *(_t1018[0x13] + ((0x00000001 << _t1018[0x15]) - 0x00000001 & _t814) * 4);
																	 *(_t1036 + 0x14) = 1;
																	if(0xad > _t1023) {
																		continue;
																	} else {
																		goto L214;
																	}
																	goto L321;
																}
																goto L303;
															}
														} else {
															L209:
															_t761 =  *(_t1036 + 0x40);
															_t761[4] =  *(_t1036 + 0x18);
															_t761[3] =  *(_t1036 + 0x24);
															_push( *(_t1036 + 0x28));
															 *_t761 = _t1029;
															_t761[1] =  *(_t1036 + 0x10);
															_push(_t761);
															_t1018[0xe] = _t814;
															_t1018[0xf] = _t1023;
															E00406CA0();
															_t763 =  *(_t1036 + 0x48);
															_t1029 =  *_t763;
															_t764 = _t763[1];
															_t814 = _t1018[0xe];
															_t1023 = _t1018[0xf];
															 *(_t1036 + 0x20) = _t763[4];
															_t1036 = _t1036 + 8;
															 *(_t1036 + 0x24) = _t763[3];
															 *(_t1036 + 0x10) = _t764;
															_t998 = _t764;
															goto L295;
														}
														goto L321;
													case 0x13:
														L228:
														_t672 = _t1018[0x12];
														if(_t672 == 0) {
															L234:
															 *_t1018 = 0x14;
															goto L235;
														} else {
															L229:
															if(_t1023 >= _t672) {
																L233:
																_t925 = _t1018[0x12];
																_t1018[0x10] = _t1018[0x10] + ((0x00000001 << _t925) - 0x00000001 & _t814);
																_t814 = _t814 >> _t925;
																_t1023 = _t1023 - _t925;
																goto L234;
															} else {
																L230:
																L231:
																while(_t998 != 0) {
																	_t729 = ( *_t1029 & 0x000000ff) << _t1023;
																	_t998 = _t998 - 1;
																	_t1023 = _t1023 + 8;
																	_t1029 =  &(_t1029[1]);
																	_t814 = _t814 + _t729;
																	 *(_t1036 + 0x10) = _t998;
																	if(_t1023 < _t1018[0x12]) {
																		continue;
																	} else {
																		goto L233;
																	}
																	goto L321;
																}
																goto L303;
															}
														}
														goto L321;
													case 0x14:
														L235:
														_t678 =  *((intOrPtr*)(_t1018[0x14] + ((0x00000001 << _t1018[0x16]) - 0x00000001 & _t814) * 4));
														 *(_t1036 + 0x14) = _t678;
														if((_t678 >> 0x00000008 & 0x000000ff) <= _t1023) {
															L239:
															if((_t678 & 0x000000f0) != 0) {
																L244:
																_t876 = _t678 >> 0x00000008 & 0x000000ff;
																_t814 = _t814 >> _t876;
																_t1023 = _t1023 - _t876;
																 *(_t1036 + 0x20) = _t876;
																if((_t678 & 0x00000040) == 0) {
																	L246:
																	_t1018[0x11] = _t678 >> 0x10;
																	_t1018[0x12] = _t678 & 0xf;
																	 *_t1018 = 0x15;
																	goto L247;
																} else {
																	L245:
																	( *(_t1036 + 0x40))[6] = 0x41d338;
																	goto L294;
																}
															} else {
																L240:
																_t902 = _t678 >> 8;
																 *(_t1036 + 0x34) = _t902;
																 *(_t1036 + 0x20) = _t902 & 0x000000ff;
																 *(_t1036 + 0x2c) = _t678;
																_t701 =  *(_t1018[0x14] + ((((0x00000001 << (_t678 & 0x000000ff) +  *(_t1036 + 0x20)) - 0x00000001 & _t814) >>  *(_t1036 + 0x20)) + ( *(_t1036 + 0x14) >> 0x10)) * 4);
																 *(_t1036 + 0x14) = _t701;
																if((_t701 >> 0x00000008 & 0x000000ff) + ( *(_t1036 + 0x34) & 0x000000ff) <= _t1023) {
																	L243:
																	_t911 =  *(_t1036 + 0x2d) & 0x000000ff;
																	_t678 =  *(_t1036 + 0x14);
																	_t814 = _t814 >> _t911;
																	_t1023 = _t1023 - _t911;
																	goto L244;
																} else {
																	L241:
																	while(_t998 != 0) {
																		_t706 = ( *_t1029 & 0x000000ff) << _t1023;
																		_t913 =  *(_t1036 + 0x2c);
																		_t998 = _t998 - 1;
																		_t1023 = _t1023 + 8;
																		_t814 = _t814 + _t706;
																		_t707 = _t913 & 0x000000ff;
																		 *(_t1036 + 0x20) = _t707;
																		_t1029 =  &(_t1029[1]);
																		 *(_t1036 + 0x10) = _t998;
																		 *(_t1036 + 0x14) = 1;
																		if(( *(_t1018[0x14] + ((((0x00000001 << (_t913 & 0x000000ff) + _t707) - 0x00000001 & _t814) >>  *(_t1036 + 0x20)) + ( *(_t1036 + 0x2e) & 0x0000ffff)) * 4) >> 0x00000008 & 0x000000ff) +  *(_t1036 + 0x20) > _t1023) {
																			continue;
																		} else {
																			goto L243;
																		}
																		goto L321;
																	}
																	goto L303;
																}
															}
														} else {
															L236:
															L237:
															while(_t998 != 0) {
																_t719 = ( *_t1029 & 0x000000ff) << _t1023;
																_t998 = _t998 - 1;
																_t1023 = _t1023 + 8;
																_t814 = _t814 + _t719;
																_t1029 =  &(_t1029[1]);
																 *(_t1036 + 0x10) = _t998;
																_t678 =  *(_t1018[0x14] + ((0x00000001 << _t1018[0x16]) - 0x00000001 & _t814) * 4);
																 *(_t1036 + 0x14) = 1;
																if(0xad > _t1023) {
																	continue;
																} else {
																	goto L239;
																}
																goto L321;
															}
															goto L303;
														}
														goto L321;
													case 0x15:
														L247:
														_t681 = _t1018[0x12];
														if(_t681 == 0) {
															L252:
															if(_t1018[0x11] <= _t1018[0xb] -  *(_t1036 + 0x18) +  *(_t1036 + 0x28)) {
																L254:
																 *_t1018 = 0x16;
																goto L255;
															} else {
																L253:
																( *(_t1036 + 0x40))[6] = 0x41d338;
																goto L294;
															}
														} else {
															L248:
															if(_t1023 >= _t681) {
																L251:
																_t899 = _t1018[0x12];
																_t1018[0x11] = _t1018[0x11] + ((0x00000001 << _t899) - 0x00000001 & _t814);
																_t814 = _t814 >> _t899;
																_t1023 = _t1023 - _t899;
																goto L252;
															} else {
																L249:
																while(_t998 != 0) {
																	_t692 = ( *_t1029 & 0x000000ff) << _t1023;
																	_t998 = _t998 - 1;
																	_t1023 = _t1023 + 8;
																	_t1029 =  &(_t1029[1]);
																	_t814 = _t814 + _t692;
																	 *(_t1036 + 0x10) = _t998;
																	if(_t1023 < _t1018[0x12]) {
																		continue;
																	} else {
																		goto L251;
																	}
																	goto L321;
																}
																goto L303;
															}
														}
														goto L321;
													case 0x16:
														L255:
														if( *(_t1036 + 0x18) == 0) {
															goto L303;
														} else {
															L256:
															_t883 =  *(_t1036 + 0x28) -  *(_t1036 + 0x18);
															_t682 = _t1018[0x11];
															if(_t682 <= _t883) {
																L262:
																_t683 = _t1018[0x10];
																 *(_t1036 + 0x2c) =  *(_t1036 + 0x24) - _t682;
																 *(_t1036 + 0x34) = _t683;
																goto L263;
															} else {
																L257:
																_t685 = _t682 - _t883;
																_t892 = _t1018[0xc];
																 *(_t1036 + 0x14) = _t685;
																if(_t685 <= _t892) {
																	_t895 = _t1018[0xd] - _t685 + _t1018[0xc];
																	_t683 =  *(_t1036 + 0x14);
																} else {
																	_t683 = _t685 - _t892;
																	 *(_t1036 + 0x14) = _t683;
																	_t895 = _t1018[0xd] + _t1018[0xa] - _t683;
																}
																 *(_t1036 + 0x2c) = _t895;
																_t896 = _t1018[0x10];
																 *(_t1036 + 0x34) = _t896;
																if(_t683 > _t896) {
																	L261:
																	_t683 = _t896;
																	L263:
																	 *(_t1036 + 0x14) = _t683;
																}
															}
															L264:
															_t886 =  *(_t1036 + 0x18);
															if(_t683 > _t886) {
																_t683 = _t886;
																 *(_t1036 + 0x14) = _t683;
															}
															 *(_t1036 + 0x18) = _t886 - _t683;
															_t684 =  *(_t1036 + 0x24);
															_t1018[0x10] =  *(_t1036 + 0x34) - _t683;
															do {
																L267:
																 *(_t1036 + 0x2c) =  *(_t1036 + 0x2c) + 1;
																 *_t684 =  *( *(_t1036 + 0x2c));
																_t684 =  &(_t684[1]);
																_t534 = _t1036 + 0x14;
																 *_t534 =  *(_t1036 + 0x14) - 1;
															} while ( *_t534 != 0);
															 *(_t1036 + 0x24) = _t684;
															if(_t1018[0x10] == 0) {
																 *_t1018 = 0x12;
															}
															goto L295;
														}
														goto L321;
													case 0x17:
														L270:
														if( *(__esp + 0x18) == 0) {
															goto L303;
														} else {
															L271:
															__eax =  *(__esp + 0x24);
															__cl =  *(__edi + 0x40);
															 *__eax = __cl;
															__eax = __eax + 1;
															 *(__esp + 0x18) =  *(__esp + 0x18) - 1;
															 *(__esp + 0x24) = __eax;
															 *__edi = 0x12;
															goto L295;
														}
														goto L321;
													case 0x18:
														L272:
														if( *((intOrPtr*)(__edi + 8)) == 0) {
															L286:
															 *__edi = 0x19;
															goto L287;
														} else {
															L273:
															if(__esi >= 0x20) {
																L276:
																__eax =  *(__esp + 0x28);
																__eax =  *(__esp + 0x28) -  *(__esp + 0x18);
																__ecx =  *(__esp + 0x40);
																 *((intOrPtr*)( *(__esp + 0x40) + 0x14)) =  *((intOrPtr*)( *(__esp + 0x40) + 0x14)) + __eax;
																 *((intOrPtr*)(__edi + 0x1c)) =  *((intOrPtr*)(__edi + 0x1c)) + __eax;
																 *(__esp + 0x28) = __eax;
																if(__eax != 0) {
																	__ecx =  *(__esp + 0x24);
																	__edx =  *(__edi + 0x18);
																	_push(__eax);
																	_push(__ecx);
																	_push( *(__edi + 0x18));
																	if( *(__edi + 0x10) == 0) {
																		__eax = E004024A0();
																	} else {
																		__eax = E00403080();
																	}
																	__ecx =  *(__esp + 0x4c);
																	__edx =  *(__esp + 0x1c);
																	 *(__edi + 0x18) = __eax;
																	__esp = __esp + 0xc;
																	 *(__ecx + 0x30) = __eax;
																}
																__eax =  *(__esp + 0x18);
																 *(__esp + 0x28) =  *(__esp + 0x18);
																__eax = __ebx;
																if( *(__edi + 0x10) == 0) {
																	__eax = __eax & 0x0000ff00;
																	__ebx = __ebx << 0x10;
																	__eax = __eax + (__ebx << 0x10);
																	__ebx = __ebx >> 8;
																	__ecx = __ebx >> 0x00000008 & 0x0000ff00;
																	__eax = __eax << 8;
																	__eax = __eax + (__ebx >> 0x00000008 & 0x0000ff00);
																	__ebx = __ebx >> 0x18;
																	__eax = __eax + (__ebx >> 0x18);
																}
																if(__eax ==  *(__edi + 0x18)) {
																	L285:
																	__ebx = 0;
																	__esi = 0;
																	goto L286;
																} else {
																	L284:
																	__eax =  *(__esp + 0x40);
																	 *(__eax + 0x18) = 0x41d338;
																	goto L294;
																}
															} else {
																L274:
																while(__edx != 0) {
																	__eax =  *__ebp & 0x000000ff;
																	__ecx = __esi;
																	__eax = ( *__ebp & 0x000000ff) << __cl;
																	__edx = __edx - 1;
																	__esi = __esi + 8;
																	__ebp =  &(__ebp[1]);
																	__ebx = __ebx + __eax;
																	 *(__esp + 0x10) = __edx;
																	if(__esi < 0x20) {
																		continue;
																	} else {
																		goto L276;
																	}
																	goto L321;
																}
																goto L303;
															}
														}
														goto L321;
													case 0x19:
														L287:
														if( *((intOrPtr*)(__edi + 8)) == 0 ||  *(__edi + 0x10) == 0) {
															L300:
															 *__edi = 0x1a;
															goto L301;
														} else {
															L289:
															if(__esi >= 0x20) {
																L292:
																if(__ebx ==  *((intOrPtr*)(__edi + 0x1c))) {
																	L299:
																	__ebx = 0;
																	__esi = 0;
																	goto L300;
																} else {
																	goto L293;
																}
															} else {
																L290:
																while(__edx != 0) {
																	__eax =  *__ebp & 0x000000ff;
																	__ecx = __esi;
																	__eax = ( *__ebp & 0x000000ff) << __cl;
																	__edx = __edx - 1;
																	__esi = __esi + 8;
																	__ebp =  &(__ebp[1]);
																	__ebx = __ebx + __eax;
																	 *(__esp + 0x10) = __edx;
																	if(__esi < 0x20) {
																		continue;
																	} else {
																		goto L292;
																	}
																	goto L321;
																}
																goto L303;
															}
														}
														goto L321;
													case 0x1a:
														L301:
														 *(__esp + 0x30) = 1;
														goto L303;
													case 0x1b:
														L302:
														 *(__esp + 0x30) = 0xfffffffd;
														goto L303;
													case 0x1c:
														goto L308;
												}
											}
											L296:
											_t645 = 0xfffffffe;
											goto L297;
										}
									}
								} else {
									do {
										L169:
										_t771 =  *(_t1018[0x13] + ((0x00000001 << _t1018[0x15]) - 0x00000001 & _t814) * 4);
										 *(_t1036 + 0x14) = 1;
										if(0xad <= _t1023) {
											L172:
											if(_t771 >> 0x10 >= 0x10) {
												L178:
												_t961 =  *((intOrPtr*)(_t1036 + 0x16));
												if(_t961 != 0x10) {
													L185:
													_t962 = _t771 & 0x000000ff;
													 *(_t1036 + 0x2c) = _t962;
													if(_t961 != 0x11) {
														L191:
														if(_t1023 >= _t962 + 7) {
															L194:
															_t828 = _t814 >> _t962;
															 *(_t1036 + 0x14) = (_t828 & 0x0000007f) + 0xb;
															_t814 = _t828 >> 7;
															_t776 = 0xfffffff9;
															goto L195;
														} else {
															L192:
															while(_t998 != 0) {
																_t785 = ( *_t1029 & 0x000000ff) << _t1023;
																_t962 =  *(_t1036 + 0x2c);
																_t998 = _t998 - 1;
																_t1023 = _t1023 + 8;
																_t814 = _t814 + _t785;
																_t1029 =  &(_t1029[1]);
																 *(_t1036 + 0x10) = _t998;
																if(_t1023 < _t962 + 7) {
																	continue;
																} else {
																	goto L194;
																}
																goto L321;
															}
															goto L303;
														}
													} else {
														L186:
														if(_t1023 >= _t962 + 3) {
															L190:
															_t829 = _t814 >> _t962;
															 *(_t1036 + 0x14) = (_t829 & 0x00000007) + 3;
															_t814 = _t829 >> 3;
															_t776 = 0xfffffffd;
															L195:
															_t1023 = _t1023 + _t776 - _t962;
															_t778 =  *(_t1036 + 0x14);
															 *(_t1036 + 0x20) = 0;
															goto L196;
														} else {
															L187:
															L188:
															while(_t998 != 0) {
																_t792 = ( *_t1029 & 0x000000ff) << _t1023;
																_t962 =  *(_t1036 + 0x2c);
																_t998 = _t998 - 1;
																_t1023 = _t1023 + 8;
																_t814 = _t814 + _t792;
																_t1029 =  &(_t1029[1]);
																 *(_t1036 + 0x10) = _t998;
																if(_t1023 < _t962 + 3) {
																	continue;
																} else {
																	goto L190;
																}
																goto L321;
															}
															goto L303;
														}
													}
												} else {
													L179:
													_t968 = _t771 & 0x000000ff;
													 *(_t1036 + 0x2c) = _t968;
													if(_t1023 >= _t968 + 2) {
														L183:
														_t795 = _t1018[0x1a];
														_t814 = _t814 >> _t968;
														_t1023 = _t1023 - _t968;
														if(_t795 == 0) {
															goto L293;
														} else {
															L184:
															_t778 = (_t814 & 0x00000003) + 3;
															_t814 = _t814 >> 2;
															 *(_t1036 + 0x20) =  *(_t1018 + 0x6e + _t795 * 2) & 0x0000ffff;
															 *(_t1036 + 0x14) = _t778;
															_t1023 = _t1023 - 2;
															L196:
															if(_t1018[0x1a] + _t778 > _t1018[0x19] + _t1018[0x18]) {
																goto L26;
															} else {
																L197:
																if( *(_t1036 + 0x14) != 0) {
																	L198:
																	_t783 =  *(_t1036 + 0x20);
																	do {
																		L199:
																		 *(_t1036 + 0x14) =  *(_t1036 + 0x14) - 1;
																		 *(_t1018 + 0x70 + _t1018[0x1a] * 2) = _t783;
																		_t1018[0x1a] = _t1018[0x1a] + 1;
																	} while ( *(_t1036 + 0x14) != 0);
																}
																goto L200;
															}
														}
													} else {
														L180:
														L181:
														while(_t998 != 0) {
															_t799 = ( *_t1029 & 0x000000ff) << _t1023;
															_t968 =  *(_t1036 + 0x2c);
															_t998 = _t998 - 1;
															_t1023 = _t1023 + 8;
															_t814 = _t814 + _t799;
															_t1029 =  &(_t1029[1]);
															 *(_t1036 + 0x10) = _t998;
															if(_t1023 < _t968 + 2) {
																continue;
															} else {
																goto L183;
															}
															goto L321;
														}
														goto L303;
													}
												}
											} else {
												L173:
												if(_t1023 >= (_t771 >> 0x00000008 & 0x000000ff)) {
													L177:
													_t974 = _t771 & 0x000000ff;
													_t814 = _t814 >> _t974;
													_t1023 = _t1023 - _t974;
													 *(_t1018 + 0x70 + _t1018[0x1a] * 2) =  *((intOrPtr*)(_t1036 + 0x16));
													_t1018[0x1a] = _t1018[0x1a] + 1;
													goto L200;
												} else {
													L174:
													L175:
													while(_t998 != 0) {
														_t803 = ( *_t1029 & 0x000000ff) << _t1023;
														_t998 = _t998 - 1;
														_t1023 = _t1023 + 8;
														_t1029 =  &(_t1029[1]);
														_t814 = _t814 + _t803;
														_t771 =  *(_t1036 + 0x14);
														 *(_t1036 + 0x10) = _t998;
														if(_t1023 < (_t771 & 0x000000ff)) {
															continue;
														} else {
															goto L177;
														}
														goto L321;
													}
													goto L303;
												}
											}
										} else {
											L170:
											while(_t998 != 0) {
												_t805 = ( *_t1029 & 0x000000ff) << _t1023;
												_t998 = _t998 - 1;
												_t1023 = _t1023 + 8;
												_t814 = _t814 + _t805;
												_t1029 =  &(_t1029[1]);
												 *(_t1036 + 0x10) = _t998;
												_t771 =  *(_t1018[0x13] + ((0x00000001 << _t1018[0x15]) - 0x00000001 & _t814) * 4);
												 *(_t1036 + 0x14) = 1;
												if(0xad > _t1023) {
													continue;
												} else {
													goto L172;
												}
												goto L321;
											}
											goto L303;
										}
										goto L321;
										L200:
									} while (_t1018[0x1a] < _t1018[0x19] + _t1018[0x18]);
									goto L201;
								}
							}
						} else {
							L158:
							do {
								L159:
								if(_t1023 >= 3) {
									goto L162;
								} else {
									L160:
									while(_t989 != 0) {
										_t813 = ( *_t1029 & 0x000000ff) << _t1023;
										_t989 = _t989 - 1;
										_t1023 = _t1023 + 8;
										_t1029 =  &(_t1029[1]);
										_t814 = _t814 + _t813;
										 *(_t1036 + 0x10) = _t989;
										if(_t1023 < 3) {
											continue;
										} else {
											goto L162;
										}
										goto L321;
									}
									goto L303;
								}
								goto L321;
								L162:
								 *((short*)(_t1018 + 0x70 + ( *(0x41e468 + _t1018[0x1a] * 2) & 0x0000ffff) * 2)) = _t814 & 0x00000007;
								_t1018[0x1a] = _t1018[0x1a] + 1;
								_t814 = _t814 >> 3;
								_t1023 = _t1023 - 3;
							} while (_t1018[0x1a] < _t1018[0x17]);
							goto L163;
						}
					}
					goto L321;
				}
			}

0x00407c3f
0x00407c3f
0x00407c3f
0x00407c3f
0x00407c3f
0x00407c3f
0x00407c3f
0x00407c42
0x00000000
0x00000000
0x00000000
0x00407c44
0x00407c4c
0x00407c52
0x00407c54
0x00407c55
0x00407c58
0x00407c59
0x00407c5b
0x00407c62
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407c62
0x004086b9
0x004086b9
0x004086c1
0x004086c8
0x004086cb
0x004086cd
0x004086d4
0x004086d7
0x004086da
0x004086ea
0x004086f9
0x00000000
0x004086fb
0x004086fb
0x004086fb
0x00408701
0x0040870d
0x0040870d
0x0040870e
0x0040870e
0x0040870e
0x00408716
0x0040871d
0x00408720
0x00408723
0x00408726
0x0040872d
0x00408737
0x00408738
0x00408753
0x00408754
0x00408755
0x0040873a
0x00408742
0x00408743
0x00408744
0x00408744
0x0040875a
0x0040875d
0x00408760
0x00408760
0x00408768
0x00408780
0x00408785
0x0040878b
0x00408790
0x004087ab
0x004087b6
0x00000000
0x00000000
0x00000000
0x00408792
0x00408792
0x00408792
0x00408798
0x0040866b
0x00408672
0x0040879e
0x0040879e
0x004087aa
0x004087aa
0x00408798
0x00408785
0x00000000
0x00407c64
0x00407c69
0x00407c74
0x00407c77
0x00407c82
0x00407c86
0x00407c89
0x00407c93
0x00407c96
0x00407c99
0x004075ab
0x004075af
0x00000000
0x00407ca8
0x00407ca8
0x00407ca8
0x00407caf
0x00407cb5
0x00407cbb
0x00407d0b
0x00407d13
0x00407d20
0x00407d2d
0x00407d32
0x00407d35
0x00407d3a
0x00407d3a
0x00407d43
0x00407d45
0x00407d54
0x00407d62
0x00407d67
0x00407d6b
0x00407d6e
0x00407d74
0x0040864a
0x0040864e
0x00000000
0x00407d7a
0x00407d7a
0x00407d7a
0x00407d7d
0x00407d83
0x00407d8c
0x00407fb5
0x00407fb8
0x00000000
0x00407fbe
0x00407fbe
0x00407fbe
0x00407fc7
0x00407fd0
0x00407fe2
0x00407fe8
0x00407fed
0x00407ff0
0x00407ff6
0x0040800c
0x00408012
0x00408024
0x00408035
0x0040803a
0x0040803e
0x00408041
0x00408047
0x00408059
0x00408059
0x00000000
0x00408049
0x00408049
0x0040804d
0x00000000
0x0040804d
0x00407ff8
0x00407ff8
0x00407ffc
0x00408000
0x00408655
0x00408655
0x0040865b
0x0040865b
0x0040865b
0x00408660
0x00000000
0x00000000
0x00407420
0x00407420
0x00000000
0x00407427
0x0040742b
0x00407438
0x0040743b
0x00407460
0x00407464
0x004074af
0x004074b2
0x004074bb
0x004074bd
0x004074bd
0x004074c4
0x004074c8
0x00407562
0x00000000
0x004074e8
0x004074e8
0x004074f0
0x00407506
0x00407506
0x0040750e
0x00407511
0x00407517
0x00407529
0x0040752b
0x0040752d
0x0040752f
0x00407532
0x0040753b
0x0040754a
0x0040754d
0x00407550
0x00407552
0x00407555
0x00407557
0x00407519
0x00407519
0x00000000
0x00407519
0x004074f2
0x004074f6
0x004074fa
0x00000000
0x004074fa
0x004074f0
0x0040746e
0x00407479
0x00407482
0x00407487
0x00407491
0x00407496
0x0040749a
0x0040749d
0x0040749f
0x004074a2
0x004074a4
0x004074a4
0x00000000
0x00407440
0x00000000
0x00407440
0x0040744e
0x00407450
0x00407451
0x00407454
0x00407455
0x00407457
0x0040745e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040745e
0x00000000
0x00407440
0x0040742d
0x0040742d
0x00000000
0x0040742d
0x00000000
0x00000000
0x00407572
0x00407575
0x00407597
0x00407597
0x0040759d
0x00000000
0x004075a3
0x004075a3
0x004075a9
0x004075bb
0x004075bb
0x004075c0
0x004075c4
0x004075c7
0x004075ca
0x004075ca
0x004075d3
0x004075d5
0x004075d9
0x004075de
0x004075e2
0x004075e6
0x004075eb
0x004075f0
0x004075f7
0x004075f7
0x004075fa
0x004075fc
0x004075fe
0x00000000
0x00000000
0x00000000
0x00000000
0x004075a9
0x00407577
0x00000000
0x00407577
0x0040757f
0x00407583
0x00407585
0x00407587
0x00407588
0x0040758b
0x0040758c
0x0040758e
0x00407595
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407595
0x00000000
0x00407577
0x00000000
0x00000000
0x00407606
0x00407609
0x00407630
0x00407630
0x00407635
0x00407637
0x00407637
0x00407641
0x00407643
0x00407647
0x00407649
0x0040764b
0x0040764e
0x00407651
0x00407656
0x0040765a
0x0040765e
0x00407662
0x00407666
0x0040766b
0x00407670
0x00407677
0x00407677
0x0040767a
0x0040767c
0x0040767e
0x00000000
0x0040760b
0x0040760b
0x00000000
0x00407610
0x00407618
0x0040761c
0x0040761e
0x00407620
0x00407621
0x00407624
0x00407625
0x00407627
0x0040762e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040762e
0x00000000
0x00407610
0x00000000
0x00000000
0x00407686
0x00407689
0x004076b0
0x004076b0
0x004076b5
0x004076b9
0x004076bf
0x004076c2
0x004076c5
0x004076c7
0x004076ca
0x004076ca
0x004076d4
0x004076d6
0x004076da
0x004076df
0x004076e3
0x004076e7
0x004076ec
0x004076f1
0x004076f8
0x004076f8
0x004076fb
0x004076fd
0x004076ff
0x00000000
0x0040768b
0x0040768b
0x00000000
0x00407690
0x00407698
0x0040769c
0x0040769e
0x004076a0
0x004076a1
0x004076a4
0x004076a5
0x004076a7
0x004076ae
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004076ae
0x00000000
0x00407690
0x00000000
0x00000000
0x00407705
0x0040770c
0x00407774
0x00407774
0x00407779
0x0040777b
0x0040777b
0x00000000
0x0040770e
0x0040770e
0x00407711
0x00407733
0x00407733
0x00407736
0x0040773b
0x0040773d
0x0040773d
0x00407747
0x00407749
0x0040774d
0x00407752
0x00407756
0x0040775a
0x0040775f
0x00407764
0x0040776b
0x0040776b
0x0040776e
0x00407770
0x00407782
0x00407782
0x00000000
0x00407713
0x00000000
0x00407713
0x0040771b
0x0040771f
0x00407721
0x00407723
0x00407724
0x00407727
0x00407728
0x0040772a
0x00407731
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407731
0x00000000
0x00407713
0x00407711
0x00000000
0x00000000
0x00407788
0x0040778f
0x00407833
0x00407833
0x0040783a
0x00000000
0x00407795
0x00407795
0x00407795
0x00407798
0x0040779e
0x004077a0
0x004077a2
0x004077a2
0x004077a8
0x004077aa
0x004077af
0x004077b1
0x004077b4
0x004077ba
0x004077bf
0x004077c2
0x004077c5
0x004077c8
0x004077cb
0x004077d3
0x004077d9
0x004077d9
0x004077db
0x004077e0
0x004077e4
0x004077e8
0x004077ed
0x004077f1
0x004077f5
0x004077ba
0x004077ff
0x00407801
0x00407805
0x0040780b
0x00407810
0x00407814
0x00407817
0x0040781b
0x0040781e
0x00407820
0x00407822
0x00407825
0x00407825
0x0040782d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040782d
0x00000000
0x00000000
0x00407840
0x00407847
0x004078da
0x004078da
0x004078df
0x004078e1
0x004078e1
0x00000000
0x0040784d
0x0040784d
0x0040784f
0x00000000
0x00407855
0x00407855
0x00407855
0x00407857
0x00407857
0x00407857
0x0040785c
0x00407860
0x00407863
0x00407869
0x0040786b
0x0040786e
0x00407874
0x00407876
0x0040787c
0x0040787e
0x00407886
0x00407889
0x0040788c
0x0040788c
0x0040787c
0x00407874
0x00407895
0x00000000
0x00000000
0x00407897
0x00407897
0x0040789d
0x00000000
0x00000000
0x00000000
0x0040789d
0x0040789f
0x004078a6
0x004078a8
0x004078ac
0x004078b2
0x004078b7
0x004078be
0x004078be
0x004078c1
0x004078c5
0x004078c7
0x004078ce
0x004078d2
0x00000000
0x004078d8
0x004078d8
0x004078e8
0x004078e8
0x004078ef
0x00000000
0x004078ef
0x004078d2
0x0040784f
0x00000000
0x00000000
0x004078f5
0x004078fc
0x00407993
0x00407993
0x00407998
0x0040799a
0x0040799a
0x00000000
0x00407902
0x00407902
0x00407904
0x00000000
0x0040790a
0x0040790a
0x0040790a
0x00407910
0x00407910
0x00407910
0x00407915
0x00407919
0x0040791c
0x00407922
0x00407924
0x00407927
0x0040792d
0x0040792f
0x00407935
0x00407937
0x0040793f
0x00407942
0x00407945
0x00407945
0x00407935
0x0040792d
0x0040794e
0x00000000
0x00000000
0x00407950
0x00407950
0x00407956
0x00000000
0x00000000
0x00000000
0x00407956
0x00407958
0x0040795f
0x00407961
0x00407965
0x0040796b
0x00407970
0x00407977
0x00407977
0x0040797a
0x0040797e
0x00407980
0x00407987
0x0040798b
0x00000000
0x00407991
0x00407991
0x004079a1
0x004079a1
0x00000000
0x004079a1
0x0040798b
0x00407904
0x00000000
0x00000000
0x004079a7
0x004079ae
0x004079f1
0x004079f1
0x004079f6
0x004079fb
0x004079fe
0x00407a01
0x00407a04
0x00407a07
0x00407a07
0x00407a14
0x00407a19
0x00407a1d
0x00407a21
0x00407a24
0x00407a2a
0x00000000
0x004079b0
0x004079b0
0x004079b3
0x004079d5
0x004079d5
0x004079db
0x004079ed
0x004079ed
0x004079ef
0x00000000
0x004079dd
0x004079dd
0x004079dd
0x004079e1
0x00000000
0x004079e1
0x00000000
0x004079b5
0x00000000
0x004079b5
0x004079bd
0x004079c1
0x004079c3
0x004079c5
0x004079c6
0x004079c9
0x004079ca
0x004079cc
0x004079d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004079d3
0x00000000
0x004079b5
0x004079b3
0x00000000
0x00000000
0x00407a35
0x00407a38
0x00407a60
0x00407a62
0x00407a6a
0x00407a6d
0x00407a71
0x00407a74
0x00407a77
0x00407a7c
0x00407a81
0x00407a84
0x00407a88
0x00407a8b
0x00407a8e
0x00407a90
0x00407a92
0x00000000
0x00407a40
0x00000000
0x00000000
0x00407a40
0x00407a48
0x00407a4c
0x00407a4e
0x00407a50
0x00407a51
0x00407a54
0x00407a55
0x00407a57
0x00407a5e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407a5e
0x00000000
0x00407a40
0x00000000
0x00000000
0x00407a98
0x00407a9c
0x00408673
0x00408673
0x00408677
0x0040867b
0x0040867e
0x00408682
0x00408684
0x00408687
0x0040868a
0x0040868d
0x0040868e
0x0040868f
0x00408692
0x00408693
0x00408698
0x00408699
0x0040869c
0x00407aa2
0x00407aa2
0x00407aa2
0x00407aa4
0x00407aa6
0x00407aa8
0x00407aad
0x00407ab1
0x00407ab4
0x00407ab7
0x00407abb
0x00407abe
0x00000000
0x00407abe
0x00000000
0x00000000
0x00407ac4
0x00407ac9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407acf
0x00407ad3
0x00407ae9
0x00407aec
0x00407b10
0x00407b10
0x00407b12
0x00407b14
0x00407b16
0x00407b19
0x00407b1c
0x00407b1d
0x00407b23
0x00407b77
0x00407b77
0x00407b7a
0x00407b25
0x00407b25
0x00407b25
0x00000000
0x00407b2c
0x00407b2c
0x00407b2f
0x00407b35
0x00000000
0x00000000
0x00407b3d
0x00407b3d
0x00407b3f
0x00407b44
0x00407b47
0x00407b4d
0x00000000
0x00000000
0x00407b55
0x00407b55
0x00407b58
0x00407b5e
0x00000000
0x00000000
0x00407b66
0x00407b66
0x00407b6a
0x00407b71
0x00000000
0x00000000
0x00407b25
0x00000000
0x00407af0
0x00000000
0x00000000
0x00407af0
0x00407af8
0x00407afc
0x00407afe
0x00407b00
0x00407b01
0x00407b04
0x00407b05
0x00407b07
0x00407b0e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b0e
0x00000000
0x00407af0
0x00407ad5
0x00407ad5
0x00407ad7
0x00407ada
0x00407adc
0x00407ade
0x00000000
0x00407ade
0x00000000
0x00000000
0x00407b82
0x00407b84
0x00407b87
0x00407b89
0x00407b8e
0x00407bb0
0x00407bb0
0x00407bb2
0x00407bb4
0x00407bb6
0x00407bbb
0x00407bc0
0x00407bd2
0x00407bd2
0x00407bd4
0x00407bd7
0x00407bd9
0x00000000
0x00407bc2
0x00407bc2
0x00407bc2
0x00407bc6
0x00000000
0x00407bc6
0x00407b90
0x00000000
0x00407b90
0x00407b98
0x00407b9c
0x00407b9e
0x00407ba0
0x00407ba1
0x00407ba4
0x00407ba5
0x00407ba7
0x00407bae
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407bae
0x00000000
0x00407b90
0x00000000
0x00000000
0x00407bdf
0x00407bdf
0x00407be2
0x00407be8
0x00000000
0x00407bee
0x00407bee
0x00407bf0
0x00407bf2
0x00407bf4
0x00407bf4
0x00407bf8
0x00407bfe
0x00407c00
0x00407c02
0x00407c02
0x00407c08
0x00000000
0x00407c0e
0x00407c0e
0x00407c0e
0x00407c12
0x00407c19
0x00407c1e
0x00407c22
0x00407c26
0x00407c2a
0x00407c2e
0x00407c35
0x00407c37
0x00000000
0x00407c37
0x00407c08
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040805f
0x00408062
0x004080c5
0x004080d7
0x004080e2
0x004080e8
0x0040812e
0x00408130
0x004081f7
0x004081fc
0x004081ff
0x00408201
0x00408203
0x0040820c
0x00408211
0x0040821e
0x00408220
0x0040822d
0x0040822f
0x00408241
0x00408247
0x0040824a
0x00000000
0x00408231
0x00408231
0x00408235
0x00000000
0x00408235
0x00408222
0x00408222
0x00408222
0x00000000
0x00408222
0x00408213
0x00408213
0x00408213
0x00000000
0x00408213
0x0040813e
0x0040813e
0x00408140
0x00408143
0x0040814a
0x00408155
0x00408177
0x0040817f
0x0040818d
0x004081ea
0x004081ea
0x004081ef
0x004081f3
0x004081f5
0x00000000
0x00408190
0x00000000
0x00000000
0x00408190
0x0040819e
0x004081a0
0x004081a4
0x004081a5
0x004081a8
0x004081aa
0x004081ad
0x004081c1
0x004081c2
0x004081d8
0x004081e8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004081e8
0x00000000
0x00408190
0x0040818d
0x004080f0
0x00000000
0x00000000
0x004080f0
0x004080fe
0x00408103
0x00408104
0x00408107
0x00408113
0x00408114
0x0040811b
0x00408126
0x0040812c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040812c
0x00000000
0x004080f0
0x0040806e
0x0040806e
0x0040806e
0x0040807a
0x00408081
0x00408088
0x00408089
0x0040808b
0x0040808e
0x0040808f
0x00408092
0x00408095
0x0040809a
0x004080a4
0x004080a6
0x004080a9
0x004080ac
0x004080af
0x004080b3
0x004080b6
0x004080ba
0x004080be
0x00000000
0x004080be
0x00000000
0x00000000
0x00408250
0x00408250
0x00408255
0x00408294
0x00408294
0x00000000
0x00408257
0x00408257
0x00408259
0x00408280
0x00408280
0x0040828d
0x00408290
0x00408292
0x00000000
0x0040825b
0x0040825b
0x00000000
0x00408260
0x0040826e
0x00408270
0x00408271
0x00408274
0x00408275
0x00408277
0x0040827e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040827e
0x00000000
0x00408260
0x00408259
0x00000000
0x00000000
0x0040829a
0x004082ac
0x004082b7
0x004082bd
0x004082fe
0x00408300
0x004083be
0x004083c3
0x004083c6
0x004083c8
0x004083ca
0x004083d0
0x004083e2
0x004083ed
0x004083f0
0x004083f3
0x00000000
0x004083d2
0x004083d2
0x004083d6
0x00000000
0x004083d6
0x00408306
0x00408306
0x00408308
0x0040830b
0x00408312
0x0040831d
0x0040833f
0x00408347
0x00408355
0x004083b1
0x004083b1
0x004083b6
0x004083ba
0x004083bc
0x00000000
0x00408357
0x00000000
0x00408357
0x00408365
0x00408367
0x0040836b
0x0040836c
0x0040836f
0x00408371
0x00408374
0x00408388
0x00408389
0x0040839f
0x004083af
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004083af
0x00000000
0x00408357
0x00408355
0x004082c0
0x00000000
0x00000000
0x004082c0
0x004082ce
0x004082d3
0x004082d4
0x004082d7
0x004082e3
0x004082e4
0x004082eb
0x004082f6
0x004082fc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004082fc
0x00000000
0x004082c0
0x00000000
0x00000000
0x004083f9
0x004083f9
0x004083fe
0x00408438
0x00408446
0x00408458
0x00408458
0x00000000
0x00408448
0x00408448
0x0040844c
0x00000000
0x0040844c
0x00408400
0x00408400
0x00408402
0x00408424
0x00408424
0x00408431
0x00408434
0x00408436
0x00000000
0x00408404
0x00000000
0x00408404
0x00408412
0x00408414
0x00408415
0x00408418
0x00408419
0x0040841b
0x00408422
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408422
0x00000000
0x00408404
0x00408402
0x00000000
0x00000000
0x0040845e
0x00408463
0x00000000
0x00408469
0x00408469
0x0040846d
0x00408471
0x00408476
0x004084b4
0x004084ba
0x004084bd
0x004084c1
0x00000000
0x00408478
0x00408478
0x00408478
0x0040847a
0x0040847d
0x00408483
0x0040849a
0x0040849d
0x00408485
0x00408485
0x0040848d
0x00408491
0x00408491
0x004084a1
0x004084a5
0x004084a8
0x004084ae
0x004084b0
0x004084b0
0x004084c5
0x004084c5
0x004084c5
0x004084ae
0x004084c9
0x004084c9
0x004084cf
0x004084d1
0x004084d3
0x004084d3
0x004084d9
0x004084e3
0x004084e7
0x004084f0
0x004084f0
0x004084f6
0x004084fa
0x004084fc
0x004084fd
0x004084fd
0x004084fd
0x00408508
0x0040850c
0x00408512
0x00408512
0x00000000
0x0040850c
0x00000000
0x00000000
0x0040851d
0x00408522
0x00000000
0x00408528
0x00408528
0x00408528
0x0040852c
0x0040852f
0x00408531
0x00408532
0x00408536
0x0040853a
0x00000000
0x0040853a
0x00000000
0x00000000
0x00408545
0x00408549
0x00408606
0x00408606
0x00000000
0x0040854f
0x0040854f
0x00408552
0x00408574
0x00408574
0x00408578
0x0040857c
0x00408580
0x00408583
0x00408586
0x0040858c
0x0040858e
0x00408592
0x00408595
0x0040859c
0x0040859d
0x0040859e
0x004085a7
0x004085a0
0x004085a0
0x004085a0
0x004085ac
0x004085b0
0x004085b4
0x004085b7
0x004085ba
0x004085ba
0x004085c1
0x004085c5
0x004085c9
0x004085cb
0x004085cd
0x004085d4
0x004085d7
0x004085db
0x004085de
0x004085e4
0x004085e7
0x004085eb
0x004085ee
0x004085ee
0x004085f3
0x00408602
0x00408602
0x00408604
0x00000000
0x004085f5
0x004085f5
0x004085f5
0x004085f9
0x00000000
0x004085f9
0x00408554
0x00000000
0x00408554
0x0040855c
0x00408560
0x00408562
0x00408564
0x00408565
0x00408568
0x00408569
0x0040856b
0x00408572
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408572
0x00000000
0x00408554
0x00408552
0x00000000
0x00000000
0x0040860c
0x00408610
0x004086a1
0x004086a1
0x00000000
0x00408620
0x00408620
0x00408623
0x00408645
0x00408648
0x0040869d
0x0040869d
0x0040869f
0x00000000
0x00000000
0x00000000
0x00000000
0x00408625
0x00000000
0x00408625
0x0040862d
0x00408631
0x00408633
0x00408635
0x00408636
0x00408639
0x0040863a
0x0040863c
0x00408643
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408643
0x00000000
0x00408625
0x00408623
0x00000000
0x00000000
0x004086a7
0x004086a7
0x00000000
0x00000000
0x004086b1
0x004086b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00407420
0x00408666
0x00408666
0x00000000
0x00408666
0x00407ff6
0x00407d92
0x00407d92
0x00407d92
0x00407da2
0x00407dad
0x00407db3
0x00407df3
0x00407dfb
0x00407e52
0x00407e52
0x00407e5b
0x00407ec5
0x00407ec9
0x00407ecc
0x00407ed0
0x00407f1e
0x00407f23
0x00407f4b
0x00407f4b
0x00407f55
0x00407f59
0x00407f5c
0x00000000
0x00407f25
0x00000000
0x00407f25
0x00407f33
0x00407f35
0x00407f39
0x00407f3a
0x00407f3d
0x00407f42
0x00407f43
0x00407f49
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407f49
0x00000000
0x00407f25
0x00407ed2
0x00407ed2
0x00407ed7
0x00407f06
0x00407f06
0x00407f10
0x00407f14
0x00407f17
0x00407f61
0x00407f63
0x00407f65
0x00407f69
0x00000000
0x00407ee0
0x00000000
0x00000000
0x00407ee0
0x00407eee
0x00407ef0
0x00407ef4
0x00407ef5
0x00407ef8
0x00407efd
0x00407efe
0x00407f04
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407f04
0x00000000
0x00407ee0
0x00407ed7
0x00407e5d
0x00407e5d
0x00407e5d
0x00407e63
0x00407e69
0x00407e96
0x00407e96
0x00407e99
0x00407e9b
0x00407e9f
0x00000000
0x00407ea5
0x00407ea5
0x00407eaf
0x00407eb2
0x00407eb5
0x00407eb9
0x00407ebd
0x00407f71
0x00407f7e
0x00000000
0x00407f84
0x00407f84
0x00407f89
0x00407f8b
0x00407f8b
0x00407f90
0x00407f90
0x00407f93
0x00407f97
0x00407f9c
0x00407f9f
0x00407f90
0x00000000
0x00407f89
0x00407f7e
0x00407e6b
0x00407e6b
0x00000000
0x00407e70
0x00407e7e
0x00407e80
0x00407e84
0x00407e85
0x00407e88
0x00407e8d
0x00407e8e
0x00407e94
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e94
0x00000000
0x00407e70
0x00407e69
0x00407dfd
0x00407dfd
0x00407e07
0x00407e36
0x00407e36
0x00407e3c
0x00407e3e
0x00407e45
0x00407e4a
0x00000000
0x00407e10
0x00000000
0x00000000
0x00407e10
0x00407e1e
0x00407e20
0x00407e21
0x00407e24
0x00407e25
0x00407e27
0x00407e2e
0x00407e34
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e34
0x00000000
0x00407e10
0x00407e07
0x00407db5
0x00000000
0x00407db5
0x00407dc3
0x00407dc8
0x00407dc9
0x00407dcc
0x00407dd8
0x00407dd9
0x00407de0
0x00407deb
0x00407df1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407df1
0x00000000
0x00407db5
0x00000000
0x00407fa6
0x00407fac
0x00000000
0x00407d92
0x00407d8c
0x00407cc0
0x00000000
0x00407cc0
0x00407cc0
0x00407cc3
0x00000000
0x00407cc5
0x00000000
0x00407cc5
0x00407cd3
0x00407cd5
0x00407cd6
0x00407cd9
0x00407cda
0x00407cdc
0x00407ce3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ce3
0x00000000
0x00407cc5
0x00000000
0x00407ce5
0x00407cf5
0x00407cfa
0x00407d00
0x00407d03
0x00407d06
0x00000000
0x00407cc0
0x00407cbb
0x00000000
0x00407c99

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004073A0 Relevance: .6, Instructions: 633
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E004073A0() {
				signed char** _t638;
				signed int _t640;
				signed int _t641;
				unsigned int _t667;
				signed char* _t680;
				signed char* _t696;
				signed int* _t714;
				signed int _t716;
				signed char* _t723;
				void* _t730;

				_t638 =  *(_t730 + 4);
				if(_t638 == 0) {
					L330:
					return 0xfffffffe;
				} else {
					_t714 = _t638[7];
					if(_t714 == 0 || _t638[3] == 0 ||  *_t638 == 0 && _t638[1] != 0) {
						goto L330;
					} else {
						if( *_t714 == 0xb) {
							 *_t714 = 0xc;
						}
						_t696 = _t638[1];
						_t667 = _t714[0xe];
						_t723 =  *_t638;
						 *(_t730 + 0x20) = _t638[3];
						_t680 = _t638[4];
						_t640 =  *_t714;
						_t716 = _t714[0xf];
						 *(_t730 + 0x18) = _t680;
						 *(_t730 + 0x10) = _t696;
						 *(_t730 + 0x38) = _t696;
						 *(_t730 + 0x28) = _t680;
						 *(_t730 + 0x30) = 0;
						if(_t640 > 0x1c) {
							L305:
							_t641 = 0xfffffffe;
							goto L306;
						} else {
							do {
								switch( *((intOrPtr*)(_t640 * 4 +  &M004087C4))) {
									case 0:
										if(_t714[2] != 0) {
											if(_t716 >= 0x10) {
												L16:
												if((_t714[2] & 0x00000002) == 0 || _t667 != 0x8b1f) {
													_t642 = _t714[8];
													_t714[4] = 0;
													if(_t642 != 0) {
														 *((intOrPtr*)(_t642 + 0x30)) = 0xffffffff;
													}
													if((_t714[2] & 0x00000001) == 0 || (((_t667 & 0x000000ff) << 8) + (_t667 >> 8)) % 0x1f != 0) {
														( *(_t730 + 0x40))[6] = 0x41d338;
														goto L303;
													} else {
														if((_t667 & 0x0000000f) == 8) {
															_t667 = _t667 >> 4;
															_t693 = (_t667 & 0x0000000f) + 8;
															_t716 = _t716 - 4;
															if(_t693 <= _t714[9]) {
																_push(0);
																_push(0);
																_push(0);
																_t714[5] = 1 << _t693;
																_t647 = E004024A0();
																_t705 =  *(_t730 + 0x1c);
																_t714[6] = _t647;
																 *( *((intOrPtr*)(_t730 + 0x4c)) + 0x30) = _t647;
																 *_t714 =  !(_t667 >> 8) & 0x00000002 | 0x00000009;
																_t730 = _t730 + 0xc;
																_t667 = 0;
																_t716 = 0;
															} else {
																_t705 =  *(_t730 + 0x10);
																goto L302;
															}
														} else {
															_t705 =  *(_t730 + 0x10);
															( *(_t730 + 0x40))[6] = 0x41d338;
															goto L303;
														}
													}
												} else {
													_t714[6] = E00403080(0, 0, 0);
													 *((char*)(_t730 + 0x2c)) = 0x1f;
													 *((char*)(_t730 + 0x2d)) = 0x8b;
													_t650 = E00403080(_t714[6], _t730 + 0x2c, 2);
													_t705 =  *(_t730 + 0x28);
													_t730 = _t730 + 0x18;
													_t667 = 0;
													_t714[6] = _t650;
													_t716 = 0;
													 *_t714 = 1;
												}
												goto L304;
											} else {
												while(_t705 != 0) {
													_t665 = ( *_t723 & 0x000000ff) << _t716;
													_t705 = _t705 - 1;
													_t716 = _t716 + 8;
													_t723 =  &(_t723[1]);
													_t667 = _t667 + _t665;
													 *(_t730 + 0x10) = _t705;
													if(_t716 < 0x10) {
														continue;
													} else {
														goto L16;
													}
													goto L331;
												}
												goto L312;
											}
										} else {
											 *_t714 = 0xc;
											goto L304;
										}
										goto L331;
									case 1:
										if(__esi >= 0x10) {
											L32:
											 *(__edi + 0x10) = __ebx;
											if(__bl != 8) {
												goto L302;
											} else {
												if((__ebx & 0x0000e000) == 0) {
													__eax =  *(__edi + 0x20);
													if(__eax != 0) {
														__ebx = __ebx >> 8;
														__ecx = __ebx >> 0x00000008 & 0x00000001;
														 *__eax = __ebx >> 0x00000008 & 0x00000001;
													}
													if(( *(__edi + 0x10) & 0x00000200) != 0) {
														 *(__esp + 0x1c) = __bl;
														__ebx = __ebx >> 8;
														__edx = __esp + 0x20;
														 *(__esp + 0x21) = __bl;
														__eax =  *(__edi + 0x18);
														__eax = E00403080( *(__edi + 0x18), __esp + 0x20, 2);
														__edx =  *(__esp + 0x1c);
														 *(__edi + 0x18) = __eax;
													}
													__ebx = 0;
													__esi = 0;
													 *__edi = 2;
													goto L42;
												} else {
													goto L34;
												}
											}
										} else {
											while(__edx != 0) {
												__eax =  *__ebp & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebp & 0x000000ff) << __cl;
												__edx = __edx - 1;
												__esi = __esi + 8;
												__ebp =  &(__ebp[1]);
												__ebx = __ebx + __eax;
												 *(__esp + 0x10) = __edx;
												if(__esi < 0x10) {
													continue;
												} else {
													goto L32;
												}
												goto L331;
											}
											goto L312;
										}
										goto L331;
									case 2:
										if(__esi >= 0x20) {
											L44:
											__eax =  *(__edi + 0x20);
											if(__eax != 0) {
												 *(__eax + 4) = __ebx;
											}
											if(( *(__edi + 0x10) & 0x00000200) != 0) {
												 *(__esp + 0x1c) = __bl;
												__ecx = __ebx;
												__edx = __ebx;
												__ecx = __ebx >> 8;
												__edx = __ebx >> 0x10;
												__ebx = __ebx >> 0x18;
												__eax = __esp + 0x20;
												 *(__esp + 0x21) = __cl;
												 *((char*)(__esp + 0x22)) = __dl;
												 *(__esp + 0x23) = __bl;
												__ecx =  *(__edi + 0x18);
												__eax = E00403080( *(__edi + 0x18), __esp + 0x20, 4);
												__edx =  *(__esp + 0x1c);
												 *(__edi + 0x18) = __eax;
											}
											__ebx = 0;
											__esi = 0;
											 *__edi = 3;
											goto L51;
										} else {
											L42:
											while(__edx != 0) {
												__eax =  *__ebp & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebp & 0x000000ff) << __cl;
												__edx = __edx - 1;
												__esi = __esi + 8;
												__ebp =  &(__ebp[1]);
												__ebx = __ebx + __eax;
												 *(__esp + 0x10) = __edx;
												if(__esi < 0x20) {
													continue;
												} else {
													goto L44;
												}
												goto L331;
											}
											goto L312;
										}
										goto L331;
									case 3:
										if(__esi >= 0x10) {
											L53:
											__eax =  *(__edi + 0x20);
											if(__eax != 0) {
												__ebx = __ebx & 0x000000ff;
												 *(__eax + 8) = __ebx & 0x000000ff;
												__ecx =  *(__edi + 0x20);
												__eax = __ebx;
												__eax = __ebx >> 8;
												 *( *(__edi + 0x20) + 0xc) = __eax;
											}
											if(( *(__edi + 0x10) & 0x00000200) != 0) {
												 *(__esp + 0x1c) = __bl;
												__ebx = __ebx >> 8;
												__edx = __esp + 0x20;
												 *(__esp + 0x21) = __bl;
												__eax =  *(__edi + 0x18);
												__eax = E00403080( *(__edi + 0x18), __esp + 0x20, 2);
												__edx =  *(__esp + 0x1c);
												 *(__edi + 0x18) = __eax;
											}
											__ebx = 0;
											__esi = 0;
											 *__edi = 4;
											goto L58;
										} else {
											L51:
											while(__edx != 0) {
												__eax =  *__ebp & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebp & 0x000000ff) << __cl;
												__edx = __edx - 1;
												__esi = __esi + 8;
												__ebp =  &(__ebp[1]);
												__ebx = __ebx + __eax;
												 *(__esp + 0x10) = __edx;
												if(__esi < 0x10) {
													continue;
												} else {
													goto L53;
												}
												goto L331;
											}
											goto L312;
										}
										goto L331;
									case 4:
										L58:
										if(( *(__edi + 0x10) & 0x00000400) == 0) {
											__eax =  *(__edi + 0x20);
											if(__eax != 0) {
												 *(__eax + 0x10) = 0;
											}
											goto L69;
										} else {
											if(__esi >= 0x10) {
												L62:
												__eax =  *(__edi + 0x20);
												 *(__edi + 0x40) = __ebx;
												if(__eax != 0) {
													 *(__eax + 0x14) = __ebx;
												}
												if(( *(__edi + 0x10) & 0x00000200) != 0) {
													 *(__esp + 0x1c) = __bl;
													__ebx = __ebx >> 8;
													__ecx = __esp + 0x20;
													 *(__esp + 0x21) = __bl;
													__edx =  *(__edi + 0x18);
													__eax = E00403080( *(__edi + 0x18), __esp + 0x20, 2);
													__edx =  *(__esp + 0x1c);
													 *(__edi + 0x18) = __eax;
												}
												__ebx = 0;
												__esi = 0;
												L69:
												 *__edi = 5;
												goto L70;
											} else {
												while(__edx != 0) {
													__eax =  *__ebp & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebp & 0x000000ff) << __cl;
													__edx = __edx - 1;
													__esi = __esi + 8;
													__ebp =  &(__ebp[1]);
													__ebx = __ebx + __eax;
													 *(__esp + 0x10) = __edx;
													if(__esi < 0x10) {
														continue;
													} else {
														goto L62;
													}
													goto L331;
												}
												goto L312;
											}
										}
										goto L331;
									case 5:
										L70:
										if(( *(__edi + 0x10) & 0x00000400) == 0) {
											L83:
											 *(__edi + 0x40) = 0;
											 *__edi = 6;
											goto L84;
										} else {
											__eax =  *(__edi + 0x40);
											 *(__esp + 0x14) = __eax;
											if(__eax > __edx) {
												__eax = __edx;
												 *(__esp + 0x14) = __edx;
											}
											if(__eax != 0) {
												__ecx =  *(__edi + 0x20);
												if(__ecx != 0) {
													__ecx =  *(__ecx + 0x10);
													 *(__esp + 0x34) = __ecx;
													if(__ecx != 0) {
														 *(__edi + 0x20) =  *( *(__edi + 0x20) + 0x14);
														__ecx =  *( *(__edi + 0x20) + 0x14) -  *(__edi + 0x40);
														__edx =  *(__edi + 0x20);
														__edx =  *( *(__edi + 0x20) + 0x18);
														 *(__esp + 0x20) = __ecx;
														if(__ecx > __edx) {
															__eax = __edx;
														}
														__edx =  *(__esp + 0x34);
														__eax =  *(__esp + 0x24);
														__edx =  *(__esp + 0x34) +  *(__esp + 0x24);
														__eax = E0040B350(__ebx, __edi, __esi,  *(__esp + 0x34) +  *(__esp + 0x24), __ebp,  *(__esp + 0x24));
														__eax =  *(__esp + 0x20);
														__edx =  *(__esp + 0x1c);
													}
												}
												if(( *(__edi + 0x10) & 0x00000200) != 0) {
													__ecx =  *(__esp + 0x14);
													__edx =  *(__edi + 0x18);
													__eax = E00403080( *(__edi + 0x18), __ebp,  *(__esp + 0x14));
													__edx =  *(__esp + 0x1c);
													 *(__edi + 0x18) = __eax;
													__eax =  *(__esp + 0x20);
												}
												__edx = __edx - __eax;
												__ebp =  &(__ebp[__eax]);
												 *(__edi + 0x40) =  *(__edi + 0x40) - __eax;
												 *(__esp + 0x10) = __edx;
											}
											if( *(__edi + 0x40) != 0) {
												goto L312;
											} else {
												goto L83;
											}
										}
										goto L331;
									case 6:
										L84:
										if(( *(__edi + 0x10) & 0x00000800) == 0) {
											__eax =  *(__edi + 0x20);
											if(__eax != 0) {
												 *(__eax + 0x1c) = 0;
											}
											goto L99;
										} else {
											if(__edx == 0) {
												goto L312;
											} else {
												__eax = 0;
												while(1) {
													__ecx = __ebp[__eax] & 0x000000ff;
													 *(__esp + 0x14) = __eax;
													__eax =  *(__edi + 0x20);
													 *(__esp + 0x20) = __ecx;
													if(__eax != 0) {
														__ecx =  *(__eax + 0x1c);
														 *(__esp + 0x34) = __ecx;
														if(__ecx != 0) {
															__ecx =  *(__edi + 0x40);
															if(__ecx <  *((intOrPtr*)(__eax + 0x20))) {
																__edx =  *(__esp + 0x34);
																__al =  *(__esp + 0x20);
																 *( *(__esp + 0x34) + __ecx) = __al;
																 *(__edi + 0x40) =  *(__edi + 0x40) + 1;
																__edx =  *(__esp + 0x10);
															}
														}
													}
													if( *(__esp + 0x20) == 0) {
														break;
													}
													__eax =  *(__esp + 0x14);
													if(__eax < __edx) {
														continue;
													}
													break;
												}
												if(( *(__edi + 0x10) & 0x00000200) != 0) {
													__ecx =  *(__esp + 0x14);
													__edx =  *(__edi + 0x18);
													__eax = E00403080( *(__edi + 0x18), __ebp,  *(__esp + 0x14));
													__edx =  *(__esp + 0x1c);
													 *(__edi + 0x18) = __eax;
												}
												__eax =  *(__esp + 0x14);
												__edx = __edx - __eax;
												__ebp =  &(__ebp[__eax]);
												 *(__esp + 0x10) = __edx;
												if( *(__esp + 0x20) != 0) {
													goto L312;
												} else {
													L99:
													 *(__edi + 0x40) = 0;
													 *__edi = 7;
													goto L100;
												}
											}
										}
										goto L331;
									case 7:
										L100:
										if(( *(__edi + 0x10) & 0x00001000) == 0) {
											__eax =  *(__edi + 0x20);
											if(__eax != 0) {
												 *(__eax + 0x24) = 0;
											}
											goto L115;
										} else {
											if(__edx == 0) {
												goto L312;
											} else {
												__eax = 0;
												while(1) {
													__ecx = __ebp[__eax] & 0x000000ff;
													 *(__esp + 0x14) = __eax;
													__eax =  *(__edi + 0x20);
													 *(__esp + 0x20) = __ecx;
													if(__eax != 0) {
														__ecx =  *(__eax + 0x24);
														 *(__esp + 0x34) = __ecx;
														if(__ecx != 0) {
															__ecx =  *(__edi + 0x40);
															if(__ecx <  *((intOrPtr*)(__eax + 0x28))) {
																__edx =  *(__esp + 0x34);
																__al =  *(__esp + 0x20);
																 *( *(__esp + 0x34) + __ecx) = __al;
																 *(__edi + 0x40) =  *(__edi + 0x40) + 1;
																__edx =  *(__esp + 0x10);
															}
														}
													}
													if( *(__esp + 0x20) == 0) {
														break;
													}
													__eax =  *(__esp + 0x14);
													if(__eax < __edx) {
														continue;
													}
													break;
												}
												if(( *(__edi + 0x10) & 0x00000200) != 0) {
													__ecx =  *(__esp + 0x14);
													__edx =  *(__edi + 0x18);
													__eax = E00403080( *(__edi + 0x18), __ebp,  *(__esp + 0x14));
													__edx =  *(__esp + 0x1c);
													 *(__edi + 0x18) = __eax;
												}
												__eax =  *(__esp + 0x14);
												__edx = __edx - __eax;
												__ebp =  &(__ebp[__eax]);
												 *(__esp + 0x10) = __edx;
												if( *(__esp + 0x20) != 0) {
													goto L312;
												} else {
													L115:
													 *__edi = 8;
													goto L116;
												}
											}
										}
										goto L331;
									case 8:
										L116:
										if(( *(__edi + 0x10) & 0x00000200) == 0) {
											L123:
											__eax =  *(__edi + 0x20);
											if(__eax != 0) {
												 *(__edi + 0x10) =  *(__edi + 0x10) >> 9;
												__ecx =  *(__edi + 0x10) >> 0x00000009 & 0x00000001;
												 *(__eax + 0x2c) =  *(__edi + 0x10) >> 0x00000009 & 0x00000001;
												__edx =  *(__edi + 0x20);
												 *( *(__edi + 0x20) + 0x30) = 1;
											}
											__eax = E00403080(0, 0, 0);
											__ecx =  *(__esp + 0x4c);
											__edx =  *(__esp + 0x1c);
											 *(__edi + 0x18) = __eax;
											 *( *(__esp + 0x4c) + 0x30) = __eax;
											 *__edi = 0xb;
											goto L304;
										} else {
											if(__esi >= 0x10) {
												L120:
												__ecx =  *(__edi + 0x18) & 0x0000ffff;
												if(__ebx == ( *(__edi + 0x18) & 0x0000ffff)) {
													__ebx = 0;
													__esi = 0;
													goto L123;
												} else {
													__eax =  *(__esp + 0x40);
													 *(__eax + 0x18) = 0x41d338;
													goto L303;
												}
												goto L304;
											} else {
												while(__edx != 0) {
													__eax =  *__ebp & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebp & 0x000000ff) << __cl;
													__edx = __edx - 1;
													__esi = __esi + 8;
													__ebp =  &(__ebp[1]);
													__ebx = __ebx + __eax;
													 *(__esp + 0x10) = __edx;
													if(__esi < 0x10) {
														continue;
													} else {
														goto L120;
													}
													goto L331;
												}
												goto L312;
											}
										}
										goto L331;
									case 9:
										if(__esi >= 0x20) {
											L130:
											__ebx = __ebx & 0x0000ff00;
											__ebx = __ebx << 0x10;
											__ecx = (__ebx & 0x0000ff00) + (__ebx << 0x10);
											__ebx = __ebx >> 8;
											__ecx = (__ebx & 0x0000ff00) + (__ebx << 0x10) << 8;
											__eax = __ebx >> 0x00000008 & 0x0000ff00;
											__ecx = ((__ebx & 0x0000ff00) + (__ebx << 0x10) << 8) + (__ebx >> 0x00000008 & 0x0000ff00);
											__eax = __ecx + __ebx;
											__ecx =  *(__esp + 0x40);
											 *(__edi + 0x18) = __eax;
											 *( *(__esp + 0x40) + 0x30) = __eax;
											__ebx = 0;
											__esi = 0;
											 *__edi = 0xa;
											goto L131;
										} else {
											while(__edx != 0) {
												__eax =  *__ebp & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebp & 0x000000ff) << __cl;
												__edx = __edx - 1;
												__esi = __esi + 8;
												__ebp =  &(__ebp[1]);
												__ebx = __ebx + __eax;
												 *(__esp + 0x10) = __edx;
												if(__esi < 0x20) {
													continue;
												} else {
													goto L130;
												}
												goto L331;
											}
											goto L312;
										}
										goto L331;
									case 0xa:
										L131:
										if( *((intOrPtr*)(__edi + 0xc)) == 0) {
											__eax =  *(__esp + 0x40);
											__ecx =  *(__esp + 0x24);
											 *(__eax + 0xc) =  *(__esp + 0x24);
											__ecx =  *(__esp + 0x18);
											 *__eax = __ebp;
											 *(__eax + 0x10) =  *(__esp + 0x18);
											 *(__eax + 4) = __edx;
											 *(__edi + 0x3c) = __esi;
											_pop(__esi);
											_pop(__ebp);
											 *(__edi + 0x38) = __ebx;
											_pop(__ebx);
											__eax = 2;
											return 2;
										} else {
											_push(0);
											_push(0);
											_push(0);
											__eax = E004024A0();
											__edx =  *(__esp + 0x4c);
											 *(__edi + 0x18) = __eax;
											 *( *(__esp + 0x4c) + 0x30) = __eax;
											__edx =  *(__esp + 0x1c);
											__esp = __esp + 0xc;
											 *__edi = 0xb;
											goto L133;
										}
										goto L331;
									case 0xb:
										L133:
										if( *((intOrPtr*)(__esp + 0x44)) == 5) {
											goto L312;
										} else {
											goto L134;
										}
										goto L331;
									case 0xc:
										L134:
										if( *(__edi + 4) == 0) {
											if(__esi >= 3) {
												L140:
												__ecx = __ebx;
												__ebx = __ebx >> 1;
												__eax = __ebx;
												__ecx = __ecx & 0x00000001;
												__eax = __ebx & 0x00000003;
												__esi = __esi - 1;
												 *(__edi + 4) = __ecx;
												if(__eax > 3) {
													L146:
													__ebx = __ebx >> 2;
													__esi = __esi - 2;
												} else {
													switch( *((intOrPtr*)(__eax * 4 +  &M00408838))) {
														case 0:
															__ebx = __ebx >> 2;
															 *__edi = 0xd;
															__esi = __esi - 2;
															goto L304;
														case 1:
															__eax = __edi;
															__eax = E00407290(__edi);
															__ebx = __ebx >> 2;
															 *__edi = 0x12;
															__esi = __esi - 2;
															goto L304;
														case 2:
															__ebx = __ebx >> 2;
															 *__edi = 0xf;
															__esi = __esi - 2;
															goto L304;
														case 3:
															__eax =  *(__esp + 0x40);
															 *(__eax + 0x18) = 0x41d338;
															 *__edi = 0x1b;
															goto L146;
													}
												}
												goto L304;
											} else {
												while(__edx != 0) {
													__eax =  *__ebp & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebp & 0x000000ff) << __cl;
													__edx = __edx - 1;
													__esi = __esi + 8;
													__ebp =  &(__ebp[1]);
													__ebx = __ebx + __eax;
													 *(__esp + 0x10) = __edx;
													if(__esi < 3) {
														continue;
													} else {
														goto L140;
													}
													goto L331;
												}
												goto L312;
											}
										} else {
											__esi = __esi & 0x00000007;
											__ebx = __ebx >> __cl;
											__esi = __esi - (__esi & 0x00000007);
											 *__edi = 0x18;
											goto L304;
										}
										goto L331;
									case 0xd:
										__esi = __esi & 0x00000007;
										__esi = __esi - (__esi & 0x00000007);
										__ebx = __ebx >> __cl;
										if(__esi >= 0x20) {
											L150:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx =  !__ebx;
											__eax = __ebx & 0x0000ffff;
											__ecx =  !__ebx >> 0x10;
											if(__eax ==  !__ebx >> 0x10) {
												__ebx = 0;
												 *(__edi + 0x40) = __eax;
												__esi = 0;
												 *__edi = 0xe;
												goto L153;
											} else {
												__eax =  *(__esp + 0x40);
												 *(__eax + 0x18) = 0x41d338;
												goto L303;
											}
										} else {
											while(__edx != 0) {
												__eax =  *__ebp & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebp & 0x000000ff) << __cl;
												__edx = __edx - 1;
												__esi = __esi + 8;
												__ebp =  &(__ebp[1]);
												__ebx = __ebx + __eax;
												 *(__esp + 0x10) = __edx;
												if(__esi < 0x20) {
													continue;
												} else {
													goto L150;
												}
												goto L331;
											}
											goto L312;
										}
										goto L331;
									case 0xe:
										L153:
										__eax =  *(__edi + 0x40);
										 *(__esp + 0x14) = __eax;
										if(__eax == 0) {
											goto L233;
										} else {
											if(__eax > __edx) {
												__eax = __edx;
												 *(__esp + 0x14) = __edx;
											}
											__ecx =  *(__esp + 0x18);
											if(__eax > __ecx) {
												__eax = __ecx;
												 *(__esp + 0x14) = __eax;
											}
											if(__eax == 0) {
												goto L312;
											} else {
												__ecx =  *(__esp + 0x14);
												__edx =  *(__esp + 0x24);
												__eax = E0040B350(__ebx, __edi, __esi,  *(__esp + 0x24), __ebp,  *(__esp + 0x14));
												__eax =  *(__esp + 0x20);
												 *(__esp + 0x1c) =  *(__esp + 0x1c) - __eax;
												 *(__esp + 0x24) =  *(__esp + 0x24) - __eax;
												 *(__esp + 0x30) =  *(__esp + 0x30) + __eax;
												__edx =  *(__esp + 0x1c);
												__ebp =  &(__ebp[__eax]);
												 *(__edi + 0x40) =  *(__edi + 0x40) - __eax;
												goto L304;
											}
										}
										goto L331;
									case 0xf:
										if(__esi >= 0xe) {
											L163:
											__ecx = __ebx;
											__ecx = __ebx & 0x0000001f;
											__ebx = __ebx >> 5;
											__ecx = __ecx + 0x101;
											__eax = __ebx;
											 *(__edi + 0x60) = __ecx;
											__ebx = __ebx >> 5;
											__ecx = __ebx;
											__eax = __eax & 0x0000001f;
											__ecx = __ebx & 0x0000000f;
											__eax = __eax + 1;
											__ecx = (__ebx & 0x0000000f) + 4;
											__ebx = __ebx >> 4;
											__esi = __esi - 0xe;
											 *(__edi + 0x64) = __eax;
											 *(__edi + 0x5c) = __ecx;
											if( *(__edi + 0x60) > 0x11e || __eax > 0x1e) {
												goto L34;
											} else {
												 *(__edi + 0x68) = 0;
												 *__edi = 0x10;
												goto L166;
											}
										} else {
											while(__edx != 0) {
												__eax =  *__ebp & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebp & 0x000000ff) << __cl;
												__edx = __edx - 1;
												__esi = __esi + 8;
												__ebp =  &(__ebp[1]);
												__ebx = __ebx + __eax;
												 *(__esp + 0x10) = __edx;
												if(__esi < 0xe) {
													continue;
												} else {
													goto L163;
												}
												goto L331;
											}
											goto L312;
										}
										goto L331;
									case 0x10:
										L166:
										__ecx =  *(__edi + 0x68);
										if( *(__edi + 0x68) >=  *(__edi + 0x5c)) {
											L172:
											__eax = 0x13;
											while( *(__edi + 0x68) < 0x13) {
												__edx =  *(__edi + 0x68);
												__ecx =  *(0x41e468 +  *(__edi + 0x68) * 2) & 0x0000ffff;
												__edx = 0;
												 *((short*)(__edi + 0x70 + ( *(0x41e468 +  *(__edi + 0x68) * 2) & 0x0000ffff) * 2)) = __dx;
												 *(__edi + 0x68) =  *(__edi + 0x68) + 1;
											}
											__eax = __edi + 0x530;
											__ecx = __edi + 0x6c;
											 *(__edi + 0x6c) = __eax;
											 *(__edi + 0x4c) = __eax;
											__edx = __edi + 0x2f0;
											__eax = __edi + 0x54;
											 *(__edi + 0x54) = 7;
											__eax = __edi + 0x70;
											__eax = E00408C60(0, __edi + 0x70, 0x13, __edi + 0x6c, __edi + 0x70, __edi + 0x2f0);
											__edx =  *(__esp + 0x28);
											 *(__esp + 0x30) = __eax;
											if(__eax != 0) {
												goto L302;
											} else {
												 *(__edi + 0x68) = __eax;
												 *__edi = 0x11;
												goto L177;
											}
										} else {
											do {
												if(__esi >= 3) {
													goto L171;
												} else {
													while(__edx != 0) {
														__eax =  *__ebp & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebp & 0x000000ff) << __cl;
														__edx = __edx - 1;
														__esi = __esi + 8;
														__ebp =  &(__ebp[1]);
														__ebx = __ebx + __eax;
														 *(__esp + 0x10) = __edx;
														if(__esi < 3) {
															continue;
														} else {
															goto L171;
														}
														goto L331;
													}
													goto L312;
												}
												goto L331;
												L171:
												__eax =  *(__edi + 0x68);
												__eax =  *(0x41e468 +  *(__edi + 0x68) * 2) & 0x0000ffff;
												__ebx = __ebx & 0x00000007;
												 *((short*)(__edi + 0x70 + __eax * 2)) = __cx;
												 *(__edi + 0x68) =  *(__edi + 0x68) + 1;
												__ecx =  *(__edi + 0x68);
												__ebx = __ebx >> 3;
												__esi = __esi - 3;
											} while ( *(__edi + 0x68) <  *(__edi + 0x5c));
											goto L172;
										}
										goto L331;
									case 0x11:
										L177:
										__eax =  *(__edi + 0x64);
										__eax =  *(__edi + 0x64) +  *(__edi + 0x60);
										if( *(__edi + 0x68) >= __eax) {
											L210:
											if( *__edi == 0x1b) {
												goto L304;
											} else {
												__eax = __edi + 0x530;
												__ecx = __edi + 0x6c;
												 *(__edi + 0x6c) = __eax;
												__edx = __edi + 0x2f0;
												 *(__edi + 0x4c) = __eax;
												__eax = __edi + 0x54;
												__ecx =  *(__edi + 0x60);
												__edx = __edi + 0x70;
												 *(__edi + 0x54) = 9;
												__eax = E00408C60(1, __edi + 0x70,  *(__edi + 0x60),  *(__edi + 0x60), __edi + 0x54, __edi + 0x2f0);
												 *(__esp + 0x30) = __eax;
												if(__eax == 0) {
													__edx =  *(__edi + 0x6c);
													__ecx = __edi + 0x6c;
													 *(__edi + 0x50) =  *(__edi + 0x6c);
													__edx = __edi + 0x2f0;
													__eax = __edi + 0x58;
													__ecx =  *(__edi + 0x60);
													 *(__edi + 0x58) = 6;
													__eax =  *(__edi + 0x64);
													__edx = __edi + 0x70 +  *(__edi + 0x60) * 2;
													__eax = E00408C60(2, __edi + 0x70 +  *(__edi + 0x60) * 2,  *(__edi + 0x64), __edi + 0x6c,  *(__edi + 0x64), __edi + 0x2f0);
													__edx =  *(__esp + 0x28);
													 *(__esp + 0x30) = __eax;
													if(__eax == 0) {
														 *__edi = 0x12;
														goto L216;
													} else {
														__eax =  *(__esp + 0x40);
														 *(__eax + 0x18) = 0x41d338;
														goto L303;
													}
												} else {
													__eax =  *(__esp + 0x40);
													__edx =  *(__esp + 0x10);
													 *(__eax + 0x18) = 0x41d338;
													goto L303;
												}
											}
										} else {
											do {
												__ecx =  *(__edi + 0x54);
												1 = 1 << __cl;
												__ecx =  *(__edi + 0x4c);
												(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
												__eax =  *( *(__edi + 0x4c) + ((0x00000001 << __cl) - 0x00000001 & __ebx) * 4);
												1 = 1 >> 8;
												__ecx = __cl & 0x000000ff;
												 *(__esp + 0x14) = 1;
												if((__cl & 0x000000ff) <= __esi) {
													L181:
													__eax = __eax >> 0x10;
													if(__eax >> 0x10 >= 0x10) {
														__cx =  *((intOrPtr*)(__esp + 0x16));
														if(__cx != 0x10) {
															__ecx = __ah & 0x000000ff;
															 *(__esp + 0x2c) = __ecx;
															if(__cx != 0x11) {
																__eax = __ecx + 7;
																if(__esi >= __eax) {
																	L203:
																	__ebx = __ebx >> __cl;
																	__ebx = __ebx & 0x0000007f;
																	__eax = (__ebx & 0x0000007f) + 0xb;
																	 *(__esp + 0x14) = (__ebx & 0x0000007f) + 0xb;
																	__ebx = __ebx >> 7;
																	__eax = 0xfffffff9;
																	goto L204;
																} else {
																	while(__edx != 0) {
																		__eax =  *__ebp & 0x000000ff;
																		__ecx = __esi;
																		__eax = ( *__ebp & 0x000000ff) << __cl;
																		__ecx =  *(__esp + 0x2c);
																		__edx = __edx - 1;
																		__esi = __esi + 8;
																		__ebx = __ebx + (( *__ebp & 0x000000ff) << __cl);
																		__eax = __ecx + 7;
																		__ebp =  &(__ebp[1]);
																		 *(__esp + 0x10) = __edx;
																		if(__esi < __eax) {
																			continue;
																		} else {
																			goto L203;
																		}
																		goto L331;
																	}
																	goto L312;
																}
															} else {
																__eax = __ecx + 3;
																if(__esi >= __eax) {
																	L199:
																	__ebx = __ebx >> __cl;
																	__ebx = __ebx & 0x00000007;
																	__eax = (__ebx & 0x00000007) + 3;
																	 *(__esp + 0x14) = (__ebx & 0x00000007) + 3;
																	__ebx = __ebx >> 3;
																	__eax = 0xfffffffd;
																	L204:
																	__esi = __esi + __eax;
																	__eax =  *(__esp + 0x14);
																	 *(__esp + 0x20) = 0;
																	goto L205;
																} else {
																	while(__edx != 0) {
																		__eax =  *__ebp & 0x000000ff;
																		__ecx = __esi;
																		__eax = ( *__ebp & 0x000000ff) << __cl;
																		__ecx =  *(__esp + 0x2c);
																		__edx = __edx - 1;
																		__esi = __esi + 8;
																		__ebx = __ebx + (( *__ebp & 0x000000ff) << __cl);
																		__eax = __ecx + 3;
																		__ebp =  &(__ebp[1]);
																		 *(__esp + 0x10) = __edx;
																		if(__esi < __eax) {
																			continue;
																		} else {
																			goto L199;
																		}
																		goto L331;
																	}
																	goto L312;
																}
															}
														} else {
															__ecx = __ah & 0x000000ff;
															__eax = __ecx + 2;
															 *(__esp + 0x2c) = __ecx;
															if(__esi >= __eax) {
																L192:
																__eax =  *(__edi + 0x68);
																__ebx = __ebx >> __cl;
																__esi = __esi - __ecx;
																if(__eax == 0) {
																	goto L302;
																} else {
																	__ecx =  *(__edi + 0x6e + __eax * 2) & 0x0000ffff;
																	__ebx = __ebx & 0x00000003;
																	__eax = (__ebx & 0x00000003) + 3;
																	__ebx = __ebx >> 2;
																	 *(__esp + 0x20) = __ecx;
																	 *(__esp + 0x14) = __eax;
																	__esi = __esi - 2;
																	L205:
																	__ecx =  *(__edi + 0x68);
																	__ecx =  *(__edi + 0x68) + __eax;
																	 *(__edi + 0x64) =  *(__edi + 0x64) +  *(__edi + 0x60);
																	if(__ecx >  *(__edi + 0x64) +  *(__edi + 0x60)) {
																		L34:
																		__eax =  *(__esp + 0x40);
																		 *(__eax + 0x18) = 0x41d338;
																		goto L303;
																	} else {
																		if( *(__esp + 0x14) != 0) {
																			__eax =  *(__esp + 0x20);
																			do {
																				__ecx =  *(__edi + 0x68);
																				 *(__esp + 0x14) =  *(__esp + 0x14) - 1;
																				 *((short*)(__edi + 0x70 +  *(__edi + 0x68) * 2)) = __ax;
																				 *(__edi + 0x68) =  *(__edi + 0x68) + 1;
																			} while ( *(__esp + 0x14) != 0);
																		}
																		goto L209;
																	}
																}
															} else {
																while(__edx != 0) {
																	__eax =  *__ebp & 0x000000ff;
																	__ecx = __esi;
																	__eax = ( *__ebp & 0x000000ff) << __cl;
																	__ecx =  *(__esp + 0x2c);
																	__edx = __edx - 1;
																	__esi = __esi + 8;
																	__ebx = __ebx + (( *__ebp & 0x000000ff) << __cl);
																	__eax = __ecx + 2;
																	__ebp =  &(__ebp[1]);
																	 *(__esp + 0x10) = __edx;
																	if(__esi < __eax) {
																		continue;
																	} else {
																		goto L192;
																	}
																	goto L331;
																}
																goto L312;
															}
														}
													} else {
														__eax = __eax >> 8;
														__ecx = __cl & 0x000000ff;
														if(__esi >= (__cl & 0x000000ff)) {
															L186:
															__ecx = __ah & 0x000000ff;
															__eax =  *(__edi + 0x68);
															__ebx = __ebx >> __cl;
															__esi = __esi - (__ah & 0x000000ff);
															__cx =  *((intOrPtr*)(__esp + 0x16));
															 *((short*)(__edi + 0x70 +  *(__edi + 0x68) * 2)) = __cx;
															 *(__edi + 0x68) =  *(__edi + 0x68) + 1;
															goto L209;
														} else {
															while(__edx != 0) {
																__eax =  *__ebp & 0x000000ff;
																__ecx = __esi;
																__eax = ( *__ebp & 0x000000ff) << __cl;
																__edx = __edx - 1;
																__esi = __esi + 8;
																__ebp =  &(__ebp[1]);
																__ebx = __ebx + __eax;
																__eax =  *(__esp + 0x14);
																__ecx = __ah & 0x000000ff;
																 *(__esp + 0x10) = __edx;
																if(__esi < (__ah & 0x000000ff)) {
																	continue;
																} else {
																	goto L186;
																}
																goto L331;
															}
															goto L312;
														}
													}
												} else {
													while(__edx != 0) {
														__eax =  *__ebp & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebp & 0x000000ff) << __cl;
														__ecx =  *(__edi + 0x54);
														__edx = __edx - 1;
														__esi = __esi + 8;
														__ebx = __ebx + (( *__ebp & 0x000000ff) << __cl);
														1 = 1 << __cl;
														__ecx =  *(__edi + 0x4c);
														__ebp =  &(__ebp[1]);
														 *(__esp + 0x10) = __edx;
														(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
														__eax =  *( *(__edi + 0x4c) + ((0x00000001 << __cl) - 0x00000001 & __ebx) * 4);
														1 = 1 >> 8;
														__ecx = __cl & 0x000000ff;
														 *(__esp + 0x14) = 1;
														if((__cl & 0x000000ff) > __esi) {
															continue;
														} else {
															goto L181;
														}
														goto L331;
													}
													goto L312;
												}
												goto L331;
												L209:
												__eax =  *(__edi + 0x64);
												__eax =  *(__edi + 0x64) +  *(__edi + 0x60);
											} while ( *(__edi + 0x68) < __eax);
											goto L210;
										}
										goto L331;
									case 0x12:
										L216:
										if(__edx < 6 ||  *(__esp + 0x18) < 0x102) {
											__ecx =  *(__edi + 0x54);
											1 = 1 << __cl;
											(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
											__ecx = (0x00000001 << __cl) - 0x00000001 & __ebx;
											__eax =  *(__edi + 0x4c);
											__eax =  *( *(__edi + 0x4c) + ((0x00000001 << __cl) - 0x00000001 & __ebx) * 4);
											__eax = __eax >> 8;
											__ecx = __cl & 0x000000ff;
											 *(__esp + 0x14) = __eax;
											if((__cl & 0x000000ff) <= __esi) {
												L223:
												if(__al == 0 || (__al & 0x000000f0) != 0) {
													L230:
													__eax = __eax >> 8;
													__ecx = __cl & 0x000000ff;
													__ebx = __ebx >> __cl;
													__esi = __esi - __ecx;
													 *(__esp + 0x20) = __ecx;
													__eax = __eax >> 0x10;
													 *(__edi + 0x40) = __eax >> 0x10;
													if(__al != 0) {
														if((__al & 0x00000020) == 0) {
															if((__al & 0x00000040) == 0) {
																__al & 0x000000ff = __al & 0xf;
																 *(__edi + 0x48) = __al & 0xf;
																 *__edi = 0x13;
																goto L237;
															} else {
																__eax =  *(__esp + 0x40);
																 *(__eax + 0x18) = 0x41d338;
																goto L303;
															}
														} else {
															L233:
															 *__edi = 0xb;
															goto L304;
														}
													} else {
														 *__edi = 0x17;
														goto L304;
													}
												} else {
													__eax = __eax >> 8;
													 *(__esp + 0x34) = __eax >> 8;
													__ecx = __cl & 0x000000ff;
													 *(__esp + 0x20) = __cl & 0x000000ff;
													__al & 0x000000ff = (__al & 0x000000ff) +  *(__esp + 0x20);
													 *(__esp + 0x2c) = __eax;
													1 = 1 << __cl;
													__ecx =  *(__esp + 0x20);
													(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
													__eax = ((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl;
													 *(__esp + 0x14) =  *(__esp + 0x14) >> 0x10;
													__eax = (((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x14) >> 0x10);
													__ecx = (((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x14) >> 0x10);
													__eax =  *(__edi + 0x4c);
													__eax =  *( *(__edi + 0x4c) + ((((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x14) >> 0x10)) * 4);
													__ecx =  *(__esp + 0x34) & 0x000000ff;
													 *(__esp + 0x14) = __eax;
													__eax = __al & 0x000000ff;
													__eax = (__al & 0x000000ff) + ( *(__esp + 0x34) & 0x000000ff);
													if(__eax <= __esi) {
														L229:
														__ecx =  *(__esp + 0x2d) & 0x000000ff;
														__eax =  *(__esp + 0x14);
														__ebx = __ebx >> __cl;
														__esi = __esi - ( *(__esp + 0x2d) & 0x000000ff);
														goto L230;
													} else {
														while(__edx != 0) {
															__eax =  *__ebp & 0x000000ff;
															__ecx = __esi;
															__eax = ( *__ebp & 0x000000ff) << __cl;
															__ecx =  *(__esp + 0x2c);
															__edx = __edx - 1;
															__esi = __esi + 8;
															__ebx = __ebx + (( *__ebp & 0x000000ff) << __cl);
															__eax = __ch & 0x000000ff;
															 *(__esp + 0x20) = __eax;
															__cl & 0x000000ff = (__cl & 0x000000ff) + __eax;
															1 = 1 << __cl;
															__ecx =  *(__esp + 0x20);
															__ebp =  &(__ebp[1]);
															 *(__esp + 0x10) = __edx;
															(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
															__eax = ((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl;
															__ecx =  *(__esp + 0x2e) & 0x0000ffff;
															__eax = (((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x2e) & 0x0000ffff);
															__ecx =  *(__edi + 0x4c);
															__eax =  *( *(__edi + 0x4c) + ((((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x2e) & 0x0000ffff)) * 4);
															 *(__esp + 0x14) = 1;
															 *( *(__edi + 0x4c) + ((((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x2e) & 0x0000ffff)) * 4) >> 8 = __al & 0x000000ff;
															__eax = (__al & 0x000000ff) +  *(__esp + 0x20);
															if(__eax > __esi) {
																continue;
															} else {
																goto L229;
															}
															goto L331;
														}
														goto L312;
													}
												}
											} else {
												while(__edx != 0) {
													__eax =  *__ebp & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebp & 0x000000ff) << __cl;
													__ecx =  *(__edi + 0x54);
													__edx = __edx - 1;
													__esi = __esi + 8;
													__ebx = __ebx + (( *__ebp & 0x000000ff) << __cl);
													1 = 1 << __cl;
													__ecx =  *(__edi + 0x4c);
													__ebp =  &(__ebp[1]);
													 *(__esp + 0x10) = __edx;
													(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
													__eax =  *( *(__edi + 0x4c) + ((0x00000001 << __cl) - 0x00000001 & __ebx) * 4);
													1 = 1 >> 8;
													__ecx = __cl & 0x000000ff;
													 *(__esp + 0x14) = 1;
													if((__cl & 0x000000ff) > __esi) {
														continue;
													} else {
														goto L223;
													}
													goto L331;
												}
												goto L312;
											}
										} else {
											__eax =  *(__esp + 0x40);
											__edx =  *(__esp + 0x18);
											__ecx =  *(__esp + 0x24);
											 *(__eax + 0x10) =  *(__esp + 0x18);
											__edx =  *(__esp + 0x28);
											 *(__eax + 0xc) =  *(__esp + 0x24);
											__ecx =  *(__esp + 0x10);
											_push( *(__esp + 0x28));
											 *__eax = __ebp;
											 *(__eax + 4) = __ecx;
											_push(__eax);
											 *(__edi + 0x38) = __ebx;
											 *(__edi + 0x3c) = __esi;
											__eax = E00406CA0();
											__eax =  *(__esp + 0x48);
											__edx =  *(__eax + 0x10);
											__ecx =  *(__eax + 0xc);
											__ebp =  *__eax;
											__eax =  *(__eax + 4);
											__ebx =  *(__edi + 0x38);
											__esi =  *(__edi + 0x3c);
											 *(__esp + 0x20) = __edx;
											__esp = __esp + 8;
											 *(__esp + 0x24) = __ecx;
											 *(__esp + 0x10) = __eax;
											__edx = __eax;
											goto L304;
										}
										goto L331;
									case 0x13:
										L237:
										__eax =  *(__edi + 0x48);
										if(__eax == 0) {
											L243:
											 *__edi = 0x14;
											goto L244;
										} else {
											if(__esi >= __eax) {
												L242:
												__ecx =  *(__edi + 0x48);
												1 = 1 << __cl;
												(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
												 *(__edi + 0x40) =  *(__edi + 0x40) + ((0x00000001 << __cl) - 0x00000001 & __ebx);
												__ebx = __ebx >> __cl;
												__esi = __esi -  *(__edi + 0x48);
												goto L243;
											} else {
												while(__edx != 0) {
													__eax =  *__ebp & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebp & 0x000000ff) << __cl;
													__edx = __edx - 1;
													__esi = __esi + 8;
													__ebp =  &(__ebp[1]);
													__ebx = __ebx + __eax;
													 *(__esp + 0x10) = __edx;
													if(__esi <  *(__edi + 0x48)) {
														continue;
													} else {
														goto L242;
													}
													goto L331;
												}
												goto L312;
											}
										}
										goto L331;
									case 0x14:
										L244:
										__ecx =  *(__edi + 0x58);
										1 = 1 << __cl;
										(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
										__ecx = (0x00000001 << __cl) - 0x00000001 & __ebx;
										__eax =  *(__edi + 0x50);
										__eax =  *( *(__edi + 0x50) + ((0x00000001 << __cl) - 0x00000001 & __ebx) * 4);
										__eax = __eax >> 8;
										__ecx = __cl & 0x000000ff;
										 *(__esp + 0x14) = __eax;
										if((__cl & 0x000000ff) <= __esi) {
											L248:
											if((__al & 0x000000f0) != 0) {
												L253:
												__eax = __eax >> 8;
												__ecx = __cl & 0x000000ff;
												__ebx = __ebx >> __cl;
												__esi = __esi - __ecx;
												 *(__esp + 0x20) = __ecx;
												if((__al & 0x00000040) == 0) {
													__ecx = __eax;
													__eax = __al & 0x000000ff;
													__ecx = __ecx >> 0x10;
													__eax = __al & 0xf;
													 *(__edi + 0x44) = __ecx;
													 *(__edi + 0x48) = __al & 0xf;
													 *__edi = 0x15;
													goto L256;
												} else {
													__eax =  *(__esp + 0x40);
													 *(__eax + 0x18) = 0x41d338;
													goto L303;
												}
											} else {
												__eax = __eax >> 8;
												 *(__esp + 0x34) = __eax >> 8;
												__ecx = __cl & 0x000000ff;
												 *(__esp + 0x20) = __cl & 0x000000ff;
												__al & 0x000000ff = (__al & 0x000000ff) +  *(__esp + 0x20);
												 *(__esp + 0x2c) = __eax;
												1 = 1 << __cl;
												__ecx =  *(__esp + 0x20);
												(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
												__eax = ((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl;
												 *(__esp + 0x14) =  *(__esp + 0x14) >> 0x10;
												__eax = (((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x14) >> 0x10);
												__ecx = (((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x14) >> 0x10);
												__eax =  *(__edi + 0x50);
												__eax =  *( *(__edi + 0x50) + ((((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x14) >> 0x10)) * 4);
												__ecx =  *(__esp + 0x34) & 0x000000ff;
												 *(__esp + 0x14) = __eax;
												__eax = __al & 0x000000ff;
												__eax = (__al & 0x000000ff) + ( *(__esp + 0x34) & 0x000000ff);
												if(__eax <= __esi) {
													L252:
													__ecx =  *(__esp + 0x2d) & 0x000000ff;
													__eax =  *(__esp + 0x14);
													__ebx = __ebx >> __cl;
													__esi = __esi - ( *(__esp + 0x2d) & 0x000000ff);
													goto L253;
												} else {
													while(__edx != 0) {
														__eax =  *__ebp & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebp & 0x000000ff) << __cl;
														__ecx =  *(__esp + 0x2c);
														__edx = __edx - 1;
														__esi = __esi + 8;
														__ebx = __ebx + (( *__ebp & 0x000000ff) << __cl);
														__eax = __ch & 0x000000ff;
														 *(__esp + 0x20) = __eax;
														__cl & 0x000000ff = (__cl & 0x000000ff) + __eax;
														1 = 1 << __cl;
														__ecx =  *(__esp + 0x20);
														__ebp =  &(__ebp[1]);
														 *(__esp + 0x10) = __edx;
														(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
														__eax = ((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl;
														__ecx =  *(__esp + 0x2e) & 0x0000ffff;
														__eax = (((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x2e) & 0x0000ffff);
														__ecx =  *(__edi + 0x50);
														__eax =  *( *(__edi + 0x50) + ((((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x2e) & 0x0000ffff)) * 4);
														 *(__esp + 0x14) = 1;
														 *( *(__edi + 0x50) + ((((0x00000001 << __cl) - 0x00000001 & __ebx) >> __cl) + ( *(__esp + 0x2e) & 0x0000ffff)) * 4) >> 8 = __al & 0x000000ff;
														__eax = (__al & 0x000000ff) +  *(__esp + 0x20);
														if(__eax > __esi) {
															continue;
														} else {
															goto L252;
														}
														goto L331;
													}
													goto L312;
												}
											}
										} else {
											while(__edx != 0) {
												__eax =  *__ebp & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebp & 0x000000ff) << __cl;
												__ecx =  *(__edi + 0x58);
												__edx = __edx - 1;
												__esi = __esi + 8;
												__ebx = __ebx + (( *__ebp & 0x000000ff) << __cl);
												1 = 1 << __cl;
												__ecx =  *(__edi + 0x50);
												__ebp =  &(__ebp[1]);
												 *(__esp + 0x10) = __edx;
												(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __ebx;
												__eax =  *( *(__edi + 0x50) + ((0x00000001 << __cl) - 0x00000001 & __ebx) * 4);
												1 = 1 >> 8;
												__ecx = __cl & 0x000000ff;
												 *(__esp + 0x14) = 1;
												if((__cl & 0x000000ff) > __esi) {
													continue;
												} else {
													goto L248;
												}
												goto L331;
											}
											goto L312;
										}
										goto L331;
									case 0x15:
										L256:
										__eax =  *(__edi + 0x48);
										if(__eax == 0) {
											L261:
											 *((intOrPtr*)(__edi + 0x2c)) =  *((intOrPtr*)(__edi + 0x2c)) -  *(__esp + 0x18);
											__ecx =  *((intOrPtr*)(__edi + 0x2c)) -  *(__esp + 0x18) +  *(__esp + 0x28);
											if( *(__edi + 0x44) <=  *((intOrPtr*)(__edi + 0x2c)) -  *(__esp + 0x18) +  *(__esp + 0x28)) {
												 *__edi = 0x16;
												goto L264;
											} else {
												__eax =  *(__esp + 0x40);
												 *(__eax + 0x18) = 0x41d338;
												goto L303;
											}
										} else {
											if(__esi >= __eax) {
												L260:
												__ecx =  *(__edi + 0x48);
												1 = 1 << __cl;
												__eax = (1 << __cl) - 1;
												__eax = (0x00000001 << __cl) - 0x00000001 & __ebx;
												 *(__edi + 0x44) =  *(__edi + 0x44) + __eax;
												__ebx = __ebx >> __cl;
												__esi = __esi -  *(__edi + 0x48);
												goto L261;
											} else {
												while(__edx != 0) {
													__eax =  *__ebp & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebp & 0x000000ff) << __cl;
													__edx = __edx - 1;
													__esi = __esi + 8;
													__ebp =  &(__ebp[1]);
													__ebx = __ebx + __eax;
													 *(__esp + 0x10) = __edx;
													if(__esi <  *(__edi + 0x48)) {
														continue;
													} else {
														goto L260;
													}
													goto L331;
												}
												goto L312;
											}
										}
										goto L331;
									case 0x16:
										L264:
										if( *(__esp + 0x18) == 0) {
											goto L312;
										} else {
											__ecx =  *(__esp + 0x28);
											__ecx =  *(__esp + 0x28) -  *(__esp + 0x18);
											__eax =  *(__edi + 0x44);
											if(__eax <= __ecx) {
												__ecx =  *(__esp + 0x24);
												__ecx =  *(__esp + 0x24) - __eax;
												__eax =  *(__edi + 0x40);
												 *(__esp + 0x2c) = __ecx;
												 *(__esp + 0x34) = __eax;
												goto L272;
											} else {
												__eax = __eax - __ecx;
												__ecx =  *(__edi + 0x30);
												 *(__esp + 0x14) = __eax;
												if(__eax <= __ecx) {
													 *((intOrPtr*)(__edi + 0x34)) =  *((intOrPtr*)(__edi + 0x34)) - __eax;
													__ecx =  *((intOrPtr*)(__edi + 0x34)) - __eax +  *(__edi + 0x30);
													__eax =  *(__esp + 0x14);
												} else {
													__eax = __eax - __ecx;
													 *((intOrPtr*)(__edi + 0x34)) =  *((intOrPtr*)(__edi + 0x34)) +  *((intOrPtr*)(__edi + 0x28));
													 *(__esp + 0x14) = __eax;
													__ecx =  *((intOrPtr*)(__edi + 0x34)) +  *((intOrPtr*)(__edi + 0x28)) - __eax;
												}
												 *(__esp + 0x2c) = __ecx;
												__ecx =  *(__edi + 0x40);
												 *(__esp + 0x34) = __ecx;
												if(__eax > __ecx) {
													__eax = __ecx;
													L272:
													 *(__esp + 0x14) = __eax;
												}
											}
											__ecx =  *(__esp + 0x18);
											if(__eax > __ecx) {
												__eax = __ecx;
												 *(__esp + 0x14) = __eax;
											}
											 *(__esp + 0x18) = __ecx;
											__ecx =  *(__esp + 0x34);
											__ecx =  *(__esp + 0x34) - __eax;
											__eax =  *(__esp + 0x24);
											 *(__edi + 0x40) = __ecx;
											do {
												__ecx =  *(__esp + 0x2c);
												__cl =  *( *(__esp + 0x2c));
												 *(__esp + 0x2c) =  *(__esp + 0x2c) + 1;
												 *__eax = __cl;
												__eax = __eax + 1;
												_t549 = __esp + 0x14;
												 *_t549 =  *(__esp + 0x14) - 1;
											} while ( *_t549 != 0);
											 *(__esp + 0x24) = __eax;
											if( *(__edi + 0x40) == 0) {
												 *__edi = 0x12;
											}
											goto L304;
										}
										goto L331;
									case 0x17:
										if( *(__esp + 0x18) == 0) {
											goto L312;
										} else {
											__eax =  *(__esp + 0x24);
											__cl =  *(__edi + 0x40);
											 *__eax = __cl;
											__eax = __eax + 1;
											 *(__esp + 0x18) =  *(__esp + 0x18) - 1;
											 *(__esp + 0x24) = __eax;
											 *__edi = 0x12;
											goto L304;
										}
										goto L331;
									case 0x18:
										if( *((intOrPtr*)(__edi + 8)) == 0) {
											L295:
											 *__edi = 0x19;
											goto L296;
										} else {
											if(__esi >= 0x20) {
												L285:
												__eax =  *(__esp + 0x28);
												__eax =  *(__esp + 0x28) -  *(__esp + 0x18);
												__ecx =  *(__esp + 0x40);
												 *((intOrPtr*)( *(__esp + 0x40) + 0x14)) =  *((intOrPtr*)( *(__esp + 0x40) + 0x14)) + __eax;
												 *((intOrPtr*)(__edi + 0x1c)) =  *((intOrPtr*)(__edi + 0x1c)) + __eax;
												 *(__esp + 0x28) = __eax;
												if(__eax != 0) {
													__ecx =  *(__esp + 0x24);
													__edx =  *(__edi + 0x18);
													_push(__eax);
													_push(__ecx);
													_push( *(__edi + 0x18));
													if( *(__edi + 0x10) == 0) {
														__eax = E004024A0();
													} else {
														__eax = E00403080();
													}
													__ecx =  *(__esp + 0x4c);
													__edx =  *(__esp + 0x1c);
													 *(__edi + 0x18) = __eax;
													__esp = __esp + 0xc;
													 *(__ecx + 0x30) = __eax;
												}
												__eax =  *(__esp + 0x18);
												 *(__esp + 0x28) =  *(__esp + 0x18);
												__eax = __ebx;
												if( *(__edi + 0x10) == 0) {
													__eax = __eax & 0x0000ff00;
													__ebx = __ebx << 0x10;
													__eax = __eax + (__ebx << 0x10);
													__ebx = __ebx >> 8;
													__ecx = __ebx >> 0x00000008 & 0x0000ff00;
													__eax = __eax << 8;
													__eax = __eax + (__ebx >> 0x00000008 & 0x0000ff00);
													__ebx = __ebx >> 0x18;
													__eax = __eax + (__ebx >> 0x18);
												}
												if(__eax ==  *(__edi + 0x18)) {
													__ebx = 0;
													__esi = 0;
													goto L295;
												} else {
													__eax =  *(__esp + 0x40);
													 *(__eax + 0x18) = 0x41d338;
													goto L303;
												}
											} else {
												while(__edx != 0) {
													__eax =  *__ebp & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebp & 0x000000ff) << __cl;
													__edx = __edx - 1;
													__esi = __esi + 8;
													__ebp =  &(__ebp[1]);
													__ebx = __ebx + __eax;
													 *(__esp + 0x10) = __edx;
													if(__esi < 0x20) {
														continue;
													} else {
														goto L285;
													}
													goto L331;
												}
												goto L312;
											}
										}
										goto L331;
									case 0x19:
										L296:
										if( *((intOrPtr*)(__edi + 8)) == 0 ||  *(__edi + 0x10) == 0) {
											L309:
											 *__edi = 0x1a;
											goto L310;
										} else {
											if(__esi >= 0x20) {
												L301:
												if(__ebx ==  *((intOrPtr*)(__edi + 0x1c))) {
													__ebx = 0;
													__esi = 0;
													goto L309;
												} else {
													L302:
													( *(_t730 + 0x40))[6] = 0x41d338;
													L303:
													 *_t714 = 0x1b;
													goto L304;
												}
											} else {
												while(__edx != 0) {
													__eax =  *__ebp & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebp & 0x000000ff) << __cl;
													__edx = __edx - 1;
													__esi = __esi + 8;
													__ebp =  &(__ebp[1]);
													__ebx = __ebx + __eax;
													 *(__esp + 0x10) = __edx;
													if(__esi < 0x20) {
														continue;
													} else {
														goto L301;
													}
													goto L331;
												}
												goto L312;
											}
										}
										goto L331;
									case 0x1a:
										L310:
										 *(__esp + 0x30) = 1;
										goto L312;
									case 0x1b:
										 *(__esp + 0x30) = 0xfffffffd;
										L312:
										_t651 =  *(_t730 + 0x40);
										_t651[3] =  *(_t730 + 0x24);
										_t651[4] =  *(_t730 + 0x18);
										 *_t651 = _t723;
										_t651[1] = _t705;
										_t714[0xe] = _t667;
										_t714[0xf] = _t716;
										if(_t714[0xa] != 0 ||  *_t714 < 0x18 &&  *(_t730 + 0x28) != _t651[4]) {
											if(E004072B0( *(_t730 + 0x28),  *(_t730 + 0x40)) == 0) {
												goto L318;
											} else {
												 *_t714 = 0x1c;
												goto L317;
											}
										} else {
											L318:
											_t718 =  *(_t730 + 0x40);
											_t726 =  *(_t730 + 0x38) - _t718[1];
											_t675 =  *(_t730 + 0x28) - _t718[4];
											_t718[2] =  &(_t718[2][_t726]);
											_t718[5] =  &(_t718[5][_t675]);
											_t714[7] = _t714[7] + _t675;
											if(_t714[2] != 0 && _t675 != 0) {
												_push(_t675);
												if(_t714[4] == 0) {
													_push(_t718[3] - _t675);
													_push(_t714[6]);
													_t662 = E004024A0();
												} else {
													_push(_t718[3] - _t675);
													_push(_t714[6]);
													_t662 = E00403080();
												}
												_t714[6] = _t662;
												_t730 = _t730 + 0xc;
												_t718[0xc] = _t662;
											}
											asm("sbb edx, edx");
											_t718[0xb] = ( ~(_t714[1]) & 0x00000040) + ((0 |  *_t714 != 0x0000000b) - 0x00000001 & 0x00000080) + _t714[0xf];
											if(_t726 != 0 || _t675 != 0) {
												if( *((intOrPtr*)(_t730 + 0x44)) != 4) {
													return  *(_t730 + 0x30);
												} else {
													goto L327;
												}
											} else {
												L327:
												_t641 =  *(_t730 + 0x30);
												if(_t641 != 0) {
													L306:
													return _t641;
												} else {
													return 0xfffffffb;
												}
											}
										}
										goto L331;
									case 0x1c:
										L317:
										return 0xfffffffc;
										goto L331;
								}
								L304:
								_t640 =  *_t714;
							} while (_t640 <= 0x1c);
							goto L305;
						}
					}
				}
				L331:
			}

0x004073a0
0x004073aa
0x004087b7
0x004087c0
0x004073b0
0x004073b0
0x004073b5
0x00000000
0x004073d4
0x004073d7
0x004073d9
0x004073d9
0x004073e2
0x004073e6
0x004073ea
0x004073ec
0x004073f0
0x004073f3
0x004073f6
0x004073f9
0x004073fd
0x00407401
0x00407405
0x00407409
0x00407414
0x00408666
0x00408666
0x00000000
0x00407420
0x00407420
0x00407420
0x00000000
0x0040742b
0x0040743b
0x00407460
0x00407464
0x004074af
0x004074b2
0x004074bb
0x004074bd
0x004074bd
0x004074c8
0x00407562
0x00000000
0x004074e8
0x004074f0
0x00407506
0x0040750e
0x00407511
0x00407517
0x00407529
0x0040752b
0x0040752d
0x0040752f
0x00407532
0x0040753b
0x0040754a
0x0040754d
0x00407550
0x00407552
0x00407555
0x00407557
0x00407519
0x00407519
0x00000000
0x00407519
0x004074f2
0x004074f6
0x004074fa
0x00000000
0x004074fa
0x004074f0
0x0040746e
0x00407479
0x00407482
0x00407487
0x00407491
0x00407496
0x0040749a
0x0040749d
0x0040749f
0x004074a2
0x004074a4
0x004074a4
0x00000000
0x00407440
0x00407440
0x0040744e
0x00407450
0x00407451
0x00407454
0x00407455
0x00407457
0x0040745e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040745e
0x00000000
0x00407440
0x0040742d
0x0040742d
0x00000000
0x0040742d
0x00000000
0x00000000
0x00407575
0x00407597
0x00407597
0x0040759d
0x00000000
0x004075a3
0x004075a9
0x004075bb
0x004075c0
0x004075c4
0x004075c7
0x004075ca
0x004075ca
0x004075d3
0x004075d5
0x004075d9
0x004075de
0x004075e2
0x004075e6
0x004075eb
0x004075f0
0x004075f7
0x004075f7
0x004075fa
0x004075fc
0x004075fe
0x00000000
0x00000000
0x00000000
0x00000000
0x004075a9
0x00407577
0x00407577
0x0040757f
0x00407583
0x00407585
0x00407587
0x00407588
0x0040758b
0x0040758c
0x0040758e
0x00407595
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407595
0x00000000
0x00407577
0x00000000
0x00000000
0x00407609
0x00407630
0x00407630
0x00407635
0x00407637
0x00407637
0x00407641
0x00407643
0x00407647
0x00407649
0x0040764b
0x0040764e
0x00407651
0x00407656
0x0040765a
0x0040765e
0x00407662
0x00407666
0x0040766b
0x00407670
0x00407677
0x00407677
0x0040767a
0x0040767c
0x0040767e
0x00000000
0x0040760b
0x00000000
0x00407610
0x00407618
0x0040761c
0x0040761e
0x00407620
0x00407621
0x00407624
0x00407625
0x00407627
0x0040762e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040762e
0x00000000
0x00407610
0x00000000
0x00000000
0x00407689
0x004076b0
0x004076b0
0x004076b5
0x004076b9
0x004076bf
0x004076c2
0x004076c5
0x004076c7
0x004076ca
0x004076ca
0x004076d4
0x004076d6
0x004076da
0x004076df
0x004076e3
0x004076e7
0x004076ec
0x004076f1
0x004076f8
0x004076f8
0x004076fb
0x004076fd
0x004076ff
0x00000000
0x0040768b
0x00000000
0x00407690
0x00407698
0x0040769c
0x0040769e
0x004076a0
0x004076a1
0x004076a4
0x004076a5
0x004076a7
0x004076ae
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004076ae
0x00000000
0x00407690
0x00000000
0x00000000
0x00407705
0x0040770c
0x00407774
0x00407779
0x0040777b
0x0040777b
0x00000000
0x0040770e
0x00407711
0x00407733
0x00407733
0x00407736
0x0040773b
0x0040773d
0x0040773d
0x00407747
0x00407749
0x0040774d
0x00407752
0x00407756
0x0040775a
0x0040775f
0x00407764
0x0040776b
0x0040776b
0x0040776e
0x00407770
0x00407782
0x00407782
0x00000000
0x00407713
0x00407713
0x0040771b
0x0040771f
0x00407721
0x00407723
0x00407724
0x00407727
0x00407728
0x0040772a
0x00407731
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407731
0x00000000
0x00407713
0x00407711
0x00000000
0x00000000
0x00407788
0x0040778f
0x00407833
0x00407833
0x0040783a
0x00000000
0x00407795
0x00407795
0x00407798
0x0040779e
0x004077a0
0x004077a2
0x004077a2
0x004077a8
0x004077aa
0x004077af
0x004077b1
0x004077b4
0x004077ba
0x004077bf
0x004077c2
0x004077c5
0x004077c8
0x004077cb
0x004077d3
0x004077d9
0x004077d9
0x004077db
0x004077e0
0x004077e4
0x004077e8
0x004077ed
0x004077f1
0x004077f5
0x004077ba
0x004077ff
0x00407801
0x00407805
0x0040780b
0x00407810
0x00407814
0x00407817
0x0040781b
0x0040781e
0x00407820
0x00407822
0x00407825
0x00407825
0x0040782d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040782d
0x00000000
0x00000000
0x00407840
0x00407847
0x004078da
0x004078df
0x004078e1
0x004078e1
0x00000000
0x0040784d
0x0040784f
0x00000000
0x00407855
0x00407855
0x00407857
0x00407857
0x0040785c
0x00407860
0x00407863
0x00407869
0x0040786b
0x0040786e
0x00407874
0x00407876
0x0040787c
0x0040787e
0x00407882
0x00407886
0x00407889
0x0040788c
0x0040788c
0x0040787c
0x00407874
0x00407895
0x00000000
0x00000000
0x00407897
0x0040789d
0x00000000
0x00000000
0x00000000
0x0040789d
0x004078a6
0x004078a8
0x004078ac
0x004078b2
0x004078b7
0x004078be
0x004078be
0x004078c1
0x004078c5
0x004078c7
0x004078ce
0x004078d2
0x00000000
0x004078d8
0x004078e8
0x004078e8
0x004078ef
0x00000000
0x004078ef
0x004078d2
0x0040784f
0x00000000
0x00000000
0x004078f5
0x004078fc
0x00407993
0x00407998
0x0040799a
0x0040799a
0x00000000
0x00407902
0x00407904
0x00000000
0x0040790a
0x0040790a
0x00407910
0x00407910
0x00407915
0x00407919
0x0040791c
0x00407922
0x00407924
0x00407927
0x0040792d
0x0040792f
0x00407935
0x00407937
0x0040793b
0x0040793f
0x00407942
0x00407945
0x00407945
0x00407935
0x0040792d
0x0040794e
0x00000000
0x00000000
0x00407950
0x00407956
0x00000000
0x00000000
0x00000000
0x00407956
0x0040795f
0x00407961
0x00407965
0x0040796b
0x00407970
0x00407977
0x00407977
0x0040797a
0x0040797e
0x00407980
0x00407987
0x0040798b
0x00000000
0x00407991
0x004079a1
0x004079a1
0x00000000
0x004079a1
0x0040798b
0x00407904
0x00000000
0x00000000
0x004079a7
0x004079ae
0x004079f1
0x004079f1
0x004079f6
0x004079fb
0x004079fe
0x00407a01
0x00407a04
0x00407a07
0x00407a07
0x00407a14
0x00407a19
0x00407a1d
0x00407a21
0x00407a24
0x00407a2a
0x00000000
0x004079b0
0x004079b3
0x004079d5
0x004079d5
0x004079db
0x004079ed
0x004079ef
0x00000000
0x004079dd
0x004079dd
0x004079e1
0x00000000
0x004079e1
0x00000000
0x004079b5
0x004079b5
0x004079bd
0x004079c1
0x004079c3
0x004079c5
0x004079c6
0x004079c9
0x004079ca
0x004079cc
0x004079d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004079d3
0x00000000
0x004079b5
0x004079b3
0x00000000
0x00000000
0x00407a38
0x00407a60
0x00407a62
0x00407a6a
0x00407a6d
0x00407a71
0x00407a74
0x00407a77
0x00407a7c
0x00407a81
0x00407a84
0x00407a88
0x00407a8b
0x00407a8e
0x00407a90
0x00407a92
0x00000000
0x00407a40
0x00407a40
0x00407a48
0x00407a4c
0x00407a4e
0x00407a50
0x00407a51
0x00407a54
0x00407a55
0x00407a57
0x00407a5e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407a5e
0x00000000
0x00407a40
0x00000000
0x00000000
0x00407a98
0x00407a9c
0x00408673
0x00408677
0x0040867b
0x0040867e
0x00408682
0x00408684
0x00408687
0x0040868a
0x0040868d
0x0040868e
0x0040868f
0x00408692
0x00408693
0x0040869c
0x00407aa2
0x00407aa2
0x00407aa4
0x00407aa6
0x00407aa8
0x00407aad
0x00407ab1
0x00407ab4
0x00407ab7
0x00407abb
0x00407abe
0x00000000
0x00407abe
0x00000000
0x00000000
0x00407ac4
0x00407ac9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407acf
0x00407ad3
0x00407aec
0x00407b10
0x00407b10
0x00407b12
0x00407b14
0x00407b16
0x00407b19
0x00407b1c
0x00407b1d
0x00407b23
0x00407b77
0x00407b77
0x00407b7a
0x00407b25
0x00407b25
0x00000000
0x00407b2c
0x00407b2f
0x00407b35
0x00000000
0x00000000
0x00407b3d
0x00407b3f
0x00407b44
0x00407b47
0x00407b4d
0x00000000
0x00000000
0x00407b55
0x00407b58
0x00407b5e
0x00000000
0x00000000
0x00407b66
0x00407b6a
0x00407b71
0x00000000
0x00000000
0x00407b25
0x00000000
0x00407af0
0x00407af0
0x00407af8
0x00407afc
0x00407afe
0x00407b00
0x00407b01
0x00407b04
0x00407b05
0x00407b07
0x00407b0e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b0e
0x00000000
0x00407af0
0x00407ad5
0x00407ad7
0x00407ada
0x00407adc
0x00407ade
0x00000000
0x00407ade
0x00000000
0x00000000
0x00407b84
0x00407b87
0x00407b89
0x00407b8e
0x00407bb0
0x00407bb0
0x00407bb2
0x00407bb4
0x00407bb6
0x00407bbb
0x00407bc0
0x00407bd2
0x00407bd4
0x00407bd7
0x00407bd9
0x00000000
0x00407bc2
0x00407bc2
0x00407bc6
0x00000000
0x00407bc6
0x00407b90
0x00407b90
0x00407b98
0x00407b9c
0x00407b9e
0x00407ba0
0x00407ba1
0x00407ba4
0x00407ba5
0x00407ba7
0x00407bae
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407bae
0x00000000
0x00407b90
0x00000000
0x00000000
0x00407bdf
0x00407bdf
0x00407be2
0x00407be8
0x00000000
0x00407bee
0x00407bf0
0x00407bf2
0x00407bf4
0x00407bf4
0x00407bf8
0x00407bfe
0x00407c00
0x00407c02
0x00407c02
0x00407c08
0x00000000
0x00407c0e
0x00407c0e
0x00407c12
0x00407c19
0x00407c1e
0x00407c22
0x00407c26
0x00407c2a
0x00407c2e
0x00407c35
0x00407c37
0x00000000
0x00407c37
0x00407c08
0x00000000
0x00000000
0x00407c42
0x00407c64
0x00407c64
0x00407c66
0x00407c69
0x00407c6c
0x00407c72
0x00407c74
0x00407c77
0x00407c7a
0x00407c7c
0x00407c7f
0x00407c82
0x00407c83
0x00407c86
0x00407c89
0x00407c93
0x00407c96
0x00407c99
0x00000000
0x00407ca8
0x00407ca8
0x00407caf
0x00000000
0x00407caf
0x00407c44
0x00407c44
0x00407c4c
0x00407c50
0x00407c52
0x00407c54
0x00407c55
0x00407c58
0x00407c59
0x00407c5b
0x00407c62
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407c62
0x00000000
0x00407c44
0x00000000
0x00000000
0x00407cb5
0x00407cb5
0x00407cbb
0x00407d0b
0x00407d0b
0x00407d13
0x00407d20
0x00407d23
0x00407d2b
0x00407d2d
0x00407d32
0x00407d35
0x00407d3a
0x00407d40
0x00407d43
0x00407d45
0x00407d48
0x00407d4f
0x00407d54
0x00407d5c
0x00407d62
0x00407d67
0x00407d6e
0x00407d74
0x00000000
0x00407d7a
0x00407d7a
0x00407d7d
0x00000000
0x00407d7d
0x00407cc0
0x00407cc0
0x00407cc3
0x00000000
0x00407cc5
0x00407cc5
0x00407ccd
0x00407cd1
0x00407cd3
0x00407cd5
0x00407cd6
0x00407cd9
0x00407cda
0x00407cdc
0x00407ce3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ce3
0x00000000
0x00407cc5
0x00000000
0x00407ce5
0x00407ce5
0x00407ce8
0x00407cf2
0x00407cf5
0x00407cfa
0x00407cfd
0x00407d00
0x00407d03
0x00407d06
0x00000000
0x00407cc0
0x00000000
0x00000000
0x00407d83
0x00407d83
0x00407d86
0x00407d8c
0x00407fb5
0x00407fb8
0x00000000
0x00407fbe
0x00407fbe
0x00407fc4
0x00407fc7
0x00407fc9
0x00407fd0
0x00407fd3
0x00407fd8
0x00407fdc
0x00407fe2
0x00407fe8
0x00407ff0
0x00407ff6
0x0040800c
0x0040800f
0x00408012
0x00408015
0x0040801c
0x00408021
0x00408024
0x0040802a
0x0040802e
0x00408035
0x0040803a
0x00408041
0x00408047
0x00408059
0x00000000
0x00408049
0x00408049
0x0040804d
0x00000000
0x0040804d
0x00407ff8
0x00407ff8
0x00407ffc
0x00408000
0x00000000
0x00408000
0x00407ff6
0x00407d92
0x00407d92
0x00407d92
0x00407d9a
0x00407d9c
0x00407da0
0x00407da2
0x00407da7
0x00407daa
0x00407dad
0x00407db3
0x00407df3
0x00407df5
0x00407dfb
0x00407e52
0x00407e5b
0x00407ec9
0x00407ecc
0x00407ed0
0x00407f1e
0x00407f23
0x00407f4b
0x00407f4b
0x00407f4f
0x00407f52
0x00407f55
0x00407f59
0x00407f5c
0x00000000
0x00407f25
0x00407f25
0x00407f2d
0x00407f31
0x00407f33
0x00407f35
0x00407f39
0x00407f3a
0x00407f3d
0x00407f3f
0x00407f42
0x00407f43
0x00407f49
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407f49
0x00000000
0x00407f25
0x00407ed2
0x00407ed2
0x00407ed7
0x00407f06
0x00407f06
0x00407f0a
0x00407f0d
0x00407f10
0x00407f14
0x00407f17
0x00407f61
0x00407f63
0x00407f65
0x00407f69
0x00000000
0x00407ee0
0x00407ee0
0x00407ee8
0x00407eec
0x00407eee
0x00407ef0
0x00407ef4
0x00407ef5
0x00407ef8
0x00407efa
0x00407efd
0x00407efe
0x00407f04
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407f04
0x00000000
0x00407ee0
0x00407ed7
0x00407e5d
0x00407e5d
0x00407e60
0x00407e63
0x00407e69
0x00407e96
0x00407e96
0x00407e99
0x00407e9b
0x00407e9f
0x00000000
0x00407ea5
0x00407ea5
0x00407eac
0x00407eaf
0x00407eb2
0x00407eb5
0x00407eb9
0x00407ebd
0x00407f71
0x00407f71
0x00407f74
0x00407f79
0x00407f7e
0x004075ab
0x004075ab
0x004075af
0x00000000
0x00407f84
0x00407f89
0x00407f8b
0x00407f90
0x00407f90
0x00407f93
0x00407f97
0x00407f9c
0x00407f9f
0x00407f90
0x00000000
0x00407f89
0x00407f7e
0x00407e6b
0x00407e70
0x00407e78
0x00407e7c
0x00407e7e
0x00407e80
0x00407e84
0x00407e85
0x00407e88
0x00407e8a
0x00407e8d
0x00407e8e
0x00407e94
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e94
0x00000000
0x00407e70
0x00407e69
0x00407dfd
0x00407dff
0x00407e02
0x00407e07
0x00407e36
0x00407e36
0x00407e39
0x00407e3c
0x00407e3e
0x00407e40
0x00407e45
0x00407e4a
0x00000000
0x00407e10
0x00407e10
0x00407e18
0x00407e1c
0x00407e1e
0x00407e20
0x00407e21
0x00407e24
0x00407e25
0x00407e27
0x00407e2b
0x00407e2e
0x00407e34
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e34
0x00000000
0x00407e10
0x00407e07
0x00407db5
0x00407db5
0x00407dbd
0x00407dc1
0x00407dc3
0x00407dc5
0x00407dc8
0x00407dc9
0x00407dcc
0x00407dd3
0x00407dd5
0x00407dd8
0x00407dd9
0x00407dde
0x00407de0
0x00407de5
0x00407de8
0x00407deb
0x00407df1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407df1
0x00000000
0x00407db5
0x00000000
0x00407fa6
0x00407fa6
0x00407fa9
0x00407fac
0x00000000
0x00407d92
0x00000000
0x00000000
0x0040805f
0x00408062
0x004080c5
0x004080cd
0x004080d0
0x004080d2
0x004080d4
0x004080d7
0x004080dc
0x004080df
0x004080e2
0x004080e8
0x0040812e
0x00408130
0x004081f7
0x004081f9
0x004081fc
0x004081ff
0x00408201
0x00408203
0x00408209
0x0040820c
0x00408211
0x00408220
0x0040822f
0x00408244
0x00408247
0x0040824a
0x00000000
0x00408231
0x00408231
0x00408235
0x00000000
0x00408235
0x00408222
0x00408222
0x00408222
0x00000000
0x00408222
0x00408213
0x00408213
0x00000000
0x00408213
0x0040813e
0x00408140
0x00408143
0x00408147
0x0040814a
0x00408151
0x00408155
0x0040815e
0x00408160
0x00408165
0x00408167
0x0040816d
0x00408170
0x00408172
0x00408174
0x00408177
0x0040817a
0x0040817f
0x00408186
0x00408189
0x0040818d
0x004081ea
0x004081ea
0x004081ef
0x004081f3
0x004081f5
0x00000000
0x00408190
0x00408190
0x00408198
0x0040819c
0x0040819e
0x004081a0
0x004081a4
0x004081a5
0x004081a8
0x004081aa
0x004081ad
0x004081b4
0x004081bb
0x004081bd
0x004081c1
0x004081c2
0x004081c7
0x004081c9
0x004081cb
0x004081d0
0x004081d2
0x004081d5
0x004081d8
0x004081df
0x004081e2
0x004081e8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004081e8
0x00000000
0x00408190
0x0040818d
0x004080f0
0x004080f0
0x004080f8
0x004080fc
0x004080fe
0x00408100
0x00408103
0x00408104
0x00408107
0x0040810e
0x00408110
0x00408113
0x00408114
0x00408119
0x0040811b
0x00408120
0x00408123
0x00408126
0x0040812c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040812c
0x00000000
0x004080f0
0x0040806e
0x0040806e
0x00408072
0x00408076
0x0040807a
0x0040807d
0x00408081
0x00408084
0x00408088
0x00408089
0x0040808b
0x0040808e
0x0040808f
0x00408092
0x00408095
0x0040809a
0x0040809e
0x004080a1
0x004080a4
0x004080a6
0x004080a9
0x004080ac
0x004080af
0x004080b3
0x004080b6
0x004080ba
0x004080be
0x00000000
0x004080be
0x00000000
0x00000000
0x00408250
0x00408250
0x00408255
0x00408294
0x00408294
0x00000000
0x00408257
0x00408259
0x00408280
0x00408280
0x00408288
0x0040828b
0x0040828d
0x00408290
0x00408292
0x00000000
0x0040825b
0x00408260
0x00408268
0x0040826c
0x0040826e
0x00408270
0x00408271
0x00408274
0x00408275
0x00408277
0x0040827e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040827e
0x00000000
0x00408260
0x00408259
0x00000000
0x00000000
0x0040829a
0x0040829a
0x004082a2
0x004082a5
0x004082a7
0x004082a9
0x004082ac
0x004082b1
0x004082b4
0x004082b7
0x004082bd
0x004082fe
0x00408300
0x004083be
0x004083c0
0x004083c3
0x004083c6
0x004083c8
0x004083ca
0x004083d0
0x004083e2
0x004083e4
0x004083e7
0x004083ea
0x004083ed
0x004083f0
0x004083f3
0x00000000
0x004083d2
0x004083d2
0x004083d6
0x00000000
0x004083d6
0x00408306
0x00408308
0x0040830b
0x0040830f
0x00408312
0x00408319
0x0040831d
0x00408326
0x00408328
0x0040832d
0x0040832f
0x00408335
0x00408338
0x0040833a
0x0040833c
0x0040833f
0x00408342
0x00408347
0x0040834e
0x00408351
0x00408355
0x004083b1
0x004083b1
0x004083b6
0x004083ba
0x004083bc
0x00000000
0x00408357
0x00408357
0x0040835f
0x00408363
0x00408365
0x00408367
0x0040836b
0x0040836c
0x0040836f
0x00408371
0x00408374
0x0040837b
0x00408382
0x00408384
0x00408388
0x00408389
0x0040838e
0x00408390
0x00408392
0x00408397
0x00408399
0x0040839c
0x0040839f
0x004083a6
0x004083a9
0x004083af
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004083af
0x00000000
0x00408357
0x00408355
0x004082c0
0x004082c0
0x004082c8
0x004082cc
0x004082ce
0x004082d0
0x004082d3
0x004082d4
0x004082d7
0x004082de
0x004082e0
0x004082e3
0x004082e4
0x004082e9
0x004082eb
0x004082f0
0x004082f3
0x004082f6
0x004082fc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004082fc
0x00000000
0x004082c0
0x00000000
0x00000000
0x004083f9
0x004083f9
0x004083fe
0x00408438
0x0040843b
0x0040843f
0x00408446
0x00408458
0x00000000
0x00408448
0x00408448
0x0040844c
0x00000000
0x0040844c
0x00408400
0x00408402
0x00408424
0x00408424
0x0040842c
0x0040842e
0x0040842f
0x00408431
0x00408434
0x00408436
0x00000000
0x00408404
0x00408404
0x0040840c
0x00408410
0x00408412
0x00408414
0x00408415
0x00408418
0x00408419
0x0040841b
0x00408422
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408422
0x00000000
0x00408404
0x00408402
0x00000000
0x00000000
0x0040845e
0x00408463
0x00000000
0x00408469
0x00408469
0x0040846d
0x00408471
0x00408476
0x004084b4
0x004084b8
0x004084ba
0x004084bd
0x004084c1
0x00000000
0x00408478
0x00408478
0x0040847a
0x0040847d
0x00408483
0x00408498
0x0040849a
0x0040849d
0x00408485
0x00408485
0x0040848a
0x0040848d
0x00408491
0x00408491
0x004084a1
0x004084a5
0x004084a8
0x004084ae
0x004084b0
0x004084c5
0x004084c5
0x004084c5
0x004084ae
0x004084c9
0x004084cf
0x004084d1
0x004084d3
0x004084d3
0x004084d9
0x004084dd
0x004084e1
0x004084e3
0x004084e7
0x004084f0
0x004084f0
0x004084f4
0x004084f6
0x004084fa
0x004084fc
0x004084fd
0x004084fd
0x004084fd
0x00408508
0x0040850c
0x00408512
0x00408512
0x00000000
0x0040850c
0x00000000
0x00000000
0x00408522
0x00000000
0x00408528
0x00408528
0x0040852c
0x0040852f
0x00408531
0x00408532
0x00408536
0x0040853a
0x00000000
0x0040853a
0x00000000
0x00000000
0x00408549
0x00408606
0x00408606
0x00000000
0x0040854f
0x00408552
0x00408574
0x00408574
0x00408578
0x0040857c
0x00408580
0x00408583
0x00408586
0x0040858c
0x0040858e
0x00408592
0x00408595
0x0040859c
0x0040859d
0x0040859e
0x004085a7
0x004085a0
0x004085a0
0x004085a0
0x004085ac
0x004085b0
0x004085b4
0x004085b7
0x004085ba
0x004085ba
0x004085c1
0x004085c5
0x004085c9
0x004085cb
0x004085cd
0x004085d4
0x004085d7
0x004085db
0x004085de
0x004085e4
0x004085e7
0x004085eb
0x004085ee
0x004085ee
0x004085f3
0x00408602
0x00408604
0x00000000
0x004085f5
0x004085f5
0x004085f9
0x00000000
0x004085f9
0x00408554
0x00408554
0x0040855c
0x00408560
0x00408562
0x00408564
0x00408565
0x00408568
0x00408569
0x0040856b
0x00408572
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408572
0x00000000
0x00408554
0x00408552
0x00000000
0x00000000
0x0040860c
0x00408610
0x004086a1
0x004086a1
0x00000000
0x00408620
0x00408623
0x00408645
0x00408648
0x0040869d
0x0040869f
0x00000000
0x0040864a
0x0040864a
0x0040864e
0x00408655
0x00408655
0x00000000
0x00408655
0x00408625
0x00408625
0x0040862d
0x00408631
0x00408633
0x00408635
0x00408636
0x00408639
0x0040863a
0x0040863c
0x00408643
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408643
0x00000000
0x00408625
0x00408623
0x00000000
0x00000000
0x004086a7
0x004086a7
0x00000000
0x00000000
0x004086b1
0x004086b9
0x004086b9
0x004086c1
0x004086c8
0x004086cb
0x004086cd
0x004086d4
0x004086d7
0x004086da
0x004086f9
0x00000000
0x004086fb
0x004086fb
0x00000000
0x004086fb
0x0040870e
0x0040870e
0x0040870e
0x00408716
0x0040871d
0x00408720
0x00408723
0x00408726
0x0040872d
0x00408737
0x00408738
0x00408753
0x00408754
0x00408755
0x0040873a
0x00408742
0x00408743
0x00408744
0x00408744
0x0040875a
0x0040875d
0x00408760
0x00408760
0x00408768
0x00408780
0x00408785
0x00408790
0x004087b6
0x00000000
0x00000000
0x00000000
0x00408792
0x00408792
0x00408792
0x00408798
0x0040866b
0x00408672
0x0040879e
0x004087aa
0x004087aa
0x00408798
0x00408785
0x00000000
0x00000000
0x00408701
0x0040870d
0x00000000
0x00000000
0x0040865b
0x0040865b
0x0040865d
0x00000000
0x00407420
0x00407414
0x004073b5
0x00000000

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: .4, Instructions: 401
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00406CA0() {
				intOrPtr _t153;
				unsigned int _t157;
				unsigned int _t160;
				intOrPtr _t172;
				signed int _t174;
				signed char _t180;
				signed int _t181;
				void* _t183;
				void* _t185;
				void* _t186;
				void* _t187;
				void* _t188;
				intOrPtr _t190;
				unsigned int _t192;
				char _t198;
				char _t199;
				char _t202;
				unsigned int _t217;
				intOrPtr* _t221;
				intOrPtr _t222;
				signed char _t230;
				intOrPtr* _t232;
				signed char _t237;
				unsigned int _t245;
				intOrPtr _t248;
				intOrPtr _t249;
				void* _t250;
				void* _t251;
				void* _t252;
				signed char _t263;
				signed char _t269;
				signed int _t280;
				signed int _t284;
				intOrPtr _t285;
				signed char _t288;
				signed char _t290;
				unsigned int _t297;
				char _t308;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t318;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				char* _t331;
				char* _t333;
				char* _t334;
				char* _t335;
				signed char* _t337;
				void* _t341;
				unsigned int _t342;
				void* _t345;
				void* _t346;
				intOrPtr _t347;
				signed char* _t348;
				void* _t349;

				_t221 =  *((intOrPtr*)(_t349 + 0x50));
				_t153 =  *((intOrPtr*)(_t221 + 0x1c));
				_t217 =  *(_t153 + 0x38);
				_t337 =  *_t221 - 1;
				 *((intOrPtr*)(_t349 + 0x14)) =  *((intOrPtr*)(_t221 + 4)) + _t337 - 5;
				_t222 =  *((intOrPtr*)(_t221 + 0x10));
				_t331 =  *((intOrPtr*)(_t221 + 0xc)) - 1;
				 *((intOrPtr*)(_t349 + 0x38)) = _t222 -  *(_t349 + 0x54) + _t331;
				 *((intOrPtr*)(_t349 + 0x2c)) = _t222 + _t331 - 0x101;
				 *((intOrPtr*)(_t349 + 0x28)) =  *((intOrPtr*)(_t153 + 0x28));
				 *((intOrPtr*)(_t349 + 0x3c)) =  *((intOrPtr*)(_t153 + 0x2c));
				 *((intOrPtr*)(_t349 + 0x44)) =  *((intOrPtr*)(_t153 + 0x30));
				 *((intOrPtr*)(_t349 + 0x40)) =  *((intOrPtr*)(_t153 + 0x34));
				 *((intOrPtr*)(_t349 + 0x20)) =  *((intOrPtr*)(_t153 + 0x4c));
				 *((intOrPtr*)(_t349 + 0x24)) =  *((intOrPtr*)(_t153 + 0x50));
				 *((intOrPtr*)(_t349 + 0x18)) = _t153;
				_t326 =  *(_t153 + 0x3c);
				 *(_t349 + 0x54) = 1;
				_t280 = (1 <<  *(_t153 + 0x54)) - 1;
				 *(_t349 + 0x10) = _t337;
				 *(_t349 + 0x48) = 1;
				 *(_t349 + 0x30) = ( *(_t349 + 0x54) <<  *(_t153 + 0x58)) - 1;
				L1:
				while(1) {
					if(_t326 < 0xf) {
						_t174 = (_t337[1] & 0x000000ff) << _t326;
						_t337 =  &(_t337[2]);
						_t329 = _t326 + 8;
						 *(_t349 + 0x10) = _t337;
						_t217 = _t217 + _t174 + (( *_t337 & 0x000000ff) << _t329);
						_t326 = _t329 + 8;
					}
					_t157 =  *( *((intOrPtr*)(_t349 + 0x20)) + (_t280 & _t217) * 4);
					_t230 = _t157 >> 0x00000008 & 0x000000ff;
					_t284 = _t157 & 0x000000ff;
					_t217 = _t217 >> _t230;
					_t326 = _t326 - _t230;
					if(_t284 == 0) {
						L7:
						_t331 = _t331 + 1;
						 *_t331 = _t157 >> 0x10;
						L46:
						_t285 =  *((intOrPtr*)(_t349 + 0x14));
						if(_t337 >= _t285 || _t331 >=  *((intOrPtr*)(_t349 + 0x2c))) {
							L59:
							_t160 = _t326 >> 3;
							_t338 = _t337 - _t160;
							_t327 = _t326 - _t160 + _t160 + _t160 + _t160 + _t160 + _t160 + _t160 + _t160;
							_t232 =  *((intOrPtr*)(_t349 + 0x50));
							_t144 = _t338 + 1; // -1
							 *_t232 = _t144;
							 *((intOrPtr*)(_t232 + 0xc)) = _t331 + 1;
							 *((intOrPtr*)(_t232 + 0x10)) =  *((intOrPtr*)(_t349 + 0x2c)) - _t331 + 0x101;
							_t172 =  *((intOrPtr*)(_t349 + 0x18));
							 *((intOrPtr*)(_t232 + 4)) = _t285 - _t337 - _t160 + 5;
							 *(_t172 + 0x3c) = _t327;
							 *(_t172 + 0x38) = _t217 & (0x00000001 << _t327) - 0x00000001;
							return _t172;
						} else {
							_t280 =  *(_t349 + 0x48);
							continue;
						}
					}
					while((_t284 & 0x00000010) == 0) {
						if((_t284 & 0x00000040) != 0) {
							if((_t284 & 0x00000020) == 0) {
								L57:
								 *((intOrPtr*)( *((intOrPtr*)(_t349 + 0x50)) + 0x18)) = 0x41d338;
								 *((intOrPtr*)( *((intOrPtr*)(_t349 + 0x18)))) = 0x1b;
								L58:
								_t285 =  *((intOrPtr*)(_t349 + 0x14));
								goto L59;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_t349 + 0x18)))) = 0xb;
							goto L58;
						}
						 *(_t349 + 0x54) = 1;
						_t157 =  *( *((intOrPtr*)(_t349 + 0x20)) + ((( *(_t349 + 0x54) << _t284) - 0x00000001 & _t217) + (_t157 >> 0x10)) * 4);
						_t269 = _t157 >> 0x00000008 & 0x000000ff;
						_t284 = _t157 & 0x000000ff;
						_t217 = _t217 >> _t269;
						_t326 = _t326 - _t269;
						if(_t284 != 0) {
							continue;
						}
						goto L7;
					}
					_t288 = _t284 & 0x0000000f;
					 *(_t349 + 0x54) = _t157 >> 0x10;
					if(_t288 != 0) {
						_t263 = _t288;
						 *(_t349 + 0x54) =  *(_t349 + 0x54) + ((0x00000001 << _t263) - 0x00000001 & _t217);
						_t217 = _t217 >> _t263;
						_t326 = _t326 - _t288;
					}
					if(_t326 < 0xf) {
						_t318 = _t337[1] & 0x000000ff;
						_t348 =  &(_t337[1]);
						_t337 =  &(_t348[1]);
						_t328 = _t326 + 8;
						 *(_t349 + 0x10) = _t337;
						_t217 = _t217 + (_t318 << _t326) + ((_t348[1] & 0x000000ff) << _t328);
						_t326 = _t328 + 8;
					}
					_t290 =  *( *((intOrPtr*)(_t349 + 0x24)) + ( *(_t349 + 0x30) & _t217) * 4);
					_t237 = _t290 >> 0x00000008 & 0x000000ff;
					_t180 = _t290 & 0x000000ff;
					_t217 = _t217 >> _t237;
					_t326 = _t326 - _t237;
					 *(_t349 + 0x1c) = _t290;
					if((_t180 & 0x00000010) != 0) {
						L17:
						_t181 = _t180 & 0x0000000f;
						 *(_t349 + 0x1c) = _t290 >> 0x10;
						if(_t326 < _t181) {
							_t309 = _t337[1] & 0x000000ff;
							_t337 =  &(_t337[1]);
							_t310 = _t309 << _t326;
							_t326 = _t326 + 8;
							 *(_t349 + 0x10) = _t337;
							_t217 = _t217 + _t310;
							if(_t326 < _t181) {
								_t311 = _t337[1] & 0x000000ff;
								_t337 =  &(_t337[1]);
								 *(_t349 + 0x10) = _t337;
								_t217 = _t217 + (_t311 << _t326);
								_t326 = _t326 + 8;
							}
						}
						_t326 = _t326 - _t181;
						_t297 =  *(_t349 + 0x1c) + ((0x00000001 << _t181) - 0x00000001 & _t217);
						_t183 = _t331 -  *((intOrPtr*)(_t349 + 0x38));
						_t217 = _t217 >> _t181;
						 *(_t349 + 0x1c) = _t297;
						if(_t297 <= _t183) {
							_t185 = _t331 - _t297;
							do {
								_t186 = _t185 + 1;
								 *((char*)(_t331 + 1)) =  *(_t185 + 1) & 0x000000ff;
								_t187 = _t186 + 1;
								_t333 = _t331 + 2;
								 *_t333 =  *((intOrPtr*)(_t186 + 1));
								_t185 = _t187 + 1;
								_t331 = _t333 + 1;
								 *_t331 =  *(_t187 + 1) & 0x000000ff;
								_t245 =  *(_t349 + 0x54) - 3;
								 *(_t349 + 0x54) = _t245;
							} while (_t245 > 2);
							if(_t245 != 0) {
								_t188 = _t185 + 1;
								_t331 = _t331 + 1;
								 *_t331 =  *(_t185 + 1);
								if(_t245 > 1) {
									_t331 = _t331 + 1;
									 *_t331 =  *((intOrPtr*)(_t188 + 1));
								}
							}
							goto L46;
						} else {
							_t341 = _t297 - _t183;
							if(_t341 >  *((intOrPtr*)(_t349 + 0x3c))) {
								_t337 =  *(_t349 + 0x10);
								 *((intOrPtr*)( *((intOrPtr*)(_t349 + 0x50)) + 0x18)) = 0x41d338;
								 *((intOrPtr*)( *((intOrPtr*)(_t349 + 0x18)))) = 0x1b;
								goto L58;
							}
							_t190 =  *((intOrPtr*)(_t349 + 0x44));
							_t248 =  *((intOrPtr*)(_t349 + 0x40)) - 1;
							 *((intOrPtr*)(_t349 + 0x34)) = _t248;
							if(_t190 != 0) {
								if(_t190 >= _t341) {
									_t249 = _t248 + _t190 - _t341;
									if(_t341 >=  *(_t349 + 0x54)) {
										L39:
										_t192 =  *(_t349 + 0x54);
										if(_t192 <= 2) {
											L42:
											_t342 =  *(_t349 + 0x54);
											if(_t342 != 0) {
												_t250 = _t249 + 1;
												_t331 = _t331 + 1;
												 *_t331 =  *(_t249 + 1);
												if(_t342 > 1) {
													_t331 = _t331 + 1;
													 *_t331 =  *((intOrPtr*)(_t250 + 1));
												}
											}
											_t337 =  *(_t349 + 0x10);
											goto L46;
										}
										_t107 = _t192 - 3; // -2
										_t345 = (0xaaaaaaab * _t107 >> 0x20 >> 1) + 1;
										do {
											 *(_t349 + 0x54) =  *(_t349 + 0x54) - 3;
											_t251 = _t249 + 1;
											_t334 = _t331 + 1;
											 *_t334 =  *(_t249 + 1) & 0x000000ff;
											_t252 = _t251 + 1;
											_t335 = _t334 + 1;
											 *_t335 =  *((intOrPtr*)(_t251 + 1));
											_t249 = _t252 + 1;
											_t331 = _t335 + 1;
											_t345 = _t345 - 1;
											 *_t331 =  *(_t252 + 1) & 0x000000ff;
										} while (_t345 != 0);
										goto L42;
									}
									 *(_t349 + 0x54) =  *(_t349 + 0x54) - _t341;
									do {
										_t198 =  *(_t249 + 1);
										_t249 = _t249 + 1;
										_t331 = _t331 + 1;
										_t341 = _t341 - 1;
										 *_t331 = _t198;
									} while (_t341 != 0);
									L38:
									_t249 = _t331 - _t297;
									goto L39;
								}
								_t346 = _t341 - _t190;
								_t249 = _t248 + _t190 - _t341 +  *((intOrPtr*)(_t349 + 0x28));
								if(_t346 >=  *(_t349 + 0x54)) {
									goto L39;
								}
								 *(_t349 + 0x54) =  *(_t349 + 0x54) - _t346;
								do {
									_t308 =  *(_t249 + 1);
									_t249 = _t249 + 1;
									_t331 = _t331 + 1;
									_t346 = _t346 - 1;
									 *_t331 = _t308;
								} while (_t346 != 0);
								_t249 =  *((intOrPtr*)(_t349 + 0x34));
								if(_t190 >=  *(_t349 + 0x54)) {
									goto L39;
								}
								 *(_t349 + 0x54) =  *(_t349 + 0x54) - _t190;
								_t347 = _t190;
								do {
									_t199 =  *(_t249 + 1);
									_t249 = _t249 + 1;
									_t331 = _t331 + 1;
									_t347 = _t347 - 1;
									 *_t331 = _t199;
								} while (_t347 != 0);
								_t249 = _t331 -  *(_t349 + 0x1c);
								goto L39;
							}
							_t249 = _t248 +  *((intOrPtr*)(_t349 + 0x28)) - _t341;
							if(_t341 >=  *(_t349 + 0x54)) {
								goto L39;
							}
							 *(_t349 + 0x54) =  *(_t349 + 0x54) - _t341;
							do {
								_t202 =  *(_t249 + 1);
								_t249 = _t249 + 1;
								_t331 = _t331 + 1;
								_t341 = _t341 - 1;
								 *_t331 = _t202;
							} while (_t341 != 0);
							goto L38;
						}
					} else {
						while((_t180 & 0x00000040) == 0) {
							_t290 =  *( *((intOrPtr*)(_t349 + 0x24)) + (((0x00000001 << _t180) - 0x00000001 & _t217) + ( *(_t349 + 0x1e) & 0x0000ffff)) * 4);
							_t180 = _t290 & 0x000000ff;
							_t217 = _t217 >> 0xad;
							_t326 = _t326 - 0xad;
							 *(_t349 + 0x1c) = 1;
							if((_t180 & 0x00000010) == 0) {
								continue;
							}
							goto L17;
						}
						goto L57;
					}
				}
			}

0x00406ca7
0x00406cab
0x00406cb1
0x00406cb6
0x00406cbb
0x00406cc2
0x00406ccb
0x00406cd5
0x00406cdc
0x00406ce3
0x00406cea
0x00406cf1
0x00406cf8
0x00406cff
0x00406d03
0x00406d14
0x00406d18
0x00406d1b
0x00406d29
0x00406d2a
0x00406d2e
0x00406d33
0x00000000
0x00406d37
0x00406d3a
0x00406d43
0x00406d45
0x00406d46
0x00406d53
0x00406d57
0x00406d59
0x00406d59
0x00406d62
0x00406d6a
0x00406d6d
0x00406d70
0x00406d72
0x00406d76
0x00406db9
0x00406db9
0x00406dbd
0x00406fef
0x00406fef
0x00406ff5
0x00407097
0x00407099
0x0040709c
0x004070a4
0x004070af
0x004070bb
0x004070be
0x004070c3
0x004070d1
0x004070d4
0x004070d8
0x004070db
0x004070e1
0x004070e8
0x00407005
0x00407005
0x00000000
0x00407005
0x00406ff5
0x00406d78
0x00406d80
0x00407070
0x0040707e
0x00407086
0x0040708d
0x00407093
0x00407093
0x00000000
0x00407093
0x00407076
0x00000000
0x00407076
0x00406d8b
0x00406da3
0x00406dab
0x00406dae
0x00406db1
0x00406db3
0x00406db7
0x00000000
0x00000000
0x00000000
0x00406db7
0x00406dc7
0x00406dca
0x00406dce
0x00406de6
0x00406df2
0x00406df6
0x00406df8
0x00406df8
0x00406dfd
0x00406dff
0x00406e03
0x00406e0a
0x00406e0d
0x00406e16
0x00406e1a
0x00406e1c
0x00406e1c
0x00406e29
0x00406e31
0x00406e34
0x00406e37
0x00406e39
0x00406e3b
0x00406e41
0x00406e7c
0x00406e7f
0x00406e82
0x00406e88
0x00406e8a
0x00406e8e
0x00406e91
0x00406e93
0x00406e96
0x00406e9a
0x00406e9e
0x00406ea0
0x00406ea4
0x00406ea9
0x00406ead
0x00406eaf
0x00406eaf
0x00406e9e
0x00406ebd
0x00406ec8
0x00406ece
0x00406ed2
0x00406ed4
0x00406eda
0x00407010
0x00407012
0x00407016
0x00407017
0x0040701e
0x0040701f
0x00407020
0x00407026
0x00407027
0x00407028
0x0040702e
0x00407031
0x00407035
0x0040703c
0x00407041
0x00407042
0x00407043
0x00407048
0x0040704d
0x0040704e
0x0040704e
0x00407048
0x00000000
0x00406ee0
0x00406ee2
0x00406ee8
0x0040705a
0x0040705e
0x00407065
0x00000000
0x00407065
0x00406ef2
0x00406ef6
0x00406ef7
0x00406efd
0x00406f25
0x00406f76
0x00406f7c
0x00406f92
0x00406f92
0x00406f99
0x00406fd1
0x00406fd1
0x00406fd7
0x00406fdc
0x00406fdd
0x00406fde
0x00406fe3
0x00406fe8
0x00406fe9
0x00406fe9
0x00406fe3
0x00406feb
0x00000000
0x00406feb
0x00406f9b
0x00406fa9
0x00406fb0
0x00406fb4
0x00406fb9
0x00406fba
0x00406fbb
0x00406fc0
0x00406fc1
0x00406fc2
0x00406fc8
0x00406fc9
0x00406fca
0x00406fcd
0x00406fcd
0x00000000
0x00406fb0
0x00406f7e
0x00406f82
0x00406f82
0x00406f85
0x00406f86
0x00406f87
0x00406f8a
0x00406f8a
0x00406f8e
0x00406f90
0x00000000
0x00406f90
0x00406f2f
0x00406f31
0x00406f37
0x00000000
0x00000000
0x00406f39
0x00406f40
0x00406f40
0x00406f43
0x00406f44
0x00406f45
0x00406f48
0x00406f48
0x00406f4c
0x00406f54
0x00000000
0x00000000
0x00406f56
0x00406f5a
0x00406f60
0x00406f60
0x00406f63
0x00406f64
0x00406f65
0x00406f68
0x00406f68
0x00406f6e
0x00000000
0x00406f6e
0x00406f05
0x00406f0b
0x00000000
0x00000000
0x00406f11
0x00406f15
0x00406f15
0x00406f18
0x00406f19
0x00406f1a
0x00406f1d
0x00406f1d
0x00000000
0x00406f21
0x00406e43
0x00406e43
0x00406e62
0x00406e6d
0x00406e70
0x00406e72
0x00406e74
0x00406e7a
0x00000000
0x00000000
0x00000000
0x00406e7a
0x00000000
0x00406e43
0x00406e41

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 00402B90 Relevance: .2, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00402B90(unsigned int __eax, signed char __ecx, unsigned int __edx) {
				signed int* _t89;
				signed char* _t90;
				signed int* _t98;
				signed int* _t100;
				signed int* _t102;
				signed int* _t103;
				signed char _t154;
				unsigned int _t164;
				signed int _t190;
				signed int _t208;
				signed int _t212;
				unsigned int _t264;
				unsigned int _t266;

				_t154 = __ecx;
				_t266 = __edx;
				_t208 =  !(((__eax & 0x0000ff00) + (__eax << 0x10) << 8) + (__eax >> 0x00000008 & 0x0000ff00) + (__eax >> 0x18));
				if(__edx != 0) {
					while((_t154 & 0x00000003) != 0) {
						_t208 = _t208 << 0x00000008 ^  *(0x41c2b0 + (_t208 >> 0x00000018 ^  *_t154 & 0x000000ff) * 4);
						_t154 = _t154 + 1;
						_t266 = _t266 - 1;
						if(_t266 != 0) {
							continue;
						}
						goto L4;
					}
				}
				L4:
				_t89 = _t154 - 4;
				if(_t266 >= 0x20) {
					_t264 = _t266 >> 5;
					do {
						_t214 = _t208 ^ _t89[1];
						_t98 =  &(_t89[2]);
						_t172 =  *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98;
						_t100 =  &(_t98[2]);
						_t223 =  *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4);
						_t102 =  &(_t100[2]);
						_t181 =  *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t223 >> 0x18) * 4) ^  *(0x41c2b0 + (_t223 & 0x000000ff) * 4) ^  *(_t102 - 8);
						_t103 =  &(_t102[1]);
						_t190 =  *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t223 >> 0x18) * 4) ^  *(0x41c2b0 + (_t223 & 0x000000ff) * 4) ^  *(_t102 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t223 >> 0x18) * 4) ^  *(0x41c2b0 + (_t223 & 0x000000ff) * 4) ^  *(_t102 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t181 >> 0x18) * 4) ^  *(0x41c2b0 + (_t181 & 0x000000ff) * 4) ^  *(_t103 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t223 >> 0x18) * 4) ^  *(0x41c2b0 + (_t223 & 0x000000ff) * 4) ^  *(_t102 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t223 >> 0x18) * 4) ^  *(0x41c2b0 + (_t223 & 0x000000ff) * 4) ^  *(_t102 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t181 >> 0x18) * 4) ^  *(0x41c2b0 + (_t181 & 0x000000ff) * 4) ^  *(_t103 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (( *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t223 >> 0x18) * 4) ^  *(0x41c2b0 + (_t223 & 0x000000ff) * 4) ^  *(_t102 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + ((_t208 ^ _t89[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + ((_t208 ^ _t89[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t214 >> 0x18) * 4) ^  *(0x41c2b0 + (_t214 & 0x000000ff) * 4) ^  *_t98) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t172 >> 0x18) * 4) ^  *(0x41c2b0 + (_t172 & 0x000000ff) * 4) ^  *(_t100 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t223 >> 0x18) * 4) ^  *(0x41c2b0 + (_t223 & 0x000000ff) * 4) ^  *(_t102 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t181 >> 0x18) * 4) ^  *(0x41c2b0 + (_t181 & 0x000000ff) * 4) ^  *(_t103 - 8)) >> 0x18) * 4) ^  *(0x41c2b0 + (_t232 & 0x000000ff) * 4) ^  *(_t103 - 4);
						_t89 =  &(_t103[1]);
						_t241 =  *(0x41cab0 + (_t190 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (_t190 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t190 >> 0x18) * 4) ^  *(0x41c2b0 + (_t190 & 0x000000ff) * 4) ^  *(_t89 - 4);
						_t266 = _t266 - 0x20;
						_t208 =  *(0x41cab0 + (( *(0x41cab0 + (( *(0x41cab0 + (_t190 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (_t190 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t190 >> 0x18) * 4) ^  *(0x41c2b0 + (_t190 & 0x000000ff) * 4) ^  *(_t89 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (_t190 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (_t190 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t190 >> 0x18) * 4) ^  *(0x41c2b0 + (_t190 & 0x000000ff) * 4) ^  *(_t89 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t241 >> 0x18) * 4) ^  *(0x41c2b0 + (_t241 & 0x000000ff) * 4) ^  *_t89) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (( *(0x41cab0 + (_t190 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (_t190 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t190 >> 0x18) * 4) ^  *(0x41c2b0 + (_t190 & 0x000000ff) * 4) ^  *(_t89 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (_t190 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (_t190 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t190 >> 0x18) * 4) ^  *(0x41c2b0 + (_t190 & 0x000000ff) * 4) ^  *(_t89 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t241 >> 0x18) * 4) ^  *(0x41c2b0 + (_t241 & 0x000000ff) * 4) ^  *_t89) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (( *(0x41cab0 + (( *(0x41cab0 + (_t190 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (_t190 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t190 >> 0x18) * 4) ^  *(0x41c2b0 + (_t190 & 0x000000ff) * 4) ^  *(_t89 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (( *(0x41cab0 + (_t190 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (_t190 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t190 >> 0x18) * 4) ^  *(0x41c2b0 + (_t190 & 0x000000ff) * 4) ^  *(_t89 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t241 >> 0x18) * 4) ^  *(0x41c2b0 + (_t241 & 0x000000ff) * 4) ^  *_t89) >> 0x18) * 4) ^  *(0x41c2b0 + (_t199 & 0x000000ff) * 4);
						_t264 = _t264 - 1;
					} while (_t264 != 0);
				}
				if(_t266 >= 4) {
					_t164 = _t266 >> 2;
					do {
						_t212 = _t208 ^ _t89[1];
						_t89 =  &(_t89[1]);
						_t266 = _t266 - 4;
						_t164 = _t164 - 1;
						_t208 =  *(0x41cab0 + (_t212 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41c6b0 + (_t212 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41ceb0 + (_t212 >> 0x18) * 4) ^  *(0x41c2b0 + (_t212 & 0x000000ff) * 4);
					} while (_t164 != 0);
				}
				_t90 =  &(_t89[1]);
				if(_t266 != 0) {
					do {
						_t208 = _t208 << 0x00000008 ^  *(0x41c2b0 + (_t208 >> 0x00000018 ^  *_t90 & 0x000000ff) * 4);
						_t90 =  &(_t90[1]);
						_t266 = _t266 - 1;
					} while (_t266 != 0);
				}
				return (( !_t208 & 0x0000ff00) + ( !_t208 << 0x10) << 8) + ( !_t208 >> 0x00000008 & 0x0000ff00) + (_t209 >> 0x18);
			}

0x00402b90
0x00402b91
0x00402bb8
0x00402bbc
0x00402bc0
0x00402bd2
0x00402bd9
0x00402bda
0x00402bdd
0x00000000
0x00000000
0x00000000
0x00402bdd
0x00402bc0
0x00402bdf
0x00402be0
0x00402be6
0x00402bee
0x00402bf1
0x00402bf1
0x00402c34
0x00402c37
0x00402c79
0x00402c7c
0x00402cbf
0x00402cc2
0x00402cc5
0x00402d45
0x00402d85
0x00402d88
0x00402d8b
0x00402e03
0x00402e0a
0x00402e0a
0x00402bf1
0x00402e16
0x00402e1a
0x00402e20
0x00402e20
0x00402e23
0x00402e63
0x00402e66
0x00402e69
0x00402e69
0x00402e20
0x00402e6d
0x00402e73
0x00402e75
0x00402e82
0x00402e89
0x00402e8a
0x00402e8a
0x00402e75
0x00402eb6

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688

Uniqueness

Uniqueness Score: -1.00%

Function 004028B0 Relevance: .2, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004028B0(signed int __eax, signed char __ecx, unsigned int __edx) {
				signed int _t87;
				signed int _t90;
				signed int _t119;
				signed char _t175;
				void* _t177;
				void* _t179;
				void* _t181;
				void* _t182;
				unsigned int _t188;
				unsigned int _t238;
				unsigned int _t239;

				_t175 = __ecx;
				_t239 = __edx;
				_t87 =  !__eax;
				if(__edx != 0) {
					while((_t175 & 0x00000003) != 0) {
						_t87 = _t87 >> 0x00000008 ^  *(0x41b2b0 + (( *_t175 & 0x000000ff ^ _t87) & 0x000000ff) * 4);
						_t175 = _t175 + 1;
						_t239 = _t239 - 1;
						if(_t239 != 0) {
							continue;
						}
						goto L4;
					}
				}
				L4:
				if(_t239 >= 0x20) {
					_t238 = _t239 >> 5;
					do {
						_t92 = _t87 ^  *_t175;
						_t177 = _t175 + 8;
						_t196 =  *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4);
						_t179 = _t177 + 8;
						_t101 =  *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8);
						_t181 = _t179 + 8;
						_t214 =  *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x18) * 4) ^  *(0x41beb0 + (_t205 & 0x000000ff) * 4) ^  *(_t181 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x18) * 4) ^  *(0x41beb0 + (_t205 & 0x000000ff) * 4) ^  *(_t181 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x18) * 4) ^  *(0x41beb0 + (_t205 & 0x000000ff) * 4) ^  *(_t181 - 8)) >> 0x18) * 4) ^  *(0x41beb0 + (_t110 & 0x000000ff) * 4) ^  *(_t181 - 4);
						_t182 = _t181 + 4;
						_t119 =  *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x18) * 4) ^  *(0x41beb0 + (_t205 & 0x000000ff) * 4) ^  *(_t181 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x18) * 4) ^  *(0x41beb0 + (_t205 & 0x000000ff) * 4) ^  *(_t181 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x18) * 4) ^  *(0x41beb0 + (_t205 & 0x000000ff) * 4) ^  *(_t181 - 8)) >> 0x18) * 4) ^  *(0x41beb0 + (_t110 & 0x000000ff) * 4) ^  *(_t181 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x18) * 4) ^  *(0x41beb0 + (_t205 & 0x000000ff) * 4) ^  *(_t181 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x18) * 4) ^  *(0x41beb0 + (_t205 & 0x000000ff) * 4) ^  *(_t181 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t92 >> 0x18) * 4) ^  *(0x41beb0 + (_t92 & 0x000000ff) * 4) ^  *(_t177 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t196 >> 0x18) * 4) ^  *(0x41beb0 + (_t196 & 0x000000ff) * 4) ^  *(_t179 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t101 >> 0x18) * 4) ^  *(0x41beb0 + (_t101 & 0x000000ff) * 4) ^  *(_t181 - 0xc)) >> 0x18) * 4) ^  *(0x41beb0 + (_t205 & 0x000000ff) * 4) ^  *(_t181 - 8)) >> 0x18) * 4) ^  *(0x41beb0 + (_t110 & 0x000000ff) * 4) ^  *(_t181 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t214 >> 0x18) * 4) ^  *(0x41beb0 + (_t214 & 0x000000ff) * 4) ^  *(_t182 - 4);
						_t175 = _t182 + 4;
						_t239 = _t239 - 0x20;
						_t87 =  *(0x41b6b0 + (( *(0x41b6b0 + (_t119 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (_t119 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t119 >> 0x18) * 4) ^  *(0x41beb0 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (( *(0x41b6b0 + (_t119 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (_t119 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t119 >> 0x18) * 4) ^  *(0x41beb0 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (( *(0x41b6b0 + (_t119 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (_t119 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t119 >> 0x18) * 4) ^  *(0x41beb0 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x18) * 4) ^  *(0x41beb0 + (_t223 & 0x000000ff) * 4);
						_t238 = _t238 - 1;
					} while (_t238 != 0);
				}
				if(_t239 >= 4) {
					_t188 = _t239 >> 2;
					do {
						_t90 = _t87 ^  *_t175;
						_t175 = _t175 + 4;
						_t239 = _t239 - 4;
						_t188 = _t188 - 1;
						_t87 =  *(0x41b6b0 + (_t90 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41bab0 + (_t90 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x41b2b0 + (_t90 >> 0x18) * 4) ^  *(0x41beb0 + (_t90 & 0x000000ff) * 4);
					} while (_t188 != 0);
				}
				if(_t239 != 0) {
					do {
						_t87 = _t87 >> 0x00000008 ^  *(0x41b2b0 + (( *_t175 & 0x000000ff ^ _t87) & 0x000000ff) * 4);
						_t175 = _t175 + 1;
						_t239 = _t239 - 1;
					} while (_t239 != 0);
				}
				return  !_t87;
			}

0x004028b0
0x004028b1
0x004028b3
0x004028b7
0x004028c0
0x004028d3
0x004028da
0x004028db
0x004028de
0x00000000
0x00000000
0x00000000
0x004028de
0x004028c0
0x004028e0
0x004028e5
0x004028ed
0x004028f0
0x004028f0
0x00402931
0x00402934
0x00402976
0x00402979
0x004029bb
0x00402a3c
0x00402a7b
0x00402a7e
0x00402a81
0x00402ac0
0x00402afb
0x00402b02
0x00402b02
0x004028f0
0x00402b0e
0x00402b12
0x00402b15
0x00402b15
0x00402b17
0x00402b56
0x00402b59
0x00402b5c
0x00402b5c
0x00402b15
0x00402b64
0x00402b70
0x00402b7e
0x00402b85
0x00402b86
0x00402b86
0x00402b70
0x00402b8e

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC

Uniqueness

Uniqueness Score: -1.00%

Function 00401650 Relevance: .1, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00401650(signed char* _a4, intOrPtr _a8) {
				char _v4;
				signed char _v5;
				signed char _v6;
				signed char _v7;
				signed char _v8;
				signed char _v9;
				signed char _v10;
				signed char _v11;
				signed char _v12;
				signed char _v13;
				signed char _v14;
				signed char _v15;
				signed char _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				signed char _v21;
				signed char _v22;
				signed char _v23;
				signed char _v24;
				signed char _v25;
				signed char _v26;
				signed char _v27;
				signed char _v28;
				signed char _v29;
				signed char _v30;
				signed char _v31;
				signed char _v32;
				signed char _v33;
				signed char _v34;
				signed char _v35;
				signed char _v36;
				void* __esi;
				signed char* _t68;
				intOrPtr _t72;
				void* _t137;
				intOrPtr _t138;

				_t68 = _a4;
				_v36 =  *_t68 & 0x000000ff ^ 0x000000a3;
				_v35 = _t68[1] & 0x000000ff ^ 0x00000054;
				_v34 =  !(_t68[2] & 0x000000ff);
				_v33 = _t68[3] & 0x000000ff ^ 0x00000075;
				_v32 = _t68[4] & 0x000000ff ^ 0x000000e7;
				_v31 = _t68[5] & 0x000000ff ^ 0x00000044;
				_v30 = _t68[6] & 0x000000ff ^ 0x0000004b;
				_v29 = _t68[7] & 0x000000ff ^ 0x00000023;
				_v28 = _t68[8] & 0x000000ff ^ 0x000000bf;
				_v27 = _t68[9] & 0x000000ff ^ 0x00000045;
				_v26 = _t68[0xa] & 0x000000ff ^ 0x0000003b;
				_v25 = _t68[0xb] & 0x000000ff ^ 0x00000056;
				_v24 = _t68[0xc] & 0x000000ff ^ 0x000000f8;
				_v23 = _t68[0xd] & 0x000000ff ^ 0x00000098;
				_v22 = _t68[0xe] & 0x000000ff ^ 0x0000005b;
				_v21 = _t68[0xf] & 0x000000ff ^ 0x000000f4;
				_v20 = _t68[0x10] & 0x000000ff ^ 0x000000b5;
				_v19 = _t68[0x11] & 0x000000ff ^ 0x00000087;
				_v18 = _t68[0x12] & 0x000000ff ^ 0x0000007b;
				_v17 = _t68[0x13] & 0x000000ff ^ 0x0000000f;
				_v16 = _t68[0x14] & 0x000000ff ^ 0x000000f4;
				_v15 = _t68[0x15] & 0x000000ff ^ 0x00000076;
				_v14 = _t68[0x16] & 0x000000ff ^ 0x000000b9;
				_v13 = _t68[0x17] & 0x000000ff ^ 0x00000034;
				_v12 = _t68[0x18] & 0x000000ff ^ 0x000000bf;
				_v11 = _t68[0x19] & 0x000000ff ^ 0x0000001e;
				_t138 = _a8;
				_v10 = _t68[0x1a] & 0x000000ff ^ 0x000000e7;
				_v9 = _t68[0x1b] & 0x000000ff ^ 0x00000078;
				_v8 = _t68[0x1c] & 0x000000ff ^ 0x00000098;
				_v7 = _t68[0x1d] & 0x000000ff ^ 0x000000e9;
				_v6 = _t68[0x1e] & 0x000000ff ^ 0x0000006f;
				_v5 = _t68[0x1f] & 0x000000ff ^ 0x000000b4;
				_v4 = 0;
				E0040B350(_t72, _t137, _t138, _t138,  &_v36, 0x20);
				return _t138;
			}

0x00401654
0x00401665
0x0040166d
0x0040167a
0x00401682
0x00401690
0x00401698
0x004016a6
0x004016ae
0x004016bc
0x004016c4
0x004016d2
0x004016da
0x004016e8
0x004016f0
0x004016fe
0x00401706
0x00401714
0x0040171c
0x0040172a
0x00401732
0x00401740
0x00401748
0x00401756
0x0040175e
0x0040176c
0x00401774
0x0040177c
0x00401786
0x0040178e
0x0040179c
0x004017a4
0x004017ba
0x004017be
0x004017c2
0x004017c7
0x004017d5

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77

Uniqueness

Uniqueness Score: -1.00%

Function 00402F20 Relevance: .1, Instructions: 103
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00402F20(signed int _a4, signed int _a8, signed int _a12) {
				char _v128;
				char _v256;
				void* __ebx;
				signed int _t37;
				signed int _t42;
				signed int _t43;
				signed int _t48;
				signed int _t49;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				signed int* _t55;
				signed int* _t56;
				signed int* _t57;
				signed int* _t58;
				signed int _t59;
				signed int _t60;
				void* _t62;
				void* _t64;
				signed int _t66;
				signed int _t68;
				void* _t69;

				_t69 =  &_v256;
				if(_a12 != 0) {
					_t52 = 1;
					_v256 = 0xedb88320;
					_t37 = 1;
					do {
						 *(_t69 + _t37 * 4) = _t52;
						_t37 = _t37 + 1;
						_t52 = _t52 + _t52;
						__eflags = _t37 - 0x20;
					} while (_t37 < 0x20);
					E00402EE0( &_v128,  &_v256);
					E00402EE0( &_v256,  &_v128);
					_t42 = _a4;
					do {
						_t62 = 0;
						do {
							_t53 =  *(_t69 + _t62 + 0xc);
							_t66 = 0;
							_t57 =  &_v256;
							__eflags = _t53;
							while(_t53 != 0) {
								__eflags = _t53 & 0x00000001;
								if((_t53 & 0x00000001) != 0) {
									_t66 = _t66 ^  *_t57;
									__eflags = _t66;
								}
								_t53 = _t53 >> 1;
								_t57 =  &(_t57[1]);
								__eflags = _t53;
							}
							 *(_t69 + _t62 + 0x8c) = _t66;
							_t62 = _t62 + 4;
							__eflags = _t62 - 0x80;
						} while (_t62 < 0x80);
						_t48 = _a12;
						__eflags = _t48 & 0x00000001;
						if(__eflags != 0) {
							_t60 = 0;
							_t56 =  &_v128;
							__eflags = _t42;
							while(__eflags != 0) {
								__eflags = _t42 & 0x00000001;
								if((_t42 & 0x00000001) != 0) {
									_t60 = _t60 ^  *_t56;
									__eflags = _t60;
								}
								_t42 = _t42 >> 1;
								_t56 =  &(_t56[1]);
								__eflags = _t42;
							}
							_t42 = _t60;
						}
						_t49 = _t48 >> 1;
						if(__eflags != 0) {
							_t64 = 0;
							do {
								_t54 =  *(_t69 + _t64 + 0x8c);
								_t68 = 0;
								_t58 =  &_v128;
								__eflags = _t54;
								while(_t54 != 0) {
									__eflags = _t54 & 0x00000001;
									if((_t54 & 0x00000001) != 0) {
										_t68 = _t68 ^  *_t58;
										__eflags = _t68;
									}
									_t54 = _t54 >> 1;
									_t58 =  &(_t58[1]);
									__eflags = _t54;
								}
								 *(_t69 + _t64 + 0xc) = _t68;
								_t64 = _t64 + 4;
								__eflags = _t64 - 0x80;
							} while (_t64 < 0x80);
							__eflags = _t49 & 0x00000001;
							if(__eflags != 0) {
								_t59 = 0;
								_t55 =  &_v256;
								__eflags = _t42;
								while(__eflags != 0) {
									__eflags = _t42 & 0x00000001;
									if((_t42 & 0x00000001) != 0) {
										_t59 = _t59 ^  *_t55;
										__eflags = _t59;
									}
									_t42 = _t42 >> 1;
									_t55 =  &(_t55[1]);
									__eflags = _t42;
								}
								_t42 = _t59;
							}
							goto L32;
						}
						break;
						L32:
						_a12 = _t49 >> 1;
					} while (__eflags != 0);
					_t43 = _t42 ^ _a8;
					__eflags = _t43;
					return _t43;
				} else {
					return _a4;
				}
			}

0x00402f20
0x00402f2e
0x00402f3e
0x00402f43
0x00402f4a
0x00402f50
0x00402f50
0x00402f53
0x00402f54
0x00402f56
0x00402f56
0x00402f69
0x00402f79
0x00402f7e
0x00402f85
0x00402f85
0x00402f90
0x00402f90
0x00402f94
0x00402f96
0x00402f9a
0x00402f9c
0x00402fa0
0x00402fa3
0x00402fa5
0x00402fa5
0x00402fa5
0x00402fa7
0x00402fa9
0x00402fac
0x00402fac
0x00402fb0
0x00402fb7
0x00402fba
0x00402fba
0x00402fc2
0x00402fc9
0x00402fcc
0x00402fce
0x00402fd0
0x00402fd7
0x00402fd9
0x00402fe0
0x00402fe2
0x00402fe4
0x00402fe4
0x00402fe4
0x00402fe6
0x00402fe8
0x00402feb
0x00402feb
0x00402fef
0x00402fef
0x00402ff1
0x00402ff3
0x00402ff5
0x00403000
0x00403000
0x00403007
0x00403009
0x00403010
0x00403012
0x00403014
0x00403017
0x00403019
0x00403019
0x00403019
0x0040301b
0x0040301d
0x00403020
0x00403020
0x00403024
0x00403028
0x0040302b
0x0040302b
0x00403033
0x00403036
0x00403038
0x0040303a
0x0040303e
0x00403040
0x00403042
0x00403044
0x00403046
0x00403046
0x00403046
0x00403048
0x0040304a
0x0040304d
0x0040304d
0x00403051
0x00403051
0x00000000
0x00403036
0x00000000
0x00403053
0x00403055
0x00403055
0x00403062
0x00403062
0x00403072
0x00402f30
0x00402f3d
0x00402f3d

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795

Uniqueness

Uniqueness Score: -1.00%

Function 00402F89 Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00402F89(signed int __eax, void* __edi, char _a12, char _a140, signed int _a276, signed int _a280) {
				signed int _t28;
				signed int _t30;
				signed int _t31;
				unsigned int _t34;
				unsigned int _t35;
				signed int* _t36;
				signed int* _t37;
				signed int* _t38;
				signed int* _t39;
				signed int _t40;
				signed int _t41;
				void* _t43;
				void* _t45;
				signed int _t46;
				signed int _t48;
				void* _t49;
				signed int _t60;
				signed int _t70;

				_t28 = __eax;
				while(1) {
					_t34 =  *(_t49 + _t43 + 0xc);
					_t46 = 0;
					_t38 =  &_a12;
					if(_t34 != 0) {
					}
					L3:
					do {
						if((_t34 & 0x00000001) != 0) {
							_t46 = _t46 ^  *_t38;
						}
						_t34 = _t34 >> 1;
						_t38 =  &(_t38[1]);
					} while (_t34 != 0);
					L7:
					 *(_t49 + _t43 + 0x8c) = _t46;
					_t43 = _t43 + 4;
					if(_t43 < 0x80) {
						do {
							_t34 =  *(_t49 + _t43 + 0xc);
							_t46 = 0;
							_t38 =  &_a12;
							if(_t34 != 0) {
							}
							goto L7;
						} while (_t43 < 0x80);
					}
					_t30 = _a280;
					if((_t30 & 0x00000001) != 0) {
						_t41 = 0;
						_t37 =  &_a140;
						if(_t28 != 0) {
							do {
								if((_t28 & 0x00000001) != 0) {
									_t41 = _t41 ^  *_t37;
								}
								_t28 = _t28 >> 1;
								_t37 =  &(_t37[1]);
								_t60 = _t28;
							} while (_t60 != 0);
						}
						_t28 = _t41;
					}
					_t31 = _t30 >> 1;
					if(_t60 != 0) {
						_t45 = 0;
						do {
							_t35 =  *(_t49 + _t45 + 0x8c);
							_t48 = 0;
							_t39 =  &_a140;
							while(_t35 != 0) {
								if((_t35 & 0x00000001) != 0) {
									_t48 = _t48 ^  *_t39;
								}
								_t35 = _t35 >> 1;
								_t39 =  &(_t39[1]);
							}
							 *(_t49 + _t45 + 0xc) = _t48;
							_t45 = _t45 + 4;
						} while (_t45 < 0x80);
						if((_t31 & 0x00000001) != 0) {
							_t40 = 0;
							_t36 =  &_a12;
							if(_t28 != 0) {
								do {
									if((_t28 & 0x00000001) != 0) {
										_t40 = _t40 ^  *_t36;
									}
									_t28 = _t28 >> 1;
									_t36 =  &(_t36[1]);
									_t70 = _t28;
								} while (_t70 != 0);
							}
							_t28 = _t40;
						}
						_a280 = _t31 >> 1;
						if(_t70 != 0) {
							_t43 = 0;
							continue;
						}
					}
					return _t28 ^ _a276;
				}
			}

0x00402f89
0x00402f90
0x00402f90
0x00402f94
0x00402f96
0x00402f9c
0x00402f9c
0x00000000
0x00402fa0
0x00402fa3
0x00402fa5
0x00402fa5
0x00402fa7
0x00402fa9
0x00402fac
0x00402fb0
0x00402fb0
0x00402fb7
0x00402fc0
0x00402f90
0x00402f90
0x00402f94
0x00402f96
0x00402f9c
0x00402f9c
0x00000000
0x00402f9c
0x00402f90
0x00402fc2
0x00402fcc
0x00402fce
0x00402fd0
0x00402fd9
0x00402fe0
0x00402fe2
0x00402fe4
0x00402fe4
0x00402fe6
0x00402fe8
0x00402feb
0x00402feb
0x00402fe0
0x00402fef
0x00402fef
0x00402ff1
0x00402ff3
0x00402ff5
0x00403000
0x00403000
0x00403007
0x00403009
0x00403012
0x00403017
0x00403019
0x00403019
0x0040301b
0x0040301d
0x00403020
0x00403024
0x00403028
0x0040302b
0x00403036
0x00403038
0x0040303a
0x00403040
0x00403042
0x00403044
0x00403046
0x00403046
0x00403048
0x0040304a
0x0040304d
0x0040304d
0x00403042
0x00403051
0x00403051
0x00403055
0x0040305c
0x00402f85
0x00000000
0x00402f85
0x0040305c
0x00403072
0x00403072

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB4B Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040EB4B(void* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				void* _t5;
				void* _t7;
				void* _t9;
				void* _t10;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;
				void* _t25;
				void* _t26;
				void* _t28;
				void* _t29;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t36;

				_t26 = __edi;
				_t22 = __ecx;
				_t20 = __ebx;
				if(__eax == 0) {
					_t17 = E0040EF42(_t25, _t28, 0x2fb, "<program name unknown>");
					_t34 = _t34 + 0xc;
					if(_t17 != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E0040E61C(__ebx, _t22, _t25, __edi, _t28);
						_t34 = _t34 + 0x14;
					}
				}
				_t5 = E0040EE20(_t28);
				_pop(_t23);
				if(_t5 + 1 <= 0x3c) {
					L6:
					_t29 = 0;
				} else {
					_t23 = 0x42395c - E0040EE20(_t28) + _t28 - 0x3b;
					_t15 = E00411DA6(_t25, E0040EE20(_t28) + _t28 - 0x3b, 0x42395c - E0040EE20(_t28) + _t28 - 0x3b, "...", 3);
					_t34 = _t34 + 0x14;
					if(_t15 == 0) {
						goto L6;
					} else {
						_t29 = 0;
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E0040E61C(_t20, _t23, _t25, _t26, 0);
						_t34 = _t34 + 0x14;
					}
				}
				_t7 = E00413CE7(_t25, _t26, _t20, "\n\n");
				_t35 = _t34 + 0xc;
				if(_t7 != 0) {
					_push(_t29);
					_push(_t29);
					_push(_t29);
					_push(_t29);
					_push(_t29);
					E0040E61C(_t20, _t23, _t25, _t26, _t29);
					_t35 = _t35 + 0x14;
				}
				_t9 = E00413CE7(_t25, _t26, _t20,  *((intOrPtr*)(0x422394 +  *(_t32 - 4) * 8)));
				_t36 = _t35 + 0xc;
				if(_t9 != 0) {
					_push(_t29);
					_push(_t29);
					_push(_t29);
					_push(_t29);
					_push(_t29);
					E0040E61C(_t20, _t23, _t25, _t26, _t29);
					_t36 = _t36 + 0x14;
				}
				_t10 = E00413B7E(_t25, _t26, "Microsoft Visual C++ Runtime Library", 0x12010);
				return _t10;
			}

0x0040eb4b
0x0040eb4b
0x0040eb4b
0x0040eb4d
0x0040eb5a
0x0040eb5f
0x0040eb64
0x0040eb68
0x0040eb69
0x0040eb6a
0x0040eb6b
0x0040eb6c
0x0040eb6d
0x0040eb72
0x0040eb72
0x0040eb64
0x0040eb76
0x0040eb7c
0x0040eb80
0x0040ebba
0x0040ebba
0x0040eb82
0x0040eb99
0x0040eb9d
0x0040eba2
0x0040eba7
0x00000000
0x0040eba9
0x0040eba9
0x0040ebab
0x0040ebac
0x0040ebad
0x0040ebae
0x0040ebaf
0x0040ebb0
0x0040ebb5
0x0040ebb5
0x0040eba7
0x0040ebc3
0x0040ebc8
0x0040ebcd
0x0040ebcf
0x0040ebd0
0x0040ebd1
0x0040ebd2
0x0040ebd3
0x0040ebd4
0x0040ebd9
0x0040ebd9
0x0040ebe8
0x0040ebed
0x0040ebf2
0x0040ebf4
0x0040ebf5
0x0040ebf6
0x0040ebf7
0x0040ebf8
0x0040ebf9
0x0040ebfe
0x0040ebfe
0x0040ec0c
0x0040ec4c

APIs

_strcpy_s.LIBCMT ref: 0040EB5A
__invoke_watson.LIBCMT ref: 0040EB6D

Part of subcall function 0040E61C: _memset.LIBCMT ref: 0040E644

_strlen.LIBCMT ref: 0040EB76
_strlen.LIBCMT ref: 0040EB83
__invoke_watson.LIBCMT ref: 0040EBB0
_strcat_s.LIBCMT ref: 0040EBC3
__invoke_watson.LIBCMT ref: 0040EBD4
_strcat_s.LIBCMT ref: 0040EBE8
__invoke_watson.LIBCMT ref: 0040EBF9

Strings

Microsoft Visual C++ Runtime Library, xrefs: 0040EC06
<program name unknown>, xrefs: 0040EB4F
..., xrefs: 0040EB94
\9B, xrefs: 0040EB8F

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __invoke_watson$_strcat_s_strlen$_memset_strcpy_s
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$\9B
API String ID: 3570712386-3387272480
Opcode ID: 06d2b621cc9b300c966313b15f957776a291e6205490eb7c9fff434c9247e2ec
Instruction ID: cb6993bc74da45dc02846fe83fa6c1a1929d276571387690253672d07ebaaeaf
Opcode Fuzzy Hash: 06d2b621cc9b300c966313b15f957776a291e6205490eb7c9fff434c9247e2ec
Instruction Fuzzy Hash: 54017CA2E4111131E512B6772D07EAF65188A61788B480C7BFD06B02D3FA6FDA7650EE

Uniqueness

Uniqueness Score: -1.00%

Function 004147EC Relevance: 15.3, APIs: 10, Instructions: 287
stringCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E004147EC(intOrPtr* __ecx, signed int __edx, short* _a4, intOrPtr _a8, int _a12, char* _a16, int _a20, int _a24) {
				signed int _v8;
				char _v28;
				char* _v32;
				signed int _v36;
				char* _v40;
				short* _v44;
				int _v48;
				void* _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t81;
				intOrPtr _t84;
				short* _t102;
				int _t105;
				signed int _t108;
				void* _t110;
				short* _t111;
				signed int _t113;
				void* _t115;
				short* _t116;
				void* _t124;
				char* _t126;
				void* _t127;
				short* _t128;
				int _t129;
				int _t130;
				int _t134;
				void* _t152;
				short* _t153;
				short* _t155;
				short* _t156;
				intOrPtr* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				signed int _t166;
				short* _t167;
				int _t172;

				_t147 = __edx;
				_t164 = _t166;
				_t167 = _t166 - 0x2c;
				_t81 =  *0x422234; // 0x3100e2c7
				_v8 = _t81 ^ _t166;
				_t126 = __edx;
				_t158 = __ecx;
				_v40 = __edx;
				_v32 = _a16;
				_t172 =  *0x423e70; // 0x0
				if(_t172 == 0) {
					_push(1);
					_push(0x420398);
					_push(1);
					_push(0x420398);
					_push(0);
					_push(0);
					_push(0x420398);
					if(E006961F4(0x420398) == 0) {
						_push(0);
						_t124 = E00643E55(_t123, __ecx, 0);
						__eflags = _t124 - 0x78;
						if(_t124 == 0x78) {
							 *0x423e70 = 2;
						}
					} else {
						 *0x423e70 = 1;
					}
				}
				if(_a12 <= 0) {
					__eflags = _a12 - 0xffffffff;
					if(_a12 >= 0xffffffff) {
						goto L7;
					} else {
						goto L10;
					}
				} else {
					_a12 = E004147CE(_a12);
					L7:
					_t147 = _a20;
					if(_t147 <= 0) {
						__eflags = _t147 - 0xffffffff;
						if(_t147 < 0xffffffff) {
							goto L10;
						} else {
							goto L12;
						}
					} else {
						_t147 = E004147CE(_t147);
						_a20 = _t147;
						L12:
						_t134 =  *0x423e70; // 0x0
						if(_t134 == 2 || _t134 == 0) {
							_t153 = 0;
							_t128 = 0;
							__eflags = _a4;
							if(_a4 == 0) {
								_a4 =  *((intOrPtr*)( *_t158 + 0x14));
							}
							__eflags = _a24 - _t153;
							if(_a24 == _t153) {
								_a24 =  *((intOrPtr*)( *_t158 + 4));
							}
							_t160 = E00417A20(_t128, _t147, _t153, _t158, _a4);
							__eflags = _t160 - 0xffffffff;
							if(_t160 == 0xffffffff) {
								goto L10;
							} else {
								__eflags = _t160 - _a24;
								if(_t160 == _a24) {
									L65:
									_push(_a20);
									_push(_v32);
									_push(_a12);
									_push(_v40);
									_push(_a8);
									_push(_a4);
									_push(_t147);
									_t161 = E004736E0(_t86, _t160);
									__eflags = _t128;
									if(__eflags != 0) {
										_push(_t128);
										E0040B6B5(_t128, _t147, _t153, _t161, __eflags);
										_push(_t153);
										E0040B6B5(_t128, _t147, _t153, _t161, __eflags);
									}
									_t84 = _t161;
								} else {
									_t128 = E00417A69(_t147, _a24, _t160, _v40,  &_a12, 0, 0);
									__eflags = _t128;
									if(_t128 == 0) {
										goto L10;
									} else {
										_t153 = E00417A69(_t147, _a24, _t160, _v32,  &_a20, 0, 0);
										__eflags = _t153;
										if(__eflags != 0) {
											_v40 = _t128;
											_v32 = _t153;
											goto L65;
										} else {
											_push(_t128);
											E0040B6B5(_t128, _t147, _t153, _t160, __eflags);
											goto L10;
										}
									}
								}
							}
						} else {
							_t84 = 1;
							if(_t134 != 1) {
								L10:
								_t84 = 0;
							} else {
								_v44 = 0;
								if(_a24 == 0) {
									_a24 =  *((intOrPtr*)( *_t158 + 4));
								}
								if(_a12 == 0 || _t147 == 0) {
									if(_a12 != _t147) {
										__eflags = _t147 - _t84;
										if(_t147 <= _t84) {
											__eflags = _a12 - _t84;
											if(_a12 <= _t84) {
												_push( &_v28);
												_push(_a24);
												return E00601E76( &_v28, _t147, 0);
											}
											_push(3);
											goto L21;
										}
									} else {
										_push(2);
										L21:
										_pop(_t84);
									}
								} else {
									_t129 = MultiByteToWideChar(_a24, 9, _t126, _a12, 0, 0);
									_v48 = _t129;
									__eflags = _t129;
									if(_t129 == 0) {
										goto L10;
									} else {
										__eflags = _t129;
										if(_t129 <= 0) {
											L37:
											_t31 =  &_v36;
											 *_t31 = _v36 & 0x00000000;
											__eflags =  *_t31;
										} else {
											_t113 = 0xffffffe0;
											_t147 = _t113 % _t129;
											__eflags = _t113 / _t129 - 2;
											if(_t113 / _t129 < 2) {
												goto L37;
											} else {
												_t29 = _t129 + 8; // 0x8
												_t115 = _t129 + _t29;
												__eflags = _t115 - 0x400;
												if(_t115 > 0x400) {
													_t116 = E0040B84D(_t129, _t147, 0x400, _t115);
													__eflags = _t116;
													if(_t116 != 0) {
														 *_t116 = 0xdddd;
														goto L35;
													}
												} else {
													E0040CFB0(_t115);
													_t116 = _t167;
													__eflags = _t116;
													if(_t116 != 0) {
														 *_t116 = 0xcccc;
														L35:
														_t116 =  &(_t116[4]);
														__eflags = _t116;
													}
												}
												_v36 = _t116;
											}
										}
										__eflags = _v36;
										if(_v36 == 0) {
											goto L10;
										} else {
											_t102 = MultiByteToWideChar(_a24, 1, _v40, _a12, _v36, _t129);
											__eflags = _t102;
											if(_t102 != 0) {
												_t130 = MultiByteToWideChar(_a24, 9, _v32, _a20, 0, 0);
												__eflags = _t130;
												if(__eflags != 0) {
													if(__eflags <= 0) {
														L49:
														_t155 = 0;
														__eflags = 0;
														goto L50;
													} else {
														_t108 = 0xffffffe0;
														_t147 = _t108 % _t130;
														__eflags = _t108 / _t130 - 2;
														if(_t108 / _t130 < 2) {
															goto L49;
														} else {
															_t46 = _t130 + 8; // 0x8
															_t110 = _t130 + _t46;
															__eflags = _t110 - 0x400;
															if(_t110 > 0x400) {
																_t111 = E0040B84D(_t130, _t147, 0x400, _t110);
																__eflags = _t111;
																if(_t111 != 0) {
																	 *_t111 = 0xdddd;
																	_t111 =  &(_t111[4]);
																	__eflags = _t111;
																}
																_t155 = _t111;
																goto L50;
															} else {
																E0040CFB0(_t110);
																_t156 = _t167;
																__eflags = _t156;
																if(_t156 != 0) {
																	 *_t156 = 0xcccc;
																	_t155 =  &(_t156[4]);
																	L50:
																	__eflags = _t155;
																	if(_t155 != 0) {
																		_t105 = MultiByteToWideChar(_a24, 1, _v32, _a20, _t155, _t130);
																		__eflags = _t105;
																		if(_t105 != 0) {
																			_push(_t130);
																			_push(_t155);
																			_push(_v48);
																			_push(_v36);
																			_push(_a8);
																			_push(_a4);
																			_push(_t105);
																			_v44 = E006F3057();
																		}
																		E004147AE(_t155);
																	}
																}
															}
														}
													}
												}
											}
											E004147AE(_v36);
											_t84 = _v44;
										}
									}
								}
							}
						}
					}
				}
				_pop(_t152);
				_pop(_t159);
				_pop(_t127);
				return E0040CE09(_t84, _t127, _v8 ^ _t164, _t147, _t152, _t159);
			}

0x004147ec
0x004147ef
0x004147f1
0x004147f4
0x004147fb
0x00414806
0x00414808
0x0041480a
0x0041480d
0x00414810
0x00414816
0x00414818
0x0041481f
0x00414820
0x00414822
0x00414823
0x00414824
0x00414825
0x0041482d
0x0041483b
0x0041483c
0x00414841
0x00414844
0x00414846
0x00414846
0x0041482f
0x0041482f
0x0041482f
0x0041482d
0x00414853
0x0041487b
0x0041487f
0x00000000
0x00000000
0x00000000
0x00000000
0x00414855
0x00414860
0x00414863
0x00414863
0x00414868
0x00414888
0x0041488b
0x00000000
0x00000000
0x00000000
0x00000000
0x0041486a
0x00414873
0x00414876
0x0041488d
0x0041488d
0x00414896
0x00414a95
0x00414a97
0x00414a99
0x00414a9c
0x00414aa3
0x00414aa3
0x00414aa6
0x00414aa9
0x00414ab0
0x00414ab0
0x00414abb
0x00414abe
0x00414ac1
0x00000000
0x00414ac7
0x00414ac7
0x00414aca
0x00414b1c
0x00414b1c
0x00414b1f
0x00414b22
0x00414b25
0x00414b28
0x00414b2b
0x00414b2e
0x00414b34
0x00414b36
0x00414b38
0x00414b3a
0x00414b3b
0x00414b40
0x00414b41
0x00414b47
0x00414b48
0x00414acc
0x00414ae0
0x00414ae5
0x00414ae7
0x00000000
0x00414aed
0x00414b01
0x00414b06
0x00414b08
0x00414b16
0x00414b19
0x00000000
0x00414b0a
0x00414b0a
0x00414b0b
0x00000000
0x00414b10
0x00414b08
0x00414ae7
0x00414aca
0x004148a4
0x004148a6
0x004148a9
0x00414881
0x00414881
0x004148ab
0x004148ab
0x004148b1
0x004148b8
0x004148b8
0x004148be
0x004148cb
0x004148d5
0x004148d7
0x004148dd
0x004148e0
0x004148e9
0x004148ea
0x00000000
0x004148ed
0x004148e2
0x00000000
0x004148e2
0x004148cd
0x004148cd
0x004148cf
0x004148cf
0x004148cf
0x00414962
0x00414975
0x00414977
0x0041497a
0x0041497c
0x00000000
0x00414982
0x00414987
0x00414989
0x004149cb
0x004149cb
0x004149cb
0x004149cb
0x0041498b
0x0041498f
0x00414990
0x00414992
0x00414995
0x00000000
0x00414997
0x00414997
0x00414997
0x0041499b
0x0041499d
0x004149b3
0x004149b9
0x004149bb
0x004149bd
0x00000000
0x004149bd
0x0041499f
0x0041499f
0x004149a4
0x004149a6
0x004149a8
0x004149aa
0x004149c3
0x004149c3
0x004149c3
0x004149c3
0x004149a8
0x004149c6
0x004149c6
0x00414995
0x004149cf
0x004149d3
0x00000000
0x004149d9
0x004149e8
0x004149ea
0x004149ec
0x00414a03
0x00414a05
0x00414a07
0x00414a09
0x00414a4d
0x00414a4d
0x00414a4d
0x00000000
0x00414a0b
0x00414a0f
0x00414a10
0x00414a12
0x00414a15
0x00000000
0x00414a17
0x00414a17
0x00414a17
0x00414a1b
0x00414a1d
0x00414a36
0x00414a3c
0x00414a3e
0x00414a40
0x00414a46
0x00414a46
0x00414a46
0x00414a49
0x00000000
0x00414a1f
0x00414a1f
0x00414a24
0x00414a26
0x00414a28
0x00414a2a
0x00414a30
0x00414a4f
0x00414a4f
0x00414a51
0x00414a60
0x00414a62
0x00414a64
0x00414a66
0x00414a67
0x00414a68
0x00414a6b
0x00414a6e
0x00414a71
0x00414a74
0x00414a7a
0x00414a7a
0x00414a7e
0x00414a83
0x00414a51
0x00414a28
0x00414a1d
0x00414a15
0x00414a09
0x00414a07
0x00414a87
0x00414a8c
0x00414a8f
0x004149d3
0x0041497c
0x004148be
0x004148a9
0x00414896
0x00414868
0x00414b4d
0x00414b4e
0x00414b4f
0x00414b5b

APIs

strncnt.LIBCMT ref: 0041485A
strncnt.LIBCMT ref: 0041486E

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: strncnt
String ID:
API String ID: 1848897525-0
Opcode ID: 2f3568f2f627745aba43e69e41c01c6a3c017f22fb9dd24a3c17ca294ea20e8c
Instruction ID: bbf5ecf5850f3dfa2c1b4a762ae467c565c37b63079245c99bf9d3321aecd98f
Opcode Fuzzy Hash: 2f3568f2f627745aba43e69e41c01c6a3c017f22fb9dd24a3c17ca294ea20e8c
Instruction Fuzzy Hash: C491D771940206ABDF119FA5CC41EEF7AB9EFC4354F24412BF914A6291D739CC91CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00417081 Relevance: 13.8, APIs: 9, Instructions: 338
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 57%

			E00417081(intOrPtr* __ecx, signed int __edx, signed int _a4, signed int _a8, char* _a12, int _a16, intOrPtr _a20, signed int _a24, int _a28, signed int _a32) {
				signed int _v8;
				short* _v12;
				short* _v16;
				short* _v20;
				intOrPtr _v24;
				void* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t110;
				signed int _t112;
				intOrPtr _t113;
				signed int _t115;
				signed int _t116;
				signed int _t120;
				void* _t121;
				signed int _t122;
				signed int _t124;
				void* _t128;
				signed int _t129;
				signed int _t139;
				signed int _t143;
				signed int _t146;
				void* _t147;
				signed int _t149;
				void* _t151;
				signed int _t152;
				signed int* _t156;
				signed int _t159;
				void* _t163;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				void* _t183;
				int _t184;
				signed int _t189;
				void* _t190;
				signed int _t191;
				intOrPtr* _t194;
				signed int _t195;
				signed int _t196;
				signed int _t198;
				signed int _t200;
				signed int _t201;
				signed int _t204;
				signed int _t207;

				_t179 = __edx;
				_t198 = _t200;
				_t201 = _t200 - 0x14;
				_t110 =  *0x422234; // 0x3100e2c7
				_t111 = _t110 ^ _t198;
				_v8 = _t110 ^ _t198;
				_push(_t182);
				_t188 = __ecx;
				_t207 =  *0x423e7c; // 0x1
				if(_t207 != 0) {
					__eflags = _a16;
					if(_a16 > 0) {
						_t178 = _a16;
						_t156 = _a12;
						while(1) {
							_t178 = _t178 - 1;
							__eflags =  *_t156;
							if( *_t156 == 0) {
								break;
							}
							_t156 =  &(_t156[0]);
							__eflags = _t178;
							if(_t178 != 0) {
								continue;
							} else {
								_t178 = _t178 | 0xffffffff;
								__eflags = _t178;
							}
							break;
						}
						_t159 = _a16 - _t178 - 1;
						__eflags = _t159 - _a16;
						if(_t159 < _a16) {
							_t159 = _t159 + 1;
							__eflags = _t159;
						}
						_a16 = _t159;
					}
					_t112 =  *0x423e7c; // 0x1
					__eflags = _t112 - 2;
					if(_t112 == 2) {
						L50:
						_v16 = 0;
						_v20 = 0;
						__eflags = _a4;
						if(_a4 == 0) {
							_a4 =  *((intOrPtr*)( *_t188 + 0x14));
						}
						__eflags = _a28;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t188 + 4));
						}
						_t113 = E00417A20(0, _t179, _t182, _t188, _a4);
						_v24 = _t113;
						__eflags = _t113 - 0xffffffff;
						if(_t113 != 0xffffffff) {
							__eflags = _t113 - _a28;
							if(_t113 == _a28) {
								_push(_a24);
								_push(_a20);
								_push(_a16);
								_push(_a12);
								_push(_a8);
								_push(_a4);
								_push(_t182);
								_t189 = E005AD1F9(_t113, 0);
								goto L75;
							} else {
								_t120 = E00417A69(_t179, _a28, _t113, _a12,  &_a16, 0, 0);
								_t204 = _t201 + 0x18;
								_v16 = _t120;
								__eflags = _t120;
								if(__eflags == 0) {
									goto L55;
								} else {
									_t121 = E0070AAF2(_t120, 0,  &_a16, _t182, __eflags);
									_t122 =  *_t188(_a4, _a8, _t121, _a16, 0, 0, _t179);
									_v12 = _t122;
									__eflags = _t122;
									if(__eflags != 0) {
										if(__eflags <= 0) {
											L68:
											_t182 = 0;
											__eflags = 0;
											goto L69;
										} else {
											__eflags = _t122 - 0xffffffe0;
											if(_t122 > 0xffffffe0) {
												goto L68;
											} else {
												_t128 = _t122 + 8;
												__eflags = _t128 - 0x400;
												if(_t128 > 0x400) {
													_t129 = E0040B84D(0, _t179, _t182, _t128);
													__eflags = _t129;
													if(_t129 != 0) {
														 *_t129 = 0xdddd;
														_t129 = _t129 + 8;
														__eflags = _t129;
													}
													_t182 = _t129;
													goto L69;
												} else {
													E0040CFB0(_t128);
													_t182 = _t204;
													__eflags = _t182;
													if(_t182 == 0) {
														goto L59;
													} else {
														 *_t182 = 0xcccc;
														_t182 = _t182 + 8;
														L69:
														__eflags = _t182;
														if(_t182 == 0) {
															goto L59;
														} else {
															E0040BA30(_t182, _t182, 0, _v12);
															_t124 =  *_t188(_a4, _a8, _v16, _a16, _t182, _v12);
															_v12 = _t124;
															__eflags = _t124;
															if(_t124 != 0) {
																_t191 = E00417A69(_t179, _v24, _a28, _t182,  &_v12, _a20, _a24);
																_v20 = _t191;
																asm("sbb esi, esi");
																_t189 =  ~_t191 & _v12;
																__eflags = _t189;
															} else {
																_t189 = 0;
															}
															E004147AE(_t182);
														}
													}
												}
											}
										}
									} else {
										L59:
										_t189 = 0;
									}
									L75:
									__eflags = _v16;
									if(__eflags != 0) {
										_push(_v16);
										E0040B6B5(0, _t179, _t182, _t189, __eflags);
									}
									_t115 = _v20;
									__eflags = _t115;
									if(_t115 != 0) {
										__eflags = _a20 - _t115;
										if(__eflags != 0) {
											_push(_t115);
											E0040B6B5(0, _t179, _t182, _t189, __eflags);
										}
									}
									_t116 = _t189;
								}
							}
						} else {
							goto L55;
						}
					} else {
						__eflags = _t112;
						if(_t112 == 0) {
							goto L50;
						} else {
							__eflags = _t112 - 1;
							if(_t112 != 1) {
								L55:
								_t116 = 0;
							} else {
								_v12 = 0;
								__eflags = _a28;
								if(_a28 == 0) {
									_a28 =  *((intOrPtr*)( *_t188 + 4));
								}
								__eflags = _a32;
								_t184 = MultiByteToWideChar(_a28, 1 + (0 | _a32 != 0x00000000) * 8, _a12, _a16, 0, 0);
								__eflags = _t184;
								if(__eflags == 0) {
									goto L55;
								} else {
									if(__eflags <= 0) {
										L25:
										_v16 = 0;
									} else {
										_t149 = 0xffffffe0;
										_t179 = _t149 % _t184;
										__eflags = _t149 / _t184 - 2;
										if(_t149 / _t184 < 2) {
											goto L25;
										} else {
											_t25 = _t184 + 8; // 0x8
											_t151 = _t184 + _t25;
											__eflags = _t151 - 0x400;
											if(_t151 > 0x400) {
												_t152 = E0040B84D(0, _t179, _t184, _t151);
												__eflags = _t152;
												if(_t152 != 0) {
													 *_t152 = 0xdddd;
													goto L23;
												}
											} else {
												E0040CFB0(_t151);
												_t152 = _t201;
												__eflags = _t152;
												if(_t152 != 0) {
													 *_t152 = 0xcccc;
													L23:
													_t152 = _t152 + 8;
													__eflags = _t152;
												}
											}
											_v16 = _t152;
										}
									}
									__eflags = _v16;
									if(_v16 == 0) {
										goto L55;
									} else {
										_t139 = MultiByteToWideChar(_a28, 1, _a12, _a16, _v16, _t184);
										__eflags = _t139;
										if(_t139 != 0) {
											_pop(_t194);
											E006574E7(_t139, _t194);
											_t174 =  *_t194(_a4, _a8, _v16, _t184, 0, 0);
											_v12 = _t174;
											__eflags = _t174;
											if(_t174 != 0) {
												__eflags = _a8 & 0x00000400;
												if((_a8 & 0x00000400) == 0) {
													__eflags = _t174;
													if(_t174 <= 0) {
														L41:
														_t195 = 0;
														__eflags = 0;
														goto L42;
													} else {
														_t146 = 0xffffffe0;
														_t142 = _t146 / _t174;
														_t179 = _t146 % _t174;
														__eflags = _t146 / _t174 - 2;
														if(_t146 / _t174 < 2) {
															goto L41;
														} else {
															_t52 = _t174 + 8; // 0x8
															_t147 = _t174 + _t52;
															__eflags = _t147 - 0x400;
															if(_t147 > 0x400) {
																_t142 = E0040B84D(0, _t179, _t184, _t147);
																__eflags = _t142;
																if(_t142 != 0) {
																	 *_t142 = 0xdddd;
																	_t142 = _t142 + 8;
																	__eflags = _t142;
																}
																_t195 = _t142;
																goto L42;
															} else {
																_t142 = E0040CFB0(_t147);
																_t196 = _t201;
																__eflags = _t196;
																if(_t196 != 0) {
																	 *_t196 = 0xcccc;
																	_t195 = _t196 + 8;
																	L42:
																	__eflags = _t195;
																	if(_t195 != 0) {
																		_push(_v12);
																		_push(_t195);
																		_push(_t184);
																		_push(_v16);
																		_push(_a8);
																		_push(_a4);
																		_push(_t198);
																		_t143 = E006C6775(_t142, _t179);
																		__eflags = _t143;
																		if(_t143 != 0) {
																			_push(0);
																			_push(0);
																			__eflags = _a24;
																			if(_a24 != 0) {
																				_push(_a24);
																				_push(_a20);
																			} else {
																				_push(0);
																				_push(0);
																			}
																			_push(_v12);
																			_push(_t195);
																			_push(0);
																			_push(_a28);
																			_push(_t184);
																			_v12 = E007129B7(_t143, _t184);
																		}
																		E004147AE(_t195);
																	}
																}
															}
														}
													}
												} else {
													__eflags = _a24;
													if(_a24 != 0) {
														__eflags = _t174 - _a24;
														if(_t174 <= _a24) {
															 *_t194(_a4, _a8, _v16, _t184, _a20, _a24);
														}
													}
												}
											}
										}
										E004147AE(_v16);
										_t116 = _v12;
									}
								}
							}
						}
					}
					_pop(_t183);
					_pop(_t190);
					_pop(_t163);
					__eflags = _v8 ^ _t198;
					return E0040CE09(_t116, _t163, _v8 ^ _t198, _t179, _t183, _t190);
				} else {
					_push(0);
					_push(0);
					_push(1);
					_push(0x420398);
					_push(0x100);
					_push(0);
					return E007193B3(_t111, __edx, __ecx, _t198);
				}
			}

0x00417081
0x00417084
0x00417086
0x00417089
0x0041708e
0x00417090
0x00417097
0x00417098
0x0041709a
0x004170a0
0x004170da
0x004170dd
0x004170df
0x004170e2
0x004170e5
0x004170e5
0x004170e6
0x004170e8
0x00000000
0x00000000
0x004170ea
0x004170eb
0x004170ed
0x00000000
0x004170ef
0x004170ef
0x004170ef
0x004170ef
0x00000000
0x004170ed
0x004170f7
0x004170f8
0x004170fb
0x004170fd
0x004170fd
0x004170fd
0x004170fe
0x004170fe
0x00417101
0x00417106
0x00417109
0x004172bb
0x004172bb
0x004172be
0x004172c1
0x004172c4
0x004172cb
0x004172cb
0x004172ce
0x004172d1
0x004172d8
0x004172d8
0x004172de
0x004172e4
0x004172e7
0x004172ea
0x004172f3
0x004172f6
0x004173d7
0x004173da
0x004173dd
0x004173e0
0x004173e3
0x004173e6
0x004173e9
0x004173ef
0x00000000
0x004172fc
0x00417309
0x0041730e
0x00417311
0x00417314
0x00417316
0x00000000
0x00417318
0x00417319
0x0041732a
0x0041732c
0x0041732f
0x00417331
0x0041733a
0x00417379
0x00417379
0x00417379
0x00000000
0x0041733c
0x0041733c
0x0041733f
0x00000000
0x00417341
0x00417341
0x00417344
0x00417349
0x00417362
0x00417368
0x0041736a
0x0041736c
0x00417372
0x00417372
0x00417372
0x00417375
0x00000000
0x0041734b
0x0041734b
0x00417350
0x00417352
0x00417354
0x00000000
0x00417356
0x00417356
0x0041735c
0x0041737b
0x0041737b
0x0041737d
0x00000000
0x0041737f
0x00417384
0x0041739c
0x0041739e
0x004173a1
0x004173a3
0x004173bf
0x004173c1
0x004173c9
0x004173cb
0x004173cb
0x004173a5
0x004173a5
0x004173a5
0x004173cf
0x004173d4
0x0041737d
0x00417354
0x00417349
0x0041733f
0x00417333
0x00417333
0x00417333
0x00417333
0x004173f1
0x004173f1
0x004173f4
0x004173f6
0x004173f9
0x004173fe
0x004173ff
0x00417402
0x00417404
0x00417406
0x00417409
0x0041740b
0x0041740c
0x00417411
0x00417409
0x00417412
0x00417412
0x00417316
0x00000000
0x00000000
0x00000000
0x0041710f
0x0041710f
0x00417111
0x00000000
0x00417117
0x00417117
0x0041711a
0x004172ec
0x004172ec
0x00417120
0x00417120
0x00417123
0x00417126
0x0041712d
0x0041712d
0x00417138
0x00417153
0x00417155
0x00417157
0x00000000
0x0041715d
0x0041715d
0x004171a2
0x004171a2
0x0041715f
0x00417163
0x00417164
0x00417166
0x00417169
0x00000000
0x0041716b
0x0041716b
0x0041716b
0x0041716f
0x00417174
0x0041718a
0x00417190
0x00417192
0x00417194
0x00000000
0x00417194
0x00417176
0x00417176
0x0041717b
0x0041717d
0x0041717f
0x00417181
0x0041719a
0x0041719a
0x0041719a
0x0041719a
0x0041717f
0x0041719d
0x0041719d
0x00417169
0x004171a5
0x004171a8
0x00000000
0x004171ae
0x004171bd
0x004171bf
0x004171c1
0x004171c7
0x004171c8
0x004171db
0x004171dd
0x004171e0
0x004171e2
0x004171e8
0x004171ef
0x0041721a
0x0041721c
0x00417263
0x00417263
0x00417263
0x00000000
0x0041721e
0x00417222
0x00417223
0x00417223
0x00417225
0x00417228
0x00000000
0x0041722a
0x0041722a
0x0041722a
0x0041722e
0x00417233
0x0041724c
0x00417252
0x00417254
0x00417256
0x0041725c
0x0041725c
0x0041725c
0x0041725f
0x00000000
0x00417235
0x00417235
0x0041723a
0x0041723c
0x0041723e
0x00417240
0x00417246
0x00417265
0x00417265
0x00417267
0x00417269
0x0041726c
0x0041726d
0x0041726e
0x00417271
0x00417274
0x00417277
0x00417278
0x0041727d
0x0041727f
0x00417281
0x00417282
0x00417283
0x00417286
0x0041728c
0x0041728f
0x00417288
0x00417288
0x00417289
0x00417289
0x00417292
0x00417295
0x00417296
0x00417297
0x0041729a
0x004172a0
0x004172a0
0x004172a4
0x004172a9
0x00417267
0x0041723e
0x00417233
0x00417228
0x004171f1
0x004171f1
0x004171f4
0x004171fa
0x004171fd
0x00417213
0x00417213
0x004171fd
0x004171f4
0x004171ef
0x004171e2
0x004172ad
0x004172b2
0x004172b5
0x004171a8
0x00417157
0x0041711a
0x00417111
0x00417417
0x00417418
0x00417419
0x0041741d
0x00417425
0x004170a2
0x004170a2
0x004170a3
0x004170a7
0x004170a8
0x004170ad
0x004170b2
0x004170b8
0x004170b8

APIs

MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 3a19db72180bef6377bf80d8a4e1384c8a09c6eaaeeaa9cf05ad0507c6445e8e
Instruction ID: eaf441be5203c67b828ea762a1c1f7b3391b7ad2038ff01fe9ab69638b5170db
Opcode Fuzzy Hash: 3a19db72180bef6377bf80d8a4e1384c8a09c6eaaeeaa9cf05ad0507c6445e8e
Instruction Fuzzy Hash: 08B1CD7280811ABFCF119FA4CC818EF3BB6EF48354B10456BF915A2250D7398DD2DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415D84 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 333
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00415D84(void* __eax, signed int __ebx, void* __ecx, signed int* __esi) {
				signed int _t102;
				signed int _t106;
				signed int _t110;
				signed int _t115;
				signed int _t117;
				signed int* _t120;
				signed int _t122;
				signed int _t124;
				intOrPtr _t125;
				signed int _t127;
				void* _t131;
				signed int _t135;
				signed int _t138;
				void* _t140;
				signed int _t142;
				void* _t143;
				signed int* _t145;
				signed int _t146;
				signed int _t148;
				signed int _t152;
				signed int _t153;
				signed int _t155;
				void* _t156;
				void* _t158;
				intOrPtr* _t159;
				signed int _t160;
				signed char _t166;
				signed int _t196;
				signed int _t199;
				void* _t203;
				signed int _t204;
				signed int* _t205;
				signed int _t207;
				void* _t208;
				void* _t210;
				void* _t216;

				_t205 = __esi;
				_t160 = __ebx;
				if(__eax != __ebx) {
					__eflags = __eax - 2;
					if(__eax != 2) {
						__eflags = __eax - 3;
						if(__eax == 3) {
							_t8 = _t208 - 1;
							 *_t8 =  *(_t208 - 1) | 0x00000008;
							__eflags =  *_t8;
						}
					} else {
						 *(_t208 - 1) =  *(_t208 - 1) | 0x00000040;
					}
					E0041541B( *_t205,  *((intOrPtr*)(_t208 - 0x1c)));
					_t166 =  *(_t208 - 1) | 0x00000001;
					 *( *((intOrPtr*)(0x423f60 + ( *_t205 >> 5) * 4)) + (( *_t205 & 0x0000001f) << 6) + 4) = _t166;
					_t102 =  *_t205;
					_t196 =  *(0x423f60 + (_t102 >> 5) * 4);
					_t19 = ((_t102 & 0x0000001f) << 6) + 0x24; // 0x24
					 *(_t196 + _t19) =  *(_t196 + _t19) & 0x00000080;
					 *(_t208 - 3) = _t166;
					_t21 = _t208 - 3;
					 *_t21 =  *(_t208 - 3) & 0x00000048;
					__eflags =  *_t21;
					 *(_t208 - 1) = _t166;
					if( *_t21 != 0) {
						L19:
						__eflags =  *(_t208 - 1) & 0x00000080;
						if(( *(_t208 - 1) & 0x00000080) == 0) {
							goto L71;
						} else {
							__eflags =  *(_t208 + 0x10) & 0x00074000;
							if(( *(_t208 + 0x10) & 0x00074000) == 0) {
								_t152 =  *(_t208 - 0x20) & 0x00074000;
								__eflags = _t152;
								if(_t152 != 0) {
									_t43 = _t208 + 0x10;
									 *_t43 =  *(_t208 + 0x10) | _t152;
									__eflags =  *_t43;
								} else {
									 *(_t208 + 0x10) =  *(_t208 + 0x10) | 0x00004000;
								}
							}
							_t122 =  *(_t208 + 0x10) & 0x00074000;
							__eflags = _t122 - 0x4000;
							if(_t122 == 0x4000) {
								 *(_t208 - 2) = _t160;
							} else {
								__eflags = _t122 - 0x10000;
								if(_t122 == 0x10000) {
									L32:
									__eflags = ( *(_t208 + 0x10) & 0x00000301) - 0x301;
									if(( *(_t208 + 0x10) & 0x00000301) == 0x301) {
										goto L33;
									}
								} else {
									__eflags = _t122 - 0x14000;
									if(_t122 == 0x14000) {
										goto L32;
									} else {
										__eflags = _t122 - 0x20000;
										if(_t122 == 0x20000) {
											L33:
											 *(_t208 - 2) = 2;
										} else {
											__eflags = _t122 - 0x24000;
											if(_t122 == 0x24000) {
												goto L33;
											} else {
												__eflags = _t122 - 0x40000;
												if(_t122 == 0x40000) {
													L31:
													 *(_t208 - 2) = 1;
												} else {
													__eflags = _t122 - 0x44000;
													if(_t122 == 0x44000) {
														goto L31;
													}
												}
											}
										}
									}
								}
							}
							__eflags =  *(_t208 + 0x10) & 0x00070000;
							if(( *(_t208 + 0x10) & 0x00070000) == 0) {
								goto L71;
							} else {
								__eflags =  *(_t208 - 1) & 0x00000040;
								 *(_t208 - 0x18) = _t160;
								if(( *(_t208 - 1) & 0x00000040) != 0) {
									goto L71;
								} else {
									_t124 =  *(_t208 - 8) & 0xc0000000;
									__eflags = _t124 - 0x40000000;
									if(_t124 == 0x40000000) {
										_t125 =  *((intOrPtr*)(_t208 - 0x14));
										__eflags = _t125 - _t160;
										if(_t125 <= _t160) {
											goto L71;
										} else {
											__eflags = _t125 - 2;
											if(_t125 <= 2) {
												goto L44;
											} else {
												__eflags = _t125 - 4;
												if(_t125 > 4) {
													goto L43;
												} else {
													_t135 = E00414F8F(0xc0000000,  *_t205, _t160, _t160, 2);
													_t210 = _t210 + 0x10;
													__eflags = _t135 | _t196;
													if((_t135 | _t196) == 0) {
														goto L44;
													} else {
														_t138 = E00414F8F(0xc0000000,  *_t205, _t160, _t160, _t160) & _t196;
														__eflags = _t138;
														goto L59;
													}
												}
											}
										}
									} else {
										__eflags = _t124 - 0x80000000;
										if(_t124 == 0x80000000) {
											L49:
											_t140 = E0040FD32(0x74000,  *_t205, _t208 - 0x18, 3);
											__eflags = _t140 - 0xffffffff;
											if(_t140 == 0xffffffff) {
												goto L14;
											} else {
												__eflags = _t140 - 2;
												if(_t140 == 2) {
													L61:
													_t142 =  *(_t208 - 0x18) & 0x0000ffff;
													__eflags = _t142 - 0xfffe;
													if(_t142 != 0xfffe) {
														__eflags = _t142 - 0xfeff;
														if(_t142 != 0xfeff) {
															goto L67;
														} else {
															_t143 = E004118C4(_t196, 0x74000,  *_t205, 2, _t160);
															__eflags = _t143 - 0xffffffff;
															if(_t143 == 0xffffffff) {
																goto L14;
															} else {
																 *(_t208 - 2) = 2;
																goto L71;
															}
														}
													} else {
														E00410A0B( *_t205);
														_t145 = E0040BFC1();
														_t207 = 0x16;
														 *_t145 = _t207;
														_t115 = _t207;
														goto L78;
													}
												} else {
													__eflags = _t140 - 3;
													if(_t140 != 3) {
														L67:
														_t138 = E004118C4(_t196, 0x74000,  *_t205, _t160, _t160);
														L59:
														__eflags = _t138 - 0xffffffff;
														if(_t138 != 0xffffffff) {
															goto L71;
														} else {
															goto L14;
														}
													} else {
														__eflags =  *(_t208 - 0x18) - 0xbfbbef;
														if( *(_t208 - 0x18) != 0xbfbbef) {
															goto L61;
														} else {
															 *(_t208 - 2) = 1;
															goto L71;
														}
													}
												}
											}
										} else {
											__eflags = _t124 - 0xc0000000;
											if(_t124 != 0xc0000000) {
												goto L71;
											} else {
												_t125 =  *((intOrPtr*)(_t208 - 0x14));
												__eflags = _t125 - _t160;
												if(_t125 <= _t160) {
													goto L71;
												} else {
													__eflags = _t125 - 2;
													if(_t125 <= 2) {
														L44:
														_t203 = 0;
														_t127 =  *(_t208 - 2) - 1;
														__eflags = _t127;
														if(__eflags == 0) {
															 *(_t208 - 0x18) = 0xbfbbef;
															 *((intOrPtr*)(_t208 - 0x14)) = 3;
															goto L69;
														} else {
															__eflags = _t127 - 1;
															if(__eflags != 0) {
																goto L71;
															} else {
																 *(_t208 - 0x18) = 0xfeff;
																 *((intOrPtr*)(_t208 - 0x14)) = 2;
																while(1) {
																	L69:
																	_push( *((intOrPtr*)(_t208 - 0x14)) - _t203);
																	_push(_t208 + _t203 - 0x18);
																	_push( *_t205);
																	_t131 = E0040F944(_t160, _t196, _t203, _t205, __eflags);
																	_t210 = _t210 + 0xc;
																	__eflags = _t131 - 0xffffffff;
																	if(_t131 == 0xffffffff) {
																		goto L14;
																	}
																	_t203 = _t203 + _t131;
																	__eflags =  *((intOrPtr*)(_t208 - 0x14)) - _t203;
																	if(__eflags > 0) {
																		continue;
																	} else {
																		goto L71;
																	}
																	goto L79;
																}
																goto L14;
															}
														}
													} else {
														__eflags = _t125 - 4;
														if(_t125 <= 4) {
															_t146 = E00414F8F(0xc0000000,  *_t205, _t160, _t160, 2);
															_t210 = _t210 + 0x10;
															__eflags = _t146 | _t196;
															if((_t146 | _t196) == 0) {
																goto L44;
															} else {
																_t148 = E00414F8F(0xc0000000,  *_t205, _t160, _t160, _t160);
																_t210 = _t210 + 0x10;
																__eflags = (_t148 & _t196) - 0xffffffff;
																if((_t148 & _t196) == 0xffffffff) {
																	goto L14;
																} else {
																	goto L49;
																}
															}
														} else {
															L43:
															__eflags = _t125 - 5;
															if(_t125 != 5) {
																goto L71;
															} else {
																goto L44;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					} else {
						__eflags = _t166 & 0x00000080;
						if((_t166 & 0x00000080) == 0) {
							L71:
							_t106 =  *_t205;
							_t77 = ((_t106 & 0x0000001f) << 6) + 0x24; // 0x24
							 *( *((intOrPtr*)(0x423f60 + (_t106 >> 5) * 4)) + _t77) =  *( *((intOrPtr*)(0x423f60 + (_t106 >> 5) * 4)) + _t77) ^ ( *( *((intOrPtr*)(0x423f60 + (_t106 >> 5) * 4)) + _t77) ^  *(_t208 - 2)) & 0x0000007f;
							_t110 =  *_t205;
							_t82 = ((_t110 & 0x0000001f) << 6) + 0x24; // 0x48
							 *( *((intOrPtr*)(0x423f60 + (_t110 >> 5) * 4)) + _t82) =  *(_t208 + 0x10) >> 0x00000010 << 0x00000007 |  *( *((intOrPtr*)(0x423f60 + (_t110 >> 5) * 4)) + _t82) & 0x0000007f;
							__eflags =  *(_t208 - 3) - _t160;
							if( *(_t208 - 3) == _t160) {
								__eflags =  *(_t208 + 0x10) & 0x00000008;
								if(( *(_t208 + 0x10) & 0x00000008) != 0) {
									_t117 =  *_t205;
									_t91 = ((_t117 & 0x0000001f) << 6) + 4; // 0x4c
									_t120 =  *((intOrPtr*)(0x423f60 + (_t117 >> 5) * 4)) + _t91;
									 *_t120 =  *_t120 | 0x00000020;
									__eflags =  *_t120;
								}
							}
							__eflags = ( *(_t208 - 8) & 0xc0000000) - 0xc0000000;
							if(( *(_t208 - 8) & 0xc0000000) != 0xc0000000) {
								L77:
								_t115 = _t160;
								goto L78;
							} else {
								__eflags =  *(_t208 + 0x10) & 0x00000001;
								if(( *(_t208 + 0x10) & 0x00000001) == 0) {
									goto L77;
								} else {
									_push( *((intOrPtr*)(_t208 - 0x1c)));
									return E0069AD08(0xc0000000, _t205);
								}
							}
						} else {
							__eflags =  *(_t208 + 0x10) & 0x00000002;
							if(( *(_t208 + 0x10) & 0x00000002) == 0) {
								goto L19;
							} else {
								_t204 = _t199 | 0xffffffff;
								_t153 = E004118C4(_t196, _t204,  *_t205, _t204, 2);
								_t210 = _t210 + 0xc;
								 *(_t208 - 0x18) = _t153;
								__eflags = _t153 - _t204;
								if(_t153 != _t204) {
									 *(_t208 - 4) = _t160;
									_t155 = E0040FD32(_t204,  *_t205, _t208 - 4, 1);
									_t216 = _t210 + 0xc;
									__eflags = _t155;
									if(_t155 != 0) {
										L18:
										_t156 = E004118C4(_t196, _t204,  *_t205, _t160, _t160);
										_t210 = _t216 + 0xc;
										__eflags = _t156 - _t204;
										if(_t156 == _t204) {
											goto L14;
										} else {
											goto L19;
										}
									} else {
										__eflags =  *(_t208 - 4) - 0x1a;
										if(__eflags != 0) {
											goto L18;
										} else {
											asm("cdq");
											_t158 = E00417EE1(_t160, _t166, _t196, _t204, _t205, __eflags,  *_t205,  *(_t208 - 0x18), _t196);
											_t216 = _t216 + 0xc;
											__eflags = _t158 - _t204;
											if(_t158 == _t204) {
												goto L14;
											} else {
												goto L18;
											}
										}
									}
								} else {
									_t159 = E0040BFD4();
									__eflags =  *_t159 - 0x83;
									if( *_t159 == 0x83) {
										goto L19;
									} else {
										L14:
										E00410A0B( *_t205);
										goto L2;
									}
								}
							}
						}
					}
				} else {
					__esi =  *__esi;
					__esi = __esi >> 5;
					__eax =  *(0x423f60 + (__esi >> 5) * 4);
					__esi = __esi & 0x0000001f;
					__eax =  &(__eax[__esi + 4]);
					 *__eax =  *__eax & 0x000000fe;
					_push(__eax);
					__esi = E0070BCB6(__ebx, __ecx, __eflags);
					__eax = E0040BFE7(__esi);
					_push( *((intOrPtr*)(__ebp - 0x1c)));
					_push(__ebx);
					__eax = E004805DC(__eax, __ecx);
					__eflags = __esi - __ebx;
					if(__esi == __ebx) {
						 *(E0040BFC1()) = 0xd;
					}
					L2:
					_t115 =  *(E0040BFC1());
					L78:
					return _t115;
				}
				L79:
			}

0x00415d84
0x00415d84
0x00415d86
0x00415dcc
0x00415dcf
0x00415dd7
0x00415dda
0x00415ddc
0x00415ddc
0x00415ddc
0x00415ddc
0x00415dd1
0x00415dd1
0x00415dd1
0x00415de5
0x00415e03
0x00415e06
0x00415e0a
0x00415e14
0x00415e1e
0x00415e22
0x00415e25
0x00415e28
0x00415e28
0x00415e28
0x00415e2c
0x00415e2f
0x00415eb5
0x00415eb5
0x00415eb9
0x00000000
0x00415ebf
0x00415ec9
0x00415ecc
0x00415ed1
0x00415ed1
0x00415ed3
0x00415eda
0x00415eda
0x00415eda
0x00415ed5
0x00415ed5
0x00415ed5
0x00415ed3
0x00415ee0
0x00415ee2
0x00415ee4
0x00415f2a
0x00415ee6
0x00415ee6
0x00415eeb
0x00415f16
0x00415f20
0x00415f22
0x00000000
0x00000000
0x00415eed
0x00415eed
0x00415ef2
0x00000000
0x00415ef4
0x00415ef4
0x00415ef9
0x00415f24
0x00415f24
0x00415efb
0x00415efb
0x00415f00
0x00000000
0x00415f02
0x00415f02
0x00415f07
0x00415f10
0x00415f10
0x00415f09
0x00415f09
0x00415f0e
0x00000000
0x00000000
0x00415f0e
0x00415f07
0x00415f00
0x00415ef9
0x00415ef2
0x00415eeb
0x00415f2d
0x00415f34
0x00000000
0x00415f3a
0x00415f3a
0x00415f3e
0x00415f41
0x00000000
0x00415f47
0x00415f4f
0x00415f51
0x00415f56
0x00416013
0x00416016
0x00416018
0x00000000
0x0041601e
0x0041601e
0x00416021
0x00000000
0x00416027
0x00416027
0x0041602a
0x00000000
0x00416030
0x00416036
0x0041603b
0x0041603e
0x00416040
0x00000000
0x00416046
0x00416053
0x00416053
0x00000000
0x00416053
0x00416040
0x0041602a
0x00416021
0x00415f5c
0x00415f5c
0x00415f61
0x00415fda
0x00415fe2
0x00415fea
0x00415fed
0x00000000
0x00415ff3
0x00415ff3
0x00415ff6
0x00416063
0x00416066
0x0041606b
0x00416070
0x0041608b
0x00416090
0x00000000
0x00416092
0x00416097
0x0041609f
0x004160a2
0x00000000
0x004160a8
0x004160a8
0x00000000
0x004160a8
0x004160a2
0x00416072
0x00416074
0x0041607a
0x00416081
0x00416082
0x00416084
0x00000000
0x00416084
0x00415ff8
0x00415ff8
0x00415ffb
0x004160ae
0x004160b2
0x00416055
0x00416055
0x00416058
0x00000000
0x0041605e
0x00000000
0x0041605e
0x00416001
0x00416001
0x00416008
0x00000000
0x0041600a
0x0041600a
0x00000000
0x0041600a
0x00416008
0x00415ffb
0x00415ff6
0x00415f63
0x00415f63
0x00415f65
0x00000000
0x00415f6b
0x00415f6b
0x00415f6e
0x00415f70
0x00000000
0x00415f76
0x00415f76
0x00415f79
0x00415f89
0x00415f8d
0x00415f8f
0x00415f8f
0x00415f90
0x004160bc
0x004160c3
0x00000000
0x00415f96
0x00415f96
0x00415f97
0x00000000
0x00415f9d
0x00415f9d
0x00415fa4
0x004160ca
0x004160ca
0x004160cf
0x004160d4
0x004160d5
0x004160d7
0x004160dc
0x004160df
0x004160e2
0x00000000
0x00000000
0x004160e8
0x004160ea
0x004160ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004160ed
0x00000000
0x004160ca
0x00415f97
0x00415f7b
0x00415f7b
0x00415f7e
0x00415fb6
0x00415fbb
0x00415fbe
0x00415fc0
0x00000000
0x00415fc2
0x00415fc7
0x00415fce
0x00415fd1
0x00415fd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00415fd4
0x00415f80
0x00415f80
0x00415f80
0x00415f83
0x00000000
0x00000000
0x00000000
0x00000000
0x00415f83
0x00415f7e
0x00415f79
0x00415f70
0x00415f65
0x00415f61
0x00415f56
0x00415f41
0x00415f34
0x00415e35
0x00415e35
0x00415e38
0x004160ef
0x004160ef
0x00416103
0x0041610f
0x00416111
0x00416125
0x00416139
0x0041613b
0x0041613e
0x00416140
0x00416144
0x00416146
0x0041615a
0x0041615a
0x0041615e
0x0041615e
0x0041615e
0x00416144
0x0041616d
0x0041616f
0x004161ed
0x004161ed
0x00000000
0x00416171
0x00416171
0x00416175
0x00000000
0x00416177
0x00416177
0x0041617f
0x0041617f
0x00416175
0x00415e3e
0x00415e3e
0x00415e42
0x00000000
0x00415e44
0x00415e46
0x00415e4c
0x00415e51
0x00415e54
0x00415e57
0x00415e59
0x00415e7c
0x00415e7f
0x00415e84
0x00415e87
0x00415e89
0x00415ea5
0x00415ea9
0x00415eae
0x00415eb1
0x00415eb3
0x00000000
0x00000000
0x00000000
0x00000000
0x00415e8b
0x00415e8b
0x00415e8f
0x00000000
0x00415e91
0x00415e94
0x00415e99
0x00415e9e
0x00415ea1
0x00415ea3
0x00000000
0x00000000
0x00000000
0x00000000
0x00415ea3
0x00415e8f
0x00415e5b
0x00415e5b
0x00415e60
0x00415e66
0x00000000
0x00415e68
0x00415e68
0x00415e6a
0x00000000
0x00415d6e
0x00415e66
0x00415e59
0x00415e42
0x00415e38
0x00415d88
0x00415d88
0x00415d8c
0x00415d8f
0x00415d96
0x00415d9c
0x00415da0
0x00415da3
0x00415da9
0x00415dac
0x00415db2
0x00415db5
0x00415db6
0x00415dbb
0x00415dbd
0x00415dc4
0x00415dc4
0x00415d6f
0x00415d74
0x004161ef
0x004161f3
0x004161f3
0x00000000

APIs

__dosmaperr.LIBCMT ref: 00415DAC

Strings

H, xrefs: 00415E28
@, xrefs: 00415F3A

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __dosmaperr
String ID: @$H
API String ID: 2332233096-104103126
Opcode ID: b88af319e2f03ae862cd3b96ca5845106f266b3827fc9d0b7d8799fbd7cae0a4
Instruction ID: aaf825a608f008b4fcfa7eb922cb6dde0e2f63f919e31823289b3edbde30b42d
Opcode Fuzzy Hash: b88af319e2f03ae862cd3b96ca5845106f266b3827fc9d0b7d8799fbd7cae0a4
Instruction Fuzzy Hash: 97B12371A04649DAEB219F28C8827FE3BA1DB84318F28456BE550DB392D73DCEC5C749

Uniqueness

Uniqueness Score: -1.00%

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004057B0(intOrPtr* __eax, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t57;
				char* _t60;
				char _t62;
				intOrPtr _t63;
				char _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t74;
				intOrPtr _t79;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t87;
				char* _t89;
				intOrPtr* _t92;
				intOrPtr* _t94;
				signed int _t98;
				signed int _t99;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;

				_t99 = _t98 | 0xffffffff;
				 *((intOrPtr*)(_t101 + 0xc)) = 0;
				_t92 = __eax;
				 *((intOrPtr*)(_t101 + 0x10)) = _t101 + 0x10;
				if( *((intOrPtr*)(_t101 + 0x68)) == 0 || __eax == 0) {
					__eflags = 0;
					return 0;
				} else {
					_t94 = E0040B84D(0, __edx, __eax, 0x74);
					_t102 = _t101 + 4;
					if(_t94 == 0) {
						L31:
						return 0;
					} else {
						 *((intOrPtr*)(_t94 + 0x20)) = 0;
						 *((intOrPtr*)(_t94 + 0x24)) = 0;
						 *((intOrPtr*)(_t94 + 0x28)) = 0;
						 *((intOrPtr*)(_t94 + 0x44)) = 0;
						 *_t94 = 0;
						 *((intOrPtr*)(_t94 + 0x48)) = 0;
						 *((intOrPtr*)(_t94 + 0xc)) = 0;
						 *((intOrPtr*)(_t94 + 0x10)) = 0;
						 *((intOrPtr*)(_t94 + 4)) = 0;
						 *((intOrPtr*)(_t94 + 0x40)) = 0;
						 *((intOrPtr*)(_t94 + 0x38)) = 0;
						 *((intOrPtr*)(_t94 + 0x3c)) = 0;
						 *((intOrPtr*)(_t94 + 0x64)) = 0;
						 *((intOrPtr*)(_t94 + 0x68)) = 0;
						 *(_t94 + 0x6c) = _t99;
						 *((intOrPtr*)(_t94 + 0x4c)) = E00403080(0, 0, 0);
						_t57 =  *((intOrPtr*)(_t102 + 0x78));
						_t103 = _t102 + 0xc;
						 *((intOrPtr*)(_t94 + 0x50)) = 0;
						 *((intOrPtr*)(_t94 + 0x58)) = 0;
						_t87 = _t57 + 1;
						do {
							_t82 =  *_t57;
							_t57 = _t57 + 1;
						} while (_t82 != 0);
						_t60 = E0040B84D(0, _t87, _t92, _t57 - _t87 + 1);
						_t104 = _t103 + 4;
						 *((intOrPtr*)(_t94 + 0x54)) = _t60;
						if(_t60 == 0) {
							L30:
							E00405160(0, _t94);
							goto L31;
						} else {
							_t83 =  *((intOrPtr*)(_t104 + 0x6c));
							_t88 = _t60;
							goto L7;
							L9:
							L9:
							if( *_t92 == 0x72) {
								 *((char*)(_t94 + 0x5c)) = 0x72;
							}
							_t63 =  *_t92;
							if(_t63 == 0x77 || _t63 == 0x61) {
								 *((char*)(_t94 + 0x5c)) = 0x77;
							}
							_t64 =  *_t92;
							if(_t64 < 0x30 || _t64 > 0x39) {
								__eflags = _t64 - 0x66;
								if(_t64 != 0x66) {
									__eflags = _t64 - 0x68;
									if(_t64 != 0x68) {
										__eflags = _t64 - 0x52;
										if(_t64 != 0x52) {
											_t89 =  *((intOrPtr*)(_t104 + 0x14));
											 *_t89 = _t64;
											_t88 = _t89 + 1;
											__eflags = _t88;
											 *((intOrPtr*)(_t104 + 0x14)) = _t88;
										} else {
											 *((intOrPtr*)(_t104 + 0x10)) = 3;
										}
									} else {
										 *((intOrPtr*)(_t104 + 0x10)) = 2;
									}
								} else {
									 *((intOrPtr*)(_t104 + 0x10)) = 1;
								}
							} else {
								_t99 = _t64 - 0x30;
							}
							_t92 = _t92 + 1;
							if(_t64 == 0) {
								goto L26;
							}
							_t88 = _t104 + 0x68;
							if( *((intOrPtr*)(_t104 + 0x14)) != _t104 + 0x68) {
								goto L9;
							}
							L26:
							_t65 =  *((intOrPtr*)(_t94 + 0x5c));
							if(_t65 == 0) {
								goto L30;
							} else {
								if(_t65 != 0x77) {
									_t66 = E0040B84D(0, _t88, _t92, 0x4000);
									 *((intOrPtr*)(_t94 + 0x44)) = _t66;
									 *_t94 = _t66;
									_t67 = E004071A0(_t94, 0xfffffff1, "1.2.3", 0x38);
									_t105 = _t104 + 0x14;
									__eflags = _t67;
									if(_t67 != 0) {
										goto L30;
									} else {
										__eflags =  *((intOrPtr*)(_t94 + 0x44));
										if( *((intOrPtr*)(_t94 + 0x44)) == 0) {
											goto L30;
										} else {
											goto L34;
										}
									}
								} else {
									_push(0x38);
									_push("1.2.3");
									_push( *((intOrPtr*)(_t104 + 0x10)));
									_push(8);
									_push(0xfffffff1);
									_push(8);
									_push(_t99);
									_push(_t94);
									_t92 = E00404CE0();
									_t79 = E0040B84D(0, _t88, _t92, 0x4000);
									_t105 = _t104 + 0x24;
									 *((intOrPtr*)(_t94 + 0x48)) = _t79;
									 *((intOrPtr*)(_t94 + 0xc)) = _t79;
									if(_t92 != 0 || _t79 == 0) {
										goto L30;
									} else {
										L34:
										 *((intOrPtr*)(_t94 + 0x10)) = 0x4000;
										 *((intOrPtr*)(E0040BFC1())) = 0;
										_t69 =  *((intOrPtr*)(_t105 + 0x70));
										__eflags = _t69;
										_push(_t105 + 0x18);
										if(__eflags >= 0) {
											_push(_t69);
											_t70 = E0040C953(0, _t88, _t92, _t94, __eflags);
										} else {
											_push( *((intOrPtr*)(_t105 + 0x70)));
											_t70 = E0040CB9D();
										}
										 *((intOrPtr*)(_t94 + 0x40)) = _t70;
										__eflags = _t70;
										if(_t70 == 0) {
											goto L30;
										} else {
											__eflags =  *((char*)(_t94 + 0x5c)) - 0x77;
											if( *((char*)(_t94 + 0x5c)) != 0x77) {
												E00405000(_t94, 0);
												_push( *((intOrPtr*)(_t94 + 0x40)));
												_t74 = E0040C8E5(0,  *((intOrPtr*)(_t94 + 0x40)), _t92, _t94, __eflags) -  *((intOrPtr*)(_t94 + 4));
												__eflags = _t74;
												 *((intOrPtr*)(_t94 + 0x60)) = _t74;
												return _t94;
											} else {
												 *((intOrPtr*)(_t94 + 0x60)) = 0xa;
												return _t94;
											}
										}
									}
								}
							}
							goto L42;
							L7:
							_t62 =  *_t83;
							 *_t88 = _t62;
							_t83 = _t83 + 1;
							_t88 = _t88 + 1;
							if(_t62 != 0) {
								goto L7;
							} else {
								 *((char*)(_t94 + 0x5c)) = 0;
							}
							goto L9;
						}
					}
				}
				L42:
			}

0x004057b7
0x004057bf
0x004057c3
0x004057c5
0x004057cd
0x004059c8
0x004059ce
0x004057db
0x004057e3
0x004057e5
0x004057ea
0x00405921
0x0040592a
0x004057f0
0x004057f3
0x004057f6
0x004057f9
0x004057fc
0x004057ff
0x00405801
0x00405804
0x00405807
0x0040580a
0x0040580d
0x00405810
0x00405813
0x00405816
0x00405819
0x0040581c
0x00405824
0x00405827
0x0040582b
0x0040582e
0x00405831
0x00405834
0x00405837
0x00405837
0x00405839
0x0040583a
0x00405842
0x00405847
0x0040584a
0x0040584f
0x0040591c
0x0040591c
0x00000000
0x00405855
0x00405855
0x00405859
0x0040585b
0x00000000
0x00405870
0x00405872
0x00405874
0x00405874
0x00405877
0x0040587b
0x00405881
0x00405881
0x00405885
0x00405889
0x00405897
0x00405899
0x004058a5
0x004058a7
0x004058b3
0x004058b5
0x004058c1
0x004058c5
0x004058c7
0x004058c7
0x004058c8
0x004058b7
0x004058b7
0x004058b7
0x004058a9
0x004058a9
0x004058a9
0x0040589b
0x0040589b
0x0040589b
0x0040588f
0x00405892
0x00405892
0x004058cc
0x004058cf
0x00000000
0x00000000
0x004058d1
0x004058d9
0x00000000
0x00000000
0x004058db
0x004058db
0x004058e0
0x00000000
0x004058e2
0x004058e4
0x00405930
0x0040593f
0x00405942
0x00405944
0x00405949
0x0040594c
0x0040594e
0x00000000
0x00405950
0x00405950
0x00405953
0x00000000
0x00000000
0x00000000
0x00000000
0x00405953
0x004058e6
0x004058ea
0x004058ec
0x004058f1
0x004058f2
0x004058f4
0x004058f6
0x004058f8
0x004058f9
0x00405904
0x00405906
0x0040590b
0x0040590e
0x00405911
0x00405916
0x00000000
0x00405955
0x00405955
0x00405955
0x00405961
0x00405963
0x00405967
0x0040596d
0x0040596e
0x0040597c
0x0040597d
0x00405970
0x00405974
0x00405975
0x00405975
0x00405985
0x00405988
0x0040598a
0x00000000
0x0040598c
0x0040598c
0x00405990
0x004059a5
0x004059ad
0x004059b6
0x004059b6
0x004059b9
0x004059c5
0x00405992
0x00405992
0x004059a2
0x004059a2
0x00405990
0x0040598a
0x00405916
0x004058e4
0x00000000
0x00405860
0x00405860
0x00405862
0x00405864
0x00405865
0x00405868
0x00000000
0x0040586a
0x0040586a
0x0040586d
0x00000000
0x00405868
0x0040584f
0x004057ea
0x00000000

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Uniqueness

Uniqueness Score: -1.00%

Function 004108A9 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E004108A9(void* __ebx, void* __edx, intOrPtr* __esi) {
				void* __edi;
				intOrPtr _t1;
				void* _t2;
				intOrPtr _t3;
				long _t6;
				intOrPtr _t17;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t29;
				void* _t30;
				void* _t31;
				intOrPtr _t34;

				_t30 = __edx;
				_t23 = __ebx;
				_push("FlsAlloc");
				_push(_t31);
				_t1 =  *__esi();
				_push("FlsGetValue");
				_push(_t31);
				 *0x423964 = _t1;
				_t2 =  *__esi();
				_push("FlsSetValue");
				_push(_t31);
				 *0x423968 = _t2;
				_t3 =  *__esi();
				_push("FlsFree");
				_push(_t31);
				 *0x42396c = _t3;
				_t4 =  *__esi();
				_t34 =  *0x41b0d4;
				 *0x423970 = _t4;
				if( *0x423964 == 0 ||  *0x423968 == 0 ||  *0x42396c == 0 || _t4 == 0) {
					 *0x423968 =  *0x41b0cc;
					_t4 =  *0x41b0d8;
					 *0x423964 = E0041055B;
					 *0x42396c = _t34;
					 *0x423970 =  *0x41b0d8;
				}
				_push(_t34);
				_t6 = E0042E73F(_t4);
				 *0x4227d4 = _t6;
				if(_t6 != 0xffffffff && TlsSetValue(_t6,  *0x423968) != 0) {
					E0040EA54();
					 *0x423964 = E0041046E( *0x423964);
					 *0x423968 = E0041046E( *0x423968);
					 *0x42396c = E0041046E( *0x42396c);
					 *0x423970 = E0041046E( *0x423970);
					if(E0040D564() != 0) {
						_push(E0041074F);
						_t17 =  *((intOrPtr*)(E004104E9(_t23, _t31,  *0x423964)))();
						 *0x4227d0 = _t17;
						if(_t17 != 0xffffffff) {
							_t34 = E00411CBA(_t23, 1, 0x214);
							if(_t34 != 0) {
								_push(_t34);
								_push( *0x4227d0);
								_t20 =  *((intOrPtr*)(E004104E9(_t23, _t31,  *0x42396c)))();
								_t47 = _t20;
								if(_t20 != 0) {
									_push(0);
									_t21 = E004105D5(_t23, _t34, _t47);
									_t29 = _t34;
									return E00560075(_t21, _t29, _t30);
								}
							}
						}
					}
					E00410598(_t23, _t30, _t31, _t34);
				}
				__eflags = 0;
				return 0;
			}

0x004108a9
0x004108a9
0x004108a9
0x004108ae
0x004108af
0x004108b1
0x004108b6
0x004108b7
0x004108bc
0x004108be
0x004108c3
0x004108c4
0x004108c9
0x004108cb
0x004108d0
0x004108d1
0x004108d6
0x004108df
0x004108e5
0x004108ea
0x00410907
0x0041090c
0x00410911
0x0041091b
0x00410921
0x00410921
0x00410926
0x00410927
0x0041092c
0x00410934
0x0041094b
0x00410961
0x00410971
0x00410981
0x0041098e
0x0041099a
0x0041099c
0x004109ad
0x004109af
0x004109b7
0x004109c5
0x004109cb
0x004109cd
0x004109ce
0x004109e0
0x004109e2
0x004109e4
0x004109e6
0x004109e9
0x004109ef
0x00000000
0x004109f0
0x004109e4
0x004109cb
0x004109b7
0x00410a01
0x00410a01
0x00410a06
0x00410a0a

APIs

TlsSetValue.KERNEL32(00000000,74CB65A0,?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc), ref: 00410941
__init_pointers.LIBCMT ref: 0041094B

Strings

FlsFree, xrefs: 004108CB
FlsGetValue, xrefs: 004108B1
FlsAlloc, xrefs: 004108A9
FlsSetValue, xrefs: 004108BE

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: Value__init_pointers
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue
API String ID: 4141801335-1551509285
Opcode ID: ad9b3ab3782ae798cb31ba052ed408c515b464287afcdf2d9dfba47aa59cad81
Instruction ID: f5cd4716a6fa04c49f0a229ffaf88059e06924897e03baa65a1af0feb1a49262
Opcode Fuzzy Hash: ad9b3ab3782ae798cb31ba052ed408c515b464287afcdf2d9dfba47aa59cad81
Instruction Fuzzy Hash: 613158B4703304AAD730AF79AD4569A7AB5AB46355B90043BE400A22F5DBFD85C3CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040BCC2(signed int __edx, char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t90;
				intOrPtr* _t92;
				signed int _t94;
				char _t97;
				signed int _t105;
				void* _t106;
				signed int _t107;
				signed int _t110;
				signed int _t113;
				intOrPtr* _t114;
				signed int _t118;
				signed int _t119;
				char* _t120;
				signed int _t124;
				signed int _t130;
				signed int _t132;
				void* _t133;

				_t124 = __edx;
				_t120 = _a4;
				_t119 = _a8;
				_t130 = 0;
				_v12 = _t120;
				_v8 = _t119;
				if(_a12 == 0 || _a16 == 0) {
					L5:
					return 0;
				} else {
					if(_t120 != 0) {
						_t132 = _a20;
						__eflags = _t132;
						if(_t132 == 0) {
							L9:
							__eflags = _t119 - 0xffffffff;
							if(_t119 != 0xffffffff) {
								_t90 = E0040BA30(_t130, _t120, _t130, _t119);
								_t133 = _t133 + 0xc;
							}
							__eflags = _t132 - _t130;
							if(_t132 == _t130) {
								goto L3;
							} else {
								_t94 = _t90 | 0xffffffff;
								_t124 = _t94 % _a12;
								__eflags = _a16 - _t94 / _a12;
								if(_a16 > _t94 / _a12) {
									goto L3;
								}
								L13:
								_t130 = _a12 * _a16;
								__eflags =  *(_t132 + 0xc) & 0x0000010c;
								_v20 = _t130;
								_t119 = _t130;
								if(( *(_t132 + 0xc) & 0x0000010c) == 0) {
									_v16 = 0x1000;
								} else {
									_v16 =  *((intOrPtr*)(_t132 + 0x18));
								}
								__eflags = _t130;
								if(_t130 == 0) {
									L40:
									return _a16;
								} else {
									do {
										__eflags =  *(_t132 + 0xc) & 0x0000010c;
										if(( *(_t132 + 0xc) & 0x0000010c) == 0) {
											L24:
											__eflags = _t119 - _v16;
											if(_t119 < _v16) {
												_t97 = E0040FC07(_t119, _t124, _t132);
												__eflags = _t97 - 0xffffffff;
												if(_t97 == 0xffffffff) {
													L48:
													return (_t130 - _t119) / _a12;
												}
												__eflags = _v8;
												if(_v8 == 0) {
													L44:
													__eflags = _a8 - 0xffffffff;
													if(_a8 != 0xffffffff) {
														E0040BA30(_t130, _a4, 0, _a8);
														_t133 = _t133 + 0xc;
													}
													 *((intOrPtr*)(E0040BFC1())) = 0x22;
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													L4:
													E0040E744(_t119, _t124, _t130, _t132);
													goto L5;
												}
												_t122 = _v12;
												_v12 = _v12 + 1;
												 *_v12 = _t97;
												_t119 = _t119 - 1;
												_t70 =  &_v8;
												 *_t70 = _v8 - 1;
												__eflags =  *_t70;
												_v16 =  *((intOrPtr*)(_t132 + 0x18));
												goto L39;
											}
											__eflags = _v16;
											if(_v16 == 0) {
												_t105 = 0x7fffffff;
												__eflags = _t119 - 0x7fffffff;
												if(_t119 <= 0x7fffffff) {
													_t105 = _t119;
												}
											} else {
												__eflags = _t119 - 0x7fffffff;
												if(_t119 <= 0x7fffffff) {
													_t55 = _t119 % _v16;
													__eflags = _t55;
													_t124 = _t55;
													_t110 = _t119;
												} else {
													_t124 = 0x7fffffff % _v16;
													_t110 = 0x7fffffff;
												}
												_t105 = _t110 - _t124;
											}
											__eflags = _t105 - _v8;
											if(_t105 > _v8) {
												goto L44;
											} else {
												_push(_t105);
												_push(_v12);
												_t106 = E0040FA20(_t132);
												_pop(_t122);
												_push(_t106);
												_t107 = E004102F4(_t119, _t124, _t130, _t132, __eflags);
												_t133 = _t133 + 0xc;
												__eflags = _t107;
												if(_t107 == 0) {
													 *(_t132 + 0xc) =  *(_t132 + 0xc) | 0x00000010;
													goto L48;
												}
												__eflags = _t107 - 0xffffffff;
												if(_t107 == 0xffffffff) {
													L47:
													_t80 = _t132 + 0xc;
													 *_t80 =  *(_t132 + 0xc) | 0x00000020;
													__eflags =  *_t80;
													goto L48;
												}
												_v12 = _v12 + _t107;
												_t119 = _t119 - _t107;
												_v8 = _v8 - _t107;
												goto L39;
											}
										}
										_t113 =  *(_t132 + 4);
										__eflags = _t113;
										if(__eflags == 0) {
											goto L24;
										}
										if(__eflags < 0) {
											goto L47;
										}
										_t130 = _t119;
										__eflags = _t119 - _t113;
										if(_t119 >= _t113) {
											_t130 = _t113;
										}
										__eflags = _t130 - _v8;
										if(_t130 > _v8) {
											_t132 = 0;
											__eflags = _a8 - 0xffffffff;
											if(_a8 != 0xffffffff) {
												E0040BA30(_t130, _a4, 0, _a8);
												_t133 = _t133 + 0xc;
											}
											_t114 = E0040BFC1();
											_push(_t132);
											_push(_t132);
											_push(_t132);
											_push(_t132);
											 *_t114 = 0x22;
											_push(_t132);
											goto L4;
										} else {
											E004103F1(_t119, _t122, _v12, _v8,  *_t132, _t130);
											 *(_t132 + 4) =  *(_t132 + 4) - _t130;
											 *_t132 =  *_t132 + _t130;
											_v12 = _v12 + _t130;
											_t119 = _t119 - _t130;
											_t133 = _t133 + 0x10;
											_v8 = _v8 - _t130;
											_t130 = _v20;
										}
										L39:
										__eflags = _t119;
									} while (_t119 != 0);
									goto L40;
								}
							}
						}
						_t118 = _t90 | 0xffffffff;
						_t90 = _t118 / _a12;
						_t124 = _t118 % _a12;
						__eflags = _a16 - _t90;
						if(_a16 <= _t90) {
							goto L13;
						}
						goto L9;
					}
					L3:
					_t92 = E0040BFC1();
					_push(_t130);
					_push(_t130);
					_push(_t130);
					_push(_t130);
					 *_t92 = 0x16;
					_push(_t130);
					goto L4;
				}
			}

0x0040bcc2
0x0040bcca
0x0040bcce
0x0040bcd3
0x0040bcd5
0x0040bcd8
0x0040bcde
0x0040bd01
0x00000000
0x0040bce5
0x0040bce7
0x0040bd08
0x0040bd0b
0x0040bd0d
0x0040bd1c
0x0040bd1c
0x0040bd1f
0x0040bd24
0x0040bd29
0x0040bd29
0x0040bd2c
0x0040bd2e
0x00000000
0x0040bd30
0x0040bd30
0x0040bd35
0x0040bd38
0x0040bd3b
0x00000000
0x00000000
0x0040bd3d
0x0040bd40
0x0040bd44
0x0040bd4b
0x0040bd4e
0x0040bd50
0x0040bd5a
0x0040bd52
0x0040bd55
0x0040bd55
0x0040bd61
0x0040bd63
0x0040be53
0x00000000
0x0040bd69
0x0040bd69
0x0040bd69
0x0040bd70
0x0040bdb6
0x0040bdb6
0x0040bdb9
0x0040be24
0x0040be2a
0x0040be2d
0x0040beb8
0x00000000
0x0040bebe
0x0040be33
0x0040be37
0x0040be87
0x0040be87
0x0040be8b
0x0040be95
0x0040be9a
0x0040be9a
0x0040bea2
0x0040beaa
0x0040beab
0x0040beac
0x0040bead
0x0040beae
0x0040bcf9
0x0040bcf9
0x00000000
0x0040bcfe
0x0040be39
0x0040be3c
0x0040be3f
0x0040be44
0x0040be45
0x0040be45
0x0040be45
0x0040be48
0x00000000
0x0040be48
0x0040bdbb
0x0040bdbf
0x0040bde0
0x0040bde5
0x0040bde7
0x0040bde9
0x0040bde9
0x0040bdc1
0x0040bdc8
0x0040bdca
0x0040bdd7
0x0040bdd7
0x0040bdd7
0x0040bdda
0x0040bdcc
0x0040bdce
0x0040bdd1
0x0040bdd1
0x0040bddc
0x0040bddc
0x0040bdeb
0x0040bdee
0x00000000
0x0040bdf4
0x0040bdf4
0x0040bdf5
0x0040bdf9
0x0040bdfe
0x0040bdff
0x0040be00
0x0040be05
0x0040be08
0x0040be0a
0x0040bec6
0x00000000
0x0040bec6
0x0040be10
0x0040be13
0x0040beb4
0x0040beb4
0x0040beb4
0x0040beb4
0x00000000
0x0040beb4
0x0040be19
0x0040be1c
0x0040be1e
0x00000000
0x0040be1e
0x0040bdee
0x0040bd72
0x0040bd75
0x0040bd77
0x00000000
0x00000000
0x0040bd79
0x00000000
0x00000000
0x0040bd7f
0x0040bd81
0x0040bd83
0x0040bd85
0x0040bd85
0x0040bd87
0x0040bd8a
0x0040be5b
0x0040be5d
0x0040be61
0x0040be6a
0x0040be6f
0x0040be6f
0x0040be72
0x0040be77
0x0040be78
0x0040be79
0x0040be7a
0x0040be7b
0x0040be81
0x00000000
0x0040bd90
0x0040bd99
0x0040bd9e
0x0040bda1
0x0040bda3
0x0040bda6
0x0040bda8
0x0040bdab
0x0040bdae
0x0040bdae
0x0040be4b
0x0040be4b
0x0040be4b
0x00000000
0x0040bd69
0x0040bd63
0x0040bd2e
0x0040bd0f
0x0040bd14
0x0040bd14
0x0040bd17
0x0040bd1a
0x00000000
0x00000000
0x00000000
0x0040bd1a
0x0040bce9
0x0040bce9
0x0040bcee
0x0040bcef
0x0040bcf0
0x0040bcf1
0x0040bcf2
0x0040bcf8
0x00000000
0x0040bcf8

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: _memset$__filbuf__fileno__read_memcpy_s
String ID:
API String ID: 3061097587-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00417A69 Relevance: 9.2, APIs: 6, Instructions: 178
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E00417A69(void* __edx, int _a4, intOrPtr _a8, char* _a12, intOrPtr* _a16, int _a20, intOrPtr _a24) {
				signed int _v8;
				char _v28;
				short* _v32;
				short* _v36;
				int _v40;
				char* _v44;
				short* _v48;
				int* _v52;
				int _v56;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t54;
				intOrPtr* _t57;
				short* _t60;
				void* _t62;
				void* _t63;
				int _t67;
				int _t70;
				int _t71;
				int _t76;
				int _t81;
				int _t82;
				void* _t93;
				int _t95;
				signed int _t97;
				int _t98;
				int _t108;

				_t93 = __edx;
				_t54 =  *0x422234; // 0x3100e2c7
				_v8 = _t54 ^ _t97;
				_t82 = _a20;
				_v44 = _a12;
				_t57 = _a16;
				_v52 = _t57;
				_v40 =  *_t57;
				_t59 = _a4;
				_v56 = _t82;
				_v36 = 0;
				_v48 = 0;
				if(_a4 == _a8) {
					L33:
					_t60 = _v36;
					L34:
					return E0040CE09(_t60, _t81, _v8 ^ _t97, _t93, 0, _t95);
				}
				_t62 = E0060326D(_t59, _t82);
				_t63 =  *_t95(_t62,  &_v28, _t82);
				_t81 =  *0x41b008;
				if(_t63 == 0 || _v28 != 1) {
					L13:
					_t95 = MultiByteToWideChar(_a4, 1, _v44, _v40, 0, 0);
					__eflags = _t95;
					if(_t95 != 0) {
						goto L8;
					}
					goto L14;
				} else {
					_push( &_v28);
					_push(_a8);
					if( *_t95() == 0 || _v28 != 1) {
						goto L13;
					} else {
						_t95 = _v40;
						_v48 = 1;
						if(_t95 == 0xffffffff) {
							_t95 = E0040EE20(_v44) + 1;
						}
						_t108 = _t95;
						L8:
						if(_t108 <= 0 || _t95 > 0x7ffffff0) {
							_v32 = 0;
							goto L20;
						} else {
							_t22 = _t95 + 8; // 0x41765d
							_t75 = _t95 + _t22;
							if(_t95 + _t22 > 0x400) {
								_t76 = E0040B84D(_t81, _t93, 0, _t75);
								__eflags = _t76;
								if(_t76 == 0) {
									L18:
									_v32 = _t76;
									L20:
									if(_v32 == 0) {
										L14:
										_t60 = 0;
										goto L34;
									}
									E0040BA30(0, _v32, 0, _t95 + _t95);
									_t67 = MultiByteToWideChar(_a4, 1, _v44, _v40, _v32, _t95);
									if(_t67 == 0) {
										L32:
										E004147AE(_v32);
										goto L33;
									}
									_t81 = _v56;
									if(_t81 == 0) {
										_pop(_t81);
										E00609A40(_t67, _t81, 0, _t95, __eflags);
										__eflags = _v48;
										if(_v48 != 0) {
											L27:
											_t70 = E00411CBA(_t81, 1, _t95);
											_v36 = _t70;
											__eflags = _t70;
											if(_t70 != 0) {
												_t71 =  *_t81(_a8, 0, _v32, _t95, _t70, _t95, 0, 0);
												__eflags = _t71;
												if(__eflags != 0) {
													__eflags = _v40 - 0xffffffff;
													if(_v40 != 0xffffffff) {
														 *_v52 = _t71;
													}
												} else {
													_push(_v36);
													E0040B6B5(_t81, _t93, 0, _t95, __eflags);
													_v36 = 0;
												}
											}
											goto L32;
										}
										_t95 =  *_t81(_a8, 0, _v32, _t95, 0, 0, 0, 0);
										__eflags = _t95;
										if(_t95 == 0) {
											goto L32;
										}
										goto L27;
									}
									_push(0);
									_push(0);
									_push(_a24);
									_push(_t81);
									_push(_t95);
									_push(_v32);
									_push(0);
									_push(_a8);
									_push(_t67);
									if(E006A5313(0) != 0) {
										_v36 = _t81;
									}
									goto L32;
								}
								 *_t76 = 0xdddd;
								L17:
								_t76 = _t76 + 8;
								goto L18;
							}
							E0040CFB0(_t75);
							_t76 = _t98;
							if(_t76 == 0) {
								goto L18;
							}
							 *_t76 = 0xcccc;
							goto L17;
						}
					}
				}
			}

0x00417a69
0x00417a71
0x00417a78
0x00417a7e
0x00417a81
0x00417a84
0x00417a88
0x00417a8e
0x00417a91
0x00417a97
0x00417a9a
0x00417a9d
0x00417aa3
0x00417c08
0x00417c08
0x00417c0b
0x00417c1c
0x00417c1c
0x00417aaa
0x00417ab4
0x00417ab6
0x00417abe
0x00417b1e
0x00417b2d
0x00417b2f
0x00417b31
0x00000000
0x00000000
0x00000000
0x00417ac6
0x00417ac9
0x00417aca
0x00417ad1
0x00000000
0x00417ad9
0x00417ad9
0x00417adc
0x00417ae6
0x00417af3
0x00417af3
0x00417af4
0x00417af6
0x00417af6
0x00417b53
0x00000000
0x00417b00
0x00417b00
0x00417b00
0x00417b09
0x00417b3b
0x00417b41
0x00417b43
0x00417b4e
0x00417b4e
0x00417b56
0x00417b59
0x00417b33
0x00417b33
0x00000000
0x00417b33
0x00417b63
0x00417b7a
0x00417b7e
0x00417bff
0x00417c02
0x00000000
0x00417c07
0x00417b80
0x00417b85
0x00417ba4
0x00417ba5
0x00417baa
0x00417bad
0x00417bc3
0x00417bc6
0x00417bcd
0x00417bd0
0x00417bd2
0x00417be0
0x00417be2
0x00417be4
0x00417bf4
0x00417bf8
0x00417bfd
0x00417bfd
0x00417be6
0x00417be6
0x00417be9
0x00417bef
0x00417bef
0x00417be4
0x00000000
0x00417bd2
0x00417bbd
0x00417bbf
0x00417bc1
0x00000000
0x00000000
0x00000000
0x00417bc1
0x00417b87
0x00417b88
0x00417b89
0x00417b8c
0x00417b8d
0x00417b8e
0x00417b91
0x00417b92
0x00417b95
0x00417b9d
0x00417b9f
0x00417b9f
0x00000000
0x00417b9d
0x00417b45
0x00417b4b
0x00417b4b
0x00000000
0x00417b4b
0x00417b0b
0x00417b10
0x00417b14
0x00000000
0x00000000
0x00417b16
0x00000000
0x00417b16
0x00417af6
0x00417ad1

APIs

_strlen.LIBCMT ref: 00417AEB
MultiByteToWideChar.KERNEL32(?,00000001,?,00417655,00000000,00000000,?,00417655,00000001,?,00000000,?,?,?,?,00000000), ref: 00417B2B
_malloc.LIBCMT ref: 00417B3B
_memset.LIBCMT ref: 00417B63
MultiByteToWideChar.KERNEL32(?,00000001,?,00417655,?,00000000,?,?,?,?,?,?,?,00417655,00000001,?), ref: 00417B7A
__freea.LIBCMT ref: 00417C02

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: ByteCharMultiWide$__freea_malloc_memset_strlen
String ID:
API String ID: 3923921168-0
Opcode ID: f0e15a0f3baf6ab25b9ac2aa71e4b89fdb8159a61957de1544a115bcd60272a4
Instruction ID: eec46208e05f70dd89c66350bd0ff0cedf77c1d59094ebd3b537c07b1756d577
Opcode Fuzzy Hash: f0e15a0f3baf6ab25b9ac2aa71e4b89fdb8159a61957de1544a115bcd60272a4
Instruction Fuzzy Hash: 91517331D08119AFCF219FA5DC40CEFBBB9EF89758F24412AF515B2250D7399981CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044296E Relevance: 9.2, APIs: 6, Instructions: 174
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 43%

			E0044296E(void* __edx, int _a4, intOrPtr _a8, char* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				signed int _v8;
				char _v28;
				short* _v32;
				short* _v36;
				int _v40;
				char* _v44;
				short* _v48;
				int* _v52;
				intOrPtr* _v56;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t53;
				intOrPtr* _t56;
				short* _t59;
				void* _t61;
				void* _t62;
				int _t69;
				int _t70;
				int _t75;
				void* _t79;
				void* _t80;
				void* _t81;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t93;
				void* _t96;
				void* _t98;
				intOrPtr* _t99;
				int _t100;
				signed int _t103;
				signed int _t105;
				int _t106;
				int _t117;

				_t93 = __edx;
				_t103 = _t105;
				_t106 = _t105 - 0x34;
				_t53 =  *0x44b8b4; // 0x13e789ea
				_v8 = _t53 ^ _t103;
				_v44 = _a12;
				_t56 = _a16;
				_push(_t80);
				_v52 = _t56;
				_v40 =  *_t56;
				_t58 = _a4;
				_v56 = _a20;
				_v36 = 0;
				_v48 = 0;
				if(_a4 == _a8) {
					L32:
					_t59 = _v36;
					goto L33;
				} else {
					_pop(_t99);
					_t61 = E005B2A80(_t58, _t80, _t99);
					_t87 =  &_v28;
					_t62 =  *_t99(_t61,  &_v28);
					_t82 =  *0x4460a8;
					if(_t62 == 0 || _v28 != 1) {
						L13:
						_t100 = MultiByteToWideChar(_a4, 1, _v44, _v40, 0, 0);
						__eflags = _t100;
						if(_t100 != 0) {
							goto L8;
						} else {
							goto L14;
						}
					} else {
						_push( &_v28);
						_push(_a8);
						if( *_t99() == 0 || _v28 != 1) {
							goto L13;
						} else {
							_t100 = _v40;
							_v48 = 1;
							if(_t100 == 0xffffffff) {
								_t79 = E0043A8F0(_v44);
								_pop(_t87);
								_t100 = _t79 + 1;
							}
							_t117 = _t100;
							L8:
							if(_t117 <= 0 || _t100 > 0x7ffffff0) {
								_v32 = 0;
							} else {
								_t22 = _t100 + 8; // 0x440ef8
								_t74 = _t100 + _t22;
								if(_t100 + _t22 > 0x400) {
									_t75 = E0043C36F(_t82, _t93, 0, _t74);
									_pop(_t87);
									__eflags = _t75;
									if(_t75 != 0) {
										 *_t75 = 0xdddd;
										goto L17;
									}
								} else {
									E00442B30(_t74);
									_t75 = _t106;
									if(_t75 != 0) {
										 *_t75 = 0xcccc;
										L17:
										_t75 = _t75 + 8;
									}
								}
								_v32 = _t75;
							}
							if(_v32 == 0) {
								L14:
								_t59 = 0;
								L33:
								_pop(_t96);
								_pop(_t98);
								_pop(_t81);
								__eflags = _v8 ^ _t103;
								return E0043AE18(_t59, _t81, _v8 ^ _t103, _t93, _t96, _t98);
							} else {
								E0043D9C0(0, _v32, 0, _t100 + _t100);
								if(MultiByteToWideChar(_a4, 1, _v44, _v40, _v32, _t100) == 0) {
									L31:
									E0043D560(_v32);
									goto L32;
								} else {
									_t83 = _v56;
									if(_t83 == 0) {
										_push(_t93);
										E005DB67C(_t66, _t87, _t93);
										__eflags = _v48;
										if(_v48 != 0) {
											L26:
											_t69 = E0043E152(_t83, 1, _t100);
											_v36 = _t69;
											__eflags = _t69;
											if(_t69 != 0) {
												_t70 =  *_t83(_a8, 0, _v32, _t100, _t69, _t100, 0, 0);
												__eflags = _t70;
												if(__eflags != 0) {
													__eflags = _v40 - 0xffffffff;
													if(_v40 != 0xffffffff) {
														 *_v52 = _t70;
													}
												} else {
													_push(_v36);
													E0043AEA4(_t83, _t93, 0, _t100, __eflags);
													_v36 = 0;
												}
											}
										} else {
											_t100 =  *_t83(_a8, 0, _v32, _t100, 0, 0, 0, 0);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
										}
										goto L31;
									} else {
										_push(0);
										_push(0);
										_push(_a24);
										_push(_t83);
										_push(_t100);
										_push(_v32);
										_push(0);
										_push(_a8);
										return E0061C515(_t66);
									}
								}
							}
						}
					}
				}
			}

0x0044296e
0x00442971
0x00442973
0x00442976
0x0044297d
0x00442986
0x00442989
0x0044298c
0x0044298d
0x00442993
0x00442996
0x0044299c
0x0044299f
0x004429a2
0x004429a8
0x00442b0d
0x00442b0d
0x00000000
0x004429ae
0x004429ae
0x004429af
0x004429b4
0x004429b9
0x004429bb
0x004429c3
0x00442a23
0x00442a32
0x00442a34
0x00442a36
0x00000000
0x00000000
0x00000000
0x00000000
0x004429cb
0x004429ce
0x004429cf
0x004429d6
0x00000000
0x004429de
0x004429de
0x004429e1
0x004429eb
0x004429f0
0x004429f7
0x004429f8
0x004429f8
0x004429f9
0x004429fb
0x004429fb
0x00442a58
0x00442a05
0x00442a05
0x00442a05
0x00442a0e
0x00442a40
0x00442a45
0x00442a46
0x00442a48
0x00442a4a
0x00000000
0x00442a4a
0x00442a10
0x00442a10
0x00442a15
0x00442a19
0x00442a1b
0x00442a50
0x00442a50
0x00442a50
0x00442a19
0x00442a53
0x00442a53
0x00442a5e
0x00442a38
0x00442a38
0x00442b10
0x00442b13
0x00442b14
0x00442b15
0x00442b19
0x00442b21
0x00442a60
0x00442a68
0x00442a83
0x00442b04
0x00442b07
0x00000000
0x00442a85
0x00442a85
0x00442a8a
0x00442aa9
0x00442aaa
0x00442aaf
0x00442ab2
0x00442ac8
0x00442acb
0x00442ad2
0x00442ad5
0x00442ad7
0x00442ae5
0x00442ae7
0x00442ae9
0x00442af9
0x00442afd
0x00442b02
0x00442b02
0x00442aeb
0x00442aeb
0x00442aee
0x00442af4
0x00442af4
0x00442ae9
0x00442ab4
0x00442ac2
0x00442ac4
0x00442ac6
0x00000000
0x00000000
0x00442ac6
0x00000000
0x00442a8c
0x00442a8c
0x00442a8d
0x00442a8e
0x00442a91
0x00442a92
0x00442a93
0x00442a96
0x00442a97
0x00442a9f
0x00442a9f
0x00442a8a
0x00442a83
0x00442a5e
0x004429d6
0x004429c3

APIs

_strlen.LIBCMT ref: 004429F0
MultiByteToWideChar.KERNEL32(?,00000001,?,00440EF0,00000000,00000000,?,00440EF0,00000001,00000000,?,?,?,?,?,?), ref: 00442A30
_malloc.LIBCMT ref: 00442A40
_memset.LIBCMT ref: 00442A68
MultiByteToWideChar.KERNEL32(?,00000001,?,00440EF0,00000000,00000000,?,?,?,?,?,?,?,00440EF0,00000001,00000000), ref: 00442A7F

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: ByteCharMultiWide$_malloc_memset_strlen
String ID:
API String ID: 4088468251-0
Opcode ID: d53ede33e9817658113416363b5b1b0b5437cae7c42faaab73bafd8c8ce8f4bb
Instruction ID: f612fc89f101133b29b5f930e412456fe8c4d5cef18b7c5de3e8cbe766430d40
Opcode Fuzzy Hash: d53ede33e9817658113416363b5b1b0b5437cae7c42faaab73bafd8c8ce8f4bb
Instruction Fuzzy Hash: E751AC31D00119AEEF21DFA9CD40DEFBBB9EF89320F60411AF814B2250D7799851CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004148F3 Relevance: 9.2, APIs: 6, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004148F3(void* __eax, void* __ebx, void* __edi) {
				void* _t54;
				void* _t57;
				void* _t59;
				void* _t60;
				signed int _t61;

				if(__eax != 0) {
					__eflags =  *(__ebp + 0x10) - __edi;
					if( *(__ebp + 0x10) <= __edi) {
						__eflags =  *(__ebp + 0x18) - __edi;
						if( *(__ebp + 0x18) <= __edi) {
							__esi =  *0x41b008;
							__eax = MultiByteToWideChar( *(__ebp + 0x1c), 9, __ebx,  *(__ebp + 0x10), __edi, __edi);
							__ebx = __eax;
							 *(__ebp - 0x2c) = __ebx;
							__eflags = __ebx - __edi;
							if(__ebx == __edi) {
								goto L1;
							}
							__edi = 0x400;
							__eflags = __ebx;
							if(__ebx <= 0) {
								L32:
								_t22 = __ebp - 0x20;
								 *_t22 =  *(__ebp - 0x20) & 0x00000000;
								__eflags =  *_t22;
								L33:
								__eflags =  *(__ebp - 0x20);
								if( *(__ebp - 0x20) == 0) {
									goto L1;
								}
								__eax = MultiByteToWideChar( *(__ebp + 0x1c), 1,  *(__ebp - 0x24),  *(__ebp + 0x10),  *(__ebp - 0x20), __ebx);
								__eflags = __eax;
								if(__eax == 0) {
									L49:
									__eax = E004147AE( *(__ebp - 0x20));
									__eax =  *(__ebp - 0x28);
									L50:
									_pop(_t59);
									_pop(_t60);
									_pop(_t54);
									return E0040CE09(0, _t54,  *(_t61 - 4) ^ _t61, _t57, _t59, _t60);
								}
								__ebx = MultiByteToWideChar( *(__ebp + 0x1c), 9,  *(__ebp - 0x1c),  *(__ebp + 0x18), 0, 0);
								__eflags = __ebx;
								if(__eflags == 0) {
									goto L49;
								}
								if(__eflags <= 0) {
									L44:
									__edi = 0;
									__eflags = 0;
									L45:
									__eflags = __edi;
									if(__edi != 0) {
										__eax = MultiByteToWideChar( *(__ebp + 0x1c), 1,  *(__ebp - 0x1c),  *(__ebp + 0x18), __edi, __ebx);
										__eflags = __eax;
										if(__eax != 0) {
											_push(__ebx);
											_push(__edi);
											_push( *(__ebp - 0x2c));
											_push( *(__ebp - 0x20));
											_push( *((intOrPtr*)(__ebp + 0xc)));
											_push( *((intOrPtr*)(__ebp + 8)));
											_push(__eax);
											 *(__ebp - 0x28) = E006F3057();
										}
										__eax = E004147AE(__edi);
									}
									goto L49;
								}
								__edx = 0;
								__eax = 0xffffffe0;
								_t33 = __eax % __ebx;
								__eax = __eax / __ebx;
								__edx = _t33;
								__eflags = __eax - 2;
								if(__eax < 2) {
									goto L44;
								}
								_t37 = __ebx + 8; // 0x8
								__eax = __ebx + _t37;
								__eflags = __eax - __edi;
								if(__eax > __edi) {
									__eax = E0040B84D(__ebx, __edx, __edi, __eax);
									__eflags = __eax;
									if(__eax != 0) {
										 *__eax = 0xdddd;
										__eax =  &(__eax[4]);
										__eflags = __eax;
									}
									__edi = __eax;
									goto L45;
								}
								__eax = E0040CFB0(__eax);
								__edi = __esp;
								__eflags = __edi;
								if(__edi == 0) {
									goto L49;
								}
								 *__edi = 0xcccc;
								__edi =  &(__edi[4]);
								goto L45;
							}
							__edx = 0;
							__eax = 0xffffffe0;
							_t16 = __eax % __ebx;
							__eax = __eax / __ebx;
							__edx = _t16;
							__eflags = __eax - 2;
							if(__eax < 2) {
								goto L32;
							}
							_t20 = __ebx + 8; // 0x8
							__eax = __ebx + _t20;
							__eflags = __eax - 0x400;
							if(__eax > 0x400) {
								__eax = E0040B84D(__ebx, __edx, 0x400, __eax);
								__eflags = __eax;
								if(__eax == 0) {
									L31:
									 *(__ebp - 0x20) = __eax;
									goto L33;
								}
								 *__eax = 0xdddd;
								L30:
								__eax =  &(__eax[4]);
								__eflags = __eax;
								goto L31;
							}
							__eax = E0040CFB0(__eax);
							__eax = __esp;
							__eflags = __eax;
							if(__eax == 0) {
								goto L31;
							}
							 *__eax = 0xcccc;
							goto L30;
						}
						__eflags =  *((intOrPtr*)(__ebp - 0x18)) - 2;
						if( *((intOrPtr*)(__ebp - 0x18)) >= 2) {
							__eflags =  *(__ebp - 0x12);
							__eax = __ebp - 0x12;
							if( *(__ebp - 0x12) == 0) {
								goto L15;
							} else {
								goto L17;
							}
							while(1) {
								L17:
								__dl = __eax[0];
								__eflags = __dl;
								if(__dl == 0) {
									goto L15;
								}
								__ecx =  *(__ebp - 0x1c);
								__cl =  *__ecx;
								__eflags = __cl -  *__eax;
								if(__cl <  *__eax) {
									L20:
									__eax =  &(__eax[0]);
									__eax =  &(__eax[0]);
									__eflags =  *__eax;
									if( *__eax != 0) {
										continue;
									}
									goto L15;
								}
								__eflags = __cl - __dl;
								if(__cl <= __dl) {
									L2:
									_push(2);
									L3:
									_pop(__eax);
									goto L50;
								}
								goto L20;
							}
						}
						L15:
						__eax = 0;
						__eax = 1;
						goto L50;
					}
					__eflags =  *((intOrPtr*)(__ebp - 0x18)) - 2;
					if( *((intOrPtr*)(__ebp - 0x18)) < 2) {
						L4:
						_push(3);
						goto L3;
					}
					__eflags =  *(__ebp - 0x12);
					__eax = __ebp - 0x12;
					if( *(__ebp - 0x12) == 0) {
						goto L4;
					} else {
						goto L8;
					}
					while(1) {
						L8:
						__dl = __eax[0];
						__eflags = __dl;
						if(__dl == 0) {
							goto L4;
						}
						__cl =  *__ebx;
						__eflags = __cl -  *__eax;
						if(__cl <  *__eax) {
							L11:
							__eax =  &(__eax[0]);
							__eax =  &(__eax[0]);
							__eflags =  *__eax;
							if( *__eax != 0) {
								continue;
							}
							goto L4;
						}
						__eflags = __cl - __dl;
						if(__cl <= __dl) {
							goto L2;
						}
						goto L11;
					}
					goto L4;
				}
				L1:
				goto L50;
			}

0x004148f5
0x004148f7
0x004148fa
0x00414925
0x00414928
0x00414962
0x00414973
0x00414975
0x00414977
0x0041497a
0x0041497c
0x00000000
0x00000000
0x00414982
0x00414987
0x00414989
0x004149cb
0x004149cb
0x004149cb
0x004149cb
0x004149cf
0x004149cf
0x004149d3
0x00000000
0x00000000
0x004149e8
0x004149ea
0x004149ec
0x00414a84
0x00414a87
0x00414a8c
0x00414b4a
0x00414b4d
0x00414b4e
0x00414b4f
0x00414b5b
0x00414b5b
0x00414a03
0x00414a05
0x00414a07
0x00000000
0x00000000
0x00414a09
0x00414a4d
0x00414a4d
0x00414a4d
0x00414a4f
0x00414a4f
0x00414a51
0x00414a60
0x00414a62
0x00414a64
0x00414a66
0x00414a67
0x00414a68
0x00414a6b
0x00414a6e
0x00414a71
0x00414a74
0x00414a7a
0x00414a7a
0x00414a7e
0x00414a83
0x00000000
0x00414a51
0x00414a0d
0x00414a0f
0x00414a10
0x00414a10
0x00414a10
0x00414a12
0x00414a15
0x00000000
0x00000000
0x00414a17
0x00414a17
0x00414a1b
0x00414a1d
0x00414a36
0x00414a3c
0x00414a3e
0x00414a40
0x00414a46
0x00414a46
0x00414a46
0x00414a49
0x00000000
0x00414a49
0x00414a1f
0x00414a24
0x00414a26
0x00414a28
0x00000000
0x00000000
0x00414a2a
0x00414a30
0x00000000
0x00414a30
0x0041498d
0x0041498f
0x00414990
0x00414990
0x00414990
0x00414992
0x00414995
0x00000000
0x00000000
0x00414997
0x00414997
0x0041499b
0x0041499d
0x004149b3
0x004149b9
0x004149bb
0x004149c6
0x004149c6
0x00000000
0x004149c6
0x004149bd
0x004149c3
0x004149c3
0x004149c3
0x00000000
0x004149c3
0x0041499f
0x004149a4
0x004149a6
0x004149a8
0x00000000
0x00000000
0x004149aa
0x00000000
0x004149aa
0x0041492a
0x0041492e
0x00414938
0x0041493c
0x0041493f
0x00000000
0x00000000
0x00000000
0x00000000
0x00414941
0x00414941
0x00414941
0x00414944
0x00414946
0x00000000
0x00000000
0x00414948
0x0041494b
0x0041494d
0x0041494f
0x00414959
0x00414959
0x0041495a
0x0041495b
0x0041495e
0x00000000
0x00000000
0x00000000
0x00414960
0x00414951
0x00414953
0x004148cd
0x004148cd
0x004148cf
0x004148cf
0x00000000
0x004148cf
0x00000000
0x00414953
0x00414941
0x00414930
0x00414930
0x00414932
0x00000000
0x00414932
0x004148fc
0x00414900
0x004148e2
0x004148e2
0x00000000
0x004148e2
0x00414902
0x00414906
0x00414909
0x00000000
0x00000000
0x00000000
0x00000000
0x0041490b
0x0041490b
0x0041490b
0x0041490e
0x00414910
0x00000000
0x00000000
0x00414912
0x00414914
0x00414916
0x0041491c
0x0041491c
0x0041491d
0x0041491e
0x00414921
0x00000000
0x00000000
0x00000000
0x00414923
0x00414918
0x0041491a
0x00000000
0x00000000
0x00000000
0x0041491a
0x00000000
0x0041490b
0x00414881
0x00000000

APIs

MultiByteToWideChar.KERNEL32(029D1858,00000009,?,000000FF,00000000,00000000,00000000,7FFFFFFF,00000000,?,?,?,00414B8C,029D1858,?,?), ref: 00414973
MultiByteToWideChar.KERNEL32(029D1858,00000001,?,000000FF,00000000,00000000), ref: 004149E8
MultiByteToWideChar.KERNEL32(029D1858,00000009,029D1858,?,00000000,00000000), ref: 00414A01
MultiByteToWideChar.KERNEL32(029D1858,00000001,029D1858,?,00000000,00000000), ref: 00414A60

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: facfc8718d499521125cbba829bc3633b1815aab5378153bc3905be208d83a6b
Instruction ID: 890009aabebddefd780dc551a4636dfabdd5d104b82d9c2fe240ff1468707dab
Opcode Fuzzy Hash: facfc8718d499521125cbba829bc3633b1815aab5378153bc3905be208d83a6b
Instruction Fuzzy Hash: D451F575A1018AAEDF219FA0CC81BEF7B76EFC6354F280017E501A6291D73D88D1D799

Uniqueness

Uniqueness Score: -1.00%

Function 0043F5E5 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0043F5E5(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				intOrPtr _t57;
				void* _t58;

				_push(0x2c);
				_push(0x448f48);
				E0043C508(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E0043AD13(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E0043BC01(__ecx, _t55) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E0043BC01(_t48, _t55) + 0x8c));
				 *((intOrPtr*)(E0043BC01(_t48, _t55) + 0x88)) = _t57;
				 *((intOrPtr*)(E0043BC01(_t48, _t55) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E0043ADB8(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E0043F70B(_t48, __edx, _t55, _t57);
				return E0043C54D( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x0043f5e5
0x0043f5e7
0x0043f5ec
0x0043f5f1
0x0043f5f3
0x0043f5f6
0x0043f5f9
0x0043f5fc
0x0043f603
0x0043f614
0x0043f622
0x0043f630
0x0043f638
0x0043f646
0x0043f64c
0x0043f653
0x0043f656
0x0043f66c
0x0043f66f
0x0043f6e4
0x0043f6eb
0x0043f6f2
0x0043f6ff

APIs

__CreateFrameInfo.LIBCMT ref: 0043F60D

Part of subcall function 0043AD13: __getptd.LIBCMT ref: 0043AD21
Part of subcall function 0043AD13: __getptd.LIBCMT ref: 0043AD2F

__getptd.LIBCMT ref: 0043F617

Part of subcall function 0043BC01: __amsg_exit.LIBCMT ref: 0043BC11

__getptd.LIBCMT ref: 0043F625
__getptd.LIBCMT ref: 0043F633
__getptd.LIBCMT ref: 0043F63E
_CallCatchBlock2.LIBCMT ref: 0043F664

Part of subcall function 0043ADB8: __CallSettingFrame@12.LIBCMT ref: 0043AE04

Part of subcall function 0043F70B: __getptd.LIBCMT ref: 0043F71A
Part of subcall function 0043F70B: __getptd.LIBCMT ref: 0043F728

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit
String ID:
API String ID: 3688206559-0
Opcode ID: 8506bf5357e1e2cc9adb8306ca48faccf2448b9955624e74b579110acdc9b9a7
Instruction ID: 2df3f1aa1ae5f75edbcc5297098b955ede46506b6cce5d0d2cd30fb9da8e4e7d
Opcode Fuzzy Hash: 8506bf5357e1e2cc9adb8306ca48faccf2448b9955624e74b579110acdc9b9a7
Instruction Fuzzy Hash: 7711C6B1D00209DFDB10EFA5C446BADBBB1FF08318F10906EF814A7251DB399A159F54

Uniqueness

Uniqueness Score: -1.00%

Function 00413E60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00413E60(void* __eax, void* __esi) {
				signed int* _t62;
				char _t64;
				signed char _t65;
				signed int _t75;
				void* _t80;
				void* _t82;
				signed char* _t84;
				signed char* _t85;
				signed int _t86;
				signed char _t89;
				char _t90;
				signed int _t91;
				void* _t97;
				void* _t98;
				signed int _t99;
				void* _t101;

				_t98 = __esi;
				if(__eax == 0) {
					 *(_t99 - 0x51c) = 0xffffff9f;
					_t86 = 0;
					_t45 = _t99 - 0x51c;
					 *_t45 =  *(_t99 - 0x51c) - __esi + 0x11d;
					__eflags =  *_t45;
					do {
						_t62 = _t98 + _t86 + 0x11d;
						_t92 = _t62 +  *(_t99 - 0x51c);
						_t50 = _t92 + 0x20; // 0xffffffbf
						__eflags = _t50 - 0x19;
						if(_t50 > 0x19) {
							__eflags = _t92 - 0x19;
							if(_t92 > 0x19) {
								 *_t62 = 0;
							} else {
								 *(_t98 + _t86 + 0x1d) =  *(_t98 + _t86 + 0x1d) | 0x00000020;
								_t92 = _t86 - 0x20;
								__eflags = _t92;
								goto L22;
							}
						} else {
							 *(_t98 + _t86 + 0x1d) =  *(_t98 + _t86 + 0x1d) | 0x00000010;
							_t92 = _t86 + 0x20;
							L22:
							 *_t62 = _t92;
						}
						_t86 = _t86 + 1;
						__eflags = _t86 - 0x100;
					} while (_t86 < 0x100);
				} else {
					_t64 = 0;
					do {
						 *((char*)(_t99 + _t64 - 0x104)) = _t64;
						_t64 = _t64 + 1;
					} while (_t64 < 0x100);
					_t65 =  *((intOrPtr*)(_t99 - 0x512));
					 *((char*)(_t99 - 0x104)) = 0x20;
					if(_t65 != 0) {
						_t84 = _t99 - 0x511;
						do {
							_t91 = _t65 & 0x000000ff;
							_t76 =  *_t84 & 0x000000ff;
							if(_t91 <= ( *_t84 & 0x000000ff)) {
								_t92 = _t99 + _t91 - 0x104;
								E0040BA30(0x100, _t99 + _t91 - 0x104, 0x20, _t76 - _t91 + 1);
								_t101 = _t101 + 0xc;
							}
							_t85 =  &(_t84[1]);
							_t65 =  *_t85;
							_t84 =  &(_t85[1]);
							_t111 = _t65;
						} while (_t65 != 0);
					}
					E00417625(_t80, _t92, 0x100, _t111, 0, 1, _t99 - 0x104, 0x100, _t99 - 0x504,  *((intOrPtr*)(_t98 + 4)),  *((intOrPtr*)(_t98 + 0xc)), 0);
					E00417426(0, _t92, 0x100, _t111, 0,  *((intOrPtr*)(_t98 + 0xc)), 0x100, _t99 - 0x104, 0x100, _t99 - 0x204, 0x100,  *((intOrPtr*)(_t98 + 4)), 0);
					E00417426(0, _t92, 0x100, _t111, 0,  *((intOrPtr*)(_t98 + 0xc)), 0x200, _t99 - 0x104, 0x100, _t99 - 0x304, 0x100,  *((intOrPtr*)(_t98 + 4)), 0);
					_t75 = 0;
					do {
						_t89 =  *(_t99 + _t75 * 2 - 0x504) & 0x0000ffff;
						if((_t89 & 0x00000001) == 0) {
							__eflags = _t89 & 0x00000002;
							if((_t89 & 0x00000002) == 0) {
								 *((char*)(_t98 + _t75 + 0x11d)) = 0;
							} else {
								_t33 = _t98 + _t75 + 0x1d;
								 *_t33 =  *(_t98 + _t75 + 0x1d) | 0x00000020;
								__eflags =  *_t33;
								_t90 =  *((intOrPtr*)(_t99 + _t75 - 0x304));
								goto L13;
							}
						} else {
							 *(_t98 + _t75 + 0x1d) =  *(_t98 + _t75 + 0x1d) | 0x00000010;
							_t90 =  *((intOrPtr*)(_t99 + _t75 - 0x204));
							L13:
							 *((char*)(_t98 + _t75 + 0x11d)) = _t90;
						}
						_t75 = _t75 + 1;
					} while (_t75 < 0x100);
				}
				_pop(_t97);
				_pop(_t82);
				return E0040CE09(_t62, _t82,  *(_t99 - 4) ^ _t99, _t92, _t97, _t98);
			}

0x00413e60
0x00413e67
0x00413f6e
0x00413f78
0x00413f7a
0x00413f7a
0x00413f7a
0x00413f80
0x00413f86
0x00413f8d
0x00413f8f
0x00413f92
0x00413f95
0x00413fa3
0x00413fa6
0x00413fb6
0x00413fa8
0x00413fa8
0x00413faf
0x00413faf
0x00000000
0x00413faf
0x00413f97
0x00413f97
0x00413f9e
0x00413fb2
0x00413fb2
0x00413fb2
0x00413fb9
0x00413fba
0x00413fba
0x00413e6d
0x00413e6d
0x00413e6f
0x00413e6f
0x00413e76
0x00413e77
0x00413e7b
0x00413e81
0x00413e8a
0x00413e8c
0x00413e92
0x00413e92
0x00413e95
0x00413e9a
0x00413ea0
0x00413eaa
0x00413eaf
0x00413eaf
0x00413eb2
0x00413eb3
0x00413eb5
0x00413eb6
0x00413eb6
0x00413e92
0x00413ed5
0x00413ef5
0x00413f1a
0x00413f22
0x00413f24
0x00413f24
0x00413f2f
0x00413f3f
0x00413f42
0x00413f59
0x00413f44
0x00413f44
0x00413f44
0x00413f44
0x00413f49
0x00000000
0x00413f49
0x00413f31
0x00413f31
0x00413f36
0x00413f50
0x00413f50
0x00413f50
0x00413f61
0x00413f62
0x00413f66
0x00413fc1
0x00413fc4
0x00413fcb

APIs

_memset.LIBCMT ref: 00413EAA
___crtGetStringTypeA.LIBCMT ref: 00413ED5
___crtLCMapStringA.LIBCMT ref: 00413EF5
___crtLCMapStringA.LIBCMT ref: 00413F1A

Strings

, xrefs: 00413E81

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: String___crt$Type_memset
String ID:
API String ID: 1957702402-3916222277
Opcode ID: 916957da387fcabe4d3f0db4627a24b2ab70b8eea8ee344a6acc7f1e113fdff3
Instruction ID: 9508438be18372857f1b82b29a4a6c12f312e0ff170467280b057728dc5c4e2b
Opcode Fuzzy Hash: 916957da387fcabe4d3f0db4627a24b2ab70b8eea8ee344a6acc7f1e113fdff3
Instruction Fuzzy Hash: F24129B150075C5EDB228E248C84BFBBBF89F05309F1444EEE5CA86183D1799BCA8F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040C73D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t17;
				intOrPtr _t19;
				signed int _t22;
				intOrPtr* _t27;
				intOrPtr _t39;
				intOrPtr _t40;

				_push(8);
				_push(0x421140);
				E0040E1D8(__ebx, __edi, __esi);
				_t39 = _a4;
				if((0 | _t39 != 0x00000000) != 0) {
					E0040FB29(__ebx, _t39, _t39);
					_v8 = 0;
					 *(_t39 + 0xc) =  *(_t39 + 0xc) & 0xffffffcf;
					if(E0040FA20(_t39) == 0xffffffff || E0040FA20(_t39) == 0xfffffffe) {
						_t17 = 0x4227e0;
					} else {
						_t22 = E0040FA20(_t39);
						_t17 = ((E0040FA20(_t39) & 0x0000001f) << 6) +  *((intOrPtr*)(0x423f60 + (_t22 >> 5) * 4));
					}
					_t9 = _t17 + 4; // 0xa80
					 *(_t17 + 4) =  *_t9 & 0x000000fd;
					_v8 = 0xfffffffe;
					E0040C735(_t39);
					_t19 = 0;
				} else {
					_t27 = E0040BFC1();
					_t40 = 0x16;
					 *_t27 = _t40;
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0040E744(__ebx, __edx, _t40, 0);
					_t19 = _t40;
				}
				return E0040E21D(_t19);
			}

0x0040c690
0x0040c692
0x0040c697
0x0040c69e
0x0040c6aa
0x0040c6c8
0x0040c6ce
0x0040c6d1
0x0040c6df
0x0040c70f
0x0040c6ed
0x0040c6ee
0x0040c70b
0x0040c70b
0x0040c714
0x0040c71b
0x0040c71e
0x0040c725
0x0040c72a
0x0040c6ac
0x0040c6ac
0x0040c6b3
0x0040c6b4
0x0040c6b6
0x0040c6b7
0x0040c6b8
0x0040c6b9
0x0040c6ba
0x0040c6bb
0x0040c6c3
0x0040c6c3
0x0040c731

APIs

__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Strings

'B, xrefs: 0040C70F

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __fileno
String ID: 'B
API String ID: 1873356214-2787509829
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Uniqueness

Uniqueness Score: -1.00%

Function 0043F334 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0043F334(void* __edx, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				void* __ebp;
				intOrPtr* _t18;
				void* _t22;
				void* _t23;
				void* _t24;

				_t23 = __edx;
				if( *((intOrPtr*)( *_a4)) == 0xe0434f4d) {
					if( *((intOrPtr*)(E0043BC01(_t22, _t24) + 0x90)) > 0) {
						 *((intOrPtr*)(E0043BC01(_t22, _t24) + 0x90)) =  *((intOrPtr*)(E0043BC01(_t22, _t24) + 0x90)) - 1;
					}
					goto L9;
				} else {
					if(__eax != 0xe06d7363) {
						L9:
						return 0;
					} else {
						 *(E0043BC01(__ebx, __edi) + 0x90) =  *(__eax + 0x90) & 0x00000000;
						_push(8);
						_push(0x448e08);
						E0043C508(_t22, _t24, __esi);
						_t18 =  *((intOrPtr*)(E0043BC01(_t22, _t24) + 0x78));
						if(_t18 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t18();
							_v8 = 0xfffffffe;
						}
						return E0043C54D(E00441556(_t22, _t23, _t24));
					}
				}
			}

0x0043f334
0x0043f345
0x0043f36b
0x0043f377
0x0043f377
0x00000000
0x0043f347
0x0043f34c
0x0043f379
0x0043f37c
0x0043f34e
0x0043f353
0x0043c470
0x0043c472
0x0043c477
0x0043c481
0x0043c486
0x0043c488
0x0043c48c
0x0043c497
0x0043c497
0x0043c4a8
0x0043c4a8
0x0043f34c

APIs

__getptd.LIBCMT ref: 0043F34E

Part of subcall function 0043BC01: __amsg_exit.LIBCMT ref: 0043BC11

__getptd.LIBCMT ref: 0043F35F
__getptd.LIBCMT ref: 0043F36D

Strings

MOC, xrefs: 0043F340
csm, xrefs: 0043F347

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __getptd$__amsg_exit
String ID: MOC$csm
API String ID: 1969926928-1389381023
Opcode ID: 33b9cced6b741998e27e7e2c03043b0455c789580758d048f674bb0431158d77
Instruction ID: 5f5aa3e705d447b49f1f7445426b4a470afefd4f920d53020610e4d2990cd4c1
Opcode Fuzzy Hash: 33b9cced6b741998e27e7e2c03043b0455c789580758d048f674bb0431158d77
Instruction Fuzzy Hash: F4E04F31640504CFC720AB79C046B297394EB4D318F1A25ABF98CC7323DB3DE848A68A

Uniqueness

Uniqueness Score: -1.00%

Function 004447A0 Relevance: 7.8, APIs: 5, Instructions: 263
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004447A0(intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v64;
				char _v68;
				void* __edi;
				signed int _t84;
				intOrPtr _t87;
				signed int _t89;
				signed int _t92;
				char* _t93;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t97;
				signed int _t99;
				signed int _t101;
				intOrPtr* _t103;
				signed int _t104;
				signed int _t105;
				signed int _t107;
				signed int _t108;
				signed int _t111;
				signed int _t112;
				intOrPtr _t113;
				signed int _t116;
				signed int _t119;
				intOrPtr _t120;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t134;
				intOrPtr* _t135;
				signed int _t142;
				intOrPtr _t143;
				signed int _t144;
				intOrPtr _t150;
				intOrPtr _t156;
				signed int _t161;
				intOrPtr _t164;
				intOrPtr _t166;
				void* _t168;
				signed int _t169;
				signed int _t172;
				signed int _t174;
				void* _t175;
				intOrPtr _t176;
				void* _t177;

				_push(0xfffffffe);
				_push(0x449e60);
				_push(E0043C570);
				_push( *[fs:0x0]);
				_t176 = _t175 - 0x30;
				_t84 =  *0x44b8b4; // 0x13e789ea
				_v12 = _v12 ^ _t84;
				_push(_t84 ^ _t174);
				 *[fs:0x0] =  &_v20;
				_v28 = _t176;
				_t166 = _a4;
				_t144 =  *(_t166 + 8);
				_v32 = _t144;
				if((_t144 & 0x00000003) == 0) {
					_t87 =  *[fs:0x18];
					_t121 =  *((intOrPtr*)(_t87 + 8));
					_v36 = _t121;
					__eflags = _t144 - _t121;
					if(_t144 < _t121) {
						L4:
						_t156 =  *((intOrPtr*)(_t166 + 0xc));
						_v40 = _t156;
						__eflags = _t156 - 0xffffffff;
						if(_t156 == 0xffffffff) {
							L65:
							 *[fs:0x0] = _v20;
							return 1;
						} else {
							_t116 = 0;
							_t89 = 0;
							__eflags = 0;
							_t124 = _t144;
							do {
								_t168 =  *_t124;
								__eflags = _t168 - 0xffffffff;
								if(_t168 == 0xffffffff) {
									goto L8;
								} else {
									__eflags = _t168 - _t89;
									if(_t168 >= _t89) {
										goto L1;
									} else {
										goto L8;
									}
								}
								goto L66;
								L8:
								__eflags =  *(_t124 + 4);
								if( *(_t124 + 4) != 0) {
									_t116 = 1;
								}
								_t89 = _t89 + 1;
								_t124 = _t124 + 0xc;
								__eflags = _t89 - _t156;
							} while (_t89 <= _t156);
							__eflags = _t116;
							if(_t116 == 0) {
								L14:
								_t92 = _t144 & 0xfffff000;
								_v36 = _t92;
								_t169 = 0;
								__eflags = 0;
								_t125 =  *0x44ef30; // 0x0
								while(1) {
									__eflags = _t169 - _t125;
									if(_t169 >= _t125) {
										break;
									}
									_t120 =  *((intOrPtr*)(0x44ef38 + _t169 * 8));
									_t164 =  *((intOrPtr*)(0x44ef3c + _t169 * 8));
									__eflags = _t120 - _t92;
									if(_t120 != _t92) {
										_t169 = _t169 + 1;
										continue;
									} else {
										_v8 = 0;
										_t105 = E004417D0(_t164);
										_t176 = _t176 + 4;
										__eflags = _t105;
										if(_t105 == 0) {
											L38:
											_v8 = 0xfffffffe;
											_t144 = _v32;
											break;
										} else {
											_t107 = E004446E0(_v40, _t144, _t164, _v32);
											_t176 = _t176 + 4;
											__eflags = _t107;
											if(_t107 == 0) {
												goto L38;
											} else {
												_t108 = E00441810(_t164,  *((intOrPtr*)(_a4 + 4)) - _t164);
												_t176 = _t176 + 8;
												__eflags = _t108;
												if(_t108 == 0) {
													goto L38;
												} else {
													_v8 = 0xfffffffe;
													__eflags = _t169;
													if(_t169 > 0) {
														 *0x44ef34 = 1;
														__eflags =  *0x44ef34;
														if( *0x44ef34 == 0) {
															_t111 = _v36;
															__eflags =  *((intOrPtr*)(0x44ef38 + _t169 * 8)) - _t111;
															if( *((intOrPtr*)(0x44ef38 + _t169 * 8)) == _t111) {
																L32:
																__eflags = _t169;
															} else {
																_t142 =  *0x44ef30; // 0x0
																_t35 = _t142 - 1; // -1
																_t169 = _t35;
																__eflags = _t169;
																if(_t169 < 0) {
																	L29:
																	__eflags = _t142 - 0x10;
																	if(_t142 < 0x10) {
																		_t142 = _t142 + 1;
																		__eflags = _t142;
																		 *0x44ef30 = _t142;
																	}
																	_t42 = _t142 - 1; // 0x0
																	_t169 = _t42;
																	goto L32;
																} else {
																	while(1) {
																		__eflags =  *((intOrPtr*)(0x44ef38 + _t169 * 8)) - _t111;
																		if( *((intOrPtr*)(0x44ef38 + _t169 * 8)) == _t111) {
																			break;
																		}
																		_t169 = _t169 - 1;
																		__eflags = _t169;
																		if(_t169 >= 0) {
																			continue;
																		} else {
																		}
																		L28:
																		__eflags = _t169;
																		if(__eflags < 0) {
																			goto L29;
																		}
																		goto L33;
																	}
																	_t120 =  *((intOrPtr*)(0x44ef38 + _t169 * 8));
																	_t164 =  *((intOrPtr*)(0x44ef3c + _t169 * 8));
																	goto L28;
																}
															}
															L33:
															if(__eflags > 0) {
																_t112 = 0;
																__eflags = _t169;
																if(_t169 >= 0) {
																	do {
																		 *((intOrPtr*)(0x44ef38 + _t112 * 8)) = _t120;
																		 *((intOrPtr*)(0x44ef3c + _t112 * 8)) = _t164;
																		_t120 =  *((intOrPtr*)(0x44ef38 + _t112 * 8));
																		_t164 =  *((intOrPtr*)(0x44ef3c + _t112 * 8));
																		_t112 = _t112 + 1;
																		__eflags = _t112 - _t169;
																	} while (_t112 <= _t169);
																}
															}
															L64:
															__eflags = 0;
															 *0x44ef34 = 0;
														}
													}
													goto L65;
												}
											}
										}
									}
									goto L66;
								}
								_push(0x1c);
								_t93 =  &_v68;
								_push(_t93);
								_push(_t144);
								_push(_t93);
								_t94 = E0061F087(_t144);
								__eflags = _t94;
								if(_t94 == 0) {
									goto L65;
								} else {
									__eflags = _v44 - 0x1000000;
									_t159 = _v64;
									_t95 = E004417D0(_v64);
									_t177 = _t176 + 4;
									__eflags = _t95;
									if(_t95 == 0) {
										_t96 = _t95 | 0xffffffff;
										__eflags = _t96;
										 *[fs:0x0] = _v20;
										return _t96;
									} else {
										__eflags = _v48 & 0x000000cc;
										if((_v48 & 0x000000cc) == 0) {
											L47:
											_t97 = E004446E0(_v40, _v32, _t159, _v32);
											__eflags = _t97;
											if(_t97 == 0) {
												goto L1;
											} else {
												_t99 = E00441810(_t159,  *((intOrPtr*)(_a4 + 4)) - _t159);
												__eflags = _t99;
												if(_t99 == 0) {
													goto L1;
												} else {
													 *0x44ef34 = 1;
													__eflags =  *0x44ef34;
													if( *0x44ef34 == 0) {
														_t161 =  *0x44ef30; // 0x0
														_t101 = _t161;
														__eflags = _t161;
														if(_t161 > 0) {
															_t135 = 0x44ef30 + _t161 * 8;
															while(1) {
																__eflags =  *_t135 - _v36;
																if( *_t135 == _v36) {
																	goto L54;
																}
																_t101 = _t101 - 1;
																_t135 = _t135 - 8;
																__eflags = _t101;
																if(_t101 > 0) {
																	continue;
																}
																goto L54;
															}
														}
														L54:
														__eflags = _t101;
														if(_t101 != 0) {
															 *((intOrPtr*)(0x44ef34 + _t101 * 8)) = _v64;
														} else {
															__eflags = _t161 - 0xf;
															_t72 = _t101 + 0xf; // 0xe
															_t172 = _t72;
															if(_t161 <= 0xf) {
																_t172 = _t161;
															}
															_t134 = _v36;
															_t150 = _v64;
															__eflags = _t172;
															if(_t172 >= 0) {
																_t103 = 0x44ef38;
																_t75 = _t172 + 1; // 0x1
																_t119 = _t75;
																do {
																	_t76 = _t103 + 4; // 0x0
																	 *_t103 = _t134;
																	 *((intOrPtr*)(_t103 + 4)) = _t150;
																	_t134 =  *_t103;
																	_t150 =  *_t76;
																	_t103 = _t103 + 8;
																	_t119 = _t119 - 1;
																	__eflags = _t119;
																} while (_t119 != 0);
																_t161 =  *0x44ef30; // 0x0
															}
															__eflags = _t161 - 0x10;
															if(_t161 < 0x10) {
																 *0x44ef30 = _t161 + 1;
															}
														}
														goto L64;
													}
													goto L65;
												}
											}
										} else {
											_t104 = E00441810(_t159, _v32 - _t159);
											_t177 = _t177 + 8;
											__eflags = _t104;
											if(_t104 == 0) {
												goto L1;
											} else {
												__eflags =  *(_t104 + 0x24) & 0x80000000;
												if(( *(_t104 + 0x24) & 0x80000000) != 0) {
													goto L1;
												} else {
													goto L47;
												}
											}
										}
									}
								}
							} else {
								_t143 = _a4;
								_t113 =  *((intOrPtr*)(_t143 - 8));
								__eflags = _t113 - _v36;
								if(_t113 < _v36) {
									goto L1;
								} else {
									__eflags = _t113 - _t143;
									if(_t113 >= _t143) {
										goto L1;
									} else {
										goto L14;
									}
								}
							}
						}
					} else {
						__eflags = _t144 -  *((intOrPtr*)(_t87 + 4));
						if(_t144 <  *((intOrPtr*)(_t87 + 4))) {
							goto L1;
						} else {
							goto L4;
						}
					}
				} else {
					L1:
					 *[fs:0x0] = _v20;
					return 0;
				}
				L66:
			}

0x004447a5
0x004447a7
0x004447ac
0x004447b7
0x004447b8
0x004447be
0x004447c3
0x004447c8
0x004447cc
0x004447d2
0x004447d5
0x004447d8
0x004447db
0x004447e1
0x004447f7
0x004447fd
0x00444800
0x00444803
0x00444805
0x0044480c
0x0044480c
0x0044480f
0x00444812
0x00444815
0x00444ad2
0x00444ada
0x00444ae8
0x0044481b
0x0044481b
0x0044481d
0x0044481d
0x0044481f
0x00444821
0x00444821
0x00444823
0x00444826
0x00000000
0x00444828
0x00444828
0x0044482a
0x00000000
0x00000000
0x00000000
0x00000000
0x0044482a
0x00000000
0x0044482c
0x0044482c
0x00444830
0x00444832
0x00444832
0x00444837
0x00444838
0x0044483b
0x0044483b
0x0044483f
0x00444841
0x00444852
0x00444854
0x00444859
0x0044485c
0x0044485c
0x0044485e
0x00444864
0x00444864
0x00444866
0x00000000
0x00000000
0x0044486c
0x00444873
0x0044487a
0x0044487c
0x004449ce
0x00000000
0x00444882
0x00444882
0x0044488a
0x0044488f
0x00444892
0x00444894
0x00444991
0x00444991
0x00444998
0x00000000
0x0044489a
0x004448a1
0x004448a6
0x004448a9
0x004448ab
0x00000000
0x004448b1
0x004448bb
0x004448c0
0x004448c3
0x004448c5
0x00000000
0x004448cb
0x004448cb
0x004448d2
0x004448d4
0x004448e4
0x004448e6
0x004448e8
0x004448ee
0x004448f1
0x004448f8
0x00444938
0x00444938
0x004448fa
0x004448fa
0x00444900
0x00444900
0x00444903
0x00444905
0x00444929
0x00444929
0x0044492c
0x0044492e
0x0044492e
0x0044492f
0x0044492f
0x00444935
0x00444935
0x00000000
0x00444907
0x00444907
0x00444907
0x0044490e
0x00000000
0x00000000
0x00444910
0x00444910
0x00444913
0x00000000
0x00000000
0x00444915
0x00444925
0x00444925
0x00444927
0x00000000
0x00000000
0x00000000
0x00444927
0x00444917
0x0044491e
0x00000000
0x0044491e
0x00444905
0x0044493a
0x0044493a
0x00444940
0x00444942
0x00444944
0x00444950
0x0044495e
0x00444965
0x0044496c
0x0044496e
0x00444970
0x00444971
0x00444971
0x00444975
0x00444944
0x00444ac9
0x00444ace
0x00444ad0
0x00444ad0
0x004448e8
0x00000000
0x004448d4
0x004448c5
0x004448ab
0x00444894
0x00000000
0x0044487c
0x0044499b
0x0044499d
0x004449a0
0x004449a1
0x004449a2
0x004449a3
0x004449a8
0x004449aa
0x00000000
0x004449b0
0x004449b0
0x004449d4
0x004449d8
0x004449dd
0x004449e0
0x004449e2
0x004449b9
0x004449b9
0x004449bf
0x004449cd
0x004449e4
0x004449e4
0x004449e8
0x00444a0e
0x00444a15
0x00444a1d
0x00444a1f
0x00000000
0x00444a25
0x00444a2f
0x00444a37
0x00444a39
0x00000000
0x00444a3f
0x00444a49
0x00444a4b
0x00444a4d
0x00444a53
0x00444a59
0x00444a5b
0x00444a5d
0x00444a5f
0x00444a66
0x00444a68
0x00444a6b
0x00000000
0x00000000
0x00444a6d
0x00444a6e
0x00444a71
0x00444a73
0x00000000
0x00000000
0x00000000
0x00444a73
0x00444a66
0x00444a75
0x00444a75
0x00444a77
0x00444ac2
0x00444a79
0x00444a79
0x00444a7c
0x00444a7c
0x00444a7f
0x00444a81
0x00444a81
0x00444a83
0x00444a86
0x00444a89
0x00444a8b
0x00444a8d
0x00444a92
0x00444a92
0x00444a95
0x00444a97
0x00444a9a
0x00444a9c
0x00444a9f
0x00444aa1
0x00444aa3
0x00444aa6
0x00444aa6
0x00444aa6
0x00444aab
0x00444aab
0x00444ab1
0x00444ab4
0x00444ab7
0x00444ab7
0x00444ab4
0x00000000
0x00444a77
0x00000000
0x00444a4d
0x00444a39
0x004449ea
0x004449f1
0x004449f6
0x004449f9
0x004449fb
0x00000000
0x00444a01
0x00444a01
0x00444a08
0x00000000
0x00000000
0x00000000
0x00000000
0x00444a08
0x004449fb
0x004449e8
0x004449e2
0x00444843
0x00444843
0x00444846
0x00444849
0x0044484c
0x00000000
0x0044484e
0x0044484e
0x00444850
0x00000000
0x00000000
0x00000000
0x00000000
0x00444850
0x0044484c
0x00444841
0x00444807
0x00444807
0x0044480a
0x00000000
0x00000000
0x00000000
0x00000000
0x0044480a
0x004447e3
0x004447e3
0x004447e8
0x004447f6
0x004447f6
0x00000000

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 004448A1
__FindPESection.LIBCMT ref: 004448BB

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: b50dd67d736f7e3918fc01de20833590d190e2867508cafd1d97ce48de2ff59c
Instruction ID: f65a202a405daf215614dd66543d835c6f6d714e305161c4fad1af1c309a5add
Opcode Fuzzy Hash: b50dd67d736f7e3918fc01de20833590d190e2867508cafd1d97ce48de2ff59c
Instruction Fuzzy Hash: 4791D276A002549BFB14CF6AD84076EB3A5FBC5314F15422ED805A73A4EB39EC01CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00440D06 Relevance: 7.7, APIs: 5, Instructions: 169
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E00440D06(intOrPtr* __ecx, void* __edx, intOrPtr _a4, char* _a8, int _a12, intOrPtr _a16, int _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				short* _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t43;
				intOrPtr _t45;
				char* _t46;
				short* _t48;
				int _t61;
				short* _t65;
				void* _t70;
				void* _t71;
				short* _t73;
				void* _t74;
				int* _t76;
				intOrPtr* _t84;
				short* _t85;
				void* _t86;
				int _t87;
				char* _t89;
				void* _t90;
				signed int _t95;
				short* _t97;
				void* _t106;

				_t82 = __edx;
				_t95 = _t97;
				_push(__ecx);
				_push(__ecx);
				_t43 =  *0x44b8b4; // 0x13e789ea
				_v8 = _t43 ^ _t95;
				_t45 =  *0x44eab4; // 0x1
				_t73 = 0;
				_t84 = __ecx;
				if(_t45 != 0) {
					L6:
					__eflags = _t45 - 2;
					if(_t45 == 2) {
						L26:
						_t89 = 0;
						__eflags = _a24 - _t73;
						if(_a24 == _t73) {
							_a24 =  *((intOrPtr*)( *_t84 + 0x14));
						}
						__eflags = _a20 - _t73;
						if(_a20 == _t73) {
							_a20 =  *((intOrPtr*)( *_t84 + 4));
						}
						_t46 = E00442925(_a24);
						_pop(_t76);
						__eflags = _t46 - 0xffffffff;
						if(_t46 != 0xffffffff) {
							__eflags = _t46 - _a20;
							if(_t46 == _a20) {
								L35:
								_push(_a16);
								_push(_a12);
								_push(_a8);
								_push(_a4);
								_push(_a24);
								_push(_t76);
								_t85 = E0048DEAE(_t46);
								__eflags = _t89 - _t73;
								if(__eflags != 0) {
									_push(_t89);
									E0043AEA4(_t73, _t82, _t85, _t89, __eflags);
								}
								_t48 = _t85;
							} else {
								_t76 =  &_a12;
								_t89 = _t46;
								__eflags = _t89 - _t73;
								if(_t89 == _t73) {
									goto L31;
								} else {
									_a8 = _t89;
									goto L35;
								}
							}
						} else {
							goto L31;
						}
					} else {
						__eflags = _t45 - _t73;
						if(_t45 == _t73) {
							goto L26;
						} else {
							__eflags = _t45 - 1;
							if(_t45 != 1) {
								goto L31;
							} else {
								goto L9;
							}
						}
					}
				} else {
					_push( &_v12);
					_push(1);
					_push(0x4463a4);
					_push(1);
					_push(__edx);
					_t70 = E0048F466( &_v12);
					if(_t70 == 0) {
						_push(_t70);
						_t71 = E0063D5F7();
						__eflags = _t71 - 0x78;
						if(_t71 != 0x78) {
							_t45 =  *0x44eab4; // 0x1
						} else {
							_t45 = 2;
							 *0x44eab4 = _t45;
						}
						goto L6;
					} else {
						 *0x44eab4 = 1;
						L9:
						_v12 = _t73;
						if(_a20 == _t73) {
							_a20 =  *((intOrPtr*)( *_t84 + 4));
						}
						_t87 = MultiByteToWideChar(_a20, 1 + (0 | _a28 != _t73) * 8, _a8, _a12, _t73, _t73);
						_t106 = _t87 - _t73;
						if(_t106 == 0) {
							L31:
							_t48 = 0;
						} else {
							if(_t106 > 0 && _t87 <= 0x7ffffff0) {
								_t16 = _t87 + 8; // 0x8
								_t64 = _t87 + _t16;
								if(_t87 + _t16 > 0x400) {
									_t65 = E0043C36F(_t73, _t82, _t87, _t64);
									__eflags = _t65 - _t73;
									if(_t65 != _t73) {
										 *_t65 = 0xdddd;
										goto L19;
									}
								} else {
									E00442B30(_t64);
									_t65 = _t97;
									if(_t65 != _t73) {
										 *_t65 = 0xcccc;
										L19:
										_t65 =  &(_t65[4]);
									}
								}
								_t73 = _t65;
							}
							if(_t73 == 0) {
								goto L31;
							} else {
								E0043D9C0(_t87, _t73, 0, _t87 + _t87);
								_t61 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t73, _t87);
								if(_t61 != 0) {
									_push(_a16);
									_push(_t61);
									_push(_t73);
									_push(_a4);
									return E006A6B2D(_t61, _t73, _t87);
								}
								E0043D560(_t73);
								_t48 = _v12;
							}
						}
					}
				}
				_pop(_t86);
				_pop(_t90);
				_pop(_t74);
				__eflags = _v8 ^ _t95;
				return E0043AE18(_t48, _t74, _v8 ^ _t95, _t82, _t86, _t90);
			}

0x00440d06
0x00440d09
0x00440d0b
0x00440d0c
0x00440d0d
0x00440d14
0x00440d17
0x00440d1e
0x00440d21
0x00440d25
0x00440d61
0x00440d61
0x00440d64
0x00440e39
0x00440e39
0x00440e3b
0x00440e3e
0x00440e45
0x00440e45
0x00440e48
0x00440e4b
0x00440e52
0x00440e52
0x00440e58
0x00440e5d
0x00440e5e
0x00440e61
0x00440e67
0x00440e6a
0x00440e8a
0x00440e8a
0x00440e8d
0x00440e90
0x00440e93
0x00440e96
0x00440e99
0x00440e9f
0x00440ea1
0x00440ea3
0x00440ea5
0x00440ea6
0x00440eab
0x00440eac
0x00440e6c
0x00440e6e
0x00440e7e
0x00440e83
0x00440e85
0x00000000
0x00440e87
0x00440e87
0x00000000
0x00440e87
0x00440e85
0x00000000
0x00000000
0x00000000
0x00440d6a
0x00440d6a
0x00440d6c
0x00000000
0x00440d72
0x00440d72
0x00440d75
0x00000000
0x00000000
0x00000000
0x00000000
0x00440d75
0x00440d6c
0x00440d27
0x00440d2a
0x00440d2e
0x00440d2f
0x00440d34
0x00440d35
0x00440d36
0x00440d3d
0x00440d47
0x00440d48
0x00440d4d
0x00440d50
0x00440d5c
0x00440d52
0x00440d54
0x00440d55
0x00440d55
0x00000000
0x00440d3f
0x00440d3f
0x00440d7b
0x00440d7b
0x00440d81
0x00440d88
0x00440d88
0x00440dae
0x00440db0
0x00440db2
0x00440e63
0x00440e63
0x00440db8
0x00440db8
0x00440dc2
0x00440dc2
0x00440dcb
0x00440de1
0x00440de7
0x00440de9
0x00440deb
0x00000000
0x00440deb
0x00440dcd
0x00440dcd
0x00440dd2
0x00440dd6
0x00440dd8
0x00440df1
0x00440df1
0x00440df1
0x00440dd6
0x00440df4
0x00440df4
0x00440df8
0x00000000
0x00440dfa
0x00440e01
0x00440e16
0x00440e1a
0x00440e1c
0x00440e1f
0x00440e20
0x00440e21
0x00000000
0x00440e24
0x00440e2e
0x00440e33
0x00440e36
0x00440df8
0x00440db2
0x00440d3d
0x00440eb1
0x00440eb2
0x00440eb3
0x00440eb7
0x00440ebf

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000000,?,00000000,00000000,?,00440EF0,00000001,00000000,?), ref: 00440DAC
_malloc.LIBCMT ref: 00440DE1
_memset.LIBCMT ref: 00440E01
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,00000000,00000001,?), ref: 00440E16

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: ByteCharMultiWide$_malloc_memset
String ID:
API String ID: 1563474556-0
Opcode ID: 167b37edb6608bea9c2c4a3bfe8b2f6884846bac5628a36facdcd43c416ab835
Instruction ID: 25d1c9b2afdcf17fb188ac79b7fc2cb37938145574ec0c9c65c97adae8e13750
Opcode Fuzzy Hash: 167b37edb6608bea9c2c4a3bfe8b2f6884846bac5628a36facdcd43c416ab835
Instruction Fuzzy Hash: 945163B190010AAFEF109FA5DC81DAF7BA9EB08354F24482AFB1497250D738DD719B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041746B Relevance: 7.7, APIs: 5, Instructions: 162
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E0041746B(intOrPtr* __ecx, void* __edx, intOrPtr _a4, char* _a8, int _a12, intOrPtr _a16, int _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				short* _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t43;
				intOrPtr _t45;
				char* _t46;
				short* _t48;
				int _t60;
				short* _t64;
				short** _t68;
				void* _t70;
				short* _t72;
				void* _t73;
				void* _t81;
				intOrPtr* _t83;
				void* _t84;
				int _t85;
				char* _t88;
				void* _t89;
				signed int _t94;
				short* _t96;
				void* _t105;

				_t81 = __edx;
				_t94 = _t96;
				_push(__ecx);
				_push(__ecx);
				_t43 =  *0x422234; // 0x3100e2c7
				_v8 = _t43 ^ _t94;
				_t45 =  *0x423e80; // 0x1
				_t72 = 0;
				_t83 = __ecx;
				if(_t45 != 0) {
					L6:
					__eflags = _t45 - 2;
					if(_t45 == 2) {
						L26:
						__eflags = _a24 - _t72;
						if(_a24 == _t72) {
							_a24 =  *((intOrPtr*)( *_t83 + 0x14));
						}
						__eflags = _a20 - _t72;
						if(_a20 == _t72) {
							_a20 =  *((intOrPtr*)( *_t83 + 4));
						}
						_t46 = E00417A20(_t72, _t81, _t83, 0, _a24);
						__eflags = _t46 - 0xffffffff;
						if(_t46 != 0xffffffff) {
							__eflags = _t46 - _a20;
							if(_t46 == _a20) {
								L35:
								_push(_a16);
								_push(_a12);
								_push(_a8);
								_push(_a4);
								_push(_a24);
								return E0058D73D(_t46, _t83);
							}
							_t88 = _t46;
							__eflags = _t88 - _t72;
							if(_t88 == _t72) {
								goto L31;
							} else {
								_a8 = _t88;
								goto L35;
							}
						}
						goto L31;
					} else {
						__eflags = _t45 - _t72;
						if(_t45 == _t72) {
							goto L26;
						} else {
							__eflags = _t45 - 1;
							if(_t45 != 1) {
								goto L31;
							} else {
								goto L9;
							}
						}
					}
				} else {
					_t68 =  &_v12;
					_push(_t68);
					_push(1);
					_push(0x420398);
					_push(1);
					_push(_t68);
					if(E005C0B8A(1) == 0) {
						_push(0);
						_t70 = E0062C80C(_t69);
						__eflags = _t70 - 0x78;
						if(_t70 != 0x78) {
							_t45 =  *0x423e80; // 0x1
						} else {
							_t45 = 2;
							 *0x423e80 = _t45;
						}
						goto L6;
					} else {
						 *0x423e80 = 1;
						L9:
						_v12 = _t72;
						if(_a20 == _t72) {
							_a20 =  *((intOrPtr*)( *_t83 + 4));
						}
						_t85 = MultiByteToWideChar(_a20, 1 + (0 | _a28 != _t72) * 8, _a8, _a12, _t72, _t72);
						_t105 = _t85 - _t72;
						if(_t105 == 0) {
							L31:
							_t48 = 0;
						} else {
							if(_t105 > 0 && _t85 <= 0x7ffffff0) {
								_t16 = _t85 + 8; // 0x8
								_t63 = _t85 + _t16;
								if(_t85 + _t16 > 0x400) {
									_t64 = E0040B84D(_t72, _t81, _t85, _t63);
									__eflags = _t64 - _t72;
									if(_t64 != _t72) {
										 *_t64 = 0xdddd;
										goto L19;
									}
								} else {
									E0040CFB0(_t63);
									_t64 = _t96;
									if(_t64 != _t72) {
										 *_t64 = 0xcccc;
										L19:
										_t64 =  &(_t64[4]);
									}
								}
								_t72 = _t64;
							}
							if(_t72 == 0) {
								goto L31;
							} else {
								E0040BA30(_t85, _t72, 0, _t85 + _t85);
								_t60 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t72, _t85);
								_t111 = _t60;
								if(_t60 != 0) {
									_push(_a16);
									_push(_t60);
									_push(_t72);
									_push(_a4);
									return E00698949(_t60, _t81, _t111);
								}
								E004147AE(_t72);
								_t48 = _v12;
							}
						}
					}
				}
				_pop(_t84);
				_pop(_t89);
				_pop(_t73);
				__eflags = _v8 ^ _t94;
				return E0040CE09(_t48, _t73, _v8 ^ _t94, _t81, _t84, _t89);
			}

0x0041746b
0x0041746e
0x00417470
0x00417471
0x00417472
0x00417479
0x0041747c
0x00417483
0x00417486
0x0041748a
0x004174c6
0x004174c6
0x004174c9
0x0041759e
0x004175a0
0x004175a3
0x004175aa
0x004175aa
0x004175ad
0x004175b0
0x004175b7
0x004175b7
0x004175bd
0x004175c3
0x004175c6
0x004175cc
0x004175cf
0x004175ef
0x004175ef
0x004175f2
0x004175f5
0x004175f8
0x004175fb
0x00000000
0x004175fe
0x004175e3
0x004175e8
0x004175ea
0x00000000
0x004175ec
0x004175ec
0x00000000
0x004175ec
0x004175ea
0x00000000
0x004174cf
0x004174cf
0x004174d1
0x00000000
0x004174d7
0x004174d7
0x004174da
0x00000000
0x00000000
0x00000000
0x00000000
0x004174da
0x004174d1
0x0041748c
0x0041748c
0x0041748f
0x00417493
0x00417494
0x00417499
0x0041749a
0x004174a2
0x004174ac
0x004174ad
0x004174b2
0x004174b5
0x004174c1
0x004174b7
0x004174b9
0x004174ba
0x004174ba
0x00000000
0x004174a4
0x004174a4
0x004174e0
0x004174e0
0x004174e6
0x004174ed
0x004174ed
0x00417513
0x00417515
0x00417517
0x004175c8
0x004175c8
0x0041751d
0x0041751d
0x00417527
0x00417527
0x00417530
0x00417546
0x0041754c
0x0041754e
0x00417550
0x00000000
0x00417550
0x00417532
0x00417532
0x00417537
0x0041753b
0x0041753d
0x00417556
0x00417556
0x00417556
0x0041753b
0x00417559
0x00417559
0x0041755d
0x00000000
0x0041755f
0x00417566
0x0041757b
0x0041757d
0x0041757f
0x00417581
0x00417584
0x00417585
0x00417586
0x00000000
0x00417589
0x00417593
0x00417598
0x0041759b
0x0041755d
0x00417517
0x004174a2
0x00417616
0x00417617
0x00417618
0x0041761c
0x00417624

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00001006,00001004,00000000,?,?,?,00417655,00000001,?,00000000), ref: 00417511
_malloc.LIBCMT ref: 00417546
_memset.LIBCMT ref: 00417566
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,00000000,?,00000001,00000000,00000000,?,?,00000000), ref: 0041757B

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: ByteCharMultiWide$_malloc_memset
String ID:
API String ID: 1563474556-0
Opcode ID: 932cc076147e582f523aa053c135e36afae343b1f72b3cfc2e5a07e949568bfc
Instruction ID: fa2bf30345e359ee6e39fa227a405d87c80e4d70351cdd99922d5e64e7ff3dd4
Opcode Fuzzy Hash: 932cc076147e582f523aa053c135e36afae343b1f72b3cfc2e5a07e949568bfc
Instruction Fuzzy Hash: 20519F7150411ABFCF209F68DC81DEF3BBAEB08364B20452AF91497261D738DD908BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414738 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00414738(void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				void* _t22;
				intOrPtr _t28;
				void* _t29;

				_t26 = __edi;
				_t25 = __edx;
				_push(0xc);
				_push(0x4214d0);
				E0040E1D8(_t22, __edi, __esi);
				_t28 = E00410735(_t22, __edx);
				_t13 =  *0x422e34; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0 ||  *((intOrPtr*)(_t28 + 0x6c)) == 0) {
					E0040D6E0(_t22, _t25, _t26, _t28, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x422f18; // 0x422e40
					 *((intOrPtr*)(_t29 - 0x1c)) = E004146FA(_t8, _t22, _t25, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E004147A2();
				} else {
					_t28 =  *((intOrPtr*)(E00410735(_t22, __edx) + 0x6c));
				}
				if(_t28 == 0) {
					E0040E79A(_t22, _t25, _t26, 0x20);
				}
				return E0040E21D(_t28);
			}

0x00414738
0x00414738
0x00414738
0x0041473a
0x0041473f
0x00414749
0x0041474b
0x00414753
0x00414779
0x0041477f
0x00414783
0x00414786
0x00414791
0x00414794
0x0041479b
0x0041475b
0x00414760
0x00414760
0x00414765
0x00414769
0x0041476e
0x00414776

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __amsg_exit__getptd
String ID: @.B
API String ID: 1765460086-470711618
Opcode ID: ef4c1f30d4e7cb4c26a12f9c7c5d19691947f753c35b33cee4b6994213305e92
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: ef4c1f30d4e7cb4c26a12f9c7c5d19691947f753c35b33cee4b6994213305e92
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0043D580 Relevance: 6.2, APIs: 4, Instructions: 176
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E0043D580(signed int __ecx, signed int _a4, intOrPtr _a8, char* _a12, int _a16, intOrPtr _a20, intOrPtr _a24, int _a28, intOrPtr _a32) {
				signed int _v8;
				short* _v12;
				short* _v16;
				short* _v20;
				intOrPtr _v24;
				void* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr _t61;
				signed int _t63;
				intOrPtr _t64;
				signed int _t78;
				signed int _t81;
				intOrPtr* _t85;
				int _t88;
				void* _t89;
				void* _t90;
				void* _t93;
				int _t100;
				signed int _t101;
				void* _t104;
				int _t105;
				intOrPtr* _t108;
				void* _t109;
				signed int _t112;
				signed int _t114;
				signed int _t115;
				intOrPtr _t119;
				int _t132;

				_t94 = __ecx;
				_t112 = _t114;
				_t115 = _t114 - 0x14;
				_t58 =  *0x44b8b4; // 0x13e789ea
				_t59 = _t58 ^ _t112;
				_v8 = _t58 ^ _t112;
				_push(1);
				_t108 = __ecx;
				_t119 =  *0x44e4e0; // 0x1
				if(_t119 == 0) {
					_push(0);
					_push(0);
					_push(1);
					_push(0x4463a4);
					_push(0x100);
					_push(0);
					_push(_t112);
					_t89 = E00703F43(_t59);
					if(_t89 == 0) {
						_push(_t89);
						_t90 = E0048A07A(1);
						__eflags = _t90 - 0x78;
						if(_t90 == 0x78) {
							 *0x44e4e0 = 2;
						}
					} else {
						 *0x44e4e0 = 1;
					}
				}
				if(_a16 > 0) {
					_t100 = _a16;
					_t85 = _a12;
					while(1) {
						_t94 = _t100 - 1;
						if( *_t85 == 0) {
							break;
						}
						_t85 = _t85 + 1;
						if(_t94 != 0) {
							continue;
						} else {
							_t94 = _t94 | 0xffffffff;
						}
						break;
					}
					_t88 = _a16 - _t94 - 1;
					if(_t88 < _a16) {
						_t88 = _t88 + 1;
					}
					_a16 = _t88;
				}
				_t60 =  *0x44e4e0; // 0x1
				if(_t60 == 2 || _t60 == 0) {
					_v16 = 0;
					_v20 = 0;
					__eflags = _a4;
					if(_a4 == 0) {
						_a4 =  *((intOrPtr*)( *_t108 + 0x14));
					}
					__eflags = _a28;
					if(_a28 == 0) {
						_a28 =  *((intOrPtr*)( *_t108 + 4));
					}
					_t61 = E00442925(_a4);
					_v24 = _t61;
					__eflags = _t61 - 0xffffffff;
					if(_t61 != 0xffffffff) {
						__eflags = _t61 - _a28;
						if(__eflags == 0) {
							_push(_a24);
							_push(_a20);
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push(_a4);
							return E006EF302(_t61, _t112, __eflags);
						} else {
							_t63 = E0044296E(_t101, _a28, _t61, _a12,  &_a16, 0, 0);
							_v16 = _t63;
							__eflags = _t63;
							if(_t63 == 0) {
								goto L38;
							} else {
								return E006E7365(_t63,  &_a16, 1, _t108, _t112);
							}
						}
					} else {
						goto L38;
					}
				} else {
					if(_t60 != 1) {
						L38:
						_t64 = 0;
						goto L44;
					} else {
						_v12 = 0;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t108 + 4));
						}
						_t105 = MultiByteToWideChar(_a28, 1 + (0 | _a32 != 0x00000000) * 8, _a12, _a16, 0, 0);
						_t132 = _t105;
						if(_t132 == 0) {
							goto L38;
						} else {
							if(_t132 <= 0) {
								L28:
								_v16 = 0;
							} else {
								_t78 = 0xffffffe0;
								_t101 = _t78 % _t105;
								if(_t78 / _t105 < 2) {
									goto L28;
								} else {
									_t25 = _t105 + 8; // 0x8
									_t80 = _t105 + _t25;
									if(_t105 + _t25 > 0x400) {
										_t81 = E0043C36F(0, _t101, _t105, _t80);
										_pop(_t94);
										__eflags = _t81;
										if(_t81 != 0) {
											 *_t81 = 0xdddd;
											goto L26;
										}
									} else {
										E00442B30(_t80);
										_t81 = _t115;
										if(_t81 != 0) {
											 *_t81 = 0xcccc;
											L26:
											_t81 = _t81 + 8;
										}
									}
									_v16 = _t81;
								}
							}
							if(_v16 == 0) {
								goto L38;
							} else {
								if(MultiByteToWideChar(_a28, 1, _a12, _a16, _v16, _t105) == 0) {
									E0043D560(_v16);
									_t64 = _v12;
									L44:
									_pop(_t104);
									_pop(_t109);
									_pop(_t93);
									__eflags = _v8 ^ _t112;
									return E0043AE18(_t64, _t93, _v8 ^ _t112, _t101, _t104, _t109);
								} else {
									return E005A0A01(_t75, _t94, _t105);
								}
							}
						}
					}
				}
				goto L45;
			}

0x0043d580
0x0043d583
0x0043d585
0x0043d588
0x0043d58d
0x0043d58f
0x0043d596
0x0043d597
0x0043d599
0x0043d59f
0x0043d5a1
0x0043d5a2
0x0043d5a6
0x0043d5a7
0x0043d5ac
0x0043d5b1
0x0043d5b2
0x0043d5b3
0x0043d5ba
0x0043d5c4
0x0043d5c5
0x0043d5ca
0x0043d5cd
0x0043d5cf
0x0043d5cf
0x0043d5bc
0x0043d5bc
0x0043d5bc
0x0043d5ba
0x0043d5dc
0x0043d5de
0x0043d5e1
0x0043d5e4
0x0043d5e4
0x0043d5e7
0x00000000
0x00000000
0x0043d5e9
0x0043d5ec
0x00000000
0x0043d5ee
0x0043d5ee
0x0043d5ee
0x00000000
0x0043d5ec
0x0043d5f6
0x0043d5fa
0x0043d5fc
0x0043d5fc
0x0043d5fd
0x0043d5fd
0x0043d600
0x0043d608
0x0043d7ba
0x0043d7bd
0x0043d7c0
0x0043d7c3
0x0043d7ca
0x0043d7ca
0x0043d7cd
0x0043d7d0
0x0043d7d7
0x0043d7d7
0x0043d7dd
0x0043d7e3
0x0043d7e6
0x0043d7e9
0x0043d7f2
0x0043d7f5
0x0043d8d6
0x0043d8d9
0x0043d8dc
0x0043d8df
0x0043d8e2
0x0043d8e5
0x0043d8ed
0x0043d7fb
0x0043d808
0x0043d810
0x0043d813
0x0043d815
0x00000000
0x0043d817
0x00000000
0x0043d817
0x0043d815
0x00000000
0x00000000
0x00000000
0x0043d616
0x0043d619
0x0043d7eb
0x0043d7eb
0x00000000
0x0043d61f
0x0043d61f
0x0043d625
0x0043d62c
0x0043d62c
0x0043d652
0x0043d654
0x0043d656
0x00000000
0x0043d65c
0x0043d65c
0x0043d6a1
0x0043d6a1
0x0043d65e
0x0043d662
0x0043d663
0x0043d668
0x00000000
0x0043d66a
0x0043d66a
0x0043d66a
0x0043d673
0x0043d689
0x0043d68e
0x0043d68f
0x0043d691
0x0043d693
0x00000000
0x0043d693
0x0043d675
0x0043d675
0x0043d67a
0x0043d67e
0x0043d680
0x0043d699
0x0043d699
0x0043d699
0x0043d67e
0x0043d69c
0x0043d69c
0x0043d668
0x0043d6a7
0x00000000
0x0043d6ad
0x0043d6c0
0x0043d7ac
0x0043d7b1
0x0043d913
0x0043d916
0x0043d917
0x0043d918
0x0043d91c
0x0043d924
0x0043d6c6
0x0043d6cb
0x0043d6cb
0x0043d6c0
0x0043d6a7
0x0043d656
0x0043d619
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000100,?,?,?,?,?,?,?,?), ref: 0043D650
_malloc.LIBCMT ref: 0043D689
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,00000000,?,?,?,?,?), ref: 0043D6BC

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: ByteCharMultiWide$_malloc
String ID:
API String ID: 4030181574-0
Opcode ID: 96e49848d1a56cea49f13d298635ec8300d12752f0def4c7b5dcfff1cce8af60
Instruction ID: 4552fab619bb73c7a53163b58aa827f22f9a48fb23ddebe8b50ba6f2afa96305
Opcode Fuzzy Hash: 96e49848d1a56cea49f13d298635ec8300d12752f0def4c7b5dcfff1cce8af60
Instruction Fuzzy Hash: 2E5179B1D00109AFDF20EF69EC819AE7BA5FB4C318F10592BF915A6250D738CD60DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0040C748(void* __edx, void* __esi, char _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t70;
				signed int _t71;
				intOrPtr _t73;
				signed int _t75;
				signed int _t81;
				char _t82;
				signed int _t84;
				intOrPtr* _t86;
				intOrPtr* _t90;
				signed int _t92;
				signed int _t94;
				void* _t96;
				signed char _t98;
				signed int _t99;
				intOrPtr _t102;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t111;
				signed int _t114;
				intOrPtr _t115;

				_t105 = __esi;
				_t97 = __edx;
				_t104 = _a4;
				_t87 = 0;
				if(_t104 != 0) {
					_t70 = E0040FA20(_t104);
					__eflags =  *(_t104 + 4);
					_v8 = _t70;
					if(__eflags < 0) {
						 *(_t104 + 4) = 0;
					}
					_push(1);
					_push(_t87);
					_push(_t70);
					_t71 = E00411939(_t87, _t97, _t104, _t105, __eflags);
					__eflags = _t71 - _t87;
					_v12 = _t71;
					if(_t71 < _t87) {
						L2:
						return _t71 | 0xffffffff;
					} else {
						_t98 =  *(_t104 + 0xc);
						__eflags = _t98 & 0x00000108;
						if((_t98 & 0x00000108) != 0) {
							_t73 =  *_t104;
							_t92 =  *(_t104 + 8);
							_push(_t105);
							_v16 = _t73 - _t92;
							__eflags = _t98 & 0x00000003;
							if((_t98 & 0x00000003) == 0) {
								__eflags = _t98;
								if(_t98 < 0) {
									L15:
									__eflags = _v12 - _t87;
									if(_v12 != _t87) {
										__eflags =  *(_t104 + 0xc) & 0x00000001;
										if(( *(_t104 + 0xc) & 0x00000001) == 0) {
											L40:
											_t75 = _v16 + _v12;
											__eflags = _t75;
											L41:
											return _t75;
										}
										_t99 =  *(_t104 + 4);
										__eflags = _t99 - _t87;
										if(_t99 != _t87) {
											_t90 = 0x423f60 + (_v8 >> 5) * 4;
											_a4 = _t73 - _t92 + _t99;
											_t111 = (_v8 & 0x0000001f) << 6;
											__eflags =  *( *_t90 + _t111 + 4) & 0x00000080;
											if(__eflags == 0) {
												L39:
												_t66 =  &_v12;
												 *_t66 = _v12 - _a4;
												__eflags =  *_t66;
												goto L40;
											}
											_push(2);
											_push(0);
											_push(_v8);
											__eflags = E00411939(_t90, _t99, _t104, _t111, __eflags) - _v12;
											if(__eflags != 0) {
												_push(0);
												_push(_v12);
												_push(_v8);
												_t81 = E00411939(_t90, _t99, _t104, _t111, __eflags);
												__eflags = _t81;
												if(_t81 >= 0) {
													_t82 = 0x200;
													__eflags = _a4 - 0x200;
													if(_a4 > 0x200) {
														L35:
														_t82 =  *((intOrPtr*)(_t104 + 0x18));
														L36:
														_a4 = _t82;
														__eflags =  *( *_t90 + _t111 + 4) & 0x00000004;
														L37:
														if(__eflags != 0) {
															_t63 =  &_a4;
															 *_t63 = _a4 + 1;
															__eflags =  *_t63;
														}
														goto L39;
													}
													_t94 =  *(_t104 + 0xc);
													__eflags = _t94 & 0x00000008;
													if((_t94 & 0x00000008) == 0) {
														goto L35;
													}
													__eflags = _t94 & 0x00000400;
													if((_t94 & 0x00000400) == 0) {
														goto L36;
													}
													goto L35;
												}
												L31:
												_t75 = _t81 | 0xffffffff;
												goto L41;
											}
											_t84 =  *(_t104 + 8);
											_t96 = _a4 + _t84;
											while(1) {
												__eflags = _t84 - _t96;
												if(_t84 >= _t96) {
													break;
												}
												__eflags =  *_t84 - 0xa;
												if( *_t84 == 0xa) {
													_t44 =  &_a4;
													 *_t44 = _a4 + 1;
													__eflags =  *_t44;
												}
												_t84 = _t84 + 1;
												__eflags = _t84;
											}
											__eflags =  *(_t104 + 0xc) & 0x00002000;
											goto L37;
										}
										_v16 = _t87;
										goto L40;
									}
									_t75 = _v16;
									goto L41;
								}
								_t81 = E0040BFC1();
								 *_t81 = 0x16;
								goto L31;
							}
							_t102 =  *((intOrPtr*)(0x423f60 + (_v8 >> 5) * 4));
							_t114 = (_v8 & 0x0000001f) << 6;
							__eflags =  *(_t102 + _t114 + 4) & 0x00000080;
							if(( *(_t102 + _t114 + 4) & 0x00000080) == 0) {
								goto L15;
							}
							_t103 = _t92;
							__eflags = _t103 - _t73;
							if(_t103 >= _t73) {
								goto L15;
							}
							_t115 = _t73;
							do {
								__eflags =  *_t103 - 0xa;
								if( *_t103 == 0xa) {
									_v16 = _v16 + 1;
									_t87 = 0;
									__eflags = 0;
								}
								_t103 = _t103 + 1;
								__eflags = _t103 - _t115;
							} while (_t103 < _t115);
							goto L15;
						}
						return _t71 -  *(_t104 + 4);
					}
				}
				_t86 = E0040BFC1();
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				 *_t86 = 0x16;
				_t71 = E0040E744(0, __edx, _t104, __esi);
				goto L2;
			}

0x0040c748
0x0040c748
0x0040c752
0x0040c755
0x0040c759
0x0040c77c
0x0040c781
0x0040c785
0x0040c788
0x0040c78a
0x0040c78a
0x0040c78d
0x0040c78f
0x0040c790
0x0040c791
0x0040c799
0x0040c79b
0x0040c79e
0x0040c773
0x00000000
0x0040c7a0
0x0040c7a0
0x0040c7a3
0x0040c7a9
0x0040c7b3
0x0040c7b5
0x0040c7b8
0x0040c7bd
0x0040c7c0
0x0040c7c3
0x0040c806
0x0040c808
0x0040c7f9
0x0040c7f9
0x0040c7fc
0x0040c81a
0x0040c81e
0x0040c8d8
0x0040c8de
0x0040c8de
0x0040c8e0
0x00000000
0x0040c8e0
0x0040c824
0x0040c827
0x0040c829
0x0040c843
0x0040c84a
0x0040c84f
0x0040c852
0x0040c857
0x0040c8d2
0x0040c8d5
0x0040c8d5
0x0040c8d5
0x00000000
0x0040c8d5
0x0040c859
0x0040c85b
0x0040c85d
0x0040c868
0x0040c86b
0x0040c88d
0x0040c88f
0x0040c892
0x0040c895
0x0040c89d
0x0040c89f
0x0040c8a6
0x0040c8ab
0x0040c8ae
0x0040c8c0
0x0040c8c0
0x0040c8c3
0x0040c8c3
0x0040c8c8
0x0040c8cd
0x0040c8cd
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x00000000
0x0040c8cd
0x0040c8b0
0x0040c8b3
0x0040c8b6
0x00000000
0x00000000
0x0040c8b8
0x0040c8be
0x00000000
0x00000000
0x00000000
0x0040c8be
0x0040c8a1
0x0040c8a1
0x00000000
0x0040c8a1
0x0040c86d
0x0040c873
0x0040c880
0x0040c880
0x0040c882
0x00000000
0x00000000
0x0040c877
0x0040c87a
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87f
0x0040c87f
0x0040c87f
0x0040c884
0x00000000
0x0040c884
0x0040c82b
0x00000000
0x0040c82b
0x0040c7fe
0x00000000
0x0040c7fe
0x0040c80a
0x0040c80f
0x00000000
0x0040c80f
0x0040c7ce
0x0040c7d8
0x0040c7db
0x0040c7e0
0x00000000
0x00000000
0x0040c7e2
0x0040c7e4
0x0040c7e6
0x00000000
0x00000000
0x0040c7e8
0x0040c7ea
0x0040c7ea
0x0040c7ed
0x0040c7ef
0x0040c7f2
0x0040c7f2
0x0040c7f2
0x0040c7f4
0x0040c7f5
0x0040c7f5
0x00000000
0x0040c7ea
0x00000000
0x0040c7ab
0x0040c79e
0x0040c75b
0x0040c760
0x0040c761
0x0040c762
0x0040c763
0x0040c764
0x0040c765
0x0040c76b
0x00000000

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __fileno__locking
String ID:
API String ID: 2385650056-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040BAAA(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t59;
				intOrPtr* _t61;
				signed int _t63;
				void* _t68;
				signed int _t69;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				void* _t81;
				signed int _t82;
				signed int _t83;
				signed int _t85;
				signed int _t89;
				signed int _t98;
				signed int _t99;
				signed int _t100;
				intOrPtr* _t101;
				void* _t102;

				_t91 = __edx;
				if(_a8 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t101 = _a16;
					if(_t101 != 0) {
						_t83 = _a4;
						__eflags = _t83;
						if(_t83 == 0) {
							goto L3;
						}
						_t63 = _t59 | 0xffffffff;
						_t91 = _t63 % _a8;
						__eflags = _a12 - _t63 / _a8;
						if(_a12 > _t63 / _a8) {
							goto L3;
						}
						_t98 = _a8 * _a12;
						__eflags =  *(_t101 + 0xc) & 0x0000010c;
						_v8 = _t83;
						_v16 = _t98;
						_t82 = _t98;
						if(( *(_t101 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t101 + 0x18);
						}
						__eflags = _t98;
						if(_t98 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t85 =  *(_t101 + 0xc) & 0x00000108;
								__eflags = _t85;
								if(_t85 == 0) {
									L18:
									__eflags = _t82 - _v12;
									if(_t82 < _v12) {
										_t68 = E0040F0AD(_t91, _t98,  *_v8, _t101);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											L34:
											_t69 = _t98;
											L35:
											return (_t69 - _t82) / _a8;
										}
										_v8 = _v8 + 1;
										_t72 =  *(_t101 + 0x18);
										_t82 = _t82 - 1;
										_v12 = _t72;
										__eflags = _t72;
										if(_t72 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t85;
									if(_t85 == 0) {
										L21:
										__eflags = _v12;
										_t99 = _t82;
										if(_v12 != 0) {
											_t75 = _t82;
											_t91 = _t75 % _v12;
											_t99 = _t99 - _t75 % _v12;
											__eflags = _t99;
										}
										_push(_t99);
										_push(_v8);
										_push(E0040FA20(_t101));
										_t74 = E0040F944(_t82, _t91, _t99, _t101, __eflags);
										_t102 = _t102 + 0xc;
										__eflags = _t74 - 0xffffffff;
										if(_t74 == 0xffffffff) {
											L36:
											 *(_t101 + 0xc) =  *(_t101 + 0xc) | 0x00000020;
											_t69 = _v16;
											goto L35;
										} else {
											_t89 = _t99;
											__eflags = _t74 - _t99;
											if(_t74 <= _t99) {
												_t89 = _t74;
											}
											_v8 = _v8 + _t89;
											_t82 = _t82 - _t89;
											__eflags = _t74 - _t99;
											if(_t74 < _t99) {
												goto L36;
											} else {
												L27:
												_t98 = _v16;
												goto L31;
											}
										}
									}
									_t77 = E0040C1FB(_t91, _t101);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t78 =  *(_t101 + 4);
								__eflags = _t78;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t48 = _t101 + 0xc;
									 *_t48 =  *(_t101 + 0xc) | 0x00000020;
									__eflags =  *_t48;
									goto L34;
								}
								_t100 = _t82;
								__eflags = _t82 - _t78;
								if(_t82 >= _t78) {
									_t100 = _t78;
								}
								E0040B350(_t82, _t100, _t101,  *_t101, _v8, _t100);
								 *(_t101 + 4) =  *(_t101 + 4) - _t100;
								 *_t101 =  *_t101 + _t100;
								_t102 = _t102 + 0xc;
								_t82 = _t82 - _t100;
								_v8 = _v8 + _t100;
								goto L27;
								L31:
								__eflags = _t82;
							} while (_t82 != 0);
							goto L32;
						}
					}
					L3:
					_t61 = E0040BFC1();
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t61 = 0x16;
					E0040E744(_t81, _t91, 0, _t101);
					goto L4;
				}
			}

0x0040baaa
0x0040baba
0x0040bae0
0x00000000
0x0040bac1
0x0040bac1
0x0040bac6
0x0040bae7
0x0040baea
0x0040baec
0x00000000
0x00000000
0x0040baee
0x0040baf3
0x0040baf6
0x0040baf9
0x00000000
0x00000000
0x0040bafe
0x0040bb02
0x0040bb09
0x0040bb0c
0x0040bb0f
0x0040bb11
0x0040bb1b
0x0040bb13
0x0040bb16
0x0040bb16
0x0040bb22
0x0040bb24
0x0040bbe9
0x00000000
0x0040bb2a
0x0040bb2a
0x0040bb2d
0x0040bb2d
0x0040bb33
0x0040bb64
0x0040bb64
0x0040bb67
0x0040bbc0
0x0040bbc7
0x0040bbca
0x0040bbf5
0x0040bbf5
0x0040bbf7
0x00000000
0x0040bbfb
0x0040bbcc
0x0040bbcf
0x0040bbd2
0x0040bbd3
0x0040bbd6
0x0040bbd8
0x0040bbda
0x0040bbda
0x00000000
0x0040bbd8
0x0040bb69
0x0040bb6b
0x0040bb78
0x0040bb78
0x0040bb7c
0x0040bb7e
0x0040bb82
0x0040bb84
0x0040bb87
0x0040bb87
0x0040bb87
0x0040bb89
0x0040bb8a
0x0040bb94
0x0040bb95
0x0040bb9a
0x0040bb9d
0x0040bba0
0x0040bc03
0x0040bc03
0x0040bc07
0x00000000
0x0040bba2
0x0040bba2
0x0040bba4
0x0040bba6
0x0040bba8
0x0040bba8
0x0040bbaa
0x0040bbad
0x0040bbaf
0x0040bbb1
0x00000000
0x0040bbb3
0x0040bbb3
0x0040bbb3
0x00000000
0x0040bbb3
0x0040bbb1
0x0040bba0
0x0040bb6e
0x0040bb74
0x0040bb76
0x00000000
0x00000000
0x00000000
0x0040bb76
0x0040bb35
0x0040bb38
0x0040bb3a
0x00000000
0x00000000
0x0040bb3c
0x0040bbf1
0x0040bbf1
0x0040bbf1
0x00000000
0x0040bbf1
0x0040bb42
0x0040bb44
0x0040bb46
0x0040bb48
0x0040bb48
0x0040bb50
0x0040bb55
0x0040bb58
0x0040bb5a
0x0040bb5d
0x0040bb5f
0x00000000
0x0040bbe1
0x0040bbe1
0x0040bbe1
0x00000000
0x0040bb2a
0x0040bb24
0x0040bac8
0x0040bac8
0x0040bacd
0x0040bace
0x0040bacf
0x0040bad0
0x0040bad1
0x0040bad2
0x0040bad8
0x00000000
0x0040badd

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __fileno__flsbuf__flush__locking
String ID:
API String ID: 2259706978-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00405D00(void* __ebx, void* __edx, void* __ebp, signed int* _a4, signed int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t35;
				signed int _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t45;
				signed int _t48;
				signed int* _t53;
				void* _t54;
				void* _t55;
				void* _t57;

				_t54 = __ebp;
				_t45 = __edx;
				_t42 = __ebx;
				_t53 = _a4;
				if(_t53 == 0) {
					L40:
					_t31 = _t30 | 0xffffffff;
					__eflags = _t31;
					return _t31;
				} else {
					_t43 = _a12;
					if(_t43 == 2) {
						goto L40;
					} else {
						_t30 = _t53[0xe];
						if(_t30 == 0xffffffff || _t30 == 0xfffffffd) {
							goto L40;
						} else {
							_t48 = _a8;
							if(_t53[0x17] != 0x77) {
								__eflags = _t43 - 1;
								if(_t43 == 1) {
									_t48 = _t48 + _t53[0x1a];
									__eflags = _t48;
								}
								__eflags = _t48;
								if(_t48 < 0) {
									goto L39;
								} else {
									__eflags = _t53[0x16];
									if(__eflags == 0) {
										_t33 = _t53[0x1a];
										__eflags = _t48 - _t33;
										if(_t48 < _t33) {
											_t30 = E004054F0(_t42, _t54, _t53);
											_t55 = _t55 + 4;
											__eflags = _t30;
											if(_t30 < 0) {
												goto L39;
											} else {
												goto L27;
											}
										} else {
											_t48 = _t48 - _t33;
											L27:
											__eflags = _t48;
											if(_t48 == 0) {
												L38:
												return _t53[0x1a];
											} else {
												__eflags = _t53[0x12];
												if(_t53[0x12] != 0) {
													L30:
													__eflags = _t53[0x1b] - 0xffffffff;
													if(_t53[0x1b] != 0xffffffff) {
														_t53[0x1a] = _t53[0x1a] + 1;
														_t48 = _t48 - 1;
														__eflags = _t53[0x1c];
														_t53[0x1b] = 0xffffffff;
														if(_t53[0x1c] != 0) {
															_t53[0xe] = 1;
														}
													}
													__eflags = _t48;
													if(_t48 <= 0) {
														goto L38;
													} else {
														while(1) {
															_t35 = 0x4000;
															__eflags = _t48 - 0x4000;
															if(_t48 < 0x4000) {
																_t35 = _t48;
															}
															_t30 = E00405A20(_t45, _t53, _t53[0x12], _t35);
															_t55 = _t55 + 0xc;
															__eflags = _t30;
															if(_t30 <= 0) {
																goto L39;
															}
															_t48 = _t48 - _t30;
															__eflags = _t48;
															if(_t48 > 0) {
																continue;
															} else {
																goto L38;
															}
															goto L41;
														}
														goto L39;
													}
												} else {
													_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
													_t55 = _t55 + 4;
													_t53[0x12] = _t30;
													__eflags = _t30;
													if(_t30 == 0) {
														goto L39;
													} else {
														goto L30;
													}
												}
											}
										}
									} else {
										_push(0);
										_push(_t48);
										_push(_t53[0x10]);
										_t53[0x1b] = 0xffffffff;
										_t53[1] = 0;
										 *_t53 = _t53[0x11];
										_t30 = E0040C46B(_t53[0x10], _t48, _t53, __eflags);
										__eflags = _t30;
										if(_t30 < 0) {
											goto L39;
										} else {
											_t53[0x1a] = _t48;
											_t53[0x19] = _t48;
											return _t48;
										}
									}
								}
							} else {
								if(_t43 == 0) {
									_t48 = _t48 - _t53[0x19];
								}
								if(_t48 < 0) {
									L39:
									_t32 = _t30 | 0xffffffff;
									__eflags = _t32;
									return _t32;
								} else {
									if(_t53[0x11] != 0) {
										L11:
										if(_t48 <= 0) {
											L17:
											return _t53[0x19];
										} else {
											while(1) {
												_t39 = 0x4000;
												if(_t48 < 0x4000) {
													_t39 = _t48;
												}
												_t30 = E00405260(_t42, _t45, _t53, _t53[0x11], _t39);
												_t55 = _t55 + 0xc;
												if(_t30 == 0) {
													goto L39;
												}
												_t48 = _t48 - _t30;
												if(_t48 > 0) {
													continue;
												} else {
													goto L17;
												}
												goto L41;
											}
											goto L39;
										}
									} else {
										_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
										_t57 = _t55 + 4;
										_t53[0x11] = _t30;
										if(_t30 == 0) {
											goto L39;
										} else {
											E0040BA30(_t48, _t30, 0, 0x4000);
											_t55 = _t57 + 0xc;
											goto L11;
										}
									}
								}
							}
						}
					}
				}
				L41:
			}

0x00405d00
0x00405d00
0x00405d00
0x00405d01
0x00405d07
0x00405e7f
0x00405e7f
0x00405e7f
0x00405e83
0x00405d0d
0x00405d0d
0x00405d14
0x00000000
0x00405d1a
0x00405d1a
0x00405d20
0x00000000
0x00405d2f
0x00405d34
0x00405d38
0x00405dad
0x00405db0
0x00405db2
0x00405db2
0x00405db2
0x00405db5
0x00405db7
0x00000000
0x00405dbd
0x00405dbd
0x00405dc1
0x00405df8
0x00405dfb
0x00405dfd
0x00405e04
0x00405e09
0x00405e0c
0x00405e0e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405dff
0x00405dff
0x00405e10
0x00405e10
0x00405e12
0x00405e73
0x00405e78
0x00405e14
0x00405e14
0x00405e18
0x00405e2e
0x00405e2e
0x00405e32
0x00405e34
0x00405e37
0x00405e38
0x00405e3c
0x00405e43
0x00405e45
0x00405e45
0x00405e43
0x00405e4c
0x00405e4e
0x00000000
0x00405e50
0x00405e50
0x00405e50
0x00405e55
0x00405e57
0x00405e59
0x00405e59
0x00405e61
0x00405e66
0x00405e69
0x00405e6b
0x00000000
0x00000000
0x00405e6d
0x00405e6f
0x00405e71
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e71
0x00000000
0x00405e50
0x00405e1a
0x00405e1f
0x00405e24
0x00405e27
0x00405e2a
0x00405e2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2c
0x00405e18
0x00405e12
0x00405dc3
0x00405dc9
0x00405dcb
0x00405dcc
0x00405dcd
0x00405dd4
0x00405ddb
0x00405ddd
0x00405de5
0x00405de7
0x00000000
0x00405ded
0x00405ded
0x00405df0
0x00405df7
0x00405df7
0x00405de7
0x00405dc1
0x00405d3a
0x00405d3c
0x00405d3e
0x00405d3e
0x00405d43
0x00405e79
0x00405e7a
0x00405e7a
0x00405e7e
0x00405d49
0x00405d4d
0x00405d77
0x00405d79
0x00405da7
0x00405dac
0x00405d7b
0x00405d80
0x00405d80
0x00405d87
0x00405d89
0x00405d89
0x00405d91
0x00405d96
0x00405d9b
0x00000000
0x00000000
0x00405da1
0x00405da5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405da5
0x00000000
0x00405d80
0x00405d4f
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00000000
0x00405d67
0x00405d6f
0x00405d74
0x00000000
0x00405d74
0x00405d61
0x00405d4d
0x00405d43
0x00405d38
0x00405d20
0x00405d14
0x00000000

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Uniqueness

Uniqueness Score: -1.00%

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041529F(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				void* __ebx;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E0040EC86(0,  &_v20, __edi, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E004153D0( *_t73 & 0x000000ff,  &_v20) == 0) {
								if(MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								_t54 = E0040BFC1();
								 *_t54 = 0x2a;
								if(_v8 != 0) {
									_t54 = _v12;
									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							if(_t65 <= 1 || _a12 < _t65) {
								L17:
								if(_a12 <  *(_t56 + 0xac) || _t73[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
								_t56 = _v20;
								if(_t58 != 0) {
									L19:
									_t57 =  *(_t56 + 0xac);
									if(_v8 == 0) {
										return _t57;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t57;
								}
								goto L17;
							}
						}
						_t59 = _a4;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x004152a9
0x004152b0
0x004152c7
0x00000000
0x004152b7
0x004152b9
0x004152d3
0x004152de
0x00415310
0x004153ae
0x004152ee
0x004152f1
0x004152f6
0x004152f6
0x00000000
0x004152fc
0x00415370
0x00415370
0x00415375
0x0041537e
0x00415380
0x00415383
0x00415383
0x00000000
0x00415387
0x00415312
0x00415315
0x0041531e
0x00415345
0x0041534e
0x00000000
0x00000000
0x00000000
0x00000000
0x00415325
0x00415338
0x00415340
0x00415343
0x00415355
0x00415355
0x0041535e
0x004152cc
0x004152cc
0x00415367
0x00000000
0x00415367
0x00000000
0x00415343
0x0041531e
0x004152e0
0x004152e5
0x004152eb
0x004152eb
0x00000000
0x004152bb
0x004152bb
0x004152c0
0x004152c4
0x004152c4
0x00000000
0x004152c0
0x004152b9

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004427F4 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004427F4(void* __edx, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E0043927A( &_v20, __edx, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E0043D96A( *_t73 & 0x000000ff,  &_v20) == 0) {
								if(MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								_t54 = E0043C199();
								 *_t54 = 0x2a;
								if(_v8 != 0) {
									_t54 = _v12;
									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							if(_t65 <= 1 || _a12 < _t65) {
								L17:
								if(_a12 <  *(_t56 + 0xac) || _t73[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
								_t56 = _v20;
								if(_t58 != 0) {
									L19:
									_t57 =  *(_t56 + 0xac);
									if(_v8 == 0) {
										return _t57;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t57;
								}
								goto L17;
							}
						}
						_t59 = _a4;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x004427fe
0x00442805
0x0044281c
0x00000000
0x0044280c
0x0044280e
0x00442828
0x00442833
0x00442865
0x00442903
0x00442843
0x00442846
0x0044284b
0x0044284b
0x00000000
0x00442851
0x004428c5
0x004428c5
0x004428ca
0x004428d3
0x004428d5
0x004428d8
0x004428d8
0x00000000
0x004428dc
0x00442867
0x0044286a
0x00442873
0x0044289a
0x004428a3
0x00000000
0x00000000
0x00000000
0x00000000
0x0044287a
0x0044288d
0x00442895
0x00442898
0x004428aa
0x004428aa
0x004428b3
0x00442821
0x00442821
0x004428bc
0x00000000
0x004428bc
0x00000000
0x00442898
0x00442873
0x00442835
0x0044283a
0x00442840
0x00442840
0x00000000
0x00442810
0x00442810
0x00442815
0x00442819
0x00442819
0x00000000
0x00442815
0x0044280e

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00442828
__isleadbyte_l.LIBCMT ref: 0044285C
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?,?,?,?), ref: 0044288D
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004428FB

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8a8b3223315bd9dd2f494cc227204dd49cbd903abdb2dd4758727c47cdabd0be
Instruction ID: cdf489e984613c57eb056efbf47742e725db3c70b741688ca674fc4851705c54
Opcode Fuzzy Hash: 8a8b3223315bd9dd2f494cc227204dd49cbd903abdb2dd4758727c47cdabd0be
Instruction Fuzzy Hash: 2E31F230A00246EFEF20EF64C980ABE7BA0FF01311F55866AF464AB291D7B4DD40DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004134DB(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00412DCC(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00412EBC(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004133E1(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00413326(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x004134db
0x004134e0
0x004134e6
0x00413559
0x00000000
0x004134ed
0x004134ed
0x004134f0
0x0041350b
0x0041350e
0x0041352e
0x00413540
0x00413510
0x00413510
0x00413513
0x00000000
0x00413515
0x00413527
0x00413527
0x00413513
0x0041355e
0x00413562
0x004134f2
0x0041350a
0x0041350a
0x004134f0

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Uniqueness

Uniqueness Score: -1.00%

Function 004104E9 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 57%

			E004104E9(void* __ebx, void* __edi, intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				void* _t6;
				intOrPtr* _t10;
				void* _t12;
				void* _t14;
				char* _t17;

				_t14 = __edi;
				_t12 = __ebx;
				if(TlsGetValue( *0x4227d4) == 0) {
					L4:
					_t17 = L"KERNEL32.DLL";
					_push(_t17);
					_push(_t12);
					_t6 = E006DD96B(_t5);
					if(_t6 != 0) {
						L6:
						_push("DecodePointer");
						_push(_t6);
						return E00460395(_t6, _t17);
					} else {
						_push(_t17);
						_t6 = E0040E76A(_t14);
						if(_t6 == 0) {
							goto L9;
						} else {
							goto L6;
						}
					}
				} else {
					_t5 =  *0x4227d0; // 0x6
					if(_t5 == 0xffffffff) {
						goto L4;
					} else {
						_push(_t5);
						_t5 =  *(TlsGetValue( *0x4227d4))();
						if(_t5 == 0) {
							goto L4;
						} else {
							_t10 =  *((intOrPtr*)(_t5 + 0x1fc));
							if(_t10 != 0) {
								_a4 =  *_t10(_a4);
							}
							L9:
							return _a4;
						}
					}
				}
			}

0x004104e9
0x004104e9
0x004104ff
0x00410522
0x00410522
0x00410527
0x00410528
0x00410529
0x00410530
0x0041053d
0x0041053d
0x00410542
0x00410548
0x00410532
0x00410532
0x00410533
0x0041053b
0x00000000
0x00000000
0x00000000
0x00000000
0x0041053b
0x00410501
0x00410501
0x00410509
0x00000000
0x0041050b
0x0041050b
0x00410514
0x00410518
0x00000000
0x0041051a
0x0041051a
0x0041054b
0x00410552
0x00410552
0x00410555
0x0041055a
0x0041055a
0x00410518
0x00410509

APIs

TlsGetValue.KERNEL32(00000001,?,0040D2F3,?,0040B906,00000001,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240), ref: 004104FB
TlsGetValue.KERNEL32(00000006,?,0040D2F3,?,0040B906,00000001,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240), ref: 00410512

Strings

DecodePointer, xrefs: 0041053D
KERNEL32.DLL, xrefs: 00410522, 00410527, 00410532

Memory Dump Source

Source File: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: Value
String ID: DecodePointer$KERNEL32.DLL
API String ID: 3702945584-629428536
Opcode ID: 03f77b24651e6dda69b516fc0a55d4a6286babdaa5890ed42dab1dfa1938c7e8
Instruction ID: 778149ca229a6e408f162dd190a6e0fa7806e00b596d11308893816a74f2a171
Opcode Fuzzy Hash: 03f77b24651e6dda69b516fc0a55d4a6286babdaa5890ed42dab1dfa1938c7e8
Instruction Fuzzy Hash: E6F04431600216BA8B20A776ED44DDB3B9DEE413A47944073B818D7261EB68DDC28BAC

Uniqueness

Uniqueness Score: -1.00%

Function 0043B9B5 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 57%

			E0043B9B5(void* __ebx, void* __edx, intOrPtr _a4) {
				void* __ecx;
				void* __esi;
				void* _t6;
				intOrPtr* _t10;
				void* _t12;
				void* _t13;
				void* _t14;

				_t14 = __edx;
				_t12 = __ebx;
				if(TlsGetValue( *0x44b6ac) == 0) {
					L4:
					_t17 = L"KERNEL32.DLL";
					_push(L"KERNEL32.DLL");
					_push(_t13);
					_t6 = E0062959B(_t5, _t13);
					if(_t6 != 0) {
						L6:
						_push("DecodePointer");
						_push(_t6);
						return E005B6000(_t6, _t13, _t17);
					} else {
						_t6 = E0043E1EC(_t12, _t14, _t17);
						_pop(_t13);
						if(_t6 == 0) {
							goto L9;
						} else {
							goto L6;
						}
					}
				} else {
					_t5 =  *0x44b6a8; // 0x5
					if(_t5 == 0xffffffff) {
						goto L4;
					} else {
						_push(_t5);
						_t5 =  *(TlsGetValue( *0x44b6ac))();
						if(_t5 == 0) {
							goto L4;
						} else {
							_t10 =  *((intOrPtr*)(_t5 + 0x1fc));
							if(_t10 != 0) {
								_a4 =  *_t10(_a4);
							}
							L9:
							return _a4;
						}
					}
				}
			}

0x0043b9b5
0x0043b9b5
0x0043b9cb
0x0043b9ee
0x0043b9ee
0x0043b9f3
0x0043b9f4
0x0043b9f5
0x0043b9fc
0x0043ba09
0x0043ba09
0x0043ba0e
0x0043ba14
0x0043b9fe
0x0043b9ff
0x0043ba04
0x0043ba07
0x00000000
0x00000000
0x00000000
0x00000000
0x0043ba07
0x0043b9cd
0x0043b9cd
0x0043b9d5
0x00000000
0x0043b9d7
0x0043b9d7
0x0043b9e0
0x0043b9e4
0x00000000
0x0043b9e6
0x0043b9e6
0x0043ba17
0x0043ba1e
0x0043ba1e
0x0043ba21
0x0043ba26
0x0043ba26
0x0043b9e4
0x0043b9d5

APIs

TlsGetValue.KERNEL32(004394DF,?,0043C458,?,0043C428,004394DF,?,?,004394DF,?), ref: 0043B9C7
TlsGetValue.KERNEL32(00000005,?,0043C458,?,0043C428,004394DF,?,?,004394DF,?), ref: 0043B9DE

Strings

DecodePointer, xrefs: 0043BA09
KERNEL32.DLL, xrefs: 0043B9EE, 0043B9F3, 0043B9FE

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: Value
String ID: DecodePointer$KERNEL32.DLL
API String ID: 3702945584-629428536
Opcode ID: d79c27ead3be65625d018d9d8f74531c2c67abce66ab5567b523582456077726
Instruction ID: a1700da8a673be5d28d0324b196747693916444123c69507c67f664535d6aa44
Opcode Fuzzy Hash: d79c27ead3be65625d018d9d8f74531c2c67abce66ab5567b523582456077726
Instruction Fuzzy Hash: 5CF0C874200A196B9F506B65DC01FA73E98DF4E360F054132FD08D7260DB38CC00C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 0043F70B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0043F70B(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t28 = __esi;
				_t27 = __edi;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E0043AD66(__ebx, __edx, __edi, __esi,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E0043BC01(__ebx, __edi) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E0043BC01(_t19, _t27);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0 &&  *((intOrPtr*)(_t29 - 0x1c)) != 0) {
							_t17 = E0043AD3F( *((intOrPtr*)(_t28 + 0x18)));
							_t37 = _t17;
							if(_t17 != 0) {
								_push( *((intOrPtr*)(_t29 + 0x10)));
								_push(_t28);
								return E0043F4A3(_t37);
							}
						}
					}
				}
				return _t17;
			}

0x0043f70b
0x0043f70b
0x0043f70b
0x0043f70e
0x0043f714
0x0043f722
0x0043f728
0x0043f730
0x0043f73c
0x0043f744
0x0043f74c
0x0043f760
0x0043f76b
0x0043f771
0x0043f773
0x0043f775
0x0043f778
0x00000000
0x0043f77f
0x0043f773
0x0043f760
0x0043f74c
0x0043f780

APIs

Part of subcall function 0043AD66: __getptd.LIBCMT ref: 0043AD6C
Part of subcall function 0043AD66: __getptd.LIBCMT ref: 0043AD7C

__getptd.LIBCMT ref: 0043F71A

Part of subcall function 0043BC01: __amsg_exit.LIBCMT ref: 0043BC11

__getptd.LIBCMT ref: 0043F728

Strings

csm, xrefs: 0043F736

Memory Dump Source

Source File: 00000000.00000002.514520214.0000000000426000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.514292550.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514312176.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514445072.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514496714.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514711523.000000000044B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514723556.000000000044C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514744058.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.514758694.0000000000451000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516646775.000000000086B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.516711327.00000000008F3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I2ECXQvrEh.jbxd

Similarity

API ID: __getptd$__amsg_exit
String ID: csm
API String ID: 1969926928-1018135373
Opcode ID: 19a090d337b5289cb2aa2f64d74c49aadee50cee4b888bae0250ae30ba76a082
Instruction ID: f4a0271017337717bfe72788a2c8f3a1ff3f23db4e03f4ae39b2faf5fa01a8cf
Opcode Fuzzy Hash: 19a090d337b5289cb2aa2f64d74c49aadee50cee4b888bae0250ae30ba76a082
Instruction Fuzzy Hash: 5B014B34D003048ACF349F61C4416AEB3B5AF1C315F94683FE4809A7A1DB39A998DB49

Uniqueness

Uniqueness Score: -1.00%

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CP-ASDE	INV_PackingL_202208031_0104.exe	Get hash	malicious	Browse	65.21.9.53
	quotation.exe	Get hash	malicious	Browse	65.21.9.51
	2uE45eIM1V	Get hash	malicious	Browse	65.20.206.150
	https://tamilblasters.casa/	Get hash	malicious	Browse	65.21.224.187
	https://trackwish9322.lt.emlnk.com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkYyMDBmb242cGkxcWdoZ2E4MWpiNW9pdGF0bmRmNTNjNmxkZzBra3VidGtrYjBmdGg4aHVqNWcwLnNpYXNreS5uZXQlMkY=&sig=3eJSk53b3izPNQrMTLbuEhfTiFLVAN8TLddaixw8nbPU&iat=1661403184&a=%7C%7C612206636%7C%7C&account=trackwish9322%2Eactivehosted%2Ecom&email=x6oapX3iNmxTwgP5rV3dPSqm%2BcSrBsVD%2F3kjWt%2FSoLg%3D&s=2cc3dd3081470099000a06a374dfd2e9&i=6A8A1A21#a2NvdXJhZ2VAYXRsYXMtYXBleC5jb20=	Get hash	malicious	Browse	65.21.195.162
	file.exe	Get hash	malicious	Browse	65.21.176.128
	https://siasky.net/7ABsSiBX_M9mznaS0nxBRHcffRHsv1ILYWwk5_KCYkX0gg#michael.ross@dollarama.com	Get hash	malicious	Browse	65.21.195.162
	skid.arm7-20220815-1256	Get hash	malicious	Browse	65.21.250.115
	95FD6DBD5B34B84D5F126EC006FD2578EB32189CBE679.exe	Get hash	malicious	Browse	65.21.186.115
	jsFCw8G4ig.exe	Get hash	malicious	Browse	65.21.195.131
	TpXMnFHYAH.exe	Get hash	malicious	Browse	65.21.186.115
	mizkB8caOL.exe	Get hash	malicious	Browse	65.21.254.234
	L8j8EwkPlU.exe	Get hash	malicious	Browse	65.21.254.234
	BVegtPL8wa.exe	Get hash	malicious	Browse	65.21.254.234
	RFQ_0029388827772_Square General Contracting.exe	Get hash	malicious	Browse	65.21.166.30
	Drawing_0029388827772_Square_General_ContractingDrawing_0029388827772_Square_General_Contracting.exe	Get hash	malicious	Browse	65.21.166.30
	botx.mips	Get hash	malicious	Browse	65.21.220.240
	https://1drv.ms/o/s!BG6HqrFy4UX8nFGLjkkZc95NBr6I?e=Hj5alGa1gkaGEv6VpyWc9g&at=9	Get hash	malicious	Browse	65.21.195.162
	http://4002cd2pv7jrlhvgdombn479mkvqodjq3i91qfro3tphu8cku2mlij8.siasky.net	Get hash	malicious	Browse	65.21.195.162
	Ares.mpsl	Get hash	malicious	Browse	65.21.180.181

Target ID:	0
Start time:	09:39:30
Start date:	01/09/2022
Path:	C:\Users\user\Desktop\I2ECXQvrEh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\I2ECXQvrEh.exe"
Imagebase:	0x400000
File size:	5191168 bytes
MD5 hash:	D36E2F2A3AAE17357BD7DBE542209BE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.519290496.0000000005210000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.518199281.0000000002C10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report I2ECXQvrEh

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: I2ECXQvrEh.exePID: 5436, Parent PID: 5464

Windows Analysis Report
I2ECXQvrEh

Function 00401AD3 Relevance: 40.3, Strings: 32, Instructions: 268
COMMON

Function 00401FAC Relevance: 45.6, APIs: 2, Strings: 24, Instructions: 111
COMMON

Function 004019F0 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 61
COMMON

Function 0043A697 Relevance: 10.6, APIs: 7, Instructions: 102
COMMONLIBRARYCODE

Function 0041046E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMONLIBRARYCODE

Function 0043B93A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMONLIBRARYCODE

Function 00401EB9 Relevance: 4.6, APIs: 3, Instructions: 77
COMMON

Function 0040AF66 Relevance: 4.5, APIs: 3, Instructions: 34
COMMON